[U-Boot] [PATCH v2 03/10] armv7R: K3: am654: Add support for generating build targets

Lokesh Vutla lokeshvutla at ti.com
Tue Oct 23 12:31:52 UTC 2018 

Update Makefiles to generate:
- tiboot3.bin: Image format that can be processed by ROM.

Below is the tiboot3.bin image format that is required by ROM:

		 _______________________
		|	 X509		|
		|     Certificate	|
		| ____________________	|
		| |		      |	|
		| | u-boot-spl.bin    |	|
		| |		      |	|
		| |___________________|	|
		|_______________________|

Reviewed-by: Tom Rini <trini at konsulko.com>
Signed-off-by: Lokesh Vutla <lokeshvutla at ti.com>
Signed-off-by: Andreas Dannenberg <dannenberg at ti.com>
---
 arch/arm/mach-k3/Kconfig   | 11 +++++++
 arch/arm/mach-k3/config.mk | 59 ++++++++++++++++++++++++++++++++++++++
 tools/k3_x509template.txt  | 48 +++++++++++++++++++++++++++++++
 3 files changed, 118 insertions(+)
 create mode 100644 tools/k3_x509template.txt

diff --git a/arch/arm/mach-k3/Kconfig b/arch/arm/mach-k3/Kconfig
index 2df6197af7..9f5e8e5ee4 100644
--- a/arch/arm/mach-k3/Kconfig
+++ b/arch/arm/mach-k3/Kconfig
@@ -47,5 +47,16 @@ config SYS_K3_BOOT_PARAM_TABLE_INDEX
 	  Address at which ROM stores the value which determines if SPL
 	  is booted up by primary boot media or secondary boot media.
 
+config SYS_K3_KEY
+	string "Key used to generate x509 certificate"
+	help
+	  This option enables to provide a custom key that can be used for
+	  generating x509 certificate for spl binary. If not needed leave
+	  it blank so that a random key is generated and used.
+
+config SYS_K3_BOOT_CORE_ID
+	int
+	default 16
+
 source "board/ti/am65x/Kconfig"
 endif
diff --git a/arch/arm/mach-k3/config.mk b/arch/arm/mach-k3/config.mk
index 9b86ddc715..b2c5a33520 100644
--- a/arch/arm/mach-k3/config.mk
+++ b/arch/arm/mach-k3/config.mk
@@ -5,6 +5,65 @@
 
 ifdef CONFIG_SPL_BUILD
 
+# Openssl is required to generate x509 certificate.
+# Error out if openssl is not available.
+ifeq ($(shell which openssl),)
+$(error "No openssl in $(PATH), consider installing openssl")
+endif
+
+SHA_VALUE=  $(shell openssl dgst -sha512 -hex $(obj)/u-boot-spl.bin | sed -e "s/^.*= //g")
+IMAGE_SIZE= $(shell cat $(obj)/u-boot-spl.bin | wc -c)
+LOADADDR= $(shell echo $(CONFIG_SPL_TEXT_BASE) | sed -e "s/^0x//g")
+MAX_SIZE= $(shell printf "%d" $(CONFIG_SYS_K3_MAX_DOWNLODABLE_IMAGE_SIZE))
+
+# Parameters to get populated into the x509 template
+SED_OPTS=  -e s/TEST_IMAGE_LENGTH/$(IMAGE_SIZE)/
+SED_OPTS+= -e s/TEST_IMAGE_SHA_VAL/$(SHA_VALUE)/
+SED_OPTS+= -e s/TEST_CERT_TYPE/1/		# CERT_TYPE_PRIMARY_IMAGE_BIN
+SED_OPTS+= -e s/TEST_BOOT_CORE/$(CONFIG_SYS_K3_BOOT_CORE_ID)/
+SED_OPTS+= -e s/TEST_BOOT_ARCH_WIDTH/32/
+SED_OPTS+= -e s/TEST_BOOT_ADDR/$(LOADADDR)/
+
+# Command to generate ecparam key
+quiet_cmd_genkey = OPENSSL $@
+cmd_genkey = openssl ecparam -out $@ -name prime256v1 -genkey
+
+# Command to generate x509 certificate
+quiet_cmd_gencert = OPENSSL $@
+cmd_gencert = cat $(srctree)/tools/k3_x509template.txt | sed $(SED_OPTS) > u-boot-spl-x509.txt; \
+	openssl req -new -x509 -key $(KEY) -nodes -outform DER -out $@ -config u-boot-spl-x509.txt -sha512
+
+# If external key is not provided, generate key using openssl.
+ifeq ($(CONFIG_SYS_K3_KEY), "")
+KEY=u-boot-spl-eckey.pem
+else
+KEY=$(CONFIG_SYS_K3_KEY)
+endif
+
+u-boot-spl-eckey.pem: FORCE
+	$(call if_changed,genkey)
+
+# tiboot3.bin is mandated by ROM and ROM only supports R5 boot.
+# So restrict tiboot3.bin creation for CPU_V7R.
+ifdef CONFIG_CPU_V7R
+u-boot-spl-cert.bin: u-boot-spl-eckey.pem $(obj)/u-boot-spl.bin image_check FORCE
+	$(call if_changed,gencert)
+
+image_check: $(obj)/u-boot-spl.bin FORCE
+	@if [ $(IMAGE_SIZE) -gt $(MAX_SIZE) ]; then			    \
+		echo "===============================================" >&2; \
+		echo "ERROR: Final Image too big. " >&2;		    \
+		echo "$< size = $(IMAGE_SIZE), max size = $(MAX_SIZE)" >&2; \
+		echo "===============================================" >&2; \
+		exit 1;							    \
+	fi
+
+tiboot3.bin: u-boot-spl-cert.bin $(obj)/u-boot-spl.bin FORCE
+	$(call if_changed,cat)
+
+ALL-y	+= tiboot3.bin
+endif
+
 ifdef CONFIG_ARM64
 SPL_ITS := u-boot-spl-k3.its
 $(SPL_ITS): FORCE
diff --git a/tools/k3_x509template.txt b/tools/k3_x509template.txt
new file mode 100644
index 0000000000..bd3a9ab056
--- /dev/null
+++ b/tools/k3_x509template.txt
@@ -0,0 +1,48 @@
+ [ req ]
+ distinguished_name     = req_distinguished_name
+ x509_extensions        = v3_ca
+ prompt                 = no
+ dirstring_type         = nobmp
+
+ [ req_distinguished_name ]
+ C                      = US
+ ST                     = TX
+ L                      = Dallas
+ O                      = Texas Instruments Incorporated
+ OU                     = Processors
+ CN                     = TI Support
+ emailAddress           = support at ti.com
+
+ [ v3_ca ]
+ basicConstraints = CA:true
+ 1.3.6.1.4.1.294.1.1 = ASN1:SEQUENCE:boot_seq
+ 1.3.6.1.4.1.294.1.2 = ASN1:SEQUENCE:image_integrity
+ 1.3.6.1.4.1.294.1.3 = ASN1:SEQUENCE:swrv
+# 1.3.6.1.4.1.294.1.4 = ASN1:SEQUENCE:encryption
+ 1.3.6.1.4.1.294.1.8 = ASN1:SEQUENCE:debug
+
+ [ boot_seq ]
+ certType = INTEGER:TEST_CERT_TYPE
+ bootCore = INTEGER:TEST_BOOT_CORE
+ bootCoreOpts = INTEGER:TEST_BOOT_ARCH_WIDTH
+ destAddr = FORMAT:HEX,OCT:TEST_BOOT_ADDR
+ imageSize = INTEGER:TEST_IMAGE_LENGTH
+
+ [ image_integrity ]
+ shaType = OID:2.16.840.1.101.3.4.2.3
+ shaValue = FORMAT:HEX,OCT:TEST_IMAGE_SHA_VAL
+
+ [ swrv ]
+ swrv = INTEGER:0
+
+# [ encryption ]
+# initalVector = FORMAT:HEX,OCT:TEST_IMAGE_ENC_IV
+# randomString = FORMAT:HEX,OCT:TEST_IMAGE_ENC_RS
+# iterationCnt = INTEGER:TEST_IMAGE_KEY_DERIVE_INDEX
+# salt = FORMAT:HEX,OCT:TEST_IMAGE_KEY_DERIVE_SALT
+
+ [ debug ]
+ debugType = INTEGER:4
+ coreDbgEn = INTEGER:0
+ coreDbgSecEn = INTEGER:0
+ debugUID = FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000
-- 
2.19.1

More information about the U-Boot mailing list