blob: b6d055f6f51f25e09ce9be17a5964f66cc4dc540 [file] [log] [blame]
Lokesh Vutlaca711862019-05-02 15:35:50 +05301#!/bin/bash
2# SPDX-License-Identifier: GPL-2.0+ OR BSD-3-Clause
3#
4# Script to add K3 specific x509 cetificate to a binary.
5#
6
7# Variables
8OUTPUT=tiboot3.bin
9TEMP_X509=x509-temp.cert
10CERT=certificate.bin
11RAND_KEY=eckey.pem
12LOADADDR=0x41c00000
13BOOTCORE_OPTS=0
14BOOTCORE=16
15
16gen_degen_template() {
17cat << 'EOF' > degen-template.txt
18
19asn1=SEQUENCE:rsa_key
20
21[rsa_key]
22version=INTEGER:0
23modulus=INTEGER:0xDEGEN_MODULUS
24pubExp=INTEGER:1
25privExp=INTEGER:1
26p=INTEGER:0xDEGEN_P
27q=INTEGER:0xDEGEN_Q
28e1=INTEGER:1
29e2=INTEGER:1
30coeff=INTEGER:0xDEGEN_COEFF
31EOF
32}
33
34# Generate x509 Template
35gen_template() {
36cat << 'EOF' > x509-template.txt
37 [ req ]
38 distinguished_name = req_distinguished_name
39 x509_extensions = v3_ca
40 prompt = no
41 dirstring_type = nobmp
42
43 [ req_distinguished_name ]
44 C = US
45 ST = TX
46 L = Dallas
47 O = Texas Instruments Incorporated
48 OU = Processors
49 CN = TI support
50 emailAddress = support@ti.com
51
52 [ v3_ca ]
53 basicConstraints = CA:true
54 1.3.6.1.4.1.294.1.1 = ASN1:SEQUENCE:boot_seq
55 1.3.6.1.4.1.294.1.2 = ASN1:SEQUENCE:image_integrity
56 1.3.6.1.4.1.294.1.3 = ASN1:SEQUENCE:swrv
57# 1.3.6.1.4.1.294.1.4 = ASN1:SEQUENCE:encryption
58 1.3.6.1.4.1.294.1.8 = ASN1:SEQUENCE:debug
59
60 [ boot_seq ]
61 certType = INTEGER:TEST_CERT_TYPE
62 bootCore = INTEGER:TEST_BOOT_CORE
63 bootCoreOpts = INTEGER:TEST_BOOT_CORE_OPTS
64 destAddr = FORMAT:HEX,OCT:TEST_BOOT_ADDR
65 imageSize = INTEGER:TEST_IMAGE_LENGTH
66
67 [ image_integrity ]
68 shaType = OID:2.16.840.1.101.3.4.2.3
69 shaValue = FORMAT:HEX,OCT:TEST_IMAGE_SHA_VAL
70
71 [ swrv ]
72 swrv = INTEGER:0
73
74# [ encryption ]
75# initalVector = FORMAT:HEX,OCT:TEST_IMAGE_ENC_IV
76# randomString = FORMAT:HEX,OCT:TEST_IMAGE_ENC_RS
77# iterationCnt = INTEGER:TEST_IMAGE_KEY_DERIVE_INDEX
78# salt = FORMAT:HEX,OCT:TEST_IMAGE_KEY_DERIVE_SALT
79
80 [ debug ]
81 debugUID = FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000
82 debugType = INTEGER:4
83 coreDbgEn = INTEGER:0
84 coreDbgSecEn = INTEGER:0
85EOF
86}
87
88parse_key() {
89 sed '/\ \ \ \ /s/://g' key.txt | awk '!/\ \ \ \ / {printf("\n%s\n", $0)}; /\ \ \ \ / {printf("%s", $0)}' | sed 's/\ \ \ \ //g' | awk "/$1:/{getline; print}"
90}
91
92gen_degen_key() {
93# Generate a 4096 bit RSA Key
94 openssl genrsa -out key.pem 1024 >>/dev/null 2>&1
95 openssl rsa -in key.pem -text -out key.txt >>/dev/null 2>&1
96 DEGEN_MODULUS=$( parse_key 'modulus' )
97 DEGEN_P=$( parse_key 'prime1' )
98 DEGEN_Q=$( parse_key 'prime2' )
99 DEGEN_COEFF=$( parse_key 'coefficient' )
100 gen_degen_template
101
102 sed -e "s/DEGEN_MODULUS/$DEGEN_MODULUS/"\
103 -e "s/DEGEN_P/$DEGEN_P/" \
104 -e "s/DEGEN_Q/$DEGEN_Q/" \
105 -e "s/DEGEN_COEFF/$DEGEN_COEFF/" \
106 degen-template.txt > degenerateKey.txt
107
108 openssl asn1parse -genconf degenerateKey.txt -out degenerateKey.der >>/dev/null 2>&1
109 openssl rsa -in degenerateKey.der -inform DER -outform PEM -out $RAND_KEY >>/dev/null 2>&1
110 KEY=$RAND_KEY
111 rm key.pem key.txt degen-template.txt degenerateKey.txt degenerateKey.der
112}
113
114declare -A options_help
115usage() {
116 if [ -n "$*" ]; then
117 echo "ERROR: $*"
118 fi
119 echo -n "Usage: $0 "
120 for option in "${!options_help[@]}"
121 do
122 arg=`echo ${options_help[$option]}|cut -d ':' -f1`
123 if [ -n "$arg" ]; then
124 arg=" $arg"
125 fi
126 echo -n "[-$option$arg] "
127 done
128 echo
129 echo -e "\nWhere:"
130 for option in "${!options_help[@]}"
131 do
132 arg=`echo ${options_help[$option]}|cut -d ':' -f1`
133 txt=`echo ${options_help[$option]}|cut -d ':' -f2`
134 tb="\t\t\t"
135 if [ -n "$arg" ]; then
136 arg=" $arg"
137 tb="\t"
138 fi
139 echo -e " -$option$arg:$tb$txt"
140 done
141 echo
142 echo "Examples of usage:-"
143 echo "# Example of signing the SYSFW binary with rsa degenerate key"
144 echo " $0 -c 0 -b ti-sci-firmware-am6x.bin -o sysfw.bin -l 0x40000"
145 echo "# Example of signing the SPL binary with rsa degenerate key"
146 echo " $0 -c 16 -b spl/u-boot-spl.bin -o tiboot3.bin -l 0x41c00000"
147}
148
149options_help[b]="bin_file:Bin file that needs to be signed"
150options_help[k]="key_file:file with key inside it. If not provided script generates a rsa degenerate key."
151options_help[o]="output_file:Name of the final output file. default to $OUTPUT"
152options_help[c]="core_id:target core id on which the image would be running. Default to $BOOTCORE"
153options_help[l]="loadaddr: Target load address of the binary in hex. Default to $LOADADDR"
154
155while getopts "b:k:o:c:l:h" opt
156do
157 case $opt in
158 b)
159 BIN=$OPTARG
160 ;;
161 k)
162 KEY=$OPTARG
163 ;;
164 o)
165 OUTPUT=$OPTARG
166 ;;
167 l)
168 LOADADDR=$OPTARG
169 ;;
170 c)
171 BOOTCORE=$OPTARG
172 ;;
173 h)
174 usage
175 exit 0
176 ;;
177 \?)
178 usage "Invalid Option '-$OPTARG'"
179 exit 1
180 ;;
181 :)
182 usage "Option '-$OPTARG' Needs an argument."
183 exit 1
184 ;;
185 esac
186done
187
188if [ "$#" -eq 0 ]; then
189 usage "Arguments missing"
190 exit 1
191fi
192
193if [ -z "$BIN" ]; then
194 usage "Bin file missing in arguments"
195 exit 1
196fi
197
198# Generate rsa degenerate key if user doesn't provide a key
199if [ -z "$KEY" ]; then
200 gen_degen_key
201fi
202
203if [ $BOOTCORE == 0 ]; then # BOOTCORE M3, loaded by ROM
204 CERTTYPE=2
205elif [ $BOOTCORE == 16 ]; then # BOOTCORE R5, loaded by ROM
206 CERTTYPE=1
207else # Non BOOTCORE, loaded by SYSFW
208 BOOTCORE_OPTS_VER=$(printf "%01x" 1)
209 # Add input args option for SET and CLR flags.
210 BOOTCORE_OPTS_SETFLAG=$(printf "%08x" 0)
211 BOOTCORE_OPTS_CLRFLAG=$(printf "%08x" 0x100) # Clear FLAG_ARMV8_AARCH32
212 BOOTCORE_OPTS="0x$BOOTCORE_OPTS_VER$BOOTCORE_OPTS_SETFLAG$BOOTCORE_OPTS_CLRFLAG"
213 # Set the cert type to zero.
214 # We are not using public/private key store now
215 CERTTYPE=$(printf "0x%08x" 0)
216fi
217
218SHA_VAL=`openssl dgst -sha512 -hex $BIN | sed -e "s/^.*= //g"`
219BIN_SIZE=`cat $BIN | wc -c`
220ADDR=`printf "%08x" $LOADADDR`
221
222gen_cert() {
223 #echo "Certificate being generated :"
224 #echo " LOADADDR = 0x$ADDR"
225 #echo " IMAGE_SIZE = $BIN_SIZE"
226 #echo " CERT_TYPE = $CERTTYPE"
227 sed -e "s/TEST_IMAGE_LENGTH/$BIN_SIZE/" \
228 -e "s/TEST_IMAGE_SHA_VAL/$SHA_VAL/" \
229 -e "s/TEST_CERT_TYPE/$CERTTYPE/" \
230 -e "s/TEST_BOOT_CORE_OPTS/$BOOTCORE_OPTS/" \
231 -e "s/TEST_BOOT_CORE/$BOOTCORE/" \
232 -e "s/TEST_BOOT_ADDR/$ADDR/" x509-template.txt > $TEMP_X509
233 openssl req -new -x509 -key $KEY -nodes -outform DER -out $CERT -config $TEMP_X509 -sha512
234}
235
236gen_template
237gen_cert
238cat $CERT $BIN > $OUTPUT
239
240# Remove all intermediate files
241rm $TEMP_X509 $CERT x509-template.txt
242if [ "$KEY" == "$RAND_KEY" ]; then
243 rm $RAND_KEY
244fi