Commit graph

4 commits

Author SHA1 Message Date
Yogesh Siraswar
0019427251 k3_gen_x509_cert: Make SWRV configurable for anti-rollback protection
The x509 certificate SWRV is currently hard-coded to 0. This need to be
updated to 1 for j721e 1.1, j7200 and am64x. It is don't care for other
k3 devices.

Added new config K3_X509_SWRV to k3. Default is set to 1.

Signed-off-by: Yogesh Siraswar <yogeshs@ti.com>
Reviewed-by: Dave Gerlach <d-gerlach@ti.com>
2022-07-25 14:57:27 -04:00
Andrew F. Davis
a2303f4c06 tools: k3_gen_x509_cert: Set default early HS JTAG access to disabled
When authenticating the initial boot binary the ROM will check a debug
type value in the certificate and based on that open JTAG access to that
core. This only effects HS devices as non-HS device ROM allows JTAG
by default.

This can be useful for HS developers working in the early boot stage,
before SYSFW is loaded. After that point the JTAG access can be
changed based on board configurations passed to SYSFW.

This access can also be a large security problem as JTAG access on
HS devices can be used to circumvent the chain-of-trust controls.
Accidentally leaving this open defeats the security on HS, due to this
change the default to disabled.

This should only effect those working on early HS boot code, which
is a limited crowd who will already know how to re-enable this access
as needed.

Signed-off-by: Andrew F. Davis <afd@ti.com>
2020-06-13 23:12:17 +05:30
Andrew F. Davis
0428a0b88f tools: k3_gen_x509_cert: Allow selecting early JTAG debug value
When authenticating the initial boot binary the ROM will check a debug
type value in the certificate and based on that open JTAG access to that
core.

Make this selectable in the signing tool to allow it to be enabled or
disabled based on user command line input.

This does not change the default behavior.

Signed-off-by: Andrew F. Davis <afd@ti.com>
2020-06-13 23:12:17 +05:30
Lokesh Vutla
ca71186a76 tools: k3_get_x509 cert: Add a script to generate x509 certificate for K3 devices
TI's K3 boot architecture mandates a x509 certificate for every boot image.
While signing the image K3 ROM allows for two types of keys based on which
the boot image gets loaded in different ways:
- Degenerate RSA keys: This generates a signature which is equal to the digest.
		       When ROM sees this, it does a DMA for copying the images,
		       which significantly improves the boot time.
- Any other key: Does a memcpy to load the image. This is introduced as a
		 fallback for DMA copy.

Add a script for generating boot images with the above options. Default
generates image using rsa degenerate key in order to improve boot time.

Signed-off-by: Lokesh Vutla <lokeshvutla@ti.com>
Signed-off-by: Dave Gerlach <d-gerlach@ti.com>
Signed-off-by: Andreas Dannenberg <dannenberg@ti.com>
2019-05-09 20:22:04 -04:00