WIP: Signing TI x509 certificates using binman

Neha Malcom Francis n-francis at ti.com
Sun Apr 2 16:19:32 CEST 2023 

Hi Simon

On 02/04/23 18:00, Neha Malcom Francis wrote:
> Hi Simon
> 
> On 01/04/23 12:02, Simon Glass wrote:
>> Hi Neha,
>>
>> On Sat, 1 Apr 2023 at 00:14, Neha Malcom Francis <n-francis at ti.com> 
>> wrote:
>>>
>>> Hi Simon
>>>
>>> On 31/03/23 02:01, Simon Glass wrote:
>>>> Hi Neha,
>>>>
>>>> On Fri, 24 Mar 2023 at 22:28, Neha Malcom Francis <n-francis at ti.com> 
>>>> wrote:
>>>>>
>>>>> Hi Simon,
>>>>>
>>>>> Before I roll out the entire series that works for packaging K3
>>>>> bootloader images, wanted to get some reviews and comments 
>>>>> regarding the
>>>>> implementation of the signing etype [1] . I believe I've taken into
>>>>> consideration what we've discussed earlier [2].
>>>>>
>>>>> Let me know your thoughts. The tree is also WIP, and was mainly 
>>>>> designed
>>>>> for testing the signing etype on two of the devices. I will add the
>>>>> remaining and refine the series based on the next comments.
>>>>
>>>> Yes this looks reasonable to me. For the openssl method, can you
>>>> create a new 'real' method and put the cert stuff in there instead of
>>>> using a 'custom' one? It seems to have a lot in common with what is
>>>> there. We should really have an internal cert-generator method in that
>>>> class, with other functions in that class doing appropriate things. I
>>>> am looking for code reuse here, as well as clear indication of what
>>>> the cert is for or does.
>>>
>>> So you're suggesting to include the config creation within the openssl
>>> btool, am I right? For example methods to generate a config, add section
>>> to a config, add extension to a section of a config... etc? I can take a
>>> look at implementing this if this is what you have suggested.
>>
>> I am more thinking that your use case could be a new method in that
>> file, with arguments that suit your case, but with common code to
>> create a cert of the correct type. That means pulling out the existing
>> cert creation into a new (internal) function in that btool that does
>> both types of cert. For the CN args I think a dict would be suitable
>> to pass in the settings.
>>
>> I'm trying to avoid people passing in a cert every time, since that is
>> going to create a lot of code duplication and it will be hard to take
>> advantage of common algos.
>>
> 
> Okay I think I get it, let me respin with this in mind.

I am still a little doubtful about putting in *this* cert generation in 
the openssl btool. These sections and extensions are TI specific and I 
don't think there would be code duplication in future. The least code 
duplication along with functionality would be acheived by allowing 
creating configs, sections, extensions etc. in openssl btool or x509 
etype. and then creating the final cert binary in openssl. What do you 
think?

>>>
>>> If most of the cert is the same, you could
>>>> pass a dict for the CN stuff, perhaps?
>>>>
>>>> What is the taml for? It is hard to tell, from the example provided.
>>> Did you mean YAML? If so in the patch I linked, I don't think I had a
>>> example for that. Could you point out what exactly you're asking about?
>>
>> Well I am wondering why it is in the code...is there a yaml file that
>> you need to ingest and process? What is it for?
>>
>> ...actually I see the yaml files in your tree mentioned below. Does
>> this come out of some other tool?
>>
> 
> Right, so currently we have certain board specific configurations in 
> YAML. This is input to our board configuration binary entry type [6], 
> which converts YAML into binary blobs prepended with certain headers 
> needed.
> 
>>>
>>>>
>>>> Do you have a .dts which shows the full image for a board? I think the
>>>> cert stuff looks right, but it's a bit hard to tell.
>>>
>>> Yes, in the same github link I have the whole tree [3] that contains
>>> DTBs for couple of the devices [4] and [5], please have a look and let
>>> me know (I might force push a few changes in the next couple of days, so
>>> better to look from the tree)
>>
>> OK I see. Yes it looks pretty good to me.
>>
>>>
>>>>
>>>> When sending the patches please do do follow the function-commenting
>>>> style and make sure that it is clear what each arg means. E.g. I saw a
>>>> hash integer which I assume is used to pass 256 or 384 or 512 for sha
>>>> hashing. It should indicate the possible values / meaning in the arg.
>>>> In fact, in that case, it might be better to pass a string like
>>>> 'sha256'.
>>>
>>> Yes, you're right. Will address that when sending the patch series
>>> completely.
>>
>> OK
>>
>>>
>>>>
>>>> Anyway, apart from my questions it seems good.
>>>>
>>>> Regards,
>>>> Simon
>>>>
>>>>>
>>>>> [1]
>>>>> https://github.com/nehamalcom/u-boot/commit/ea7413ed5864340bd6f01e704e8bdcc073a7896b#diff-efb03d61a324724c4f86bf42b45c4e4e614cab18e1b3184f63721d62280a11b5
>>>>>
>>>>> [2]
>>>>> https://patchwork.ozlabs.org/project/uboot/patch/20230224120340.587786-1-n-francis@ti.com/
>>>>>
>>>>> -- 
>>>>> Thanking You
>>>>> Neha Malcom Francis
>>>
>>> [3] https://github.com/nehamalcom/u-boot/commits/ti-secure-functionality
>>> [4]
>>> https://github.com/nehamalcom/u-boot/commit/dda1f9caf436df59c576466f35262df90aa1c0af
>>>
>>
>> Regards,
>> Simon
> 
> [6] 
> https://github.com/nehamalcom/u-boot/commit/3ca258562c374e553a7005a5b6d6441358801e78
> 

-- 
Thanking You
Neha Malcom Francis

More information about the U-Boot mailing list