From d3be1ab1fcd20aa83af228df552eb74fa68c5c89 Mon Sep 17 00:00:00 2001 From: Marc Kleine-Budde Date: Mon, 13 Apr 2015 14:27:02 +0200 Subject: images: add HABv4 support for i.MX6 This patch adds high assurance boot support (HABv4) image generation to barebox, currently tested on i.MX6 only. In order to build a signed barebox image, add a new image target to images/Makefile.imx as illustrated in the diff below: - - - a/images/Makefile.imx + + + b/images/Makefile.imx @@ -163,10 +163,14 @@ image-$(CONFIG_MACH_SABRELITE) += barebox-freescale-imx6dl-sabrelite.img pblx-$(CONFIG_MACH_SABRESD) += start_imx6q_sabresd CFG_start_imx6q_sabresd.pblx.imximg = $(board)/freescale-mx6-sabresd/flash-header-mx6-sabresd.imxcfg FILE_barebox-freescale-imx6q-sabresd.img = start_imx6q_sabresd.pblx.imximg image-$(CONFIG_MACH_SABRESD) += barebox-freescale-imx6q-sabresd.img +CSF_start_imx6q_sabresd.pblx.imximg = $(havb4_imx6csf) +FILE_barebox-freescale-imx6q-sabresd-signed.img = start_imx6q_sabresd.pblx.imximg.signed +image-$(CONFIG_MACH_SABRESD) += barebox-freescale-imx6q-sabresd-signed.img + Here the default i.MX6 CSF file $(havb4_imx6csf) is used; it is generated during the build from the template "scripts/habv4/habv4-imx6.csf.in". You can configure the paths to the SRK table and certificates via: System Type -> i.MX specific settings -> HABv4 support. The proprietary tool "cst" by Freescale is expected in the PATH. Signed-off-by: Marc Kleine-Budde Signed-off-by: Sascha Hauer --- scripts/habv4/gencsf.sh | 47 ++++++++++++++++++++++++++++++++++++++++ scripts/habv4/habv4-imx28.csf.in | 33 ++++++++++++++++++++++++++++ scripts/habv4/habv4-imx6.csf.in | 37 +++++++++++++++++++++++++++++++ 3 files changed, 117 insertions(+) create mode 100755 scripts/habv4/gencsf.sh create mode 100644 scripts/habv4/habv4-imx28.csf.in create mode 100644 scripts/habv4/habv4-imx6.csf.in (limited to 'scripts')
diff --git a/scripts/habv4/gencsf.sh b/scripts/habv4/gencsf.sh
new file mode 100755
index 0000000000..2c1c34add4
--- /dev/null
+++ b/scripts/habv4/gencsf.sh
@@ -0,0 +1,47 @@
+#!/bin/sh
+
+set -e
+
+while getopts "f:c:i:o:" opt; do
+ case $opt in
+ f)
+ file=$OPTARG
+ ;;
+ c)
+ cfg=$OPTARG
+ ;;
+ i)
+ in=$OPTARG
+ ;;
+ o)
+ out=$OPTARG
+ ;;
+ \?)
+ echo "Invalid option: -$OPTARG" >&2
+ exit 1
+ ;;
+ esac
+done
+
+if [ ! -e $file -o ! -e $cfg -o ! -e $in ]; then
+ echo "file not found!"
+ exit 1
+fi
+
+#
+# extract and set as shell vars:
+# loadaddr=
+# dcdofs=
+#
+eval $(sed -n -e "s/^[[:space:]]*\(loadaddr\|dcdofs\)[[:space:]]*\(0x[0-9]*\)/\1=\2/p" $cfg)
+
+length=$(stat -c '%s' $file)
+
+sed -e "s:@TABLE_BIN@:$TABLE_BIN:" \
+ -e "s:@CSF_CRT_PEM@:$CSF_CRT_PEM:" \
+ -e "s:@IMG_CRT_PEM@:$IMG_CRT_PEM:" \
+ -e "s:@LOADADDR@:$loadaddr:" \
+ -e "s:@OFFSET@:0:" \
+ -e "s:@LENGTH@:$length:" \
+ -e "s:@FILE@:$file:" \
+ $in > $out
diff --git a/scripts/habv4/habv4-imx28.csf.in b/scripts/habv4/habv4-imx28.csf.in
new file mode 100644
index 0000000000..5efd25b1e5
--- /dev/null
+++ b/scripts/habv4/habv4-imx28.csf.in
@@ -0,0 +1,33 @@
+[Header]
+Version = 4.0
+Hash Algorithm = sha256
+Engine Configuration = 0
+Certificate Format = X509
+Signature Format = CMS
+Engine = DCP
+
+[Install SRK]
+File = "@TABLE_BIN@"
+# SRK index within SRK-Table 0..3
+Source index = 0
+
+[Install CSFK]
+File = "@CSF_CRT_PEM@"
+
+[Authenticate CSF]
+
+[Install Key]
+# verification key index in key store (0, 2...5)
+Verification index = 0
+# target key index in key store (2...5)
+Target index = 2
+File = "@IMG_CRT_PEM@"
+
+[Authenticate Data]
+# verification key index in key store (2...5)
+Verification index = 2
+# "starting load address in memory"
+# "starting offset within the source file"
+# "length (in bytes)"
+# "file (binary)"
+Blocks = @LOADADDR@ @OFFSET@ @LENGTH@ "@FILE@"
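Review bot: In scripts/habv4/gencsf.sh the `eval $(sed …)` line passes more than `name=0x…` to the shell: the substitution is not anchored at the end, so whatever follows the number on a matching `loadaddr`/`dcdofs` line of `$cfg` stays in the output and is evaluated, and `[0-9]*` only yields a full hex address because that unmatched tail is kept. Matching hex digits and discarding the rest of the line limits eval to the two assignments: `eval "$(sed -n -e 's/^[[:space:]]*\(loadaddr\|dcdofs\)[[:space:]]*\(0x[0-9a-fA-F]*\).*/\1=\2/p' "$cfg")"`. The script also expands `$file`, `$cfg`, `$in` and `$out` unquoted and never checks that `$loadaddr`, `$TABLE_BIN`, `$CSF_CRT_PEM` or `$IMG_CRT_PEM` are non-empty, so a missing option or environment value produces a CSF with blank fields instead of stopping the build; a guard such as `: "${loadaddr:?loadaddr not found in $cfg}"` for each required value would make the signing step fail closed.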
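Review bot: `Source index = 0` under `[Install SRK]` in scripts/habv4/habv4-imx28.csf.in is fixed in the template, so selecting a different super root key from the SRK table (for example once key 0 is no longer to be used) means editing the file rather than changing configuration; the same line appears in habv4-imx6.csf.in. Consider making it a placeholder that gencsf.sh substitutes with a default of 0, e.g. `Source index = @SRK_INDEX@` (the placeholder name is only a suggestion). The commit message states the work is tested on i.MX6 only, so a first-line comment such as `# i.MX28 template (DCP engine), not yet tested` would keep users from assuming this file has been validated.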
diff --git a/scripts/habv4/habv4-imx6.csf.in b/scripts/habv4/habv4-imx6.csf.in
new file mode 100644
index 0000000000..11a5db9494
--- /dev/null
+++ b/scripts/habv4/habv4-imx6.csf.in
@@ -0,0 +1,37 @@
+[Header]
+Version = 4.1
+Hash Algorithm = sha256
+Engine Configuration = 0
+Certificate Format = X509
+Signature Format = CMS
+Engine = CAAM
+
+[Install SRK]
+File = "@TABLE_BIN@"
+# SRK index within SRK-Table 0..3
+Source index = 0
+
+[Install CSFK]
+File = "@CSF_CRT_PEM@"
+
+[Authenticate CSF]
+
+[Unlock]
+Engine = CAAM
+Features = RNG
+
+[Install Key]
+# verification key index in key store (0, 2...5)
+Verification index = 0
+# target key index in key store (2...5)
+Target index = 2
+File = "@IMG_CRT_PEM@"
+
+[Authenticate Data]
+# verification key index in key store (2...5)
+Verification index = 2
+# "starting load address in memory"
+# "starting offset within the source file"
+# "length (in bytes)"
+# "file (binary)"
+Blocks = @LOADADDR@ @OFFSET@ @LENGTH@ "@FILE@"
-- cgit v1.2.3
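Review bot: The `[Unlock]` section is the only command block in this template with no comment, and it is the one that relaxes a HAB default, so the reason for `Features = RNG` should be written next to it. If the intent is to leave CAAM RNG initialisation to the operating system's driver instead of HAB, a line such as `# keep HAB from instantiating the CAAM RNG; the OS driver does this later` above `Engine = CAAM` would record that. The exact effect should be confirmed against the CST documentation before the comment is committed, since the template itself does not state it.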