[PATCH v2] binman: openssl: disable JTAG access by default
Bryan Brattlof
bb at ti.com
Mon Jun 2 23:56:52 CEST 2025
Typically boards operating in production environments will not be
monitored and so will not need JTAG access unlocked. Disable the debug
extension by default (set debugType = 0) unless we add the 'debug'
property in the binman configs.
Acked-by: Andrew Davis <afd at ti.com>
Signed-off-by: Bryan Brattlof <bb at ti.com>
---
Hello everyone,
While digging through binman a little I noticed a few x509 extensions
that should probably need a little adjusting before the release.
Happy Hacking
~Bryan
---
Changes in v2:
- removed subject prefix for SDK backporting
- reworded note about the debug extension for the x509 certificate
- dropped encryption extension patch as it's completely independent
- Link to v1: https://lore.kernel.org/r/20250602-am62xsip-v1-0-ae8aa62b4b6e@ti.com
---
tools/binman/btool/openssl.py | 16 ++++++++++++----
tools/binman/etype/ti_secure.py | 1 +
tools/binman/etype/ti_secure_rom.py | 1 +
tools/binman/etype/x509_cert.py | 7 +++++--
4 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/tools/binman/btool/openssl.py b/tools/binman/btool/openssl.py
index c6df64c5316d53735fb147858b24185096254ec2..b26f087c44706f7b321347cb5014b8193b011935 100644
--- a/tools/binman/btool/openssl.py
+++ b/tools/binman/btool/openssl.py
@@ -153,7 +153,7 @@ numFirewallRegions = INTEGER:{firewall_cert_data['num_firewalls']}
def x509_cert_rom(self, cert_fname, input_fname, key_fname, sw_rev,
config_fname, req_dist_name_dict, cert_type, bootcore,
- bootcore_opts, load_addr, sha):
+ bootcore_opts, load_addr, sha, debug):
"""Create a certificate
Args:
@@ -221,9 +221,13 @@ emailAddress = {req_dist_name_dict['emailAddress']}
# iterationCnt = INTEGER:TEST_IMAGE_KEY_DERIVE_INDEX
# salt = FORMAT:HEX,OCT:TEST_IMAGE_KEY_DERIVE_SALT
+ # When debugging low level boot firmware it can be useful to have ROM or TIFS
+ # unlock JTAG access to the misbehaving CPUs. However in a production setting
+ # this can lead to code modification by outside parties after it's been
+ # authenticated. To gain JTAG access add the 'debug' flag to the binman config
[ debug ]
debugUID = FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000
- debugType = INTEGER:4
+ debugType = INTEGER:{ "4" if debug else "0" }
coreDbgEn = INTEGER:0
coreDbgSecEn = INTEGER:0
''', file=outf)
@@ -238,7 +242,7 @@ emailAddress = {req_dist_name_dict['emailAddress']}
imagesize_sbl, hashval_sbl, load_addr_sysfw, imagesize_sysfw,
hashval_sysfw, load_addr_sysfw_data, imagesize_sysfw_data,
hashval_sysfw_data, sysfw_inner_cert_ext_boot_block,
- dm_data_ext_boot_block, bootcore_opts):
+ dm_data_ext_boot_block, bootcore_opts, debug):
"""Create a certificate
Args:
@@ -324,9 +328,13 @@ compSize = INTEGER:{imagesize_sysfw_data}
shaType = OID:{sha_type}
shaValue = FORMAT:HEX,OCT:{hashval_sysfw_data}
+# When debugging low level boot firmware it can be useful to have ROM or TIFS
+# unlock JTAG access to the misbehaving CPUs. However in a production setting
+# this can lead to code modification by outside parties after it's been
+# authenticated. To gain JTAG access add the 'debug' flag to the binman config
[ debug ]
debugUID = FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000
-debugType = INTEGER:4
+debugType = INTEGER:{ "4" if debug else "0" }
coreDbgEn = INTEGER:0
coreDbgSecEn = INTEGER:0
diff --git a/tools/binman/etype/ti_secure.py b/tools/binman/etype/ti_secure.py
index 420ee263e4f92727657d949d45a63c99809ecafa..f6caa0286d97c774fa4f2931f82ee9a98677b8d4 100644
--- a/tools/binman/etype/ti_secure.py
+++ b/tools/binman/etype/ti_secure.py
@@ -124,6 +124,7 @@ class Entry_ti_secure(Entry_x509_cert):
'OU': 'Processors',
'CN': 'TI Support',
'emailAddress': 'support at ti.com'}
+ self.debug = fdt_util.GetBool(self._node, 'debug', False)
def ReadFirewallNode(self):
self.firewall_cert_data['certificate'] = ""
diff --git a/tools/binman/etype/ti_secure_rom.py b/tools/binman/etype/ti_secure_rom.py
index f6fc3f90f84ab1b0a9c806a966d508abfd6f3eee..7e90c655940902b266507cf142680d984b8d22d4 100644
--- a/tools/binman/etype/ti_secure_rom.py
+++ b/tools/binman/etype/ti_secure_rom.py
@@ -87,6 +87,7 @@ class Entry_ti_secure_rom(Entry_x509_cert):
'OU': 'Processors',
'CN': 'TI Support',
'emailAddress': 'support at ti.com'}
+ self.debug = fdt_util.GetBool(self._node, 'debug', False)
def NonCombinedGetCertificate(self, required):
"""Generate certificate for legacy boot flow
diff --git a/tools/binman/etype/x509_cert.py b/tools/binman/etype/x509_cert.py
index 25e6808b7f94cee76e18e2b5de22c09f91e3afd3..b6e8b0b4fb099871d8e7f731ee3e7c5d52e98b85 100644
--- a/tools/binman/etype/x509_cert.py
+++ b/tools/binman/etype/x509_cert.py
@@ -52,6 +52,7 @@ class Entry_x509_cert(Entry_collection):
self.sysfw_inner_cert_ext_boot_block = None
self.dm_data_ext_boot_block = None
self.firewall_cert_data = None
+ self.debug = False
def ReadNode(self):
super().ReadNode()
@@ -114,7 +115,8 @@ class Entry_x509_cert(Entry_collection):
bootcore=self.bootcore,
bootcore_opts=self.bootcore_opts,
load_addr=self.load_addr,
- sha=self.sha
+ sha=self.sha,
+ debug=self.debug
)
elif type == 'rom-combined':
stdout = self.openssl.x509_cert_rom_combined(
@@ -140,7 +142,8 @@ class Entry_x509_cert(Entry_collection):
hashval_sysfw_data=self.hashval_sysfw_data,
sysfw_inner_cert_ext_boot_block=self.sysfw_inner_cert_ext_boot_block,
dm_data_ext_boot_block=self.dm_data_ext_boot_block,
- bootcore_opts=self.bootcore_opts
+ bootcore_opts=self.bootcore_opts,
+ debug=self.debug
)
if stdout is not None:
data = tools.read_file(output_fname)
---
base-commit: b22a276f039f818d5564bec6637071cfc8a7e432
change-id: 20250128-am62xsip-2ce59e0621bf
Best regards,
--
Bryan Brattlof <bb at ti.com>
More information about the U-Boot
mailing list