[PATCH tiU2025.01 2/2] binman: openssl: disable JTAG access by default
Andrew Davis
afd at ti.com
Mon Jun 2 19:28:35 CEST 2025
On 6/2/25 11:56 AM, Bryan Brattlof wrote:
> Typically for boards operating in production environments will not be
> monitored and so will not need JTAG access unlocked. Disable the debug
> extension unless asked for in the binman configs.
>
> Signed-off-by: Bryan Brattlof <bb at ti.com>
> ---
> tools/binman/btool/openssl.py | 16 ++++++++++++----
> tools/binman/etype/ti_secure.py | 1 +
> tools/binman/etype/ti_secure_rom.py | 1 +
> tools/binman/etype/x509_cert.py | 7 +++++--
> 4 files changed, 19 insertions(+), 6 deletions(-)
>
> diff --git a/tools/binman/btool/openssl.py b/tools/binman/btool/openssl.py
> index 2e128e477bce87568b6d9647bbf2666f9770d732..c91d8990a1dc9151bb8fc831c0f1bff2d91b014e 100644
> --- a/tools/binman/btool/openssl.py
> +++ b/tools/binman/btool/openssl.py
> @@ -153,7 +153,7 @@ numFirewallRegions = INTEGER:{firewall_cert_data['num_firewalls']}
>
> def x509_cert_rom(self, cert_fname, input_fname, key_fname, sw_rev,
> config_fname, req_dist_name_dict, cert_type, bootcore,
> - bootcore_opts, load_addr, sha):
> + bootcore_opts, load_addr, sha, debug):
> """Create a certificate
>
> Args:
> @@ -214,9 +214,13 @@ emailAddress = {req_dist_name_dict['emailAddress']}
> [ swrv ]
> swrv = INTEGER:{sw_rev}
>
> + # When debugging low level boot firmware it can be useful to have ROM or TIFS
> + # unlock JTAG access to the misbehaving CPUs. However in a production setting
> + # this can lead to code modification after it's been authenticated by outside
> + # parties. To gain JTAG access add the 'debug' flag to the binman configuration
Stating that adding the debug flag gets you JTAG access seems a bit misleading.
Having the debugType is a necessary but not sufficient condition for JTAG unlock.
This only sets the upper-bound on what a later supplied JTAG unlock certificate
can do, unless coreDbg* is set this should not by itself open JTAG on HS-SE
devices. For HS-FS devices I'll have to double check and if it does we should
decide if we want this unlocked by default or not.
Andrew
> [ debug ]
> debugUID = FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000
> - debugType = INTEGER:4
> + debugType = INTEGER:{ "4" if debug else "0" }
> coreDbgEn = INTEGER:0
> coreDbgSecEn = INTEGER:0
> ''', file=outf)
> @@ -231,7 +235,7 @@ emailAddress = {req_dist_name_dict['emailAddress']}
> imagesize_sbl, hashval_sbl, load_addr_sysfw, imagesize_sysfw,
> hashval_sysfw, load_addr_sysfw_data, imagesize_sysfw_data,
> hashval_sysfw_data, sysfw_inner_cert_ext_boot_block,
> - dm_data_ext_boot_block, bootcore_opts):
> + dm_data_ext_boot_block, bootcore_opts, debug):
> """Create a certificate
>
> Args:
> @@ -317,9 +321,13 @@ compSize = INTEGER:{imagesize_sysfw_data}
> shaType = OID:{sha_type}
> shaValue = FORMAT:HEX,OCT:{hashval_sysfw_data}
>
> +# When debugging low level boot firmware it can be useful to have ROM or TIFS
> +# unlock JTAG access to the misbehaving CPUs. However in a production setting
> +# this can lead to code modification after it's been authenticated by outside
> +# parties. To gain JTAG access add the 'debug' flag to the binman configuration
> [ debug ]
> debugUID = FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000
> -debugType = INTEGER:4
> +debugType = INTEGER:{ "4" if debug else "0" }
> coreDbgEn = INTEGER:0
> coreDbgSecEn = INTEGER:0
>
> diff --git a/tools/binman/etype/ti_secure.py b/tools/binman/etype/ti_secure.py
> index 420ee263e4f92727657d949d45a63c99809ecafa..f6caa0286d97c774fa4f2931f82ee9a98677b8d4 100644
> --- a/tools/binman/etype/ti_secure.py
> +++ b/tools/binman/etype/ti_secure.py
> @@ -124,6 +124,7 @@ class Entry_ti_secure(Entry_x509_cert):
> 'OU': 'Processors',
> 'CN': 'TI Support',
> 'emailAddress': 'support at ti.com'}
> + self.debug = fdt_util.GetBool(self._node, 'debug', False)
>
> def ReadFirewallNode(self):
> self.firewall_cert_data['certificate'] = ""
> diff --git a/tools/binman/etype/ti_secure_rom.py b/tools/binman/etype/ti_secure_rom.py
> index f6fc3f90f84ab1b0a9c806a966d508abfd6f3eee..7e90c655940902b266507cf142680d984b8d22d4 100644
> --- a/tools/binman/etype/ti_secure_rom.py
> +++ b/tools/binman/etype/ti_secure_rom.py
> @@ -87,6 +87,7 @@ class Entry_ti_secure_rom(Entry_x509_cert):
> 'OU': 'Processors',
> 'CN': 'TI Support',
> 'emailAddress': 'support at ti.com'}
> + self.debug = fdt_util.GetBool(self._node, 'debug', False)
>
> def NonCombinedGetCertificate(self, required):
> """Generate certificate for legacy boot flow
> diff --git a/tools/binman/etype/x509_cert.py b/tools/binman/etype/x509_cert.py
> index 25e6808b7f94cee76e18e2b5de22c09f91e3afd3..b6e8b0b4fb099871d8e7f731ee3e7c5d52e98b85 100644
> --- a/tools/binman/etype/x509_cert.py
> +++ b/tools/binman/etype/x509_cert.py
> @@ -52,6 +52,7 @@ class Entry_x509_cert(Entry_collection):
> self.sysfw_inner_cert_ext_boot_block = None
> self.dm_data_ext_boot_block = None
> self.firewall_cert_data = None
> + self.debug = False
>
> def ReadNode(self):
> super().ReadNode()
> @@ -114,7 +115,8 @@ class Entry_x509_cert(Entry_collection):
> bootcore=self.bootcore,
> bootcore_opts=self.bootcore_opts,
> load_addr=self.load_addr,
> - sha=self.sha
> + sha=self.sha,
> + debug=self.debug
> )
> elif type == 'rom-combined':
> stdout = self.openssl.x509_cert_rom_combined(
> @@ -140,7 +142,8 @@ class Entry_x509_cert(Entry_collection):
> hashval_sysfw_data=self.hashval_sysfw_data,
> sysfw_inner_cert_ext_boot_block=self.sysfw_inner_cert_ext_boot_block,
> dm_data_ext_boot_block=self.dm_data_ext_boot_block,
> - bootcore_opts=self.bootcore_opts
> + bootcore_opts=self.bootcore_opts,
> + debug=self.debug
> )
> if stdout is not None:
> data = tools.read_file(output_fname)
>
More information about the U-Boot
mailing list