images: add HABv4 support for i.MX6
This patch adds high assurance boot support (HABv4) image generation to barebox, currently tested on i.MX6 only. In order to build a signed barebox image, add a new image target to images/Makefile.imx as illustrated in the diff below: - - - a/images/Makefile.imx + + + b/images/Makefile.imx @@ -163,10 +163,14 @@ image-$(CONFIG_MACH_SABRELITE) += barebox-freescale-imx6dl-sabrelite.img pblx-$(CONFIG_MACH_SABRESD) += start_imx6q_sabresd CFG_start_imx6q_sabresd.pblx.imximg = $(board)/freescale-mx6-sabresd/flash-header-mx6-sabresd.imxcfg FILE_barebox-freescale-imx6q-sabresd.img = start_imx6q_sabresd.pblx.imximg image-$(CONFIG_MACH_SABRESD) += barebox-freescale-imx6q-sabresd.img +CSF_start_imx6q_sabresd.pblx.imximg = $(havb4_imx6csf) +FILE_barebox-freescale-imx6q-sabresd-signed.img = start_imx6q_sabresd.pblx.imximg.signed +image-$(CONFIG_MACH_SABRESD) += barebox-freescale-imx6q-sabresd-signed.img + Here the default i.MX6 CSF file $(havb4_imx6csf) is used; it is generated during the build from the template "scripts/habv4/habv4-imx6.csf.in". You can configure the paths to the SRK table and certificates via: System Type -> i.MX specific settings -> HABv4 support. The proprietary Freescale tool "cst" is expected to be in the PATH. Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
This commit is contained in:
parent
b6c786528b
commit
d3be1ab1fc
|
@ -675,6 +675,46 @@ config IMX_OCOTP_WRITE
|
||||||
mw -l -d /dev/imx-ocotp 0x8C 0x00001234
|
mw -l -d /dev/imx-ocotp 0x8C 0x00001234
|
||||||
mw -l -d /dev/imx-ocotp 0x88 0x56789ABC
|
mw -l -d /dev/imx-ocotp 0x88 0x56789ABC
|
||||||
|
|
||||||
|
config HABV4
|
||||||
|
tristate "HABv4 support"
|
||||||
|
depends on ARCH_IMX6
|
||||||
|
help
|
||||||
|
High Assurance Boot, as found on i.MX28/i.MX6.
|
||||||
|
|
||||||
|
if HABV4
|
||||||
|
|
||||||
|
config HABV4_TABLE_BIN
|
||||||
|
string "Path to SRK table"
|
||||||
|
default "../crts/SRK_1_2_3_4_table.bin"
|
||||||
|
help
|
||||||
|
Path to the Super Root Key (SRK) table, produced by the
|
||||||
|
Freescale Code Signing Tool (cst).
|
||||||
|
|
||||||
|
This file will be inserted into the Command Sequence File
|
||||||
|
(CSF) when using the CSF template that comes with barebox.
|
||||||
|
|
||||||
|
config HABV4_CSF_CRT_PEM
|
||||||
|
string "Path to CSF certificate"
|
||||||
|
default "../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
|
||||||
|
help
|
||||||
|
Path to the Command Sequence File (CSF) certificate, produced by the
|
||||||
|
Freescale Public Key Infrastructure (PKI) script.
|
||||||
|
|
||||||
|
This file will be inserted into the Command Sequence File
|
||||||
|
(CSF) when using the CSF template that comes with barebox.
|
||||||
|
|
||||||
|
config HABV4_IMG_CRT_PEM
|
||||||
|
string "Path to IMG certificate"
|
||||||
|
default "../crts/IMG_1_sha256_4096_65537_v3_usr_crt.pem"
|
||||||
|
help
|
||||||
|
Path to the Image certificate, produced by the Freescale
|
||||||
|
Public Key Infrastructure (PKI) script.
|
||||||
|
|
||||||
|
This file will be inserted into the Command Sequence File
|
||||||
|
(CSF) when using the CSF template that comes with barebox.
|
||||||
|
|
||||||
|
endif
|
||||||
|
|
||||||
endmenu
|
endmenu
|
||||||
|
|
||||||
endif
|
endif
|
||||||
|
|
|
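Review bot: `config HABV4` is declared `tristate` although it only enables host-side image signing in images/Makefile.imxhabv4 and nothing here could be built as a module; `bool "HABv4 support"` states the intent and rules out the `m` value, which any `ifeq ($(CONFIG_HABV4),y)` check a Makefile later adds would not match. The help text says "as found on i.MX28/i.MX6" while the option `depends on ARCH_IMX6` and the commit message says i.MX6 is the only tested target; the help should say that. The three path options default to `../crts/...` without saying what the path is relative to; since the value is copied verbatim into the generated CSF and resolved by `cst`, each help text should add a sentence such as `The path is written unchanged into the generated CSF and is therefore resolved relative to the directory cst is run from (presumably the build directory).` The `endmenu`/`endif` lines at the end of the hunk close blocks that start outside it.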
@ -3,6 +3,8 @@
|
||||||
*.pblb
|
*.pblb
|
||||||
*.img
|
*.img
|
||||||
*.imximg
|
*.imximg
|
||||||
|
*.imximg.prep
|
||||||
|
*.imximg.signed
|
||||||
*.map
|
*.map
|
||||||
*.src
|
*.src
|
||||||
*.kwbimg
|
*.kwbimg
|
||||||
|
|
|
@ -102,11 +102,12 @@ objboard = $(objtree)/arch/$(ARCH)/boards
|
||||||
|
|
||||||
include $(srctree)/images/Makefile.am33xx
|
include $(srctree)/images/Makefile.am33xx
|
||||||
include $(srctree)/images/Makefile.imx
|
include $(srctree)/images/Makefile.imx
|
||||||
|
include $(srctree)/images/Makefile.imxhabv4
|
||||||
include $(srctree)/images/Makefile.mvebu
|
include $(srctree)/images/Makefile.mvebu
|
||||||
|
include $(srctree)/images/Makefile.mxs
|
||||||
include $(srctree)/images/Makefile.rockchip
|
include $(srctree)/images/Makefile.rockchip
|
||||||
include $(srctree)/images/Makefile.socfpga
|
include $(srctree)/images/Makefile.socfpga
|
||||||
include $(srctree)/images/Makefile.tegra
|
include $(srctree)/images/Makefile.tegra
|
||||||
include $(srctree)/images/Makefile.mxs
|
|
||||||
|
|
||||||
targets += $(image-y) pbl.lds barebox.x barebox.z
|
targets += $(image-y) pbl.lds barebox.x barebox.z
|
||||||
targets += $(patsubst %,%.pblx,$(pblx-y))
|
targets += $(patsubst %,%.pblx,$(pblx-y))
|
||||||
|
|
|
@ -0,0 +1,48 @@
|
||||||
|
# -*-makefile-*-
|
||||||
|
#
|
||||||
|
# barebox image generation Makefile for HABv4 images
|
||||||
|
#
|
||||||
|
|
||||||
|
# default csf templates
|
||||||
|
havb4_imx6csf = $(srctree)/scripts/habv4/habv4-imx6.csf.in
|
||||||
|
habv4_imx2csf = $(srctree)/scripts/habv4/habv4-imx28.csf.in
|
||||||
|
|
||||||
|
# %.imximg.prep - Convert in i.MX image, with preparation for signature
|
||||||
|
# ----------------------------------------------------------------
|
||||||
|
quiet_cmd_imx_prep_image = IMX-PREP-IMG $@
|
||||||
|
cmd_imx_prep_image = $(CPP) $(imxcfg_cpp_flags) -o $(imximg-tmp) $(word 2,$^) ; \
|
||||||
|
$< -o $@ -b -c $(imximg-tmp) -p -f $(word 3,$^)
|
||||||
|
|
||||||
|
.SECONDEXPANSION:
|
||||||
|
$(obj)/%.imximg.prep: $(objtree)/scripts/imx/imx-image $$(CFG_%.imximg) $(obj)/%
|
||||||
|
$(call if_changed,imx_prep_image)
|
||||||
|
|
||||||
|
# %.habv4.csf - create Command Sequence File from template
|
||||||
|
# ----------------------------------------------------------------
|
||||||
|
quiet_cmd_csf = CSF $@
|
||||||
|
cmd_csf = TABLE_BIN=$(CONFIG_HABV4_TABLE_BIN) \
|
||||||
|
CSF_CRT_PEM=$(CONFIG_HABV4_CSF_CRT_PEM) \
|
||||||
|
IMG_CRT_PEM=$(CONFIG_HABV4_IMG_CRT_PEM) \
|
||||||
|
$< -f $(word 2,$^) -c $(word 3,$^) -i $(word 4,$^) -o $@
|
||||||
|
|
||||||
|
.SECONDEXPANSION:
|
||||||
|
$(obj)/%.habv4.csf: $(srctree)/scripts/habv4/gencsf.sh $(obj)/%.prep $$(CFG_%) $$(CSF_%)
|
||||||
|
$(call if_changed,csf)
|
||||||
|
|
||||||
|
# %.habv4.sig - create signature and pad to 0x2000
|
||||||
|
# ----------------------------------------------------------------
|
||||||
|
CST = cst
|
||||||
|
quiet_cmd_habv4_sig = HAB4SIG $@
|
||||||
|
cmd_habv4_sig = $(CST) -o $(imximg-tmp) < $(word 2,$^) > /dev/null; \
|
||||||
|
$(OBJCOPY) -I binary -O binary --pad-to 0x2000 --gap-fill=0x5a $(imximg-tmp) $@
|
||||||
|
|
||||||
|
$(obj)/%.habv4.sig: $(obj)/%.prep $(obj)/%.habv4.csf
|
||||||
|
$(call if_changed,habv4_sig)
|
||||||
|
|
||||||
|
# %.imximg.signed - concatenate bootloader and signature
|
||||||
|
# ----------------------------------------------------------------
|
||||||
|
quiet_cmd_cat = CAT $@
|
||||||
|
cmd_cat = cat $^ > $@
|
||||||
|
|
||||||
|
$(obj)/%.imximg.signed: $(obj)/%.imximg.prep $(obj)/%.imximg.habv4.sig
|
||||||
|
$(call if_changed,cat)
|
|
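Review bot: In `cmd_habv4_sig` the two commands are joined with `;`, so when `cst` fails (not in PATH, wrong key or certificate path, rejected CSF) objcopy still runs and, if an `$(imximg-tmp)` from an earlier run is present, pads that stale content into `%.habv4.sig` while the cst diagnostics have been sent to `/dev/null`; a signing failure must fail the build, so use `cmd_habv4_sig = $(CST) -o $(imximg-tmp) < $(word 2,$^) > /dev/null && \`, and `cmd_imx_prep_image` has the same `;` between its cpp and imx-image calls. `$(imximg-tmp)` is not defined in this file (presumably in Makefile.imx); if it expands to one fixed name, the prep and sig rules of different images share it and can race under `make -j`, so a name derived from `$@` (e.g. `$@.tmp`) would be safer. `.SECONDEXPANSION:` is declared twice here and is a global switch: once parsed it applies to every rule defined afterwards, including the Makefile.mvebu/mxs/rockchip/socfpga/tegra files that images/Makefile now includes after this one, so a `$$` in their prerequisite lists changes meaning; one declaration at the top with a comment saying so is enough. The template variables are spelled `havb4_imx6csf` and `habv4_imx2csf`; since the first is already quoted in the commit message as the name boards should use, renaming them to `habv4_imx6csf` and `habv4_imx28csf` now avoids freezing the typo into board Makefiles.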
@ -0,0 +1,47 @@
|
||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
set -e
|
||||||
|
|
||||||
|
while getopts "f:c:i:o:" opt; do
|
||||||
|
case $opt in
|
||||||
|
f)
|
||||||
|
file=$OPTARG
|
||||||
|
;;
|
||||||
|
c)
|
||||||
|
cfg=$OPTARG
|
||||||
|
;;
|
||||||
|
i)
|
||||||
|
in=$OPTARG
|
||||||
|
;;
|
||||||
|
o)
|
||||||
|
out=$OPTARG
|
||||||
|
;;
|
||||||
|
\?)
|
||||||
|
echo "Invalid option: -$OPTARG" >&2
|
||||||
|
exit 1
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
|
||||||
|
if [ ! -e $file -o ! -e $cfg -o ! -e $in ]; then
|
||||||
|
echo "file not found!"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
#
|
||||||
|
# extract and set as shell vars:
|
||||||
|
# loadaddr=
|
||||||
|
# dcdofs=
|
||||||
|
#
|
||||||
|
eval $(sed -n -e "s/^[[:space:]]*\(loadaddr\|dcdofs\)[[:space:]]*\(0x[0-9]*\)/\1=\2/p" $cfg)
|
||||||
|
|
||||||
|
length=$(stat -c '%s' $file)
|
||||||
|
|
||||||
|
sed -e "s:@TABLE_BIN@:$TABLE_BIN:" \
|
||||||
|
-e "s:@CSF_CRT_PEM@:$CSF_CRT_PEM:" \
|
||||||
|
-e "s:@IMG_CRT_PEM@:$IMG_CRT_PEM:" \
|
||||||
|
-e "s:@LOADADDR@:$loadaddr:" \
|
||||||
|
-e "s:@OFFSET@:0:" \
|
||||||
|
-e "s:@LENGTH@:$length:" \
|
||||||
|
-e "s:@FILE@:$file:" \
|
||||||
|
$in > $out
|
|
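Review bot: The `sed` expression on the `eval` line only accepts decimal digits after `0x` (`\(0x[0-9]*\)`), so for an address such as `0x4fc00000` only `0x4` is captured; it works today only because the `p` flag also prints the unmatched rest of the line, which means a trailing comment or second token on the `loadaddr` line lands inside the `eval`'d assignment. Capture the full value and drop the remainder: `eval $(sed -n -e "s/^[[:space:]]*\(loadaddr\|dcdofs\)[[:space:]]*\(0x[0-9a-fA-F]*\).*$/\1=\2/p" $cfg)`. The rule in Makefile.imxhabv4 passes the raw `.imxcfg` (`$$(CFG_%)`) as `-c`, not the cpp-preprocessed copy used for the `.prep` image, so a `loadaddr` written as a cpp macro is not found and `@LOADADDR@` is silently replaced by an empty string; `[ -n "$loadaddr" ] || { echo "loadaddr not found in $cfg" >&2; exit 1; }` after the eval turns that into a build failure instead of an unusable CSF. The existence test uses the obsolescent `-o` form with unquoted variables, never validates `$out`, and prints "file not found!" without naming which of `$file`, `$cfg`, `$in` is missing; one quoted `[ -e "$file" ] || { ...; exit 1; }` per input with the name in the message is clearer. `\|` alternation in sed is a GNU extension; if the build does not already require GNU sed, two separate `-e` expressions are portable.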
@ -0,0 +1,33 @@
|
||||||
|
[Header]
|
||||||
|
Version = 4.0
|
||||||
|
Hash Algorithm = sha256
|
||||||
|
Engine Configuration = 0
|
||||||
|
Certificate Format = X509
|
||||||
|
Signature Format = CMS
|
||||||
|
Engine = DCP
|
||||||
|
|
||||||
|
[Install SRK]
|
||||||
|
File = "@TABLE_BIN@"
|
||||||
|
# SRK index within SRK-Table 0..3
|
||||||
|
Source index = 0
|
||||||
|
|
||||||
|
[Install CSFK]
|
||||||
|
File = "@CSF_CRT_PEM@"
|
||||||
|
|
||||||
|
[Authenticate CSF]
|
||||||
|
|
||||||
|
[Install Key]
|
||||||
|
# verification key index in key store (0, 2...5)
|
||||||
|
Verification index = 0
|
||||||
|
# target key index in key store (2...5)
|
||||||
|
Target index = 2
|
||||||
|
File = "@IMG_CRT_PEM@"
|
||||||
|
|
||||||
|
[Authenticate Data]
|
||||||
|
# verification key index in key store (2...5)
|
||||||
|
Verification index = 2
|
||||||
|
# "starting load address in memory"
|
||||||
|
# "starting offset within the source file"
|
||||||
|
# "length (in bytes)"
|
||||||
|
# "file (binary)"
|
||||||
|
Blocks = @LOADADDR@ @OFFSET@ @LENGTH@ "@FILE@"
|
|
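Review bot: Nothing in this commit consumes this template: Kconfig gates `HABV4` on `ARCH_IMX6`, the commit message says only i.MX6 was tested, and the Makefile variable that points here is spelled `habv4_imx2csf`, so the i.MX28 path is untested configuration. A header comment stating that, e.g. `# i.MX28 CSF template (DCP engine) - untested, no board uses it yet`, keeps a later reader from assuming the `Engine = DCP` / `Version = 4.0` settings were validated against hardware.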
@ -0,0 +1,37 @@
|
||||||
|
[Header]
|
||||||
|
Version = 4.1
|
||||||
|
Hash Algorithm = sha256
|
||||||
|
Engine Configuration = 0
|
||||||
|
Certificate Format = X509
|
||||||
|
Signature Format = CMS
|
||||||
|
Engine = CAAM
|
||||||
|
|
||||||
|
[Install SRK]
|
||||||
|
File = "@TABLE_BIN@"
|
||||||
|
# SRK index within SRK-Table 0..3
|
||||||
|
Source index = 0
|
||||||
|
|
||||||
|
[Install CSFK]
|
||||||
|
File = "@CSF_CRT_PEM@"
|
||||||
|
|
||||||
|
[Authenticate CSF]
|
||||||
|
|
||||||
|
[Unlock]
|
||||||
|
Engine = CAAM
|
||||||
|
Features = RNG
|
||||||
|
|
||||||
|
[Install Key]
|
||||||
|
# verification key index in key store (0, 2...5)
|
||||||
|
Verification index = 0
|
||||||
|
# target key index in key store (2...5)
|
||||||
|
Target index = 2
|
||||||
|
File = "@IMG_CRT_PEM@"
|
||||||
|
|
||||||
|
[Authenticate Data]
|
||||||
|
# verification key index in key store (2...5)
|
||||||
|
Verification index = 2
|
||||||
|
# "starting load address in memory"
|
||||||
|
# "starting offset within the source file"
|
||||||
|
# "length (in bytes)"
|
||||||
|
# "file (binary)"
|
||||||
|
Blocks = @LOADADDR@ @OFFSET@ @LENGTH@ "@FILE@"
|
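Review bot: The `[Unlock]` block (`Engine = CAAM`, `Features = RNG`) is the one command in this template that relaxes what HAB locks down, and unlike the other sections it carries no comment explaining why it is there; it should, e.g. `# Leave the CAAM RNG uninstantiated so the OS can initialise it itself; do not add further Unlock features without review` (the reason is presumed from common usage and should be confirmed). The `Blocks` line signs from `@OFFSET@` = 0 for `@LENGTH@` bytes, which gencsf.sh sets to the size of the `.prep` image, so a comment such as `# covers the complete prepared image from offset 0; do not narrow without review` would make the signed coverage explicit to whoever edits the template next.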