diff options
Diffstat (limited to 'tools/binman')
| -rw-r--r-- | tools/binman/binman.rst | 2 | ||||
| -rw-r--r-- | tools/binman/btool/openssl.py | 16 | ||||
| -rw-r--r-- | tools/binman/elf_test.py | 8 | ||||
| -rw-r--r-- | tools/binman/entries.rst | 14 | ||||
| -rw-r--r-- | tools/binman/etype/ti_dm.py | 22 | ||||
| -rw-r--r-- | tools/binman/etype/ti_secure.py | 95 | ||||
| -rw-r--r-- | tools/binman/etype/x509_cert.py | 4 | ||||
| -rw-r--r-- | tools/binman/ftest.py | 50 | ||||
| -rw-r--r-- | tools/binman/pyproject.toml | 6 | ||||
| -rw-r--r-- | tools/binman/test/225_ti_dm.dts | 13 | ||||
| -rw-r--r-- | tools/binman/test/324_ti_secure_firewall.dts | 28 | ||||
| -rw-r--r-- | tools/binman/test/325_ti_secure_firewall_missing_property.dts | 28 |
12 files changed, 270 insertions, 16 deletions
diff --git a/tools/binman/binman.rst b/tools/binman/binman.rst index 020988d955f..230e055667f 100644 --- a/tools/binman/binman.rst +++ b/tools/binman/binman.rst @@ -2060,7 +2060,7 @@ don't have access to the blobs. If the blobs are in a different directory, you can specify this with the `-I` option. -For U-Boot, you can use set the BINMAN_INDIRS environment variable to provide a +For U-Boot, you can set the BINMAN_INDIRS environment variable to provide a space-separated list of directories to search for binary blobs:: BINMAN_INDIRS="odroid-c4/fip/g12a \ diff --git a/tools/binman/btool/openssl.py b/tools/binman/btool/openssl.py index 7ee2683ab23..fe81a1f51b1 100644 --- a/tools/binman/btool/openssl.py +++ b/tools/binman/btool/openssl.py @@ -82,7 +82,7 @@ imageSize = INTEGER:{len(indata)} return self.run_cmd(*args) def x509_cert_sysfw(self, cert_fname, input_fname, key_fname, sw_rev, - config_fname, req_dist_name_dict): + config_fname, req_dist_name_dict, firewall_cert_data): """Create a certificate to be booted by system firmware Args: @@ -94,6 +94,13 @@ imageSize = INTEGER:{len(indata)} req_dist_name_dict (dict): Dictionary containing key-value pairs of req_distinguished_name section extensions, must contain extensions for C, ST, L, O, OU, CN and emailAddress + firewall_cert_data (dict): + - auth_in_place (int): The Priv ID for copying as the + specific host in firewall protected region + - num_firewalls (int): The number of firewalls in the + extended certificate + - certificate (str): Extended firewall certificate with + the information for the firewall configurations. Returns: str: Tool output @@ -121,6 +128,7 @@ basicConstraints = CA:true 1.3.6.1.4.1.294.1.3 = ASN1:SEQUENCE:swrv 1.3.6.1.4.1.294.1.34 = ASN1:SEQUENCE:sysfw_image_integrity 1.3.6.1.4.1.294.1.35 = ASN1:SEQUENCE:sysfw_image_load +1.3.6.1.4.1.294.1.37 = ASN1:SEQUENCE:firewall [ swrv ] swrv = INTEGER:{sw_rev} @@ -132,7 +140,11 @@ imageSize = INTEGER:{len(indata)} [ sysfw_image_load ] destAddr = FORMAT:HEX,OCT:00000000 -authInPlace = INTEGER:2 +authInPlace = INTEGER:{hex(firewall_cert_data['auth_in_place'])} + +[ firewall ] +numFirewallRegions = INTEGER:{firewall_cert_data['num_firewalls']} +{firewall_cert_data['certificate']} ''', file=outf) args = ['req', '-new', '-x509', '-key', key_fname, '-nodes', '-outform', 'DER', '-out', cert_fname, '-config', config_fname, diff --git a/tools/binman/elf_test.py b/tools/binman/elf_test.py index e3dee79d065..b64134123c1 100644 --- a/tools/binman/elf_test.py +++ b/tools/binman/elf_test.py @@ -249,8 +249,8 @@ class TestElf(unittest.TestCase): def testEmbedFail(self): """Test calling GetSymbolFileOffset() without elftools""" + old_val = elf.ELF_TOOLS try: - old_val = elf.ELF_TOOLS elf.ELF_TOOLS = False fname = self.ElfTestFile('embed_data') with self.assertRaises(ValueError) as e: @@ -290,8 +290,8 @@ class TestElf(unittest.TestCase): def test_read_segments_fail(self): """Test for read_loadable_segments() without elftools""" + old_val = elf.ELF_TOOLS try: - old_val = elf.ELF_TOOLS elf.ELF_TOOLS = False fname = self.ElfTestFile('embed_data') with self.assertRaises(ValueError) as e: @@ -327,8 +327,8 @@ class TestElf(unittest.TestCase): def test_get_file_offset_fail(self): """Test calling GetFileOffset() without elftools""" + old_val = elf.ELF_TOOLS try: - old_val = elf.ELF_TOOLS elf.ELF_TOOLS = False fname = self.ElfTestFile('embed_data') with self.assertRaises(ValueError) as e: @@ -351,8 +351,8 @@ class TestElf(unittest.TestCase): def test_get_symbol_from_address_fail(self): """Test calling GetSymbolFromAddress() without elftools""" + old_val = elf.ELF_TOOLS try: - old_val = elf.ELF_TOOLS elf.ELF_TOOLS = False fname = self.ElfTestFile('embed_data') with self.assertRaises(ValueError) as e: diff --git a/tools/binman/entries.rst b/tools/binman/entries.rst index 61de7f1f4a8..254afe76074 100644 --- a/tools/binman/entries.rst +++ b/tools/binman/entries.rst @@ -1906,6 +1906,20 @@ the included board config binaries. Example:: +.. _etype_ti_dm: + +Entry: ti-dm: TI Device Manager (DM) blob +----------------------------------------- + +Properties / Entry arguments: + - ti-dm-path: Filename of file to read into the entry, typically ti-dm.bin + +This entry holds the device manager responsible for resource and power management +in K3 devices. See https://software-dl.ti.com/tisci/esd/latest/ for more information +about TI DM. + + + .. _etype_ti_secure: Entry: ti-secure: Entry containing a TI x509 certificate binary diff --git a/tools/binman/etype/ti_dm.py b/tools/binman/etype/ti_dm.py new file mode 100644 index 00000000000..0faa0bf0ca7 --- /dev/null +++ b/tools/binman/etype/ti_dm.py @@ -0,0 +1,22 @@ +# SPDX-License-Identifier: GPL-2.0+ +# Copyright (C) 2023 Texas Instruments Incorporated - https://www.ti.com/ +# Written by Neha Malcom Francis <n-francis@ti.com> +# +# Entry-type module for TI Device Manager (DM) +# + +from binman.etype.blob_named_by_arg import Entry_blob_named_by_arg + +class Entry_ti_dm(Entry_blob_named_by_arg): + """TI Device Manager (DM) blob + + Properties / Entry arguments: + - ti-dm-path: Filename of file to read into the entry, typically ti-dm.bin + + This entry holds the device manager responsible for resource and power management + in K3 devices. See https://software-dl.ti.com/tisci/esd/latest/ for more information + about TI DM. + """ + def __init__(self, section, etype, node): + super().__init__(section, etype, node, 'ti-dm') + self.external = True diff --git a/tools/binman/etype/ti_secure.py b/tools/binman/etype/ti_secure.py index d939dce5713..704dcf8a381 100644 --- a/tools/binman/etype/ti_secure.py +++ b/tools/binman/etype/ti_secure.py @@ -7,9 +7,44 @@ from binman.entry import EntryArg from binman.etype.x509_cert import Entry_x509_cert +from dataclasses import dataclass from dtoc import fdt_util +@dataclass +class Firewall(): + id: int + region: int + control : int + permissions: list + start_address: str + end_address: str + + def ensure_props(self, etype, name): + missing_props = [] + for key, val in self.__dict__.items(): + if val is None: + missing_props += [key] + + if len(missing_props): + etype.Raise(f"Subnode '{name}' is missing properties: {','.join(missing_props)}") + + def get_certificate(self) -> str: + unique_identifier = f"{self.id}{self.region}" + cert = f""" +firewallID{unique_identifier} = INTEGER:{self.id} +region{unique_identifier} = INTEGER:{self.region} +control{unique_identifier} = INTEGER:{hex(self.control)} +nPermissionRegs{unique_identifier} = INTEGER:{len(self.permissions)} +""" + for index, permission in enumerate(self.permissions): + cert += f"""permissions{unique_identifier}{index} = INTEGER:{hex(permission)} +""" + cert += f"""startAddress{unique_identifier} = FORMAT:HEX,OCT:{self.start_address:02x} +endAddress{unique_identifier} = FORMAT:HEX,OCT:{self.end_address:02x} +""" + return cert + class Entry_ti_secure(Entry_x509_cert): """Entry containing a TI x509 certificate binary @@ -17,6 +52,11 @@ class Entry_ti_secure(Entry_x509_cert): - content: List of phandles to entries to sign - keyfile: Filename of file containing key to sign binary with - sha: Hash function to be used for signing + - auth-in-place: This is an integer field that contains two pieces + of information + Lower Byte - Remains 0x02 as per our use case + ( 0x02: Move the authenticated binary back to the header ) + Upper Byte - The Host ID of the core owning the firewall Output files: - input.<unique_name> - input file passed to openssl @@ -25,6 +65,35 @@ class Entry_ti_secure(Entry_x509_cert): - cert.<unique_name> - output file generated by openssl (which is used as the entry contents) + Depending on auth-in-place information in the inputs, we read the + firewall nodes that describe the configurations of firewall that TIFS + will be doing after reading the certificate. + + The syntax of the firewall nodes are as such: + + firewall-257-0 { + id = <257>; /* The ID of the firewall being configured */ + region = <0>; /* Region number to configure */ + + control = /* The control register */ + <(FWCTRL_EN | FWCTRL_LOCK | FWCTRL_BG | FWCTRL_CACHE)>; + + permissions = /* The permission registers */ + <((FWPRIVID_ALL << FWPRIVID_SHIFT) | + FWPERM_SECURE_PRIV_RWCD | + FWPERM_SECURE_USER_RWCD | + FWPERM_NON_SECURE_PRIV_RWCD | + FWPERM_NON_SECURE_USER_RWCD)>; + + /* More defines can be found in k3-security.h */ + + start_address = /* The Start Address of the firewall */ + <0x0 0x0>; + end_address = /* The End Address of the firewall */ + <0xff 0xffffffff>; + }; + + openssl signs the provided data, using the TI templated config file and writes the signature in this entry. This allows verification that the data is genuine. @@ -32,11 +101,20 @@ class Entry_ti_secure(Entry_x509_cert): def __init__(self, section, etype, node): super().__init__(section, etype, node) self.openssl = None + self.firewall_cert_data: dict = { + 'auth_in_place': 0x02, + 'num_firewalls': 0, + 'certificate': '', + } def ReadNode(self): super().ReadNode() self.key_fname = self.GetEntryArgsOrProps([ EntryArg('keyfile', str)], required=True)[0] + auth_in_place = fdt_util.GetInt(self._node, 'auth-in-place') + if auth_in_place: + self.firewall_cert_data['auth_in_place'] = auth_in_place + self.ReadFirewallNode() self.sha = fdt_util.GetInt(self._node, 'sha', 512) self.req_dist_name = {'C': 'US', 'ST': 'TX', @@ -46,6 +124,23 @@ class Entry_ti_secure(Entry_x509_cert): 'CN': 'TI Support', 'emailAddress': 'support@ti.com'} + def ReadFirewallNode(self): + self.firewall_cert_data['certificate'] = "" + self.firewall_cert_data['num_firewalls'] = 0 + for node in self._node.subnodes: + if 'firewall' in node.name: + firewall = Firewall( + fdt_util.GetInt(node, 'id'), + fdt_util.GetInt(node, 'region'), + fdt_util.GetInt(node, 'control'), + fdt_util.GetPhandleList(node, 'permissions'), + fdt_util.GetInt64(node, 'start_address'), + fdt_util.GetInt64(node, 'end_address'), + ) + firewall.ensure_props(self, node.name) + self.firewall_cert_data['num_firewalls'] += 1 + self.firewall_cert_data['certificate'] += firewall.get_certificate() + def GetCertificate(self, required): """Get the contents of this entry diff --git a/tools/binman/etype/x509_cert.py b/tools/binman/etype/x509_cert.py index fc0bb122786..29630d1b86c 100644 --- a/tools/binman/etype/x509_cert.py +++ b/tools/binman/etype/x509_cert.py @@ -51,6 +51,7 @@ class Entry_x509_cert(Entry_collection): self.hashval_sysfw_data = None self.sysfw_inner_cert_ext_boot_block = None self.dm_data_ext_boot_block = None + self.firewall_cert_data = None def ReadNode(self): super().ReadNode() @@ -98,7 +99,8 @@ class Entry_x509_cert(Entry_collection): key_fname=self.key_fname, config_fname=config_fname, sw_rev=self.sw_rev, - req_dist_name_dict=self.req_dist_name) + req_dist_name_dict=self.req_dist_name, + firewall_cert_data=self.firewall_cert_data) elif type == 'rom': stdout = self.openssl.x509_cert_rom( cert_fname=output_fname, diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py index 5ace2a825dc..90482518f1e 100644 --- a/tools/binman/ftest.py +++ b/tools/binman/ftest.py @@ -88,6 +88,7 @@ FSP_S_DATA = b'fsp_s' FSP_T_DATA = b'fsp_t' ATF_BL31_DATA = b'bl31' TEE_OS_DATA = b'this is some tee OS data' +TI_DM_DATA = b'tidmtidm' ATF_BL2U_DATA = b'bl2u' OPENSBI_DATA = b'opensbi' SCP_DATA = b'scp' @@ -221,6 +222,7 @@ class TestFunctional(unittest.TestCase): TestFunctional._MakeInputFile('compress_big', COMPRESS_DATA_BIG) TestFunctional._MakeInputFile('bl31.bin', ATF_BL31_DATA) TestFunctional._MakeInputFile('tee-pager.bin', TEE_OS_DATA) + TestFunctional._MakeInputFile('dm.bin', TI_DM_DATA) TestFunctional._MakeInputFile('bl2u.bin', ATF_BL2U_DATA) TestFunctional._MakeInputFile('fw_dynamic.bin', OPENSBI_DATA) TestFunctional._MakeInputFile('scp.bin', SCP_DATA) @@ -2840,12 +2842,14 @@ class TestFunctional(unittest.TestCase): fdt_size = entries['section'].GetEntries()['u-boot-dtb'].size fdtmap_offset = entries['fdtmap'].offset + tmpdir = None try: tmpdir, updated_fname = self._SetupImageInTmpdir() with test_util.capture_sys_output() as (stdout, stderr): self._DoBinman('ls', '-i', updated_fname) finally: - shutil.rmtree(tmpdir) + if tmpdir: + shutil.rmtree(tmpdir) lines = stdout.getvalue().splitlines() expected = [ 'Name Image-pos Size Entry-type Offset Uncomp-size', @@ -2866,12 +2870,14 @@ class TestFunctional(unittest.TestCase): def testListCmdFail(self): """Test failing to list an image""" self._DoReadFile('005_simple.dts') + tmpdir = None try: tmpdir, updated_fname = self._SetupImageInTmpdir() with self.assertRaises(ValueError) as e: self._DoBinman('ls', '-i', updated_fname) finally: - shutil.rmtree(tmpdir) + if tmpdir: + shutil.rmtree(tmpdir) self.assertIn("Cannot find FDT map in image", str(e.exception)) def _RunListCmd(self, paths, expected): @@ -3000,13 +3006,15 @@ class TestFunctional(unittest.TestCase): self._CheckLz4() self._DoReadFileRealDtb('130_list_fdtmap.dts') fname = os.path.join(self._indir, 'output.extact') + tmpdir = None try: tmpdir, updated_fname = self._SetupImageInTmpdir() with test_util.capture_sys_output() as (stdout, stderr): self._DoBinman('extract', '-i', updated_fname, 'u-boot', '-f', fname) finally: - shutil.rmtree(tmpdir) + if tmpdir: + shutil.rmtree(tmpdir) data = tools.read_file(fname) self.assertEqual(U_BOOT_DATA, data) @@ -5183,12 +5191,14 @@ fdt fdtmap Extract the devicetree blob from the fdtmap data = self._DoReadFileRealDtb('207_fip_ls.dts') hdr, fents = fip_util.decode_fip(data) + tmpdir = None try: tmpdir, updated_fname = self._SetupImageInTmpdir() with test_util.capture_sys_output() as (stdout, stderr): self._DoBinman('ls', '-i', updated_fname) finally: - shutil.rmtree(tmpdir) + if tmpdir: + shutil.rmtree(tmpdir) lines = stdout.getvalue().splitlines() expected = [ 'Name Image-pos Size Entry-type Offset Uncomp-size', @@ -5393,12 +5403,14 @@ fdt fdtmap Extract the devicetree blob from the fdtmap use_real_dtb=True, extra_indirs=[os.path.join(self._indir, TEST_FDT_SUBDIR)]) + tmpdir = None try: tmpdir, updated_fname = self._SetupImageInTmpdir() with test_util.capture_sys_output() as (stdout, stderr): self._RunBinman('ls', '-i', updated_fname) finally: - shutil.rmtree(tmpdir) + if tmpdir: + shutil.rmtree(tmpdir) def testFitSubentryUsesBintool(self): """Test that binman FIT subentries can use bintools""" @@ -5455,6 +5467,11 @@ fdt fdtmap Extract the devicetree blob from the fdtmap data = self._DoReadFile('222_tee_os.dts') self.assertEqual(TEE_OS_DATA, data[:len(TEE_OS_DATA)]) + def testPackTiDm(self): + """Test that an image with a TI DM binary can be created""" + data = self._DoReadFile('225_ti_dm.dts') + self.assertEqual(TI_DM_DATA, data[:len(TI_DM_DATA)]) + def testFitFdtOper(self): """Check handling of a specified FIT operation""" entry_args = { @@ -7035,6 +7052,29 @@ fdt fdtmap Extract the devicetree blob from the fdtmap entry_args=entry_args)[0] self.assertGreater(len(data), len(TI_UNSECURE_DATA)) + def testPackTiSecureFirewall(self): + """Test that an image with a TI secured binary can be created""" + keyfile = self.TestFile('key.key') + entry_args = { + 'keyfile': keyfile, + } + data_no_firewall = self._DoReadFileDtb('296_ti_secure.dts', + entry_args=entry_args)[0] + data_firewall = self._DoReadFileDtb('324_ti_secure_firewall.dts', + entry_args=entry_args)[0] + self.assertGreater(len(data_firewall),len(data_no_firewall)) + + def testPackTiSecureFirewallMissingProperty(self): + """Test that an image with a TI secured binary can be created""" + keyfile = self.TestFile('key.key') + entry_args = { + 'keyfile': keyfile, + } + with self.assertRaises(ValueError) as e: + data_firewall = self._DoReadFileDtb('325_ti_secure_firewall_missing_property.dts', + entry_args=entry_args)[0] + self.assertRegex(str(e.exception), "Node '/binman/ti-secure': Subnode 'firewall-0-2' is missing properties: id,region") + def testPackTiSecureMissingTool(self): """Test that an image with a TI secured binary (non-functional) can be created when openssl is missing""" diff --git a/tools/binman/pyproject.toml b/tools/binman/pyproject.toml index b4b54fbaee6..ba34437fc53 100644 --- a/tools/binman/pyproject.toml +++ b/tools/binman/pyproject.toml @@ -4,11 +4,11 @@ build-backend = "setuptools.build_meta" [project] name = "binary-manager" -version = "0.0.2" +version = "0.0.6" authors = [ { name="Simon Glass", email="sjg@chromium.org" }, ] -dependencies = ["pylibfdt", "u_boot_pylib", "dtoc"] +dependencies = ["pylibfdt", "u_boot_pylib >= 0.0.6", "dtoc >= 0.0.6"] description = "Binman firmware-packaging tool" readme = "README.rst" requires-python = ">=3.7" @@ -19,7 +19,7 @@ classifiers = [ ] [project.urls] -"Homepage" = "https://u-boot.readthedocs.io/en/latest/develop/package/index.html" +"Homepage" = "https://docs.u-boot.org/en/latest/develop/package/index.html" "Bug Tracker" = "https://source.denx.de/groups/u-boot/-/issues" [project.scripts] diff --git a/tools/binman/test/225_ti_dm.dts b/tools/binman/test/225_ti_dm.dts new file mode 100644 index 00000000000..3ab754131e9 --- /dev/null +++ b/tools/binman/test/225_ti_dm.dts @@ -0,0 +1,13 @@ +// SPDX-License-Identifier: GPL-2.0+ + +/dts-v1/; + +/ { + #address-cells = <1>; + #size-cells = <1>; + binman { + ti-dm { + filename = "dm.bin"; + }; + }; +}; diff --git a/tools/binman/test/324_ti_secure_firewall.dts b/tools/binman/test/324_ti_secure_firewall.dts new file mode 100644 index 00000000000..7ec407fa67b --- /dev/null +++ b/tools/binman/test/324_ti_secure_firewall.dts @@ -0,0 +1,28 @@ +// SPDX-License-Identifier: GPL-2.0+ + +/dts-v1/; + +/ { + #address-cells = <1>; + #size-cells = <1>; + + binman { + ti-secure { + content = <&unsecure_binary>; + auth-in-place = <0xa02>; + + firewall-0-2 { + id = <0>; + region = <2>; + control = <0x31a>; + permissions = <0xc3ffff>; + start_address = <0x0 0x9e800000>; + end_address = <0x0 0x9fffffff>; + }; + + }; + unsecure_binary: blob-ext { + filename = "ti_unsecure.bin"; + }; + }; +}; diff --git a/tools/binman/test/325_ti_secure_firewall_missing_property.dts b/tools/binman/test/325_ti_secure_firewall_missing_property.dts new file mode 100644 index 00000000000..24a0a996250 --- /dev/null +++ b/tools/binman/test/325_ti_secure_firewall_missing_property.dts @@ -0,0 +1,28 @@ +// SPDX-License-Identifier: GPL-2.0+ + +/dts-v1/; + +/ { + #address-cells = <1>; + #size-cells = <1>; + + binman { + ti-secure { + content = <&unsecure_binary>; + auth-in-place = <0xa02>; + + firewall-0-2 { + // id = <0>; + // region = <2>; + control = <0x31a>; + permissions = <0xc3ffff>; + start_address = <0x0 0x9e800000>; + end_address = <0x0 0x9fffffff>; + }; + + }; + unsecure_binary: blob-ext { + filename = "ti_unsecure.bin"; + }; + }; +}; |