toradex / meta-toradex-security

MIT License

TDX_IMX_HAB_ENABLE not being set by tdx-signed #15

Closed jsrc27 closed 8 months ago

jsrc27 commented 8 months ago

As the title says, for some reason it seems inheriting tdx-signed does not set TDX_IMX_HAB_ENABLE as documented. This was discovered by a Toradex customer here: https://community.toradex.com/t/guidance-on-meta-toradex-security-and-cst-tool/22225

Also reproduced by me. In summary: set up a Torizon Yocto environment as usual and add INHERIT += "tdx-signed" to local.conf. Go ahead and bitbake torizon-minimal for Verdin iMX8MP. Despite not downloading and setting up CST as needed, the build will complete successfully without issue. What's expected is the following error to be thrown from here: https://github.com/toradex/meta-toradex-security/blob/kirkstone-6.x.y/recipes-bsp/imx-mkimage/imx-boot-hab.inc#L159

Checking my build environment, I can see things related to the FIT image were executed, but nothing related to HAB. Even stranger, if I check my bitbake environment for UBOOT_SIGN_ENABLE I can see this is set, as expected. But if I check for TDX_IMX_HAB_ENABLE, then nothing. If I explicitly set TDX_IMX_HAB_ENABLE in my local.conf then I get the error I was expecting. But I thought this gets set by default just by inheriting tdx-signed.

As a final note I did the build with the latest commit: https://github.com/toradex/meta-toradex-security/commit/a94730df74cf4784487f3dae3da4cf85e153daaf

sergioprado commented 8 months ago

The reason for this is that the NXP BSP adds several machine overrides to a custom variable called MACHINEOVERRIDES_EXTENDER, and this variable is parsed by a class in meta-freescale called machine-overrides-extender.bbclass.

This class registers a function called machine_overrides_extender_handler that adds MACHINEOVERRIDES_EXTENDER to MACHINEOVERRIDES, which later goes into OVERRIDES.

But this function is registered to run only AFTER parsing is done (see https://github.com/Freescale/meta-freescale/blob/master/classes/machine-overrides-extender.bbclass#L56).

So this means there are a few overrides from NXP that cannot be used during parsing, and that includes the one we need: imx-generic-bsp.

The solution for that is to use MACHINEOVERRIDES_EXTENDER instead of OVERRIDES.

I am doing some tests and working on a PR to fix this.
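The ordering problem described in the comment above, as an added illustration that is not code from the meta-toradex-security or meta-freescale projects and not BitBake itself: a deliberately simplified Python model of a BitBake data store in which `VAR:override = "..."` assignments only take effect when the override is listed in OVERRIDES at lookup time. The variable and override names come from the issue; the values in MACHINEOVERRIDES_EXTENDER, the exact handler behaviour, and the "fixed" assignment form (resolving directly against MACHINEOVERRIDES_EXTENDER) are assumptions for the model, not the project's actual fix.

```python
"""Model of why TDX_IMX_HAB_ENABLE:imx-generic-bsp is invisible during parsing.

Written for this issue; not BitBake code. It reproduces one behaviour only:
an override-conditional assignment is resolved against OVERRIDES at lookup
time, so an override that a handler adds after parsing cannot influence
anything evaluated while parsing.
"""


class DataStore:
    """Minimal stand-in for a BitBake data store (assumption: the value of
    VAR:override wins over the plain value of VAR when `override` is present
    in OVERRIDES at lookup time, later OVERRIDES entries taking priority)."""

    def __init__(self):
        self.plain = {}        # VAR = "value"
        self.conditional = {}  # (VAR, override) -> value, from VAR:override = "value"

    def set(self, name, value):
        self.plain[name] = value

    def set_override(self, name, override, value):
        self.conditional[(name, override)] = value

    def get(self, name):
        active = [o for o in self.plain.get("OVERRIDES", "").split(":") if o]
        # Overrides are applied in OVERRIDES order, so the last match wins.
        for override in reversed(active):
            if (name, override) in self.conditional:
                return self.conditional[(name, override)]
        return self.plain.get(name)


def extender_has(d, override):
    """Does MACHINEOVERRIDES_EXTENDER (colon-separated, assumed) list `override`?
    This variable is already populated during parsing, unlike OVERRIDES."""
    return override in d.plain.get("MACHINEOVERRIDES_EXTENDER", "").split(":")


def apply_extender(d):
    """Effect of machine_overrides_extender_handler as modelled here: copy the
    extender entries into OVERRIDES. In the real class this runs after parsing."""
    entries = [o for o in d.plain.get("MACHINEOVERRIDES_EXTENDER", "").split(":") if o]
    current = [o for o in d.plain.get("OVERRIDES", "").split(":") if o]
    d.set("OVERRIDES", ":".join(current + [e for e in entries if e not in current]))


def simulate(fix_applied):
    """Return ((UBOOT_SIGN_ENABLE, TDX_IMX_HAB_ENABLE) as seen during parsing,
    TDX_IMX_HAB_ENABLE as seen after the handler has run)."""
    d = DataStore()
    # Constructed machine configuration (assumed values, in the spirit of the
    # NXP BSP layout): SoC-family overrides sit in MACHINEOVERRIDES_EXTENDER,
    # not in OVERRIDES, until the handler copies them across.
    d.set("MACHINE", "verdin-imx8mp")
    d.set("OVERRIDES", "verdin-imx8mp:mx8mp:arm")
    d.set("MACHINEOVERRIDES_EXTENDER", "imx-boot-container:mx8m-generic-bsp:imx-generic-bsp")

    # Parse time: what inheriting tdx-signed does in this model.
    d.set("UBOOT_SIGN_ENABLE", "1")  # unconditional, so it is visible (as reported)
    if fix_applied:
        # Decide from the extender variable itself, which is available while parsing.
        d.set("TDX_IMX_HAB_ENABLE", "1" if extender_has(d, "imx-generic-bsp") else "0")
    else:
        # Override-conditional form: depends on imx-generic-bsp being in OVERRIDES.
        d.set_override("TDX_IMX_HAB_ENABLE", "imx-generic-bsp", "1")

    seen_at_parse = (d.get("UBOOT_SIGN_ENABLE"), d.get("TDX_IMX_HAB_ENABLE"))

    # After parsing: the meta-freescale handler extends OVERRIDES. Too late for
    # any check that already ran during parsing.
    apply_extender(d)
    seen_after_handler = d.get("TDX_IMX_HAB_ENABLE")
    return seen_at_parse, seen_after_handler


if __name__ == "__main__":
    for fixed in (False, True):
        at_parse, later = simulate(fix_applied=fixed)
        print(f"fix_applied={fixed}: during parsing {at_parse}, after handler {later!r}")
```

In the unfixed run the parse-time lookup of TDX_IMX_HAB_ENABLE returns nothing while UBOOT_SIGN_ENABLE is set, which matches the symptom in the report; only after the handler has extended OVERRIDES does the conditional value appear. Deciding from MACHINEOVERRIDES_EXTENDER directly removes the dependency on handler ordering, which is the direction the comment above describes.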