From: Sascha Hauer <s.hauer@pengutronix.de>
To: Barebox List <barebox@lists.infradead.org>
Subject: [PATCH 27/34] scripts: imx: Generate signed images with imx-image
Date: Tue, 2 Feb 2016 15:48:10 +0100
Message-ID: <1454424497-7157-28-git-send-email-s.hauer@pengutronix.de>
In-Reply-To: <1454424497-7157-1-git-send-email-s.hauer@pengutronix.de>

The imx-image tool can now generate signed images itself, so we can
switch to this mechanism:

- Move the CSF templates to header files which can be included by the
  flash config files
- remove images/Makefile.imxhabv4 which is no longer necessary.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
.../arm/mach-imx/include/mach/habv3-imx25-gencsf.h | 43 +++++++++++++++++++
arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h | 44 ++++++++++++++++++++
images/Makefile | 1 -
images/Makefile.imxhabv4 | 48 ----------------------
scripts/habv4/gencsf.sh | 47 ---------------------
scripts/habv4/habv4-imx28.csf.in | 33 ---------------
scripts/habv4/habv4-imx6.csf.in | 37 -----------------
7 files changed, 87 insertions(+), 166 deletions(-)
create mode 100644 arch/arm/mach-imx/include/mach/habv3-imx25-gencsf.h
create mode 100644 arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h
delete mode 100644 images/Makefile.imxhabv4
delete mode 100755 scripts/habv4/gencsf.sh
delete mode 100644 scripts/habv4/habv4-imx28.csf.in
delete mode 100644 scripts/habv4/habv4-imx6.csf.in
diff --git a/arch/arm/mach-imx/include/mach/habv3-imx25-gencsf.h b/arch/arm/mach-imx/include/mach/habv3-imx25-gencsf.h
new file mode 100644
index 0000000..4b81d49
--- /dev/null
+++ b/arch/arm/mach-imx/include/mach/habv3-imx25-gencsf.h
@@ -0,0 +1,43 @@
+/*
+ * This snippet can be included from a i.MX flash header configuration
+ * file for generating signed images. The necessary keys/certificates
+ * are expected in these config variables:
+ *
+ * CONFIG_HABV3_SRK_PEM
+ * CONFIG_HABV3_SRK_PEM
+ * CONFIG_HABV3_IMG_CRT_PEM
+ */
+super_root_key CONFIG_HABV3_SRK_PEM
+
+hab [Header]
+hab Version = 3.0
+hab Security Configuration = Engineering
+hab Hash Algorithm = SHA256
+hab Engine = RTIC
+hab Certificate Format = WTLS
+hab Signature Format = PKCS1
+hab UID = Generic
+hab Code = 0x00
+
+hab [Install SRK]
+hab File = "not-used"
+
+hab [Install CSFK]
+hab File = CONFIG_HABV3_CSF_CRT_DER
+
+hab [Authenticate CSF]
+/* below is the command that unlock the access to the DryIce registers */
+
+hab [Write Data]
+hab Width = 4
+hab Address Data = 0x53FFC03C 0xCA693569
+
+hab [Install Key]
+hab Verification index = 1
+hab Target index = 2
+hab File = CONFIG_HABV3_IMG_CRT_DER
+
+hab [Authenticate Data]
+hab Verification index = 2
+
+hab_blocks
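Review bot: The header comment of habv3-imx25-gencsf.h does not match the variables the file actually uses: it lists CONFIG_HABV3_SRK_PEM twice plus CONFIG_HABV3_IMG_CRT_PEM, while the body references CONFIG_HABV3_CSF_CRT_DER (under [Install CSFK]) and CONFIG_HABV3_IMG_CRT_DER (under [Install Key]). Please list CONFIG_HABV3_SRK_PEM, CONFIG_HABV3_CSF_CRT_DER and CONFIG_HABV3_IMG_CRT_DER so that whoever provisions the signing material knows which files must be DER rather than PEM. It would also help to add a short comment next to `hab Security Configuration = Engineering` saying whether this value is meant to be overridden for production images, since it is hard-coded in a shared include.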
diff --git a/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h b/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h
new file mode 100644
index 0000000..1a143a8
--- /dev/null
+++ b/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h
@@ -0,0 +1,44 @@
+/*
+ * This snippet can be included from a i.MX flash header configuration
+ * file for generating signed images. The necessary keys/certificates
+ * are expected in these config variables:
+ *
+ * CONFIG_HABV4_TABLE_BIN
+ * CONFIG_HABV4_CSF_CRT_PEM
+ * CONFIG_HABV4_IMG_CRT_PEM
+ */
+
+hab [Header]
+hab Version = 4.1
+hab Hash Algorithm = sha256
+hab Engine Configuration = 0
+hab Certificate Format = X509
+hab Signature Format = CMS
+hab Engine = CAAM
+
+hab [Install SRK]
+hab File = CONFIG_HABV4_TABLE_BIN
+hab # SRK index within SRK-Table 0..3
+hab Source index = 0
+
+hab [Install CSFK]
+hab File = CONFIG_HABV4_CSF_CRT_PEM
+
+hab [Authenticate CSF]
+
+hab [Unlock]
+hab Engine = CAAM
+hab Features = RNG
+
+hab [Install Key]
+/* verification key index in key store (0, 2...5) */
+hab Verification index = 0
+/* target key index in key store (2...5) */
+hab Target index = 2
+hab File = CONFIG_HABV4_IMG_CRT_PEM
+
+hab [Authenticate Data]
+/* verification key index in key store (2...5) */
+hab Verification index = 2
+
+hab_blocks
\ No newline at end of file
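Review bot: habv4-imx6-gencsf.h ends without a trailing newline (`\ No newline at end of file` right after `+hab_blocks`); as this file is meant to be included from flash config files, please terminate the last line. Two smaller points in the same file: `hab # SRK index within SRK-Table 0..3` is the only comment written as a `hab`-prefixed `#` line while every other comment uses /* */, so pick one style; and the `File =` values are no longer quoted as they were in the old template (`File = "@TABLE_BIN@"`), so the header comment should state that the CONFIG_HABV4_* values are expected to expand to quoted path strings.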
diff --git a/images/Makefile b/images/Makefile
index 6a44511..2422969 100644
--- a/images/Makefile
+++ b/images/Makefile
@@ -104,7 +104,6 @@ objboard = $(objtree)/arch/$(ARCH)/boards
include $(srctree)/images/Makefile.am33xx
include $(srctree)/images/Makefile.imx
-include $(srctree)/images/Makefile.imxhabv4
include $(srctree)/images/Makefile.mvebu
include $(srctree)/images/Makefile.mxs
include $(srctree)/images/Makefile.omap3
diff --git a/images/Makefile.imxhabv4 b/images/Makefile.imxhabv4
deleted file mode 100644
index 9eb9538..0000000
--- a/images/Makefile.imxhabv4
+++ /dev/null
@@ -1,48 +0,0 @@
-# -*-makefile-*-
-#
-# barebox image generation Makefile for HABv4 images
-#
-
-# default csf templates
-havb4_imx6csf = $(srctree)/scripts/habv4/habv4-imx6.csf.in
-habv4_imx2csf = $(srctree)/scripts/habv4/habv4-imx28.csf.in
-
-# %.imximg.prep - Convert in i.MX image, with preparation for signature
-# ----------------------------------------------------------------
-quiet_cmd_imx_prep_image = IMX-PREP-IMG $@
- cmd_imx_prep_image = $(CPP) $(imxcfg_cpp_flags) -o $(imximg-tmp) $(word 2,$^) ; \
- $< -o $@ -b -c $(imximg-tmp) -p -f $(word 3,$^)
-
-.SECONDEXPANSION:
-$(obj)/%.imximg.prep: $(objtree)/scripts/imx/imx-image $$(CFG_%.imximg) $(obj)/%
- $(call if_changed,imx_prep_image)
-
-# %.habv4.csf - create Command Sequence File from template
-# ----------------------------------------------------------------
-quiet_cmd_csf = CSF $@
- cmd_csf = TABLE_BIN=$(CONFIG_HABV4_TABLE_BIN) \
- CSF_CRT_PEM=$(CONFIG_HABV4_CSF_CRT_PEM) \
- IMG_CRT_PEM=$(CONFIG_HABV4_IMG_CRT_PEM) \
- $< -f $(word 2,$^) -c $(word 3,$^) -i $(word 4,$^) -o $@
-
-.SECONDEXPANSION:
-$(obj)/%.habv4.csf: $(srctree)/scripts/habv4/gencsf.sh $(obj)/%.prep $$(CFG_%) $$(CSF_%)
- $(call if_changed,csf)
-
-# %.habv4.sig - create signature and pad to 0x2000
-# ----------------------------------------------------------------
-CST = cst
-quiet_cmd_habv4_sig = HAB4SIG $@
- cmd_habv4_sig = $(CST) -o $(imximg-tmp) < $(word 2,$^) > /dev/null; \
- $(OBJCOPY) -I binary -O binary --pad-to 0x2000 --gap-fill=0x5a $(imximg-tmp) $@
-
-$(obj)/%.habv4.sig: $(obj)/%.prep $(obj)/%.habv4.csf
- $(call if_changed,habv4_sig)
-
-# %.imximg.signed - concatenate bootloader and signature
-# ----------------------------------------------------------------
-quiet_cmd_cat = CAT $@
- cmd_cat = cat $^ > $@
-
-$(obj)/%.imximg.signed: $(obj)/%.imximg.prep $(obj)/%.imximg.habv4.sig
- $(call if_changed,cat)
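Review bot: With the rules for %.imximg.prep, %.habv4.csf, %.habv4.sig and %.imximg.signed deleted, nothing in this patch produces a signed image any more, so any target that still depends on a .imximg.signed file stops building at this commit. The commit message should say which patch in the series supplies the replacement targets, to keep the series bisectable for boards that build signed images. It should also state whether imx-image reproduces the layout of the old flow, since the deleted cmd_habv4_sig padded the signature with `--pad-to 0x2000 --gap-fill=0x5a` and called the external `cst` tool; a changed signature size or padding is the kind of difference that only shows up as an authentication failure on the device.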
diff --git a/scripts/habv4/gencsf.sh b/scripts/habv4/gencsf.sh
deleted file mode 100755
index 2c1c34a..0000000
--- a/scripts/habv4/gencsf.sh
+++ /dev/null
@@ -1,47 +0,0 @@
-#!/bin/sh
-
-set -e
-
-while getopts "f:c:i:o:" opt; do
- case $opt in
- f)
- file=$OPTARG
- ;;
- c)
- cfg=$OPTARG
- ;;
- i)
- in=$OPTARG
- ;;
- o)
- out=$OPTARG
- ;;
- \?)
- echo "Invalid option: -$OPTARG" >&2
- exit 1
- ;;
- esac
-done
-
-if [ ! -e $file -o ! -e $cfg -o ! -e $in ]; then
- echo "file not found!"
- exit 1
-fi
-
-#
-# extract and set as shell vars:
-# loadaddr=
-# dcdofs=
-#
-eval $(sed -n -e "s/^[[:space:]]*\(loadaddr\|dcdofs\)[[:space:]]*\(0x[0-9]*\)/\1=\2/p" $cfg)
-
-length=$(stat -c '%s' $file)
-
-sed -e "s:@TABLE_BIN@:$TABLE_BIN:" \
- -e "s:@CSF_CRT_PEM@:$CSF_CRT_PEM:" \
- -e "s:@IMG_CRT_PEM@:$IMG_CRT_PEM:" \
- -e "s:@LOADADDR@:$loadaddr:" \
- -e "s:@OFFSET@:0:" \
- -e "s:@LENGTH@:$length:" \
- -e "s:@FILE@:$file:" \
- $in > $out
diff --git a/scripts/habv4/habv4-imx28.csf.in b/scripts/habv4/habv4-imx28.csf.in
deleted file mode 100644
index 5efd25b..0000000
--- a/scripts/habv4/habv4-imx28.csf.in
+++ /dev/null
@@ -1,33 +0,0 @@
-[Header]
-Version = 4.0
-Hash Algorithm = sha256
-Engine Configuration = 0
-Certificate Format = X509
-Signature Format = CMS
-Engine = DCP
-
-[Install SRK]
-File = "@TABLE_BIN@"
-# SRK index within SRK-Table 0..3
-Source index = 0
-
-[Install CSFK]
-File = "@CSF_CRT_PEM@"
-
-[Authenticate CSF]
-
-[Install Key]
-# verification key index in key store (0, 2...5)
-Verification index = 0
-# target key index in key store (2...5)
-Target index = 2
-File = "@IMG_CRT_PEM@"
-
-[Authenticate Data]
-# verification key index in key store (2...5)
-Verification index = 2
-# "starting load address in memory"
-# "starting offset within the source file"
-# "length (in bytes)"
-# "file (binary)"
-Blocks = @LOADADDR@ @OFFSET@ @LENGTH@ "@FILE@"
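Review bot: The i.MX28 template (Version = 4.0, Engine = DCP) is deleted here without a counterpart among the added headers, which cover only habv3-imx25 and habv4-imx6. The commit message says the CSF templates are moved to header files, which does not describe this file: either add an equivalent habv4-imx28 header or say explicitly in the commit message that the i.MX28 template is dropped and why. The old Makefile variable habv4_imx2csf pointed at this file, so it is worth checking that nothing else in the tree still expects it.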
diff --git a/scripts/habv4/habv4-imx6.csf.in b/scripts/habv4/habv4-imx6.csf.in
deleted file mode 100644
index 11a5db9..0000000
--- a/scripts/habv4/habv4-imx6.csf.in
+++ /dev/null
@@ -1,37 +0,0 @@
-[Header]
-Version = 4.1
-Hash Algorithm = sha256
-Engine Configuration = 0
-Certificate Format = X509
-Signature Format = CMS
-Engine = CAAM
-
-[Install SRK]
-File = "@TABLE_BIN@"
-# SRK index within SRK-Table 0..3
-Source index = 0
-
-[Install CSFK]
-File = "@CSF_CRT_PEM@"
-
-[Authenticate CSF]
-
-[Unlock]
-Engine = CAAM
-Features = RNG
-
-[Install Key]
-# verification key index in key store (0, 2...5)
-Verification index = 0
-# target key index in key store (2...5)
-Target index = 2
-File = "@IMG_CRT_PEM@"
-
-[Authenticate Data]
-# verification key index in key store (2...5)
-Verification index = 2
-# "starting load address in memory"
-# "starting offset within the source file"
-# "length (in bytes)"
-# "file (binary)"
-Blocks = @LOADADDR@ @OFFSET@ @LENGTH@ "@FILE@"
--
2.7.0.rc3