OSDN > Entwickler > ysato > Kammer > uboot > Commit

uboot
Fork

(Original-Repository, kein Fork Herkunft)

R/O
HTTP
SSH
HTTPS

Commit

Commit MetaInfo

Revision	00194272519855ad26b7d5de2fd0419cf2963942 (tree)
Zeit	2022-07-26 03:57:27
Autor	Yogesh Siraswar <yogeshs@ti.c...>
Commiter	Tom Rini

Log Message

k3_gen_x509_cert: Make SWRV configurable for anti-rollback protection

The x509 certificate SWRV is currently hard-coded to 0. This need to be
updated to 1 for j721e 1.1, j7200 and am64x. It is don't care for other
k3 devices.

Added new config K3_X509_SWRV to k3. Default is set to 1.

Signed-off-by: Yogesh Siraswar <yogeshs@ti.com>
Reviewed-by: Dave Gerlach <d-gerlach@ti.com>

Ändern Zusammenfassung

modified: arch/arm/mach-k3/Kconfig (diff)
modified: arch/arm/mach-k3/config.mk (diff)
modified: tools/k3_gen_x509_cert.sh (diff)

Diff

--- a/arch/arm/mach-k3/Kconfig

+++ b/arch/arm/mach-k3/Kconfig

		@@ -176,6 +176,12 @@ config K3_DM_FW
176	176	bootloader, it makes RM and PM services not being available
177	177	during R5 SPL execution time.
178	178
	179	+config K3_X509_SWRV
	180	+ int "SWRV for X509 certificate used for boot images"
	181	+ default 1
	182	+ help
	183	+ SWRV for X509 certificate used for boot images
	184	+
179	185	source "board/ti/am65x/Kconfig"
180	186	source "board/ti/am64x/Kconfig"
181	187	source "board/ti/am62x/Kconfig"

--- a/arch/arm/mach-k3/config.mk

+++ b/arch/arm/mach-k3/config.mk

		@@ -28,6 +28,9 @@ else
28	28	KEY=$(patsubst "%",$(srctree)/%,$(CONFIG_SYS_K3_KEY))
29	29	endif
30	30
	31	+# X509 SWRV default
	32	+SWRV = $(CONFIG_K3_X509_SWRV)
	33	+
31	34	# tiboot3.bin is mandated by ROM and ROM only supports R5 boot.
32	35	# So restrict tiboot3.bin creation for CPU_V7R.
33	36	ifdef CONFIG_CPU_V7R

		@@ -42,7 +45,7 @@ image_check: $(obj)/u-boot-spl.bin FORCE
42	45
43	46	tiboot3.bin: image_check FORCE
44	47	$(srctree)/tools/k3_gen_x509_cert.sh -c 16 -b $(obj)/u-boot-spl.bin \
45		- -o $@ -l $(CONFIG_SPL_TEXT_BASE) -k $(KEY)
	48	+ -o $@ -l $(CONFIG_SPL_TEXT_BASE) -r $(SWRV) -k $(KEY)
46	49
47	50	INPUTS-y += tiboot3.bin
48	51	endif

--- a/tools/k3_gen_x509_cert.sh

+++ b/tools/k3_gen_x509_cert.sh

		@@ -13,6 +13,7 @@ LOADADDR=0x41c00000
13	13	BOOTCORE_OPTS=0
14	14	BOOTCORE=16
15	15	DEBUG_TYPE=0
	16	+SWRV=1
16	17
17	18	gen_degen_template() {
18	19	cat << 'EOF' > degen-template.txt

		@@ -70,7 +71,7 @@ cat << 'EOF' > x509-template.txt
70	71	shaValue = FORMAT:HEX,OCT:TEST_IMAGE_SHA_VAL
71	72
72	73	[ swrv ]
73		- swrv = INTEGER:0
	74	+ swrv = INTEGER:TEST_SWRV
74	75
75	76	# [ encryption ]
76	77	# initalVector = FORMAT:HEX,OCT:TEST_IMAGE_ENC_IV

		@@ -153,8 +154,9 @@ options_help[o]="output_file:Name of the final output file. default to $OUTPUT"
153	154	options_help[c]="core_id:target core id on which the image would be running. Default to $BOOTCORE"
154	155	options_help[l]="loadaddr: Target load address of the binary in hex. Default to $LOADADDR"
155	156	options_help[d]="debug_type: Debug type, set to 4 to enable early JTAG. Default to $DEBUG_TYPE"
	157	+options_help[r]="SWRV: Software Rev for X509 certificate"
156	158
157		-while getopts "b:k:o:c:l:d:h" opt
	159	+while getopts "b:k:o:c:l:d:h:r:" opt
158	160	do
159	161	case $opt in
160	162	b)

		@@ -175,6 +177,9 @@ do
175	177	d)
176	178	DEBUG_TYPE=$OPTARG
177	179	;;
	180	+ r)
	181	+ SWRV=$OPTARG
	182	+ ;;
178	183	h)
179	184	usage
180	185	exit 0

		@@ -230,6 +235,7 @@ gen_cert() {
230	235	#echo " IMAGE_SIZE = $BIN_SIZE"
231	236	#echo " CERT_TYPE = $CERTTYPE"
232	237	#echo " DEBUG_TYPE = $DEBUG_TYPE"
	238	+ echo " SWRV = $SWRV"
233	239	sed -e "s/TEST_IMAGE_LENGTH/$BIN_SIZE/" \
234	240	-e "s/TEST_IMAGE_SHA_VAL/$SHA_VAL/" \
235	241	-e "s/TEST_CERT_TYPE/$CERTTYPE/" \

		@@ -237,6 +243,7 @@ gen_cert() {
237	243	-e "s/TEST_BOOT_CORE/$BOOTCORE/" \
238	244	-e "s/TEST_BOOT_ADDR/$ADDR/" \
239	245	-e "s/TEST_DEBUG_TYPE/$DEBUG_TYPE/" \
	246	+ -e "s/TEST_SWRV/$SWRV/" \
240	247	x509-template.txt > $TEMP_X509
241	248	openssl req -new -x509 -key $KEY -nodes -outform DER -out $CERT -config $TEMP_X509 -sha512
242	249	}

uboot Fork