author | Marc Kleine-Budde <mkl@pengutronix.de> | 2015-04-13 14:27:02 +0200 |
committer | Sascha Hauer <s.hauer@pengutronix.de> | 2015-04-15 07:12:17 +0200 |
commit | d3be1ab1fcd20aa83af228df552eb74fa68c5c89 (patch) | |
tree | c79219b6dd840cb9e5003d8a89660a8481d77ec8 | |
parent | b6c786528b291733f979e57ae5e62803dfc44bbb (diff) | |
images: add HABv4 support for i.MX6
This patch adds high assurance boot support (HABv4) image generation to
barebox, currently tested on i.MX6 only.
In order to build a signed barebox image, add a new image target to
images/Makefile.imx as illustrated in the diff below:
- - - a/images/Makefile.imx
+ + + b/images/Makefile.imx
@@ -163,10 +163,14 @@ image-$(CONFIG_MACH_SABRELITE) += barebox-freescale-imx6dl-sabrelite.img
pblx-$(CONFIG_MACH_SABRESD) += start_imx6q_sabresd
CFG_start_imx6q_sabresd.pblx.imximg = $(board)/freescale-mx6-sabresd/flash-header-mx6-sabresd.imxcfg
FILE_barebox-freescale-imx6q-sabresd.img = start_imx6q_sabresd.pblx.imximg
image-$(CONFIG_MACH_SABRESD) += barebox-freescale-imx6q-sabresd.img
+CSF_start_imx6q_sabresd.pblx.imximg = $(havb4_imx6csf)
+FILE_barebox-freescale-imx6q-sabresd-signed.img = start_imx6q_sabresd.pblx.imximg.signed
+image-$(CONFIG_MACH_SABRESD) += barebox-freescale-imx6q-sabresd-signed.img
+
Here the default i.MX6 CSF file $(havb4_imx6csf) is used; it's generated during the
build from the template "scripts/habv4/habv4-imx6.csf.in". You can configure
the paths to the SRK table and certificates via: System Type -> i.MX specific
settings -> HABv4 support.
The proprietary tool "cst" by Freescale tool is expected in the PATH.
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
-rw-r--r-- | arch/arm/mach-imx/Kconfig | 40 | ||||
-rw-r--r-- | images/.gitignore | 2 | ||||
-rw-r--r-- | images/Makefile | 3 | ||||
-rw-r--r-- | images/Makefile.imxhabv4 | 48 | ||||
-rwxr-xr-x | scripts/habv4/gencsf.sh | 47 | ||||
-rw-r--r-- | scripts/habv4/habv4-imx28.csf.in | 33 | ||||
-rw-r--r-- | scripts/habv4/habv4-imx6.csf.in | 37 |
7 files changed, 209 insertions, 1 deletions
diff --git a/arch/arm/mach-imx/Kconfig b/arch/arm/mach-imx/Kconfig
index 4d257a87a6..c713477701 100644
--- a/arch/arm/mach-imx/Kconfig
+++ b/arch/arm/mach-imx/Kconfig
@@ -675,6 +675,46 @@ config IMX_OCOTP_WRITE
 mw -l -d /dev/imx-ocotp 0x8C 0x00001234
 mw -l -d /dev/imx-ocotp 0x88 0x56789ABC
+config HABV4
+ tristate "HABv4 support"
+ depends on ARCH_IMX6
+ help
+ High Assurance Boot, as found on i.MX28/i.MX6.
+
+if HABV4
+
+config HABV4_TABLE_BIN
+ string "Path to SRK table"
+ default "../crts/SRK_1_2_3_4_table.bin"
+ help
+ Path to the Super Root Key (SRK) table, produced by the
+ Freescale Code Signing Tool (cst).
+
+ This file will be inserted into the Command Sequence File
+ (CSF) when using the CSF template that comes with barebox.
+
+config HABV4_CSF_CRT_PEM
+ string "Path to CSF certificate"
+ default "../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
+ help
+ Path to the Command Sequence File (CSF) certificate, produced by the
+ Freescale Public Key Infrastructure (PKI) script.
+
+ This file will be inserted into the Command Sequence File
+ (CSF) when using the CSF template that comes with barebox.
+
+config HABV4_IMG_CRT_PEM
+ string "Path to IMG certificate"
+ default "../crts/IMG_1_sha256_4096_65537_v3_usr_crt.pem"
+ help
+ Path to the Image certificate, produced by the Freescale
+ Public Key Infrastructure (PKI) script.
+
+ This file will be inserted into the Command Sequence File
+ (CSF) when using the CSF template that comes with barebox.
+
+endif
+
 endmenu
 endif
diff --git a/images/.gitignore b/images/.gitignore
index c5377d9f65..b5004fe48f 100644
--- a/images/.gitignore
+++ b/images/.gitignore
@@ -3,6 +3,8 @@
 *.pblb
 *.img
 *.imximg
+*.imximg.prep
+*.imximg.signed
 *.map
 *.src
 *.kwbimg
diff --git a/images/Makefile b/images/Makefile
index c01179081d..587cb2651f 100644
--- a/images/Makefile
+++ b/images/Makefile
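Review bot: `config HABV4` at the top of the added block is declared `tristate` although nothing here is built as a module — it only gates three host-side path strings consumed at image-build time — so `bool "HABv4 support"` is the appropriate type. `depends on ARCH_IMX6` disagrees with the help text right below it (`as found on i.MX28/i.MX6`) and with the i.MX28 CSF template this same commit adds; either widen the dependency or narrow the help text to the i.MX6-only support the commit message says was tested. The three `default "../crts/..."` values are relative paths whose base directory the help texts never state; they end up verbatim in the CSF that `cst` reads, so each help should say what they are resolved against — presumably the directory `cst` is invoked from, i.e. the build tree's top level, to be confirmed — e.g. `Relative paths are resolved from the directory cst is run in (the build directory).`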
@@ -102,11 +102,12 @@ objboard = $(objtree)/arch/$(ARCH)/boards
 include $(srctree)/images/Makefile.am33xx
 include $(srctree)/images/Makefile.imx
+include $(srctree)/images/Makefile.imxhabv4
 include $(srctree)/images/Makefile.mvebu
+include $(srctree)/images/Makefile.mxs
 include $(srctree)/images/Makefile.rockchip
 include $(srctree)/images/Makefile.socfpga
 include $(srctree)/images/Makefile.tegra
-include $(srctree)/images/Makefile.mxs
 targets += $(image-y) pbl.lds barebox.x barebox.z
 targets += $(patsubst %,%.pblx,$(pblx-y))
diff --git a/images/Makefile.imxhabv4 b/images/Makefile.imxhabv4
new file mode 100644
index 0000000000..9eb9538417
--- /dev/null
+++ b/images/Makefile.imxhabv4
@@ -0,0 +1,48 @@
+# -*-makefile-*-
+#
+# barebox image generation Makefile for HABv4 images
+#
+
+# default csf templates
+havb4_imx6csf = $(srctree)/scripts/habv4/habv4-imx6.csf.in
+habv4_imx2csf = $(srctree)/scripts/habv4/habv4-imx28.csf.in
+
+# %.imximg.prep - Convert in i.MX image, with preparation for signature
+# ----------------------------------------------------------------
+quiet_cmd_imx_prep_image = IMX-PREP-IMG $@
+ cmd_imx_prep_image = $(CPP) $(imxcfg_cpp_flags) -o $(imximg-tmp) $(word 2,$^) ; \
+ $< -o $@ -b -c $(imximg-tmp) -p -f $(word 3,$^)
+
+.SECONDEXPANSION:
+$(obj)/%.imximg.prep: $(objtree)/scripts/imx/imx-image $$(CFG_%.imximg) $(obj)/%
+ $(call if_changed,imx_prep_image)
+
+# %.habv4.csf - create Command Sequence File from template
+# ----------------------------------------------------------------
+quiet_cmd_csf = CSF $@
+ cmd_csf = TABLE_BIN=$(CONFIG_HABV4_TABLE_BIN) \
+ CSF_CRT_PEM=$(CONFIG_HABV4_CSF_CRT_PEM) \
+ IMG_CRT_PEM=$(CONFIG_HABV4_IMG_CRT_PEM) \
+ $< -f $(word 2,$^) -c $(word 3,$^) -i $(word 4,$^) -o $@
+
+.SECONDEXPANSION:
+$(obj)/%.habv4.csf: $(srctree)/scripts/habv4/gencsf.sh $(obj)/%.prep $$(CFG_%) $$(CSF_%)
+ $(call if_changed,csf)
+
+# %.habv4.sig - create signature and pad to 0x2000
+# ----------------------------------------------------------------
+CST = cst
+quiet_cmd_habv4_sig = HAB4SIG $@
+ cmd_habv4_sig = $(CST) -o $(imximg-tmp) < $(word 2,$^) > /dev/null; \
+ $(OBJCOPY) -I binary -O binary --pad-to 0x2000 --gap-fill=0x5a $(imximg-tmp) $@
+
+$(obj)/%.habv4.sig: $(obj)/%.prep $(obj)/%.habv4.csf
+ $(call if_changed,habv4_sig)
+
+# %.imximg.signed - concatenate bootloader and signature
+# ----------------------------------------------------------------
+quiet_cmd_cat = CAT $@
+ cmd_cat = cat $^ > $@
+
+$(obj)/%.imximg.signed: $(obj)/%.imximg.prep $(obj)/%.imximg.habv4.sig
+ $(call if_changed,cat)
diff --git a/scripts/habv4/gencsf.sh b/scripts/habv4/gencsf.sh
new file mode 100755
index 0000000000..2c1c34add4
--- /dev/null
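Review bot: `cmd_habv4_sig` chains the `$(CST)` step and the `$(OBJCOPY)` step with `;`, so when `cst` fails (not in PATH, unreadable key or certificate, rejected CSF) `objcopy` still runs, and a stale `$(imximg-tmp)` left by an earlier run would be padded into `%.habv4.sig` and concatenated into a `.signed` image that carries no valid signature while the build reports success. `cmd_imx_prep_image` has the same `;` between `$(CPP)` and `imx-image`; both should be `&&` so a failed step fails the recipe: `cmd_habv4_sig = $(CST) -o $(imximg-tmp) < $(word 2,$^) > /dev/null && \` and `cmd_imx_prep_image = $(CPP) $(imxcfg_cpp_flags) -o $(imximg-tmp) $(word 2,$^) && \`. `$(imximg-tmp)` is defined outside this file, but if it is a single fixed scratch path as its name suggests, two prep or sig recipes running under `make -j` would overwrite each other's intermediate; deriving the temp name from `$@` (e.g. `$@.tmp`) avoids that. The template variables `havb4_imx6csf` and `habv4_imx2csf` misspell `habv4` and `imx28` respectively; renaming them means updating the `$(havb4_imx6csf)` reference in the commit message's example as well.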
+++ b/scripts/habv4/gencsf.sh
@@ -0,0 +1,47 @@
+#!/bin/sh
+
+set -e
+
+while getopts "f:c:i:o:" opt; do
+ case $opt in
+ f)
+ file=$OPTARG
+ ;;
+ c)
+ cfg=$OPTARG
+ ;;
+ i)
+ in=$OPTARG
+ ;;
+ o)
+ out=$OPTARG
+ ;;
+ \?)
+ echo "Invalid option: -$OPTARG" >&2
+ exit 1
+ ;;
+ esac
+done
+
+if [ ! -e $file -o ! -e $cfg -o ! -e $in ]; then
+ echo "file not found!"
+ exit 1
+fi
+
+#
+# extract and set as shell vars:
+# loadaddr=
+# dcdofs=
+#
+eval $(sed -n -e "s/^[[:space:]]*\(loadaddr\|dcdofs\)[[:space:]]*\(0x[0-9]*\)/\1=\2/p" $cfg)
+
+length=$(stat -c '%s' $file)
+
+sed -e "s:@TABLE_BIN@:$TABLE_BIN:" \
+ -e "s:@CSF_CRT_PEM@:$CSF_CRT_PEM:" \
+ -e "s:@IMG_CRT_PEM@:$IMG_CRT_PEM:" \
+ -e "s:@LOADADDR@:$loadaddr:" \
+ -e "s:@OFFSET@:0:" \
+ -e "s:@LENGTH@:$length:" \
+ -e "s:@FILE@:$file:" \
+ $in > $out
diff --git a/scripts/habv4/habv4-imx28.csf.in b/scripts/habv4/habv4-imx28.csf.in
new file mode 100644
index 0000000000..5efd25b1e5
--- /dev/null
+++ b/scripts/habv4/habv4-imx28.csf.in
@@ -0,0 +1,33 @@
+[Header]
+Version = 4.0
+Hash Algorithm = sha256
+Engine Configuration = 0
+Certificate Format = X509
+Signature Format = CMS
+Engine = DCP
+
+[Install SRK]
+File = "@TABLE_BIN@"
+# SRK index within SRK-Table 0..3
+Source index = 0
+
+[Install CSFK]
+File = "@CSF_CRT_PEM@"
+
+[Authenticate CSF]
+
+[Install Key]
+# verification key index in key store (0, 2...5)
+Verification index = 0
+# target key index in key store (2...5)
+Target index = 2
+File = "@IMG_CRT_PEM@"
+
+[Authenticate Data]
+# verification key index in key store (2...5)
+Verification index = 2
+# "starting load address in memory"
+# "starting offset within the source file"
+# "length (in bytes)"
+# "file (binary)"
+Blocks = @LOADADDR@ @OFFSET@ @LENGTH@ "@FILE@"
diff --git a/scripts/habv4/habv4-imx6.csf.in b/scripts/habv4/habv4-imx6.csf.in
new file mode 100644
index 0000000000..11a5db9494
--- /dev/null
+++ b/scripts/habv4/habv4-imx6.csf.in
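Review bot: The existence check `if [ ! -e $file -o ! -e $cfg -o ! -e $in ]` expands its variables unquoted, so an omitted option (empty `$file`) produces `[ ! -e -o ...]`, which `test` misparses instead of reporting the missing argument, and `$out` is never validated, so `sed ... > $out` with `out` unset fails with a redirection error rather than a usage message. Use separate quoted tests that name the offender — `for f in "$file" "$cfg" "$in"; do [ -e "$f" ] || { echo "gencsf.sh: '$f' not found" >&2; exit 1; }; done` and `[ -n "$out" ] || { echo "gencsf.sh: -o is required" >&2; exit 1; }` — and quote `$cfg`, `$file`, `$in` and `$out` in the `sed` and `stat` calls further down; this also drops the `-o` operator inside `[ ]`, which POSIX marks obsolescent. The `eval $(sed ...)` line executes whatever `sed` prints from the imxcfg, and the capture `\(0x[0-9]*\)` accepts only decimal digits: for an address such as `0x2fc00000` (constructed example) the match stops at `0x2` and the hex tail reaches the assignment only because `sed` prints the unmatched remainder of the line — together with anything else that follows it; use `\(0x[0-9a-fA-F]*\).*` so the whole value is captured and nothing trailing on the line is passed to `eval`. `dcdofs` is extracted alongside `loadaddr` but never used in this script; drop it or comment why it is kept.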
@@ -0,0 +1,37 @@
+[Header]
+Version = 4.1
+Hash Algorithm = sha256
+Engine Configuration = 0
+Certificate Format = X509
+Signature Format = CMS
+Engine = CAAM
+
+[Install SRK]
+File = "@TABLE_BIN@"
+# SRK index within SRK-Table 0..3
+Source index = 0
+
+[Install CSFK]
+File = "@CSF_CRT_PEM@"
+
+[Authenticate CSF]
+
+[Unlock]
+Engine = CAAM
+Features = RNG
+
+[Install Key]
+# verification key index in key store (0, 2...5)
+Verification index = 0
+# target key index in key store (2...5)
+Target index = 2
+File = "@IMG_CRT_PEM@"
+
+[Authenticate Data]
+# verification key index in key store (2...5)
+Verification index = 2
+# "starting load address in memory"
+# "starting offset within the source file"
+# "length (in bytes)"
+# "file (binary)"
+Blocks = @LOADADDR@ @OFFSET@ @LENGTH@ "@FILE@"
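Review bot: The `[Unlock]` section (`Engine = CAAM`, `Features = RNG`) is the security-relevant difference between this template and habv4-imx28.csf.in, yet it is the only section without an explanatory comment while every index line has one. Add a comment above it stating the intent — presumably to leave the CAAM RNG for the operating system to instantiate rather than have HAB do it; confirm against the HAB documentation before stating it as fact — e.g. `# Unlock the CAAM RNG so the OS can instantiate it itself`. A one-line comment on `Version = 4.1` (versus `4.0` in the i.MX28 template) saying which HAB revision each template targets would save the next reader a lookup.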