author | Sascha Hauer <s.hauer@pengutronix.de> | 2016-02-08 08:26:35 +0100 |
---|---|---|
committer | Sascha Hauer <s.hauer@pengutronix.de> | 2016-02-08 08:26:35 +0100 |
commit | 6435fb09d8af3aeae7c6f8428f5e7ade15aca6f5 (patch) | |
tree | 47688a764f75d4c90ef2f233e214bea2d3110ffb /arch | |
parent | 129fb7d893a067232b28a471c4d24a0638404c95 (diff) | |
parent | 1db47f7616b1b9940e34c9b1d3ba17de36e957a0 (diff) | |
Merge branch 'for-next/hab'
Diffstat (limited to 'arch')
-rw-r--r-- | arch/arm/Makefile | 2 | ||||
-rw-r--r-- | arch/arm/mach-imx/Kconfig | 34 | ||||
-rw-r--r-- | arch/arm/mach-imx/include/mach/habv3-imx25-gencsf.h | 43 | ||||
-rw-r--r-- | arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h | 44 |
4 files changed, 122 insertions, 1 deletions
diff --git a/arch/arm/Makefile b/arch/arm/Makefile index 9ce16b9006..5ccdb83dc7 100644 --- a/arch/arm/Makefile +++ b/arch/arm/Makefile @@ -222,7 +222,7 @@ KBUILD_IMAGE := barebox.kwb barebox.kwbuart endif barebox.imximg: $(KBUILD_BINARY) FORCE - $(call if_changed,imx_image) + $(call if_changed,imx_image,$(CFG_$(@F)),) boarddir = $(srctree)/arch/arm/boards imxcfg-$(CONFIG_MACH_FREESCALE_MX53_SMD) += $(boarddir)/freescale-mx53-smd/flash-header.imxcfg diff --git a/arch/arm/mach-imx/Kconfig b/arch/arm/mach-imx/Kconfig index 3f6dd7743e..c631c33cf3 100644 --- a/arch/arm/mach-imx/Kconfig +++ b/arch/arm/mach-imx/Kconfig @@ -66,6 +66,12 @@ config ARCH_IMX_IMXIMAGE help if enabled the imx-image tool is compiled +config ARCH_IMX_IMXIMAGE_SSL_SUPPORT + bool + help + This enables SSL support for the imx-image tool. This is required + for created images for HABv3. This adds openssl to the build dependencies + config ARCH_IMX_XLOAD bool depends on ARCH_IMX51 @@ -695,8 +701,12 @@ config IMX_OCOTP_WRITE mw -l -d /dev/imx-ocotp 0x8C 0x00001234 mw -l -d /dev/imx-ocotp 0x88 0x56789ABC +config HAB + bool + config HABV4 tristate "HABv4 support" + select HAB depends on ARCH_IMX6 help High Assurance Boot, as found on i.MX28/i.MX6. @@ -735,6 +745,30 @@ config HABV4_IMG_CRT_PEM endif +config HABV3 + tristate "HABv3 support" + select HAB + select ARCH_IMX_IMXIMAGE_SSL_SUPPORT + depends on ARCH_IMX25 + help + High Assurance Boot, as found on i.MX25. + +if HABV3 + +config HABV3_SRK_PEM + string "Path to SRK Certificate (PEM)" + default "../crts/SRK1_sha256_2048_65537_v3_ca_x509_crt.pem" + +config HABV3_CSF_CRT_DER + string "Path to CSF certificate" + default "../crts/CSF1_1_sha256_2048_65537_v3_ca_crt.der" + +config HABV3_IMG_CRT_DER + string "Path to IMG certificate" + default "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.der" + +endif + endmenu endif 
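Review bot: The new recipe line `$(call if_changed,imx_image,$(CFG_$(@F)),)` relies on a computed variable name and a trailing empty argument, and neither is explained at the rule. The definition of `CFG_barebox.imximg` is not in this hunk; if it is ever unset, the second argument expands to nothing without any diagnostic, so the image command would presumably run without the intended configuration instead of failing. I would add a comment above the recipe, `# $(2): config looked up as CFG_<target file name>; $(3): intentionally empty for this image`, and consider making an empty `$(CFG_$(@F))` a hard error.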
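Review bot: The three new path options under `if HABV3` (`HABV3_SRK_PEM`, `HABV3_CSF_CRT_DER`, `HABV3_IMG_CRT_DER`) have no help text, and their defaults point to `../crts/`, outside the source tree, without saying what the path is resolved against. These files decide which key hierarchy a signed image chains to, so a default that resolves against an unexpected directory would silently pick up whatever certificate is there. A help entry per option, for example `Path to the SRK certificate (PEM), relative to <base directory>.`, would make the expectation explicit. In the `ARCH_IMX_IMXIMAGE_SSL_SUPPORT` help, "required for created images" reads better as `This is required for creating images for HABv3.`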
diff --git a/arch/arm/mach-imx/include/mach/habv3-imx25-gencsf.h b/arch/arm/mach-imx/include/mach/habv3-imx25-gencsf.h
new file mode 100644
index 0000000000..4b81d49203
--- /dev/null
+++ b/arch/arm/mach-imx/include/mach/habv3-imx25-gencsf.h
@@ -0,0 +1,43 @@
+/*
+ * This snippet can be included from a i.MX flash header configuration
+ * file for generating signed images. The necessary keys/certificates
+ * are expected in these config variables:
+ *
+ * CONFIG_HABV3_SRK_PEM
+ * CONFIG_HABV3_SRK_PEM
+ * CONFIG_HABV3_IMG_CRT_PEM
+ */
+super_root_key CONFIG_HABV3_SRK_PEM
+
+hab [Header]
+hab Version = 3.0
+hab Security Configuration = Engineering
+hab Hash Algorithm = SHA256
+hab Engine = RTIC
+hab Certificate Format = WTLS
+hab Signature Format = PKCS1
+hab UID = Generic
+hab Code = 0x00
+
+hab [Install SRK]
+hab File = "not-used"
+
+hab [Install CSFK]
+hab File = CONFIG_HABV3_CSF_CRT_DER
+
+hab [Authenticate CSF]
+/* below is the command that unlock the access to the DryIce registers */
+
+hab [Write Data]
+hab Width = 4
+hab Address Data = 0x53FFC03C 0xCA693569
+
+hab [Install Key]
+hab Verification index = 1
+hab Target index = 2
+hab File = CONFIG_HABV3_IMG_CRT_DER
+
+hab [Authenticate Data]
+hab Verification index = 2
+
+hab_blocks
diff --git a/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h b/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h
new file mode 100644
index 0000000000..1a143a8b18
--- /dev/null
+++ b/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h
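Review bot: The header comment of habv3-imx25-gencsf.h lists `CONFIG_HABV3_SRK_PEM` twice and `CONFIG_HABV3_IMG_CRT_PEM`, but the body uses `CONFIG_HABV3_CSF_CRT_DER` and `CONFIG_HABV3_IMG_CRT_DER`. The list should read `CONFIG_HABV3_SRK_PEM`, `CONFIG_HABV3_CSF_CRT_DER`, `CONFIG_HABV3_IMG_CRT_DER`. `hab Security Configuration = Engineering` is fixed in this shared snippet with no comment; if it has to match the device's fused security configuration (worth confirming against the HAB documentation), production boards would need a way to override it, and a comment should say so. The DryIce comment sits under `hab [Authenticate CSF]`, separated by a blank line from the command it describes. Moving it directly above `hab [Write Data]` would keep the magic value `0xCA693569` and its explanation together.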
@@ -0,0 +1,44 @@
+/*
+ * This snippet can be included from a i.MX flash header configuration
+ * file for generating signed images. The necessary keys/certificates
+ * are expected in these config variables:
+ *
+ * CONFIG_HABV4_TABLE_BIN
+ * CONFIG_HABV4_CSF_CRT_PEM
+ * CONFIG_HABV4_IMG_CRT_PEM
+ */
+
+hab [Header]
+hab Version = 4.1
+hab Hash Algorithm = sha256
+hab Engine Configuration = 0
+hab Certificate Format = X509
+hab Signature Format = CMS
+hab Engine = CAAM
+
+hab [Install SRK]
+hab File = CONFIG_HABV4_TABLE_BIN
+hab # SRK index within SRK-Table 0..3
+hab Source index = 0
+
+hab [Install CSFK]
+hab File = CONFIG_HABV4_CSF_CRT_PEM
+
+hab [Authenticate CSF]
+
+hab [Unlock]
+hab Engine = CAAM
+hab Features = RNG
+
+hab [Install Key]
+/* verification key index in key store (0, 2...5) */
+hab Verification index = 0
+/* target key index in key store (2...5) */
+hab Target index = 2
+hab File = CONFIG_HABV4_IMG_CRT_PEM
+
+hab [Authenticate Data]
+/* verification key index in key store (2...5) */
+hab Verification index = 2
+
+hab_blocks
\ No newline at end of file |
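Review bot: `hab Source index = 0` hard-codes the SRK slot for every board that includes this snippet, and its only explanation is the `hab # SRK index within SRK-Table 0..3` line, which uses a different comment style from the `/* */` comments elsewhere in the file. If the including file is run through the C preprocessor (the CONFIG_ names suggest so), the `/* */` comments are stripped while the `hab #` line is passed on to the tool. I would write it as `/* SRK index within the SRK table (0..3); must be the slot whose key issued CONFIG_HABV4_CSF_CRT_PEM */`. The `[Unlock]` of the CAAM `RNG` feature has no comment saying why it is needed, and the file ends without a trailing newline.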