#!/bin/bash
# SPDX-License-Identifier: GPL-2.0+ OR BSD-3-Clause
#
# Script to add a K3 specific x509 certificate to a binary.
#
# The certificate is prepended to the input binary (see the end of the
# script). Unless a key is passed with -k, the certificate is signed with a
# freshly generated "degenerate" RSA key whose exponents are all 1 (see
# gen_degen_template), so it offers no cryptographic authenticity; pass a
# real key with -k when the image must be trusted.

# Defaults; the ones that have a command-line option are overridden by getopts.
OUTPUT="tiboot3.bin"        # -o: final output file (certificate + binary)
TEMP_X509="x509-temp.cert"  # intermediate: x509 config with the values filled in
CERT="certificate.bin"      # intermediate: DER certificate
RAND_KEY="eckey.pem"        # path the generated degenerate key is written to
LOADADDR="0x41c00000"       # -l: load address of the binary, in hex
BOOTCORE_OPTS="0"           # boot core options word; recomputed for SYSFW-loaded cores
BOOTCORE="16"               # -c: boot core id (0 = M3 and 16 = R5 are loaded by ROM)
DEBUG_TYPE="0"              # -d: debug type (4 enables early JTAG)
SWRV="1"                    # -r: software revision recorded in the certificate
#######################################
# Write the openssl ASN.1 "genconf" template for the degenerate RSA key to
# ./degen-template.txt. The DEGEN_* tokens are substituted by gen_degen_key;
# every exponent is fixed to 1, which is what makes the key degenerate.
# Outputs:   degen-template.txt in the current directory
#######################################
gen_degen_template() {
	# Quoted delimiter: the template is written literally, nothing expands.
	cat > degen-template.txt << 'EOF'

asn1=SEQUENCE:rsa_key

[rsa_key]
version=INTEGER:0
modulus=INTEGER:0xDEGEN_MODULUS
pubExp=INTEGER:1
privExp=INTEGER:1
p=INTEGER:0xDEGEN_P
q=INTEGER:0xDEGEN_Q
e1=INTEGER:1
e2=INTEGER:1
coeff=INTEGER:0xDEGEN_COEFF
EOF
}
# Generate the x509 certificate template
#######################################
# Write the openssl "req" config used to build the certificate to
# ./x509-template.txt. The TEST_* tokens are substituted by gen_cert. The
# TI-specific extensions live under the 1.3.6.1.4.1.294 OID arc: boot_seq
# (target core, load address, image size), image_integrity (SHA-512 digest of
# the image), swrv and debug; the encryption extension is left commented out
# and debugUID is all zeros.
# Outputs:   x509-template.txt in the current directory
#######################################
gen_template() {
	# Quoted delimiter: the template is written literally, nothing expands.
	cat > x509-template.txt << 'EOF'
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
prompt = no
dirstring_type = nobmp

[ req_distinguished_name ]
C = US
ST = TX
L = Dallas
O = Texas Instruments Incorporated
OU = Processors
CN = TI support
emailAddress = support@ti.com

[ v3_ca ]
basicConstraints = CA:true
1.3.6.1.4.1.294.1.1 = ASN1:SEQUENCE:boot_seq
1.3.6.1.4.1.294.1.2 = ASN1:SEQUENCE:image_integrity
1.3.6.1.4.1.294.1.3 = ASN1:SEQUENCE:swrv
# 1.3.6.1.4.1.294.1.4 = ASN1:SEQUENCE:encryption
1.3.6.1.4.1.294.1.8 = ASN1:SEQUENCE:debug

[ boot_seq ]
certType = INTEGER:TEST_CERT_TYPE
bootCore = INTEGER:TEST_BOOT_CORE
bootCoreOpts = INTEGER:TEST_BOOT_CORE_OPTS
destAddr = FORMAT:HEX,OCT:TEST_BOOT_ADDR
imageSize = INTEGER:TEST_IMAGE_LENGTH

[ image_integrity ]
shaType = OID:2.16.840.1.101.3.4.2.3
shaValue = FORMAT:HEX,OCT:TEST_IMAGE_SHA_VAL

[ swrv ]
swrv = INTEGER:TEST_SWRV

# [ encryption ]
# initalVector = FORMAT:HEX,OCT:TEST_IMAGE_ENC_IV
# randomString = FORMAT:HEX,OCT:TEST_IMAGE_ENC_RS
# iterationCnt = INTEGER:TEST_IMAGE_KEY_DERIVE_INDEX
# salt = FORMAT:HEX,OCT:TEST_IMAGE_KEY_DERIVE_SALT

[ debug ]
debugUID = FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000
debugType = INTEGER:TEST_DEBUG_TYPE
coreDbgEn = INTEGER:0
coreDbgSecEn = INTEGER:0
EOF
}
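#######################################
# Extract one hex field from the `openssl rsa -text` dump in ./key.txt as a
# single run of hex digits. openssl prints such fields as a "<name>:" label
# followed by indented, colon-separated lines of hex bytes.
# Arguments: $1 - field name exactly as openssl prints it (modulus, prime1,
#                 prime2, coefficient, ...)
# Outputs:   the field's hex digits, without separators, on stdout; nothing
#            when the field is not present
#######################################
parse_key() {
	local field=$1
	# 1. lines that contain a space (the indented hex lines and one-line
	#    fields such as publicExponent) lose their ':' separators; the
	#    "<name>:" labels contain no space and keep theirs;
	# 2. every run of such lines is joined onto the one line after its label;
	# 3. all spaces are dropped;
	# 4. the line after the requested label is printed; the name is passed
	#    with -v instead of being spliced into the awk program text;
	# 5. only the leading hex digits are kept: a one-line field that directly
	#    follows a hex run (publicExponent after modulus in openssl's output)
	#    is glued onto it by step 2 and must not leak into the value.
	sed '/ /s/://g' key.txt | \
		awk '!/ / {printf("\n%s\n", $0)}; / / {printf("%s", $0)}' | \
		sed 's/ //g' | \
		awk -v key="$field" 'BEGIN { re = "^" key ":$" } $0 ~ re { getline; print }' | \
		sed 's/[^0-9a-fA-F].*$//'
}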
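#######################################
# Generate the degenerate RSA key used when no -k key is given: take the
# modulus and primes of a throw-away 1024-bit RSA key, force every exponent
# to 1 through gen_degen_template and write the result as PEM to $RAND_KEY.
# With all exponents equal to 1 the signing operation is the identity, so a
# certificate made with this key provides no authenticity.
# Globals:   RAND_KEY (read)  - output path for the PEM key
#            KEY (written)    - set to RAND_KEY on success so the rest of the
#                               script signs with the generated key
# Outputs:   $RAND_KEY; all intermediate files are removed again
# Returns:   0 on success, 1 if any step failed (intermediates are still
#            cleaned up, KEY is left untouched)
#######################################
gen_degen_key() {
	local rc=0
	_gen_degen_key_steps || rc=$?
	# Clean up whether or not the steps succeeded; -f tolerates the files an
	# early failure never created.
	rm -f -- key.pem key.txt degen-template.txt degenerateKey.txt degenerateKey.der
	return "$rc"
}

# Helper for gen_degen_key: runs the openssl steps, returns 1 on the first failure.
_gen_degen_key_steps() {
	local modulus p q coeff
	# 1024 bits is enough: only the modulus and primes are reused, every
	# exponent is fixed to 1 by the template. openssl's output is discarded,
	# only its exit status matters here.
	openssl genrsa -out key.pem 1024 >>/dev/null 2>&1 || return 1
	openssl rsa -in key.pem -text -out key.txt >>/dev/null 2>&1 || return 1
	modulus=$(parse_key 'modulus')
	p=$(parse_key 'prime1')
	q=$(parse_key 'prime2')
	coeff=$(parse_key 'coefficient')
	# An empty field would leave a literal "0x" in the key config; stop now
	# instead of letting asn1parse fail silently below.
	if [ -z "$modulus" ] || [ -z "$p" ] || [ -z "$q" ] || [ -z "$coeff" ]; then
		return 1
	fi
	gen_degen_template

	# Fill the DEGEN_* placeholders. parse_key output contains no '/', '&'
	# or '\', so it is safe inside the sed replacement text.
	sed -e "s/DEGEN_MODULUS/$modulus/" \
	    -e "s/DEGEN_P/$p/" \
	    -e "s/DEGEN_Q/$q/" \
	    -e "s/DEGEN_COEFF/$coeff/" \
	    degen-template.txt > degenerateKey.txt || return 1

	openssl asn1parse -genconf degenerateKey.txt -out degenerateKey.der >>/dev/null 2>&1 || return 1
	openssl rsa -in degenerateKey.der -inform DER -outform PEM -out "$RAND_KEY" >>/dev/null 2>&1 || return 1
	KEY=$RAND_KEY
}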
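# Option letter -> "argname:help text" (argname is empty for an option that
# takes no argument); filled in below and rendered by usage().
declare -A options_help

#######################################
# Print an optional error message and the usage text built from options_help.
# Globals:   options_help (read), $0
# Arguments: $* - error message; when non-empty it is printed to stderr first
# Outputs:   usage text on stdout, the error (if any) on stderr
#######################################
usage() {
	local option help arg txt tab

	if [ -n "$*" ]; then
		printf 'ERROR: %s\n' "$*" >&2
	fi

	printf 'Usage: %s ' "$0"
	for option in "${!options_help[@]}"; do
		# The part before the first ':' is the argument name, possibly empty.
		arg=${options_help[$option]%%:*}
		[ -n "$arg" ] && arg=" $arg"
		printf '[-%s%s] ' "$option" "$arg"
	done
	printf '\n\nWhere:\n'
	for option in "${!options_help[@]}"; do
		help=${options_help[$option]}
		arg=${help%%:*}
		# Everything after the first ':' is the description; a ':' inside it
		# is kept rather than truncating the text there.
		txt=${help#*:}
		# Column alignment: one tab after an argument name, three without.
		tab=$'\t\t\t'
		if [ -n "$arg" ]; then
			arg=" $arg"
			tab=$'\t'
		fi
		printf ' -%s%s:%s%s\n' "$option" "$arg" "$tab" "$txt"
	done
	printf '\n'
	printf '%s\n' "Examples of usage:-" \
		"# Example of signing the SYSFW binary with rsa degenerate key" \
		" $0 -c 0 -b ti-sci-firmware-am6x.bin -o sysfw.bin -l 0x40000" \
		"# Example of signing the SPL binary with rsa degenerate key" \
		" $0 -c 16 -b spl/u-boot-spl.bin -o tiboot3.bin -l 0x41c00000"
}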
# Help table consumed by usage(): "<argument name>:<description>". The
# defaults quoted in the text are the values assigned at the top of the script.
options_help+=(
	[b]="bin_file:Bin file that needs to be signed"
	[k]="key_file:file with key inside it. If not provided script generates a rsa degenerate key."
	[o]="output_file:Name of the final output file. default to $OUTPUT"
	[c]="core_id:target core id on which the image would be running. Default to $BOOTCORE"
	[l]="loadaddr: Target load address of the binary in hex. Default to $LOADADDR"
	[d]="debug_type: Debug type, set to 4 to enable early JTAG. Default to $DEBUG_TYPE"
	[r]="SWRV: Software Rev for X509 certificate"
)
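#######################################
# Parse the command line into the script's globals.
# Globals:   BIN, KEY, OUTPUT, LOADADDR, BOOTCORE, DEBUG_TYPE, SWRV (written)
# Arguments: the script's "$@"
# Outputs:   usage text on -h or on a bad option (via usage)
# Returns:   exits 0 after -h, exits 1 on an unknown option or a missing
#            option argument
#######################################
parse_args() {
	local opt
	# Leading ':' puts getopts in silent mode: a missing argument then reaches
	# the ':' arm with OPTARG set, and an unknown option reaches '?' with
	# OPTARG set, so the script's own messages name the option. -h takes no
	# argument, so it has no ':' after it.
	while getopts ":b:k:o:c:l:d:hr:" opt; do
		case "$opt" in
			b) BIN=$OPTARG ;;
			k) KEY=$OPTARG ;;
			o) OUTPUT=$OPTARG ;;
			l) LOADADDR=$OPTARG ;;
			c) BOOTCORE=$OPTARG ;;
			d) DEBUG_TYPE=$OPTARG ;;
			r) SWRV=$OPTARG ;;
			h)
				usage
				exit 0
				;;
			\?)
				usage "Invalid Option '-$OPTARG'"
				exit 1
				;;
			:)
				usage "Option '-$OPTARG' Needs an argument."
				exit 1
				;;
		esac
	done
}

parse_args "$@"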
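# A bare invocation is a mistake: show the help and fail.
if [ "$#" -eq 0 ]; then
	usage "Arguments missing"
	exit 1
fi

if [ -z "$BIN" ]; then
	usage "Bin file missing in arguments"
	exit 1
fi

# Fail here rather than later: with an unreadable input the digest and size
# computed below would be empty or zero and a certificate describing a bogus
# image would still be produced.
if [ ! -r "$BIN" ]; then
	usage "Bin file '$BIN' is not readable"
	exit 1
fi

# Generate rsa degenerate key if user doesn't provide a key
if [ -z "$KEY" ]; then
	if ! gen_degen_key; then
		printf 'ERROR: could not generate the rsa degenerate key\n' >&2
		exit 1
	fi
elif [ ! -r "$KEY" ]; then
	usage "Key file '$KEY' is not readable"
	exit 1
fi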
# Certificate type and boot-core options depend on which core the image is
# for: cores 0 (M3) and 16 (R5) are loaded by ROM, anything else by SYSFW.
case "$BOOTCORE" in
	0)  # BOOTCORE M3, loaded by ROM
		CERTTYPE=2
		;;
	16) # BOOTCORE R5, loaded by ROM
		CERTTYPE=1
		;;
	*)  # Non BOOTCORE, loaded by SYSFW
		# Options word: version nibble 1, then the SET flags (none) and the
		# CLR flags (0x100, clears FLAG_ARMV8_AARCH32) as 8 hex digits each.
		# Add input args option for SET and CLR flags.
		BOOTCORE_OPTS=$(printf "0x%01x%08x%08x" 1 0 0x100)
		# Set the cert type to zero.
		# We are not using public/private key store now
		CERTTYPE=$(printf "0x%08x" 0)
		;;
esac
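#######################################
# Derive the per-image values the certificate template needs from $BIN.
# Globals:   BIN, LOADADDR (read)
#            BIN_SIZE (written) - size of the binary in bytes
#            ADDR     (written) - LOADADDR as 8 hex digits, without 0x
#            SHA_VAL  (written) - SHA-512 of the binary as hex
# Returns:   0 when all three could be computed, 1 otherwise
#######################################
compute_image_params() {
	# The file name is quoted so an empty BIN can never make wc or openssl
	# read stdin instead of a file. Arithmetic expansion normalises wc's
	# output, which some implementations pad with spaces.
	BIN_SIZE=$(wc -c < "$BIN") || return 1
	BIN_SIZE=$((BIN_SIZE))
	ADDR=$(printf "%08x" "$LOADADDR")
	# openssl prints "SHA512(<file>)= <hex>"; keep only the hex part.
	SHA_VAL=$(openssl dgst -sha512 -hex "$BIN" | sed -e "s/^.*= //g")
	[ -n "$SHA_VAL" ] || return 1
}

compute_image_params || printf 'ERROR: could not digest %s\n' "$BIN" >&2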
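#######################################
# Fill the x509 template with this image's values and build the DER
# certificate with the signing key.
# Globals:   BIN_SIZE, SHA_VAL, CERTTYPE, BOOTCORE_OPTS, BOOTCORE, ADDR,
#            DEBUG_TYPE, SWRV, KEY, TEMP_X509, CERT (read)
# Outputs:   $TEMP_X509 (filled-in openssl config) and $CERT (DER certificate)
# Returns:   0 on success; non-zero if the template could not be filled or
#            openssl failed to create the certificate
#######################################
gen_cert() {
	# TEST_BOOT_CORE_OPTS must be substituted before TEST_BOOT_CORE, which is
	# a prefix of it; the other substitutions are independent of each other.
	sed -e "s/TEST_IMAGE_LENGTH/$BIN_SIZE/" \
	    -e "s/TEST_IMAGE_SHA_VAL/$SHA_VAL/" \
	    -e "s/TEST_CERT_TYPE/$CERTTYPE/" \
	    -e "s/TEST_BOOT_CORE_OPTS/$BOOTCORE_OPTS/" \
	    -e "s/TEST_BOOT_CORE/$BOOTCORE/" \
	    -e "s/TEST_BOOT_ADDR/$ADDR/" \
	    -e "s/TEST_DEBUG_TYPE/$DEBUG_TYPE/" \
	    -e "s/TEST_SWRV/$SWRV/" \
	    x509-template.txt > "$TEMP_X509" || return 1
	# Self-signed, SHA-512, DER output; the key is the one given with -k or
	# the generated degenerate key. Paths are quoted so a key or output name
	# containing spaces is passed intact.
	openssl req -new -x509 -key "$KEY" -nodes -outform DER -out "$CERT" \
		-config "$TEMP_X509" -sha512
}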
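#######################################
# Remove the intermediate files; the generated key only when this run made it.
# Globals:   TEMP_X509, CERT, KEY, RAND_KEY (read)
#######################################
cleanup_intermediates() {
	rm -f -- "$TEMP_X509" "$CERT" x509-template.txt
	if [ "$KEY" == "$RAND_KEY" ]; then
		rm -f -- "$RAND_KEY"
	fi
}

# Write the template, build the certificate, then emit <certificate><binary>.
gen_template
# Refuse to write the output when no certificate was produced; an unchecked
# concatenation would silently yield an image with no certificate in front.
if ! gen_cert || [ ! -s "$CERT" ]; then
	printf 'ERROR: certificate generation failed, %s not written\n' "$OUTPUT" >&2
	cleanup_intermediates
	exit 1
fi
cat "$CERT" "$BIN" > "$OUTPUT"

# Remove all intermediate files
cleanup_intermediates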