From: Sascha Hauer <s.hauer@pengutronix.de>
To: "open list:BAREBOX" <barebox@lists.infradead.org>
Subject: [PATCH 13/13] scripts: add k3sign
Date: Fri, 28 Feb 2025 08:17:01 +0100
Message-ID: <20250228-am625-secure-v1-13-4002488ff5ed@pengutronix.de>
In-Reply-To: <20250228-am625-secure-v1-0-4002488ff5ed@pengutronix.de>
This adds k3sign, which is a small example script to generate a
certificate from an input file suitable for verification against the K3
ROM API.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
scripts/k3sign | 126 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 126 insertions(+)
diff --git a/scripts/k3sign b/scripts/k3sign
new file mode 100755
index 0000000000..df66501eee
--- /dev/null
+++ b/scripts/k3sign
@@ -0,0 +1,126 @@
+#!/bin/bash
+
+set -e
+
+myname=${0##*/}
+
+usage() {
+ cat >&2 << EOL
+
+Sign an image suitable for authenticating with the K3 ROM API
+Usage:
+$myname options <INFILE>
+options:
+ --key <KEYFILE> The key to sign the image with
+ --out <OUTFILE> Write output to OUTFILE
+ --help This help
+EOL
+ exit 1
+}
+
+TEMP=$(getopt -o '' --long 'out:,key:,help' -n 'k3img' -- "$@")
+
+if [ $? -ne 0 ]; then
+ echo 'Terminating...' >&2
+ exit 1
+fi
+
+# Note the quotes around "$TEMP": they are essential!
+eval set -- "$TEMP"
+unset TEMP
+
+while true; do
+ case "$1" in
+ '--out')
+ out="$2"
+ shift 2
+ continue
+ ;;
+ '--key')
+ key="$2"
+ shift 2
+ continue
+ ;;
+ '--help')
+ usage
+ continue
+ ;;
+ '--')
+ shift
+ break
+ ;;
+ *)
+ echo 'Internal error!' >&2
+ exit 1
+ ;;
+ esac
+done
+
+if [ $# = 0 ]; then
+ echo "No input file given"
+ usage
+fi
+
+in=$1
+
+if [ -z "$out" ]; then
+ out=$in.cert
+fi
+
+if [ -z "$key" ]; then
+ echo "No key given (--key)"
+ exit 1
+fi
+
+filesha=$(sha512sum $in | sed 's/ .*//')
+filesize=$(stat -c%s $in)
+
+TMPDIR="$(mktemp -d)"
+trap 'rm -rf -- "$TMPDIR"' EXIT
+
+certcfg=${TMPDIR}/certcfg
+cert=${TMPDIR}/cert
+
+cat > $certcfg <<EndOfHereDocument
+[ req ]
+distinguished_name = req_distinguished_name
+x509_extensions = v3_ca
+prompt = no
+dirstring_type = nobmp
+
+[ req_distinguished_name ]
+C = US
+ST = TX
+L = Dallas
+O = Texas Instruments Incorporated
+OU = Processors
+CN = TI Support
+emailAddress = support@ti.com
+
+[ v3_ca ]
+basicConstraints = CA:true
+1.3.6.1.4.1.294.1.3 = ASN1:SEQUENCE:swrv
+1.3.6.1.4.1.294.1.34 = ASN1:SEQUENCE:sysfw_image_integrity
+1.3.6.1.4.1.294.1.35 = ASN1:SEQUENCE:sysfw_image_load
+1.3.6.1.4.1.294.1.37 = ASN1:SEQUENCE:firewall
+
+[ swrv ]
+swrv = INTEGER:1
+
+[ sysfw_image_integrity ]
+shaType = OID:2.16.840.1.101.3.4.2.3
+shaValue = FORMAT:HEX,OCT:$filesha
+imageSize = INTEGER:$filesize
+
+[ sysfw_image_load ]
+destAddr = FORMAT:HEX,OCT:00000000
+authInPlace = INTEGER:0x2
+
+[ firewall ]
+numFirewallRegions = INTEGER:0
+
+EndOfHereDocument
+
+openssl req -new -x509 -key $key -nodes -outform DER -out $cert -config $certcfg -sha512
+
+cat $cert $in > $out
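Review bot: the getopt error check `if [ $? -ne 0 ]; then` is unreachable because the script runs under `set -e`: a non-zero exit from the command substitution in `TEMP=$(getopt -o '' --long 'out:,key:,help' -n 'k3img' -- "$@")` aborts the script before the test is evaluated, so the 'Terminating...' message is never printed. Either test the substitution directly (`TEMP=$(getopt ...) || usage`) or drop the dead branch. In the same line, `-n 'k3img'` labels getopt's own error messages with another script's name; `-n "$myname"` matches the usage text. Further down, `$in`, `$key`, `$out`, `$cert` and `$certcfg` are expanded unquoted in `sha512sum $in`, `stat -c%s $in`, the `openssl req` call and `cat $cert $in > $out`, so input or key paths containing whitespace break the script and, for `sha512sum`, silently hash the wrong file; quoting these expansions is the usual fix. The `continue` after `usage` in the `--help` case is dead since `usage` exits, and `--help` exiting with status 1 is unusual; consider a `0` exit for the explicit help request.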
--
2.39.5