mirror of
https://github.com/AsahiLinux/u-boot
synced 2024-11-27 07:01:24 +00:00
a2303f4c06
When authenticating the initial boot binary the ROM will check a debug type value in the certificate and based on that open JTAG access to that core. This only effects HS devices as non-HS device ROM allows JTAG by default. This can be useful for HS developers working in the early boot stage, before SYSFW is loaded. After that point the JTAG access can be changed based on board configurations passed to SYSFW. This access can also be a large security problem as JTAG access on HS devices can be used to circumvent the chain-of-trust controls. Accidentally leaving this open defeats the security on HS, due to this change the default to disabled. This should only effect those working on early HS boot code, which is a limited crowd who will already know how to re-enable this access as needed. Signed-off-by: Andrew F. Davis <afd@ti.com>
252 lines
6.4 KiB
Bash
Executable file
252 lines
6.4 KiB
Bash
Executable file
#!/bin/bash
|
|
# SPDX-License-Identifier: GPL-2.0+ OR BSD-3-Clause
|
|
#
|
|
# Script to add K3 specific x509 cetificate to a binary.
|
|
#
|
|
|
|
# Variables
|
|
OUTPUT=tiboot3.bin
|
|
TEMP_X509=x509-temp.cert
|
|
CERT=certificate.bin
|
|
RAND_KEY=eckey.pem
|
|
LOADADDR=0x41c00000
|
|
BOOTCORE_OPTS=0
|
|
BOOTCORE=16
|
|
DEBUG_TYPE=0
|
|
|
|
gen_degen_template() {
|
|
cat << 'EOF' > degen-template.txt
|
|
|
|
asn1=SEQUENCE:rsa_key
|
|
|
|
[rsa_key]
|
|
version=INTEGER:0
|
|
modulus=INTEGER:0xDEGEN_MODULUS
|
|
pubExp=INTEGER:1
|
|
privExp=INTEGER:1
|
|
p=INTEGER:0xDEGEN_P
|
|
q=INTEGER:0xDEGEN_Q
|
|
e1=INTEGER:1
|
|
e2=INTEGER:1
|
|
coeff=INTEGER:0xDEGEN_COEFF
|
|
EOF
|
|
}
|
|
|
|
# Generate x509 Template
|
|
gen_template() {
|
|
cat << 'EOF' > x509-template.txt
|
|
[ req ]
|
|
distinguished_name = req_distinguished_name
|
|
x509_extensions = v3_ca
|
|
prompt = no
|
|
dirstring_type = nobmp
|
|
|
|
[ req_distinguished_name ]
|
|
C = US
|
|
ST = TX
|
|
L = Dallas
|
|
O = Texas Instruments Incorporated
|
|
OU = Processors
|
|
CN = TI support
|
|
emailAddress = support@ti.com
|
|
|
|
[ v3_ca ]
|
|
basicConstraints = CA:true
|
|
1.3.6.1.4.1.294.1.1 = ASN1:SEQUENCE:boot_seq
|
|
1.3.6.1.4.1.294.1.2 = ASN1:SEQUENCE:image_integrity
|
|
1.3.6.1.4.1.294.1.3 = ASN1:SEQUENCE:swrv
|
|
# 1.3.6.1.4.1.294.1.4 = ASN1:SEQUENCE:encryption
|
|
1.3.6.1.4.1.294.1.8 = ASN1:SEQUENCE:debug
|
|
|
|
[ boot_seq ]
|
|
certType = INTEGER:TEST_CERT_TYPE
|
|
bootCore = INTEGER:TEST_BOOT_CORE
|
|
bootCoreOpts = INTEGER:TEST_BOOT_CORE_OPTS
|
|
destAddr = FORMAT:HEX,OCT:TEST_BOOT_ADDR
|
|
imageSize = INTEGER:TEST_IMAGE_LENGTH
|
|
|
|
[ image_integrity ]
|
|
shaType = OID:2.16.840.1.101.3.4.2.3
|
|
shaValue = FORMAT:HEX,OCT:TEST_IMAGE_SHA_VAL
|
|
|
|
[ swrv ]
|
|
swrv = INTEGER:0
|
|
|
|
# [ encryption ]
|
|
# initalVector = FORMAT:HEX,OCT:TEST_IMAGE_ENC_IV
|
|
# randomString = FORMAT:HEX,OCT:TEST_IMAGE_ENC_RS
|
|
# iterationCnt = INTEGER:TEST_IMAGE_KEY_DERIVE_INDEX
|
|
# salt = FORMAT:HEX,OCT:TEST_IMAGE_KEY_DERIVE_SALT
|
|
|
|
[ debug ]
|
|
debugUID = FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000
|
|
debugType = INTEGER:TEST_DEBUG_TYPE
|
|
coreDbgEn = INTEGER:0
|
|
coreDbgSecEn = INTEGER:0
|
|
EOF
|
|
}
|
|
|
|
parse_key() {
|
|
sed '/\ \ \ \ /s/://g' key.txt | awk '!/\ \ \ \ / {printf("\n%s\n", $0)}; /\ \ \ \ / {printf("%s", $0)}' | sed 's/\ \ \ \ //g' | awk "/$1:/{getline; print}"
|
|
}
|
|
|
|
gen_degen_key() {
|
|
# Generate a 4096 bit RSA Key
|
|
openssl genrsa -out key.pem 1024 >>/dev/null 2>&1
|
|
openssl rsa -in key.pem -text -out key.txt >>/dev/null 2>&1
|
|
DEGEN_MODULUS=$( parse_key 'modulus' )
|
|
DEGEN_P=$( parse_key 'prime1' )
|
|
DEGEN_Q=$( parse_key 'prime2' )
|
|
DEGEN_COEFF=$( parse_key 'coefficient' )
|
|
gen_degen_template
|
|
|
|
sed -e "s/DEGEN_MODULUS/$DEGEN_MODULUS/"\
|
|
-e "s/DEGEN_P/$DEGEN_P/" \
|
|
-e "s/DEGEN_Q/$DEGEN_Q/" \
|
|
-e "s/DEGEN_COEFF/$DEGEN_COEFF/" \
|
|
degen-template.txt > degenerateKey.txt
|
|
|
|
openssl asn1parse -genconf degenerateKey.txt -out degenerateKey.der >>/dev/null 2>&1
|
|
openssl rsa -in degenerateKey.der -inform DER -outform PEM -out $RAND_KEY >>/dev/null 2>&1
|
|
KEY=$RAND_KEY
|
|
rm key.pem key.txt degen-template.txt degenerateKey.txt degenerateKey.der
|
|
}
|
|
|
|
declare -A options_help
|
|
usage() {
|
|
if [ -n "$*" ]; then
|
|
echo "ERROR: $*"
|
|
fi
|
|
echo -n "Usage: $0 "
|
|
for option in "${!options_help[@]}"
|
|
do
|
|
arg=`echo ${options_help[$option]}|cut -d ':' -f1`
|
|
if [ -n "$arg" ]; then
|
|
arg=" $arg"
|
|
fi
|
|
echo -n "[-$option$arg] "
|
|
done
|
|
echo
|
|
echo -e "\nWhere:"
|
|
for option in "${!options_help[@]}"
|
|
do
|
|
arg=`echo ${options_help[$option]}|cut -d ':' -f1`
|
|
txt=`echo ${options_help[$option]}|cut -d ':' -f2`
|
|
tb="\t\t\t"
|
|
if [ -n "$arg" ]; then
|
|
arg=" $arg"
|
|
tb="\t"
|
|
fi
|
|
echo -e " -$option$arg:$tb$txt"
|
|
done
|
|
echo
|
|
echo "Examples of usage:-"
|
|
echo "# Example of signing the SYSFW binary with rsa degenerate key"
|
|
echo " $0 -c 0 -b ti-sci-firmware-am6x.bin -o sysfw.bin -l 0x40000"
|
|
echo "# Example of signing the SPL binary with rsa degenerate key"
|
|
echo " $0 -c 16 -b spl/u-boot-spl.bin -o tiboot3.bin -l 0x41c00000"
|
|
}
|
|
|
|
options_help[b]="bin_file:Bin file that needs to be signed"
|
|
options_help[k]="key_file:file with key inside it. If not provided script generates a rsa degenerate key."
|
|
options_help[o]="output_file:Name of the final output file. default to $OUTPUT"
|
|
options_help[c]="core_id:target core id on which the image would be running. Default to $BOOTCORE"
|
|
options_help[l]="loadaddr: Target load address of the binary in hex. Default to $LOADADDR"
|
|
options_help[d]="debug_type: Debug type, set to 4 to enable early JTAG. Default to $DEBUG_TYPE"
|
|
|
|
while getopts "b:k:o:c:l:d:h" opt
|
|
do
|
|
case $opt in
|
|
b)
|
|
BIN=$OPTARG
|
|
;;
|
|
k)
|
|
KEY=$OPTARG
|
|
;;
|
|
o)
|
|
OUTPUT=$OPTARG
|
|
;;
|
|
l)
|
|
LOADADDR=$OPTARG
|
|
;;
|
|
c)
|
|
BOOTCORE=$OPTARG
|
|
;;
|
|
d)
|
|
DEBUG_TYPE=$OPTARG
|
|
;;
|
|
h)
|
|
usage
|
|
exit 0
|
|
;;
|
|
\?)
|
|
usage "Invalid Option '-$OPTARG'"
|
|
exit 1
|
|
;;
|
|
:)
|
|
usage "Option '-$OPTARG' Needs an argument."
|
|
exit 1
|
|
;;
|
|
esac
|
|
done
|
|
|
|
if [ "$#" -eq 0 ]; then
|
|
usage "Arguments missing"
|
|
exit 1
|
|
fi
|
|
|
|
if [ -z "$BIN" ]; then
|
|
usage "Bin file missing in arguments"
|
|
exit 1
|
|
fi
|
|
|
|
# Generate rsa degenerate key if user doesn't provide a key
|
|
if [ -z "$KEY" ]; then
|
|
gen_degen_key
|
|
fi
|
|
|
|
if [ $BOOTCORE == 0 ]; then # BOOTCORE M3, loaded by ROM
|
|
CERTTYPE=2
|
|
elif [ $BOOTCORE == 16 ]; then # BOOTCORE R5, loaded by ROM
|
|
CERTTYPE=1
|
|
else # Non BOOTCORE, loaded by SYSFW
|
|
BOOTCORE_OPTS_VER=$(printf "%01x" 1)
|
|
# Add input args option for SET and CLR flags.
|
|
BOOTCORE_OPTS_SETFLAG=$(printf "%08x" 0)
|
|
BOOTCORE_OPTS_CLRFLAG=$(printf "%08x" 0x100) # Clear FLAG_ARMV8_AARCH32
|
|
BOOTCORE_OPTS="0x$BOOTCORE_OPTS_VER$BOOTCORE_OPTS_SETFLAG$BOOTCORE_OPTS_CLRFLAG"
|
|
# Set the cert type to zero.
|
|
# We are not using public/private key store now
|
|
CERTTYPE=$(printf "0x%08x" 0)
|
|
fi
|
|
|
|
SHA_VAL=`openssl dgst -sha512 -hex $BIN | sed -e "s/^.*= //g"`
|
|
BIN_SIZE=`cat $BIN | wc -c`
|
|
ADDR=`printf "%08x" $LOADADDR`
|
|
|
|
gen_cert() {
|
|
#echo "Certificate being generated :"
|
|
#echo " LOADADDR = 0x$ADDR"
|
|
#echo " IMAGE_SIZE = $BIN_SIZE"
|
|
#echo " CERT_TYPE = $CERTTYPE"
|
|
#echo " DEBUG_TYPE = $DEBUG_TYPE"
|
|
sed -e "s/TEST_IMAGE_LENGTH/$BIN_SIZE/" \
|
|
-e "s/TEST_IMAGE_SHA_VAL/$SHA_VAL/" \
|
|
-e "s/TEST_CERT_TYPE/$CERTTYPE/" \
|
|
-e "s/TEST_BOOT_CORE_OPTS/$BOOTCORE_OPTS/" \
|
|
-e "s/TEST_BOOT_CORE/$BOOTCORE/" \
|
|
-e "s/TEST_BOOT_ADDR/$ADDR/" \
|
|
-e "s/TEST_DEBUG_TYPE/$DEBUG_TYPE/" \
|
|
x509-template.txt > $TEMP_X509
|
|
openssl req -new -x509 -key $KEY -nodes -outform DER -out $CERT -config $TEMP_X509 -sha512
|
|
}
|
|
|
|
gen_template
|
|
gen_cert
|
|
cat $CERT $BIN > $OUTPUT
|
|
|
|
# Remove all intermediate files
|
|
rm $TEMP_X509 $CERT x509-template.txt
|
|
if [ "$KEY" == "$RAND_KEY" ]; then
|
|
rm $RAND_KEY
|
|
fi
|