[PATCH 1/2] k3_gen_x509_cert: Make SWRV configurable for anti-rollback protection
Andrew Davis
afd at ti.com
Fri Jul 15 18:38:53 CEST 2022
From: Yogesh Siraswar <yogeshs at ti.com>
The x509 certificate SWRV is currently hard-coded to 0. This need to be
updated to 1 for j721e 1.1, j7200 and am64x. It is don't care for other
k3 devices.
Added new config K3_X509_SWRV to k3. Default is set to 1.
Signed-off-by: Yogesh Siraswar <yogeshs at ti.com>
Reviewed-by: Dave Gerlach <d-gerlach at ti.com>
---
arch/arm/mach-k3/Kconfig | 6 ++++++
arch/arm/mach-k3/config.mk | 5 ++++-
tools/k3_gen_x509_cert.sh | 11 +++++++++--
3 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/arch/arm/mach-k3/Kconfig b/arch/arm/mach-k3/Kconfig
index 57f693e9a1..9383fa478e 100644
--- a/arch/arm/mach-k3/Kconfig
+++ b/arch/arm/mach-k3/Kconfig
@@ -176,6 +176,12 @@ config K3_DM_FW
bootloader, it makes RM and PM services not being available
during R5 SPL execution time.
+config K3_X509_SWRV
+ int "SWRV for X509 certificate used for boot images"
+ default 1
+ help
+ SWRV for X509 certificate used for boot images
+
source "board/ti/am65x/Kconfig"
source "board/ti/am64x/Kconfig"
source "board/ti/am62x/Kconfig"
diff --git a/arch/arm/mach-k3/config.mk b/arch/arm/mach-k3/config.mk
index da458bcfb2..4feb57992d 100644
--- a/arch/arm/mach-k3/config.mk
+++ b/arch/arm/mach-k3/config.mk
@@ -28,6 +28,9 @@ else
KEY=$(patsubst "%",$(srctree)/%,$(CONFIG_SYS_K3_KEY))
endif
+# X509 SWRV default
+SWRV = $(CONFIG_K3_X509_SWRV)
+
# tiboot3.bin is mandated by ROM and ROM only supports R5 boot.
# So restrict tiboot3.bin creation for CPU_V7R.
ifdef CONFIG_CPU_V7R
@@ -42,7 +45,7 @@ image_check: $(obj)/u-boot-spl.bin FORCE
tiboot3.bin: image_check FORCE
$(srctree)/tools/k3_gen_x509_cert.sh -c 16 -b $(obj)/u-boot-spl.bin \
- -o $@ -l $(CONFIG_SPL_TEXT_BASE) -k $(KEY)
+ -o $@ -l $(CONFIG_SPL_TEXT_BASE) -r $(SWRV) -k $(KEY)
INPUTS-y += tiboot3.bin
endif
diff --git a/tools/k3_gen_x509_cert.sh b/tools/k3_gen_x509_cert.sh
index 298cec1313..24cfc4e5fb 100755
--- a/tools/k3_gen_x509_cert.sh
+++ b/tools/k3_gen_x509_cert.sh
@@ -13,6 +13,7 @@ LOADADDR=0x41c00000
BOOTCORE_OPTS=0
BOOTCORE=16
DEBUG_TYPE=0
+SWRV=1
gen_degen_template() {
cat << 'EOF' > degen-template.txt
@@ -70,7 +71,7 @@ cat << 'EOF' > x509-template.txt
shaValue = FORMAT:HEX,OCT:TEST_IMAGE_SHA_VAL
[ swrv ]
- swrv = INTEGER:0
+ swrv = INTEGER:TEST_SWRV
# [ encryption ]
# initalVector = FORMAT:HEX,OCT:TEST_IMAGE_ENC_IV
@@ -153,8 +154,9 @@ options_help[o]="output_file:Name of the final output file. default to $OUTPUT"
options_help[c]="core_id:target core id on which the image would be running. Default to $BOOTCORE"
options_help[l]="loadaddr: Target load address of the binary in hex. Default to $LOADADDR"
options_help[d]="debug_type: Debug type, set to 4 to enable early JTAG. Default to $DEBUG_TYPE"
+options_help[r]="SWRV: Software Rev for X509 certificate"
-while getopts "b:k:o:c:l:d:h" opt
+while getopts "b:k:o:c:l:d:h:r:" opt
do
case $opt in
b)
@@ -175,6 +177,9 @@ do
d)
DEBUG_TYPE=$OPTARG
;;
+ r)
+ SWRV=$OPTARG
+ ;;
h)
usage
exit 0
@@ -230,6 +235,7 @@ gen_cert() {
#echo " IMAGE_SIZE = $BIN_SIZE"
#echo " CERT_TYPE = $CERTTYPE"
#echo " DEBUG_TYPE = $DEBUG_TYPE"
+ echo " SWRV = $SWRV"
sed -e "s/TEST_IMAGE_LENGTH/$BIN_SIZE/" \
-e "s/TEST_IMAGE_SHA_VAL/$SHA_VAL/" \
-e "s/TEST_CERT_TYPE/$CERTTYPE/" \
@@ -237,6 +243,7 @@ gen_cert() {
-e "s/TEST_BOOT_CORE/$BOOTCORE/" \
-e "s/TEST_BOOT_ADDR/$ADDR/" \
-e "s/TEST_DEBUG_TYPE/$DEBUG_TYPE/" \
+ -e "s/TEST_SWRV/$SWRV/" \
x509-template.txt > $TEMP_X509
openssl req -new -x509 -key $KEY -nodes -outform DER -out $CERT -config $TEMP_X509 -sha512
}
--
2.36.1
More information about the U-Boot
mailing list