From patchwork Tue May 21 10:48:23 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Marek Vasut <marex@denx.de>
X-Patchwork-Id: 1937331
X-Patchwork-Delegate: festevam@gmail.com
Return-Path: <u-boot-bounces@lists.denx.de>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@legolas.ozlabs.org
Authentication-Results: legolas.ozlabs.org;
	dkim=pass (2048-bit key;
 unprotected) header.d=denx.de header.i=@denx.de header.a=rsa-sha256
 header.s=phobos-20191101 header.b=OkzVj7FV;
	dkim=pass (2048-bit key) header.d=denx.de header.i=@denx.de
 header.a=rsa-sha256 header.s=phobos-20191101 header.b=Xwb/+Rb2;
	dkim-atps=neutral
Authentication-Results: legolas.ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de
 (client-ip=85.214.62.61; helo=phobos.denx.de;
 envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org)
Received: from phobos.denx.de (phobos.denx.de [85.214.62.61])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1))
	(No client certificate requested)
	by legolas.ozlabs.org (Postfix) with ESMTPS id 4VkB4n4LKlz20KF
	for <incoming@patchwork.ozlabs.org>; Tue, 21 May 2024 20:48:57 +1000 (AEST)
Received: from h2850616.stratoserver.net (localhost [IPv6:::1])
	by phobos.denx.de (Postfix) with ESMTP id 513708871F;
	Tue, 21 May 2024 12:48:54 +0200 (CEST)
Authentication-Results: phobos.denx.de;
 dmarc=fail (p=none dis=none) header.from=denx.de
Authentication-Results: phobos.denx.de;
 spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=denx.de;
	s=phobos-20191101; t=1716288534;
	bh=sXs/hX3+oOuE2xRKEX0aZSMWEzJlp4ITKRgxrhQHB9s=;
	h=From:To:Cc:Subject:Date:List-Id:List-Unsubscribe:List-Archive:
	 List-Post:List-Help:List-Subscribe:From;
	b=OkzVj7FVI+zmqcU2fmi3/b8j9csOjWI/YHVB9RjeG39i76ylsqMsbFos2vYjzlUOK
	 d6kODGPe5523yHvgfGD1nbeiirw+5NjfcoPzYu4Agf2uGw57N7hfnc+EysX8NFNZkY
	 w7nwUI4mPin/vI7fnDiXZfKPzUoIrd7+h387ISZThn2ETq76V+OBIMoyl6KGnYcgLR
	 JWAAO866gJv47ZhT0P1Gq/xLDR5qOK2uXJHGOZy1Jr2Yc2HcPShQhM/qn8wwNuAupL
	 YpFBcokFqdYThDDfi+UJa5ANe45FYhL5CgUlw/VRzXtbFzRfa2IkA6TBRjUn7Py1fT
	 R25xB+C6yqCCQ==
Received: from tr.lan (ip-86-49-120-218.bb.vodafone.cz [86.49.120.218])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
 (No client certificate requested)
 (Authenticated sender: marex@denx.de)
 by phobos.denx.de (Postfix) with ESMTPSA id B12AC88256;
 Tue, 21 May 2024 12:48:51 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=denx.de;
 s=phobos-20191101; t=1716288533;
 bh=sXs/hX3+oOuE2xRKEX0aZSMWEzJlp4ITKRgxrhQHB9s=;
 h=From:To:Cc:Subject:Date:From;
 b=Xwb/+Rb222+QvzjtOXfJfSa+3lD6+APmbgs3Hnpzx4dJCDj3CfrATGbi+Plqash6T
 +Topb/bZvxjdGvI+oqvMF05jgXNtMrNriZUAX9akqAhMaJmFXNle9WbmG0WtF/K/Q1
 td8RzXtk+hvwo4f0+lw1d1xZ3XQ5L2So8LMuICAysUZKwxnAu06wEllY0BeomhyydZ
 F9dRSdOicWDXnEjQiFtI62zpEvkwdorJs9FPUJWgtUEatC3pPKlX9GozIj7cP4jC0e
 jKVgqvnskr76UORgQufX6XXCdhVIeughMeBiagHqh8w72zW1owL/r/7CDfLVLGRs9K
 VZyGvNM8EWn8A==
From: Marek Vasut <marex@denx.de>
To: u-boot@lists.denx.de
Cc: anton.gres@ifm.com, ch@denx.de, Marek Vasut <marex@denx.de>,
 Tim Harvey <tharvey@gateworks.com>,
 "NXP i.MX U-Boot Team" <uboot-imx@nxp.com>, Adam Ford <aford173@gmail.com>,
 Alper Nebi Yasak <alpernebiyasak@gmail.com>,
 Andrejs Cainikovs <andrejs.cainikovs@toradex.com>,
 Angus Ainslie <angus@akkea.ca>,
 Emanuele Ghidoli <emanuele.ghidoli@toradex.com>,
 Fabio Estevam <festevam@gmail.com>,
 Francesco Dolcini <francesco.dolcini@toradex.com>,
 Marcel Ziswiler <marcel.ziswiler@toradex.com>,
 Rasmus Villemoes <rasmus.villemoes@prevas.dk>,
 Simon Glass <sjg@chromium.org>,
 Stefan Eichenberger <stefan.eichenberger@toradex.com>,
 Stefano Babic <sbabic@denx.de>, Tom Rini <trini@konsulko.com>,
 kernel@puri.sm, u-boot@dh-electronics.com
Subject: [PATCH v4 1/4] binman: Add nxp_imx8mcst etype for i.MX8M flash.bin
 signing
Date: Tue, 21 May 2024 12:48:23 +0200
Message-ID: <20240521104834.11295-1-marex@denx.de>
X-Mailer: git-send-email 2.43.0
MIME-Version: 1.0
X-BeenThere: u-boot@lists.denx.de
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: U-Boot discussion <u-boot.lists.denx.de>
List-Unsubscribe: <https://lists.denx.de/options/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>
List-Archive: <https://lists.denx.de/pipermail/u-boot/>
List-Post: <mailto:u-boot@lists.denx.de>
List-Help: <mailto:u-boot-request@lists.denx.de?subject=help>
List-Subscribe: <https://lists.denx.de/listinfo/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=subscribe>
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
X-Virus-Scanned: clamav-milter 0.103.8 at phobos.denx.de
X-Virus-Status: Clean

Add new binman etype which allows signing both the SPL and fitImage sections
of i.MX8M flash.bin using CST. There are multiple DT properties which govern
the signing process, nxp,loader-address is the only mandatory one which sets
the SPL signature start address without the imx8mimage header, this should be
SPL text base. The key material can be configured using optional DT properties
nxp,srk-table, nxp,csf-crt, nxp,img-crt, all of which default the key material
names generated by CST tool scripts. The nxp,unlock property can be used to
unlock CAAM access in SPL section.

Reviewed-by: Tim Harvey <tharvey@gateworks.com>
Signed-off-by: Marek Vasut <marex@denx.de>
---
Cc: "NXP i.MX U-Boot Team" <uboot-imx@nxp.com>
Cc: Adam Ford <aford173@gmail.com>
Cc: Alper Nebi Yasak <alpernebiyasak@gmail.com>
Cc: Andrejs Cainikovs <andrejs.cainikovs@toradex.com>
Cc: Angus Ainslie <angus@akkea.ca>
Cc: Emanuele Ghidoli <emanuele.ghidoli@toradex.com>
Cc: Fabio Estevam <festevam@gmail.com>
Cc: Francesco Dolcini <francesco.dolcini@toradex.com>
Cc: Marcel Ziswiler <marcel.ziswiler@toradex.com>
Cc: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Cc: Simon Glass <sjg@chromium.org>
Cc: Stefan Eichenberger <stefan.eichenberger@toradex.com>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Tim Harvey <tharvey@gateworks.com>
Cc: Tom Rini <trini@konsulko.com>
Cc: kernel@puri.sm
Cc: u-boot@dh-electronics.com
Cc: u-boot@lists.denx.de
---
V2: - Use configparser module for generating the configuration INI file
    - Use config template as an input, parse it, modify only keys of interest
    - Pull magic values into top level variables
    - Rename nxp,csf-key and nxp,img-key to nxp,csf-crt and nxp,img-crt
    - Return unmodified data if signing unrecognized (non-SPL/non-FIT) section
V3: - Introduce SRK_TABLE/CSF_KEY/IMG_KEY env variables as alternative
      option for specifying the key material paths
    - Clean up imx8mimage and imx8mcsf files and add them to gitignore
V4: Add RB from Tim
---
 .gitignore                         |   2 +
 Makefile                           |   2 +-
 tools/binman/btool/cst.py          |  48 +++++++++
 tools/binman/etype/nxp_imx8mcst.py | 164 +++++++++++++++++++++++++++++
 4 files changed, 215 insertions(+), 1 deletion(-)
 create mode 100644 tools/binman/btool/cst.py
 create mode 100644 tools/binman/etype/nxp_imx8mcst.py

diff --git a/.gitignore b/.gitignore
index 37f71c275c3..502a7e6ec70 100644
--- a/.gitignore
+++ b/.gitignore
@@ -73,6 +73,8 @@ fit-dtb.blob*
 /capsule.*.efi-capsule
 /capsule*.map
 /keep-syms-lto.*
+/*imx8mimage*
+/*imx8mcst*
 
 #
 # Generated include files
diff --git a/Makefile b/Makefile
index 44deb339af1..026a6014a48 100644
--- a/Makefile
+++ b/Makefile
@@ -2210,7 +2210,7 @@ MRPROPER_DIRS  += include/config include/generated spl tpl vpl \
 # Remove include/asm symlink created by U-Boot before v2014.01
 MRPROPER_FILES += .config .config.old include/autoconf.mk* include/config.h \
 		  ctags etags tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS \
-		  drivers/video/fonts/*.S include/asm
+		  drivers/video/fonts/*.S include/asm *imx8mimage* *imx8mcst*
 
 # clean - Delete most, but leave enough to build external modules
 #
diff --git a/tools/binman/btool/cst.py b/tools/binman/btool/cst.py
new file mode 100644
index 00000000000..30e78bdbbd9
--- /dev/null
+++ b/tools/binman/btool/cst.py
@@ -0,0 +1,48 @@
+# SPDX-License-Identifier: GPL-2.0+
+# Copyright 2024 Marek Vasut <marex@denx.de>
+#
+"""Bintool implementation for cst"""
+
+import re
+
+from binman import bintool
+
+class Bintoolcst(bintool.Bintool):
+    """Image generation for U-Boot
+
+    This bintool supports running `cst` with some basic parameters as
+    needed by binman.
+    """
+    def __init__(self, name):
+        super().__init__(name, 'Sign NXP i.MX image')
+
+    # pylint: disable=R0913
+    def run(self, output_fname=None):
+        """Run cst
+
+        Args:
+            output_fname: Output filename to write to
+        """
+        args = []
+        if output_fname:
+            args += ['-o', output_fname]
+        return self.run_cmd(*args)
+
+    def fetch(self, method):
+        """Fetch handler for cst
+
+        This installs cst using the apt utility.
+
+        Args:
+            method (FETCH_...): Method to use
+
+        Returns:
+            True if the file was fetched and now installed, None if a method
+            other than FETCH_BIN was requested
+
+        Raises:
+            Valuerror: Fetching could not be completed
+        """
+        if method != bintool.FETCH_BIN:
+            return None
+        return self.apt_install('imx-code-signing-tool')
diff --git a/tools/binman/etype/nxp_imx8mcst.py b/tools/binman/etype/nxp_imx8mcst.py
new file mode 100644
index 00000000000..8221517b0c4
--- /dev/null
+++ b/tools/binman/etype/nxp_imx8mcst.py
@@ -0,0 +1,164 @@
+# SPDX-License-Identifier: GPL-2.0+
+# Copyright 2023-2024 Marek Vasut <marex@denx.de>
+# Written with much help from Simon Glass <sjg@chromium.org>
+#
+# Entry-type module for generating the i.MX8M code signing tool
+# input configuration file and invocation of cst on generated
+# input configuration file and input data to be signed.
+#
+
+import configparser
+import os
+import struct
+
+from collections import OrderedDict
+
+from binman.entry import Entry
+from binman.etype.mkimage import Entry_mkimage
+from binman.etype.section import Entry_section
+from binman import elf
+from dtoc import fdt_util
+from u_boot_pylib import tools
+
+MAGIC_NXP_IMX_IVT = 0x412000d1
+MAGIC_FITIMAGE    = 0xedfe0dd0
+
+csf_config_template = """
+[Header]
+  Version = 4.3
+  Hash Algorithm = sha256
+  Engine = CAAM
+  Engine Configuration = 0
+  Certificate Format = X509
+  Signature Format = CMS
+
+[Install SRK]
+  File = "SRK_1_2_3_4_table.bin"
+  Source index = 0
+
+[Install CSFK]
+  File = "CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
+
+[Authenticate CSF]
+
+[Unlock]
+  Engine = CAAM
+  Features = MID
+
+[Install Key]
+  Verification index = 0
+  Target Index = 2
+  File = "IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
+
+[Authenticate Data]
+  Verification index = 2
+  Blocks = 0x1234 0x78 0xabcd "data.bin"
+"""
+
+class Entry_nxp_imx8mcst(Entry_mkimage):
+    """NXP i.MX8M CST .cfg file generator and cst invoker
+
+    Properties / Entry arguments:
+        - nxp,loader-address - loader address (SPL text base)
+    """
+
+    def __init__(self, section, etype, node):
+        super().__init__(section, etype, node)
+        self.required_props = ['nxp,loader-address']
+
+    def ReadNode(self):
+        super().ReadNode()
+        self.loader_address = fdt_util.GetInt(self._node, 'nxp,loader-address')
+        self.srk_table = os.getenv('SRK_TABLE', fdt_util.GetString(self._node, 'nxp,srk-table', 'SRK_1_2_3_4_table.bin'))
+        self.csf_crt = os.getenv('CSF_KEY', fdt_util.GetString(self._node, 'nxp,csf-crt', 'CSF1_1_sha256_4096_65537_v3_usr_crt.pem'))
+        self.img_crt = os.getenv('IMG_KEY', fdt_util.GetString(self._node, 'nxp,img-crt', 'IMG1_1_sha256_4096_65537_v3_usr_crt.pem'))
+        self.unlock = fdt_util.GetBool(self._node, 'nxp,unlock')
+        self.ReadEntries()
+
+    def BuildSectionData(self, required):
+        data, input_fname, uniq = self.collect_contents_to_file(
+            self._entries.values(), 'input')
+
+        # Parse the input data and figure out what it is that is being signed.
+        # - If it is mkimage'd imx8mimage, then extract to be signed data size
+        #   from imx8mimage header, and calculate CSF blob offset right past
+        #   the SPL from this information.
+        # - If it is fitImage, then pad the image to 4k, add generated IVT and
+        #   sign the whole payload, then append CSF blob at the end right past
+        #   the IVT.
+        signtype = struct.unpack('<I', data[:4])[0]
+        signbase = self.loader_address
+        signsize = 0
+        if signtype == MAGIC_NXP_IMX_IVT: # SPL/imx8mimage
+            # Sign the payload including imx8mimage header
+            # (extra 0x40 bytes before the payload)
+            signbase -= 0x40
+            signsize = struct.unpack('<I', data[24:28])[0] - signbase
+            # Remove mkimage generated padding from the end of data
+            data = data[:signsize]
+        elif signtype == MAGIC_FITIMAGE: # fitImage
+            # Align fitImage to 4k
+            signsize = tools.align(len(data), 0x1000)
+            data += tools.get_bytes(0, signsize - len(data))
+            # Add generated IVT
+            data += struct.pack('<I', MAGIC_NXP_IMX_IVT)
+            data += struct.pack('<I', signbase + signsize) # IVT base
+            data += struct.pack('<I', 0)
+            data += struct.pack('<I', 0)
+            data += struct.pack('<I', 0)
+            data += struct.pack('<I', signbase + signsize) # IVT base
+            data += struct.pack('<I', signbase + signsize + 0x20) # CSF base
+            data += struct.pack('<I', 0)
+        else:
+            # Unknown section type, pass input data through.
+            return data
+
+        # Write out customized data to be signed
+        output_dname = tools.get_output_filename(f'nxp.cst-input-data.{uniq}')
+        tools.write_file(output_dname, data)
+
+        # Generate CST configuration file used to sign payload
+        cfg_fname = tools.get_output_filename('nxp.csf-config-txt.%s' % uniq)
+        config = configparser.ConfigParser()
+        # Do not make key names lowercase
+        config.optionxform = str
+        # Load configuration template and modify keys of interest
+        config.read_string(csf_config_template)
+        config['Install SRK']['File'] = '"' + self.srk_table + '"'
+        config['Install CSFK']['File'] = '"' + self.csf_crt + '"'
+        config['Install Key']['File'] = '"' + self.img_crt + '"'
+        config['Authenticate Data']['Blocks'] = hex(signbase) + ' 0 ' + hex(len(data)) + ' "' + str(output_dname) + '"'
+        if not self.unlock:
+            config.remove_section('Unlock')
+        with open(cfg_fname, 'w') as cfgf:
+            config.write(cfgf)
+
+        output_fname = tools.get_output_filename(f'nxp.csf-output-blob.{uniq}')
+        args = ['-i', cfg_fname, '-o', output_fname]
+        if self.cst.run_cmd(*args) is not None:
+            outdata = tools.read_file(output_fname)
+            return data + outdata
+        else:
+            # Bintool is missing; just use the input data as the output
+            self.record_missing_bintool(self.cst)
+            return data
+
+    def SetImagePos(self, image_pos):
+        # Customized SoC specific SetImagePos which skips the mkimage etype
+        # implementation and removes the 0x48 offset introduced there. That
+        # offset is only used for uImage/fitImage, which is not the case in
+        # here.
+        upto = 0x00
+        for entry in super().GetEntries().values():
+            entry.SetOffsetSize(upto, None)
+
+            # Give up if any entries lack a size
+            if entry.size is None:
+                return
+            upto += entry.size
+
+        Entry_section.SetImagePos(self, image_pos)
+
+    def AddBintools(self, btools):
+        super().AddBintools(btools)
+        self.cst = self.AddBintool(btools, 'cst')