From: Sascha Hauer <s.hauer@pengutronix.de>
To: Marc Kleine-Budde <mkl@pengutronix.de>
Cc: barebox@lists.infradead.org
Subject: Re: [PATCH v2] images: add HABv4 support for i.MX6
Date: Mon, 13 Apr 2015 12:19:06 +0200
Message-ID: <20150413101906.GP9742@pengutronix.de>
In-Reply-To: <1427917169-27278-1-git-send-email-mkl@pengutronix.de>

Hi Marc,

Looks mostly fine. Some minor stuff inside, mostly typos.

Sascha

On Wed, Apr 01, 2015 at 09:39:29PM +0200, Marc Kleine-Budde wrote:
> This patch adds high assurance boot support (HABv4) image generation to
> barebox, currently tested on i.MX6 only.
> 
> In order to build a singed barebox image, add a new image target to

s/singed/signed/

> images/Makefile.imx as illustrated in the diff below:
> 
> - - - a/images/Makefile.imx
> + + + b/images/Makefile.imx
> @@ -163,10 +163,14 @@ image-$(CONFIG_MACH_SABRELITE) += barebox-freescale-imx6dl-sabrelite.img
>  pblx-$(CONFIG_MACH_SABRESD) += start_imx6q_sabresd
>  CFG_start_imx6q_sabresd.pblx.imximg = $(board)/freescale-mx6-sabresd/flash-header-mx6-sabresd.imxcfg
>  FILE_barebox-freescale-imx6q-sabresd.img = start_imx6q_sabresd.pblx.imximg
>  image-$(CONFIG_MACH_SABRESD) += barebox-freescale-imx6q-sabresd.img
> 
> +CSF_start_imx6q_sabresd.pblx.imximg = $(havb4_imx6csf)
> +FILE_barebox-freescale-imx6q-sabresd-signed.img = start_imx6q_sabresd.pblx.imximg.signed
> +image-$(CONFIG_MACH_SABRESD) += barebox-freescale-imx6q-sabresd-signed.img
> +
> 
> Here the defaut i.MX6 CSF file $(havb4_imx6csf) is used, it's generated during

s/defaut/default/

> build from the template "scripts/habv4/habv4-imx6.csf.in". You can configure
> the paths to the SRK table and certificates via: System Type -> i.MX specific
> settings -> HABv4 support.
> 
> The proprietary tool "cst" by Freescale is expected in the PATH.
> 
> Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
> ---
> This time with a harmless patch description, so that it's not confused with the
> real patch.
> 
>  arch/arm/mach-imx/Kconfig        | 39 ++++++++++++++++++++++++++++++++
>  images/.gitignore                |  2 ++
>  images/Makefile                  |  1 +
>  images/Makefile.habv4            | 48 ++++++++++++++++++++++++++++++++++++++++
>  scripts/habv4/gencsf.sh          | 47 +++++++++++++++++++++++++++++++++++++++
>  scripts/habv4/habv4-imx28.csf.in | 28 +++++++++++++++++++++++
>  scripts/habv4/habv4-imx6.csf.in  | 37 +++++++++++++++++++++++++++++++
>  7 files changed, 202 insertions(+)
>  create mode 100644 images/Makefile.habv4
>  create mode 100755 scripts/habv4/gencsf.sh
>  create mode 100644 scripts/habv4/habv4-imx28.csf.in
>  create mode 100644 scripts/habv4/habv4-imx6.csf.in
> 
> diff --git a/arch/arm/mach-imx/Kconfig b/arch/arm/mach-imx/Kconfig
> index 477207e646cd..f896b86d357d 100644
> --- a/arch/arm/mach-imx/Kconfig
> +++ b/arch/arm/mach-imx/Kconfig
> @@ -676,6 +676,45 @@ config IMX_OCOTP_WRITE
>  		mw -l -d /dev/imx-ocotp 0x8C 0x00001234
>  		mw -l -d /dev/imx-ocotp 0x88 0x56789ABC
>  
> +config HABV4
> +	tristate "HABv4 support"
> +	help
> +	  High Assurance Boot, as found on i.MX28/i.MX6.

depends on ARCH_IMX6?

> +
> +if HABV4
> +
> +config HABV4_TABLE_BIN
> +	string "Path to SRK table"
> +	default "../crts/SRK_1_2_3_4_table.bin"
> +	help
> +	  Path to the Super Root Key (SRK) table, produced by the
> +	  Freescale Code Signing Tool (cst).
> +
> +	  This file will be inserted into to Command Sequence File

s/to/the/

> +	  (CSF) when using the CSF template that comes with barebox.
> +
> +config HABV4_CSF_CRT_PEM
> +	string "Path to CSF certificate"
> +	default "../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
> +	help
> +	  Path to the Command Sequence File (CSF) certificate, produced by the
> +	  Freescale Public Key Infrastructure (PKI) script.
> +
> +	  This file will be inserted into to Command Sequence File

s/to/the/

> +	  (CSF) when using the CSF template that comes with barebox.
> +
> +config HABV4_IMG_CRT_PEM
> +	string "Path to IMG certificate"
> +	default "../crts/IMG_1_sha256_4096_65537_v3_usr_crt.pem"
> +	help
> +	  Path to the Image certificate, produced by the Freescale
> +	  Public Key Infrastructure (PKI) script.
> +
> +	  This file will be inserted into to Command Sequence File

s/to/the/

> +	  (CSF) when using the CSF template that comes with barebox.
> +
> +endif
> +
>  endmenu
>  
>  endif
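Review bot: `tristate "HABv4 support"` for config HABV4 should be `bool`; nothing under this option is built as a module, it only gates image-generation rules and three string paths, and `CONFIG_HABV4=m` would be a meaningless state for the Makefile that consumes it. The three `default "../crts/..."` values are relative paths that cst resolves from the directory make is invoked in (the object tree), not from the source tree, so the same .config selects different key material depending on where the build runs; the help text should say which directory the path is relative to, or recommend an absolute path. A `depends on ARCH_IMX6` (or `ARCH_IMX28 || ARCH_IMX6`, matching the help text) would also keep the submenu off SoCs that have no HAB.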
> diff --git a/images/.gitignore b/images/.gitignore
> index c5377d9f6531..b5004fe48fd6 100644
> --- a/images/.gitignore
> +++ b/images/.gitignore
> @@ -3,6 +3,8 @@
>  *.pblb
>  *.img
>  *.imximg
> +*.imximg.prep
> +*.imximg.signed
>  *.map
>  *.src
>  *.kwbimg
> diff --git a/images/Makefile b/images/Makefile
> index 7c3aaf762767..d670ce6df1e3 100644
> --- a/images/Makefile
> +++ b/images/Makefile
> @@ -104,6 +104,7 @@ include $(srctree)/images/Makefile.rockchip
>  include $(srctree)/images/Makefile.socfpga
>  include $(srctree)/images/Makefile.tegra
>  include $(srctree)/images/Makefile.mxs
> +include $(srctree)/images/Makefile.habv4
>  
>  targets += $(image-y) pbl.lds barebox.x barebox.z
>  targets += $(patsubst %,%.pblx,$(pblx-y))
> diff --git a/images/Makefile.habv4 b/images/Makefile.habv4

Maybe name this Makefile.imxhabv4 to make clear this file is about i.MX.

> new file mode 100644
> index 000000000000..bb2fd3082639
> --- /dev/null
> +++ b/images/Makefile.habv4
> @@ -0,0 +1,48 @@
> +# -*-makefile-*-
> +#
> +# barebox image generation Makefile for HABv4 images
> +#
> +
> +# default csf templates
> +havb4_imx6csf = $(srctree)/scripts/habv4/habv4-imx6.csf.in
> +habv4_imx2csf = $(srctree)/scripts/habv4/habv4-imx28.csf.in
> +
> +# %.imximg.prep - Convert in i.MX image, with preparation for signature
> +# ----------------------------------------------------------------
> +quiet_cmd_imx_prep_image = IMX-PREP-IMG $@
> +      cmd_imx_prep_image = $(CPP) $(imxcfg_cpp_flags) -o $(imximg-tmp) $(word 2,$^) ; \
> +			   $< -o $@ -b -c $(imximg-tmp) -p -f $(word 3,$^)
> +
> +.SECONDEXPANSION:
> +$(obj)/%.imximg.prep: $(objtree)/scripts/imx/imx-image $$(CFG_%.imximg) $(obj)/%
> +	$(call if_changed,imx_prep_image)
> +
> +# %.habv4.csf - create Command Sequence File from template
> +# ----------------------------------------------------------------
> +quiet_cmd_csf = CSF     $@
> +      cmd_csf = TABLE_BIN=$(CONFIG_HABV4_TABLE_BIN) \
> +		CSF_CRT_PEM=$(CONFIG_HABV4_CSF_CRT_PEM) \
> +		IMG_CRT_PEM=$(CONFIG_HABV4_IMG_CRT_PEM) \
> +		$< -f $(word 2,$^) -c $(word 3,$^) -i $(word 4,$^) -o $@
> +
> +.SECONDEXPANSION:
> +$(obj)/%.habv4.csf: $(srctree)/scripts/habv4/gencsf.sh $(obj)/%.prep $$(CFG_%) $$(CSF_%)
> +	$(call if_changed,csf)
> +
> +# %.habv4.sig - create signature and pad to 0x2000
> +# ----------------------------------------------------------------
> +CST = cst
> +quiet_cmd_habv4_sig = HAB4SIG $@
> +      cmd_habv4_sig = $(CST) -o $(imximg-tmp) < $(word 2,$^) > /dev/null; \
> +		      $(OBJCOPY) -I binary -O binary --pad-to 0x2000 --gap-fill=0x5a $(imximg-tmp) $@
> +
> +$(obj)/%.habv4.sig: $(obj)/%.prep $(obj)/%.habv4.csf
> +	$(call if_changed,habv4_sig)
> +
> +# %.imximg.singed - concatinate bootloader and signature

s/singed/signed/
s/concatinate/concatenate/

> +# ----------------------------------------------------------------
> +quiet_cmd_cat = CAT     $@
> +      cmd_cat = cat $^ > $@
> +
> +$(obj)/%.imximg.signed: $(obj)/%.imximg.prep $(obj)/%.imximg.habv4.sig
> +	$(call if_changed,cat)
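Review bot: in cmd_habv4_sig the cst and objcopy commands are joined with `;`, so when `cst` fails (not in PATH, missing certificate, bad key) make still runs objcopy on whatever $(imximg-tmp) holds and can emit a `.signed` image with a stale or empty CSF; join them with `&&` (the same applies to the `;` in cmd_imx_prep_image). `--pad-to 0x2000` pads but never truncates, so a CSF that grows past 0x2000 bytes (more Authenticate Data blocks, a longer certificate chain) silently produces a signature area larger than the 0x2000 bytes every rule in this file assumes; a size check on $(imximg-tmp) before the objcopy would catch that. Also `havb4_imx6csf` is a typo (copied into the commit message) and `habv4_imx2csf` should be `habv4_imx28csf`; `.SECONDEXPANSION:` only needs to be declared once in the file.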
> diff --git a/scripts/habv4/gencsf.sh b/scripts/habv4/gencsf.sh
> new file mode 100755
> index 000000000000..2c1c34add43a
> --- /dev/null
> +++ b/scripts/habv4/gencsf.sh
> @@ -0,0 +1,47 @@
> +#!/bin/sh
> +
> +set -e
> +
> +while getopts "f:c:i:o:" opt; do
> +    case $opt in
> +	f)
> +	    file=$OPTARG
> +	    ;;
> +	c)
> +	    cfg=$OPTARG
> +	    ;;
> +	i)
> +	    in=$OPTARG
> +	    ;;
> +	o)
> +	    out=$OPTARG
> +	    ;;
> +	\?)
> +	    echo "Invalid option: -$OPTARG" >&2
> +	    exit 1
> +	;;
> +    esac
> +done
> +
> +if [ ! -e $file -o ! -e $cfg -o ! -e $in ]; then
> +    echo "file not found!"
> +    exit 1
> +fi
> +
> +#
> +# extract and set as shell vars:
> +# loadaddr=
> +# dcdofs=
> +#
> +eval $(sed -n -e "s/^[[:space:]]*\(loadaddr\|dcdofs\)[[:space:]]*\(0x[0-9]*\)/\1=\2/p" $cfg)
> +
> +length=$(stat -c '%s' $file)
> +
> +sed -e "s:@TABLE_BIN@:$TABLE_BIN:" \
> +    -e "s:@CSF_CRT_PEM@:$CSF_CRT_PEM:" \
> +    -e "s:@IMG_CRT_PEM@:$IMG_CRT_PEM:" \
> +    -e "s:@LOADADDR@:$loadaddr:" \
> +    -e "s:@OFFSET@:0:" \
> +    -e "s:@LENGTH@:$length:" \
> +    -e "s:@FILE@:$file:" \
> +    $in > $out
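Review bot: the check `[ ! -e $file -o ! -e $cfg -o ! -e $in ]` uses unquoted variables, so a missing `-f`, `-c` or `-i` option (empty variable) turns the test into a malformed expression rather than a clear error, and "file not found!" does not say which file; quote the variables, test them one at a time with their name in the message, and fail if `$out` is unset too. The `eval $(sed ...)` line extracts `loadaddr` with `0x[0-9]*`, which stops at the first hex letter and, because the pattern is not anchored at the end, leaves the remainder of the line (including any trailing comment) in the text that is then eval'ed as shell; use `0x[0-9a-fA-F]*` and anchor the match (e.g. `\(0x[0-9a-fA-F]*\).*$`) so only the address survives. `dcdofs` is extracted but never used, and `stat -c '%s'` is GNU-only, which matters if this script is meant to run on non-Linux build hosts.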
> diff --git a/scripts/habv4/habv4-imx28.csf.in b/scripts/habv4/habv4-imx28.csf.in
> new file mode 100644
> index 000000000000..043602e09ba4
> --- /dev/null
> +++ b/scripts/habv4/habv4-imx28.csf.in
> @@ -0,0 +1,28 @@
> +[Header]
> +Version = 4.0
> +Hash Algorithm = sha256
> +Engine Configuration = 0
> +Certificate Format = X509
> +Signature Format = CMS
> +
> +[Install SRK]
> +File = "@TABLE_BIN@"
> +Source index = 0
> +
> +[Install CSFK]
> +File = "@CSF_CRT_PEM@"
> +
> +[Authenticate CSF]
> +
> +[Install Key]
> +Verification index = 0
> +Target index = 2
> +File = "@IMG_CRT_PEM@"
> +
> +# Sign entire image
> +# Blocks have the following definition:
> +# Base address of the binary file, Offset, Length of block in bytes
> +[Authenticate Data]
> +Verification index = 2
> +Engine = DCP
> +Blocks = @LOADADDR@ @OFFSET@ @LENGTH@ "@FILE@"
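Review bot: this i.MX28 template is not wired up anywhere in the patch: the Makefile only defines a variable for it (`habv4_imx2csf`), no `CSF_...` assignment references it, and the commit message says only i.MX6 was tested, so it ships as untested code; either drop it from this patch or mark it untested in a comment at the top. If it stays, give it the same explanatory comments the i.MX6 template has (SRK `Source index` range, key-store indices for `Install Key` and `Authenticate Data`) so the two files read alike.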
> diff --git a/scripts/habv4/habv4-imx6.csf.in b/scripts/habv4/habv4-imx6.csf.in
> new file mode 100644
> index 000000000000..11a5db94946c
> --- /dev/null
> +++ b/scripts/habv4/habv4-imx6.csf.in
> @@ -0,0 +1,37 @@
> +[Header]
> +Version = 4.1
> +Hash Algorithm = sha256
> +Engine Configuration = 0
> +Certificate Format = X509
> +Signature Format = CMS
> +Engine = CAAM
> +
> +[Install SRK]
> +File = "@TABLE_BIN@"
> +# SRK index within SRK-Table 0..3
> +Source index = 0
> +
> +[Install CSFK]
> +File = "@CSF_CRT_PEM@"
> +
> +[Authenticate CSF]
> +
> +[Unlock]
> +Engine = CAAM
> +Features = RNG
> +
> +[Install Key]
> +# verification key index in key store (0, 2...5)
> +Verification index = 0
> +# target key index in key store (2...5)
> +Target index = 2
> +File = "@IMG_CRT_PEM@"
> +
> +[Authenticate Data]
> +# verification key index in key store (2...5)
> +Verification index = 2
> +# "starting load address in memory"
> +# "starting offset within the source file"
> +# "length (in bytes)"
> +# "file (binary)"
> +Blocks = @LOADADDR@ @OFFSET@ @LENGTH@ "@FILE@"
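Review bot: the `[Unlock] Engine = CAAM / Features = RNG` section is the one command in this template that relaxes what HAB would otherwise leave locked, and it is the only section without a comment; please add one stating why it is needed (it leaves the CAAM RNG state unlocked so software can re-instantiate the RNG after the ROM has used it) so that whoever copies the template knows it is deliberate and does not add further `Features` casually. The `Blocks` line covers offset 0 through @LENGTH@ of the file, so the IVT, boot data and DCD are all under the signature, which is right; a comment saying that @LENGTH@ must be the size of the prepared image before the CSF is appended would stop people from signing the wrong file. `Source index = 0` is hardcoded; a board that wants a different SRK slot currently has to edit the template, so a Kconfig option for the SRK index would fit next to the three path options.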
> -- 
> 2.1.4
> 

-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
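Added example, not code from this thread or from barebox: a structural check of the `.imximg.signed` layout the quoted rules produce, i.e. the prepared image authenticated from offset 0 at `loadaddr`, with the cst output appended and padded to 0x2000 bytes. It assumes the i.MX6 flash header (IVT) sits at offset 0x400, that `imx-image -p` (from a patch in the series that is not quoted here) points the IVT csf field at `loadaddr` plus the size of the prepared image, and it uses the HABv4 header encoding (tag 0xD1 for the IVT, 0xD2 for the DCD, 0xD4 for the CSF, 16-bit big-endian length, little-endian pointer words). The sample image is constructed inline and carries no real signature; all function names are the example's own.

```python
"""
Structural check of a HABv4-signed i.MX6 image (added example, not barebox code).

Assumed layout: IVT at 0x400, boot data and DCD right behind it, the whole
prepared image signed from offset 0 at loadaddr, and the CSF appended at the
end of the prepared image and padded to 0x2000 bytes with 0x5a.
"""
import struct

IVT_OFFSET = 0x400             # flash header offset for SD/eMMC boot on i.MX6
CSF_PAD = 0x2000               # the patch's objcopy --pad-to value
IVT_TAG, DCD_TAG, CSF_TAG = 0xD1, 0xD2, 0xD4
HAB4_VERSIONS = (0x40, 0x41)


def hab_header(blob, off):
    """HAB headers are tag(8) | length(16, big-endian) | version(8)."""
    return struct.unpack_from(">BHB", blob, off)


def parse_ivt(blob, off=IVT_OFFSET):
    """Parse the Image Vector Table at `off` into a dict of its pointer fields."""
    tag, length, version = hab_header(blob, off)
    if tag != IVT_TAG or length != 0x20 or version not in HAB4_VERSIONS:
        raise ValueError("no HABv4 IVT at offset 0x%x" % off)
    entry, _res1, dcd, boot_data, self_, csf, _res2 = struct.unpack_from("<7I", blob, off + 4)
    return {"entry": entry, "dcd": dcd, "boot_data": boot_data, "self": self_, "csf": csf}


def check_signed_image(blob, ivt_off=IVT_OFFSET, csf_pad=CSF_PAD):
    """Return a list of layout findings; an empty list means pointers and sizes agree."""
    findings = []
    ivt = parse_ivt(blob, ivt_off)
    loadaddr = ivt["self"] - ivt_off           # file offset 0 is loaded at this address

    def to_off(addr):
        return addr - loadaddr

    bd_off = to_off(ivt["boot_data"])
    if not 0 <= bd_off <= len(blob) - 12:
        return findings + ["boot_data pointer 0x%x outside image" % ivt["boot_data"]]
    start, length, _plugin = struct.unpack_from("<3I", blob, bd_off)
    if start != loadaddr:
        findings.append("boot_data.start 0x%x != loadaddr 0x%x derived from ivt.self" % (start, loadaddr))
    if not start <= ivt["entry"] < start + length:
        findings.append("entry 0x%x outside the loaded range" % ivt["entry"])

    if ivt["dcd"]:
        dcd_off = to_off(ivt["dcd"])
        if not 0 <= dcd_off <= len(blob) - 4 or hab_header(blob, dcd_off)[0] != DCD_TAG:
            findings.append("dcd pointer 0x%x does not point at a DCD header" % ivt["dcd"])

    if ivt["csf"] == 0:
        return findings + ["ivt.csf is 0: image carries no CSF and is unsigned"]
    csf_off = to_off(ivt["csf"])
    if not 0 <= csf_off <= len(blob) - 4:
        return findings + ["csf pointer 0x%x outside image" % ivt["csf"]]
    tag, csf_len, version = hab_header(blob, csf_off)
    if tag != CSF_TAG or version not in HAB4_VERSIONS:
        return findings + ["no CSF header at offset 0x%x" % csf_off]
    if csf_off + csf_len > len(blob):
        findings.append("CSF (0x%x bytes) runs past end of file" % csf_len)
    if csf_len > csf_pad:
        findings.append("CSF 0x%x bytes exceeds padded signature area 0x%x" % (csf_len, csf_pad))
    if length < csf_off + csf_len:
        findings.append("boot_data.length 0x%x does not cover the CSF; the ROM would not load it" % length)
    if len(blob) != csf_off + csf_pad:
        findings.append("file size 0x%x != prepared size + signature area 0x%x" % (len(blob), csf_off + csf_pad))
    return findings


def build_sample_image(loadaddr=0x10000000, prep_len=0x3000, csf_len=0x1200):
    """Constructed sample: fake prepared image with IVT, boot data and an empty DCD,
    plus a dummy CSF laid out the way the quoted Makefile rules produce it.
    No real signature is involved; only the structure is exercised."""
    prep = bytearray(prep_len)
    ivt_off = IVT_OFFSET
    bd_off = ivt_off + 0x20                   # boot data directly behind the 32-byte IVT
    dcd_off = bd_off + 0x0C                   # DCD directly behind the 12-byte boot data
    struct.pack_into(">BHB", prep, ivt_off, IVT_TAG, 0x20, 0x41)
    struct.pack_into("<7I", prep, ivt_off + 4,
                     loadaddr + 0x1000,       # entry: first instruction of the payload
                     0,                       # reserved1
                     loadaddr + dcd_off,      # dcd
                     loadaddr + bd_off,       # boot_data
                     loadaddr + ivt_off,      # self
                     loadaddr + prep_len,     # csf: appended right after the prepared image
                     0)                       # reserved2
    struct.pack_into("<3I", prep, bd_off, loadaddr, prep_len + CSF_PAD, 0)
    struct.pack_into(">BHB", prep, dcd_off, DCD_TAG, 4, 0x41)    # empty DCD
    csf = bytearray(csf_len)
    struct.pack_into(">BHB", csf, 0, CSF_TAG, csf_len, 0x41)
    csf += b"\x5a" * max(0, CSF_PAD - csf_len)                   # objcopy --gap-fill=0x5a
    return bytes(prep + csf)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    for line in check_signed_image(data) or ["layout consistent"]:
        print(line)
```

Run it on a real image with `python3 check_hab_layout.py barebox-freescale-imx6q-sabresd-signed.img`. An empty finding list only says the IVT pointers, boot data length and CSF size agree with each other and with the 0x2000 signature area; it does not verify the CMS signatures themselves, which is HAB's job at boot and shows up in the HAB event log.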

Thread overview: 18+ messages
2015-04-01 16:14 [PATCH 01/10] add habv4 support for i.MX6 Marc Kleine-Budde
2015-04-01 16:14 ` [PATCH 01/10] imx-image: sort included header files Marc Kleine-Budde
2015-04-03  6:32   ` Sascha Hauer
2015-04-01 16:14 ` [PATCH 02/10] imx-image: add_header_v2(): replace hardcoded 0x400 by offset parameter Marc Kleine-Budde
2015-04-01 16:14 ` [PATCH 03/10] imx-image: replace 0x400 by FLASH_HEADER_OFFSET Marc Kleine-Budde
2015-04-01 16:14 ` [PATCH 04/10] imx-image: introduce HEADER_LEN and replace several 0x1000 and 4096 Marc Kleine-Budde
2015-04-01 16:14 ` [PATCH 05/10] imx-image: mx35: increase load image size, due to dobule header Marc Kleine-Budde
2015-04-01 16:14 ` [PATCH 06/10] imx-image: main: make use of round_up instead of open coding it Marc Kleine-Budde
2015-04-01 16:14 ` [PATCH 07/10] imx-image: pad generated image to 4k Marc Kleine-Budde
2015-04-01 16:14 ` [PATCH 08/10] imx-image: add option to prepare image for HAB signing Marc Kleine-Budde
2015-04-01 16:14 ` [PATCH 09/10] images: add HABv4 support for i.MX6 Marc Kleine-Budde
2015-04-01 16:17   ` Marc Kleine-Budde
2015-04-01 19:39   ` [PATCH v2] " Marc Kleine-Budde
2015-04-13 10:19     ` Sascha Hauer [this message]
2015-04-13 10:22       ` Marc Kleine-Budde
2015-04-01 16:14 ` [PATCH 10/10] habv4: add High Assurance Boot v4 Marc Kleine-Budde
2015-04-13 10:30   ` Sascha Hauer
2015-04-03  6:33 ` [PATCH 01/10] add habv4 support for i.MX6 Sascha Hauer
