From: Sascha Hauer <s.hauer@pengutronix.de>
To: Marc Kleine-Budde <mkl@pengutronix.de>
Cc: barebox@lists.infradead.org
Subject: Re: [PATCH v2] images: add HABv4 support for i.MX6
Date: Mon, 13 Apr 2015 12:19:06 +0200 [thread overview]
Message-ID: <20150413101906.GP9742@pengutronix.de> (raw)
In-Reply-To: <1427917169-27278-1-git-send-email-mkl@pengutronix.de>
Hi Marc,
Looks mostly fine. Some minor stuff inside, mostly typos.
Sascha
On Wed, Apr 01, 2015 at 09:39:29PM +0200, Marc Kleine-Budde wrote:
> This patch adds high assurance boot support (HABv4) image generation to
> barebox, currently tested on i.MX6 only.
>
> In order to build a singed barebox image, add a new image target to
s/singed/signed/
> images/Makefile.imx as illustrated in the diff below:
>
> - - - a/images/Makefile.imx
> + + + b/images/Makefile.imx
> @@ -163,10 +163,14 @@ image-$(CONFIG_MACH_SABRELITE) += barebox-freescale-imx6dl-sabrelite.img
> pblx-$(CONFIG_MACH_SABRESD) += start_imx6q_sabresd
> CFG_start_imx6q_sabresd.pblx.imximg = $(board)/freescale-mx6-sabresd/flash-header-mx6-sabresd.imxcfg
> FILE_barebox-freescale-imx6q-sabresd.img = start_imx6q_sabresd.pblx.imximg
> image-$(CONFIG_MACH_SABRESD) += barebox-freescale-imx6q-sabresd.img
>
> +CSF_start_imx6q_sabresd.pblx.imximg = $(havb4_imx6csf)
> +FILE_barebox-freescale-imx6q-sabresd-signed.img = start_imx6q_sabresd.pblx.imximg.signed
> +image-$(CONFIG_MACH_SABRESD) += barebox-freescale-imx6q-sabresd-signed.img
> +
>
> Here the defaut i.MX6 CSF file $(havb4_imx6csf) is used, it's generated during
s/defaut/default/
> build on from the template "scripts/habv4/habv4-imx6.csf.in". You can configure
> the paths to the SRK table and certificates via: System Type -> i.MX specific
> settings -> HABv4 support.
>
> The proprietary tool "cst" by Freescale tool is expected in the PATH.
>
> Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
> ---
> This time with a harmless patch description, so that it's not confused with the
> real patch.
>
> arch/arm/mach-imx/Kconfig | 39 ++++++++++++++++++++++++++++++++
> images/.gitignore | 2 ++
> images/Makefile | 1 +
> images/Makefile.habv4 | 48 ++++++++++++++++++++++++++++++++++++++++
> scripts/habv4/gencsf.sh | 47 +++++++++++++++++++++++++++++++++++++++
> scripts/habv4/habv4-imx28.csf.in | 28 +++++++++++++++++++++++
> scripts/habv4/habv4-imx6.csf.in | 37 +++++++++++++++++++++++++++++++
> 7 files changed, 202 insertions(+)
> create mode 100644 images/Makefile.habv4
> create mode 100755 scripts/habv4/gencsf.sh
> create mode 100644 scripts/habv4/habv4-imx28.csf.in
> create mode 100644 scripts/habv4/habv4-imx6.csf.in
>
> diff --git a/arch/arm/mach-imx/Kconfig b/arch/arm/mach-imx/Kconfig
> index 477207e646cd..f896b86d357d 100644
> --- a/arch/arm/mach-imx/Kconfig
> +++ b/arch/arm/mach-imx/Kconfig
> @@ -676,6 +676,45 @@ config IMX_OCOTP_WRITE
> mw -l -d /dev/imx-ocotp 0x8C 0x00001234
> mw -l -d /dev/imx-ocotp 0x88 0x56789ABC
>
> +config HABV4
> + tristate "HABv4 support"
> + help
> + High Assurance Boot, as found on i.MX28/i.MX6.
depends on ARCH_IMX6?
> +
> +if HABV4
> +
> +config HABV4_TABLE_BIN
> + string "Path to SRK table"
> + default "../crts/SRK_1_2_3_4_table.bin"
> + help
> + Path to the Super Root Key (SRK) table, produced by the
> + Freescale Code Signing Tool (cst).
> +
> + This file will be inserted into to Command Sequence File
s/to/the/
> + (CSF) when using the CSF template that comes with barebox.
> +
> +config HABV4_CSF_CRT_PEM
> + string "Path to CSF certificate"
> + default "../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
> + help
> + Path to the Command Sequence File (CSF) certificate, produced by the
> + Freescale Public Key Infrastructure (PKI) script.
> +
> + This file will be inserted into to Command Sequence File
s/to/the/
> + (CSF) when using the CSF template that comes with barebox.
> +
> +config HABV4_IMG_CRT_PEM
> + string "Path to IMG certificate"
> + default "../crts/IMG_1_sha256_4096_65537_v3_usr_crt.pem"
> + help
> + Path to the Image certificate, produced by the Freescale
> + Public Key Infrastructure (PKI) script.
> +
> + This file will be inserted into to Command Sequence File
s/to/the/
> + (CSF) when using the CSF template that comes with barebox.
> +
> +endif
> +
> endmenu
>
> endif
> diff --git a/images/.gitignore b/images/.gitignore
> index c5377d9f6531..b5004fe48fd6 100644
> --- a/images/.gitignore
> +++ b/images/.gitignore
> @@ -3,6 +3,8 @@
> *.pblb
> *.img
> *.imximg
> +*.imximg.prep
> +*.imximg.signed
> *.map
> *.src
> *.kwbimg
> diff --git a/images/Makefile b/images/Makefile
> index 7c3aaf762767..d670ce6df1e3 100644
> --- a/images/Makefile
> +++ b/images/Makefile
> @@ -104,6 +104,7 @@ include $(srctree)/images/Makefile.rockchip
> include $(srctree)/images/Makefile.socfpga
> include $(srctree)/images/Makefile.tegra
> include $(srctree)/images/Makefile.mxs
> +include $(srctree)/images/Makefile.habv4
>
> targets += $(image-y) pbl.lds barebox.x barebox.z
> targets += $(patsubst %,%.pblx,$(pblx-y))
> diff --git a/images/Makefile.habv4 b/images/Makefile.habv4
Maybe name this Makefile.imxhabv4 to make clear this file is about i.MX.
> new file mode 100644
> index 000000000000..bb2fd3082639
> --- /dev/null
> +++ b/images/Makefile.habv4
> @@ -0,0 +1,48 @@
> +# -*-makefile-*-
> +#
> +# barebox image generation Makefile for HABv4 images
> +#
> +
> +# default csf templates
> +havb4_imx6csf = $(srctree)/scripts/habv4/habv4-imx6.csf.in
> +habv4_imx2csf = $(srctree)/scripts/habv4/habv4-imx28.csf.in
> +
> +# %.imximg.prep - Convert in i.MX image, with preparation for signature
> +# ----------------------------------------------------------------
> +quiet_cmd_imx_prep_image = IMX-PREP-IMG $@
> + cmd_imx_prep_image = $(CPP) $(imxcfg_cpp_flags) -o $(imximg-tmp) $(word 2,$^) ; \
> + $< -o $@ -b -c $(imximg-tmp) -p -f $(word 3,$^)
> +
> +.SECONDEXPANSION:
> +$(obj)/%.imximg.prep: $(objtree)/scripts/imx/imx-image $$(CFG_%.imximg) $(obj)/%
> + $(call if_changed,imx_prep_image)
> +
> +# %.habv4.csf - create Command Sequence File from template
> +# ----------------------------------------------------------------
> +quiet_cmd_csf = CSF $@
> + cmd_csf = TABLE_BIN=$(CONFIG_HABV4_TABLE_BIN) \
> + CSF_CRT_PEM=$(CONFIG_HABV4_CSF_CRT_PEM) \
> + IMG_CRT_PEM=$(CONFIG_HABV4_IMG_CRT_PEM) \
> + $< -f $(word 2,$^) -c $(word 3,$^) -i $(word 4,$^) -o $@
> +
> +.SECONDEXPANSION:
> +$(obj)/%.habv4.csf: $(srctree)/scripts/habv4/gencsf.sh $(obj)/%.prep $$(CFG_%) $$(CSF_%)
> + $(call if_changed,csf)
> +
> +# %.habv4.sig - create signature and pad to 0x2000
> +# ----------------------------------------------------------------
> +CST = cst
> +quiet_cmd_habv4_sig = HAB4SIG $@
> + cmd_habv4_sig = $(CST) -o $(imximg-tmp) < $(word 2,$^) > /dev/null; \
> + $(OBJCOPY) -I binary -O binary --pad-to 0x2000 --gap-fill=0x5a $(imximg-tmp) $@
> +
> +$(obj)/%.habv4.sig: $(obj)/%.prep $(obj)/%.habv4.csf
> + $(call if_changed,habv4_sig)
> +
> +# %.imximg.singed - concatinate bootloader and signature
s/singed/signed/
s/concatinate/concatenate/
> +# ----------------------------------------------------------------
> +quiet_cmd_cat = CAT $@
> + cmd_cat = cat $^ > $@
> +
> +$(obj)/%.imximg.signed: $(obj)/%.imximg.prep $(obj)/%.imximg.habv4.sig
> + $(call if_changed,cat)
> diff --git a/scripts/habv4/gencsf.sh b/scripts/habv4/gencsf.sh
> new file mode 100755
> index 000000000000..2c1c34add43a
> --- /dev/null
> +++ b/scripts/habv4/gencsf.sh
> @@ -0,0 +1,47 @@
> +#!/bin/sh
> +
> +set -e
> +
> +while getopts "f:c:i:o:" opt; do
> + case $opt in
> + f)
> + file=$OPTARG
> + ;;
> + c)
> + cfg=$OPTARG
> + ;;
> + i)
> + in=$OPTARG
> + ;;
> + o)
> + out=$OPTARG
> + ;;
> + \?)
> + echo "Invalid option: -$OPTARG" >&2
> + exit 1
> + ;;
> + esac
> +done
> +
> +if [ ! -e $file -o ! -e $cfg -o ! -e $in ]; then
> + echo "file not found!"
> + exit 1
> +fi
> +
> +#
> +# extract and set as shell vars:
> +# loadaddr=
> +# dcdofs=
> +#
> +eval $(sed -n -e "s/^[[:space:]]*\(loadaddr\|dcdofs\)[[:space:]]*\(0x[0-9]*\)/\1=\2/p" $cfg)
> +
> +length=$(stat -c '%s' $file)
> +
> +sed -e "s:@TABLE_BIN@:$TABLE_BIN:" \
> + -e "s:@CSF_CRT_PEM@:$CSF_CRT_PEM:" \
> + -e "s:@IMG_CRT_PEM@:$IMG_CRT_PEM:" \
> + -e "s:@LOADADDR@:$loadaddr:" \
> + -e "s:@OFFSET@:0:" \
> + -e "s:@LENGTH@:$length:" \
> + -e "s:@FILE@:$file:" \
> + $in > $out
> diff --git a/scripts/habv4/habv4-imx28.csf.in b/scripts/habv4/habv4-imx28.csf.in
> new file mode 100644
> index 000000000000..043602e09ba4
> --- /dev/null
> +++ b/scripts/habv4/habv4-imx28.csf.in
> @@ -0,0 +1,28 @@
> +[Header]
> +Version = 4.0
> +Hash Algorithm = sha256
> +Engine Configuration = 0
> +Certificate Format = X509
> +Signature Format = CMS
> +
> +[Install SRK]
> +File = "@TABLE_BIN@"
> +Source index = 0
> +
> +[Install CSFK]
> +File = "@CSF_CRT_PEM@"
> +
> +[Authenticate CSF]
> +
> +[Install Key]
> +Verification index = 0
> +Target index = 2
> +File = "@IMG_CRT_PEM@"
> +
> +# Sign entire image
> +# Blocks have the following definition:
> +# Base address of the binary file, Offset, Length of block in bytes
> +[Authenticate Data]
> +Verification index = 2
> +Engine = DCP
> +Blocks = @LOADADDR@ @OFFSET@ @LENGTH@ "@FILE@"
> diff --git a/scripts/habv4/habv4-imx6.csf.in b/scripts/habv4/habv4-imx6.csf.in
> new file mode 100644
> index 000000000000..11a5db94946c
> --- /dev/null
> +++ b/scripts/habv4/habv4-imx6.csf.in
> @@ -0,0 +1,37 @@
> +[Header]
> +Version = 4.1
> +Hash Algorithm = sha256
> +Engine Configuration = 0
> +Certificate Format = X509
> +Signature Format = CMS
> +Engine = CAAM
> +
> +[Install SRK]
> +File = "@TABLE_BIN@"
> +# SRK index within SRK-Table 0..3
> +Source index = 0
> +
> +[Install CSFK]
> +File = "@CSF_CRT_PEM@"
> +
> +[Authenticate CSF]
> +
> +[Unlock]
> +Engine = CAAM
> +Features = RNG
> +
> +[Install Key]
> +# verification key index in key store (0, 2...5)
> +Verification index = 0
> +# target key index in key store (2...5)
> +Target index = 2
> +File = "@IMG_CRT_PEM@"
> +
> +[Authenticate Data]
> +# verification key index in key store (2...5)
> +Verification index = 2
> +# "starting load address in memory"
> +# "starting offset within the source file"
> +# "length (in bytes)"
> +# "file (binary)"
> +Blocks = @LOADADDR@ @OFFSET@ @LENGTH@ "@FILE@"
> --
> 2.1.4
>
>
> _______________________________________________
> barebox mailing list
> barebox@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/barebox
>
--
Pengutronix e.K. | |
Industrial Linux Solutions | http://www.pengutronix.de/ |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
next prev parent reply other threads:[~2015-04-13 10:19 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-04-01 16:14 [PATCH 01/10] add habv4 " Marc Kleine-Budde
2015-04-01 16:14 ` [PATCH 01/10] imx-image: sort included header files Marc Kleine-Budde
2015-04-03 6:32 ` Sascha Hauer
2015-04-01 16:14 ` [PATCH 02/10] imx-image: add_header_v2(): replace hardcoded 0x400 by offset parameter Marc Kleine-Budde
2015-04-01 16:14 ` [PATCH 03/10] imx-image: replace 0x400 by FLASH_HEADER_OFFSET Marc Kleine-Budde
2015-04-01 16:14 ` [PATCH 04/10] imx-image: introduce HEADER_LEN and replace several 0x1000 and 4096 Marc Kleine-Budde
2015-04-01 16:14 ` [PATCH 05/10] imx-image: mx35: increase load image size, due to dobule header Marc Kleine-Budde
2015-04-01 16:14 ` [PATCH 06/10] imx-image: main: make use of round_up instead of open coding it Marc Kleine-Budde
2015-04-01 16:14 ` [PATCH 07/10] imx-image: pad generated image to 4k Marc Kleine-Budde
2015-04-01 16:14 ` [PATCH 08/10] imx-image: add option to prepare image for HAB signing Marc Kleine-Budde
2015-04-01 16:14 ` [PATCH 09/10] images: add HABv4 support for i.MX6 Marc Kleine-Budde
2015-04-01 16:17 ` Marc Kleine-Budde
2015-04-01 19:39 ` [PATCH v2] " Marc Kleine-Budde
2015-04-13 10:19 ` Sascha Hauer [this message]
2015-04-13 10:22 ` Marc Kleine-Budde
2015-04-01 16:14 ` [PATCH 10/10] habv4: add High Assurance Boot v4 Marc Kleine-Budde
2015-04-13 10:30 ` Sascha Hauer
2015-04-03 6:33 ` [PATCH 01/10] add habv4 support for i.MX6 Sascha Hauer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150413101906.GP9742@pengutronix.de \
--to=s.hauer@pengutronix.de \
--cc=barebox@lists.infradead.org \
--cc=mkl@pengutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox