diff options
| author | Yogesh Siraswar <yogeshs@ti.com> | 2021-11-18 05:12:13 +0000 |
|---|---|---|
| committer | Praneeth Bajjuri <praneeth@ti.com> | 2021-11-17 18:40:27 -0600 |
| commit | 081b693cf741b8b2d85ae618f10263432727d296 (patch) | |
| tree | 2561d8d1df2b9dce5c4da30d71c93ad2bd0e7a5b | |
| parent | 4198f8b93b565150562f9d3af2dde37a016fe77a (diff) | |
k3_gen_x509_cert: Make SWRV configurable for anti-rollback protection
The x509 certificate SWRV is currently hard-coded to 0. This need to be
updated to 1 for j721e 1.1, j7200 and am64x. It is don't care for other
k3 devices.
Added new config K3_X509_SWRV to k3. Default is set to 1.
Signed-off-by: Yogesh Siraswar <yogeshs@ti.com>
Reviewed-by: Dave Gerlach <d-gerlach@ti.com>
| -rw-r--r-- | arch/arm/mach-k3/Kconfig | 6 | ||||
| -rw-r--r-- | arch/arm/mach-k3/config.mk | 5 | ||||
| -rwxr-xr-x | tools/k3_gen_x509_cert.sh | 11 |
3 files changed, 19 insertions, 3 deletions
diff --git a/arch/arm/mach-k3/Kconfig b/arch/arm/mach-k3/Kconfig index 5e7daed903..c2891326f8 100644 --- a/arch/arm/mach-k3/Kconfig +++ b/arch/arm/mach-k3/Kconfig @@ -165,6 +165,12 @@ config K3_ATF_LOAD_ADDR The load address for the ATF image. This value defaults to 0x70000000 if not provided in the board defconfig file. +config K3_X509_SWRV + int "SWRV for X509 certificate used for boot images" + default 1 + help + SWRV for X509 certificate used for boot images + source "board/ti/am65x/Kconfig" source "board/ti/am64x/Kconfig" source "board/ti/j721e/Kconfig" diff --git a/arch/arm/mach-k3/config.mk b/arch/arm/mach-k3/config.mk index da458bcfb2..4feb57992d 100644 --- a/arch/arm/mach-k3/config.mk +++ b/arch/arm/mach-k3/config.mk @@ -28,6 +28,9 @@ else KEY=$(patsubst "%",$(srctree)/%,$(CONFIG_SYS_K3_KEY)) endif +# X509 SWRV default +SWRV = $(CONFIG_K3_X509_SWRV) + # tiboot3.bin is mandated by ROM and ROM only supports R5 boot. # So restrict tiboot3.bin creation for CPU_V7R. ifdef CONFIG_CPU_V7R @@ -42,7 +45,7 @@ image_check: $(obj)/u-boot-spl.bin FORCE tiboot3.bin: image_check FORCE $(srctree)/tools/k3_gen_x509_cert.sh -c 16 -b $(obj)/u-boot-spl.bin \ - -o $@ -l $(CONFIG_SPL_TEXT_BASE) -k $(KEY) + -o $@ -l $(CONFIG_SPL_TEXT_BASE) -r $(SWRV) -k $(KEY) INPUTS-y += tiboot3.bin endif diff --git a/tools/k3_gen_x509_cert.sh b/tools/k3_gen_x509_cert.sh index 298cec1313..24cfc4e5fb 100755 --- a/tools/k3_gen_x509_cert.sh +++ b/tools/k3_gen_x509_cert.sh @@ -13,6 +13,7 @@ LOADADDR=0x41c00000 BOOTCORE_OPTS=0 BOOTCORE=16 DEBUG_TYPE=0 +SWRV=1 gen_degen_template() { cat << 'EOF' > degen-template.txt @@ -70,7 +71,7 @@ cat << 'EOF' > x509-template.txt shaValue = FORMAT:HEX,OCT:TEST_IMAGE_SHA_VAL [ swrv ] - swrv = INTEGER:0 + swrv = INTEGER:TEST_SWRV # [ encryption ] # initalVector = FORMAT:HEX,OCT:TEST_IMAGE_ENC_IV @@ -153,8 +154,9 @@ options_help[o]="output_file:Name of the final output file. default to $OUTPUT" options_help[c]="core_id:target core id on which the image would be running. Default to $BOOTCORE" options_help[l]="loadaddr: Target load address of the binary in hex. Default to $LOADADDR" options_help[d]="debug_type: Debug type, set to 4 to enable early JTAG. Default to $DEBUG_TYPE" +options_help[r]="SWRV: Software Rev for X509 certificate" -while getopts "b:k:o:c:l:d:h" opt +while getopts "b:k:o:c:l:d:h:r:" opt do case $opt in b) @@ -175,6 +177,9 @@ do d) DEBUG_TYPE=$OPTARG ;; + r) + SWRV=$OPTARG + ;; h) usage exit 0 @@ -230,6 +235,7 @@ gen_cert() { #echo " IMAGE_SIZE = $BIN_SIZE" #echo " CERT_TYPE = $CERTTYPE" #echo " DEBUG_TYPE = $DEBUG_TYPE" + echo " SWRV = $SWRV" sed -e "s/TEST_IMAGE_LENGTH/$BIN_SIZE/" \ -e "s/TEST_IMAGE_SHA_VAL/$SHA_VAL/" \ -e "s/TEST_CERT_TYPE/$CERTTYPE/" \ @@ -237,6 +243,7 @@ gen_cert() { -e "s/TEST_BOOT_CORE/$BOOTCORE/" \ -e "s/TEST_BOOT_ADDR/$ADDR/" \ -e "s/TEST_DEBUG_TYPE/$DEBUG_TYPE/" \ + -e "s/TEST_SWRV/$SWRV/" \ x509-template.txt > $TEMP_X509 openssl req -new -x509 -key $KEY -nodes -outform DER -out $CERT -config $TEMP_X509 -sha512 } |