From: Badri S Date: Thu, 3 Dec 2020 13:57:13 +0000 (+0530) Subject: tpr12/sbl: support for sbl image signing in windows X-Git-Tag: REL.CORESDK.07.01.04.02~5 X-Git-Url: https://git.ti.com/gitweb?p=processor-sdk%2Fpdk.git;a=commitdiff_plain;h=6446327f918ea4128a3c759054b0a2dd2760d664 tpr12/sbl: support for sbl image signing in windows sbl image signing in windows environment Signed-off-by: Badri S --- diff --git a/packages/ti/board/utils/uniflash/target/build/uart_make.mk b/packages/ti/board/utils/uniflash/target/build/uart_make.mk index 26df17c04..b27cbc1c6 100644 --- a/packages/ti/board/utils/uniflash/target/build/uart_make.mk +++ b/packages/ti/board/utils/uniflash/target/build/uart_make.mk @@ -158,7 +158,11 @@ SBL_OBJ_COPY := $(TOOLCHAIN_PATH_GCC_ARCH64)/bin/$(GCC_ARCH64_BIN_PREFIX)-objcop #SoCs like TPR12 do not have GCC tool. So we package it as part of SBL #TI ARM CGT objcopy does not copy .data sections correctly so cannot be used ifeq ("$(wildcard ${TOOLCHAIN_PATH_GCC_ARCH64})","") +ifneq ($(OS),Windows_NT) SBL_OBJ_COPY := ${PDK_SBL_COMP_PATH}/tools/tpr12SBLImageGen/unix/aarch64-none-elf-objcopy +else +SBL_OBJ_COPY := ${PDK_SBL_COMP_PATH}/tools/tpr12SBLImageGen/windows/aarch64-none-elf-objcopy.exe +endif endif export SBL_OBJ_COPY diff --git a/packages/ti/boot/sbl/build/sbl_img.mk b/packages/ti/boot/sbl/build/sbl_img.mk index b930f8aca..3bf50440e 100644 --- a/packages/ti/boot/sbl/build/sbl_img.mk +++ b/packages/ti/boot/sbl/build/sbl_img.mk @@ -159,7 +159,11 @@ SBL_OBJ_COPY := $(TOOLCHAIN_PATH_GCC_ARCH64)/bin/$(GCC_ARCH64_BIN_PREFIX)-objcop #SoCs like TPR12 do not have GCC tool. So we package it as part of SBL #TI ARM CGT objcopy does not copy .data sections correctly so cannot be used ifeq ("$(wildcard ${TOOLCHAIN_PATH_GCC_ARCH64})","") +ifneq ($(OS),Windows_NT) SBL_OBJ_COPY := ${PDK_SBL_COMP_PATH}/tools/tpr12SBLImageGen/unix/aarch64-none-elf-objcopy +else +SBL_OBJ_COPY := ${PDK_SBL_COMP_PATH}/tools/tpr12SBLImageGen/windows/aarch64-none-elf-objcopy.exe +endif endif export SBL_OBJ_COPY diff --git a/packages/ti/boot/sbl/tools/tpr12SBLImageGen/windows/aarch64-none-elf-objcopy.exe b/packages/ti/boot/sbl/tools/tpr12SBLImageGen/windows/aarch64-none-elf-objcopy.exe new file mode 100755 index 000000000..2bbbea24d Binary files /dev/null and b/packages/ti/boot/sbl/tools/tpr12SBLImageGen/windows/aarch64-none-elf-objcopy.exe differ diff --git a/packages/ti/build/makerules/common.mk b/packages/ti/build/makerules/common.mk index 7a15dc11a..4480819e7 100644 --- a/packages/ti/build/makerules/common.mk +++ b/packages/ti/build/makerules/common.mk @@ -646,7 +646,7 @@ ifneq ($(OS),Windows_NT) $(PDK_INSTALL_PATH)/ti/build/makerules/tpr12rom_sign_non_secure.sh -b $(SBL_BIN_PATH) -c R5 -k ${PDK_INSTALL_PATH}/ti/build/makerules/tpr12_gpkey.pem -i cat R5-cert.bin $(SBL_BIN_PATH) > $(SBL_TIIMAGE_PATH) else - echo "Bypassing SBL signing as available only in unix environment presently" + powershell -executionpolicy unrestricted -command $(PDK_INSTALL_PATH)/ti/build/makerules/tpr12rom_sign_non_secure.ps1 -b $(SBL_BIN_PATH) -c R5 -k ${PDK_INSTALL_PATH}/ti/build/makerules/tpr12_gpkey.pem -o $(SBL_TIIMAGE_PATH) endif endif $(ECHO) \# SBL image $@ created. diff --git a/packages/ti/build/makerules/tpr12_x509template.txt b/packages/ti/build/makerules/tpr12_x509template.txt new file mode 100755 index 000000000..d59f9f2bd --- /dev/null +++ b/packages/ti/build/makerules/tpr12_x509template.txt @@ -0,0 +1,31 @@ + [ req ] + distinguished_name = req_distinguished_name + x509_extensions = v3_ca + prompt = no + + dirstring_type = nobmp + + [ req_distinguished_name ] + C = US + ST = MD + L = Germantown + O = Texas Instruments., Inc. + OU = RADAR PROCESSOR + CN = Anonymous, Anonymous + emailAddress = anonymous@ti.com + + [ v3_ca ] + basicConstraints = CA:true + 1.3.6.1.4.1.294.1.1=ASN1:SEQUENCE:boot_seq + 1.3.6.1.4.1.294.1.2=ASN1:SEQUENCE:image_integrity + + [ boot_seq ] + certType = INTEGER:TEST_CERT_TYPE + bootCore = INTEGER:TEST_BOOT_CORE_ID + bootCoreOpts = INTEGER:TEST_BOOT_CORE_OPTS + destAddr = FORMAT:HEX,OCT:TEST_BOOT_ADDR + imageSize = INTEGER:TEST_IMAGE_LENGTH + + [ image_integrity ] + shaType = OID:2.16.840.1.101.3.4.2.3 + shaValue = FORMAT:HEX,OCT:TEST_IMAGE_SHA512 diff --git a/packages/ti/build/makerules/tpr12rom_sign_non_secure.ps1 b/packages/ti/build/makerules/tpr12rom_sign_non_secure.ps1 new file mode 100644 index 000000000..477011d08 --- /dev/null +++ b/packages/ti/build/makerules/tpr12rom_sign_non_secure.ps1 @@ -0,0 +1,133 @@ +# +# windows script to add x509 certificate to binary/ELF +param +( + [string]$BIN, + [string]$KEY, + [string]$OUTPUT = $null, + [ValidateSet('R5','HSM')][string]$CERT_SIGN = 'R5' +) + +#paths +$SCRIPT_DIR = split-path -parent $MyInvocation.MyCommand.Definition +$LOADADDR = '0x10200000' + + + +$WORK_DIR = [io.path]::GetFileNameWithoutExtension($BIN) + +#create working dir from input file +#to allow parallel makes +$WORK_DIR="$SCRIPT_DIR\$WORK_DIR" +New-Item -ItemType Directory -Force -Path $WORK_DIR | Out-Null + +#variables +$SHA = 'sha512' +$TEMP_X509="$WORK_DIR\x509-temp.cert" +$CERT="$WORK_DIR\$CERT_SIGN" + '-cert.bin' +$VALID_CERT_SIGNS=@('R5', 'HSM') +$X509_TEMPPLATE="$SCRIPT_DIR\tpr12_x509template.txt" + + +# setup default output path if not specified +if ( $OUTPUT.length -eq 0 ) { + $OUTPUT="$WORK_DIR\x509-firmware.bin" +} + +#check if openssl is present +Write-Host "Checking for OpenSSL..." +try { Invoke-Expression "openssl version" } +catch { Write-Host "Not found! Please install OpenSSL" + exit 1 +} + +$sha_oids = @{} +$sha_oids.sha256='2.16.840.1.101.3.4.2.1' +$sha_oids.sha384='2.16.840.1.101.3.4.2.2' +$sha_oids.sha512='2.16.840.1.101.3.4.2.3' +$sha_oids.sha224='2.16.840.1.101.3.4.2.4' + +$options_help = @{} +function usage() { + + if ( $args.count -ne 0 ) { + Write-Host "ERROR: $args" + } + + Write-Host -NoNewline "Usage: $(split-path $MyInvocation.PSCommandPath -Leaf) " + foreach($option in $options_help.Keys) { + $param_short_desc = $options_help.$option.split(':')[0] + Write-Host -NoNewline "[-$option $param_short_desc] " + } + Write-Host "" + Write-Host "Where:" + foreach($option in $options_help.Keys) { + $param_short_desc, $param_long_desc = $options_help.$option.split(':') + Write-Host " -$option $param_short_desc$param_long_desc" + } + Write-Host 'Examples of usage:-' + Write-Host '# Generate x509 certificate from bin' + Write-Host " $(split-path $MyInvocation.PSCommandPath -Leaf) -b sbl_qspi_img_mcu1_0_release.bin -c R5 -k tpr12_gpkey.pem " +} + +$options_help.b="bin_file:`t`ttBin file that needs to be signed" +$options_help.k="key_file:`t`tFile with key inside it. If not provided script generates a random key." + + +if ( $BIN.length -eq 0 ) { + usage "Input bin file missing" + exit 1 +} + +#Generate random key if user doesn't provide a key. +if ( $KEY.length -eq 0 ) { + usage "key file missing" + exit 1 +} + +if ( "$CERT_SIGN" -eq 'R5' ) { + $BOOTCORE_ID=16 + $CERT_TYPE=1 + $BOOTCORE_OPTS=0 +} else { + $BOOTCORE_ID=0 + $BOOTCORE_OPTS=0 + $CERT_TYPE=2 +} + +$SHA_OID=$sha_oids.$SHA +$SHA_VAL = $(Invoke-Expression "openssl dgst -$SHA -hex $BIN") -replace '.*= ', '' +$BIN_SIZE=(Get-Item $BIN).length +$ADDR = ([Int32]::Parse($LOADADDR.split('x')[1], 'HexNumber')).ToString('X8') + +function gen_cert() { + Write-Host "$CERT_SIGN Certificate being generated :" + Write-Host "`tX509_CFG = $TEMP_X509" + Write-Host "`tKEY = $KEY" + Write-Host "`tBIN = $BIN" + Write-Host "`tCERT TYPE = $CERT_SIGN" + Write-Host "`tCORE ID = $CERT_TYPE" + Write-Host "`tLOADADDR = 0x$ADDR" + Write-Host "`tIMAGE_SIZE = $BIN_SIZE" + $SSL_CONF_FILE = (Get-Content -Raw $X509_TEMPPLATE) | ForEach-Object { + $_.replace("TEST_IMAGE_LENGTH", "$BIN_SIZE"). + replace("TEST_IMAGE_SHA_OID", "$SHA_OID"). + replace("TEST_IMAGE_SHA512", "$SHA_VAL"). + replace("TEST_CERT_TYPE", "$CERT_TYPE"). + replace("TEST_BOOT_CORE_ID", "$BOOTCORE_ID"). + replace("TEST_BOOT_CORE_OPTS", "$BOOTCORE_OPTS"). + replace("TEST_BOOT_ADDR", "$ADDR") + } + [IO.File]::WriteAllText($TEMP_X509, $SSL_CONF_FILE) + Invoke-Expression "openssl req -new -x509 -key $KEY -nodes -outform DER -out $CERT -config $TEMP_X509 -$SHA -days 365" +} + +gen_cert +Get-Content $CERT, $BIN -Enc Byte -Read 512 | Set-Content $OUTPUT -Enc Byte + +Write-Host "SUCCESS: Image $OUTPUT generated. Good to boot" + +#Remove all intermediate files +Remove-Item $TEMP_X509 +Remove-Item $CERT +Remove-Item $WORK_DIR -Recurse \ No newline at end of file