Lokesh Vutla76f72592019-05-02 15:35:50 +05301#!/bin/bash
2# SPDX-License-Identifier: GPL-2.0+ OR BSD-3-Clause
3#
# Script to add K3 specific x509 certificate to a binary.
#
# Security note: without -k the certificate is produced with a generated
# "degenerate" RSA key (public and private exponent both 1, see
# gen_degen_key), so it carries no authenticity at all -- anyone can
# regenerate an equivalent certificate.  Pass a real key with -k whenever
# the output must be verifiable.
5#
6
# Variables
#
# Defaults for the command-line options handled by getopts below, plus the
# fixed names of the scratch files this script drops in the current
# directory.  NOTE(review): the scratch names are fixed and relative to
# $PWD, so two concurrent runs in the same directory would clobber each
# other's files.
OUTPUT="tiboot3.bin"        # -o: final output (certificate followed by image)
TEMP_X509="x509-temp.cert"  # filled-in openssl config, removed at the end
CERT="certificate.bin"      # DER certificate produced by openssl req
RAND_KEY="eckey.pem"        # generated key; despite the name it holds an RSA key
LOADADDR="0x41c00000"       # -l: destAddr written into the boot_seq extension
BOOTCORE_OPTS="0"           # bootCoreOpts; recomputed for cores not loaded by ROM
BOOTCORE="16"               # -c: bootCore (0 = M3, 16 = R5, per the checks below)
DEBUG_TYPE="0"              # -d: debugType in the debug extension (4 = early JTAG per usage)
SWRV="1"                    # -r: software revision in the swrv extension
Lokesh Vutla76f72592019-05-02 15:35:50 +053017
# Write the openssl ASN.1 "genconf" template for the degenerate RSA key to
# degen-template.txt in the current directory.
#
# Both exponents are fixed to 1, which is what makes the key degenerate:
# raising to the power 1 is the identity, so a signature made with this key
# is just the message and proves nothing.  The DEGEN_* tokens are
# placeholders that gen_degen_key() replaces with values taken from a
# throwaway key; the heredoc delimiter is quoted so nothing is expanded here.
gen_degen_template() {
	cat > degen-template.txt <<'EOF'

asn1=SEQUENCE:rsa_key

[rsa_key]
version=INTEGER:0
modulus=INTEGER:0xDEGEN_MODULUS
pubExp=INTEGER:1
privExp=INTEGER:1
p=INTEGER:0xDEGEN_P
q=INTEGER:0xDEGEN_Q
e1=INTEGER:1
e2=INTEGER:1
coeff=INTEGER:0xDEGEN_COEFF
EOF
}
35
# Generate x509 Template
#
# Writes the openssl "req" configuration used by gen_cert() to
# x509-template.txt.  The TEST_* tokens are placeholders that gen_cert()
# fills in with sed, so the heredoc delimiter is quoted to keep them literal.
#
# The 1.3.6.1.4.1.294.1.* extensions appear to be a TI private arc: boot
# sequence (cert type, core, load address, size), image integrity (SHA-512
# digest, OID 2.16.840.1.101.3.4.2.3), software revision and a debug policy.
# The encryption extension is left commented out.
#
# Security note: the debug extension is emitted with an all-zero debugUID
# and a caller-chosen debugType (-d 4 enables early JTAG per usage()), so
# review what -d is set to before an image built from this template ships.
gen_template() {
	cat > x509-template.txt <<'EOF'
 [ req ]
 distinguished_name = req_distinguished_name
 x509_extensions = v3_ca
 prompt = no
 dirstring_type = nobmp

 [ req_distinguished_name ]
 C = US
 ST = TX
 L = Dallas
 O = Texas Instruments Incorporated
 OU = Processors
 CN = TI support
 emailAddress = support@ti.com

 [ v3_ca ]
 basicConstraints = CA:true
 1.3.6.1.4.1.294.1.1 = ASN1:SEQUENCE:boot_seq
 1.3.6.1.4.1.294.1.2 = ASN1:SEQUENCE:image_integrity
 1.3.6.1.4.1.294.1.3 = ASN1:SEQUENCE:swrv
# 1.3.6.1.4.1.294.1.4 = ASN1:SEQUENCE:encryption
 1.3.6.1.4.1.294.1.8 = ASN1:SEQUENCE:debug

 [ boot_seq ]
 certType = INTEGER:TEST_CERT_TYPE
 bootCore = INTEGER:TEST_BOOT_CORE
 bootCoreOpts = INTEGER:TEST_BOOT_CORE_OPTS
 destAddr = FORMAT:HEX,OCT:TEST_BOOT_ADDR
 imageSize = INTEGER:TEST_IMAGE_LENGTH

 [ image_integrity ]
 shaType = OID:2.16.840.1.101.3.4.2.3
 shaValue = FORMAT:HEX,OCT:TEST_IMAGE_SHA_VAL

 [ swrv ]
 swrv = INTEGER:TEST_SWRV

# [ encryption ]
# initalVector = FORMAT:HEX,OCT:TEST_IMAGE_ENC_IV
# randomString = FORMAT:HEX,OCT:TEST_IMAGE_ENC_RS
# iterationCnt = INTEGER:TEST_IMAGE_KEY_DERIVE_INDEX
# salt = FORMAT:HEX,OCT:TEST_IMAGE_KEY_DERIVE_SALT

 [ debug ]
 debugUID = FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000
 debugType = INTEGER:TEST_DEBUG_TYPE
 coreDbgEn = INTEGER:0
 coreDbgSecEn = INTEGER:0
EOF
}
89
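# Extract one hex field from key.txt (the `openssl rsa -text` dump written by
# gen_degen_key) and print it as a single run of hex digits.
#
# Arguments: $1 - field name as printed by openssl, e.g. "modulus", "prime1"
# Outputs:   the concatenated hex digits of that field on stdout (nothing if
#            the field is absent)
#
# The dump lists a field as a "<name>:" header line followed by indented
# lines of colon-separated hex bytes.  The previous sed/awk pipeline glued
# the next non-indented line onto the modulus when that line contained a
# space ("publicExponent: 65537 (0x10001)"), so DEGEN_MODULUS carried
# trailing junk that only worked because openssl's hex parser stops at the
# first non-hex character.  This version stops at the first non-indented
# line and strips everything that is not a hex digit.  The field name is
# passed with -v rather than interpolated into the awk program.
parse_key() {
	awk -v field="$1" '
		$0 == field ":" { grab = 1; next }
		grab && /^[[:space:]]/ { gsub(/[^0-9a-fA-F]/, ""); out = out $0; next }
		grab { print out; grab = 0; exit }
		END { if (grab) print out }
	' key.txt
}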
96
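# Produce $RAND_KEY, a deliberately *degenerate* RSA key, and point $KEY at it.
#
# gen_degen_template() fixes both exponents to 1, so "signing" with this key
# is the identity operation: the certificate it yields is structurally valid
# but authenticates nothing, and anyone can make an equivalent one.  A
# throwaway 1024-bit key only donates its modulus and primes so the ASN.1
# structure holds plausible numbers.  (The old comment said "4096 bit"; the
# genrsa call below asks for 1024.)
#
# Globals written: KEY, DEGEN_MODULUS, DEGEN_P, DEGEN_Q, DEGEN_COEFF
# Files: key.pem, key.txt, degen-template.txt and degenerateKey.{txt,der} are
#        created in the current directory and removed on every exit path.
#
# Exits non-zero when openssl fails or a key field cannot be parsed.  The
# previous version discarded every error, so a broken openssl left no
# $RAND_KEY behind and the script went on to emit an output with no
# certificate in front of the image.
gen_degen_key() {
	local -a scratch=(key.pem key.txt degen-template.txt degenerateKey.txt degenerateKey.der)

	# Generate a throwaway 1024 bit RSA key and dump its parameters as text
	if ! openssl genrsa -out key.pem 1024 >/dev/null 2>&1 ||
	   ! openssl rsa -in key.pem -text -out key.txt >/dev/null 2>&1; then
		echo "ERROR: openssl failed to generate the throwaway RSA key" >&2
		rm -f -- "${scratch[@]}"
		exit 1
	fi
	DEGEN_MODULUS=$( parse_key 'modulus' )
	DEGEN_P=$( parse_key 'prime1' )
	DEGEN_Q=$( parse_key 'prime2' )
	DEGEN_COEFF=$( parse_key 'coefficient' )
	# An empty field would leave a bare "0x" in the template and fail later
	# with no hint of why.
	if [[ -z "$DEGEN_MODULUS" || -z "$DEGEN_P" || -z "$DEGEN_Q" || -z "$DEGEN_COEFF" ]]; then
		echo "ERROR: could not parse the RSA parameters from key.txt" >&2
		rm -f -- "${scratch[@]}"
		exit 1
	fi
	gen_degen_template

	sed -e "s/DEGEN_MODULUS/$DEGEN_MODULUS/" \
	    -e "s/DEGEN_P/$DEGEN_P/" \
	    -e "s/DEGEN_Q/$DEGEN_Q/" \
	    -e "s/DEGEN_COEFF/$DEGEN_COEFF/" \
	    degen-template.txt > degenerateKey.txt

	if ! openssl asn1parse -genconf degenerateKey.txt -out degenerateKey.der >/dev/null 2>&1 ||
	   ! openssl rsa -in degenerateKey.der -inform DER -outform PEM -out "$RAND_KEY" >/dev/null 2>&1; then
		echo "ERROR: openssl failed to build the degenerate key $RAND_KEY" >&2
		rm -f -- "${scratch[@]}" "$RAND_KEY"
		exit 1
	fi
	KEY=$RAND_KEY
	rm -f -- "${scratch[@]}"
}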
118
# Option table for usage(): key = option letter, value = "arg_name:description".
declare -A options_help=()
# Print the synopsis and the option table built from options_help, where each
# entry reads "arg_name:description" (an empty arg_name marks a flag).  Any
# arguments are echoed first as an "ERROR:" line.  Everything goes to stdout.
usage() {
	local opt spec arg rest txt tab
	if [[ -n "$*" ]]; then
		echo "ERROR: $*"
	fi
	echo -n "Usage: $0 "
	for opt in "${!options_help[@]}"; do
		spec=${options_help[$opt]}
		# text before the first ':' is the argument name
		arg=${spec%%:*}
		if [[ -n "$arg" ]]; then
			arg=" $arg"
		fi
		echo -n "[-$opt$arg] "
	done
	echo
	echo -e "\nWhere:"
	for opt in "${!options_help[@]}"; do
		spec=${options_help[$opt]}
		arg=${spec%%:*}
		# second ':'-separated field only, as `cut -f2` would give
		rest=${spec#*:}
		txt=${rest%%:*}
		tab="\t\t\t"
		if [[ -n "$arg" ]]; then
			arg=" $arg"
			tab="\t"
		fi
		echo -e " -$opt$arg:$tab$txt"
	done
	echo
	echo "Examples of usage:-"
	echo "# Example of signing the SYSFW binary with rsa degenerate key"
	echo " $0 -c 0 -b ti-sci-firmware-am6x.bin -o sysfw.bin -l 0x40000"
	echo "# Example of signing the SPL binary with rsa degenerate key"
	echo " $0 -c 16 -b spl/u-boot-spl.bin -o tiboot3.bin -l 0x41c00000"
}
153
# Option table consumed by usage(): "<argument name>:<description>".  The
# defaults quoted in the text are the values assigned at the top of the
# script, so this must stay below those assignments.
options_help=(
	[b]="bin_file:Bin file that needs to be signed"
	[k]="key_file:file with key inside it. If not provided script generates a rsa degenerate key."
	[o]="output_file:Name of the final output file. default to $OUTPUT"
	[c]="core_id:target core id on which the image would be running. Default to $BOOTCORE"
	[l]="loadaddr: Target load address of the binary in hex. Default to $LOADADDR"
	[d]="debug_type: Debug type, set to 4 to enable early JTAG. Default to $DEBUG_TYPE"
	[r]="SWRV: Software Rev for X509 certificate"
)
Lokesh Vutla76f72592019-05-02 15:35:50 +0530161
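# Command-line parsing.
#
# Two fixes against the previous loop: (1) "-h" took a mandatory argument
# ("h:"), so a plain "-h" reported "Needs an argument" and exited 1; (2) the
# optstring had no leading ':', so getopts ran in non-silent mode, printed its
# own diagnostics and left OPTARG unset -- the "Invalid Option '-$OPTARG'"
# message printed an empty option and the ':' arm could never fire.
#
# Numeric options are also validated: -c, -d and -r are spliced verbatim into
# a sed replacement and the openssl config (a '/' or '&' would corrupt the
# certificate silently) and -l goes through printf, which on a non-number
# would yield destAddr 00000000 with only a warning.
num_re='^(0[xX][0-9a-fA-F]+|[0-9]+)$'
while getopts ":b:k:o:c:l:d:hr:" opt
do
	case "$opt" in
	b)
		BIN=$OPTARG
		;;
	k)
		KEY=$OPTARG
		;;
	o)
		OUTPUT=$OPTARG
		;;
	l)
		if [[ ! "$OPTARG" =~ $num_re ]]; then
			usage "Option '-l' expects a decimal or 0x-hex address, got '$OPTARG'"
			exit 1
		fi
		LOADADDR=$OPTARG
		;;
	c)
		if [[ ! "$OPTARG" =~ $num_re ]]; then
			usage "Option '-c' expects a decimal or 0x-hex core id, got '$OPTARG'"
			exit 1
		fi
		BOOTCORE=$OPTARG
		;;
	d)
		if [[ ! "$OPTARG" =~ $num_re ]]; then
			usage "Option '-d' expects a decimal or 0x-hex debug type, got '$OPTARG'"
			exit 1
		fi
		DEBUG_TYPE=$OPTARG
		;;
	r)
		if [[ ! "$OPTARG" =~ $num_re ]]; then
			usage "Option '-r' expects a decimal or 0x-hex revision, got '$OPTARG'"
			exit 1
		fi
		SWRV=$OPTARG
		;;
	h)
		usage
		exit 0
		;;
	\?)
		usage "Invalid Option '-$OPTARG'"
		exit 1
		;;
	:)
		usage "Option '-$OPTARG' Needs an argument."
		exit 1
		;;
	esac
done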
200
# Mandatory-argument checks: the binary to wrap is the only required option.
if [[ "$#" -eq 0 ]]; then
	usage "Arguments missing"
	exit 1
fi

if [[ -z "$BIN" ]]; then
	usage "Bin file missing in arguments"
	exit 1
fi

# Without -k fall back to a generated degenerate RSA key (see gen_degen_key):
# the certificate is then structurally valid but proves nothing about the
# image's origin.
if [[ -z "$KEY" ]]; then
	gen_degen_key
fi
215
# Pick the certificate type and boot-core options from the target core.
# The comparison is a string match, as before: "0" and "16" are the two
# ROM-loaded cores; anything else is treated as loaded by SYSFW.
case "$BOOTCORE" in
0)	# BOOTCORE M3, loaded by ROM
	CERTTYPE=2
	;;
16)	# BOOTCORE R5, loaded by ROM
	CERTTYPE=1
	;;
*)	# Non BOOTCORE, loaded by SYSFW
	BOOTCORE_OPTS_VER=$(printf "%01x" 1)
	# Add input args option for SET and CLR flags.
	BOOTCORE_OPTS_SETFLAG=$(printf "%08x" 0)
	BOOTCORE_OPTS_CLRFLAG=$(printf "%08x" 0x100)	# Clear FLAG_ARMV8_AARCH32
	BOOTCORE_OPTS="0x${BOOTCORE_OPTS_VER}${BOOTCORE_OPTS_SETFLAG}${BOOTCORE_OPTS_CLRFLAG}"
	# Set the cert type to zero.
	# We are not using public/private key store now
	CERTTYPE=$(printf "0x%08x" 0)
	;;
esac
230
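# Digest, size and load address that go into the certificate.
#
# The image is checked for readability first: previously an unreadable -b
# path left SHA_VAL empty and BIN_SIZE at 0 and the script carried on to
# produce a certificate for nothing.  Paths are quoted so spaces survive.
if [[ ! -r "$BIN" ]]; then
	echo "ERROR: cannot read bin file '$BIN'" >&2
	exit 1
fi
# openssl prints "<alg>(<file>)= <hex>"; keep only what follows the last
# "= ", exactly as the former sed did.
SHA_VAL=$(openssl dgst -sha512 -hex "$BIN")
SHA_VAL=${SHA_VAL##*= }
# Arithmetic context normalises the count (some wc builds pad it with spaces).
BIN_SIZE=$(( $(wc -c < "$BIN") ))
ADDR=$(printf "%08x" "$LOADADDR")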
234
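# Fill the TEST_* placeholders in x509-template.txt and self-sign a DER
# certificate with $KEY.
#
# Globals read:  SWRV BIN_SIZE SHA_VAL CERTTYPE BOOTCORE_OPTS BOOTCORE ADDR
#                DEBUG_TYPE KEY TEMP_X509 CERT
# Files written: $TEMP_X509 (filled-in config) and $CERT (DER certificate)
#
# Exits non-zero if openssl req fails.  Previously the failure was ignored,
# $CERT was never written, and the final `cat $CERT $BIN` emitted the bare
# image with an error on stderr -- an "output" with no certificate at all.
gen_cert() {
	#echo "Certificate being generated :"
	#echo " LOADADDR = 0x$ADDR"
	#echo " IMAGE_SIZE = $BIN_SIZE"
	#echo " CERT_TYPE = $CERTTYPE"
	#echo " DEBUG_TYPE = $DEBUG_TYPE"
	echo " SWRV = $SWRV"
	# TEST_BOOT_CORE is a prefix of TEST_BOOT_CORE_OPTS, so the longer
	# token must be substituted first or the shorter pattern mangles it.
	sed -e "s/TEST_IMAGE_LENGTH/$BIN_SIZE/" \
	    -e "s/TEST_IMAGE_SHA_VAL/$SHA_VAL/" \
	    -e "s/TEST_CERT_TYPE/$CERTTYPE/" \
	    -e "s/TEST_BOOT_CORE_OPTS/$BOOTCORE_OPTS/" \
	    -e "s/TEST_BOOT_CORE/$BOOTCORE/" \
	    -e "s/TEST_BOOT_ADDR/$ADDR/" \
	    -e "s/TEST_DEBUG_TYPE/$DEBUG_TYPE/" \
	    -e "s/TEST_SWRV/$SWRV/" \
	    x509-template.txt > "$TEMP_X509"
	# Self-signed with SHA-512.  With the default degenerate key this
	# signature authenticates nothing; a real -k key is what gives it meaning.
	if ! openssl req -new -x509 -key "$KEY" -nodes -outform DER -out "$CERT" \
			-config "$TEMP_X509" -sha512; then
		echo "ERROR: openssl req failed to generate $CERT with key '$KEY'" >&2
		exit 1
	fi
}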
253
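gen_template
gen_cert

# Refuse to clobber the input: if -o names the same file as -b, the shell
# truncates it before cat reads it and the output would hold the certificate
# alone.  -ef compares inodes, so it also catches differently spelled paths
# (it is false while the output does not exist yet).
if [[ "$OUTPUT" -ef "$BIN" ]]; then
	echo "ERROR: output file '$OUTPUT' must differ from the input bin file" >&2
	exit 1
fi
# A missing or empty certificate would silently turn the output into the
# bare, unsigned image.
if [[ ! -s "$CERT" ]]; then
	echo "ERROR: certificate '$CERT' was not generated" >&2
	exit 1
fi
cat -- "$CERT" "$BIN" > "$OUTPUT"

# Remove all intermediate files.  The key is only deleted when it is the
# generated degenerate one, never a user-supplied -k key.
rm -f -- "$TEMP_X509" "$CERT" x509-template.txt
if [[ "$KEY" == "$RAND_KEY" ]]; then
	rm -f -- "$RAND_KEY"
fi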