From: Marc Kleine-Budde <mkl@pengutronix.de>
To: barebox@lists.infradead.org
Subject: [PATCH v3 2/3] images: add HABv4 support for i.MX6
Date: Mon, 13 Apr 2015 14:27:02 +0200 [thread overview]
Message-ID: <1428928023-13401-3-git-send-email-mkl@pengutronix.de> (raw)
In-Reply-To: <1428928023-13401-1-git-send-email-mkl@pengutronix.de>
This patch adds high assurance boot support (HABv4) image generation to
barebox, currently tested on i.MX6 only.
In order to build a signed barebox image, add a new image target to
images/Makefile.imx as illustrated in the diff below:
- - - a/images/Makefile.imx
+ + + b/images/Makefile.imx
@@ -163,10 +163,14 @@ image-$(CONFIG_MACH_SABRELITE) += barebox-freescale-imx6dl-sabrelite.img
pblx-$(CONFIG_MACH_SABRESD) += start_imx6q_sabresd
CFG_start_imx6q_sabresd.pblx.imximg = $(board)/freescale-mx6-sabresd/flash-header-mx6-sabresd.imxcfg
FILE_barebox-freescale-imx6q-sabresd.img = start_imx6q_sabresd.pblx.imximg
image-$(CONFIG_MACH_SABRESD) += barebox-freescale-imx6q-sabresd.img
+CSF_start_imx6q_sabresd.pblx.imximg = $(havb4_imx6csf)
+FILE_barebox-freescale-imx6q-sabresd-signed.img = start_imx6q_sabresd.pblx.imximg.signed
+image-$(CONFIG_MACH_SABRESD) += barebox-freescale-imx6q-sabresd-signed.img
+
Here the default i.MX6 CSF file $(havb4_imx6csf) is used, it's generated during
build on from the template "scripts/habv4/habv4-imx6.csf.in". You can configure
the paths to the SRK table and certificates via: System Type -> i.MX specific
settings -> HABv4 support.
The proprietary tool "cst" by Freescale tool is expected in the PATH.
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
arch/arm/mach-imx/Kconfig | 40 +++++++++++++++++++++++++++++++++
images/.gitignore | 2 ++
images/Makefile | 3 ++-
images/Makefile.imxhabv4 | 48 ++++++++++++++++++++++++++++++++++++++++
scripts/habv4/gencsf.sh | 47 +++++++++++++++++++++++++++++++++++++++
scripts/habv4/habv4-imx28.csf.in | 33 +++++++++++++++++++++++++++
scripts/habv4/habv4-imx6.csf.in | 37 +++++++++++++++++++++++++++++++
7 files changed, 209 insertions(+), 1 deletion(-)
create mode 100644 images/Makefile.imxhabv4
create mode 100755 scripts/habv4/gencsf.sh
create mode 100644 scripts/habv4/habv4-imx28.csf.in
create mode 100644 scripts/habv4/habv4-imx6.csf.in
diff --git a/arch/arm/mach-imx/Kconfig b/arch/arm/mach-imx/Kconfig
index 477207e646cd..caeb5a3b5aa1 100644
--- a/arch/arm/mach-imx/Kconfig
+++ b/arch/arm/mach-imx/Kconfig
@@ -676,6 +676,46 @@ config IMX_OCOTP_WRITE
mw -l -d /dev/imx-ocotp 0x8C 0x00001234
mw -l -d /dev/imx-ocotp 0x88 0x56789ABC
+config HABV4
+ tristate "HABv4 support"
+ depends on ARCH_IMX6
+ help
+ High Assurance Boot, as found on i.MX28/i.MX6.
+
+if HABV4
+
+config HABV4_TABLE_BIN
+ string "Path to SRK table"
+ default "../crts/SRK_1_2_3_4_table.bin"
+ help
+ Path to the Super Root Key (SRK) table, produced by the
+ Freescale Code Signing Tool (cst).
+
+ This file will be inserted into the Command Sequence File
+ (CSF) when using the CSF template that comes with barebox.
+
+config HABV4_CSF_CRT_PEM
+ string "Path to CSF certificate"
+ default "../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
+ help
+ Path to the Command Sequence File (CSF) certificate, produced by the
+ Freescale Public Key Infrastructure (PKI) script.
+
+ This file will be inserted into the Command Sequence File
+ (CSF) when using the CSF template that comes with barebox.
+
+config HABV4_IMG_CRT_PEM
+ string "Path to IMG certificate"
+ default "../crts/IMG_1_sha256_4096_65537_v3_usr_crt.pem"
+ help
+ Path to the Image certificate, produced by the Freescale
+ Public Key Infrastructure (PKI) script.
+
+ This file will be inserted into the Command Sequence File
+ (CSF) when using the CSF template that comes with barebox.
+
+endif
+
endmenu
endif
diff --git a/images/.gitignore b/images/.gitignore
index c5377d9f6531..b5004fe48fd6 100644
--- a/images/.gitignore
+++ b/images/.gitignore
@@ -3,6 +3,8 @@
*.pblb
*.img
*.imximg
+*.imximg.prep
+*.imximg.signed
*.map
*.src
*.kwbimg
diff --git a/images/Makefile b/images/Makefile
index 7c3aaf762767..1b188a1d2060 100644
--- a/images/Makefile
+++ b/images/Makefile
@@ -99,11 +99,12 @@ $(obj)/%.img: $(obj)/$$(FILE_$$(@F))
include $(srctree)/images/Makefile.am33xx
include $(srctree)/images/Makefile.imx
+include $(srctree)/images/Makefile.imxhabv4
include $(srctree)/images/Makefile.mvebu
+include $(srctree)/images/Makefile.mxs
include $(srctree)/images/Makefile.rockchip
include $(srctree)/images/Makefile.socfpga
include $(srctree)/images/Makefile.tegra
-include $(srctree)/images/Makefile.mxs
targets += $(image-y) pbl.lds barebox.x barebox.z
targets += $(patsubst %,%.pblx,$(pblx-y))
diff --git a/images/Makefile.imxhabv4 b/images/Makefile.imxhabv4
new file mode 100644
index 000000000000..9eb953841794
--- /dev/null
+++ b/images/Makefile.imxhabv4
@@ -0,0 +1,48 @@
+# -*-makefile-*-
+#
+# barebox image generation Makefile for HABv4 images
+#
+
+# default csf templates
+havb4_imx6csf = $(srctree)/scripts/habv4/habv4-imx6.csf.in
+habv4_imx2csf = $(srctree)/scripts/habv4/habv4-imx28.csf.in
+
+# %.imximg.prep - Convert in i.MX image, with preparation for signature
+# ----------------------------------------------------------------
+quiet_cmd_imx_prep_image = IMX-PREP-IMG $@
+ cmd_imx_prep_image = $(CPP) $(imxcfg_cpp_flags) -o $(imximg-tmp) $(word 2,$^) ; \
+ $< -o $@ -b -c $(imximg-tmp) -p -f $(word 3,$^)
+
+.SECONDEXPANSION:
+$(obj)/%.imximg.prep: $(objtree)/scripts/imx/imx-image $$(CFG_%.imximg) $(obj)/%
+ $(call if_changed,imx_prep_image)
+
+# %.habv4.csf - create Command Sequence File from template
+# ----------------------------------------------------------------
+quiet_cmd_csf = CSF $@
+ cmd_csf = TABLE_BIN=$(CONFIG_HABV4_TABLE_BIN) \
+ CSF_CRT_PEM=$(CONFIG_HABV4_CSF_CRT_PEM) \
+ IMG_CRT_PEM=$(CONFIG_HABV4_IMG_CRT_PEM) \
+ $< -f $(word 2,$^) -c $(word 3,$^) -i $(word 4,$^) -o $@
+
+.SECONDEXPANSION:
+$(obj)/%.habv4.csf: $(srctree)/scripts/habv4/gencsf.sh $(obj)/%.prep $$(CFG_%) $$(CSF_%)
+ $(call if_changed,csf)
+
+# %.habv4.sig - create signature and pad to 0x2000
+# ----------------------------------------------------------------
+CST = cst
+quiet_cmd_habv4_sig = HAB4SIG $@
+ cmd_habv4_sig = $(CST) -o $(imximg-tmp) < $(word 2,$^) > /dev/null; \
+ $(OBJCOPY) -I binary -O binary --pad-to 0x2000 --gap-fill=0x5a $(imximg-tmp) $@
+
+$(obj)/%.habv4.sig: $(obj)/%.prep $(obj)/%.habv4.csf
+ $(call if_changed,habv4_sig)
+
+# %.imximg.signed - concatenate bootloader and signature
+# ----------------------------------------------------------------
+quiet_cmd_cat = CAT $@
+ cmd_cat = cat $^ > $@
+
+$(obj)/%.imximg.signed: $(obj)/%.imximg.prep $(obj)/%.imximg.habv4.sig
+ $(call if_changed,cat)
diff --git a/scripts/habv4/gencsf.sh b/scripts/habv4/gencsf.sh
new file mode 100755
index 000000000000..2c1c34add43a
--- /dev/null
+++ b/scripts/habv4/gencsf.sh
@@ -0,0 +1,47 @@
+#!/bin/sh
+
+set -e
+
+while getopts "f:c:i:o:" opt; do
+ case $opt in
+ f)
+ file=$OPTARG
+ ;;
+ c)
+ cfg=$OPTARG
+ ;;
+ i)
+ in=$OPTARG
+ ;;
+ o)
+ out=$OPTARG
+ ;;
+ \?)
+ echo "Invalid option: -$OPTARG" >&2
+ exit 1
+ ;;
+ esac
+done
+
+if [ ! -e $file -o ! -e $cfg -o ! -e $in ]; then
+ echo "file not found!"
+ exit 1
+fi
+
+#
+# extract and set as shell vars:
+# loadaddr=
+# dcdofs=
+#
+eval $(sed -n -e "s/^[[:space:]]*\(loadaddr\|dcdofs\)[[:space:]]*\(0x[0-9]*\)/\1=\2/p" $cfg)
+
+length=$(stat -c '%s' $file)
+
+sed -e "s:@TABLE_BIN@:$TABLE_BIN:" \
+ -e "s:@CSF_CRT_PEM@:$CSF_CRT_PEM:" \
+ -e "s:@IMG_CRT_PEM@:$IMG_CRT_PEM:" \
+ -e "s:@LOADADDR@:$loadaddr:" \
+ -e "s:@OFFSET@:0:" \
+ -e "s:@LENGTH@:$length:" \
+ -e "s:@FILE@:$file:" \
+ $in > $out
diff --git a/scripts/habv4/habv4-imx28.csf.in b/scripts/habv4/habv4-imx28.csf.in
new file mode 100644
index 000000000000..5efd25b1e57a
--- /dev/null
+++ b/scripts/habv4/habv4-imx28.csf.in
@@ -0,0 +1,33 @@
+[Header]
+Version = 4.0
+Hash Algorithm = sha256
+Engine Configuration = 0
+Certificate Format = X509
+Signature Format = CMS
+Engine = DCP
+
+[Install SRK]
+File = "@TABLE_BIN@"
+# SRK index within SRK-Table 0..3
+Source index = 0
+
+[Install CSFK]
+File = "@CSF_CRT_PEM@"
+
+[Authenticate CSF]
+
+[Install Key]
+# verification key index in key store (0, 2...5)
+Verification index = 0
+# target key index in key store (2...5)
+Target index = 2
+File = "@IMG_CRT_PEM@"
+
+[Authenticate Data]
+# verification key index in key store (2...5)
+Verification index = 2
+# "starting load address in memory"
+# "starting offset within the source file"
+# "length (in bytes)"
+# "file (binary)"
+Blocks = @LOADADDR@ @OFFSET@ @LENGTH@ "@FILE@"
diff --git a/scripts/habv4/habv4-imx6.csf.in b/scripts/habv4/habv4-imx6.csf.in
new file mode 100644
index 000000000000..11a5db94946c
--- /dev/null
+++ b/scripts/habv4/habv4-imx6.csf.in
@@ -0,0 +1,37 @@
+[Header]
+Version = 4.1
+Hash Algorithm = sha256
+Engine Configuration = 0
+Certificate Format = X509
+Signature Format = CMS
+Engine = CAAM
+
+[Install SRK]
+File = "@TABLE_BIN@"
+# SRK index within SRK-Table 0..3
+Source index = 0
+
+[Install CSFK]
+File = "@CSF_CRT_PEM@"
+
+[Authenticate CSF]
+
+[Unlock]
+Engine = CAAM
+Features = RNG
+
+[Install Key]
+# verification key index in key store (0, 2...5)
+Verification index = 0
+# target key index in key store (2...5)
+Target index = 2
+File = "@IMG_CRT_PEM@"
+
+[Authenticate Data]
+# verification key index in key store (2...5)
+Verification index = 2
+# "starting load address in memory"
+# "starting offset within the source file"
+# "length (in bytes)"
+# "file (binary)"
+Blocks = @LOADADDR@ @OFFSET@ @LENGTH@ "@FILE@"
--
2.1.4
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
next prev parent reply other threads:[~2015-04-13 12:27 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-04-13 12:27 [PATCH v3 0/3] add habv4 " Marc Kleine-Budde
2015-04-13 12:27 ` [PATCH v3 1/3] imx-image: add option to prepare image for HAB signing Marc Kleine-Budde
2015-04-13 12:27 ` Marc Kleine-Budde [this message]
2015-04-13 12:27 ` [PATCH v3 3/3] habv4: add High Assurance Boot v4 Marc Kleine-Budde
2015-04-15 5:12 ` [PATCH v3 0/3] add habv4 support for i.MX6 Sascha Hauer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1428928023-13401-3-git-send-email-mkl@pengutronix.de \
--to=mkl@pengutronix.de \
--cc=barebox@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox