+++ /dev/null
-# SPDX-License-Identifier: GPL-2.0+
-#
-# Copyright (C) 2017-2018 Texas Instruments Incorporated - http://www.ti.com/
-# Lokesh Vutla <lokeshvutla@ti.com>
-
-ifdef CONFIG_SPL_BUILD
-
-# Openssl is required to generate x509 certificate.
-# Error out if openssl is not available.
-ifeq ($(shell which openssl),)
-$(error "No openssl in $(PATH), consider installing openssl")
-endif
-
-IMAGE_SIZE= $(shell cat $(obj)/u-boot-spl.bin | wc -c)
-MAX_SIZE= $(shell printf "%d" $(CONFIG_SYS_K3_MAX_DOWNLODABLE_IMAGE_SIZE))
-
-ifeq ($(CONFIG_SYS_K3_KEY), "")
-KEY=""
-# On HS use real key or warn if not available
-ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
-ifneq ($(wildcard $(TI_SECURE_DEV_PKG)/keys/custMpk.pem),)
-KEY=$(TI_SECURE_DEV_PKG)/keys/custMpk.pem
-else
-$(warning "WARNING: signing key not found. Random key will NOT work on HS hardware!")
-endif
-endif
-else
-KEY=$(patsubst "%",$(srctree)/%,$(CONFIG_SYS_K3_KEY))
-endif
-
-# X509 SWRV default
-SWRV = $(CONFIG_K3_X509_SWRV)
-# On HS use SECDEV provided software revision or warn if not available
-ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
-ifneq ($(wildcard $(TI_SECURE_DEV_PKG)/keys/swrv.txt),)
-SWRV= $(shell cat $(TI_SECURE_DEV_PKG)/keys/swrv.txt)
-else
-$(warning "WARNING: Software revision file not found. Default may not work on HS hardware.")
-endif
-endif
-
-# tiboot3.bin is mandated by ROM and ROM only supports R5 boot.
-# So restrict tiboot3.bin creation for CPU_V7R.
-ifdef CONFIG_CPU_V7R
-image_check: $(obj)/u-boot-spl.bin FORCE
- @if [ $(IMAGE_SIZE) -gt $(MAX_SIZE) ]; then \
- echo "===============================================" >&2; \
- echo "ERROR: Final Image too big. " >&2; \
- echo "$< size = $(IMAGE_SIZE), max size = $(MAX_SIZE)" >&2; \
- echo "===============================================" >&2; \
- exit 1; \
- fi
-
-tiboot3.bin: image_check FORCE
- $(srctree)/tools/k3_gen_x509_cert.sh -c 16 -b $(obj)/u-boot-spl.bin \
- -o $@ -l $(CONFIG_SPL_TEXT_BASE) -r $(SWRV) -k $(KEY)
-
-INPUTS-y += tiboot3.bin
-endif
-
-ifdef CONFIG_ARM64
-
-ifeq ($(CONFIG_SOC_K3_J721E),)
-export DM := /dev/null
-endif
-
-ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
-SPL_ITS := u-boot-spl-k3_HS.its
-$(SPL_ITS): export IS_HS=1
-INPUTS-y += tispl.bin_HS
-INPUTS-y += tispl.bin
-tispl.bin: $(obj)/u-boot-spl-nodtb.bin_HS $(patsubst %,$(obj)/dts/%.dtb_HS,$(subst ",,$(CONFIG_SPL_OF_LIST)))
-else
-SPL_ITS := u-boot-spl-k3.its
-INPUTS-y += tispl.bin
-endif
-
-ifeq ($(CONFIG_SPL_OF_LIST),)
-LIST_OF_DTB := $(CONFIG_DEFAULT_DEVICE_TREE)
-else
-LIST_OF_DTB := $(CONFIG_SPL_OF_LIST)
-endif
-
-quiet_cmd_k3_mkits = MKITS $@
-cmd_k3_mkits = \
- $(srctree)/tools/k3_fit_atf.sh \
- $(CONFIG_K3_ATF_LOAD_ADDR) \
- $(patsubst %,$(obj)/dts/%.dtb,$(subst ",,$(LIST_OF_DTB))) > $@
-
-$(SPL_ITS): FORCE
- $(call cmd,k3_mkits)
-endif
-
-else
-
-ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
-INPUTS-y += u-boot.img_HS
-else
-INPUTS-y += u-boot.img
-endif
-endif
-
-include $(srctree)/arch/arm/mach-k3/config_secure.mk
+++ /dev/null
-#!/bin/sh
-# SPDX-License-Identifier: GPL-2.0+
-#
-# script to generate FIT image source for K3 Family boards with
-# ATF, OPTEE, SPL and multiple device trees (given on the command line).
-# Inspired from board/sunxi/mksunxi_fit_atf.sh
-#
-# usage: $0 <atf_load_addr> <dt_name> [<dt_name> [<dt_name] ...]
-
-[ -z "$ATF" ] && ATF="bl31.bin"
-
-if [ ! -f $ATF ]; then
- echo "WARNING ATF file $ATF NOT found, resulting binary is non-functional" >&2
- ATF=/dev/null
-fi
-
-[ -z "$TEE" ] && TEE="bl32.bin"
-
-if [ ! -f $TEE ]; then
- echo "WARNING OPTEE file $TEE NOT found, resulting might be non-functional" >&2
- TEE=/dev/null
-fi
-
-[ -z "$DM" ] && DM="dm.bin"
-
-if [ ! -e $DM ]; then
- echo "WARNING DM file $DM NOT found, resulting might be non-functional" >&2
- DM=/dev/null
-fi
-
-if [ ! -z "$IS_HS" ]; then
- HS_APPEND=_HS
-fi
-
-cat << __HEADER_EOF
-/dts-v1/;
-
-/ {
- description = "Configuration to load ATF and SPL";
- #address-cells = <1>;
-
- images {
- atf {
- description = "ARM Trusted Firmware";
- data = /incbin/("$ATF");
- type = "firmware";
- arch = "arm64";
- compression = "none";
- os = "arm-trusted-firmware";
- load = <$1>;
- entry = <$1>;
- };
- tee {
- description = "OPTEE";
- data = /incbin/("$TEE");
- type = "tee";
- arch = "arm64";
- compression = "none";
- os = "tee";
- load = <0x9e800000>;
- entry = <0x9e800000>;
- };
- dm {
- description = "DM binary";
- data = /incbin/("$DM");
- type = "firmware";
- arch = "arm32";
- compression = "none";
- os = "DM";
- load = <0x89000000>;
- entry = <0x89000000>;
- };
- spl {
- description = "SPL (64-bit)";
- data = /incbin/("spl/u-boot-spl-nodtb.bin$HS_APPEND");
- type = "standalone";
- os = "U-Boot";
- arch = "arm64";
- compression = "none";
- load = <0x80080000>;
- entry = <0x80080000>;
- };
-__HEADER_EOF
-
-# shift through ATF load address in the command line arguments
-shift
-
-for dtname in $*
-do
- cat << __FDT_IMAGE_EOF
- $(basename $dtname) {
- description = "$(basename $dtname .dtb)";
- data = /incbin/("$dtname$HS_APPEND");
- type = "flat_dt";
- arch = "arm";
- compression = "none";
- };
-__FDT_IMAGE_EOF
-done
-
-cat << __CONF_HEADER_EOF
- };
- configurations {
- default = "$(basename $1)";
-
-__CONF_HEADER_EOF
-
-for dtname in $*
-do
- cat << __CONF_SECTION_EOF
- $(basename $dtname) {
- description = "$(basename $dtname .dtb)";
- firmware = "atf";
- loadables = "tee", "dm", "spl";
- fdt = "$(basename $dtname)";
- };
-__CONF_SECTION_EOF
-done
-
-cat << __ITS_EOF
- };
-};
-__ITS_EOF
+++ /dev/null
-#!/bin/bash
-# SPDX-License-Identifier: GPL-2.0+ OR BSD-3-Clause
-#
-# Script to add K3 specific x509 cetificate to a binary.
-#
-
-# Variables
-OUTPUT=tiboot3.bin
-TEMP_X509=x509-temp.cert
-CERT=certificate.bin
-RAND_KEY=eckey.pem
-LOADADDR=0x41c00000
-BOOTCORE_OPTS=0
-BOOTCORE=16
-DEBUG_TYPE=0
-SWRV=1
-
-gen_degen_template() {
-cat << 'EOF' > degen-template.txt
-
-asn1=SEQUENCE:rsa_key
-
-[rsa_key]
-version=INTEGER:0
-modulus=INTEGER:0xDEGEN_MODULUS
-pubExp=INTEGER:1
-privExp=INTEGER:1
-p=INTEGER:0xDEGEN_P
-q=INTEGER:0xDEGEN_Q
-e1=INTEGER:1
-e2=INTEGER:1
-coeff=INTEGER:0xDEGEN_COEFF
-EOF
-}
-
-# Generate x509 Template
-gen_template() {
-cat << 'EOF' > x509-template.txt
- [ req ]
- distinguished_name = req_distinguished_name
- x509_extensions = v3_ca
- prompt = no
- dirstring_type = nobmp
-
- [ req_distinguished_name ]
- C = US
- ST = TX
- L = Dallas
- O = Texas Instruments Incorporated
- OU = Processors
- CN = TI support
- emailAddress = support@ti.com
-
- [ v3_ca ]
- basicConstraints = CA:true
- 1.3.6.1.4.1.294.1.1 = ASN1:SEQUENCE:boot_seq
- 1.3.6.1.4.1.294.1.2 = ASN1:SEQUENCE:image_integrity
- 1.3.6.1.4.1.294.1.3 = ASN1:SEQUENCE:swrv
-# 1.3.6.1.4.1.294.1.4 = ASN1:SEQUENCE:encryption
- 1.3.6.1.4.1.294.1.8 = ASN1:SEQUENCE:debug
-
- [ boot_seq ]
- certType = INTEGER:TEST_CERT_TYPE
- bootCore = INTEGER:TEST_BOOT_CORE
- bootCoreOpts = INTEGER:TEST_BOOT_CORE_OPTS
- destAddr = FORMAT:HEX,OCT:TEST_BOOT_ADDR
- imageSize = INTEGER:TEST_IMAGE_LENGTH
-
- [ image_integrity ]
- shaType = OID:2.16.840.1.101.3.4.2.3
- shaValue = FORMAT:HEX,OCT:TEST_IMAGE_SHA_VAL
-
- [ swrv ]
- swrv = INTEGER:TEST_SWRV
-
-# [ encryption ]
-# initalVector = FORMAT:HEX,OCT:TEST_IMAGE_ENC_IV
-# randomString = FORMAT:HEX,OCT:TEST_IMAGE_ENC_RS
-# iterationCnt = INTEGER:TEST_IMAGE_KEY_DERIVE_INDEX
-# salt = FORMAT:HEX,OCT:TEST_IMAGE_KEY_DERIVE_SALT
-
- [ debug ]
- debugUID = FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000
- debugType = INTEGER:TEST_DEBUG_TYPE
- coreDbgEn = INTEGER:0
- coreDbgSecEn = INTEGER:0
-EOF
-}
-
-parse_key() {
- sed '/ /s/://g' key.txt | \
- awk '!/ / {printf("\n%s\n", $0)}; / / {printf("%s", $0)}' | \
- sed 's/ //g' | \
- awk "/$1:/{getline; print}"
-}
-
-gen_degen_key() {
-# Generate a 4096 bit RSA Key
- openssl genrsa -out key.pem 1024 >>/dev/null 2>&1
- openssl rsa -in key.pem -text -out key.txt >>/dev/null 2>&1
- DEGEN_MODULUS=$( parse_key 'modulus' )
- DEGEN_P=$( parse_key 'prime1' )
- DEGEN_Q=$( parse_key 'prime2' )
- DEGEN_COEFF=$( parse_key 'coefficient' )
- gen_degen_template
-
- sed -e "s/DEGEN_MODULUS/$DEGEN_MODULUS/"\
- -e "s/DEGEN_P/$DEGEN_P/" \
- -e "s/DEGEN_Q/$DEGEN_Q/" \
- -e "s/DEGEN_COEFF/$DEGEN_COEFF/" \
- degen-template.txt > degenerateKey.txt
-
- openssl asn1parse -genconf degenerateKey.txt -out degenerateKey.der >>/dev/null 2>&1
- openssl rsa -in degenerateKey.der -inform DER -outform PEM -out $RAND_KEY >>/dev/null 2>&1
- KEY=$RAND_KEY
- rm key.pem key.txt degen-template.txt degenerateKey.txt degenerateKey.der
-}
-
-declare -A options_help
-usage() {
- if [ -n "$*" ]; then
- echo "ERROR: $*"
- fi
- echo -n "Usage: $0 "
- for option in "${!options_help[@]}"
- do
- arg=`echo ${options_help[$option]}|cut -d ':' -f1`
- if [ -n "$arg" ]; then
- arg=" $arg"
- fi
- echo -n "[-$option$arg] "
- done
- echo
- echo -e "\nWhere:"
- for option in "${!options_help[@]}"
- do
- arg=`echo ${options_help[$option]}|cut -d ':' -f1`
- txt=`echo ${options_help[$option]}|cut -d ':' -f2`
- tb="\t\t\t"
- if [ -n "$arg" ]; then
- arg=" $arg"
- tb="\t"
- fi
- echo -e " -$option$arg:$tb$txt"
- done
- echo
- echo "Examples of usage:-"
- echo "# Example of signing the SYSFW binary with rsa degenerate key"
- echo " $0 -c 0 -b ti-sci-firmware-am6x.bin -o sysfw.bin -l 0x40000"
- echo "# Example of signing the SPL binary with rsa degenerate key"
- echo " $0 -c 16 -b spl/u-boot-spl.bin -o tiboot3.bin -l 0x41c00000"
-}
-
-options_help[b]="bin_file:Bin file that needs to be signed"
-options_help[k]="key_file:file with key inside it. If not provided script generates a rsa degenerate key."
-options_help[o]="output_file:Name of the final output file. default to $OUTPUT"
-options_help[c]="core_id:target core id on which the image would be running. Default to $BOOTCORE"
-options_help[l]="loadaddr: Target load address of the binary in hex. Default to $LOADADDR"
-options_help[d]="debug_type: Debug type, set to 4 to enable early JTAG. Default to $DEBUG_TYPE"
-options_help[r]="SWRV: Software Rev for X509 certificate"
-
-while getopts "b:k:o:c:l:d:h:r:" opt
-do
- case $opt in
- b)
- BIN=$OPTARG
- ;;
- k)
- KEY=$OPTARG
- ;;
- o)
- OUTPUT=$OPTARG
- ;;
- l)
- LOADADDR=$OPTARG
- ;;
- c)
- BOOTCORE=$OPTARG
- ;;
- d)
- DEBUG_TYPE=$OPTARG
- ;;
- r)
- SWRV=$OPTARG
- ;;
- h)
- usage
- exit 0
- ;;
- \?)
- usage "Invalid Option '-$OPTARG'"
- exit 1
- ;;
- :)
- usage "Option '-$OPTARG' Needs an argument."
- exit 1
- ;;
- esac
-done
-
-if [ "$#" -eq 0 ]; then
- usage "Arguments missing"
- exit 1
-fi
-
-if [ -z "$BIN" ]; then
- usage "Bin file missing in arguments"
- exit 1
-fi
-
-# Generate rsa degenerate key if user doesn't provide a key
-if [ -z "$KEY" ]; then
- gen_degen_key
-fi
-
-if [ $BOOTCORE == 0 ]; then # BOOTCORE M3, loaded by ROM
- CERTTYPE=2
-elif [ $BOOTCORE == 16 ]; then # BOOTCORE R5, loaded by ROM
- CERTTYPE=1
-else # Non BOOTCORE, loaded by SYSFW
- BOOTCORE_OPTS_VER=$(printf "%01x" 1)
- # Add input args option for SET and CLR flags.
- BOOTCORE_OPTS_SETFLAG=$(printf "%08x" 0)
- BOOTCORE_OPTS_CLRFLAG=$(printf "%08x" 0x100) # Clear FLAG_ARMV8_AARCH32
- BOOTCORE_OPTS="0x$BOOTCORE_OPTS_VER$BOOTCORE_OPTS_SETFLAG$BOOTCORE_OPTS_CLRFLAG"
- # Set the cert type to zero.
- # We are not using public/private key store now
- CERTTYPE=$(printf "0x%08x" 0)
-fi
-
-SHA_VAL=`openssl dgst -sha512 -hex $BIN | sed -e "s/^.*= //g"`
-BIN_SIZE=`cat $BIN | wc -c`
-ADDR=`printf "%08x" $LOADADDR`
-
-gen_cert() {
- #echo "Certificate being generated :"
- #echo " LOADADDR = 0x$ADDR"
- #echo " IMAGE_SIZE = $BIN_SIZE"
- #echo " CERT_TYPE = $CERTTYPE"
- #echo " DEBUG_TYPE = $DEBUG_TYPE"
- #echo " SWRV = $SWRV"
- sed -e "s/TEST_IMAGE_LENGTH/$BIN_SIZE/" \
- -e "s/TEST_IMAGE_SHA_VAL/$SHA_VAL/" \
- -e "s/TEST_CERT_TYPE/$CERTTYPE/" \
- -e "s/TEST_BOOT_CORE_OPTS/$BOOTCORE_OPTS/" \
- -e "s/TEST_BOOT_CORE/$BOOTCORE/" \
- -e "s/TEST_BOOT_ADDR/$ADDR/" \
- -e "s/TEST_DEBUG_TYPE/$DEBUG_TYPE/" \
- -e "s/TEST_SWRV/$SWRV/" \
- x509-template.txt > $TEMP_X509
- openssl req -new -x509 -key $KEY -nodes -outform DER -out $CERT -config $TEMP_X509 -sha512
-}
-
-gen_template
-gen_cert
-cat $CERT $BIN > $OUTPUT
-
-# Remove all intermediate files
-rm $TEMP_X509 $CERT x509-template.txt
-if [ "$KEY" == "$RAND_KEY" ]; then
- rm $RAND_KEY
-fi