From 00194272519855ad26b7d5de2fd0419cf2963942 Mon Sep 17 00:00:00 2001 From: Yogesh Siraswar Date: Fri, 15 Jul 2022 11:38:53 -0500 Subject: [PATCH] k3_gen_x509_cert: Make SWRV configurable for anti-rollback protection The x509 certificate SWRV is currently hard-coded to 0. This need to be updated to 1 for j721e 1.1, j7200 and am64x. It is don't care for other k3 devices. Added new config K3_X509_SWRV to k3. Default is set to 1. Signed-off-by: Yogesh Siraswar Reviewed-by: Dave Gerlach --- arch/arm/mach-k3/Kconfig | 6 ++++++ arch/arm/mach-k3/config.mk | 5 ++++- tools/k3_gen_x509_cert.sh | 11 +++++++++-- 3 files changed, 19 insertions(+), 3 deletions(-) diff --git a/arch/arm/mach-k3/Kconfig b/arch/arm/mach-k3/Kconfig index 0d21f26275..171a7f2f25 100644 --- a/arch/arm/mach-k3/Kconfig +++ b/arch/arm/mach-k3/Kconfig @@ -176,6 +176,12 @@ config K3_DM_FW bootloader, it makes RM and PM services not being available during R5 SPL execution time. +config K3_X509_SWRV + int "SWRV for X509 certificate used for boot images" + default 1 + help + SWRV for X509 certificate used for boot images + source "board/ti/am65x/Kconfig" source "board/ti/am64x/Kconfig" source "board/ti/am62x/Kconfig" diff --git a/arch/arm/mach-k3/config.mk b/arch/arm/mach-k3/config.mk index da458bcfb2..4feb57992d 100644 --- a/arch/arm/mach-k3/config.mk +++ b/arch/arm/mach-k3/config.mk @@ -28,6 +28,9 @@ else KEY=$(patsubst "%",$(srctree)/%,$(CONFIG_SYS_K3_KEY)) endif +# X509 SWRV default +SWRV = $(CONFIG_K3_X509_SWRV) + # tiboot3.bin is mandated by ROM and ROM only supports R5 boot. # So restrict tiboot3.bin creation for CPU_V7R. ifdef CONFIG_CPU_V7R @@ -42,7 +45,7 @@ image_check: $(obj)/u-boot-spl.bin FORCE tiboot3.bin: image_check FORCE $(srctree)/tools/k3_gen_x509_cert.sh -c 16 -b $(obj)/u-boot-spl.bin \ - -o $@ -l $(CONFIG_SPL_TEXT_BASE) -k $(KEY) + -o $@ -l $(CONFIG_SPL_TEXT_BASE) -r $(SWRV) -k $(KEY) INPUTS-y += tiboot3.bin endif diff --git a/tools/k3_gen_x509_cert.sh b/tools/k3_gen_x509_cert.sh index 298cec1313..24cfc4e5fb 100755 --- a/tools/k3_gen_x509_cert.sh +++ b/tools/k3_gen_x509_cert.sh @@ -13,6 +13,7 @@ LOADADDR=0x41c00000 BOOTCORE_OPTS=0 BOOTCORE=16 DEBUG_TYPE=0 +SWRV=1 gen_degen_template() { cat << 'EOF' > degen-template.txt @@ -70,7 +71,7 @@ cat << 'EOF' > x509-template.txt shaValue = FORMAT:HEX,OCT:TEST_IMAGE_SHA_VAL [ swrv ] - swrv = INTEGER:0 + swrv = INTEGER:TEST_SWRV # [ encryption ] # initalVector = FORMAT:HEX,OCT:TEST_IMAGE_ENC_IV @@ -153,8 +154,9 @@ options_help[o]="output_file:Name of the final output file. default to $OUTPUT" options_help[c]="core_id:target core id on which the image would be running. Default to $BOOTCORE" options_help[l]="loadaddr: Target load address of the binary in hex. Default to $LOADADDR" options_help[d]="debug_type: Debug type, set to 4 to enable early JTAG. Default to $DEBUG_TYPE" +options_help[r]="SWRV: Software Rev for X509 certificate" -while getopts "b:k:o:c:l:d:h" opt +while getopts "b:k:o:c:l:d:h:r:" opt do case $opt in b) @@ -175,6 +177,9 @@ do d) DEBUG_TYPE=$OPTARG ;; + r) + SWRV=$OPTARG + ;; h) usage exit 0 @@ -230,6 +235,7 @@ gen_cert() { #echo " IMAGE_SIZE = $BIN_SIZE" #echo " CERT_TYPE = $CERTTYPE" #echo " DEBUG_TYPE = $DEBUG_TYPE" + echo " SWRV = $SWRV" sed -e "s/TEST_IMAGE_LENGTH/$BIN_SIZE/" \ -e "s/TEST_IMAGE_SHA_VAL/$SHA_VAL/" \ -e "s/TEST_CERT_TYPE/$CERTTYPE/" \ @@ -237,6 +243,7 @@ gen_cert() { -e "s/TEST_BOOT_CORE/$BOOTCORE/" \ -e "s/TEST_BOOT_ADDR/$ADDR/" \ -e "s/TEST_DEBUG_TYPE/$DEBUG_TYPE/" \ + -e "s/TEST_SWRV/$SWRV/" \ x509-template.txt > $TEMP_X509 openssl req -new -x509 -key $KEY -nodes -outform DER -out $CERT -config $TEMP_X509 -sha512 }