* [PATCH 1/2] k3_gen_x509_cert: Make SWRV configurable for anti-rollback protection
@ 2022-07-15 16:38 Andrew Davis
  2022-07-15 16:38 ` [PATCH 2/2] arm: k3: config.mk: Read software revision information from file on HS Andrew Davis
  2022-07-25 21:23 ` [PATCH 1/2] k3_gen_x509_cert: Make SWRV configurable for anti-rollback protection Tom Rini
  0 siblings, 2 replies; 4+ messages in thread
From: Andrew Davis @ 2022-07-15 16:38 UTC (permalink / raw)
  To: Simon Glass, Tom Rini, u-boot; +Cc: Andrew Davis

From: Yogesh Siraswar <yogeshs@ti.com>

The x509 certificate SWRV is currently hard-coded to 0. This needs to be
updated to 1 for j721e 1.1, j7200 and am64x. It is a don't care for other
k3 devices.

Added new config K3_X509_SWRV to k3. Default is set to 1.

Signed-off-by: Yogesh Siraswar <yogeshs@ti.com>
Reviewed-by: Dave Gerlach <d-gerlach@ti.com>
---
 arch/arm/mach-k3/Kconfig   |  6 ++++++
 arch/arm/mach-k3/config.mk |  5 ++++-
 tools/k3_gen_x509_cert.sh  | 11 +++++++++--
 3 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/arch/arm/mach-k3/Kconfig b/arch/arm/mach-k3/Kconfig
index 57f693e9a1..9383fa478e 100644
--- a/arch/arm/mach-k3/Kconfig
+++ b/arch/arm/mach-k3/Kconfig
@@ -176,6 +176,12 @@ config K3_DM_FW
 	  bootloader, it makes RM and PM services not being available
 	  during R5 SPL execution time.
 
+config K3_X509_SWRV
+	int "SWRV for X509 certificate used for boot images"
+	default 1
+	help
+	  SWRV for X509 certificate used for boot images
+
 source "board/ti/am65x/Kconfig"
 source "board/ti/am64x/Kconfig"
 source "board/ti/am62x/Kconfig"
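Review bot: The help text for K3_X509_SWRV only repeats the prompt string, so a user configuring a board learns nothing about what value to pick. It should say that SWRV is the software revision written into the x509 boot certificate for anti-rollback protection, and carry the guidance from the commit message (1 is required for j721e 1.1, j7200 and am64x, other k3 devices ignore it). Since a negative revision makes no sense for an `int` symbol here, a `range` line would also help.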
diff --git a/arch/arm/mach-k3/config.mk b/arch/arm/mach-k3/config.mk
index da458bcfb2..4feb57992d 100644
--- a/arch/arm/mach-k3/config.mk
+++ b/arch/arm/mach-k3/config.mk
@@ -28,6 +28,9 @@ else
 KEY=$(patsubst "%",$(srctree)/%,$(CONFIG_SYS_K3_KEY))
 endif
 
+# X509 SWRV default
+SWRV = $(CONFIG_K3_X509_SWRV)
+
 # tiboot3.bin is mandated by ROM and ROM only supports R5 boot.
 # So restrict tiboot3.bin creation for CPU_V7R.
 ifdef CONFIG_CPU_V7R
@@ -42,7 +45,7 @@ image_check: $(obj)/u-boot-spl.bin FORCE
 
 tiboot3.bin: image_check FORCE
 	$(srctree)/tools/k3_gen_x509_cert.sh -c 16 -b $(obj)/u-boot-spl.bin \
-				-o $@ -l $(CONFIG_SPL_TEXT_BASE) -k $(KEY)
+				-o $@ -l $(CONFIG_SPL_TEXT_BASE) -r $(SWRV) -k $(KEY)
 
 INPUTS-y	+= tiboot3.bin
 endif
diff --git a/tools/k3_gen_x509_cert.sh b/tools/k3_gen_x509_cert.sh
index 298cec1313..24cfc4e5fb 100755
--- a/tools/k3_gen_x509_cert.sh
+++ b/tools/k3_gen_x509_cert.sh
@@ -13,6 +13,7 @@ LOADADDR=0x41c00000
 BOOTCORE_OPTS=0
 BOOTCORE=16
 DEBUG_TYPE=0
+SWRV=1
 
 gen_degen_template() {
 cat << 'EOF' > degen-template.txt
@@ -70,7 +71,7 @@ cat << 'EOF' > x509-template.txt
  shaValue = FORMAT:HEX,OCT:TEST_IMAGE_SHA_VAL
 
  [ swrv ]
- swrv = INTEGER:0
+ swrv = INTEGER:TEST_SWRV
 
 # [ encryption ]
 # initalVector = FORMAT:HEX,OCT:TEST_IMAGE_ENC_IV
@@ -153,8 +154,9 @@ options_help[o]="output_file:Name of the final output file. default to $OUTPUT"
 options_help[c]="core_id:target core id on which the image would be running. Default to $BOOTCORE"
 options_help[l]="loadaddr: Target load address of the binary in hex. Default to $LOADADDR"
 options_help[d]="debug_type: Debug type, set to 4 to enable early JTAG. Default to $DEBUG_TYPE"
+options_help[r]="SWRV: Software Rev for X509 certificate"
 
-while getopts "b:k:o:c:l:d:h" opt
+while getopts "b:k:o:c:l:d:h:r:" opt
 do
 	case $opt in
 	b)
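Review bot: The new getopts string "b:k:o:c:l:d:h:r:" adds a colon after `h` as well as appending `r:`, so `-h` now expects an argument and a bare `-h` is reported as a missing argument instead of reaching the `h)` branch that prints usage. The string should be "b:k:o:c:l:d:hr:". Separately, options_help[r] is the only entry that does not state its default; the others end with "Default to $VAR", so "Default to $SWRV" would keep the usage output consistent.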
@@ -175,6 +177,9 @@ do
 	d)
 		DEBUG_TYPE=$OPTARG
 	;;
+        r)
+		SWRV=$OPTARG
+	;;
 	h)
 		usage
 		exit 0
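Review bot: The `r)` branch stores $OPTARG without checking it, and the value later ends up in the certificate's `swrv = INTEGER:` field. Reject anything that is not a non-negative decimal integer here and exit with usage, so a typo or an empty value fails at option parsing rather than inside openssl. The `r)` label is also indented with spaces while the neighbouring labels use a tab.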
@@ -230,6 +235,7 @@ gen_cert() {
 	#echo "	IMAGE_SIZE = $BIN_SIZE"
 	#echo "	CERT_TYPE = $CERTTYPE"
 	#echo "	DEBUG_TYPE = $DEBUG_TYPE"
+	echo " SWRV = $SWRV"
 	sed -e "s/TEST_IMAGE_LENGTH/$BIN_SIZE/"	\
 		-e "s/TEST_IMAGE_SHA_VAL/$SHA_VAL/" \
 		-e "s/TEST_CERT_TYPE/$CERTTYPE/" \
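Review bot: The added `echo " SWRV = $SWRV"` is unconditional, while the echo lines directly above it are all commented out, so every build now prints one stray line from gen_cert. Either comment it out like its neighbours or drop it; if the value is worth showing in build logs, print it with enough context to identify the image being signed.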
@@ -237,6 +243,7 @@ gen_cert() {
 		-e "s/TEST_BOOT_CORE/$BOOTCORE/" \
 		-e "s/TEST_BOOT_ADDR/$ADDR/" \
 		-e "s/TEST_DEBUG_TYPE/$DEBUG_TYPE/" \
+                -e "s/TEST_SWRV/$SWRV/" \
 		x509-template.txt > $TEMP_X509
 	openssl req -new -x509 -key $KEY -nodes -outform DER -out $CERT -config $TEMP_X509 -sha512
 }
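Review bot: The new `-e "s/TEST_SWRV/$SWRV/"` expression splices $SWRV into the sed replacement as-is, so a value containing `/` or `&` would break the expression or change what lands in the template that openssl signs. This is safe only if SWRV has been checked to be a plain integer before gen_cert runs, which the script does not do in the visible lines. The line is also indented with spaces where the surrounding `-e` lines use tabs.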
-- 
2.36.1



* [PATCH 2/2] arm: k3: config.mk: Read software revision information from file on HS
  2022-07-15 16:38 [PATCH 1/2] k3_gen_x509_cert: Make SWRV configurable for anti-rollback protection Andrew Davis
@ 2022-07-15 16:38 ` Andrew Davis
  2022-07-25 21:23   ` Tom Rini
  2022-07-25 21:23 ` [PATCH 1/2] k3_gen_x509_cert: Make SWRV configurable for anti-rollback protection Tom Rini
  1 sibling, 1 reply; 4+ messages in thread
From: Andrew Davis @ 2022-07-15 16:38 UTC (permalink / raw)
  To: Simon Glass, Tom Rini, u-boot; +Cc: Andrew Davis

Read the swrv.txt file from the TI Security Development Tools when
TI_SECURE_DEVICE is enabled. This allows us to set our software
revision in one place and have it used by all the tools that create
TI x509 boot certificates.

Signed-off-by: Andrew Davis <afd@ti.com>
---
 arch/arm/mach-k3/config.mk | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/arch/arm/mach-k3/config.mk b/arch/arm/mach-k3/config.mk
index 4feb57992d..9306f2627d 100644
--- a/arch/arm/mach-k3/config.mk
+++ b/arch/arm/mach-k3/config.mk
@@ -30,6 +30,14 @@ endif
 
 # X509 SWRV default
 SWRV = $(CONFIG_K3_X509_SWRV)
+# On HS use SECDEV provided software revision or warn if not available
+ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
+ifneq ($(wildcard $(TI_SECURE_DEV_PKG)/keys/swrv.txt),)
+SWRV= $(shell cat $(TI_SECURE_DEV_PKG)/keys/swrv.txt)
+else
+$(warning "WARNING: Software revision file not found. Default may not work on HS hardware.")
+endif
+endif
 
 # tiboot3.bin is mandated by ROM and ROM only supports R5 boot.
 # So restrict tiboot3.bin creation for CPU_V7R.
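Review bot: On the added `SWRV= $(shell cat ...)` line the file content is used without any check, and the assignment is recursive (`=`), so `cat` runs on every expansion of $(SWRV). Use `SWRV := $(strip $(shell cat ...))` and fail if the result is empty or not a number: with an empty value the `-r $(SWRV) -k $(KEY)` invocation from patch 1 would have getopts take `-k` as the revision. For an anti-rollback value on a secure device, falling back to the Kconfig default with only a $(warning) when swrv.txt is missing lets a build complete with a revision nobody chose; consider $(error) instead. The quotes inside $(warning "...") are printed literally and the "WARNING:" prefix duplicates what make already emits.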
-- 
2.36.1



* Re: [PATCH 1/2] k3_gen_x509_cert: Make SWRV configurable for anti-rollback protection
  2022-07-15 16:38 [PATCH 1/2] k3_gen_x509_cert: Make SWRV configurable for anti-rollback protection Andrew Davis
  2022-07-15 16:38 ` [PATCH 2/2] arm: k3: config.mk: Read software revision information from file on HS Andrew Davis
@ 2022-07-25 21:23 ` Tom Rini
  1 sibling, 0 replies; 4+ messages in thread
From: Tom Rini @ 2022-07-25 21:23 UTC (permalink / raw)
  To: Andrew Davis; +Cc: Simon Glass, u-boot

On Fri, Jul 15, 2022 at 11:38:53AM -0500, Andrew Davis wrote:

> From: Yogesh Siraswar <yogeshs@ti.com>
> 
> The x509 certificate SWRV is currently hard-coded to 0. This needs to be
> updated to 1 for j721e 1.1, j7200 and am64x. It is a don't care for other
> k3 devices.
> 
> Added new config K3_X509_SWRV to k3. Default is set to 1.
> 
> Signed-off-by: Yogesh Siraswar <yogeshs@ti.com>
> Reviewed-by: Dave Gerlach <d-gerlach@ti.com>

Applied to u-boot/master, thanks!

-- 
Tom


* Re: [PATCH 2/2] arm: k3: config.mk: Read software revision information from file on HS
  2022-07-15 16:38 ` [PATCH 2/2] arm: k3: config.mk: Read software revision information from file on HS Andrew Davis
@ 2022-07-25 21:23   ` Tom Rini
  0 siblings, 0 replies; 4+ messages in thread
From: Tom Rini @ 2022-07-25 21:23 UTC (permalink / raw)
  To: Andrew Davis; +Cc: Simon Glass, u-boot

On Fri, Jul 15, 2022 at 11:38:54AM -0500, Andrew Davis wrote:

> Read the swrv.txt file from the TI Security Development Tools when
> TI_SECURE_DEVICE is enabled. This allows us to set our software
> revision in one place and have it used by all the tools that create
> TI x509 boot certificates.
> 
> Signed-off-by: Andrew Davis <afd@ti.com>

Applied to u-boot/master, thanks!

-- 
Tom
