ca71186a76
TI's K3 boot architecture mandates a x509 certificate for every boot image. While signing the image K3 ROM allows for two types of keys based on which the boot image gets loaded in different ways: - Degenerate RSA keys: This generates a signature which is equal to the digest. When ROM sees this, it does a DMA for copying the images, which significantly improves the boot time. - Any other key: Does a memcpy to load the image. This is introduced as a fallback for DMA copy. Add a script for generating boot images with the above options. Default generates image using rsa degenerate key in order to improve boot time. Signed-off-by: Lokesh Vutla <lokeshvutla@ti.com> Signed-off-by: Dave Gerlach <d-gerlach@ti.com> Signed-off-by: Andreas Dannenberg <dannenberg@ti.com>
245 lines
6.2 KiB
Bash
Executable File
245 lines
6.2 KiB
Bash
Executable File
#!/bin/bash
|
|
# SPDX-License-Identifier: GPL-2.0+ OR BSD-3-Clause
|
|
#
|
|
# Script to add K3 specific x509 cetificate to a binary.
|
|
#
|
|
|
|
# Variables
|
|
OUTPUT=tiboot3.bin
|
|
TEMP_X509=x509-temp.cert
|
|
CERT=certificate.bin
|
|
RAND_KEY=eckey.pem
|
|
LOADADDR=0x41c00000
|
|
BOOTCORE_OPTS=0
|
|
BOOTCORE=16
|
|
|
|
gen_degen_template() {
|
|
cat << 'EOF' > degen-template.txt
|
|
|
|
asn1=SEQUENCE:rsa_key
|
|
|
|
[rsa_key]
|
|
version=INTEGER:0
|
|
modulus=INTEGER:0xDEGEN_MODULUS
|
|
pubExp=INTEGER:1
|
|
privExp=INTEGER:1
|
|
p=INTEGER:0xDEGEN_P
|
|
q=INTEGER:0xDEGEN_Q
|
|
e1=INTEGER:1
|
|
e2=INTEGER:1
|
|
coeff=INTEGER:0xDEGEN_COEFF
|
|
EOF
|
|
}
|
|
|
|
# Generate x509 Template
|
|
gen_template() {
|
|
cat << 'EOF' > x509-template.txt
|
|
[ req ]
|
|
distinguished_name = req_distinguished_name
|
|
x509_extensions = v3_ca
|
|
prompt = no
|
|
dirstring_type = nobmp
|
|
|
|
[ req_distinguished_name ]
|
|
C = US
|
|
ST = TX
|
|
L = Dallas
|
|
O = Texas Instruments Incorporated
|
|
OU = Processors
|
|
CN = TI support
|
|
emailAddress = support@ti.com
|
|
|
|
[ v3_ca ]
|
|
basicConstraints = CA:true
|
|
1.3.6.1.4.1.294.1.1 = ASN1:SEQUENCE:boot_seq
|
|
1.3.6.1.4.1.294.1.2 = ASN1:SEQUENCE:image_integrity
|
|
1.3.6.1.4.1.294.1.3 = ASN1:SEQUENCE:swrv
|
|
# 1.3.6.1.4.1.294.1.4 = ASN1:SEQUENCE:encryption
|
|
1.3.6.1.4.1.294.1.8 = ASN1:SEQUENCE:debug
|
|
|
|
[ boot_seq ]
|
|
certType = INTEGER:TEST_CERT_TYPE
|
|
bootCore = INTEGER:TEST_BOOT_CORE
|
|
bootCoreOpts = INTEGER:TEST_BOOT_CORE_OPTS
|
|
destAddr = FORMAT:HEX,OCT:TEST_BOOT_ADDR
|
|
imageSize = INTEGER:TEST_IMAGE_LENGTH
|
|
|
|
[ image_integrity ]
|
|
shaType = OID:2.16.840.1.101.3.4.2.3
|
|
shaValue = FORMAT:HEX,OCT:TEST_IMAGE_SHA_VAL
|
|
|
|
[ swrv ]
|
|
swrv = INTEGER:0
|
|
|
|
# [ encryption ]
|
|
# initalVector = FORMAT:HEX,OCT:TEST_IMAGE_ENC_IV
|
|
# randomString = FORMAT:HEX,OCT:TEST_IMAGE_ENC_RS
|
|
# iterationCnt = INTEGER:TEST_IMAGE_KEY_DERIVE_INDEX
|
|
# salt = FORMAT:HEX,OCT:TEST_IMAGE_KEY_DERIVE_SALT
|
|
|
|
[ debug ]
|
|
debugUID = FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000
|
|
debugType = INTEGER:4
|
|
coreDbgEn = INTEGER:0
|
|
coreDbgSecEn = INTEGER:0
|
|
EOF
|
|
}
|
|
|
|
parse_key() {
|
|
sed '/\ \ \ \ /s/://g' key.txt | awk '!/\ \ \ \ / {printf("\n%s\n", $0)}; /\ \ \ \ / {printf("%s", $0)}' | sed 's/\ \ \ \ //g' | awk "/$1:/{getline; print}"
|
|
}
|
|
|
|
gen_degen_key() {
|
|
# Generate a 4096 bit RSA Key
|
|
openssl genrsa -out key.pem 1024 >>/dev/null 2>&1
|
|
openssl rsa -in key.pem -text -out key.txt >>/dev/null 2>&1
|
|
DEGEN_MODULUS=$( parse_key 'modulus' )
|
|
DEGEN_P=$( parse_key 'prime1' )
|
|
DEGEN_Q=$( parse_key 'prime2' )
|
|
DEGEN_COEFF=$( parse_key 'coefficient' )
|
|
gen_degen_template
|
|
|
|
sed -e "s/DEGEN_MODULUS/$DEGEN_MODULUS/"\
|
|
-e "s/DEGEN_P/$DEGEN_P/" \
|
|
-e "s/DEGEN_Q/$DEGEN_Q/" \
|
|
-e "s/DEGEN_COEFF/$DEGEN_COEFF/" \
|
|
degen-template.txt > degenerateKey.txt
|
|
|
|
openssl asn1parse -genconf degenerateKey.txt -out degenerateKey.der >>/dev/null 2>&1
|
|
openssl rsa -in degenerateKey.der -inform DER -outform PEM -out $RAND_KEY >>/dev/null 2>&1
|
|
KEY=$RAND_KEY
|
|
rm key.pem key.txt degen-template.txt degenerateKey.txt degenerateKey.der
|
|
}
|
|
|
|
declare -A options_help
|
|
usage() {
|
|
if [ -n "$*" ]; then
|
|
echo "ERROR: $*"
|
|
fi
|
|
echo -n "Usage: $0 "
|
|
for option in "${!options_help[@]}"
|
|
do
|
|
arg=`echo ${options_help[$option]}|cut -d ':' -f1`
|
|
if [ -n "$arg" ]; then
|
|
arg=" $arg"
|
|
fi
|
|
echo -n "[-$option$arg] "
|
|
done
|
|
echo
|
|
echo -e "\nWhere:"
|
|
for option in "${!options_help[@]}"
|
|
do
|
|
arg=`echo ${options_help[$option]}|cut -d ':' -f1`
|
|
txt=`echo ${options_help[$option]}|cut -d ':' -f2`
|
|
tb="\t\t\t"
|
|
if [ -n "$arg" ]; then
|
|
arg=" $arg"
|
|
tb="\t"
|
|
fi
|
|
echo -e " -$option$arg:$tb$txt"
|
|
done
|
|
echo
|
|
echo "Examples of usage:-"
|
|
echo "# Example of signing the SYSFW binary with rsa degenerate key"
|
|
echo " $0 -c 0 -b ti-sci-firmware-am6x.bin -o sysfw.bin -l 0x40000"
|
|
echo "# Example of signing the SPL binary with rsa degenerate key"
|
|
echo " $0 -c 16 -b spl/u-boot-spl.bin -o tiboot3.bin -l 0x41c00000"
|
|
}
|
|
|
|
options_help[b]="bin_file:Bin file that needs to be signed"
|
|
options_help[k]="key_file:file with key inside it. If not provided script generates a rsa degenerate key."
|
|
options_help[o]="output_file:Name of the final output file. default to $OUTPUT"
|
|
options_help[c]="core_id:target core id on which the image would be running. Default to $BOOTCORE"
|
|
options_help[l]="loadaddr: Target load address of the binary in hex. Default to $LOADADDR"
|
|
|
|
while getopts "b:k:o:c:l:h" opt
|
|
do
|
|
case $opt in
|
|
b)
|
|
BIN=$OPTARG
|
|
;;
|
|
k)
|
|
KEY=$OPTARG
|
|
;;
|
|
o)
|
|
OUTPUT=$OPTARG
|
|
;;
|
|
l)
|
|
LOADADDR=$OPTARG
|
|
;;
|
|
c)
|
|
BOOTCORE=$OPTARG
|
|
;;
|
|
h)
|
|
usage
|
|
exit 0
|
|
;;
|
|
\?)
|
|
usage "Invalid Option '-$OPTARG'"
|
|
exit 1
|
|
;;
|
|
:)
|
|
usage "Option '-$OPTARG' Needs an argument."
|
|
exit 1
|
|
;;
|
|
esac
|
|
done
|
|
|
|
if [ "$#" -eq 0 ]; then
|
|
usage "Arguments missing"
|
|
exit 1
|
|
fi
|
|
|
|
if [ -z "$BIN" ]; then
|
|
usage "Bin file missing in arguments"
|
|
exit 1
|
|
fi
|
|
|
|
# Generate rsa degenerate key if user doesn't provide a key
|
|
if [ -z "$KEY" ]; then
|
|
gen_degen_key
|
|
fi
|
|
|
|
if [ $BOOTCORE == 0 ]; then # BOOTCORE M3, loaded by ROM
|
|
CERTTYPE=2
|
|
elif [ $BOOTCORE == 16 ]; then # BOOTCORE R5, loaded by ROM
|
|
CERTTYPE=1
|
|
else # Non BOOTCORE, loaded by SYSFW
|
|
BOOTCORE_OPTS_VER=$(printf "%01x" 1)
|
|
# Add input args option for SET and CLR flags.
|
|
BOOTCORE_OPTS_SETFLAG=$(printf "%08x" 0)
|
|
BOOTCORE_OPTS_CLRFLAG=$(printf "%08x" 0x100) # Clear FLAG_ARMV8_AARCH32
|
|
BOOTCORE_OPTS="0x$BOOTCORE_OPTS_VER$BOOTCORE_OPTS_SETFLAG$BOOTCORE_OPTS_CLRFLAG"
|
|
# Set the cert type to zero.
|
|
# We are not using public/private key store now
|
|
CERTTYPE=$(printf "0x%08x" 0)
|
|
fi
|
|
|
|
SHA_VAL=`openssl dgst -sha512 -hex $BIN | sed -e "s/^.*= //g"`
|
|
BIN_SIZE=`cat $BIN | wc -c`
|
|
ADDR=`printf "%08x" $LOADADDR`
|
|
|
|
gen_cert() {
|
|
#echo "Certificate being generated :"
|
|
#echo " LOADADDR = 0x$ADDR"
|
|
#echo " IMAGE_SIZE = $BIN_SIZE"
|
|
#echo " CERT_TYPE = $CERTTYPE"
|
|
sed -e "s/TEST_IMAGE_LENGTH/$BIN_SIZE/" \
|
|
-e "s/TEST_IMAGE_SHA_VAL/$SHA_VAL/" \
|
|
-e "s/TEST_CERT_TYPE/$CERTTYPE/" \
|
|
-e "s/TEST_BOOT_CORE_OPTS/$BOOTCORE_OPTS/" \
|
|
-e "s/TEST_BOOT_CORE/$BOOTCORE/" \
|
|
-e "s/TEST_BOOT_ADDR/$ADDR/" x509-template.txt > $TEMP_X509
|
|
openssl req -new -x509 -key $KEY -nodes -outform DER -out $CERT -config $TEMP_X509 -sha512
|
|
}
|
|
|
|
gen_template
|
|
gen_cert
|
|
cat $CERT $BIN > $OUTPUT
|
|
|
|
# Remove all intermediate files
|
|
rm $TEMP_X509 $CERT x509-template.txt
|
|
if [ "$KEY" == "$RAND_KEY" ]; then
|
|
rm $RAND_KEY
|
|
fi
|