tpr12/sbl: support for sbl image signing in windows
authorBadri S <badri@ti.com>
Thu, 3 Dec 2020 13:57:13 +0000 (19:27 +0530)
committerSivaraj R <sivaraj@ti.com>
Mon, 7 Dec 2020 09:22:06 +0000 (03:22 -0600)
sbl image signing in windows environment

Signed-off-by: Badri S <badri@ti.com>
packages/ti/board/utils/uniflash/target/build/uart_make.mk
packages/ti/boot/sbl/build/sbl_img.mk
packages/ti/boot/sbl/tools/tpr12SBLImageGen/windows/aarch64-none-elf-objcopy.exe [new file with mode: 0755]
packages/ti/build/makerules/common.mk
packages/ti/build/makerules/tpr12_x509template.txt [new file with mode: 0755]
packages/ti/build/makerules/tpr12rom_sign_non_secure.ps1 [new file with mode: 0644]

index 26df17c0432ae27244be787400ce17f6054bbb76..b27cbc1c6a27db5e25908e108c2317862c5b39b8 100644 (file)
@@ -158,7 +158,11 @@ SBL_OBJ_COPY := $(TOOLCHAIN_PATH_GCC_ARCH64)/bin/$(GCC_ARCH64_BIN_PREFIX)-objcop
 #SoCs like TPR12 do not have GCC tool. So we package it as part of SBL
 #TI ARM CGT objcopy does not copy .data sections correctly so cannot be used
 ifeq ("$(wildcard ${TOOLCHAIN_PATH_GCC_ARCH64})","")
+ifneq ($(OS),Windows_NT)
 SBL_OBJ_COPY := ${PDK_SBL_COMP_PATH}/tools/tpr12SBLImageGen/unix/aarch64-none-elf-objcopy
+else
+SBL_OBJ_COPY := ${PDK_SBL_COMP_PATH}/tools/tpr12SBLImageGen/windows/aarch64-none-elf-objcopy.exe
+endif
 endif
 export SBL_OBJ_COPY
 
index b930f8aca7e8669d0ef5044b44303e8f01661f1e..3bf50440ea1954d9a7833608e1842c092c6589c3 100644 (file)
@@ -159,7 +159,11 @@ SBL_OBJ_COPY := $(TOOLCHAIN_PATH_GCC_ARCH64)/bin/$(GCC_ARCH64_BIN_PREFIX)-objcop
 #SoCs like TPR12 do not have GCC tool. So we package it as part of SBL
 #TI ARM CGT objcopy does not copy .data sections correctly so cannot be used
 ifeq ("$(wildcard ${TOOLCHAIN_PATH_GCC_ARCH64})","")
+ifneq ($(OS),Windows_NT)
 SBL_OBJ_COPY := ${PDK_SBL_COMP_PATH}/tools/tpr12SBLImageGen/unix/aarch64-none-elf-objcopy
+else
+SBL_OBJ_COPY := ${PDK_SBL_COMP_PATH}/tools/tpr12SBLImageGen/windows/aarch64-none-elf-objcopy.exe
+endif
 endif
 export SBL_OBJ_COPY
 
diff --git a/packages/ti/boot/sbl/tools/tpr12SBLImageGen/windows/aarch64-none-elf-objcopy.exe b/packages/ti/boot/sbl/tools/tpr12SBLImageGen/windows/aarch64-none-elf-objcopy.exe
new file mode 100755 (executable)
index 0000000..2bbbea2
Binary files /dev/null and b/packages/ti/boot/sbl/tools/tpr12SBLImageGen/windows/aarch64-none-elf-objcopy.exe differ
index 7a15dc11af9f1a3acd40440fd668ca2e65e9417a..4480819e701d0f8c04b206ab2e282ff041e6b797 100644 (file)
@@ -646,7 +646,7 @@ ifneq ($(OS),Windows_NT)
        $(PDK_INSTALL_PATH)/ti/build/makerules/tpr12rom_sign_non_secure.sh -b $(SBL_BIN_PATH) -c R5 -k ${PDK_INSTALL_PATH}/ti/build/makerules/tpr12_gpkey.pem -i
        cat R5-cert.bin $(SBL_BIN_PATH) > $(SBL_TIIMAGE_PATH)
 else
-       echo "Bypassing SBL signing as available only in unix environment presently"
+       powershell -executionpolicy unrestricted -command $(PDK_INSTALL_PATH)/ti/build/makerules/tpr12rom_sign_non_secure.ps1 -b $(SBL_BIN_PATH) -c R5 -k ${PDK_INSTALL_PATH}/ti/build/makerules/tpr12_gpkey.pem -o $(SBL_TIIMAGE_PATH)
 endif
 endif
        $(ECHO) \# SBL image $@ created.
diff --git a/packages/ti/build/makerules/tpr12_x509template.txt b/packages/ti/build/makerules/tpr12_x509template.txt
new file mode 100755 (executable)
index 0000000..d59f9f2
--- /dev/null
@@ -0,0 +1,31 @@
+ [ req ]
+ distinguished_name     = req_distinguished_name
+ x509_extensions        = v3_ca
+ prompt                 = no
+
+ dirstring_type = nobmp
+
+ [ req_distinguished_name ]
+ C                      = US
+ ST                     = MD
+ L                      = Germantown
+ O                      = Texas Instruments., Inc.
+ OU                     = RADAR PROCESSOR
+ CN                     = Anonymous, Anonymous
+ emailAddress           = anonymous@ti.com
+
+ [ v3_ca ]
+  basicConstraints = CA:true
+  1.3.6.1.4.1.294.1.1=ASN1:SEQUENCE:boot_seq
+  1.3.6.1.4.1.294.1.2=ASN1:SEQUENCE:image_integrity
+
+ [ boot_seq ]
+  certType     =  INTEGER:TEST_CERT_TYPE
+  bootCore     =  INTEGER:TEST_BOOT_CORE_ID
+  bootCoreOpts =  INTEGER:TEST_BOOT_CORE_OPTS
+  destAddr     =  FORMAT:HEX,OCT:TEST_BOOT_ADDR
+  imageSize    =  INTEGER:TEST_IMAGE_LENGTH
+
+ [ image_integrity ]
+  shaType      =  OID:2.16.840.1.101.3.4.2.3
+  shaValue     =  FORMAT:HEX,OCT:TEST_IMAGE_SHA512
diff --git a/packages/ti/build/makerules/tpr12rom_sign_non_secure.ps1 b/packages/ti/build/makerules/tpr12rom_sign_non_secure.ps1
new file mode 100644 (file)
index 0000000..477011d
--- /dev/null
@@ -0,0 +1,133 @@
+#
+# windows script to add x509 certificate to binary/ELF
+param
+(
+       [string]$BIN,
+       [string]$KEY,
+       [string]$OUTPUT = $null,
+       [ValidateSet('R5','HSM')][string]$CERT_SIGN = 'R5'
+)
+
+#paths
+$SCRIPT_DIR = split-path -parent $MyInvocation.MyCommand.Definition
+$LOADADDR = '0x10200000'
+
+
+
+$WORK_DIR = [io.path]::GetFileNameWithoutExtension($BIN)
+
+#create working dir from input file
+#to allow parallel makes
+$WORK_DIR="$SCRIPT_DIR\$WORK_DIR"
+New-Item -ItemType Directory -Force -Path $WORK_DIR | Out-Null
+
+#variables
+$SHA = 'sha512'
+$TEMP_X509="$WORK_DIR\x509-temp.cert"
+$CERT="$WORK_DIR\$CERT_SIGN" + '-cert.bin'
+$VALID_CERT_SIGNS=@('R5', 'HSM')
+$X509_TEMPPLATE="$SCRIPT_DIR\tpr12_x509template.txt"
+
+
+# setup default output path if not specified
+if ( $OUTPUT.length -eq  0 ) {
+       $OUTPUT="$WORK_DIR\x509-firmware.bin"
+}
+
+#check if openssl is present
+Write-Host "Checking for OpenSSL..."
+try { Invoke-Expression "openssl version" }
+catch { Write-Host "Not found! Please install OpenSSL" 
+    exit 1
+}
+
+$sha_oids = @{}
+$sha_oids.sha256='2.16.840.1.101.3.4.2.1'
+$sha_oids.sha384='2.16.840.1.101.3.4.2.2'
+$sha_oids.sha512='2.16.840.1.101.3.4.2.3'
+$sha_oids.sha224='2.16.840.1.101.3.4.2.4'
+
+$options_help = @{}
+function usage() {
+
+       if ( $args.count -ne 0 ) {
+               Write-Host "ERROR: $args"
+       }
+
+       Write-Host -NoNewline "Usage: $(split-path $MyInvocation.PSCommandPath -Leaf) "
+       foreach($option in $options_help.Keys) {
+               $param_short_desc = $options_help.$option.split(':')[0]
+               Write-Host -NoNewline "[-$option $param_short_desc] "
+       }
+       Write-Host ""
+       Write-Host "Where:"
+       foreach($option in $options_help.Keys) {
+               $param_short_desc, $param_long_desc = $options_help.$option.split(':')
+               Write-Host "   -$option $param_short_desc$param_long_desc"
+       }
+       Write-Host 'Examples of usage:-'
+       Write-Host '# Generate x509 certificate from bin'
+       Write-Host "    $(split-path $MyInvocation.PSCommandPath -Leaf) -b sbl_qspi_img_mcu1_0_release.bin -c R5 -k tpr12_gpkey.pem "
+}
+
+$options_help.b="bin_file:`t`ttBin file that needs to be signed"
+$options_help.k="key_file:`t`tFile with key inside it. If not provided script generates a random key."
+
+
+if (  $BIN.length -eq  0  ) {
+       usage "Input bin file missing"
+       exit 1
+}
+
+#Generate random key if user doesn't provide a key.
+if ( $KEY.length -eq 0 ) {
+       usage "key file missing"
+       exit 1
+}
+
+if ( "$CERT_SIGN" -eq 'R5' ) {
+       $BOOTCORE_ID=16
+       $CERT_TYPE=1
+       $BOOTCORE_OPTS=0
+} else {
+       $BOOTCORE_ID=0
+       $BOOTCORE_OPTS=0
+       $CERT_TYPE=2
+}
+
+$SHA_OID=$sha_oids.$SHA
+$SHA_VAL = $(Invoke-Expression "openssl dgst -$SHA -hex $BIN") -replace '.*= ', ''
+$BIN_SIZE=(Get-Item $BIN).length
+$ADDR = ([Int32]::Parse($LOADADDR.split('x')[1], 'HexNumber')).ToString('X8')
+
+function gen_cert() {
+               Write-Host "$CERT_SIGN Certificate being generated :"
+               Write-Host "`tX509_CFG = $TEMP_X509"
+               Write-Host "`tKEY = $KEY"
+               Write-Host "`tBIN = $BIN"
+               Write-Host "`tCERT TYPE = $CERT_SIGN"
+               Write-Host "`tCORE ID = $CERT_TYPE"
+               Write-Host "`tLOADADDR = 0x$ADDR"
+               Write-Host "`tIMAGE_SIZE = $BIN_SIZE"
+       $SSL_CONF_FILE = (Get-Content -Raw $X509_TEMPPLATE) | ForEach-Object {
+                               $_.replace("TEST_IMAGE_LENGTH", "$BIN_SIZE").
+                               replace("TEST_IMAGE_SHA_OID", "$SHA_OID").
+                               replace("TEST_IMAGE_SHA512", "$SHA_VAL").
+                               replace("TEST_CERT_TYPE", "$CERT_TYPE").
+                               replace("TEST_BOOT_CORE_ID", "$BOOTCORE_ID").
+                               replace("TEST_BOOT_CORE_OPTS", "$BOOTCORE_OPTS").
+                               replace("TEST_BOOT_ADDR", "$ADDR")
+                               }
+       [IO.File]::WriteAllText($TEMP_X509, $SSL_CONF_FILE)
+       Invoke-Expression "openssl req -new -x509 -key $KEY -nodes -outform DER -out $CERT -config $TEMP_X509 -$SHA -days 365"
+}
+
+gen_cert
+Get-Content $CERT, $BIN -Enc Byte -Read 512 | Set-Content $OUTPUT  -Enc Byte
+
+Write-Host "SUCCESS: Image $OUTPUT generated. Good to boot"
+
+#Remove all intermediate files
+Remove-Item $TEMP_X509
+Remove-Item $CERT
+Remove-Item $WORK_DIR -Recurse
\ No newline at end of file