diff options
| -rw-r--r-- | arch/arm/mach-k3/Kconfig | 11 | ||||
| -rw-r--r-- | arch/arm/mach-k3/config.mk | 59 | ||||
| -rw-r--r-- | tools/k3_x509template.txt | 48 |
3 files changed, 118 insertions, 0 deletions
diff --git a/arch/arm/mach-k3/Kconfig b/arch/arm/mach-k3/Kconfig index 2df6197af7..9f5e8e5ee4 100644 --- a/arch/arm/mach-k3/Kconfig +++ b/arch/arm/mach-k3/Kconfig @@ -47,5 +47,16 @@ config SYS_K3_BOOT_PARAM_TABLE_INDEX Address at which ROM stores the value which determines if SPL is booted up by primary boot media or secondary boot media. +config SYS_K3_KEY + string "Key used to generate x509 certificate" + help + This option enables to provide a custom key that can be used for + generating x509 certificate for spl binary. If not needed leave + it blank so that a random key is generated and used. + +config SYS_K3_BOOT_CORE_ID + int + default 16 + source "board/ti/am65x/Kconfig" endif diff --git a/arch/arm/mach-k3/config.mk b/arch/arm/mach-k3/config.mk index 9b86ddc715..7fc0b3f357 100644 --- a/arch/arm/mach-k3/config.mk +++ b/arch/arm/mach-k3/config.mk @@ -5,6 +5,65 @@ ifdef CONFIG_SPL_BUILD +# Openssl is required to generate x509 certificate. +# Error out if openssl is not available. +ifeq ($(shell which openssl),) +$(error "No openssl in $(PATH), consider installing openssl") +endif + +SHA_VALUE= $(shell openssl dgst -sha512 -hex $(obj)/u-boot-spl.bin | sed -e "s/^.*= //g") +IMAGE_SIZE= $(shell cat $(obj)/u-boot-spl.bin | wc -c) +LOADADDR= $(shell echo $(CONFIG_SPL_TEXT_BASE) | sed -e "s/^0x//g") +MAX_SIZE= $(shell printf "%d" $(CONFIG_SYS_K3_MAX_DOWNLODABLE_IMAGE_SIZE)) + +# Parameters to get populated into the x509 template +SED_OPTS= -e s/TEST_IMAGE_LENGTH/$(IMAGE_SIZE)/ +SED_OPTS+= -e s/TEST_IMAGE_SHA_VAL/$(SHA_VALUE)/ +SED_OPTS+= -e s/TEST_CERT_TYPE/1/ # CERT_TYPE_PRIMARY_IMAGE_BIN +SED_OPTS+= -e s/TEST_BOOT_CORE/$(CONFIG_SYS_K3_BOOT_CORE_ID)/ +SED_OPTS+= -e s/TEST_BOOT_ARCH_WIDTH/32/ +SED_OPTS+= -e s/TEST_BOOT_ADDR/$(LOADADDR)/ + +# Command to generate ecparam key +quiet_cmd_genkey = OPENSSL $@ +cmd_genkey = openssl ecparam -out $@ -name prime256v1 -genkey + +# Command to generate x509 certificate +quiet_cmd_gencert = OPENSSL $@ +cmd_gencert = cat $(srctree)/tools/k3_x509template.txt | sed $(SED_OPTS) > u-boot-spl-x509.txt; \ + openssl req -new -x509 -key $(KEY) -nodes -outform DER -out $@ -config u-boot-spl-x509.txt -sha512 + +# If external key is not provided, generate key using openssl. +ifeq ($(CONFIG_SYS_K3_KEY), "") +KEY=u-boot-spl-eckey.pem +else +KEY=$(patsubst "%",%,$(CONFIG_SYS_K3_KEY)) +endif + +u-boot-spl-eckey.pem: FORCE + $(call if_changed,genkey) + +# tiboot3.bin is mandated by ROM and ROM only supports R5 boot. +# So restrict tiboot3.bin creation for CPU_V7R. +ifdef CONFIG_CPU_V7R +u-boot-spl-cert.bin: $(KEY) $(obj)/u-boot-spl.bin image_check FORCE + $(call if_changed,gencert) + +image_check: $(obj)/u-boot-spl.bin FORCE + @if [ $(IMAGE_SIZE) -gt $(MAX_SIZE) ]; then \ + echo "===============================================" >&2; \ + echo "ERROR: Final Image too big. " >&2; \ + echo "$< size = $(IMAGE_SIZE), max size = $(MAX_SIZE)" >&2; \ + echo "===============================================" >&2; \ + exit 1; \ + fi + +tiboot3.bin: u-boot-spl-cert.bin $(obj)/u-boot-spl.bin FORCE + $(call if_changed,cat) + +ALL-y += tiboot3.bin +endif + ifdef CONFIG_ARM64 SPL_ITS := u-boot-spl-k3.its $(SPL_ITS): FORCE diff --git a/tools/k3_x509template.txt b/tools/k3_x509template.txt new file mode 100644 index 0000000000..bd3a9ab056 --- /dev/null +++ b/tools/k3_x509template.txt @@ -0,0 +1,48 @@ + [ req ] + distinguished_name = req_distinguished_name + x509_extensions = v3_ca + prompt = no + dirstring_type = nobmp + + [ req_distinguished_name ] + C = US + ST = TX + L = Dallas + O = Texas Instruments Incorporated + OU = Processors + CN = TI Support + emailAddress = support@ti.com + + [ v3_ca ] + basicConstraints = CA:true + 1.3.6.1.4.1.294.1.1 = ASN1:SEQUENCE:boot_seq + 1.3.6.1.4.1.294.1.2 = ASN1:SEQUENCE:image_integrity + 1.3.6.1.4.1.294.1.3 = ASN1:SEQUENCE:swrv +# 1.3.6.1.4.1.294.1.4 = ASN1:SEQUENCE:encryption + 1.3.6.1.4.1.294.1.8 = ASN1:SEQUENCE:debug + + [ boot_seq ] + certType = INTEGER:TEST_CERT_TYPE + bootCore = INTEGER:TEST_BOOT_CORE + bootCoreOpts = INTEGER:TEST_BOOT_ARCH_WIDTH + destAddr = FORMAT:HEX,OCT:TEST_BOOT_ADDR + imageSize = INTEGER:TEST_IMAGE_LENGTH + + [ image_integrity ] + shaType = OID:2.16.840.1.101.3.4.2.3 + shaValue = FORMAT:HEX,OCT:TEST_IMAGE_SHA_VAL + + [ swrv ] + swrv = INTEGER:0 + +# [ encryption ] +# initalVector = FORMAT:HEX,OCT:TEST_IMAGE_ENC_IV +# randomString = FORMAT:HEX,OCT:TEST_IMAGE_ENC_RS +# iterationCnt = INTEGER:TEST_IMAGE_KEY_DERIVE_INDEX +# salt = FORMAT:HEX,OCT:TEST_IMAGE_KEY_DERIVE_SALT + + [ debug ] + debugType = INTEGER:4 + coreDbgEn = INTEGER:0 + coreDbgSecEn = INTEGER:0 + debugUID = FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000 |