raw | patch | inline | side by side (parent: 598f0e4)
author | Andrew F. Davis <afd@ti.com> | |
Tue, 23 Apr 2019 14:21:13 +0000 (10:21 -0400) | ||
committer | Andreas Dannenberg <dannenberg@ti.com> | |
Wed, 24 Apr 2019 16:44:38 +0000 (11:44 -0500) |
This tool can be used to download and sign HS SYSFW images, add
support for this here. Usage is described in the README.
Signed-off-by: Andrew F. Davis <afd@ti.com>
support for this here. Usage is described in the README.
Signed-off-by: Andrew F. Davis <afd@ti.com>
Makefile | patch | blob | history | |
README.md | patch | blob | history |
diff --git a/Makefile b/Makefile
index 49e6b6b225ffb45361d219f1474990dba399ca76..96489c11ac641b10fb01cbdd0d01852111114413 100644 (file)
--- a/Makefile
+++ b/Makefile
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
+# The HS SYSFW will only work on HS hardware when signed with valid
+# keys, warn HS users if the SECDEV environment variable is not set
+ifdef HS
+ifeq ($(TI_SECURE_DEV_PKG),)
+$(warning TI_SECURE_DEV_PKG should be set for HS, defaults may not work)
+endif
+endif
+
# If using the default SYSFW make sure to manually copy/populate the unsigned
# image into the root folder of this repository.
SYSFW_PATH ?= ti-sci-firmware-am65x-gp.bin
+SYSFW_HS_PATH ?= ti-sci-firmware-am65x-hs-enc.bin
+SYSFW_HS_INNER_CERT_PATH ?= ti-sci-firmware-am65x-hs-cert.bin
+SYSFW_HS_CERTS_PATH ?= ti-sci-firmware-am65x-hs-certs.bin
# Must use FULL Git hash below, as it is used as part of an URL for direct DL
SYSFW_GIT_HASH ?= 77bd5534eb33c2f9654ab1b56fcdff4e8b7143e0
# URL to download SYSFW release binary from if not provided otherwise
SYSFW_DL_URL ?= https://git.ti.com/processor-firmware/ti-linux-firmware/blobs/raw/$(SYSFW_GIT_HASH)/ti-sysfw/$(SYSFW_PATH)
+SYSFW_HS_DL_URL ?= https://git.ti.com/processor-firmware/ti-linux-firmware/blobs/raw/$(SYSFW_GIT_HASH)/ti-sysfw/$(SYSFW_HS_PATH)
+SYSFW_HS_INNER_CERT_DL_URL ?= https://git.ti.com/processor-firmware/ti-linux-firmware/blobs/raw/$(SYSFW_GIT_HASH)/ti-sysfw/$(SYSFW_HS_INNER_CERT_PATH)
+
+# Set HS SYSFW image signing key
+ifdef HS
+KEY ?= $(TI_SECURE_DEV_PKG)/keys/custMpk.pem
+endif
CROSS_COMPILE ?= arm-linux-gnueabihf-
wget $(SYSFW_DL_URL)
@echo "Download SUCCESS!"
+$(SYSFW_HS_PATH):
+ @echo "Downloading HS SYSFW release image..."
+ wget $(SYSFW_HS_DL_URL)
+ @echo "Download SUCCESS!"
+
+$(SYSFW_HS_INNER_CERT_PATH):
+ @echo "Downloading HS SYSFW release certificate..."
+ wget $(SYSFW_HS_INNER_CERT_DL_URL)
+ @echo "Download SUCCESS!"
+
+ifdef HS
+$(SYSFW_HS_CERTS_PATH): $(SYSFW_HS_INNER_CERT_PATH)
+ @echo "Signing the SYSFW inner certificate with $(KEY) key...";
+ ./gen_x509_cert.sh -d -c m3 -b $< -o $@ -l 0x40000 -k $(KEY);
+
+sysfw.bin: $(SYSFW_HS_CERTS_PATH) $(SYSFW_HS_PATH)
+ cat $^ > $@
+else
sysfw.bin: $(SYSFW_PATH) sysfw_version
@echo "Signing the SYSFW release image with random key..."
./gen_x509_cert.sh -c m3 -b $< -o $@ -l 0x40000
+endif
$(ITS): $(BINS)
./gen_its.sh $(BINS) > $@
-rm $(BINS)
-rm $(ITB)
-rm $(ITS)
+ -rm $(SYSFW_HS_CERTS_PATH)
.PHONY: mrproper
mrproper: clean
-rm $(SYSFW_PATH)
+ -rm $(SYSFW_HS_PATH)
+ -rm $(SYSFW_HS_INNER_CERT_PATH)
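Review bot: The `$(SYSFW_HS_CERTS_PATH)` rule signs whatever `wget $(SYSFW_HS_INNER_CERT_DL_URL)` left on disk with the customer key, and none of the added rules checks the two HS downloads against an expected digest first. `SYSFW_GIT_HASH` in the URL pins the request, not the bytes received, and a truncated or substituted file stays in place as an up-to-date target because wget's output is never validated. I would add a verification line to both download recipes before anything is signed, for example `echo "$(SYSFW_HS_INNER_CERT_SHA256)  $@" | sha256sum -c -`, with the expected digests kept next to `SYSFW_GIT_HASH` (the variable name is only a suggestion). Separately, with `HS=1` and `TI_SECURE_DEV_PKG` unset, `KEY` expands to `/keys/custMpk.pem` and the build only warns; turning the `$(warning ...)` into `$(error ...)` would stop the build before `gen_x509_cert.sh` is run with a key path that is unlikely to be the intended one. The hunk headers are missing from this page, so the surrounding rules are only partly visible.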
diff --git a/README.md b/README.md
index 494914daa2d32bb0556fd604e00d5c78f5544c63..35640117a998f229047e0a89686e36fbd7a005bd 100644 (file)
--- a/README.md
+++ b/README.md
$ make mrproper
+Building SYSFW Image for High-Security(HS) devices
+--------------------------------------------------
+The process for building and image suitable for use with HS devices is similar
+to the above process with the following differences:
+
+The make commands should be appended with HS=1,
+
+ $ make HS=1
+
+The environment variable **TI_SECURE_DEV_PKG** should be defined to point to
+the TI Secure Development Tools package.
+
+There are two images downloaded and consumed by the build process.
+
+ * ti-sci-firmware-am65x-hs-enc.bin: Encrypted HS SYSFW image
+ * ti-sci-firmware-am65x-hs-cert.bin: Inner-certificate for HS SYSFW image
+
+The inner-certificate is signed by the key provided by the **TI_SECURE_DEV_PKG**
+path producing an outer-certificate. These images are then appended to produce
+the final **sysfw.bin** which is bundled with the configuration data exactly as
+the non-HS version above.
Important Notes
---------------