[cbootimage PATCH v3 1/5] Enable -u | --update option support for t210
From: Jimmy Zhang @ 2015-10-08 19:38 UTC
To: amartin-DDmLM1+adcrQT0dZR+AlfA, swarren-DDmLM1+adcrQT0dZR+AlfA
Cc: linux-tegra-u79uwXL29TY76Z2rM5mHXA, Jimmy Zhang
Signed-off-by: Jimmy Zhang <jimmzhang-DDmLM1+adcrQT0dZR+AlfA@public.gmane.org>
---
src/cbootimage.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/cbootimage.c b/src/cbootimage.c
index 1dfb719c819b..b62cedc47ec0 100644
--- a/src/cbootimage.c
+++ b/src/cbootimage.c
@@ -79,7 +79,7 @@ usage(void)
printf(" Default: tegra20.\n");
printf(" -u|--update Copy input image data and update bct\n");
printf(" configs into new image file.\n");
- printf(" This feature is only for tegra114/124.\n");
+ printf(" This feature is currently not supported on tegra20/30.\n");
printf(" configfile File with configuration information\n");
printf(" inputimage Input image name. This is required\n");
printf(" if -u|--update option is used.\n");
@@ -169,9 +169,10 @@ process_command_line(int argc, char *argv[], build_image_context *context)
/* Record the input image filename if update_image is necessary */
if (context->update_image)
{
- if (context->boot_data_version != BOOTDATA_VERSION_T114 &&
- context->boot_data_version != BOOTDATA_VERSION_T124) {
- printf("Update image feature is only for Tegra114 and Tegra124.\n");
+ if (context->boot_data_version == BOOTDATA_VERSION_T20 ||
+ context->boot_data_version == BOOTDATA_VERSION_T30) {
+ printf("Update image feature is not supported on"
+ " Tegra20/30.\n");
return -EINVAL;
}
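Review bot: the new `if (context->boot_data_version == BOOTDATA_VERSION_T20 || ... == BOOTDATA_VERSION_T30)` turns the guard from an allowlist (T114/T124 only) into a denylist, so any boot_data_version added later is accepted by -u whether or not update is actually implemented for it. If the intent is T114/T124/T210, listing those three explicitly keeps unsupported SoCs failing closed; if the denylist is deliberate, a one-line comment saying why would help the next reader. The split string literal `"... not supported on" " Tegra20/30.\n"` is fine, just keep the leading space on the second piece.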
--
1.8.1.5
[cbootimage PATCH v3 2/5] Add support for update pubkey and rsa-pss signatures
From: Jimmy Zhang @ 2015-10-08 19:38 UTC
To: amartin-DDmLM1+adcrQT0dZR+AlfA, swarren-DDmLM1+adcrQT0dZR+AlfA
Cc: linux-tegra-u79uwXL29TY76Z2rM5mHXA, Jimmy Zhang
Create new configuration keywords:
RsaKeyModulusFile: pubkey modulus
RsaPssSigBlFile: bootloader rsa pss signature
RsaPssSigBctFile: bct rsa pss signature
Sample Configuration file update_bl_sig.cfg
RsaKeyModulusFile = pubkey.mod;
RsaPssSigBlFile = bl.sig;
where pubkey.mod and bl.sig are files that contain the public key
modulus and bootloader's rsa-pss signature respectively.
The public key modulus and signature are created through utilities
outside cbootimage.
Command line example:
$ cbootimage -s tegra210 -u update_bl_sig.cfg image.bin image.bin-bl-signed
The three new keywords added in this CL are only implemented
for T210.
Signed-off-by: Jimmy Zhang <jimmzhang-DDmLM1+adcrQT0dZR+AlfA@public.gmane.org>
---
src/cbootimage.h | 4 ++++
src/parse.c | 35 +++++++++++++++++++++++++++++++++++
src/parse.h | 4 ++++
src/set.c | 38 ++++++++++++++++++++++++++++++++++++++
src/set.h | 5 +++++
src/t210/nvbctlib_t210.c | 23 ++++++++++++++++++++++-
src/t210/nvboot_bct_t210.h | 2 --
7 files changed, 108 insertions(+), 3 deletions(-)
diff --git a/src/cbootimage.h b/src/cbootimage.h
index 9706b2c1edb8..1ce8af6f6584 100644
--- a/src/cbootimage.h
+++ b/src/cbootimage.h
@@ -49,6 +49,9 @@
#define MAX_MTS_SIZE (4 * 1024 * 1024)
+#define ARSE_RSA_MAX_MODULUS_SIZE 2048
+#define ARSE_RSA_PARAM_MAX_BYTES (ARSE_RSA_MAX_MODULUS_SIZE / 8)
+
#define NVBOOT_CONFIG_TABLE_SIZE_MAX (10 * 1024)
/*
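Review bot: moving ARSE_RSA_MAX_MODULUS_SIZE out of nvboot_bct_t210.h into the generic cbootimage.h fixes 2048 bits for every SoC, and ARSE_RSA_PARAM_MAX_BYTES is then used as the exact required size by set_rsa_param and bct_dump rather than as a maximum. A short comment next to the define saying this is the T210 PKC key size and the only one currently supported would stop it being treated as a true upper bound when another chip is added.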
@@ -60,6 +63,7 @@ typedef enum
file_type_bl = 0,
file_type_bct,
file_type_mts,
+ file_type_bin,
} file_type;
/*
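Review bot: file_type_bin is added to the enum, but the diff does not show how read_from_image handles it. If read_from_image switches on file_type to decide padding or alignment, make sure the new value takes an explicit "copy bytes verbatim" path with a default branch that rejects unknown types, so a 256-byte modulus or signature is never padded or aligned like a bootloader image.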
diff --git a/src/parse.c b/src/parse.c
index 8c9824437393..d2f4016effd8 100644
--- a/src/parse.c
+++ b/src/parse.c
@@ -65,6 +65,8 @@ parse_bootloader(build_image_context *context, parse_token token, char *rest);
static int
parse_mts_image(build_image_context *context, parse_token token, char *rest);
static int
+parse_rsa_param(build_image_context *context, parse_token token, char *rest);
+static int
parse_value_u32(build_image_context *context, parse_token token, char *rest);
static int
parse_value_chipuid(build_image_context *context,
@@ -116,6 +118,9 @@ static parse_item s_top_level_items[] = {
{ "ChipUid=", token_unique_chip_id, parse_value_chipuid },
{ "JtagCtrl=", token_secure_jtag_control, parse_value_u32 },
{ "DebugCtrl=", token_secure_debug_control, parse_value_u32 },
+ { "RsaKeyModulusFile=", token_rsa_key_modulus, parse_rsa_param },
+ { "RsaPssSigBlFile=", token_rsa_pss_sig_bl, parse_rsa_param },
+ { "RsaPssSigBctFile=", token_rsa_pss_sig_bct, parse_rsa_param },
{ NULL, 0, NULL } /* Must be last */
};
@@ -480,6 +485,36 @@ static int parse_mts_image(build_image_context *context,
}
/*
+ * Parse the given rsa modulus/key/signature file name
+ * then call set_rsa_settings to set proper rsa field.
+ *
+ * @param context The main context pointer
+ * @param token The parse token value
+ * @param rest String to parse
+ * @return 0 and 1 for success and failure
+ */
+static int parse_rsa_param(build_image_context *context,
+ parse_token token,
+ char *rest)
+{
+ char filename[MAX_BUFFER];
+
+ assert(context != NULL);
+ assert(rest != NULL);
+
+ if (context->generate_bct != 0)
+ return 0;
+
+ /* Parse the file name. */
+ rest = parse_filename(rest, filename, MAX_BUFFER);
+ if (rest == NULL)
+ return 1;
+
+ /* Parsing has finished - set the bootloader */
+ return set_rsa_param(context, token, filename);
+}
+
+/*
* Parse the given string and find the array items in config file.
*
* @param context The main context pointer
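Review bot: the doc comment says "@return 0 and 1 for success and failure", but parse_rsa_param returns whatever set_rsa_param returns, which is the SoC set_value result (for example -ENODATA for an unknown token), not 1; either map it to the 0/1 convention of the other parse_* callbacks or fix the comment. The line "Parsing has finished - set the bootloader" is copied from parse_bootloader and should say the RSA parameter. The early `if (context->generate_bct != 0) return 0;` silently ignores RsaKeyModulusFile and friends when generating a BCT; a debug message there would make that behaviour discoverable.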
diff --git a/src/parse.h b/src/parse.h
index ce3f21fb8a31..16242a5c2701 100644
--- a/src/parse.h
+++ b/src/parse.h
@@ -114,6 +114,10 @@ typedef enum
token_secure_jtag_control,
token_secure_debug_control,
+ token_rsa_key_modulus,
+ token_rsa_pss_sig_bl,
+ token_rsa_pss_sig_bct,
+
token_nand_clock_divider,
token_nand_nand_timing,
token_nand_nand_timing2,
diff --git a/src/set.c b/src/set.c
index 73af52111360..6dec0bc8755e 100644
--- a/src/set.c
+++ b/src/set.c
@@ -147,6 +147,44 @@ set_mts_image(build_image_context *context,
context->mts_entry_point = entry_point;
return update_mts_image(context);
}
+
+int
+set_rsa_param(build_image_context *context, parse_token token,
+ char *filename)
+{
+ int result;
+ u_int8_t *rsa_storage; /* Holds the rsa param after reading */
+ u_int32_t actual_size; /* In bytes */
+
+ /* Read the image into memory. */
+ result = read_from_image(filename,
+ 0,
+ ARSE_RSA_PARAM_MAX_BYTES,
+ &rsa_storage,
+ &actual_size,
+ file_type_bin);
+
+ if (result) {
+ printf("Error reading file %s.\n", filename);
+ exit(1);
+ }
+
+ if (actual_size != ARSE_RSA_PARAM_MAX_BYTES) {
+ printf("Error: invalid size, file %s.\n", filename);
+ exit(1);
+ }
+
+ if (enable_debug)
+ printf("Updating token %d with file %s\n", (int)token, filename);
+
+ /* set to appropriate bct field */
+ result = g_soc_config->set_value(token,
+ rsa_storage, context->bct);
+
+ free(rsa_storage);
+ return result;
+}
+
#define DEFAULT() \
default: \
printf("Unexpected token %d at line %d\n", \
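Review bot: set_rsa_param calls exit(1) on a read error or a size mismatch, while the rest of this file returns an error code so process_statement can report the offending config line; returning -EINVAL (or propagating read_from_image's result) would keep that behaviour consistent. The strict `actual_size != ARSE_RSA_PARAM_MAX_BYTES` check is the right call: a short or over-long modulus/signature file is rejected outright instead of being partially copied into the BCT. The debug printf prints the token as a bare integer; the keyword string would be more useful when several RSA files are being updated.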
diff --git a/src/set.h b/src/set.h
index 8b9a69b2a950..b38d4cefcb4f 100644
--- a/src/set.h
+++ b/src/set.h
@@ -42,6 +42,11 @@ set_mts_image(build_image_context *context,
u_int32_t entry_point);
int
+set_rsa_param(build_image_context *context,
+ parse_token token,
+ char *filename);
+
+int
context_set_value(build_image_context *context,
parse_token token,
void *value);
diff --git a/src/t210/nvbctlib_t210.c b/src/t210/nvbctlib_t210.c
index 9921bbbe0d2d..91a42ec8367f 100644
--- a/src/t210/nvbctlib_t210.c
+++ b/src/t210/nvbctlib_t210.c
@@ -113,7 +113,10 @@ parse_token t210_root_token_list[] = {
token_crypto_length,
token_max_bct_search_blks,
token_unique_chip_id,
- token_secure_debug_control
+ token_secure_debug_control,
+ token_rsa_key_modulus,
+ token_rsa_pss_sig_bl,
+ token_rsa_pss_sig_bct
};
int
@@ -2198,6 +2201,24 @@ t210_bct_set_value(parse_token id, void *data, u_int8_t *bct)
memcpy(&bct_ptr->unique_chip_id, data, sizeof(nvboot_ecid));
break;
+ case token_rsa_key_modulus:
+ memcpy(&bct_ptr->key, data, sizeof(nvboot_rsa_key_modulus));
+ break;
+
+ case token_rsa_pss_sig_bl:
+ /*
+ * Update bootloader 0 since there is only one copy
+ * of bootloader being built in.
+ */
+ memcpy(&bct_ptr->bootloader[0].signature.rsa_pss_sig,
+ data, sizeof(nvboot_rsa_pss_sig));
+ break;
+
+ case token_rsa_pss_sig_bct:
+ memcpy(&bct_ptr->signature.rsa_pss_sig,
+ data, sizeof(nvboot_rsa_pss_sig));
+ break;
+
default:
return -ENODATA;
}
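Review bot: the three memcpy calls copy sizeof(nvboot_rsa_key_modulus) / sizeof(nvboot_rsa_pss_sig) bytes out of a buffer that set_rsa_param sized to exactly ARSE_RSA_PARAM_MAX_BYTES; the two agree today (2048 bits) but nothing enforces it, so a static assertion, or a size check against ARSE_RSA_PARAM_MAX_BYTES here, would turn a future mismatch into a compile or config error rather than an out-of-bounds read. The `token_rsa_pss_sig_bl` case always writes bootloader[0]; the comment documents the assumption, but checking the bootloader-used count is 1 would make a multi-copy BCT fail loudly instead of leaving the other copies unsigned.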
diff --git a/src/t210/nvboot_bct_t210.h b/src/t210/nvboot_bct_t210.h
index 90841f63feb6..c790ee97106d 100644
--- a/src/t210/nvboot_bct_t210.h
+++ b/src/t210/nvboot_bct_t210.h
@@ -94,8 +94,6 @@
*/
#define NVBOOT_MAX_BCT_SEARCH_BLOCKS 64
-#define ARSE_RSA_MAX_MODULUS_SIZE 2048
-
/**
* Defines the RSA modulus length in bits and bytes used for PKC secure boot.
*/
--
1.8.1.5
[cbootimage PATCH v3 3/5] Add support to dump rsa related fields for t210
From: Jimmy Zhang @ 2015-10-08 19:38 UTC
To: amartin-DDmLM1+adcrQT0dZR+AlfA, swarren-DDmLM1+adcrQT0dZR+AlfA
Cc: linux-tegra-u79uwXL29TY76Z2rM5mHXA, Jimmy Zhang
Add support to dump rsa pubkey, bct's rsa-pss signature and
bootloader's rsa-pss signature.
Signed-off-by: Jimmy Zhang <jimmzhang-DDmLM1+adcrQT0dZR+AlfA@public.gmane.org>
---
src/bct_dump.c | 38 ++++++++++++++++++++++++++++++++++++++
src/t210/nvbctlib_t210.c | 16 ++++++++++++++++
2 files changed, 54 insertions(+)
diff --git a/src/bct_dump.c b/src/bct_dump.c
index be7b85dc72d6..fb1134b1b679 100644
--- a/src/bct_dump.c
+++ b/src/bct_dump.c
@@ -30,6 +30,8 @@ cbootimage_soc_config * g_soc_config;
static void format_u32_hex8(char const * message, void * data);
static void format_u32(char const * message, void * data);
static void format_chipuid(char const * message, void * data);
+static void format_hex_16_bytes(char const * message, void * data);
+static void format_rsa_param(char const * message, void * data);
typedef void (*format_function)(char const * message, void * data);
@@ -42,6 +44,7 @@ typedef struct {
typedef union {
u_int32_t val;
u_int8_t uid[16];
+ u_int8_t rsa_param[256];
} param_types;
#define MAX_PARAM_SIZE sizeof(param_types)
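Review bot: `u_int8_t rsa_param[256]` hard-codes the size while format_rsa_param and set_rsa_param use ARSE_RSA_PARAM_MAX_BYTES; use the macro here as well, since MAX_PARAM_SIZE is derived from this union and get_value writes the full field into it, so a mismatch between the two sizes becomes a buffer overrun in the dump tool.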
@@ -54,6 +57,9 @@ static value_data const values[] = {
{ token_odm_data, "OdmData = ", format_u32_hex8 },
{ token_secure_jtag_control, "JtagCtrl = ", format_u32_hex8 },
{ token_secure_debug_control, "DebugCtrl = ", format_u32_hex8 },
+ { token_crypto_hash, "BCT AES Hash = ", format_hex_16_bytes },
+ { token_rsa_key_modulus, "RsaKeyModulus = ", format_rsa_param },
+ { token_rsa_pss_sig_bct, "RsaPssSigBct = ", format_rsa_param },
{ token_unique_chip_id, "ChipUid = ", format_chipuid },
{ token_bootloader_used, "# Bootloader used = ", format_u32 },
{ token_bootloaders_max, "# Bootloaders max = ", format_u32 },
@@ -72,6 +78,8 @@ static value_data const bl_values[] = {
{ token_bl_load_addr, "Load address = ", format_u32_hex8 },
{ token_bl_entry_point, "Entry point = ", format_u32_hex8 },
{ token_bl_attribute, "Attributes = ", format_u32_hex8 },
+ { token_bl_crypto_hash, "Bl AES Hash = ", format_hex_16_bytes },
+ { token_rsa_pss_sig_bl, "RsaPssSigBl = ", format_rsa_param },
};
static value_data const mts_values[] = {
@@ -108,6 +116,36 @@ static void format_chipuid(char const * message, void * data)
printf("%s%s;\n", message, uid_str);
}
+static void format_hex_16_bytes(char const * message, void * data)
+{
+ u_int8_t *p_byte = (u_int8_t *)data;
+ int byte_index;
+
+ printf("%s", message);
+ for (byte_index = 0; byte_index < 16; ++byte_index)
+ printf("%02x", *p_byte++);
+
+ printf(";\n");
+}
+
+static void format_rsa_param(char const * message, void * data)
+{
+ u_int8_t *rsa = (u_int8_t *)data;
+ int byte_index;
+
+ printf("%s", message);
+ for (byte_index = 0; byte_index < ARSE_RSA_PARAM_MAX_BYTES;
+ ++byte_index) {
+ printf("%02x", *rsa++);
+
+ if ((byte_index + 1) % 64 == 0)
+ printf(";\n");
+ }
+
+ if (byte_index % 64 != 0)
+ printf(";\n");
+}
+
/*****************************************************************************/
static void usage(void)
{
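Review bot: format_rsa_param prints ";\n" after every 64 bytes, so a 256-byte field appears as four separate ';'-terminated lines instead of one `Name = value;` statement like the other formatters produce, and the trailing `if (byte_index % 64 != 0)` branch is dead code for a 256-byte value. Either emit the hex on one line or break lines without repeating the ';' so the dump stays re-parseable; if the split is intentional for readability, say so in a comment. The hex loop itself is correct and reads exactly ARSE_RSA_PARAM_MAX_BYTES bytes.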
diff --git a/src/t210/nvbctlib_t210.c b/src/t210/nvbctlib_t210.c
index 91a42ec8367f..10e2a4756e1a 100644
--- a/src/t210/nvbctlib_t210.c
+++ b/src/t210/nvbctlib_t210.c
@@ -109,6 +109,8 @@ parse_token t210_root_token_list[] = {
token_bootloaders_max,
token_bct_size,
token_hash_size,
+ token_crypto_hash,
+ token_bl_crypto_hash,
token_crypto_offset,
token_crypto_length,
token_max_bct_search_blks,
@@ -2034,6 +2036,11 @@ t210_getbl_param(u_int32_t set,
sizeof(nvboot_hash));
break;
+ case token_rsa_pss_sig_bl:
+ memcpy(data, &bct_ptr->bootloader[set].signature.rsa_pss_sig,
+ sizeof(nvboot_rsa_pss_sig));
+ break;
+
default:
return -ENODATA;
}
@@ -2130,6 +2137,15 @@ t210_bct_get_value(parse_token id, void *data, u_int8_t *bct)
memcpy(data, &(bct_ptr->unique_chip_id), sizeof(nvboot_ecid));
break;
+ case token_rsa_key_modulus:
+ memcpy(data, &bct_ptr->key, sizeof(nvboot_rsa_key_modulus));
+ break;
+
+ case token_rsa_pss_sig_bct:
+ memcpy(data, &bct_ptr->signature.rsa_pss_sig,
+ sizeof(nvboot_rsa_pss_sig));
+ break;
+
case token_reserved_offset:
*((u_int32_t *)data) = (u_int8_t *)&(samplebct.reserved)
- (u_int8_t *)&samplebct;
--
1.8.1.5
[cbootimage PATCH v3 4/5] Add new configuration keyword "RehashBl"
From: Jimmy Zhang @ 2015-10-08 19:38 UTC
To: amartin-DDmLM1+adcrQT0dZR+AlfA, swarren-DDmLM1+adcrQT0dZR+AlfA
Cc: linux-tegra-u79uwXL29TY76Z2rM5mHXA, Jimmy Zhang
This feature is needed in case an image is updated at a later stage
after the bootimage has been created.
How to use:
Add keyword "RehashBl" to configuration file, for example, update.cfg:
RehashBl;
Invoke cbootimage to re-calculate bootloader aes hash, for example, for
bootimage bootloader.bin:
$ cbootimage -s tegra210 --update update.cfg bootloader.bin bootloader.bin-resigned
where bootloader.bin-resigned is the resigned bootimage bootloader.bin.
Signed-off-by: Jimmy Zhang <jimmzhang-DDmLM1+adcrQT0dZR+AlfA@public.gmane.org>
---
src/crypto.c | 34 ++++++++++++++++++++++++++++++++++
src/crypto.h | 6 ++++++
src/data_layout.c | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++
src/data_layout.h | 2 ++
src/parse.c | 9 +++++++++
src/parse.h | 1 +
6 files changed, 104 insertions(+)
diff --git a/src/crypto.c b/src/crypto.c
index 99e9f085763c..d6889cb602c9 100644
--- a/src/crypto.c
+++ b/src/crypto.c
@@ -297,3 +297,37 @@ sign_bct(build_image_context *context,
free(hash_buffer);
return e;
}
+
+int
+sign_bl(build_image_context *context,
+ u_int8_t *bootloader,
+ u_int32_t length,
+ u_int32_t image_instance)
+{
+ int e = 0;
+ u_int8_t *hash_buffer;
+ u_int32_t hash_size;
+
+ g_soc_config->get_value(token_hash_size,
+ &hash_size, context->bct);
+
+ hash_buffer = calloc(1, hash_size);
+ if (hash_buffer == NULL)
+ return -ENOMEM;
+
+ /* Encrypt and compute hash */
+ if ((e = sign_data_block(bootloader,
+ length,
+ hash_buffer)) != 0)
+ goto fail;
+
+ if ((e = g_soc_config->setbl_param(image_instance,
+ token_bl_crypto_hash,
+ (u_int32_t*)hash_buffer,
+ context->bct)) != 0)
+ goto fail;
+
+ fail:
+ free(hash_buffer);
+ return e;
+}
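Review bot: the label is called `fail:` but the success path falls through into it too; sharing the free() is fine, so `out:` or `done:` would describe it better. The comment "Encrypt and compute hash" overstates what happens: the bootloader bytes in the image are not replaced, only its hash is recomputed and stored via setbl_param, which matches the commit message's "re-calculate bootloader aes hash". The `(u_int32_t*)hash_buffer` cast only exists to match setbl_param's signature; since the buffer comes from calloc it is suitably aligned, but a `void *` parameter would avoid the cast altogether.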
diff --git a/src/crypto.h b/src/crypto.h
index d7151e0cd191..936ca9c4c0eb 100644
--- a/src/crypto.h
+++ b/src/crypto.h
@@ -44,4 +44,10 @@ sign_data_block(u_int8_t *source,
u_int32_t length,
u_int8_t *signature);
+int
+sign_bl(build_image_context *context,
+ u_int8_t *bootloader,
+ u_int32_t length,
+ u_int32_t image_instance);
+
#endif /* #ifndef INCLUDED_CRYPTO_H */
diff --git a/src/data_layout.c b/src/data_layout.c
index 082609236724..2975f7d1e0f3 100644
--- a/src/data_layout.c
+++ b/src/data_layout.c
@@ -1065,3 +1065,55 @@ int get_bct_size_from_image(build_image_context *context)
context->bct = 0;
return bct_size;
}
+
+int resign_bl(build_image_context *context)
+{
+ int ret;
+ u_int8_t *buffer, *image;
+ u_int32_t image_instance = 0; /* support only one instance */
+ u_int32_t image_actual_size; /* In bytes */
+ u_int32_t bl_length;
+ u_int32_t pages_in_image;
+ u_int32_t blk_size, page_size, current_blk, current_page;
+ u_int32_t offset;
+
+ /* read in bl from image */
+ g_soc_config->get_value(token_block_size, &blk_size, context->bct);
+ g_soc_config->get_value(token_page_size, &page_size, context->bct);
+
+ GET_BL_FIELD(image_instance, start_blk, ¤t_blk);
+ GET_BL_FIELD(image_instance, start_page, ¤t_page);
+ GET_BL_FIELD(image_instance, length, &bl_length);
+
+ offset = current_blk * blk_size +
+ current_page * page_size;
+
+ if (read_from_image(context->input_image_filename,
+ offset, bl_length,
+ &image, &image_actual_size, file_type_bin)) {
+ printf("Error reading image file %s.\n",
+ context->input_image_filename);
+ return -ENOMEM;
+ }
+
+ pages_in_image = ICEIL(image_actual_size, page_size);
+
+ /* Create a local copy of the bl */
+ if ((buffer = malloc(pages_in_image * page_size)) == NULL) {
+ ret = -ENOMEM;
+ goto fail;
+ }
+
+ memset(buffer, 0, pages_in_image * page_size);
+ memcpy(buffer, image, image_actual_size);
+
+ insert_padding(buffer, image_actual_size);
+
+ /* sign bl */
+ ret = sign_bl(context, buffer, image_actual_size, image_instance);
+ free (buffer);
+ fail:
+ free (image);
+ return ret;
+}
+
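Review bot: a failure of read_from_image returns -ENOMEM although the problem is an I/O or layout error; -EIO, or propagating read_from_image's own result, would not mislead the caller. resign_bl reads the bootloader from context->input_image_filename using start_blk/start_page/length from the BCT, so the hash always covers the bootloader as found in the input image, not anything the current update run has changed; that is worth a sentence in the doc comment, together with the note that the function only handles image_instance 0. Minor style: `free (buffer)` and `free (image)` have a space before the parenthesis, unlike the rest of the file.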
diff --git a/src/data_layout.h b/src/data_layout.h
index c6e53e61be83..0e6e41fcb24c 100644
--- a/src/data_layout.h
+++ b/src/data_layout.h
@@ -64,4 +64,6 @@ get_bct_size_from_image(build_image_context *context);
int
begin_update(build_image_context *context);
+int
+resign_bl(build_image_context *context);
#endif /* #ifndef INCLUDED_DATA_LAYOUT_H */
diff --git a/src/parse.c b/src/parse.c
index d2f4016effd8..a7cfb72fa77c 100644
--- a/src/parse.c
+++ b/src/parse.c
@@ -80,6 +80,8 @@ static int
parse_dev_param(build_image_context *context, parse_token token, char *rest);
static int
parse_sdram_param(build_image_context *context, parse_token token, char *rest);
+static int
+parse_sign_bl(build_image_context *context, parse_token token, char *rest);
static int process_statement(build_image_context *context,
char *str,
@@ -121,6 +123,7 @@ static parse_item s_top_level_items[] = {
{ "RsaKeyModulusFile=", token_rsa_key_modulus, parse_rsa_param },
{ "RsaPssSigBlFile=", token_rsa_pss_sig_bl, parse_rsa_param },
{ "RsaPssSigBctFile=", token_rsa_pss_sig_bct, parse_rsa_param },
+ { "RehashBl", token_sign_bl, parse_sign_bl },
{ NULL, 0, NULL } /* Must be last */
};
@@ -689,6 +692,12 @@ parse_bct_file(build_image_context *context, parse_token token, char *rest)
return 0;
}
+static int
+parse_sign_bl(build_image_context *context, parse_token token, char *rest)
+{
+ return resign_bl(context);
+}
+
static char *
parse_end_state(char *str, char *uname, int chars_remaining)
{
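Review bot: parse_sign_bl ignores both `token` and `rest`, so `RehashBl = anything;` is accepted silently; checking that `rest` holds only the terminating ';' (as the other parsers do through parse_end_state) would catch typos. It also returns resign_bl's negative errno where the other parse callbacks return 0/1; whatever process_statement's caller does with non-zero values, the two conventions should be aligned so a failed re-hash is reported the same way as a bad file name.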
diff --git a/src/parse.h b/src/parse.h
index 16242a5c2701..69f7abe1d405 100644
--- a/src/parse.h
+++ b/src/parse.h
@@ -117,6 +117,7 @@ typedef enum
token_rsa_key_modulus,
token_rsa_pss_sig_bl,
token_rsa_pss_sig_bct,
+ token_sign_bl,
token_nand_clock_divider,
token_nand_nand_timing,
--
1.8.1.5
[cbootimage PATCH v3 5/5] Add sample shell script to sign bootimage for T210
From: Jimmy Zhang @ 2015-10-08 19:38 UTC
To: amartin-DDmLM1+adcrQT0dZR+AlfA, swarren-DDmLM1+adcrQT0dZR+AlfA
Cc: linux-tegra-u79uwXL29TY76Z2rM5mHXA, Jimmy Zhang
Sign.sh runs openssl and other linux utilities to generate rsa-pss
signatures for bootloader and bct and inject them into bct directly.
Syntax: sign.sh <bootimage> <rsa_key.pem>
Another way to update signature is to use configuration keyword
"RsaKeyModulusFile", "RsaPssSigBlFile", and "RsaPssSigBctFile". Details
are explained in the man page.
Signed-off-by: Jimmy Zhang <jimmzhang-DDmLM1+adcrQT0dZR+AlfA@public.gmane.org>
---
rehash.cfg | 1 +
rsa_priv.pem | 27 +++++++++++++++++++++++++
sign.sh | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 93 insertions(+)
create mode 100644 rehash.cfg
create mode 100644 rsa_priv.pem
create mode 100755 sign.sh
diff --git a/rehash.cfg b/rehash.cfg
new file mode 100644
index 000000000000..c5c741bad536
--- /dev/null
+++ b/rehash.cfg
@@ -0,0 +1 @@
+RehashBl;
diff --git a/rsa_priv.pem b/rsa_priv.pem
new file mode 100644
index 000000000000..cbafc03ba35a
--- /dev/null
+++ b/rsa_priv.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+-----END RSA PRIVATE KEY-----
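Review bot: rsa_priv.pem commits an RSA private key to the repository. Even as a sample, anything signed with it is forgeable by everyone who has the tree, and a key named rsa_priv.pem invites reuse; generating the sample key on demand (`openssl genrsa -out rsa_priv.pem 2048` in the script, or a README line telling users to create their own) would keep a test key from ever being fused into a production PKC boot chain. At minimum the file name should say it is a test key.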
diff --git a/sign.sh b/sign.sh
new file mode 100755
index 000000000000..8f8a353fe19f
--- /dev/null
+++ b/sign.sh
@@ -0,0 +1,65 @@
+IMAGE_FILE=$1
+KEY_FILE=$2
+TARGET_IMAGE=$IMAGE_FILE
+CONFIG_FILE=rehash.cfg
+
+CBOOTIMAGE=src/cbootimage
+BCT_DUMP=src/bct_dump
+OBJCOPY=objcopy
+OPENSSL=openssl
+DD=dd
+RM=rm
+MV=mv
+XXD=xxd
+
+echo " Get rid of all temporary files: *.sig, *.tosig, *.tmp *.mod *.rev"
+$RM -f *.sig *.tosig *.tmp *.mod *.rev
+
+echo " Get bl length "
+BL_LENGTH=`$BCT_DUMP $IMAGE_FILE | grep "Bootloader\[0\].Length" \
+ | awk -F ' ' '{print $4}' | awk -F ';' '{print $1}'`
+
+echo " Extract bootloader to $IMAGE_FILE.bl.tosig, length $BL_LENGTH "
+$DD bs=1 skip=32768 if=$IMAGE_FILE of=$IMAGE_FILE.bl.tosig count=$BL_LENGTH
+
+echo " Calculate rsa signature for bl and save to $IMAGE_FILE.bl.sig"
+$OPENSSL dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \
+ -sign $KEY_FILE -out $IMAGE_FILE.bl.sig $IMAGE_FILE.bl.tosig
+
+echo " Reverse bl signature to meet tegra soc signature ordering"
+$OBJCOPY -I binary --reverse-bytes=256 $IMAGE_FILE.bl.sig $IMAGE_FILE.bl.sig.rev
+
+echo " Inject bl signature into bct"
+$DD conv=notrunc bs=1 if=$IMAGE_FILE.bl.sig.rev of=$IMAGE_FILE seek=9052 count=256
+
+echo " Update bct aes hash and output to $IMAGE_FILE.tmp"
+$CBOOTIMAGE -s tegra210 -u $CONFIG_FILE $IMAGE_FILE $IMAGE_FILE.tmp
+
+echo " Extract the part of bct which needs to be rsa signed"
+$DD bs=1 if=$IMAGE_FILE.tmp of=$IMAGE_FILE.bct.tosig count=8944 skip=1296
+
+echo " Calculate rsa signature for bct and save to $IMAGE_FILE.bct.sig"
+$OPENSSL dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \
+ -sign $KEY_FILE -out $IMAGE_FILE.bct.sig $IMAGE_FILE.bct.tosig
+
+echo " Reverse bct signature to meet tegra soc signature ordering"
+$OBJCOPY -I binary --reverse-bytes=256 $IMAGE_FILE.bct.sig $IMAGE_FILE.bct.sig.rev
+
+echo " Inject bct signature into bct"
+$DD conv=notrunc bs=1 if=$IMAGE_FILE.bct.sig.rev of=$IMAGE_FILE.tmp seek=800 count=256
+
+echo " Create public key modulus from key file $KEY_FILE and save to $KEY_FILE.mod"
+$OPENSSL rsa -in $KEY_FILE -noout -modulus -out $KEY_FILE.mod
+# remove prefix and LF
+$DD bs=1 if=$KEY_FILE.mod of=$KEY_FILE.mod.tmp skip=8 count=512
+# convert format from hexdecimal to binary
+$XXD -r -p -l 256 $KEY_FILE.mod.tmp $KEY_FILE.mod.bin
+# reverse byte order"
+$OBJCOPY -I binary --reverse-bytes=256 $KEY_FILE.mod.bin $KEY_FILE.mod.bin.rev
+
+echo " Inject public key modulus into bct"
+$DD conv=notrunc bs=1 if=$KEY_FILE.mod.bin.rev of=$IMAGE_FILE.tmp seek=528 count=256
+
+echo " Copy the signed binary to the target file $TARGET_IMAGE"
+$MV $IMAGE_FILE.tmp $TARGET_IMAGE
+
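Review bot: the script is mode 100755 but has no `#!/bin/sh` line, has no `set -e`, and none of the `$IMAGE_FILE`/`$KEY_FILE` expansions are quoted; a failing openssl or dd step is currently followed by `mv` of a half-patched image over the original, which is the worst outcome for a signing tool. `rm -f *.sig *.tosig *.tmp *.mod *.rev` also deletes any matching files in the caller's directory, so a mktemp work directory would be safer. Since `$MV $IMAGE_FILE.tmp $TARGET_IMAGE` overwrites the input in place, consider refusing to run unless the output path differs.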
--
1.8.1.5
[cbootimage PATCH v3 5/5] Add two sample scripts to do rsa signing for T210 bootimage
From: Jimmy Zhang @ 2015-10-08 19:38 UTC
To: amartin-DDmLM1+adcrQT0dZR+AlfA, swarren-DDmLM1+adcrQT0dZR+AlfA
Cc: linux-tegra-u79uwXL29TY76Z2rM5mHXA, Jimmy Zhang
sign.sh runs openssl and other linux utilities to generate rsa-pss
signatures for a prebuilt bootimage and inject signatures and rsa
modulus into bct directly.
Syntax: sign.sh <bootimage> <rsa_key.pem>
sign-by-update.sh is similar to sign.sh. The difference is that the
signature updates are done by cbootimage with the configuration
keywords "RsaKeyModulusFile", "RsaPssSigBlFile", and "RsaPssSigBctFile".
Compared to sign.sh, this script is relatively simple to port
to T124/T114.
Syntax: sign-by-update.sh <bootimage> <rsa_key.pem>
Signed-off-by: Jimmy Zhang <jimmzhang-DDmLM1+adcrQT0dZR+AlfA@public.gmane.org>
---
rehash.cfg | 1 +
rsa_priv.pem | 27 +++++++++++++++++++++++
sign-by-update.sh | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++
sign.sh | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
4 files changed, 152 insertions(+)
create mode 100644 rehash.cfg
create mode 100644 rsa_priv.pem
create mode 100755 sign-by-update.sh
create mode 100755 sign.sh
diff --git a/rehash.cfg b/rehash.cfg
new file mode 100644
index 000000000000..c5c741bad536
--- /dev/null
+++ b/rehash.cfg
@@ -0,0 +1 @@
+RehashBl;
diff --git a/rsa_priv.pem b/rsa_priv.pem
new file mode 100644
index 000000000000..cbafc03ba35a
--- /dev/null
+++ b/rsa_priv.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+-----END RSA PRIVATE KEY-----
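Review bot: as with the earlier posting, shipping a private key in the tree is a footgun; generate the sample key inside the script or document that this key must never be fused or used to sign release images, and name it so that is obvious.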
diff --git a/sign-by-update.sh b/sign-by-update.sh
new file mode 100755
index 000000000000..b3f010a41d0e
--- /dev/null
+++ b/sign-by-update.sh
@@ -0,0 +1,59 @@
+IMAGE_FILE=$1
+KEY_FILE=$2
+TARGET_IMAGE=$IMAGE_FILE
+CONFIG_FILE=update.cfg
+
+CBOOTIMAGE=src/cbootimage
+BCT_DUMP=src/bct_dump
+OBJCOPY=objcopy
+OPENSSL=openssl
+DD=dd
+RM=rm
+MV=mv
+XXD=xxd
+
+echo " Get rid of all temporary files: *.sig, *.tosig, *.tmp *.mod *.rev"
+$RM -f *.sig *.tosig *.tmp *.mod *.rev
+
+echo " Get bl length "
+BL_LENGTH=`$BCT_DUMP $IMAGE_FILE | grep "Bootloader\[0\].Length" \
+ | awk -F ' ' '{print $4}' | awk -F ';' '{print $1}'`
+
+echo " Extract bootloader to $IMAGE_FILE.bl.tosig, length $BL_LENGTH "
+$DD bs=1 skip=32768 if=$IMAGE_FILE of=$IMAGE_FILE.bl.tosig count=$BL_LENGTH
+
+echo " Calculate rsa signature for bl and save to $IMAGE_FILE.bl.sig"
+$OPENSSL dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \
+ -sign $KEY_FILE -out $IMAGE_FILE.bl.sig $IMAGE_FILE.bl.tosig
+
+echo " Reverse bl signature to meet tegra soc signature ordering"
+$OBJCOPY -I binary --reverse-bytes=256 $IMAGE_FILE.bl.sig $IMAGE_FILE.bl.sig.rev
+
+echo "# Update bootloader's rsa signature, aes hash and bct's aes hash"
+echo "RsaPssSigBlFile = $IMAGE_FILE.bl.sig.rev;" > $CONFIG_FILE
+echo "RehashBl;" >> $CONFIG_FILE
+$CBOOTIMAGE -s tegra210 -u $CONFIG_FILE $IMAGE_FILE $IMAGE_FILE.tmp
+
+echo " Extract the part of bct which needs to be rsa signed"
+$DD bs=1 if=$IMAGE_FILE.tmp of=$IMAGE_FILE.bct.tosig count=8944 skip=1296
+
+echo " Calculate rsa signature for bct and save to $IMAGE_FILE.bct.sig"
+$OPENSSL dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \
+ -sign $KEY_FILE -out $IMAGE_FILE.bct.sig $IMAGE_FILE.bct.tosig
+
+echo " Reverse bct signature to meet tegra soc signature ordering"
+$OBJCOPY -I binary --reverse-bytes=256 $IMAGE_FILE.bct.sig $IMAGE_FILE.bct.sig.rev
+
+echo " Create public key modulus from key file $KEY_FILE and save to $KEY_FILE.mod"
+$OPENSSL rsa -in $KEY_FILE -noout -modulus -out $KEY_FILE.mod
+# remove prefix and LF
+$DD bs=1 if=$KEY_FILE.mod of=$KEY_FILE.mod.tmp skip=8 count=512
+# convert format from hexdecimal to binary
+$XXD -r -p -l 256 $KEY_FILE.mod.tmp $KEY_FILE.mod.bin
+# reverse byte order"
+$OBJCOPY -I binary --reverse-bytes=256 $KEY_FILE.mod.bin $KEY_FILE.mod.bin.rev
+
+echo "# Update bct's rsa signature and modulus"
+echo "RsaPssSigBctFile = $IMAGE_FILE.bct.sig.rev;" > $CONFIG_FILE
+echo "RsaKeyModulusFile = $KEY_FILE.mod.bin.rev;" >> $CONFIG_FILE
+$CBOOTIMAGE -s tegra210 -u $CONFIG_FILE $IMAGE_FILE.tmp $TARGET_IMAGE
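Review bot: the same shebang, `set -e` and quoting points as for sign.sh apply here. The offsets `skip=32768` (bootloader start) and `skip=1296 count=8944` (region of the BCT that is RSA-signed) are raw T210 layout values with no comment tying them to the BCT structure; BL_LENGTH is already taken from bct_dump, and doing the same for these would make the "relatively simple to port to T124/T114" claim in the commit message real. Note the second cbootimage run reads `$IMAGE_FILE.tmp`, so the BCT signature covers the image that already carries the bootloader signature and the refreshed AES hash; that ordering is correct and worth stating in a comment.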
diff --git a/sign.sh b/sign.sh
new file mode 100755
index 000000000000..8f8a353fe19f
--- /dev/null
+++ b/sign.sh
@@ -0,0 +1,65 @@
+IMAGE_FILE=$1
+KEY_FILE=$2
+TARGET_IMAGE=$IMAGE_FILE
+CONFIG_FILE=rehash.cfg
+
+CBOOTIMAGE=src/cbootimage
+BCT_DUMP=src/bct_dump
+OBJCOPY=objcopy
+OPENSSL=openssl
+DD=dd
+RM=rm
+MV=mv
+XXD=xxd
+
+echo " Get rid of all temporary files: *.sig, *.tosig, *.tmp *.mod *.rev"
+$RM -f *.sig *.tosig *.tmp *.mod *.rev
+
+echo " Get bl length "
+BL_LENGTH=`$BCT_DUMP $IMAGE_FILE | grep "Bootloader\[0\].Length" \
+ | awk -F ' ' '{print $4}' | awk -F ';' '{print $1}'`
+
+echo " Extract bootloader to $IMAGE_FILE.bl.tosig, length $BL_LENGTH "
+$DD bs=1 skip=32768 if=$IMAGE_FILE of=$IMAGE_FILE.bl.tosig count=$BL_LENGTH
+
+echo " Calculate rsa signature for bl and save to $IMAGE_FILE.bl.sig"
+$OPENSSL dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \
+ -sign $KEY_FILE -out $IMAGE_FILE.bl.sig $IMAGE_FILE.bl.tosig
+
+echo " Reverse bl signature to meet tegra soc signature ordering"
+$OBJCOPY -I binary --reverse-bytes=256 $IMAGE_FILE.bl.sig $IMAGE_FILE.bl.sig.rev
+
+echo " Inject bl signature into bct"
+$DD conv=notrunc bs=1 if=$IMAGE_FILE.bl.sig.rev of=$IMAGE_FILE seek=9052 count=256
+
+echo " Update bct aes hash and output to $IMAGE_FILE.tmp"
+$CBOOTIMAGE -s tegra210 -u $CONFIG_FILE $IMAGE_FILE $IMAGE_FILE.tmp
+
+echo " Extract the part of bct which needs to be rsa signed"
+$DD bs=1 if=$IMAGE_FILE.tmp of=$IMAGE_FILE.bct.tosig count=8944 skip=1296
+
+echo " Calculate rsa signature for bct and save to $IMAGE_FILE.bct.sig"
+$OPENSSL dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \
+ -sign $KEY_FILE -out $IMAGE_FILE.bct.sig $IMAGE_FILE.bct.tosig
+
+echo " Reverse bct signature to meet tegra soc signature ordering"
+$OBJCOPY -I binary --reverse-bytes=256 $IMAGE_FILE.bct.sig $IMAGE_FILE.bct.sig.rev
+
+echo " Inject bct signature into bct"
+$DD conv=notrunc bs=1 if=$IMAGE_FILE.bct.sig.rev of=$IMAGE_FILE.tmp seek=800 count=256
+
+echo " Create public key modulus from key file $KEY_FILE and save to $KEY_FILE.mod"
+$OPENSSL rsa -in $KEY_FILE -noout -modulus -out $KEY_FILE.mod
+# remove prefix and LF
+$DD bs=1 if=$KEY_FILE.mod of=$KEY_FILE.mod.tmp skip=8 count=512
+# convert format from hexdecimal to binary
+$XXD -r -p -l 256 $KEY_FILE.mod.tmp $KEY_FILE.mod.bin
+# reverse byte order"
+$OBJCOPY -I binary --reverse-bytes=256 $KEY_FILE.mod.bin $KEY_FILE.mod.bin.rev
+
+echo " Inject public key modulus into bct"
+$DD conv=notrunc bs=1 if=$KEY_FILE.mod.bin.rev of=$IMAGE_FILE.tmp seek=528 count=256
+
+echo " Copy the signed binary to the target file $TARGET_IMAGE"
+$MV $IMAGE_FILE.tmp $TARGET_IMAGE
+
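Review bot: the injection offsets (`seek=9052` for the bootloader signature, `seek=800` for the BCT signature, `seek=528` for the modulus, `skip=1296 count=8944` for the signed region) are raw T210 BCT offsets with nothing linking them to the fields in nvboot_bct_t210.h, and the script never checks its own result, so one wrong number silently yields an image the boot ROM will refuse. A final verification step that re-extracts the two signed regions and runs `openssl dgst -sha256 -sigopt rsa_padding_mode:pss -verify` against the public key (reversing the injected signatures back first) would catch that before the image is flashed.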
--
1.8.1.5
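As an added example (not part of this patch series or of cbootimage), the Python below parses the four-line RSA fields that patch 3/5's format_rsa_param prints and converts between the BCT byte order and the `Modulus=` line of `openssl rsa -noout -modulus` that sign.sh reverses with objcopy, so a dumped image can be checked offline against the key that was supposed to sign it. It assumes bct_dump writes exactly the layout shown in format_rsa_param (64 bytes per line, each line ending in ';'), and the sample modulus bytes are constructed rather than taken from a real key.

```python
"""Parse the RSA fields bct_dump prints for a T210 image and convert between
BCT byte order and the `Modulus=` line from `openssl rsa -noout -modulus`.

Added example, not part of cbootimage. Assumption: a 256-byte field is printed
exactly as format_rsa_param does it (first line `<Label> = ` + 64 bytes of hex
+ ';', then three more lines of 64 bytes each ending in ';'), and the BCT holds
modulus and signatures byte-reversed relative to openssl output, which is why
sign.sh runs `objcopy --reverse-bytes=256`.
"""
import re

RSA_PARAM_BYTES = 256      # ARSE_RSA_PARAM_MAX_BYTES (2048-bit modulus)
BYTES_PER_LINE = 64        # format_rsa_param breaks the value every 64 bytes

_HEX_CHUNK = re.compile(r"^[0-9a-fA-F]+;$")


def format_rsa_param_dump(label: str, value: bytes) -> str:
    """Reproduce the bct_dump layout for one RSA field.

    Used here only to build sample input offline; it mirrors the loop in
    format_rsa_param (hex of 64 bytes, then ';' and a newline).
    """
    if len(value) != RSA_PARAM_BYTES:
        raise ValueError("RSA field must be %d bytes" % RSA_PARAM_BYTES)
    out = [label + " = "]
    for i in range(0, RSA_PARAM_BYTES, BYTES_PER_LINE):
        out.append(value[i:i + BYTES_PER_LINE].hex() + ";\n")
    return "".join(out)


def parse_rsa_param(dump_text: str, label: str) -> bytes:
    """Reassemble the 256 bytes printed under `label`, in BCT byte order.

    Raises ValueError if the field is absent or does not add up to exactly
    256 bytes, mirroring the strict size check in set_rsa_param.
    """
    lines = [ln.strip() for ln in dump_text.splitlines()]
    prefix = label + " = "
    start = next((i for i, ln in enumerate(lines) if ln.startswith(prefix)), None)
    if start is None:
        raise ValueError("%s not present in dump" % label)
    hex_digits = lines[start][len(prefix):].rstrip(";")
    i = start + 1
    # Continuation lines are pure hex terminated by ';' (no "Name = " prefix).
    while (len(hex_digits) < 2 * RSA_PARAM_BYTES and i < len(lines)
           and _HEX_CHUNK.match(lines[i])):
        hex_digits += lines[i].rstrip(";")
        i += 1
    if len(hex_digits) != 2 * RSA_PARAM_BYTES:
        raise ValueError("%s: expected %d hex digits, got %d"
                         % (label, 2 * RSA_PARAM_BYTES, len(hex_digits)))
    return bytes.fromhex(hex_digits)


def to_openssl_modulus(bct_order: bytes) -> str:
    """Render a BCT-order modulus the way `openssl rsa -noout -modulus` prints
    it: uppercase big-endian hex after the 8-character `Modulus=` prefix that
    sign.sh strips with `dd skip=8`."""
    return "Modulus=" + bct_order[::-1].hex().upper()


def from_openssl_modulus(line: str) -> bytes:
    """Inverse of to_openssl_modulus: the dd/xxd/objcopy pipeline in sign.sh."""
    if not line.startswith("Modulus="):
        raise ValueError("expected a 'Modulus=' line")
    raw = bytes.fromhex(line[len("Modulus="):].strip())
    if len(raw) != RSA_PARAM_BYTES:
        raise ValueError("modulus is %d bytes, expected %d"
                         % (len(raw), RSA_PARAM_BYTES))
    return raw[::-1]


def bct_modulus_matches_key(dump_text: str, openssl_modulus_line: str) -> bool:
    """True when the RsaKeyModulus field dumped from an image equals the
    modulus of the key that was supposed to sign it."""
    return (parse_rsa_param(dump_text, "RsaKeyModulus")
            == from_openssl_modulus(openssl_modulus_line))


if __name__ == "__main__":
    # Constructed sample values; a real run would feed `bct_dump image.bin`
    # output and the `openssl rsa -in key.pem -noout -modulus` line instead.
    sample = bytes(range(RSA_PARAM_BYTES))
    dump = format_rsa_param_dump("RsaKeyModulus", sample)
    print(dump, end="")
    print("matches:", bct_modulus_matches_key(dump, to_openssl_modulus(sample)))
```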
Re: [cbootimage PATCH v3 0/5] Add RSA signing support
From: Stephen Warren @ 2015-10-08 20:34 UTC
To: Jimmy Zhang
Cc: amartin-DDmLM1+adcrQT0dZR+AlfA, swarren-DDmLM1+adcrQT0dZR+AlfA,
linux-tegra-u79uwXL29TY76Z2rM5mHXA
On 10/08/2015 01:38 PM, Jimmy Zhang wrote:
> 1. Address issues found in v2.
> 2. Use keyword "RehashBl" instead of "ReSignBl" to re-generate AES hash
> for bootloader (and bct).
> 3. Add sample scripts to do rsa signing for T210 bootimage.
It's nice to have the changelog (also) in the individual patches so that
it's easier for reviewers to track down where to look for changes.