venice/secure_boot: sign_hab_imx8m.sh

1#!/bin/bash
2
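# check for required files
# flash.bin and flash.log are produced by 'make flash.bin'; .config is
# sourced later for CONFIG_SYS_TEXT_BASE and CONFIG_OF_LIST.
for f in flash.bin flash.log .config; do
        if [ ! -f "$f" ]; then
                echo "Missing $f! Please make sure to 'make flash.bin' first" >&2
                exit 1
        fi
done

# check for required env
#   CST_BIN   - NXP Code Signing Tool executable
#   SIGN_KEY  - CSF signing key certificate ([Install CSFK])
#   IMG_KEY   - image signing key certificate ([Install Key])
#   SRK_TABLE - SRK table matching the SRK hash fused into the SoC
# Every expansion is quoted so a path containing spaces is checked rather
# than making '[' fail on a stray argument.
if [ -z "$CST_BIN" ] || [ ! -f "$CST_BIN" ]; then
        echo "Missing CST_BIN variable!" >&2
        exit 1
fi
if [ ! -x "$CST_BIN" ]; then
        echo "CST_BIN ($CST_BIN) is not executable!" >&2
        exit 1
fi
for v in SIGN_KEY IMG_KEY SRK_TABLE; do
        # ${!v} is bash indirect expansion: the value of the variable named $v
        if [ -z "${!v}" ] || [ ! -f "${!v}" ]; then
                echo "Missing $v variable!" >&2
                exit 1
        fi
done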
28
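#
# create csf_spl.txt
#
# Emits (on stdout) the CST command sequence file that signs the SPL: install
# the SRK table and the CSF key, authenticate the CSF itself, install IMG_KEY
# into key slot 2 and authenticate the SPL range of flash.bin with it.
# The range (load address, file offset, length) comes from the
# 'spl hab block' line that 'make flash.bin' writes into flash.log.
# Globals read: SRK_TABLE, SIGN_KEY, IMG_KEY.
# Exits 1 if flash.log carries no usable 'spl hab block' line; since the
# caller runs this function in the current shell, that aborts the script.
#
csf_spl() {
        local start_addr offset length

        start_addr=$(awk '/spl hab block/{print $4}' flash.log)
        offset=$(awk '/spl hab block/{print $5}' flash.log)
        length=$(awk '/spl hab block/{print $6}' flash.log)
        # An empty Blocks line would hand CST nothing to sign (or make it
        # fail later with a less obvious error), so refuse up front.
        if [ -z "$start_addr" ] || [ -z "$offset" ] || [ -z "$length" ]; then
                echo "ERROR: no 'spl hab block' line found in flash.log" >&2
                exit 1
        fi

        cat << EOF
[Header]
    Version = 4.3
    Hash Algorithm = sha256
    Engine = CAAM
    Engine Configuration = 0
    Certificate Format = X509
    Signature Format = CMS

[Install SRK]
    # Index of the key location in the SRK table to be installed
    File = "$SRK_TABLE"
    Source index = 0

[Install CSFK]
    # Key used to authenticate the CSF data
    File = "$SIGN_KEY"

[Authenticate CSF]

[Unlock]
    # Leave Job Ring and DECO master ID registers Unlocked
    # NOTE(review): presumably required so that U-Boot/Linux can use the
    # CAAM job rings after HAB has run; confirm the unlock is needed for
    # this product before keeping it, as it is not present in the FIT CSF.
    Engine = CAAM
    Features = MID

[Install Key]
    # Key slot index used to authenticate the key to be installed
    Verification index = 0
    # Target key slot in HAB key store where key will be installed
    Target index = 2
    # Key to install
    File = "$IMG_KEY"

[Authenticate Data]
    # Key slot index used to authenticate the image data
    Verification index = 2
    # Authenticate Start Address, Offset, Length and file
    Blocks = $start_addr $offset $length "flash.bin"
EOF
}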
77
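#
# create csf_fit.txt
#
# Assumes using FIT generator (arch/arm/mach-imx/mkimage_fit_atf.sh)
# which puts blobs in this order:
#  u-boot-nodtb.bin (U-Boot)
#  u-boot.dtb (dtb's)
#  bl31.bin (ATF)
#  tee.bin (OP-TEE, only when the file is present)
#
# Emits (on stdout) the CST command sequence file for the FIT stage.  The
# FIT header range comes from the 'sld hab block' line in flash.log; every
# blob the FIT carries is then listed as its own Blocks entry (load address,
# offset into flash.bin, length), computed from the sizes of the blobs in the
# current directory, which therefore must be exactly the files that went
# into flash.bin.
# Globals read: SRK_TABLE, SIGN_KEY, IMG_KEY, and CONFIG_SYS_TEXT_BASE /
# CONFIG_OF_LIST from .config.
# Exits 1 (never 0) on an unsupported SoC or a missing input so a caller
# cannot mistake an aborted run for a signed image.
#

# Print the byte size of blob $1, or exit 1 if it is not a regular file.
# Without this, stat on a missing file yields an empty size that the offset
# arithmetic below silently treats as 0 and the CSF covers the wrong ranges.
hab_blob_size() {
        if [ ! -f "$1" ]; then
                echo "ERROR: missing $1 (needed to compute FIT signing offsets)" >&2
                exit 1
        fi
        stat -c "%s" -- "$1"
}

csf_fit() {
        local fit_start_addr fit_offset fit_length
        local bl31 bl32 fit_off ivt_off version tee_load_addr atf_load_addr
        local uboot_sign_off uboot_size uboot_load_addr
        local last_sign_off last_load_addr
        local dtb fdt_size fdt_sign_off fdt_load_addr
        local atf_sign_off atf_size tee_size tee_sign_off

        # Gather and validate everything before emitting a single line, so a
        # failure never leaves a half-written csf_fit.txt behind.

        # FIT header range printed by 'make flash.bin'
        fit_start_addr=$(awk '/sld hab block/{print $4}' flash.log)
        fit_offset=$(awk '/sld hab block/{print $5}' flash.log)
        fit_length=$(awk '/sld hab block/{print $6}' flash.log)
        if [ -z "$fit_start_addr" ] || [ -z "$fit_offset" ] || [ -z "$fit_length" ]; then
                echo "ERROR: no 'sld hab block' line found in flash.log" >&2
                exit 1
        fi

        bl32="tee.bin"
        bl31="bl31.bin"
        # .config is executed as shell to pick up CONFIG_SYS_TEXT_BASE and
        # CONFIG_OF_LIST; it is this build tree's own Kconfig output and is
        # trusted as such.
        source .config
        # TODO: this should be calculated from
        #       CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_SECTOR in include/autoconf.mk
        #       (0x300*512)
        fit_off=0x60000
        # Per-SoC load addresses for BL31 (ATF) and BL32 (OP-TEE); 'version'
        # selects the IVT offset used by that SoC's boot ROM image layout.
        if grep -Eq "^CONFIG_IMX8MQ=y$" .config; then
                tee_load_addr=0xfe000000
                atf_load_addr=0x00910000
                version=v1
        elif grep -Eq "^CONFIG_IMX8MM=y$" .config; then
                tee_load_addr=0xbe000000
                atf_load_addr=0x00920000
                version=v1
        elif grep -Eq "^CONFIG_IMX8MN=y$" .config; then
                tee_load_addr=0xbe000000
                atf_load_addr=0x00960000
                version=v2
        fi
        if [ -z "$atf_load_addr" ]; then
                # exit 1 here: returning 0 let a failed run look successful
                echo "ERROR: BL31 load address is not set (unsupported SoC in .config)" >&2
                exit 1
        fi
        if [ -z "$CONFIG_SYS_TEXT_BASE" ]; then
                echo "ERROR: CONFIG_SYS_TEXT_BASE is not set in .config" >&2
                exit 1
        fi
        if [ "$version" = "v1" ]; then
                ivt_off=0x400
        else
                ivt_off=0x0
        fi
        # IMX8MM: flash.bin goes to 33KB (0x8400 = 0x8000 + 0x400)
        # IMX8MN: flash.bin goes to 32KB (0x8000 = 0x8000 + 0x0)
        uboot_sign_off=$((fit_off - 0x8000 - ivt_off + 0x3000))
        uboot_size=$(hab_blob_size u-boot-nodtb.bin) || exit 1
        uboot_load_addr=$CONFIG_SYS_TEXT_BASE
        # file offsets of successive blobs are rounded up to a multiple of 4
        # (presumably matching the FIT generator's alignment; load addresses
        # are not padded)
        last_sign_off=$(((uboot_sign_off + uboot_size + 3) & ~3))
        last_load_addr=$((uboot_load_addr + uboot_size))

        cat << EOF
[Header]
    Version = 4.3
    Hash Algorithm = sha256
    Engine = CAAM
    Engine Configuration = 0
    Certificate Format = X509
    Signature Format = CMS

[Install SRK]
    # Index of the key location in the SRK table to be installed
    File = "$SRK_TABLE"
    Source index = 0

[Install CSFK]
    # Key used to authenticate the CSF data
    File = "$SIGN_KEY"

[Authenticate CSF]

[Install Key]
    # Key slot index used to authenticate the key to be installed
    Verification index = 0
    # Target key slot in HAB key store where key will be installed
    Target index = 2
    # Key to install
    File = "$IMG_KEY"

[Authenticate Data]
    # Key slot index used to authenticate the image data
    Verification index = 2
    # Authenticate Start Address, Offset, Length and file
    Blocks = \\
EOF

        # FIT
        printf "        0x%08x 0x%08x 0x%08x \"flash.bin\", \\ \n" \
                "$fit_start_addr" "$fit_offset" "$fit_length"

        # U-Boot
        printf "        0x%08x 0x%08x 0x%08x \"flash.bin\", \\ \n" \
                "$uboot_load_addr" "$uboot_sign_off" "$uboot_size"

        # DTB's (CONFIG_OF_LIST is a space-separated list, so it is
        # intentionally unquoted)
        # shellcheck disable=SC2086
        for dtb in $CONFIG_OF_LIST; do
                fdt_size=$(hab_blob_size "arch/arm/dts/$dtb.dtb") || exit 1
                fdt_sign_off=$last_sign_off
                fdt_load_addr=$last_load_addr
                last_sign_off=$(((last_sign_off + fdt_size + 3) & ~3))
                last_load_addr=$((last_load_addr + fdt_size))
                printf "        0x%08x 0x%08x 0x%08x \"flash.bin\", \\ \n" \
                        "$fdt_load_addr" "$fdt_sign_off" "$fdt_size"
        done

        # ATF (and OP-TEE if present); the last entry carries no continuation
        atf_sign_off=$last_sign_off
        atf_size=$(hab_blob_size "$bl31") || exit 1
        if [ ! -f "$bl32" ]; then
                printf "        0x%08x 0x%08x 0x%08x \"flash.bin\"\n" \
                        "$atf_load_addr" "$atf_sign_off" "$atf_size"
        else
                tee_size=$(hab_blob_size "$bl32") || exit 1
                tee_sign_off=$(((atf_sign_off + atf_size + 3) & ~3))
                printf "        0x%08x 0x%08x 0x%08x \"flash.bin\", \\ \n" \
                        "$atf_load_addr" "$atf_sign_off" "$atf_size"
                printf "        0x%08x 0x%08x 0x%08x \"flash.bin\"\n" \
                        "$tee_load_addr" "$tee_sign_off" "$tee_size"
        fi
}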
199
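# generate templates
csf_spl > csf_spl.txt
csf_fit > csf_fit.txt

# generate signatures
# A CST failure must abort here: otherwise a stale or empty csf_*.bin from an
# earlier run would be patched into the image below and announced as signed.
# Old outputs are removed first, and both the exit status and a non-empty
# result are checked in case CST reports failure only one of the two ways.
rm -f csf_spl.bin csf_fit.bin
if ! "$CST_BIN" -i csf_spl.txt -o csf_spl.bin || [ ! -s csf_spl.bin ]; then
        echo "ERROR: CST failed to generate csf_spl.bin" >&2
        exit 1
fi
if ! "$CST_BIN" -i csf_fit.txt -o csf_fit.bin || [ ! -s csf_fit.bin ]; then
        echo "ERROR: CST failed to generate csf_fit.bin" >&2
        exit 1
fi

# copy signatures into binary
# flash.log is expected to hold two 'csf_off' lines from 'make flash.bin':
# the SPL one first, then the FIT (sld) one.  If only one were present the
# two dd writes would land on the same offset and the FIT CSF would clobber
# the SPL CSF, so the offsets must be present and distinct.
CSF_SPL_OFFSET=$(awk '/csf_off/{print $2}' flash.log | head -n 1)
CSF_FIT_OFFSET=$(awk '/csf_off/{print $2}' flash.log | tail -n 1)
if [ -z "$CSF_SPL_OFFSET" ] || [ -z "$CSF_FIT_OFFSET" ] || \
   [ "$CSF_SPL_OFFSET" = "$CSF_FIT_OFFSET" ]; then
        echo "ERROR: could not find two distinct csf_off values in flash.log" >&2
        exit 1
fi
# NOTE(review): nothing here checks that each csf_*.bin fits in the CSF area
# mkimage reserved at its csf_off; an oversized CSF would overwrite whatever
# follows it in the image. CST output is normally well below the reserved
# size, but confirm for this layout.
cp flash.bin signed_flash.bin || exit 1
dd if=csf_spl.bin of=signed_flash.bin seek=$((CSF_SPL_OFFSET)) bs=1 conv=notrunc || exit 1
dd if=csf_fit.bin of=signed_flash.bin seek=$((CSF_FIT_OFFSET)) bs=1 conv=notrunc || exit 1

echo "signed_flash.bin is ready!"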