Gitiles
Code Review Sign In
git01.mediatek.com / filogic / uboot / 48a0060c8a3eae34d9fd44b4e8ec38f722bfb4af^! / . / tools / binman / btool / openssl.py
commit48a0060c8a3eae34d9fd44b4e8ec38f722bfb4af[log] [tgz]
authorManorit Chawdhry <m-chawdhry@ti.com>Fri Dec 29 16:16:26 2023 +0530
committerTom Rini <trini@konsulko.com>Thu Jan 04 16:48:00 2024 -0500
treef668cf6d1f140dff5333ecb84d6996ffc6f4f9af
parentb63e9b030fe858927b30fb73c4bfe966114da756 [diff] [blame]
binman: ti-secure: Add support for firewalling entities

We can now firewall entities while loading them through our secure
entity TIFS, the required information should be present in the
certificate that is being parsed by TIFS.

The following commit adds the support to enable the certificates to be
generated if the firewall configurations are present in the binman dtsi
nodes.

Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>

diff --git a/tools/binman/btool/openssl.py b/tools/binman/btool/openssl.py
index 7ee2683..fe81a1f 100644
--- a/tools/binman/btool/openssl.py
+++ b/tools/binman/btool/openssl.py

@@ -82,7 +82,7 @@
         return self.run_cmd(*args)
 
     def x509_cert_sysfw(self, cert_fname, input_fname, key_fname, sw_rev,
-                  config_fname, req_dist_name_dict):
+                  config_fname, req_dist_name_dict, firewall_cert_data):
         """Create a certificate to be booted by system firmware
 
         Args:
@@ -94,6 +94,13 @@
             req_dist_name_dict (dict): Dictionary containing key-value pairs of
             req_distinguished_name section extensions, must contain extensions for
             C, ST, L, O, OU, CN and emailAddress
+            firewall_cert_data (dict):
+              - auth_in_place (int): The Priv ID for copying as the
+                specific host in firewall protected region
+              - num_firewalls (int): The number of firewalls in the
+                extended certificate
+              - certificate (str): Extended firewall certificate with
+                the information for the firewall configurations.
 
         Returns:
             str: Tool output
@@ -121,6 +128,7 @@
 1.3.6.1.4.1.294.1.3    = ASN1:SEQUENCE:swrv
 1.3.6.1.4.1.294.1.34   = ASN1:SEQUENCE:sysfw_image_integrity
 1.3.6.1.4.1.294.1.35   = ASN1:SEQUENCE:sysfw_image_load
+1.3.6.1.4.1.294.1.37   = ASN1:SEQUENCE:firewall
 
 [ swrv ]
 swrv = INTEGER:{sw_rev}
@@ -132,7 +140,11 @@
 
 [ sysfw_image_load ]
 destAddr = FORMAT:HEX,OCT:00000000
-authInPlace = INTEGER:2
+authInPlace = INTEGER:{hex(firewall_cert_data['auth_in_place'])}
+
+[ firewall ]
+numFirewallRegions = INTEGER:{firewall_cert_data['num_firewalls']}
+{firewall_cert_data['certificate']}
 ''', file=outf)
         args = ['req', '-new', '-x509', '-key', key_fname, '-nodes',
                 '-outform', 'DER', '-out', cert_fname, '-config', config_fname,