authorMarc Kleine-Budde <mkl@pengutronix.de>2015-04-13 14:27:02 +0200
committerSascha Hauer <s.hauer@pengutronix.de>2015-04-15 07:12:17 +0200
commitd3be1ab1fcd20aa83af228df552eb74fa68c5c89 (patch)
treec79219b6dd840cb9e5003d8a89660a8481d77ec8 /scripts
parentb6c786528b291733f979e57ae5e62803dfc44bbb (diff)
images: add HABv4 support for i.MX6
This patch adds high assurance boot support (HABv4) image generation to barebox, currently tested on i.MX6 only. In order to build a signed barebox image, add a new image target to images/Makefile.imx as illustrated in the diff below: - - - a/images/Makefile.imx + + + b/images/Makefile.imx @@ -163,10 +163,14 @@ image-$(CONFIG_MACH_SABRELITE) += barebox-freescale-imx6dl-sabrelite.img pblx-$(CONFIG_MACH_SABRESD) += start_imx6q_sabresd CFG_start_imx6q_sabresd.pblx.imximg = $(board)/freescale-mx6-sabresd/flash-header-mx6-sabresd.imxcfg FILE_barebox-freescale-imx6q-sabresd.img = start_imx6q_sabresd.pblx.imximg image-$(CONFIG_MACH_SABRESD) += barebox-freescale-imx6q-sabresd.img +CSF_start_imx6q_sabresd.pblx.imximg = $(havb4_imx6csf) +FILE_barebox-freescale-imx6q-sabresd-signed.img = start_imx6q_sabresd.pblx.imximg.signed +image-$(CONFIG_MACH_SABRESD) += barebox-freescale-imx6q-sabresd-signed.img + Here the default i.MX6 CSF file $(havb4_imx6csf) is used; it is generated during the build from the template "scripts/habv4/habv4-imx6.csf.in". You can configure the paths to the SRK table and certificates via: System Type -> i.MX specific settings -> HABv4 support. The proprietary tool "cst" by Freescale is expected in the PATH. Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Diffstat (limited to 'scripts')
-rwxr-xr-xscripts/habv4/gencsf.sh47
-rw-r--r--scripts/habv4/habv4-imx28.csf.in33
-rw-r--r--scripts/habv4/habv4-imx6.csf.in37
3 files changed, 117 insertions, 0 deletions
diff --git a/scripts/habv4/gencsf.sh b/scripts/habv4/gencsf.sh
new file mode 100755
index 0000000000..2c1c34add4
--- /dev/null
+++ b/scripts/habv4/gencsf.sh
@@ -0,0 +1,47 @@
+#!/bin/sh
+
+set -e
+
+while getopts "f:c:i:o:" opt; do
+ case $opt in
+ f)
+ file=$OPTARG
+ ;;
+ c)
+ cfg=$OPTARG
+ ;;
+ i)
+ in=$OPTARG
+ ;;
+ o)
+ out=$OPTARG
+ ;;
+ \?)
+ echo "Invalid option: -$OPTARG" >&2
+ exit 1
+ ;;
+ esac
+done
+
+if [ ! -e $file -o ! -e $cfg -o ! -e $in ]; then
+ echo "file not found!"
+ exit 1
+fi
+
+#
+# extract and set as shell vars:
+# loadaddr=
+# dcdofs=
+#
+eval $(sed -n -e "s/^[[:space:]]*\(loadaddr\|dcdofs\)[[:space:]]*\(0x[0-9]*\)/\1=\2/p" $cfg)
+
+length=$(stat -c '%s' $file)
+
+sed -e "s:@TABLE_BIN@:$TABLE_BIN:" \
+ -e "s:@CSF_CRT_PEM@:$CSF_CRT_PEM:" \
+ -e "s:@IMG_CRT_PEM@:$IMG_CRT_PEM:" \
+ -e "s:@LOADADDR@:$loadaddr:" \
+ -e "s:@OFFSET@:0:" \
+ -e "s:@LENGTH@:$length:" \
+ -e "s:@FILE@:$file:" \
+ $in > $out
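Review bot: The `eval $(sed …)` line passes the rewritten config line to the shell, and because the sed expression is not anchored at its end, any text that follows the matched value on a `loadaddr` or `dcdofs` line in `$cfg` is evaluated as shell code during the signing step. Reading `loadaddr` with an anchored expression and a plain assignment removes the `eval`; `dcdofs` is extracted but not used anywhere in this script, and `[0-9]*` only handles hex values containing letters because the unmatched tail of the line is carried over. The existence test uses unquoted `$file`, `$cfg` and `$in` joined with `-o`, so an omitted option leaves an empty word and the check is unreliable, while `$out` and the `TABLE_BIN`, `CSF_CRT_PEM` and `IMG_CRT_PEM` environment variables are never checked, so an incomplete CSF can be written without an error. The values are also spliced into sed with `:` as the delimiter, so a path containing `:` or `&` would change the generated CSF. A sketch of the tightened checks and parsing follows; the regular expression assumes nothing else shares the `loadaddr` line, which should be confirmed against the imxcfg files in the tree.

```shell
# … unchanged: getopts loop …

for arg in "$file" "$cfg" "$in" "$out" "$TABLE_BIN" "$CSF_CRT_PEM" "$IMG_CRT_PEM"; do
	if [ -z "$arg" ]; then
		echo "missing option or environment variable" >&2
		exit 1
	fi
done

for f in "$file" "$cfg" "$in"; do
	if [ ! -e "$f" ]; then
		echo "file not found: $f" >&2
		exit 1
	fi
done

# accept only a bare hex value; nothing from $cfg reaches the shell parser
loadaddr=$(sed -n -e 's/^[[:space:]]*loadaddr[[:space:]]\{1,\}\(0x[0-9a-fA-F]\{1,\}\)[[:space:]]*$/\1/p' "$cfg" | head -n 1)
if [ -z "$loadaddr" ]; then
	echo "no loadaddr found in $cfg" >&2
	exit 1
fi

length=$(stat -c '%s' "$file")

# … unchanged: sed -e "s:@…@:…:" expressions …
	"$in" > "$out"
```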
diff --git a/scripts/habv4/habv4-imx28.csf.in b/scripts/habv4/habv4-imx28.csf.in
new file mode 100644
index 0000000000..5efd25b1e5
--- /dev/null
+++ b/scripts/habv4/habv4-imx28.csf.in
@@ -0,0 +1,33 @@
+[Header]
+Version = 4.0
+Hash Algorithm = sha256
+Engine Configuration = 0
+Certificate Format = X509
+Signature Format = CMS
+Engine = DCP
+
+[Install SRK]
+File = "@TABLE_BIN@"
+# SRK index within SRK-Table 0..3
+Source index = 0
+
+[Install CSFK]
+File = "@CSF_CRT_PEM@"
+
+[Authenticate CSF]
+
+[Install Key]
+# verification key index in key store (0, 2...5)
+Verification index = 0
+# target key index in key store (2...5)
+Target index = 2
+File = "@IMG_CRT_PEM@"
+
+[Authenticate Data]
+# verification key index in key store (2...5)
+Verification index = 2
+# "starting load address in memory"
+# "starting offset within the source file"
+# "length (in bytes)"
+# "file (binary)"
+Blocks = @LOADADDR@ @OFFSET@ @LENGTH@ "@FILE@"
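Review bot: `Source index = 0` under `[Install SRK]` is fixed in the template, so every generated CSF selects the first entry of the SRK table, and moving to another slot after a key has to be retired means editing the template by hand. Turning it into a substituted field like the others, for example a hypothetical `Source index = @SRK_INDEX@` filled in by gencsf.sh with a default of 0, would keep key rotation a build-configuration matter. The same fixed line appears in habv4-imx6.csf.in. A short comment above `[Authenticate Data]` stating that `@OFFSET@` is always 0 and `@LENGTH@` is the full file size, so the whole image is covered by the signature, would also help readers of the generated CSF.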
diff --git a/scripts/habv4/habv4-imx6.csf.in b/scripts/habv4/habv4-imx6.csf.in
new file mode 100644
index 0000000000..11a5db9494
--- /dev/null
+++ b/scripts/habv4/habv4-imx6.csf.in
@@ -0,0 +1,37 @@
+[Header]
+Version = 4.1
+Hash Algorithm = sha256
+Engine Configuration = 0
+Certificate Format = X509
+Signature Format = CMS
+Engine = CAAM
+
+[Install SRK]
+File = "@TABLE_BIN@"
+# SRK index within SRK-Table 0..3
+Source index = 0
+
+[Install CSFK]
+File = "@CSF_CRT_PEM@"
+
+[Authenticate CSF]
+
+[Unlock]
+Engine = CAAM
+Features = RNG
+
+[Install Key]
+# verification key index in key store (0, 2...5)
+Verification index = 0
+# target key index in key store (2...5)
+Target index = 2
+File = "@IMG_CRT_PEM@"
+
+[Authenticate Data]
+# verification key index in key store (2...5)
+Verification index = 2
+# "starting load address in memory"
+# "starting offset within the source file"
+# "length (in bytes)"
+# "file (binary)"
+Blocks = @LOADADDR@ @OFFSET@ @LENGTH@ "@FILE@"