tf-a: switch signing to native C++ tool

embetrix · embetrix · commit ece177e8b26b · 2024-12-14T23:02:21.000+01:00
diff --git a/classes/stm32mp15x-sign.bbclass b/classes/stm32mp15x-sign.bbclass
@@ -9,12 +9,12 @@
 #
 #####################################################################################
 
-DEPENDS += "openssl-native util-linux-native tf-a-stm32mp-tools-native stm32mp-keygen-native"
+DEPENDS += "openssl-native util-linux-native tf-a-stm32mp-tools-native stm32mp-sign-tool-native"
 
 do_tfa_sign() {
 
-    stm32-sign  -k "${SECBOOT_SIGN_KEY}" \
-                -s ${B}/build/stm32mp1/${TFA_BUILD_TYPE}/${TF_A_BASENAME}-${TFA_DEVICETREE}.${TF_A_SUFFIX} \
+    stm32mp-sign-tool  -k "${SECBOOT_SIGN_KEY}" \
+                -i ${B}/build/stm32mp1/${TFA_BUILD_TYPE}/${TF_A_BASENAME}-${TFA_DEVICETREE}.${TF_A_SUFFIX} \
                 -o ${B}/build/stm32mp1/${TFA_BUILD_TYPE}/${TF_A_BASENAME}-${TFA_DEVICETREE}.${TF_A_SUFFIX}
 }
 
@@ -56,10 +56,8 @@ do_fip_sign() {
 
 do_deploy:append() {
 
-    openssl ec -in ${SECBOOT_SIGN_KEY}  -outform PEM -out ${DEPLOYDIR}/secureboot-pubkey.pem -pubout
-    ecdsa-sha256 --public-key=${DEPLOYDIR}/secureboot-pubkey.pem \
-                 --binhash-file=${DEPLOYDIR}/secureboot-pubkey-hash.bin
-    
+    stm32mp-sign-tool -k ${SECBOOT_SIGN_KEY} -h ${DEPLOYDIR}/secureboot-pubkey-hash.bin
+
     # Generate u-boot cmd to fuse public key hashes into OTP
     echo fuse prog -y 0 0x18 $(hexdump -e '/4 "0x"' -e '/1 "%x"' -e '" "'\
                  ${DEPLOYDIR}/secureboot-pubkey-hash.bin) > ${DEPLOYDIR}/u-boot-fuse-prog.txt
diff --git a/recipes-support/stm32mp-sign-tool/stm32mp-sign-tool_git.bb b/recipes-support/stm32mp-sign-tool/stm32mp-sign-tool_git.bb
@@ -0,0 +1,19 @@
+SUMMARY = "STM32MP Sign Tool is a utility"
+DESCRIPTION = "The STM32MP Sign Tool is a utility for \
+signing and verifying firmware images for STM32MP MPUs. \
+It uses ECDSA (Elliptic Curve Digital Signature Algorithm) to ensure the integrity and authenticity of the firmware."
+HOMEPAGE = "https://github.com/embetrix/stm32mp-sign-tool"
+SECTION = "console/utils"
+LICENSE = "GPL-3.0-only"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=e49f4652534af377a713df3d9dec60cb"
+
+SRC_URI = "git://github.com/embetrix/${BPN};branch=master;protocol=https"
+SRCREV = "9ba913b8ec4a6aab6cd2c15bb7e1fd6a3591d71e"
+S = "${WORKDIR}/git"
+
+DEPENDS += "openssl"
+inherit cmake
+
+FILES:${PN} = "${bindir}/stm32mp-sign-tool"
+
+BBCLASSEXTEND = "native nativesdk"
