From: Andrew Davis
To: Simon Glass, Tom Rini
CC: Andrew Davis
Subject: [PATCH 1/2] k3_gen_x509_cert: Make SWRV configurable for anti-rollback protection
Date: Fri, 15 Jul 2022 11:38:53 -0500
Message-ID: <20220715163854.1493-1-afd@ti.com>
List-Id: U-Boot discussion

From: Yogesh Siraswar

The x509 certificate SWRV is currently hard-coded to 0. This needs to be updated to 1 for j721e 1.1, j7200 and am64x. It is a don't-care for other k3 devices.

Added new config K3_X509_SWRV to k3. Default is set to 1.
Signed-off-by: Yogesh Siraswar Reviewed-by: Dave Gerlach --- arch/arm/mach-k3/Kconfig | 6 ++++++ arch/arm/mach-k3/config.mk | 5 ++++- tools/k3_gen_x509_cert.sh | 11 +++++++++-- 3 files changed, 19 insertions(+), 3 deletions(-) diff --git a/arch/arm/mach-k3/Kconfig b/arch/arm/mach-k3/Kconfig index 57f693e9a1..9383fa478e 100644 --- a/arch/arm/mach-k3/Kconfig +++ b/arch/arm/mach-k3/Kconfig @@ -176,6 +176,12 @@ config K3_DM_FW bootloader, it makes RM and PM services not being available during R5 SPL execution time. +config K3_X509_SWRV + int "SWRV for X509 certificate used for boot images" + default 1 + help + SWRV for X509 certificate used for boot images + source "board/ti/am65x/Kconfig" source "board/ti/am64x/Kconfig" source "board/ti/am62x/Kconfig" diff --git a/arch/arm/mach-k3/config.mk b/arch/arm/mach-k3/config.mk index da458bcfb2..4feb57992d 100644 --- a/arch/arm/mach-k3/config.mk +++ b/arch/arm/mach-k3/config.mk @@ -28,6 +28,9 @@ else KEY=$(patsubst "%",$(srctree)/%,$(CONFIG_SYS_K3_KEY)) endif +# X509 SWRV default +SWRV = $(CONFIG_K3_X509_SWRV) + # tiboot3.bin is mandated by ROM and ROM only supports R5 boot. # So restrict tiboot3.bin creation for CPU_V7R. ifdef CONFIG_CPU_V7R @@ -42,7 +45,7 @@ image_check: $(obj)/u-boot-spl.bin FORCE tiboot3.bin: image_check FORCE $(srctree)/tools/k3_gen_x509_cert.sh -c 16 -b $(obj)/u-boot-spl.bin \ - -o $@ -l $(CONFIG_SPL_TEXT_BASE) -k $(KEY) + -o $@ -l $(CONFIG_SPL_TEXT_BASE) -r $(SWRV) -k $(KEY) INPUTS-y += tiboot3.bin endif diff --git a/tools/k3_gen_x509_cert.sh b/tools/k3_gen_x509_cert.sh index 298cec1313..24cfc4e5fb 100755 --- a/tools/k3_gen_x509_cert.sh +++ b/tools/k3_gen_x509_cert.sh @@ -13,6 +13,7 @@ LOADADDR=0x41c00000 BOOTCORE_OPTS=0 BOOTCORE=16 DEBUG_TYPE=0 +SWRV=1 gen_degen_template() { cat << 'EOF' > degen-template.txt 
@@ -70,7 +71,7 @@ cat << 'EOF' > x509-template.txt shaValue = FORMAT:HEX,OCT:TEST_IMAGE_SHA_VAL [ swrv ] - swrv = INTEGER:0 + swrv = INTEGER:TEST_SWRV # [ encryption ] # initalVector = FORMAT:HEX,OCT:TEST_IMAGE_ENC_IV @@ -153,8 +154,9 @@ options_help[o]="output_file:Name of the final output file. default to $OUTPUT" options_help[c]="core_id:target core id on which the image would be running. Default to $BOOTCORE" options_help[l]="loadaddr: Target load address of the binary in hex. Default to $LOADADDR" options_help[d]="debug_type: Debug type, set to 4 to enable early JTAG. Default to $DEBUG_TYPE" +options_help[r]="SWRV: Software Rev for X509 certificate" -while getopts "b:k:o:c:l:d:h" opt +while getopts "b:k:o:c:l:d:h:r:" opt do case $opt in b) @@ -175,6 +177,9 @@ do d) DEBUG_TYPE=$OPTARG ;; + r) + SWRV=$OPTARG + ;; h) usage exit 0 @@ -230,6 +235,7 @@ gen_cert() { #echo " IMAGE_SIZE = $BIN_SIZE" #echo " CERT_TYPE = $CERTTYPE" #echo " DEBUG_TYPE = $DEBUG_TYPE" + echo " SWRV = $SWRV" sed -e "s/TEST_IMAGE_LENGTH/$BIN_SIZE/" \ -e "s/TEST_IMAGE_SHA_VAL/$SHA_VAL/" \ -e "s/TEST_CERT_TYPE/$CERTTYPE/" \ @@ -237,6 +243,7 @@ gen_cert() { -e "s/TEST_BOOT_CORE/$BOOTCORE/" \ -e "s/TEST_BOOT_ADDR/$ADDR/" \ -e "s/TEST_DEBUG_TYPE/$DEBUG_TYPE/" \ + -e "s/TEST_SWRV/$SWRV/" \ x509-template.txt > $TEMP_X509 openssl req -new -x509 -key $KEY -nodes -outform DER -out $CERT -config $TEMP_X509 -sha512 } -- 2.36.1
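Review bot: in the arch/arm/mach-k3/Kconfig hunk the help text for K3_X509_SWRV only repeats its prompt. Since the subject line ties this value to anti-rollback protection, the help should say what the number is (the software revision the boot certificate carries), which devices need it raised to 1 (per the commit message: j721e 1.1, j7200 and am64x), and that other K3 devices ignore it. A `range` line would also document the accepted values, because the number is substituted unchecked into `swrv = INTEGER:` in the certificate config.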
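Review bot: in the first arch/arm/mach-k3/config.mk hunk the comment `# X509 SWRV default` is misleading: `SWRV = $(CONFIG_K3_X509_SWRV)` assigns the configured value, not a default. The default now exists twice, as `default 1` in Kconfig and as `SWRV=1` in tools/k3_gen_x509_cert.sh, and the two can drift apart silently; reword the comment and consider pointing the script's usage text at the Kconfig symbol as the single source of truth.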
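Review bot: in the tiboot3.bin hunk only this one rule gains `-r $(SWRV)`; any other invocation of k3_gen_x509_cert.sh in the tree would keep using the script's new in-script default of 1 instead of CONFIG_K3_X509_SWRV. Either confirm there are no other callers or state in the commit message that tiboot3.bin is the only image whose SWRV is meant to be configurable.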
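Review bot: in the options_help/getopts hunk the new string `"b:k:o:c:l:d:h:r:"` puts a colon after `h`, which had none in the old `"b:k:o:c:l:d:h"`. A colon means the option takes an argument, so a bare `-h` now makes getopts report a missing argument instead of reaching the `h) usage` case; it should read `"b:k:o:c:l:d:hr:"`. In the same hunk `options_help[r]` is the only entry without a default, while its neighbours end with `Default to $LOADADDR` and `Default to $DEBUG_TYPE`; appending `Default to $SWRV` keeps the usage output consistent.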
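Review bot: in the first gen_cert() hunk the added `echo " SWRV = $SWRV"` is live while every neighbouring line (`#echo " IMAGE_SIZE = $BIN_SIZE"`, `#echo " CERT_TYPE = $CERTTYPE"`, `#echo " DEBUG_TYPE = $DEBUG_TYPE"`) is commented out, so every build now prints this line unconditionally. Comment it out to match, or put the whole group behind a verbosity flag.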
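Review bot: in the sed hunk `-e "s/TEST_SWRV/$SWRV/"` splices the option value into a sed expression and, through the template, into an `INTEGER:` field of the openssl config without any check. An empty or non-numeric value, or one containing `/`, fails late and obscurely as a sed or openssl config error. Validating in the `r)` case, for example `case $OPTARG in ''|*[!0-9]*) echo "invalid SWRV" >&2; exit 1;; esac`, reports the problem where it originates, which matters for the one field the subject line ties to anti-rollback protection.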