[U-Boot] [PATCH 2/3] arm: k3: config.mk: Use k3_gen_x509_cert.sh to generate boot images

Lokesh Vutla lokeshvutla at ti.com
Thu May 2 10:05:51 UTC 2019


Instead of overloading the makefile, use the k3_gen_x509_cert.sh script
to generate boot images.

Signed-off-by: Lokesh Vutla <lokeshvutla at ti.com>
---
 arch/arm/mach-k3/config.mk | 33 ++++----------------------
 tools/k3_x509template.txt  | 48 --------------------------------------
 2 files changed, 4 insertions(+), 77 deletions(-)
 delete mode 100644 tools/k3_x509template.txt

diff --git a/arch/arm/mach-k3/config.mk b/arch/arm/mach-k3/config.mk
index 2d8f61f9db..f6b63db349 100644
--- a/arch/arm/mach-k3/config.mk
+++ b/arch/arm/mach-k3/config.mk
@@ -11,31 +11,11 @@ ifeq ($(shell which openssl),)
 $(error "No openssl in $(PATH), consider installing openssl")
 endif
 
-SHA_VALUE=  $(shell openssl dgst -sha512 -hex $(obj)/u-boot-spl.bin | sed -e "s/^.*= //g")
 IMAGE_SIZE= $(shell cat $(obj)/u-boot-spl.bin | wc -c)
-LOADADDR= $(shell echo $(CONFIG_SPL_TEXT_BASE) | sed -e "s/^0x//g")
 MAX_SIZE= $(shell printf "%d" $(CONFIG_SYS_K3_MAX_DOWNLODABLE_IMAGE_SIZE))
 
-# Parameters to get populated into the x509 template
-SED_OPTS=  -e s/TEST_IMAGE_LENGTH/$(IMAGE_SIZE)/
-SED_OPTS+= -e s/TEST_IMAGE_SHA_VAL/$(SHA_VALUE)/
-SED_OPTS+= -e s/TEST_CERT_TYPE/1/		# CERT_TYPE_PRIMARY_IMAGE_BIN
-SED_OPTS+= -e s/TEST_BOOT_CORE/$(CONFIG_SYS_K3_BOOT_CORE_ID)/
-SED_OPTS+= -e s/TEST_BOOT_ARCH_WIDTH/32/
-SED_OPTS+= -e s/TEST_BOOT_ADDR/$(LOADADDR)/
-
-# Command to generate ecparam key
-quiet_cmd_genkey = OPENSSL $@
-cmd_genkey = openssl ecparam -out $@ -name prime256v1 -genkey
-
-# Command to generate x509 certificate
-quiet_cmd_gencert = OPENSSL $@
-cmd_gencert = cat $(srctree)/tools/k3_x509template.txt | sed $(SED_OPTS) > u-boot-spl-x509.txt; \
-	openssl req -new -x509 -key $(KEY) -nodes -outform DER -out $@ -config u-boot-spl-x509.txt -sha512
-
-# If external key is not provided, generate key using openssl.
 ifeq ($(CONFIG_SYS_K3_KEY), "")
-KEY=u-boot-spl-eckey.pem
+KEY=""
 # On HS use real key or warn if not available
 ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
 ifneq ($(wildcard $(TI_SECURE_DEV_PKG)/keys/custMpk.pem),)
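Review bot: The new fallback `KEY=""` carries no comment saying what an empty key means, now that the line "If external key is not provided, generate key using openssl" has been removed with the in-makefile key generation. Make keeps the quotes literally, so the recipe later hands `-k ""` to k3_gen_x509_cert.sh; whether the script then generates a throwaway key or fails is not visible in this patch. I would add a comment above the assignment such as `# Empty KEY: key selection is left to k3_gen_x509_cert.sh`, adjusted to whatever the script actually does. It is also worth confirming that a `CONFIG_TI_SECURE_DEVICE=y` build whose `custMpk.pem` is missing cannot quietly produce an image signed with a generated key. The `ifeq` block continues outside the hunk.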
@@ -48,15 +28,9 @@ else
 KEY=$(patsubst "%",$(srctree)/%,$(CONFIG_SYS_K3_KEY))
 endif
 
-u-boot-spl-eckey.pem: FORCE
-	$(call if_changed,genkey)
-
 # tiboot3.bin is mandated by ROM and ROM only supports R5 boot.
 # So restrict tiboot3.bin creation for CPU_V7R.
 ifdef CONFIG_CPU_V7R
-u-boot-spl-cert.bin: $(KEY) $(obj)/u-boot-spl.bin image_check FORCE
-	$(call if_changed,gencert)
-
 image_check: $(obj)/u-boot-spl.bin FORCE
 	@if [ $(IMAGE_SIZE) -gt $(MAX_SIZE) ]; then			    \
 		echo "===============================================" >&2; \
@@ -66,8 +40,9 @@ image_check: $(obj)/u-boot-spl.bin FORCE
 		exit 1;							    \
 	fi
 
-tiboot3.bin: u-boot-spl-cert.bin $(obj)/u-boot-spl.bin FORCE
-	$(call if_changed,cat)
+tiboot3.bin: image_check FORCE
+	$(srctree)/tools/k3_gen_x509_cert.sh -c 16 -b $(obj)/u-boot-spl.bin \
+				-o $@ -l $(CONFIG_SPL_TEXT_BASE) -k $(KEY)
 
 ALL-y	+= tiboot3.bin
 endif
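Review bot: The `tiboot3.bin` recipe hard-codes `-c 16`, where the removed template code took the boot core from `$(CONFIG_SYS_K3_BOOT_CORE_ID)`; if `-c` is the core id (the script is not part of this patch), I would write `-c $(CONFIG_SYS_K3_BOOT_CORE_ID)` so a board that sets the symbol differently does not get a certificate for another core. `$(KEY)` is also no longer a prerequisite of any rule and is expanded unquoted, so a missing or mistyped key path is caught only if the script checks it and exits non-zero, which should be confirmed. As a style point, the command is run raw instead of through a `quiet_cmd_`/`cmd_` pair, so it is echoed in full even in quiet builds.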
diff --git a/tools/k3_x509template.txt b/tools/k3_x509template.txt
deleted file mode 100644
index f176ff3ad2..0000000000
--- a/tools/k3_x509template.txt
+++ /dev/null
@@ -1,48 +0,0 @@
- [ req ]
- distinguished_name     = req_distinguished_name
- x509_extensions        = v3_ca
- prompt                 = no
- dirstring_type         = nobmp
-
- [ req_distinguished_name ]
- C                      = US
- ST                     = TX
- L                      = Dallas
- O                      = Texas Instruments Incorporated
- OU                     = Processors
- CN                     = TI Support
- emailAddress           = support at ti.com
-
- [ v3_ca ]
- basicConstraints = CA:true
- 1.3.6.1.4.1.294.1.1 = ASN1:SEQUENCE:boot_seq
- 1.3.6.1.4.1.294.1.2 = ASN1:SEQUENCE:image_integrity
- 1.3.6.1.4.1.294.1.3 = ASN1:SEQUENCE:swrv
-# 1.3.6.1.4.1.294.1.4 = ASN1:SEQUENCE:encryption
- 1.3.6.1.4.1.294.1.8 = ASN1:SEQUENCE:debug
-
- [ boot_seq ]
- certType = INTEGER:TEST_CERT_TYPE
- bootCore = INTEGER:TEST_BOOT_CORE
- bootCoreOpts = INTEGER:TEST_BOOT_ARCH_WIDTH
- destAddr = FORMAT:HEX,OCT:TEST_BOOT_ADDR
- imageSize = INTEGER:TEST_IMAGE_LENGTH
-
- [ image_integrity ]
- shaType = OID:2.16.840.1.101.3.4.2.3
- shaValue = FORMAT:HEX,OCT:TEST_IMAGE_SHA_VAL
-
- [ swrv ]
- swrv = INTEGER:0
-
-# [ encryption ]
-# initalVector = FORMAT:HEX,OCT:TEST_IMAGE_ENC_IV
-# randomString = FORMAT:HEX,OCT:TEST_IMAGE_ENC_RS
-# iterationCnt = INTEGER:TEST_IMAGE_KEY_DERIVE_INDEX
-# salt = FORMAT:HEX,OCT:TEST_IMAGE_KEY_DERIVE_SALT
-
- [ debug ]
- debugUID = FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000
- debugType = INTEGER:4
- coreDbgEn = INTEGER:0
- coreDbgSecEn = INTEGER:0
-- 
2.21.0


