Blame - tools/binman/btool/openssl.py - platform/external/u-boot

blob: aad3b61ae27ce58ad0e40e4d61a6319f18543318 [file] [log] [blame]

Simon Glass	953d417	2023-03-02 17:02:45 -0700	[diff] [blame]	1	# SPDX-License-Identifier: GPL-2.0+
				2	# Copyright 2022 Google LLC
				3	#
				4	"""Bintool implementation for openssl
				5
				6	openssl provides a number of features useful for signing images
				7
				8	Documentation is at https://www.coreboot.org/CBFS
				9
				10	Source code is at https://www.openssl.org/
				11	"""
				12
				13	import hashlib
				14
				15	from binman import bintool
				16	from u_boot_pylib import tools
				17
Neha Malcom Francis	7814482	2023-07-22 00:14:25 +0530	[diff] [blame]	18
				19	VALID_SHAS = [256, 384, 512, 224]
				20	SHA_OIDS = {256:'2.16.840.1.101.3.4.2.1',
				21	384:'2.16.840.1.101.3.4.2.2',
				22	512:'2.16.840.1.101.3.4.2.3',
				23	224:'2.16.840.1.101.3.4.2.4'}
				24
Simon Glass	953d417	2023-03-02 17:02:45 -0700	[diff] [blame]	25	class Bintoolopenssl(bintool.Bintool):
				26	"""openssl tool
				27
				28	This bintool supports creating new openssl certificates.
				29
				30	It also supports fetching a binary openssl
				31
				32	Documentation about openssl is at https://www.openssl.org/
				33	"""
				34	def __init__(self, name):
				35	super().__init__(
				36	name, 'openssl cryptography toolkit',
				37	version_regex=r'OpenSSL (.*) \(', version_args='version')
				38
				39	def x509_cert(self, cert_fname, input_fname, key_fname, cn, revision,
				40	config_fname):
				41	"""Create a certificate
				42
				43	Args:
				44	cert_fname (str): Filename of certificate to create
				45	input_fname (str): Filename containing data to sign
				46	key_fname (str): Filename of .pem file
				47	cn (str): Common name
				48	revision (int): Revision number
				49	config_fname (str): Filename to write fconfig into
				50
				51	Returns:
				52	str: Tool output
				53	"""
				54	indata = tools.read_file(input_fname)
				55	hashval = hashlib.sha512(indata).hexdigest()
				56	with open(config_fname, 'w', encoding='utf-8') as outf:
				57	print(f'''[ req ]
				58	distinguished_name = req_distinguished_name
				59	x509_extensions = v3_ca
				60	prompt = no
				61	dirstring_type = nobmp
				62
				63	[ req_distinguished_name ]
				64	CN = {cert_fname}
				65
				66	[ v3_ca ]
				67	basicConstraints = CA:true
				68	1.3.6.1.4.1.294.1.3 = ASN1:SEQUENCE:swrv
				69	1.3.6.1.4.1.294.1.34 = ASN1:SEQUENCE:sysfw_image_integrity
				70
				71	[ swrv ]
				72	swrv = INTEGER:{revision}
				73
				74	[ sysfw_image_integrity ]
				75	shaType = OID:2.16.840.1.101.3.4.2.3
				76	shaValue = FORMAT:HEX,OCT:{hashval}
				77	imageSize = INTEGER:{len(indata)}
				78	''', file=outf)
				79	args = ['req', '-new', '-x509', '-key', key_fname, '-nodes',
				80	'-outform', 'DER', '-out', cert_fname, '-config', config_fname,
				81	'-sha512']
				82	return self.run_cmd(*args)
				83
Neha Malcom Francis	7814482	2023-07-22 00:14:25 +0530	[diff] [blame]	84	def x509_cert_sysfw(self, cert_fname, input_fname, key_fname, sw_rev,
				85	config_fname, req_dist_name_dict):
				86	"""Create a certificate to be booted by system firmware
				87
				88	Args:
				89	cert_fname (str): Filename of certificate to create
				90	input_fname (str): Filename containing data to sign
				91	key_fname (str): Filename of .pem file
				92	sw_rev (int): Software revision
				93	config_fname (str): Filename to write fconfig into
				94	req_dist_name_dict (dict): Dictionary containing key-value pairs of
				95	req_distinguished_name section extensions, must contain extensions for
				96	C, ST, L, O, OU, CN and emailAddress
				97
				98	Returns:
				99	str: Tool output
				100	"""
				101	indata = tools.read_file(input_fname)
				102	hashval = hashlib.sha512(indata).hexdigest()
				103	with open(config_fname, 'w', encoding='utf-8') as outf:
				104	print(f'''[ req ]
				105	distinguished_name = req_distinguished_name
				106	x509_extensions = v3_ca
				107	prompt = no
				108	dirstring_type = nobmp
				109
				110	[ req_distinguished_name ]
				111	C = {req_dist_name_dict['C']}
				112	ST = {req_dist_name_dict['ST']}
				113	L = {req_dist_name_dict['L']}
				114	O = {req_dist_name_dict['O']}
				115	OU = {req_dist_name_dict['OU']}
				116	CN = {req_dist_name_dict['CN']}
				117	emailAddress = {req_dist_name_dict['emailAddress']}
				118
				119	[ v3_ca ]
				120	basicConstraints = CA:true
				121	1.3.6.1.4.1.294.1.3 = ASN1:SEQUENCE:swrv
				122	1.3.6.1.4.1.294.1.34 = ASN1:SEQUENCE:sysfw_image_integrity
				123	1.3.6.1.4.1.294.1.35 = ASN1:SEQUENCE:sysfw_image_load
				124
				125	[ swrv ]
				126	swrv = INTEGER:{sw_rev}
				127
				128	[ sysfw_image_integrity ]
				129	shaType = OID:2.16.840.1.101.3.4.2.3
				130	shaValue = FORMAT:HEX,OCT:{hashval}
				131	imageSize = INTEGER:{len(indata)}
				132
				133	[ sysfw_image_load ]
				134	destAddr = FORMAT:HEX,OCT:00000000
				135	authInPlace = INTEGER:2
				136	''', file=outf)
				137	args = ['req', '-new', '-x509', '-key', key_fname, '-nodes',
				138	'-outform', 'DER', '-out', cert_fname, '-config', config_fname,
				139	'-sha512']
				140	return self.run_cmd(*args)
				141
				142	def x509_cert_rom(self, cert_fname, input_fname, key_fname, sw_rev,
				143	config_fname, req_dist_name_dict, cert_type, bootcore,
				144	bootcore_opts, load_addr, sha):
				145	"""Create a certificate
				146
				147	Args:
				148	cert_fname (str): Filename of certificate to create
				149	input_fname (str): Filename containing data to sign
				150	key_fname (str): Filename of .pem file
				151	sw_rev (int): Software revision
				152	config_fname (str): Filename to write fconfig into
				153	req_dist_name_dict (dict): Dictionary containing key-value pairs of
				154	req_distinguished_name section extensions, must contain extensions for
				155	C, ST, L, O, OU, CN and emailAddress
				156	cert_type (int): Certification type
				157	bootcore (int): Booting core
				158	load_addr (int): Load address of image
				159	sha (int): Hash function
				160
				161	Returns:
				162	str: Tool output
				163	"""
				164	indata = tools.read_file(input_fname)
				165	hashval = hashlib.sha512(indata).hexdigest()
				166	with open(config_fname, 'w', encoding='utf-8') as outf:
				167	print(f'''
				168	[ req ]
				169	distinguished_name = req_distinguished_name
				170	x509_extensions = v3_ca
				171	prompt = no
				172	dirstring_type = nobmp
				173
				174	[ req_distinguished_name ]
				175	C = {req_dist_name_dict['C']}
				176	ST = {req_dist_name_dict['ST']}
				177	L = {req_dist_name_dict['L']}
				178	O = {req_dist_name_dict['O']}
				179	OU = {req_dist_name_dict['OU']}
				180	CN = {req_dist_name_dict['CN']}
				181	emailAddress = {req_dist_name_dict['emailAddress']}
				182
				183	[ v3_ca ]
				184	basicConstraints = CA:true
				185	1.3.6.1.4.1.294.1.1 = ASN1:SEQUENCE:boot_seq
				186	1.3.6.1.4.1.294.1.2 = ASN1:SEQUENCE:image_integrity
				187	1.3.6.1.4.1.294.1.3 = ASN1:SEQUENCE:swrv
				188	# 1.3.6.1.4.1.294.1.4 = ASN1:SEQUENCE:encryption
				189	1.3.6.1.4.1.294.1.8 = ASN1:SEQUENCE:debug
				190
				191	[ boot_seq ]
				192	certType = INTEGER:{cert_type}
				193	bootCore = INTEGER:{bootcore}
				194	bootCoreOpts = INTEGER:{bootcore_opts}
				195	destAddr = FORMAT:HEX,OCT:{load_addr:08x}
				196	imageSize = INTEGER:{len(indata)}
				197
				198	[ image_integrity ]
				199	shaType = OID:{SHA_OIDS[sha]}
				200	shaValue = FORMAT:HEX,OCT:{hashval}
				201
				202	[ swrv ]
				203	swrv = INTEGER:{sw_rev}
				204
				205	# [ encryption ]
				206	# initalVector = FORMAT:HEX,OCT:TEST_IMAGE_ENC_IV
				207	# randomString = FORMAT:HEX,OCT:TEST_IMAGE_ENC_RS
				208	# iterationCnt = INTEGER:TEST_IMAGE_KEY_DERIVE_INDEX
				209	# salt = FORMAT:HEX,OCT:TEST_IMAGE_KEY_DERIVE_SALT
				210
				211	[ debug ]
				212	debugUID = FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000
				213	debugType = INTEGER:4
				214	coreDbgEn = INTEGER:0
				215	coreDbgSecEn = INTEGER:0
				216	''', file=outf)
				217	args = ['req', '-new', '-x509', '-key', key_fname, '-nodes',
				218	'-outform', 'DER', '-out', cert_fname, '-config', config_fname,
				219	'-sha512']
				220	return self.run_cmd(*args)
				221
				222	def x509_cert_rom_combined(self, cert_fname, input_fname, key_fname, sw_rev,
				223	config_fname, req_dist_name_dict, load_addr, sha, total_size, num_comps,
				224	sysfw_inner_cert_ext_boot_sequence_string, dm_data_ext_boot_sequence_string,
				225	imagesize_sbl, hashval_sbl, load_addr_sysfw, imagesize_sysfw,
				226	hashval_sysfw, load_addr_sysfw_data, imagesize_sysfw_data,
				227	hashval_sysfw_data, sysfw_inner_cert_ext_boot_block,
				228	dm_data_ext_boot_block):
				229	"""Create a certificate
				230
				231	Args:
				232	cert_fname (str): Filename of certificate to create
				233	input_fname (str): Filename containing data to sign
				234	key_fname (str): Filename of .pem file
				235	sw_rev (int): Software revision
				236	config_fname (str): Filename to write fconfig into
				237	req_dist_name_dict (dict): Dictionary containing key-value pairs of
				238	req_distinguished_name section extensions, must contain extensions for
				239	C, ST, L, O, OU, CN and emailAddress
				240	cert_type (int): Certification type
				241	bootcore (int): Booting core
				242	load_addr (int): Load address of image
				243	sha (int): Hash function
				244
				245	Returns:
				246	str: Tool output
				247	"""
				248	indata = tools.read_file(input_fname)
				249	hashval = hashlib.sha512(indata).hexdigest()
				250	sha_type = SHA_OIDS[sha]
				251	with open(config_fname, 'w', encoding='utf-8') as outf:
				252	print(f'''
				253	[ req ]
				254	distinguished_name = req_distinguished_name
				255	x509_extensions = v3_ca
				256	prompt = no
				257	dirstring_type = nobmp
				258
				259	[ req_distinguished_name ]
				260	C = {req_dist_name_dict['C']}
				261	ST = {req_dist_name_dict['ST']}
				262	L = {req_dist_name_dict['L']}
				263	O = {req_dist_name_dict['O']}
				264	OU = {req_dist_name_dict['OU']}
				265	CN = {req_dist_name_dict['CN']}
				266	emailAddress = {req_dist_name_dict['emailAddress']}
				267
				268	[ v3_ca ]
				269	basicConstraints = CA:true
				270	1.3.6.1.4.1.294.1.3=ASN1:SEQUENCE:swrv
				271	1.3.6.1.4.1.294.1.9=ASN1:SEQUENCE:ext_boot_info
				272
				273	[swrv]
				274	swrv=INTEGER:{sw_rev}
				275
				276	[ext_boot_info]
				277	extImgSize=INTEGER:{total_size}
				278	numComp=INTEGER:{num_comps}
				279	sbl=SEQUENCE:sbl
				280	sysfw=SEQUENCE:sysfw
				281	sysfw_data=SEQUENCE:sysfw_data
				282	{sysfw_inner_cert_ext_boot_sequence_string}
				283	{dm_data_ext_boot_sequence_string}
				284
				285	[sbl]
				286	compType = INTEGER:1
				287	bootCore = INTEGER:16
				288	compOpts = INTEGER:0
				289	destAddr = FORMAT:HEX,OCT:{load_addr:08x}
				290	compSize = INTEGER:{imagesize_sbl}
				291	shaType = OID:{sha_type}
				292	shaValue = FORMAT:HEX,OCT:{hashval_sbl}
				293
				294	[sysfw]
				295	compType = INTEGER:2
				296	bootCore = INTEGER:0
				297	compOpts = INTEGER:0
				298	destAddr = FORMAT:HEX,OCT:{load_addr_sysfw:08x}
				299	compSize = INTEGER:{imagesize_sysfw}
				300	shaType = OID:{sha_type}
				301	shaValue = FORMAT:HEX,OCT:{hashval_sysfw}
				302
				303	[sysfw_data]
				304	compType = INTEGER:18
				305	bootCore = INTEGER:0
				306	compOpts = INTEGER:0
				307	destAddr = FORMAT:HEX,OCT:{load_addr_sysfw_data:08x}
				308	compSize = INTEGER:{imagesize_sysfw_data}
				309	shaType = OID:{sha_type}
				310	shaValue = FORMAT:HEX,OCT:{hashval_sysfw_data}
				311
				312	{sysfw_inner_cert_ext_boot_block}
				313
				314	{dm_data_ext_boot_block}
				315	''', file=outf)
				316	args = ['req', '-new', '-x509', '-key', key_fname, '-nodes',
				317	'-outform', 'DER', '-out', cert_fname, '-config', config_fname,
				318	'-sha512']
				319	return self.run_cmd(*args)
				320
Simon Glass	953d417	2023-03-02 17:02:45 -0700	[diff] [blame]	321	def fetch(self, method):
				322	"""Fetch handler for openssl
				323
				324	This installs the openssl package using the apt utility.
				325
				326	Args:
				327	method (FETCH_...): Method to use
				328
				329	Returns:
				330	True if the file was fetched and now installed, None if a method
				331	other than FETCH_BIN was requested
				332
				333	Raises:
				334	Valuerror: Fetching could not be completed
				335	"""
				336	if method != bintool.FETCH_BIN:
				337	return None
				338	return self.apt_install('openssl')