From patchwork Fri May 3 01:05:09 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Marek Vasut X-Patchwork-Id: 1930902 X-Patchwork-Delegate: festevam@gmail.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=denx.de header.i=@denx.de header.a=rsa-sha256 header.s=phobos-20191101 header.b=HyErJQqC; dkim=pass (2048-bit key) header.d=denx.de header.i=@denx.de header.a=rsa-sha256 header.s=phobos-20191101 header.b=dfNh7Ggu; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=85.214.62.61; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org) Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4VVt0P3WWcz20fb for ; Fri, 3 May 2024 11:05:57 +1000 (AEST) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 2483B88BB9; Fri, 3 May 2024 03:05:52 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=fail (p=none dis=none) header.from=denx.de Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=denx.de; s=phobos-20191101; t=1714698352; bh=kw52sS47d9n7tBHDa2WHAr8qVvjMHGYVrnssL16RLAI=; h=From:To:Cc:Subject:Date:List-Id:List-Unsubscribe:List-Archive: List-Post:List-Help:List-Subscribe:From; b=HyErJQqCJ/CVJVBn94rSyH96/poBXmdf9dXQCy/ydgZyX2XOGFnRXqDskwBUtXFGD 60/y7k/t4vLnLgvtYEnl/IbbpRcLHj5JUmHEGjk+0CsWAx+iBufNAuuwyaKSJdttG3 czOcg5eAV8gmptgnHOEGI01+WTGIiRCEpox1Kuw68ehaWMKXH6GPOMGlXZhYYDiYSg iRiWLC8CvaTMlj8mtWn3qkAmODZOJAn6b3KrM6ocXp1/L7E8Xqvm5tK5/iyqhK0A37 Wu+DiIvTGPqf9/6khnwypZoIFqmiejYd+tp5iZgEzSMb/aUyZDYfEYzX/TiEd0JInd DLGnZZ+z8ObuQ== Received: from tr.lan (ip-86-49-120-218.bb.vodafone.cz [86.49.120.218]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: marex@denx.de) by phobos.denx.de (Postfix) with ESMTPSA id 9E8BE88BAF; Fri, 3 May 2024 03:05:49 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=denx.de; s=phobos-20191101; t=1714698351; bh=kw52sS47d9n7tBHDa2WHAr8qVvjMHGYVrnssL16RLAI=; h=From:To:Cc:Subject:Date:From; b=dfNh7Ggur20MV9GR/oJNq7Wf5Ext85LEqIUnW+KVYnVazfzpQIkiDIz6djQeiZfHq 2YXhlbKvj6rFodqSOWCiV1BIcLOa11TR3ikkTXV6msLSuwdtyN3M9pwv2ZSgfcBkuX tD2Agh+0PNT+3TRigGXaVmtCgkvUvuL3o7L2y3ZJ3RvgCTnbAbeVlH4E9Pk9lG4L++ BLRETK6+FXL4PQE5O6BiEqUx8C9TcgMgq0WERJXda6piJZHYg2sjLmU3yxrFOmXP9G G6/qvgEVDXwlE0zx5FfEHvIhT07cIUGHyxeiepenH4uK8/0xJni9vbkY11nyzY4+S4 m1yFihXmkY6CQ== From: Marek Vasut To: u-boot@lists.denx.de Cc: anton.gres@ifm.com, ch@denx.de, Marek Vasut , "NXP i.MX U-Boot Team" , Adam Ford , Alper Nebi Yasak , Andrejs Cainikovs , Angus Ainslie , Emanuele Ghidoli , Fabio Estevam , Francesco Dolcini , Marcel Ziswiler , Rasmus Villemoes , Simon Glass , Stefan Eichenberger , Stefano Babic , Tim Harvey , Tom Rini , kernel@puri.sm, u-boot@dh-electronics.com Subject: [PATCH v2 1/4] binman: Add nxp_imx8mcst etype for i.MX8M flash.bin signing Date: Fri, 3 May 2024 03:05:09 +0200 Message-ID: <20240503010518.263458-1-marex@denx.de> X-Mailer: git-send-email 2.43.0 MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.8 at phobos.denx.de X-Virus-Status: Clean Add new binman etype which allows signing both the SPL and fitImage sections of i.MX8M flash.bin using CST. There are multiple DT properties which govern the signing process, nxp,loader-address is the only mandatory one which sets the SPL signature start address without the imx8mimage header, this should be SPL text base. The key material can be configured using optional DT properties nxp,srk-table, nxp,csf-crt, nxp,img-crt, all of which default the key material names generated by CST tool scripts. The nxp,unlock property can be used to unlock CAAM access in SPL section. Signed-off-by: Marek Vasut --- Cc: "NXP i.MX U-Boot Team" Cc: Adam Ford Cc: Alper Nebi Yasak Cc: Andrejs Cainikovs Cc: Angus Ainslie Cc: Emanuele Ghidoli Cc: Fabio Estevam Cc: Francesco Dolcini Cc: Marcel Ziswiler Cc: Rasmus Villemoes Cc: Simon Glass Cc: Stefan Eichenberger Cc: Stefano Babic Cc: Tim Harvey Cc: Tom Rini Cc: kernel@puri.sm Cc: u-boot@dh-electronics.com Cc: u-boot@lists.denx.de --- V2: - Use configparser module for generating the configuration INI file - Use config template as an input, parse it, modify only keys of interest - Pull magic values into top level variables - Rename nxp,csf-key and nxp,img-key to nxp,csf-crt and nxp,img-crt - Return unmodified data if signing unrecognized (non-SPL/non-FIT) section --- tools/binman/btool/cst.py | 48 +++++++++ tools/binman/etype/nxp_imx8mcst.py | 163 +++++++++++++++++++++++++++++ 2 files changed, 211 insertions(+) create mode 100644 tools/binman/btool/cst.py create mode 100644 tools/binman/etype/nxp_imx8mcst.py diff --git a/tools/binman/btool/cst.py b/tools/binman/btool/cst.py new file mode 100644 index 00000000000..30e78bdbbd9 --- /dev/null +++ b/tools/binman/btool/cst.py @@ -0,0 +1,48 @@ +# SPDX-License-Identifier: GPL-2.0+ +# Copyright 2024 Marek Vasut +# +"""Bintool implementation for cst""" + +import re + +from binman import bintool + +class Bintoolcst(bintool.Bintool): + """Image generation for U-Boot + + This bintool supports running `cst` with some basic parameters as + needed by binman. + """ + def __init__(self, name): + super().__init__(name, 'Sign NXP i.MX image') + + # pylint: disable=R0913 + def run(self, output_fname=None): + """Run cst + + Args: + output_fname: Output filename to write to + """ + args = [] + if output_fname: + args += ['-o', output_fname] + return self.run_cmd(*args) + + def fetch(self, method): + """Fetch handler for cst + + This installs cst using the apt utility. + + Args: + method (FETCH_...): Method to use + + Returns: + True if the file was fetched and now installed, None if a method + other than FETCH_BIN was requested + + Raises: + Valuerror: Fetching could not be completed + """ + if method != bintool.FETCH_BIN: + return None + return self.apt_install('imx-code-signing-tool') diff --git a/tools/binman/etype/nxp_imx8mcst.py b/tools/binman/etype/nxp_imx8mcst.py new file mode 100644 index 00000000000..132127ad482 --- /dev/null +++ b/tools/binman/etype/nxp_imx8mcst.py @@ -0,0 +1,163 @@ +# SPDX-License-Identifier: GPL-2.0+ +# Copyright 2023-2024 Marek Vasut +# Written with much help from Simon Glass +# +# Entry-type module for generating the i.MX8M code signing tool +# input configuration file and invocation of cst on generated +# input configuration file and input data to be signed. +# + +import configparser +import struct + +from collections import OrderedDict + +from binman.entry import Entry +from binman.etype.mkimage import Entry_mkimage +from binman.etype.section import Entry_section +from binman import elf +from dtoc import fdt_util +from u_boot_pylib import tools + +MAGIC_NXP_IMX_IVT = 0x412000d1 +MAGIC_FITIMAGE = 0xedfe0dd0 + +csf_config_template = """ +[Header] + Version = 4.3 + Hash Algorithm = sha256 + Engine = CAAM + Engine Configuration = 0 + Certificate Format = X509 + Signature Format = CMS + +[Install SRK] + File = "SRK_1_2_3_4_table.bin" + Source index = 0 + +[Install CSFK] + File = "CSF1_1_sha256_4096_65537_v3_usr_crt.pem" + +[Authenticate CSF] + +[Unlock] + Engine = CAAM + Features = MID + +[Install Key] + Verification index = 0 + Target Index = 2 + File = "IMG1_1_sha256_4096_65537_v3_usr_crt.pem" + +[Authenticate Data] + Verification index = 2 + Blocks = 0x1234 0x78 0xabcd "data.bin" +""" + +class Entry_nxp_imx8mcst(Entry_mkimage): + """NXP i.MX8M CST .cfg file generator and cst invoker + + Properties / Entry arguments: + - nxp,loader-address - loader address (SPL text base) + """ + + def __init__(self, section, etype, node): + super().__init__(section, etype, node) + self.required_props = ['nxp,loader-address'] + + def ReadNode(self): + super().ReadNode() + self.loader_address = fdt_util.GetInt(self._node, 'nxp,loader-address') + self.srk_table = fdt_util.GetString(self._node, 'nxp,srk-table', 'SRK_1_2_3_4_table.bin') + self.csf_crt = fdt_util.GetString(self._node, 'nxp,csf-crt', 'CSF1_1_sha256_4096_65537_v3_usr_crt.pem') + self.img_crt = fdt_util.GetString(self._node, 'nxp,img-crt', 'IMG1_1_sha256_4096_65537_v3_usr_crt.pem') + self.unlock = fdt_util.GetBool(self._node, 'nxp,unlock') + self.ReadEntries() + + def BuildSectionData(self, required): + data, input_fname, uniq = self.collect_contents_to_file( + self._entries.values(), 'input') + + # Parse the input data and figure out what it is that is being signed. + # - If it is mkimage'd imx8mimage, then extract to be signed data size + # from imx8mimage header, and calculate CSF blob offset right past + # the SPL from this information. + # - If it is fitImage, then pad the image to 4k, add generated IVT and + # sign the whole payload, then append CSF blob at the end right past + # the IVT. + signtype = struct.unpack('