images: add HABv4 support for i.MX6

This patch adds high assurance boot support (HABv4) image generation to
barebox, currently tested on i.MX6 only.

In order to build a signed barebox image, add a new image target to
images/Makefile.imx as illustrated in the diff below:

- - - a/images/Makefile.imx
+ + + b/images/Makefile.imx
@@ -163,10 +163,14 @@ image-$(CONFIG_MACH_SABRELITE) += barebox-freescale-imx6dl-sabrelite.img
 pblx-$(CONFIG_MACH_SABRESD) += start_imx6q_sabresd
 CFG_start_imx6q_sabresd.pblx.imximg = $(board)/freescale-mx6-sabresd/flash-header-mx6-sabresd.imxcfg
 FILE_barebox-freescale-imx6q-sabresd.img = start_imx6q_sabresd.pblx.imximg
 image-$(CONFIG_MACH_SABRESD) += barebox-freescale-imx6q-sabresd.img

+CSF_start_imx6q_sabresd.pblx.imximg = $(havb4_imx6csf)
+FILE_barebox-freescale-imx6q-sabresd-signed.img = start_imx6q_sabresd.pblx.imximg.signed
+image-$(CONFIG_MACH_SABRESD) += barebox-freescale-imx6q-sabresd-signed.img
+

Here the default i.MX6 CSF file $(havb4_imx6csf) is used, it's generated during
build on from the template "scripts/habv4/habv4-imx6.csf.in". You can configure
the paths to the SRK table and certificates via: System Type -> i.MX specific
settings -> HABv4 support.

The proprietary tool "cst" by Freescale tool is expected in the PATH.

Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>

arch/arm/mach-imx/Kconfig

@@ -675,6 +675,46 @@ config IMX_OCOTP_WRITE
 		mw -l -d /dev/imx-ocotp 0x8C 0x00001234
 		mw -l -d /dev/imx-ocotp 0x88 0x56789ABC
 
+config HABV4
+	tristate "HABv4 support"
+	depends on ARCH_IMX6
+	help
+	  High Assurance Boot, as found on i.MX28/i.MX6.
+
+if HABV4
+
+config HABV4_TABLE_BIN
+	string "Path to SRK table"
+	default "../crts/SRK_1_2_3_4_table.bin"
+	help
+	  Path to the Super Root Key (SRK) table, produced by the
+	  Freescale Code Signing Tool (cst).
+
+	  This file will be inserted into the Command Sequence File
+	  (CSF) when using the CSF template that comes with barebox.
+
+config HABV4_CSF_CRT_PEM
+	string "Path to CSF certificate"
+	default "../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
+	help
+	  Path to the Command Sequence File (CSF) certificate, produced by the
+	  Freescale Public Key Infrastructure (PKI) script.
+
+	  This file will be inserted into the Command Sequence File
+	  (CSF) when using the CSF template that comes with barebox.
+
+config HABV4_IMG_CRT_PEM
+	string "Path to IMG certificate"
+	default "../crts/IMG_1_sha256_4096_65537_v3_usr_crt.pem"
+	help
+	  Path to the Image certificate, produced by the Freescale
+	  Public Key Infrastructure (PKI) script.
+
+	  This file will be inserted into the Command Sequence File
+	  (CSF) when using the CSF template that comes with barebox.
+
+endif
+
 endmenu
 
 endif

images/.gitignore

@@ -3,6 +3,8 @@
 *.pblb
 *.img
 *.imximg
+*.imximg.prep
+*.imximg.signed
 *.map
 *.src
 *.kwbimg

images/Makefile

@@ -102,11 +102,12 @@ objboard = $(objtree)/arch/$(ARCH)/boards
 
 include $(srctree)/images/Makefile.am33xx
 include $(srctree)/images/Makefile.imx
+include $(srctree)/images/Makefile.imxhabv4
 include $(srctree)/images/Makefile.mvebu
+include $(srctree)/images/Makefile.mxs
 include $(srctree)/images/Makefile.rockchip
 include $(srctree)/images/Makefile.socfpga
 include $(srctree)/images/Makefile.tegra
-include $(srctree)/images/Makefile.mxs
 
 targets += $(image-y) pbl.lds barebox.x barebox.z
 targets += $(patsubst %,%.pblx,$(pblx-y))

images/Makefile.imxhabv4

@@ -0,0 +1,48 @@
+# -*-makefile-*-
+#
+# barebox image generation Makefile for HABv4 images
+#
+
+# default csf templates
+havb4_imx6csf = $(srctree)/scripts/habv4/habv4-imx6.csf.in
+habv4_imx2csf = $(srctree)/scripts/habv4/habv4-imx28.csf.in
+
+# %.imximg.prep - Convert in i.MX image, with preparation for signature
+# ----------------------------------------------------------------
+quiet_cmd_imx_prep_image = IMX-PREP-IMG $@
+      cmd_imx_prep_image = $(CPP) $(imxcfg_cpp_flags) -o $(imximg-tmp) $(word 2,$^) ; \
+			   $< -o $@ -b -c $(imximg-tmp) -p -f $(word 3,$^)
+
+.SECONDEXPANSION:
+$(obj)/%.imximg.prep: $(objtree)/scripts/imx/imx-image $$(CFG_%.imximg) $(obj)/%
+	$(call if_changed,imx_prep_image)
+
+# %.habv4.csf - create Command Sequence File from template
+# ----------------------------------------------------------------
+quiet_cmd_csf = CSF     $@
+      cmd_csf = TABLE_BIN=$(CONFIG_HABV4_TABLE_BIN) \
+		CSF_CRT_PEM=$(CONFIG_HABV4_CSF_CRT_PEM) \
+		IMG_CRT_PEM=$(CONFIG_HABV4_IMG_CRT_PEM) \
+		$< -f $(word 2,$^) -c $(word 3,$^) -i $(word 4,$^) -o $@
+
+.SECONDEXPANSION:
+$(obj)/%.habv4.csf: $(srctree)/scripts/habv4/gencsf.sh $(obj)/%.prep $$(CFG_%) $$(CSF_%)
+	$(call if_changed,csf)
+
+# %.habv4.sig - create signature and pad to 0x2000
+# ----------------------------------------------------------------
+CST = cst
+quiet_cmd_habv4_sig = HAB4SIG $@
+      cmd_habv4_sig = $(CST) -o $(imximg-tmp) < $(word 2,$^) > /dev/null; \
+		      $(OBJCOPY) -I binary -O binary --pad-to 0x2000 --gap-fill=0x5a $(imximg-tmp) $@
+
+$(obj)/%.habv4.sig: $(obj)/%.prep $(obj)/%.habv4.csf
+	$(call if_changed,habv4_sig)
+
+# %.imximg.signed - concatenate bootloader and signature
+# ----------------------------------------------------------------
+quiet_cmd_cat = CAT     $@
+      cmd_cat = cat $^ > $@
+
+$(obj)/%.imximg.signed: $(obj)/%.imximg.prep $(obj)/%.imximg.habv4.sig
+	$(call if_changed,cat)

scripts/habv4/gencsf.sh

@@ -0,0 +1,47 @@
+#!/bin/sh
+
+set -e
+
+while getopts "f:c:i:o:" opt; do
+    case $opt in
+	f)
+	    file=$OPTARG
+	    ;;
+	c)
+	    cfg=$OPTARG
+	    ;;
+	i)
+	    in=$OPTARG
+	    ;;
+	o)
+	    out=$OPTARG
+	    ;;
+	\?)
+	    echo "Invalid option: -$OPTARG" >&2
+	    exit 1
+	;;
+    esac
+done
+
+if [ ! -e $file -o ! -e $cfg -o ! -e $in ]; then
+    echo "file not found!"
+    exit 1
+fi
+
+#
+# extract and set as shell vars:
+# loadaddr=
+# dcdofs=
+#
+eval $(sed -n -e "s/^[[:space:]]*\(loadaddr\|dcdofs\)[[:space:]]*\(0x[0-9]*\)/\1=\2/p" $cfg)
+
+length=$(stat -c '%s' $file)
+
+sed -e "s:@TABLE_BIN@:$TABLE_BIN:" \
+    -e "s:@CSF_CRT_PEM@:$CSF_CRT_PEM:" \
+    -e "s:@IMG_CRT_PEM@:$IMG_CRT_PEM:" \
+    -e "s:@LOADADDR@:$loadaddr:" \
+    -e "s:@OFFSET@:0:" \
+    -e "s:@LENGTH@:$length:" \
+    -e "s:@FILE@:$file:" \
+    $in > $out

scripts/habv4/habv4-imx28.csf.in

@@ -0,0 +1,33 @@
+[Header]
+Version = 4.0
+Hash Algorithm = sha256
+Engine Configuration = 0
+Certificate Format = X509
+Signature Format = CMS
+Engine = DCP
+
+[Install SRK]
+File = "@TABLE_BIN@"
+# SRK index within SRK-Table 0..3
+Source index = 0
+
+[Install CSFK]
+File = "@CSF_CRT_PEM@"
+
+[Authenticate CSF]
+
+[Install Key]
+# verification key index in key store (0, 2...5)
+Verification index = 0
+# target key index in key store (2...5)
+Target index = 2
+File = "@IMG_CRT_PEM@"
+
+[Authenticate Data]
+# verification key index in key store (2...5)
+Verification index = 2
+# "starting load address in memory"
+# "starting offset within the source file"
+# "length (in bytes)"
+# "file (binary)"
+Blocks = @LOADADDR@ @OFFSET@ @LENGTH@ "@FILE@"

scripts/habv4/habv4-imx6.csf.in

@@ -0,0 +1,37 @@
+[Header]
+Version = 4.1
+Hash Algorithm = sha256
+Engine Configuration = 0
+Certificate Format = X509
+Signature Format = CMS
+Engine = CAAM
+
+[Install SRK]
+File = "@TABLE_BIN@"
+# SRK index within SRK-Table 0..3
+Source index = 0
+
+[Install CSFK]
+File = "@CSF_CRT_PEM@"
+
+[Authenticate CSF]
+
+[Unlock]
+Engine = CAAM
+Features = RNG
+
+[Install Key]
+# verification key index in key store (0, 2...5)
+Verification index = 0
+# target key index in key store (2...5)
+Target index = 2
+File = "@IMG_CRT_PEM@"
+
+[Authenticate Data]
+# verification key index in key store (2...5)
+Verification index = 2
+# "starting load address in memory"
+# "starting offset within the source file"
+# "length (in bytes)"
+# "file (binary)"
+Blocks = @LOADADDR@ @OFFSET@ @LENGTH@ "@FILE@"