Mirrors/u-boot
2
0
Fork 0
mirror of https://github.com/AsahiLinux/u-boot synced 2024-11-24 21:54:01 +00:00
Code Issues Projects Releases Packages Wiki Activity

binman: ti-secure: Add support for firewalling entities

Browse source 
We can now firewall entities while loading them through our secure
entity TIFS, the required information should be present in the
certificate that is being parsed by TIFS.

The following commit adds the support to enable the certificates to be
generated if the firewall configurations are present in the binman dtsi
nodes.

Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
This commit is contained in:
Manorit Chawdhry 2023-12-29 16:16:26 +05:30 committed by Tom Rini
parent b1839fcf75
commit a3e407bef7
3 changed files with 112 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
tools/binman/btool/openssl.py
View file

@ -82,7 +82,7 @@ imageSize = INTEGER:{len(indata)}
return self.run_cmd(*args)
def x509_cert_sysfw(self, cert_fname, input_fname, key_fname, sw_rev,
config_fname, req_dist_name_dict):
config_fname, req_dist_name_dict, firewall_cert_data):
"""Create a certificate to be booted by system firmware
Args:
@ -94,6 +94,13 @@ imageSize = INTEGER:{len(indata)}
req_dist_name_dict (dict): Dictionary containing key-value pairs of
req_distinguished_name section extensions, must contain extensions for
C, ST, L, O, OU, CN and emailAddress
firewall_cert_data (dict):
- auth_in_place (int): The Priv ID for copying as the
specific host in firewall protected region
- num_firewalls (int): The number of firewalls in the
extended certificate
- certificate (str): Extended firewall certificate with
the information for the firewall configurations.
Returns:
str: Tool output
@ -121,6 +128,7 @@ basicConstraints = CA:true
1.3.6.1.4.1.294.1.3 = ASN1:SEQUENCE:swrv
1.3.6.1.4.1.294.1.34 = ASN1:SEQUENCE:sysfw_image_integrity
1.3.6.1.4.1.294.1.35 = ASN1:SEQUENCE:sysfw_image_load
1.3.6.1.4.1.294.1.37 = ASN1:SEQUENCE:firewall
[ swrv ]
swrv = INTEGER:{sw_rev}
@ -132,7 +140,11 @@ imageSize = INTEGER:{len(indata)}
[ sysfw_image_load ]
destAddr = FORMAT:HEX,OCT:00000000
authInPlace = INTEGER:2
authInPlace = INTEGER:{hex(firewall_cert_data['auth_in_place'])}
[ firewall ]
numFirewallRegions = INTEGER:{firewall_cert_data['num_firewalls']}
{firewall_cert_data['certificate']}
''', file=outf)
args = ['req', '-new', '-x509', '-key', key_fname, '-nodes',
'-outform', 'DER', '-out', cert_fname, '-config', config_fname,

95
tools/binman/etype/ti_secure.py
View file

@ -7,9 +7,44 @@
from binman.entry import EntryArg
from binman.etype.x509_cert import Entry_x509_cert
from dataclasses import dataclass
from dtoc import fdt_util
@dataclass
class Firewall():
id: int
region: int
control : int
permissions: list
start_address: str
end_address: str
def ensure_props(self, etype, name):
missing_props = []
for key, val in self.__dict__.items():
if val is None:
missing_props += [key]
if len(missing_props):
etype.Raise(f"Subnode '{name}' is missing properties: {','.join(missing_props)}")
def get_certificate(self) -> str:
unique_identifier = f"{self.id}{self.region}"
cert = f"""
firewallID{unique_identifier} = INTEGER:{self.id}
region{unique_identifier} = INTEGER:{self.region}
control{unique_identifier} = INTEGER:{hex(self.control)}
nPermissionRegs{unique_identifier} = INTEGER:{len(self.permissions)}
"""
for index, permission in enumerate(self.permissions):
cert += f"""permissions{unique_identifier}{index} = INTEGER:{hex(permission)}
"""
cert += f"""startAddress{unique_identifier} = FORMAT:HEX,OCT:{self.start_address:02x}
endAddress{unique_identifier} = FORMAT:HEX,OCT:{self.end_address:02x}
"""
return cert
class Entry_ti_secure(Entry_x509_cert):
"""Entry containing a TI x509 certificate binary
@ -17,6 +52,11 @@ class Entry_ti_secure(Entry_x509_cert):
- content: List of phandles to entries to sign
- keyfile: Filename of file containing key to sign binary with
- sha: Hash function to be used for signing
- auth-in-place: This is an integer field that contains two pieces
of information
Lower Byte - Remains 0x02 as per our use case
( 0x02: Move the authenticated binary back to the header )
Upper Byte - The Host ID of the core owning the firewall
Output files:
- input.<unique_name> - input file passed to openssl
@ -25,6 +65,35 @@ class Entry_ti_secure(Entry_x509_cert):
- cert.<unique_name> - output file generated by openssl (which is
used as the entry contents)
Depending on auth-in-place information in the inputs, we read the
firewall nodes that describe the configurations of firewall that TIFS
will be doing after reading the certificate.
The syntax of the firewall nodes are as such:
firewall-257-0 {
id = <257>; /* The ID of the firewall being configured */
region = <0>; /* Region number to configure */
control = /* The control register */
<(FWCTRL_EN | FWCTRL_LOCK | FWCTRL_BG | FWCTRL_CACHE)>;
permissions = /* The permission registers */
<((FWPRIVID_ALL << FWPRIVID_SHIFT) |
FWPERM_SECURE_PRIV_RWCD |
FWPERM_SECURE_USER_RWCD |
FWPERM_NON_SECURE_PRIV_RWCD |
FWPERM_NON_SECURE_USER_RWCD)>;
/* More defines can be found in k3-security.h */
start_address = /* The Start Address of the firewall */
<0x0 0x0>;
end_address = /* The End Address of the firewall */
<0xff 0xffffffff>;
};
openssl signs the provided data, using the TI templated config file and
writes the signature in this entry. This allows verification that the
data is genuine.
@ -32,11 +101,20 @@ class Entry_ti_secure(Entry_x509_cert):
def __init__(self, section, etype, node):
super().__init__(section, etype, node)
self.openssl = None
self.firewall_cert_data: dict = {
'auth_in_place': 0x02,
'num_firewalls': 0,
'certificate': '',
}
def ReadNode(self):
super().ReadNode()
self.key_fname = self.GetEntryArgsOrProps([
EntryArg('keyfile', str)], required=True)[0]
auth_in_place = fdt_util.GetInt(self._node, 'auth-in-place')
if auth_in_place:
self.firewall_cert_data['auth_in_place'] = auth_in_place
self.ReadFirewallNode()
self.sha = fdt_util.GetInt(self._node, 'sha', 512)
self.req_dist_name = {'C': 'US',
'ST': 'TX',
@ -46,6 +124,23 @@ class Entry_ti_secure(Entry_x509_cert):
'CN': 'TI Support',
'emailAddress': 'support@ti.com'}
def ReadFirewallNode(self):
self.firewall_cert_data['certificate'] = ""
self.firewall_cert_data['num_firewalls'] = 0
for node in self._node.subnodes:
if 'firewall' in node.name:
firewall = Firewall(
fdt_util.GetInt(node, 'id'),
fdt_util.GetInt(node, 'region'),
fdt_util.GetInt(node, 'control'),
fdt_util.GetPhandleList(node, 'permissions'),
fdt_util.GetInt64(node, 'start_address'),
fdt_util.GetInt64(node, 'end_address'),
)
firewall.ensure_props(self, node.name)
self.firewall_cert_data['num_firewalls'] += 1
self.firewall_cert_data['certificate'] += firewall.get_certificate()
def GetCertificate(self, required):
"""Get the contents of this entry

4
tools/binman/etype/x509_cert.py
View file

@ -51,6 +51,7 @@ class Entry_x509_cert(Entry_collection):
self.hashval_sysfw_data = None
self.sysfw_inner_cert_ext_boot_block = None
self.dm_data_ext_boot_block = None
self.firewall_cert_data = None
def ReadNode(self):
super().ReadNode()
@ -98,7 +99,8 @@ class Entry_x509_cert(Entry_collection):
key_fname=self.key_fname,
config_fname=config_fname,
sw_rev=self.sw_rev,
req_dist_name_dict=self.req_dist_name)
req_dist_name_dict=self.req_dist_name,
firewall_cert_data=self.firewall_cert_data)
elif type == 'rom':
stdout = self.openssl.x509_cert_rom(
cert_fname=output_fname,