[PATCH tiU2025.01 2/2] binman: openssl: disable JTAG access by default

Andrew Davis afd at ti.com
Mon Jun 2 23:21:52 CEST 2025


On 6/2/25 12:28 PM, Andrew Davis wrote:
> On 6/2/25 11:56 AM, Bryan Brattlof wrote:
>> Typically boards operating in production environments will not be
>> monitored and so will not need JTAG access unlocked. Disable the debug
>> extension unless asked for in the binman configs.
>>
>> Signed-off-by: Bryan Brattlof <bb at ti.com>
>> ---
>>   tools/binman/btool/openssl.py       | 16 ++++++++++++----
>>   tools/binman/etype/ti_secure.py     |  1 +
>>   tools/binman/etype/ti_secure_rom.py |  1 +
>>   tools/binman/etype/x509_cert.py     |  7 +++++--
>>   4 files changed, 19 insertions(+), 6 deletions(-)
>>
>> diff --git a/tools/binman/btool/openssl.py b/tools/binman/btool/openssl.py
>> index 2e128e477bce87568b6d9647bbf2666f9770d732..c91d8990a1dc9151bb8fc831c0f1bff2d91b014e 100644
>> --- a/tools/binman/btool/openssl.py
>> +++ b/tools/binman/btool/openssl.py
>> @@ -153,7 +153,7 @@ numFirewallRegions = INTEGER:{firewall_cert_data['num_firewalls']}
>>       def x509_cert_rom(self, cert_fname, input_fname, key_fname, sw_rev,
>>                     config_fname, req_dist_name_dict, cert_type, bootcore,
>> -                  bootcore_opts, load_addr, sha):
>> +                  bootcore_opts, load_addr, sha, debug):
>>           """Create a certificate
>>           Args:
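
Review bot: the `debug` parameter added at the end of the `x509_cert_rom` signature gets no entry under `Args:`. The diffstat accounts for every openssl.py change in the two signatures and the two `[ debug ]` templates, so the docstring is left without it. Add a line such as `debug (bool): True to request debugType 4, False to write debugType 0` so the security-relevant meaning of the argument is stated where callers will look.
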
>> @@ -214,9 +214,13 @@ emailAddress           = {req_dist_name_dict['emailAddress']}
>>    [ swrv ]
>>    swrv = INTEGER:{sw_rev}
>> + # When debugging low level boot firmware it can be useful to have ROM or TIFS
>> + # unlock JTAG access to the misbehaving CPUs. However in a production setting
>> + # this can lead to code modification after it's been authenticated by outside
>> + # parties. To gain JTAG access add the 'debug' flag to the binman configuration
> 
> Stating that adding the debug flag gets you JTAG access seems a bit misleading.
> Having the debugType is a necessary but not sufficient condition for JTAG unlock.
> 

I have to walk this back a little, this might only be true for TIFS which processes
the debug certificates after it takes over the SMS from secure ROM. Secure ROM may
have a different set of rules. Since this patch is updating both ROM and TIFS
certificates boot images we should focus on the ROM side.

> This only sets the upper-bound on what a later supplied JTAG unlock certificate
> can do, unless coreDbg* is set this should not by itself open JTAG on HS-SE
> devices. For HS-FS devices I'll have to double check and if it does we should
> decide if we want this unlocked by default or not.
> 

Seems HS-FS devices are default unlocked, and so I'm not sure why we set this to
unlock for the rest of the device types here in the first place. It only seems
to be a really big foot-gun for HS-SE users :/

Let's flip the default,

Acked-by: Andrew Davis <afd at ti.com>

Also could you send v2 of this as a stand-alone patch? This change should be
independent of the encryption extension in patch [1/2].

Andrew

> Andrew
> 
>>    [ debug ]
>>    debugUID = FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000
>> - debugType = INTEGER:4
>> + debugType = INTEGER:{ "4" if debug else "0" }
>>    coreDbgEn = INTEGER:0
>>    coreDbgSecEn = INTEGER:0
>>   ''', file=outf)
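
Review bot: `debugType = INTEGER:{ "4" if debug else "0" }` leaves both values as bare numbers, and the comment added above `[ debug ]` does not say what 4 or 0 select. `coreDbgEn` and `coreDbgSecEn` stay at 0 in either case, so the template alone does not show what the flag changes. Name the two values in the comment or as constants, and finish the comment's last sentence, which stops at "binman configuration" with no full stop. The expression can also be written `{4 if debug else 0}`, since the f-string formats the integer the same way.
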
>> @@ -231,7 +235,7 @@ emailAddress           = {req_dist_name_dict['emailAddress']}
>>                     imagesize_sbl, hashval_sbl, load_addr_sysfw, imagesize_sysfw,
>>                     hashval_sysfw, load_addr_sysfw_data, imagesize_sysfw_data,
>>                     hashval_sysfw_data, sysfw_inner_cert_ext_boot_block,
>> -                  dm_data_ext_boot_block, bootcore_opts):
>> +                  dm_data_ext_boot_block, bootcore_opts, debug):
>>           """Create a certificate
>>           Args:
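
Review bot: `debug` is appended to `x509_cert_rom_combined` as a required parameter with no default, so a caller that is not updated fails with a TypeError instead of falling back to the locked setting. Declaring it as `debug=False` puts the safe default in the signature itself, and the `Args:` section also needs an entry for it.
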
>> @@ -317,9 +321,13 @@ compSize = INTEGER:{imagesize_sysfw_data}
>>   shaType  = OID:{sha_type}
>>   shaValue = FORMAT:HEX,OCT:{hashval_sysfw_data}
>> +# When debugging low level boot firmware it can be useful to have ROM or TIFS
>> +# unlock JTAG access to the misbehaving CPUs. However in a production setting
>> +# this can lead to code modification after it's been authenticated by outside
>> +# parties. To gain JTAG access add the 'debug' flag to the binman configuration
>>   [ debug ]
>>   debugUID = FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000
>> -debugType = INTEGER:4
>> +debugType = INTEGER:{ "4" if debug else "0" }
>>   coreDbgEn = INTEGER:0
>>   coreDbgSecEn = INTEGER:0
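
Review bot: this `[ debug ]` block, comment included, is a second copy of the one added earlier in this file (only the leading space differs), so any later change to the default or to the wording has to be made in two places. Build the section once, for example in a small helper that returns the text for a given `debug` value, and interpolate it into both templates.
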
>> diff --git a/tools/binman/etype/ti_secure.py b/tools/binman/etype/ti_secure.py
>> index 420ee263e4f92727657d949d45a63c99809ecafa..f6caa0286d97c774fa4f2931f82ee9a98677b8d4 100644
>> --- a/tools/binman/etype/ti_secure.py
>> +++ b/tools/binman/etype/ti_secure.py
>> @@ -124,6 +124,7 @@ class Entry_ti_secure(Entry_x509_cert):
>>                   'OU': 'Processors',
>>                   'CN': 'TI Support',
>>                   'emailAddress': 'support at ti.com'}
>> +        self.debug = fdt_util.GetBool(self._node, 'debug', False)
>>       def ReadFirewallNode(self):
>>           self.firewall_cert_data['certificate'] = ""
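
Review bot: the `debug` property read by `fdt_util.GetBool(self._node, 'debug', False)` is not documented anywhere in this patch. The diffstat gives ti_secure.py a single added line, so the entry's property description does not mention it. Document it next to the entry's other properties, and consider a name that says what it controls, since a bare `debug` in an image description reads like a logging switch rather than a setting that changes the signed certificate.
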
>> diff --git a/tools/binman/etype/ti_secure_rom.py b/tools/binman/etype/ti_secure_rom.py
>> index f6fc3f90f84ab1b0a9c806a966d508abfd6f3eee..7e90c655940902b266507cf142680d984b8d22d4 100644
>> --- a/tools/binman/etype/ti_secure_rom.py
>> +++ b/tools/binman/etype/ti_secure_rom.py
>> @@ -87,6 +87,7 @@ class Entry_ti_secure_rom(Entry_x509_cert):
>>                       'OU': 'Processors',
>>                       'CN': 'TI Support',
>>                       'emailAddress': 'support at ti.com'}
>> +        self.debug = fdt_util.GetBool(self._node, 'debug', False)
>>       def NonCombinedGetCertificate(self, required):
>>           """Generate certificate for legacy boot flow
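
Review bot: the same `GetBool` read is added here and in ti_secure.py, but the diffstat lists no test file, so neither the default path (`debugType` 0) nor the opt-in path (`debugType` 4) is exercised. Add a test that builds an image description with and without the property and checks the generated certificate config for the expected `debugType`.
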
>> diff --git a/tools/binman/etype/x509_cert.py b/tools/binman/etype/x509_cert.py
>> index 25e6808b7f94cee76e18e2b5de22c09f91e3afd3..b6e8b0b4fb099871d8e7f731ee3e7c5d52e98b85 100644
>> --- a/tools/binman/etype/x509_cert.py
>> +++ b/tools/binman/etype/x509_cert.py
>> @@ -52,6 +52,7 @@ class Entry_x509_cert(Entry_collection):
>>           self.sysfw_inner_cert_ext_boot_block = None
>>           self.dm_data_ext_boot_block = None
>>           self.firewall_cert_data = None
>> +        self.debug = False
>>       def ReadNode(self):
>>           super().ReadNode()
>> @@ -114,7 +115,8 @@ class Entry_x509_cert(Entry_collection):
>>                   bootcore=self.bootcore,
>>                   bootcore_opts=self.bootcore_opts,
>>                   load_addr=self.load_addr,
>> -                sha=self.sha
>> +                sha=self.sha,
>> +                debug=self.debug
>>               )
>>           elif type == 'rom-combined':
>>               stdout = self.openssl.x509_cert_rom_combined(
>> @@ -140,7 +142,8 @@ class Entry_x509_cert(Entry_collection):
>>                   hashval_sysfw_data=self.hashval_sysfw_data,
>>                   sysfw_inner_cert_ext_boot_block=self.sysfw_inner_cert_ext_boot_block,
>>                   dm_data_ext_boot_block=self.dm_data_ext_boot_block,
>> -                bootcore_opts=self.bootcore_opts
>> +                bootcore_opts=self.bootcore_opts,
>> +                debug=self.debug
>>               )
>>           if stdout is not None:
>>               data = tools.read_file(output_fname)
>>

