summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 06ee961)
raw | patch | inline | side by side (parent: 06ee961)
author | Badri S <badri@ti.com> | |
Thu, 3 Dec 2020 13:57:13 +0000 (19:27 +0530) | ||
committer | Sivaraj R <sivaraj@ti.com> | |
Mon, 7 Dec 2020 09:22:06 +0000 (03:22 -0600) |
sbl image signing in windows environment
Signed-off-by: Badri S <badri@ti.com>
Signed-off-by: Badri S <badri@ti.com>
packages/ti/board/utils/uniflash/target/build/uart_make.mk | patch | blob | history | |
packages/ti/boot/sbl/build/sbl_img.mk | patch | blob | history | |
packages/ti/boot/sbl/tools/tpr12SBLImageGen/windows/aarch64-none-elf-objcopy.exe | [new file with mode: 0755] | patch | blob |
packages/ti/build/makerules/common.mk | patch | blob | history | |
packages/ti/build/makerules/tpr12_x509template.txt | [new file with mode: 0755] | patch | blob |
packages/ti/build/makerules/tpr12rom_sign_non_secure.ps1 | [new file with mode: 0644] | patch | blob |
diff --git a/packages/ti/board/utils/uniflash/target/build/uart_make.mk b/packages/ti/board/utils/uniflash/target/build/uart_make.mk
index 26df17c0432ae27244be787400ce17f6054bbb76..b27cbc1c6a27db5e25908e108c2317862c5b39b8 100644 (file)
@@ -158,7 +158,11 @@ SBL_OBJ_COPY := $(TOOLCHAIN_PATH_GCC_ARCH64)/bin/$(GCC_ARCH64_BIN_PREFIX)-objcop
#SoCs like TPR12 do not have GCC tool. So we package it as part of SBL
#TI ARM CGT objcopy does not copy .data sections correctly so cannot be used
ifeq ("$(wildcard ${TOOLCHAIN_PATH_GCC_ARCH64})","")
+ifneq ($(OS),Windows_NT)
SBL_OBJ_COPY := ${PDK_SBL_COMP_PATH}/tools/tpr12SBLImageGen/unix/aarch64-none-elf-objcopy
+else
+SBL_OBJ_COPY := ${PDK_SBL_COMP_PATH}/tools/tpr12SBLImageGen/windows/aarch64-none-elf-objcopy.exe
+endif
endif
export SBL_OBJ_COPY
index b930f8aca7e8669d0ef5044b44303e8f01661f1e..3bf50440ea1954d9a7833608e1842c092c6589c3 100644 (file)
@@ -159,7 +159,11 @@ SBL_OBJ_COPY := $(TOOLCHAIN_PATH_GCC_ARCH64)/bin/$(GCC_ARCH64_BIN_PREFIX)-objcop
#SoCs like TPR12 do not have GCC tool. So we package it as part of SBL
#TI ARM CGT objcopy does not copy .data sections correctly so cannot be used
ifeq ("$(wildcard ${TOOLCHAIN_PATH_GCC_ARCH64})","")
+ifneq ($(OS),Windows_NT)
SBL_OBJ_COPY := ${PDK_SBL_COMP_PATH}/tools/tpr12SBLImageGen/unix/aarch64-none-elf-objcopy
+else
+SBL_OBJ_COPY := ${PDK_SBL_COMP_PATH}/tools/tpr12SBLImageGen/windows/aarch64-none-elf-objcopy.exe
+endif
endif
export SBL_OBJ_COPY
diff --git a/packages/ti/boot/sbl/tools/tpr12SBLImageGen/windows/aarch64-none-elf-objcopy.exe b/packages/ti/boot/sbl/tools/tpr12SBLImageGen/windows/aarch64-none-elf-objcopy.exe
new file mode 100755 (executable)
index 0000000..2bbbea2
Binary files /dev/null and b/packages/ti/boot/sbl/tools/tpr12SBLImageGen/windows/aarch64-none-elf-objcopy.exe differ
index 0000000..2bbbea2
Binary files /dev/null and b/packages/ti/boot/sbl/tools/tpr12SBLImageGen/windows/aarch64-none-elf-objcopy.exe differ
index 7a15dc11af9f1a3acd40440fd668ca2e65e9417a..4480819e701d0f8c04b206ab2e282ff041e6b797 100644 (file)
$(PDK_INSTALL_PATH)/ti/build/makerules/tpr12rom_sign_non_secure.sh -b $(SBL_BIN_PATH) -c R5 -k ${PDK_INSTALL_PATH}/ti/build/makerules/tpr12_gpkey.pem -i
cat R5-cert.bin $(SBL_BIN_PATH) > $(SBL_TIIMAGE_PATH)
else
- echo "Bypassing SBL signing as available only in unix environment presently"
+ powershell -executionpolicy unrestricted -command $(PDK_INSTALL_PATH)/ti/build/makerules/tpr12rom_sign_non_secure.ps1 -b $(SBL_BIN_PATH) -c R5 -k ${PDK_INSTALL_PATH}/ti/build/makerules/tpr12_gpkey.pem -o $(SBL_TIIMAGE_PATH)
endif
endif
$(ECHO) \# SBL image $@ created.
diff --git a/packages/ti/build/makerules/tpr12_x509template.txt b/packages/ti/build/makerules/tpr12_x509template.txt
--- /dev/null
@@ -0,0 +1,31 @@
+ [ req ]
+ distinguished_name = req_distinguished_name
+ x509_extensions = v3_ca
+ prompt = no
+
+ dirstring_type = nobmp
+
+ [ req_distinguished_name ]
+ C = US
+ ST = MD
+ L = Germantown
+ O = Texas Instruments., Inc.
+ OU = RADAR PROCESSOR
+ CN = Anonymous, Anonymous
+ emailAddress = anonymous@ti.com
+
+ [ v3_ca ]
+ basicConstraints = CA:true
+ 1.3.6.1.4.1.294.1.1=ASN1:SEQUENCE:boot_seq
+ 1.3.6.1.4.1.294.1.2=ASN1:SEQUENCE:image_integrity
+
+ [ boot_seq ]
+ certType = INTEGER:TEST_CERT_TYPE
+ bootCore = INTEGER:TEST_BOOT_CORE_ID
+ bootCoreOpts = INTEGER:TEST_BOOT_CORE_OPTS
+ destAddr = FORMAT:HEX,OCT:TEST_BOOT_ADDR
+ imageSize = INTEGER:TEST_IMAGE_LENGTH
+
+ [ image_integrity ]
+ shaType = OID:2.16.840.1.101.3.4.2.3
+ shaValue = FORMAT:HEX,OCT:TEST_IMAGE_SHA512
diff --git a/packages/ti/build/makerules/tpr12rom_sign_non_secure.ps1 b/packages/ti/build/makerules/tpr12rom_sign_non_secure.ps1
--- /dev/null
@@ -0,0 +1,133 @@
+#
+# windows script to add x509 certificate to binary/ELF
+param
+(
+ [string]$BIN,
+ [string]$KEY,
+ [string]$OUTPUT = $null,
+ [ValidateSet('R5','HSM')][string]$CERT_SIGN = 'R5'
+)
+
+#paths
+$SCRIPT_DIR = split-path -parent $MyInvocation.MyCommand.Definition
+$LOADADDR = '0x10200000'
+
+
+
+$WORK_DIR = [io.path]::GetFileNameWithoutExtension($BIN)
+
+#create working dir from input file
+#to allow parallel makes
+$WORK_DIR="$SCRIPT_DIR\$WORK_DIR"
+New-Item -ItemType Directory -Force -Path $WORK_DIR | Out-Null
+
+#variables
+$SHA = 'sha512'
+$TEMP_X509="$WORK_DIR\x509-temp.cert"
+$CERT="$WORK_DIR\$CERT_SIGN" + '-cert.bin'
+$VALID_CERT_SIGNS=@('R5', 'HSM')
+$X509_TEMPPLATE="$SCRIPT_DIR\tpr12_x509template.txt"
+
+
+# setup default output path if not specified
+if ( $OUTPUT.length -eq 0 ) {
+ $OUTPUT="$WORK_DIR\x509-firmware.bin"
+}
+
+#check if openssl is present
+Write-Host "Checking for OpenSSL..."
+try { Invoke-Expression "openssl version" }
+catch { Write-Host "Not found! Please install OpenSSL"
+ exit 1
+}
+
+$sha_oids = @{}
+$sha_oids.sha256='2.16.840.1.101.3.4.2.1'
+$sha_oids.sha384='2.16.840.1.101.3.4.2.2'
+$sha_oids.sha512='2.16.840.1.101.3.4.2.3'
+$sha_oids.sha224='2.16.840.1.101.3.4.2.4'
+
+$options_help = @{}
+function usage() {
+
+ if ( $args.count -ne 0 ) {
+ Write-Host "ERROR: $args"
+ }
+
+ Write-Host -NoNewline "Usage: $(split-path $MyInvocation.PSCommandPath -Leaf) "
+ foreach($option in $options_help.Keys) {
+ $param_short_desc = $options_help.$option.split(':')[0]
+ Write-Host -NoNewline "[-$option $param_short_desc] "
+ }
+ Write-Host ""
+ Write-Host "Where:"
+ foreach($option in $options_help.Keys) {
+ $param_short_desc, $param_long_desc = $options_help.$option.split(':')
+ Write-Host " -$option $param_short_desc$param_long_desc"
+ }
+ Write-Host 'Examples of usage:-'
+ Write-Host '# Generate x509 certificate from bin'
+ Write-Host " $(split-path $MyInvocation.PSCommandPath -Leaf) -b sbl_qspi_img_mcu1_0_release.bin -c R5 -k tpr12_gpkey.pem "
+}
+
+$options_help.b="bin_file:`t`ttBin file that needs to be signed"
+$options_help.k="key_file:`t`tFile with key inside it. If not provided script generates a random key."
+
+
+if ( $BIN.length -eq 0 ) {
+ usage "Input bin file missing"
+ exit 1
+}
+
+#Generate random key if user doesn't provide a key.
+if ( $KEY.length -eq 0 ) {
+ usage "key file missing"
+ exit 1
+}
+
+if ( "$CERT_SIGN" -eq 'R5' ) {
+ $BOOTCORE_ID=16
+ $CERT_TYPE=1
+ $BOOTCORE_OPTS=0
+} else {
+ $BOOTCORE_ID=0
+ $BOOTCORE_OPTS=0
+ $CERT_TYPE=2
+}
+
+$SHA_OID=$sha_oids.$SHA
+$SHA_VAL = $(Invoke-Expression "openssl dgst -$SHA -hex $BIN") -replace '.*= ', ''
+$BIN_SIZE=(Get-Item $BIN).length
+$ADDR = ([Int32]::Parse($LOADADDR.split('x')[1], 'HexNumber')).ToString('X8')
+
+function gen_cert() {
+ Write-Host "$CERT_SIGN Certificate being generated :"
+ Write-Host "`tX509_CFG = $TEMP_X509"
+ Write-Host "`tKEY = $KEY"
+ Write-Host "`tBIN = $BIN"
+ Write-Host "`tCERT TYPE = $CERT_SIGN"
+ Write-Host "`tCORE ID = $CERT_TYPE"
+ Write-Host "`tLOADADDR = 0x$ADDR"
+ Write-Host "`tIMAGE_SIZE = $BIN_SIZE"
+ $SSL_CONF_FILE = (Get-Content -Raw $X509_TEMPPLATE) | ForEach-Object {
+ $_.replace("TEST_IMAGE_LENGTH", "$BIN_SIZE").
+ replace("TEST_IMAGE_SHA_OID", "$SHA_OID").
+ replace("TEST_IMAGE_SHA512", "$SHA_VAL").
+ replace("TEST_CERT_TYPE", "$CERT_TYPE").
+ replace("TEST_BOOT_CORE_ID", "$BOOTCORE_ID").
+ replace("TEST_BOOT_CORE_OPTS", "$BOOTCORE_OPTS").
+ replace("TEST_BOOT_ADDR", "$ADDR")
+ }
+ [IO.File]::WriteAllText($TEMP_X509, $SSL_CONF_FILE)
+ Invoke-Expression "openssl req -new -x509 -key $KEY -nodes -outform DER -out $CERT -config $TEMP_X509 -$SHA -days 365"
+}
+
+gen_cert
+Get-Content $CERT, $BIN -Enc Byte -Read 512 | Set-Content $OUTPUT -Enc Byte
+
+Write-Host "SUCCESS: Image $OUTPUT generated. Good to boot"
+
+#Remove all intermediate files
+Remove-Item $TEMP_X509
+Remove-Item $CERT
+Remove-Item $WORK_DIR -Recurse
\ No newline at end of file