tools/binman/btool/openssl.py

# SPDX-License-Identifier: GPL-2.0+
# Copyright 2022 Google LLC
#
"""Bintool implementation for openssl

openssl provides a number of features useful for signing images

Documentation is at https://www.coreboot.org/CBFS

Source code is at https://www.openssl.org/
"""

import hashlib

from binman import bintool
from u_boot_pylib import tools


VALID_SHAS = [256, 384, 512, 224]
SHA_OIDS = {256:'2.16.840.1.101.3.4.2.1',
            384:'2.16.840.1.101.3.4.2.2',
            512:'2.16.840.1.101.3.4.2.3',
            224:'2.16.840.1.101.3.4.2.4'}

class Bintoolopenssl(bintool.Bintool):
    """openssl tool

    This bintool supports creating new openssl certificates.

    It also supports fetching a binary openssl

    Documentation about openssl is at https://www.openssl.org/
    """
    def __init__(self, name):
        super().__init__(
            name, 'openssl cryptography toolkit',
            version_regex=r'OpenSSL (.*) \(', version_args='version')

    def x509_cert(self, cert_fname, input_fname, key_fname, cn, revision,
                  config_fname):
        """Create a certificate

        Args:
            cert_fname (str): Filename of certificate to create
            input_fname (str): Filename containing data to sign
            key_fname (str): Filename of .pem file
            cn (str): Common name
            revision (int): Revision number
            config_fname (str): Filename to write fconfig into

        Returns:
            str: Tool output
        """
        indata = tools.read_file(input_fname)
        hashval = hashlib.sha512(indata).hexdigest()
        with open(config_fname, 'w', encoding='utf-8') as outf:
            print(f'''[ req ]
distinguished_name     = req_distinguished_name
x509_extensions        = v3_ca
prompt                 = no
dirstring_type         = nobmp

[ req_distinguished_name ]
CN                     = {cert_fname}

[ v3_ca ]
basicConstraints       = CA:true
1.3.6.1.4.1.294.1.3    = ASN1:SEQUENCE:swrv
1.3.6.1.4.1.294.1.34   = ASN1:SEQUENCE:sysfw_image_integrity

[ swrv ]
swrv = INTEGER:{revision}

[ sysfw_image_integrity ]
shaType                = OID:2.16.840.1.101.3.4.2.3
shaValue               = FORMAT:HEX,OCT:{hashval}
imageSize              = INTEGER:{len(indata)}
''', file=outf)
        args = ['req', '-new', '-x509', '-key', key_fname, '-nodes',
                '-outform', 'DER', '-out', cert_fname, '-config', config_fname,
                '-sha512']
        return self.run_cmd(*args)

    def x509_cert_sysfw(self, cert_fname, input_fname, key_fname, sw_rev,
                  config_fname, req_dist_name_dict, firewall_cert_data):
        """Create a certificate to be booted by system firmware

        Args:
            cert_fname (str): Filename of certificate to create
            input_fname (str): Filename containing data to sign
            key_fname (str): Filename of .pem file
            sw_rev (int): Software revision
            config_fname (str): Filename to write fconfig into
            req_dist_name_dict (dict): Dictionary containing key-value pairs of
            req_distinguished_name section extensions, must contain extensions for
            C, ST, L, O, OU, CN and emailAddress
            firewall_cert_data (dict):
              - auth_in_place (int): The Priv ID for copying as the
                specific host in firewall protected region
              - num_firewalls (int): The number of firewalls in the
                extended certificate
              - certificate (str): Extended firewall certificate with
                the information for the firewall configurations.

        Returns:
            str: Tool output
        """
        indata = tools.read_file(input_fname)
        hashval = hashlib.sha512(indata).hexdigest()
        with open(config_fname, 'w', encoding='utf-8') as outf:
            print(f'''[ req ]
distinguished_name     = req_distinguished_name
x509_extensions        = v3_ca
prompt                 = no
dirstring_type         = nobmp

[ req_distinguished_name ]
C                      = {req_dist_name_dict['C']}
ST                     = {req_dist_name_dict['ST']}
L                      = {req_dist_name_dict['L']}
O                      = {req_dist_name_dict['O']}
OU                     = {req_dist_name_dict['OU']}
CN                     = {req_dist_name_dict['CN']}
emailAddress           = {req_dist_name_dict['emailAddress']}

[ v3_ca ]
basicConstraints       = CA:true
1.3.6.1.4.1.294.1.3    = ASN1:SEQUENCE:swrv
1.3.6.1.4.1.294.1.34   = ASN1:SEQUENCE:sysfw_image_integrity
1.3.6.1.4.1.294.1.35   = ASN1:SEQUENCE:sysfw_image_load
1.3.6.1.4.1.294.1.37   = ASN1:SEQUENCE:firewall

[ swrv ]
swrv = INTEGER:{sw_rev}

[ sysfw_image_integrity ]
shaType                = OID:2.16.840.1.101.3.4.2.3
shaValue               = FORMAT:HEX,OCT:{hashval}
imageSize              = INTEGER:{len(indata)}

[ sysfw_image_load ]
destAddr = FORMAT:HEX,OCT:00000000
authInPlace = INTEGER:{hex(firewall_cert_data['auth_in_place'])}

[ firewall ]
numFirewallRegions = INTEGER:{firewall_cert_data['num_firewalls']}
{firewall_cert_data['certificate']}
''', file=outf)
        args = ['req', '-new', '-x509', '-key', key_fname, '-nodes',
                '-outform', 'DER', '-out', cert_fname, '-config', config_fname,
                '-sha512']
        return self.run_cmd(*args)

    def x509_cert_rom(self, cert_fname, input_fname, key_fname, sw_rev,
                  config_fname, req_dist_name_dict, cert_type, bootcore,
                  bootcore_opts, load_addr, sha):
        """Create a certificate

        Args:
            cert_fname (str): Filename of certificate to create
            input_fname (str): Filename containing data to sign
            key_fname (str): Filename of .pem file
            sw_rev (int): Software revision
            config_fname (str): Filename to write fconfig into
            req_dist_name_dict (dict): Dictionary containing key-value pairs of
            req_distinguished_name section extensions, must contain extensions for
            C, ST, L, O, OU, CN and emailAddress
            cert_type (int): Certification type
            bootcore (int): Booting core
            bootcore_opts(int): Booting core option, lockstep (0) or split (2) mode
            load_addr (int): Load address of image
            sha (int): Hash function

        Returns:
            str: Tool output
        """
        indata = tools.read_file(input_fname)
        hashval = hashlib.sha512(indata).hexdigest()
        with open(config_fname, 'w', encoding='utf-8') as outf:
            print(f'''
[ req ]
 distinguished_name     = req_distinguished_name
 x509_extensions        = v3_ca
 prompt                 = no
 dirstring_type         = nobmp

 [ req_distinguished_name ]
C                      = {req_dist_name_dict['C']}
ST                     = {req_dist_name_dict['ST']}
L                      = {req_dist_name_dict['L']}
O                      = {req_dist_name_dict['O']}
OU                     = {req_dist_name_dict['OU']}
CN                     = {req_dist_name_dict['CN']}
emailAddress           = {req_dist_name_dict['emailAddress']}

 [ v3_ca ]
 basicConstraints = CA:true
 1.3.6.1.4.1.294.1.1 = ASN1:SEQUENCE:boot_seq
 1.3.6.1.4.1.294.1.2 = ASN1:SEQUENCE:image_integrity
 1.3.6.1.4.1.294.1.3 = ASN1:SEQUENCE:swrv
# 1.3.6.1.4.1.294.1.4 = ASN1:SEQUENCE:encryption
 1.3.6.1.4.1.294.1.8 = ASN1:SEQUENCE:debug

 [ boot_seq ]
 certType = INTEGER:{cert_type}
 bootCore = INTEGER:{bootcore}
 bootCoreOpts = INTEGER:{bootcore_opts}
 destAddr = FORMAT:HEX,OCT:{load_addr:08x}
 imageSize = INTEGER:{len(indata)}

 [ image_integrity ]
 shaType = OID:{SHA_OIDS[sha]}
 shaValue = FORMAT:HEX,OCT:{hashval}

 [ swrv ]
 swrv = INTEGER:{sw_rev}

# [ encryption ]
# initalVector = FORMAT:HEX,OCT:TEST_IMAGE_ENC_IV
# randomString = FORMAT:HEX,OCT:TEST_IMAGE_ENC_RS
# iterationCnt = INTEGER:TEST_IMAGE_KEY_DERIVE_INDEX
# salt = FORMAT:HEX,OCT:TEST_IMAGE_KEY_DERIVE_SALT

 [ debug ]
 debugUID = FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000
 debugType = INTEGER:4
 coreDbgEn = INTEGER:0
 coreDbgSecEn = INTEGER:0
''', file=outf)
        args = ['req', '-new', '-x509', '-key', key_fname, '-nodes',
                '-outform', 'DER', '-out', cert_fname, '-config', config_fname,
                '-sha512']
        return self.run_cmd(*args)

    def x509_cert_rom_combined(self, cert_fname, input_fname, key_fname, sw_rev,
                  config_fname, req_dist_name_dict, load_addr, sha, total_size, num_comps,
                  sysfw_inner_cert_ext_boot_sequence_string, dm_data_ext_boot_sequence_string,
                  imagesize_sbl, hashval_sbl, load_addr_sysfw, imagesize_sysfw,
                  hashval_sysfw, load_addr_sysfw_data, imagesize_sysfw_data,
                  hashval_sysfw_data, sysfw_inner_cert_ext_boot_block,
                  dm_data_ext_boot_block, bootcore_opts):
        """Create a certificate

        Args:
            cert_fname (str): Filename of certificate to create
            input_fname (str): Filename containing data to sign
            key_fname (str): Filename of .pem file
            sw_rev (int): Software revision
            config_fname (str): Filename to write fconfig into
            req_dist_name_dict (dict): Dictionary containing key-value pairs of
            req_distinguished_name section extensions, must contain extensions for
            C, ST, L, O, OU, CN and emailAddress
            cert_type (int): Certification type
            bootcore (int): Booting core
            load_addr (int): Load address of image
            sha (int): Hash function
            bootcore_opts (int): Booting core option, lockstep (0) or split (2) mode

        Returns:
            str: Tool output
        """
        indata = tools.read_file(input_fname)
        hashval = hashlib.sha512(indata).hexdigest()
        sha_type = SHA_OIDS[sha]
        with open(config_fname, 'w', encoding='utf-8') as outf:
            print(f'''
[ req ]
distinguished_name     = req_distinguished_name
x509_extensions        = v3_ca
prompt                 = no
dirstring_type         = nobmp

[ req_distinguished_name ]
C                      = {req_dist_name_dict['C']}
ST                     = {req_dist_name_dict['ST']}
L                      = {req_dist_name_dict['L']}
O                      = {req_dist_name_dict['O']}
OU                     = {req_dist_name_dict['OU']}
CN                     = {req_dist_name_dict['CN']}
emailAddress           = {req_dist_name_dict['emailAddress']}

[ v3_ca ]
basicConstraints = CA:true
1.3.6.1.4.1.294.1.3=ASN1:SEQUENCE:swrv
1.3.6.1.4.1.294.1.9=ASN1:SEQUENCE:ext_boot_info
1.3.6.1.4.1.294.1.8=ASN1:SEQUENCE:debug

[swrv]
swrv=INTEGER:{sw_rev}

[ext_boot_info]
extImgSize=INTEGER:{total_size}
numComp=INTEGER:{num_comps}
sbl=SEQUENCE:sbl
sysfw=SEQUENCE:sysfw
sysfw_data=SEQUENCE:sysfw_data
{sysfw_inner_cert_ext_boot_sequence_string}
{dm_data_ext_boot_sequence_string}

[sbl]
compType = INTEGER:1
bootCore = INTEGER:16
compOpts = INTEGER:{bootcore_opts}
destAddr = FORMAT:HEX,OCT:{load_addr:08x}
compSize = INTEGER:{imagesize_sbl}
shaType  = OID:{sha_type}
shaValue = FORMAT:HEX,OCT:{hashval_sbl}

[sysfw]
compType = INTEGER:2
bootCore = INTEGER:0
compOpts = INTEGER:0
destAddr = FORMAT:HEX,OCT:{load_addr_sysfw:08x}
compSize = INTEGER:{imagesize_sysfw}
shaType  = OID:{sha_type}
shaValue = FORMAT:HEX,OCT:{hashval_sysfw}

[sysfw_data]
compType = INTEGER:18
bootCore = INTEGER:0
compOpts = INTEGER:0
destAddr = FORMAT:HEX,OCT:{load_addr_sysfw_data:08x}
compSize = INTEGER:{imagesize_sysfw_data}
shaType  = OID:{sha_type}
shaValue = FORMAT:HEX,OCT:{hashval_sysfw_data}

[ debug ]
debugUID = FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000
debugType = INTEGER:4
coreDbgEn = INTEGER:0
coreDbgSecEn = INTEGER:0

{sysfw_inner_cert_ext_boot_block}

{dm_data_ext_boot_block}
        ''', file=outf)
        args = ['req', '-new', '-x509', '-key', key_fname, '-nodes',
                '-outform', 'DER', '-out', cert_fname, '-config', config_fname,
                '-sha512']
        return self.run_cmd(*args)

    def fetch(self, method):
        """Fetch handler for openssl

        This installs the openssl package using the apt utility.

        Args:
            method (FETCH_...): Method to use

        Returns:
            True if the file was fetched and now installed, None if a method
            other than FETCH_BIN was requested

        Raises:
            Valuerror: Fetching could not be completed
        """
        if method != bintool.FETCH_BIN:
            return None
        return self.apt_install('openssl')