[U-Boot] [PATCH v2 03/10] armv7R: K3: am654: Add support for generating build targets
Lokesh Vutla
lokeshvutla at ti.com
Tue Oct 23 12:31:52 UTC 2018
Update Makefiles to generate:
- tiboot3.bin: Image format that can be processed by ROM.
Below is the tiboot3.bin image format that is required by ROM:
_______________________
| X509 |
| Certificate |
| ____________________ |
| | | |
| | u-boot-spl.bin | |
| | | |
| |___________________| |
|_______________________|
Reviewed-by: Tom Rini <trini at konsulko.com>
Signed-off-by: Lokesh Vutla <lokeshvutla at ti.com>
Signed-off-by: Andreas Dannenberg <dannenberg at ti.com>
---
arch/arm/mach-k3/Kconfig | 11 +++++++
arch/arm/mach-k3/config.mk | 59 ++++++++++++++++++++++++++++++++++++++
tools/k3_x509template.txt | 48 +++++++++++++++++++++++++++++++
3 files changed, 118 insertions(+)
create mode 100644 tools/k3_x509template.txt
diff --git a/arch/arm/mach-k3/Kconfig b/arch/arm/mach-k3/Kconfig
index 2df6197af7..9f5e8e5ee4 100644
--- a/arch/arm/mach-k3/Kconfig
+++ b/arch/arm/mach-k3/Kconfig
@@ -47,5 +47,16 @@ config SYS_K3_BOOT_PARAM_TABLE_INDEX
Address at which ROM stores the value which determines if SPL
is booted up by primary boot media or secondary boot media.
+config SYS_K3_KEY
+ string "Key used to generate x509 certificate"
+ help
+ This option enables to provide a custom key that can be used for
+ generating x509 certificate for spl binary. If not needed leave
+ it blank so that a random key is generated and used.
+
+config SYS_K3_BOOT_CORE_ID
+ int
+ default 16
+
source "board/ti/am65x/Kconfig"
endif
diff --git a/arch/arm/mach-k3/config.mk b/arch/arm/mach-k3/config.mk
index 9b86ddc715..b2c5a33520 100644
--- a/arch/arm/mach-k3/config.mk
+++ b/arch/arm/mach-k3/config.mk
@@ -5,6 +5,65 @@
ifdef CONFIG_SPL_BUILD
+# Openssl is required to generate x509 certificate.
+# Error out if openssl is not available.
+ifeq ($(shell which openssl),)
+$(error "No openssl in $(PATH), consider installing openssl")
+endif
+
+SHA_VALUE= $(shell openssl dgst -sha512 -hex $(obj)/u-boot-spl.bin | sed -e "s/^.*= //g")
+IMAGE_SIZE= $(shell cat $(obj)/u-boot-spl.bin | wc -c)
+LOADADDR= $(shell echo $(CONFIG_SPL_TEXT_BASE) | sed -e "s/^0x//g")
+MAX_SIZE= $(shell printf "%d" $(CONFIG_SYS_K3_MAX_DOWNLODABLE_IMAGE_SIZE))
+
+# Parameters to get populated into the x509 template
+SED_OPTS= -e s/TEST_IMAGE_LENGTH/$(IMAGE_SIZE)/
+SED_OPTS+= -e s/TEST_IMAGE_SHA_VAL/$(SHA_VALUE)/
+SED_OPTS+= -e s/TEST_CERT_TYPE/1/ # CERT_TYPE_PRIMARY_IMAGE_BIN
+SED_OPTS+= -e s/TEST_BOOT_CORE/$(CONFIG_SYS_K3_BOOT_CORE_ID)/
+SED_OPTS+= -e s/TEST_BOOT_ARCH_WIDTH/32/
+SED_OPTS+= -e s/TEST_BOOT_ADDR/$(LOADADDR)/
+
+# Command to generate ecparam key
+quiet_cmd_genkey = OPENSSL $@
+cmd_genkey = openssl ecparam -out $@ -name prime256v1 -genkey
+
+# Command to generate x509 certificate
+quiet_cmd_gencert = OPENSSL $@
+cmd_gencert = cat $(srctree)/tools/k3_x509template.txt | sed $(SED_OPTS) > u-boot-spl-x509.txt; \
+ openssl req -new -x509 -key $(KEY) -nodes -outform DER -out $@ -config u-boot-spl-x509.txt -sha512
+
+# If external key is not provided, generate key using openssl.
+ifeq ($(CONFIG_SYS_K3_KEY), "")
+KEY=u-boot-spl-eckey.pem
+else
+KEY=$(CONFIG_SYS_K3_KEY)
+endif
+
+u-boot-spl-eckey.pem: FORCE
+ $(call if_changed,genkey)
+
+# tiboot3.bin is mandated by ROM and ROM only supports R5 boot.
+# So restrict tiboot3.bin creation for CPU_V7R.
+ifdef CONFIG_CPU_V7R
+u-boot-spl-cert.bin: u-boot-spl-eckey.pem $(obj)/u-boot-spl.bin image_check FORCE
+ $(call if_changed,gencert)
+
+image_check: $(obj)/u-boot-spl.bin FORCE
+ @if [ $(IMAGE_SIZE) -gt $(MAX_SIZE) ]; then \
+ echo "===============================================" >&2; \
+ echo "ERROR: Final Image too big. " >&2; \
+ echo "$< size = $(IMAGE_SIZE), max size = $(MAX_SIZE)" >&2; \
+ echo "===============================================" >&2; \
+ exit 1; \
+ fi
+
+tiboot3.bin: u-boot-spl-cert.bin $(obj)/u-boot-spl.bin FORCE
+ $(call if_changed,cat)
+
+ALL-y += tiboot3.bin
+endif
+
ifdef CONFIG_ARM64
SPL_ITS := u-boot-spl-k3.its
$(SPL_ITS): FORCE
diff --git a/tools/k3_x509template.txt b/tools/k3_x509template.txt
new file mode 100644
index 0000000000..bd3a9ab056
--- /dev/null
+++ b/tools/k3_x509template.txt
@@ -0,0 +1,48 @@
+ [ req ]
+ distinguished_name = req_distinguished_name
+ x509_extensions = v3_ca
+ prompt = no
+ dirstring_type = nobmp
+
+ [ req_distinguished_name ]
+ C = US
+ ST = TX
+ L = Dallas
+ O = Texas Instruments Incorporated
+ OU = Processors
+ CN = TI Support
+ emailAddress = support at ti.com
+
+ [ v3_ca ]
+ basicConstraints = CA:true
+ 1.3.6.1.4.1.294.1.1 = ASN1:SEQUENCE:boot_seq
+ 1.3.6.1.4.1.294.1.2 = ASN1:SEQUENCE:image_integrity
+ 1.3.6.1.4.1.294.1.3 = ASN1:SEQUENCE:swrv
+# 1.3.6.1.4.1.294.1.4 = ASN1:SEQUENCE:encryption
+ 1.3.6.1.4.1.294.1.8 = ASN1:SEQUENCE:debug
+
+ [ boot_seq ]
+ certType = INTEGER:TEST_CERT_TYPE
+ bootCore = INTEGER:TEST_BOOT_CORE
+ bootCoreOpts = INTEGER:TEST_BOOT_ARCH_WIDTH
+ destAddr = FORMAT:HEX,OCT:TEST_BOOT_ADDR
+ imageSize = INTEGER:TEST_IMAGE_LENGTH
+
+ [ image_integrity ]
+ shaType = OID:2.16.840.1.101.3.4.2.3
+ shaValue = FORMAT:HEX,OCT:TEST_IMAGE_SHA_VAL
+
+ [ swrv ]
+ swrv = INTEGER:0
+
+# [ encryption ]
+# initalVector = FORMAT:HEX,OCT:TEST_IMAGE_ENC_IV
+# randomString = FORMAT:HEX,OCT:TEST_IMAGE_ENC_RS
+# iterationCnt = INTEGER:TEST_IMAGE_KEY_DERIVE_INDEX
+# salt = FORMAT:HEX,OCT:TEST_IMAGE_KEY_DERIVE_SALT
+
+ [ debug ]
+ debugType = INTEGER:4
+ coreDbgEn = INTEGER:0
+ coreDbgSecEn = INTEGER:0
+ debugUID = FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000
--
2.19.1
More information about the U-Boot
mailing list