mirror of
https://github.com/AsahiLinux/u-boot
synced 2024-12-02 01:19:49 +00:00
033ab460d0
There are many ways to get a signed firmware for the IOT2050 devices, namely for the parts under user-control. This script documents one way of doing it, given a signing key. Augment the board documentation with the required procedure around it. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
51 lines
1.5 KiB
Bash
Executable file
51 lines
1.5 KiB
Bash
Executable file
#!/bin/sh
|
|
|
|
if [ -z "$1" ]; then
|
|
echo "Usage: $0 KEY"
|
|
exit 1
|
|
fi
|
|
|
|
TEMP_X509=$(mktemp XXXXXXXX.temp)
|
|
|
|
REVISION=${2:-0}
|
|
SHA_VAL=$(openssl dgst -sha512 -hex tispl.bin | sed -e "s/^.*= //g")
|
|
BIN_SIZE=$(stat -c %s tispl.bin)
|
|
|
|
cat <<EOF >$TEMP_X509
|
|
[ req ]
|
|
distinguished_name = req_distinguished_name
|
|
x509_extensions = v3_ca
|
|
prompt = no
|
|
dirstring_type = nobmp
|
|
|
|
[ req_distinguished_name ]
|
|
CN = IOT2050 Firmware Signature
|
|
|
|
[ v3_ca ]
|
|
basicConstraints = CA:true
|
|
1.3.6.1.4.1.294.1.3 = ASN1:SEQUENCE:swrv
|
|
1.3.6.1.4.1.294.1.34 = ASN1:SEQUENCE:sysfw_image_integrity
|
|
|
|
[ swrv ]
|
|
swrv = INTEGER:$REVISION
|
|
|
|
[ sysfw_image_integrity ]
|
|
shaType = OID:2.16.840.1.101.3.4.2.3
|
|
shaValue = FORMAT:HEX,OCT:$SHA_VAL
|
|
imageSize = INTEGER:$BIN_SIZE
|
|
EOF
|
|
|
|
CERT_X509=$(mktemp XXXXXXXX.crt)
|
|
|
|
openssl req -new -x509 -key $1 -nodes -outform DER -out $CERT_X509 -config $TEMP_X509 -sha512
|
|
cat $CERT_X509 tispl.bin > tispl.bin_signed
|
|
# currently broken in upstream
|
|
#source/tools/binman/binman replace -i flash.bin -f tispl.bin_signed blob@0x180000
|
|
dd if=tispl.bin_signed of=flash.bin bs=$((0x1000)) seek=$((0x180000/0x1000)) conv=notrunc
|
|
|
|
rm $TEMP_X509 $CERT_X509
|
|
|
|
tools/mkimage -G $1 -r -o sha256,rsa4096 -F fit@0x380000.fit
|
|
# currently broken in upstream
|
|
#source/tools/binman/binman replace -i flash.bin -f fit@0x380000.fit fit@0x380000
|
|
dd if=fit@0x380000.fit of=flash.bin bs=$((0x1000)) seek=$((0x380000/0x1000)) conv=notrunc
|