diff options
Diffstat (limited to 'tools/k3_gen_x509_cert.sh')
| -rwxr-xr-x | tools/k3_gen_x509_cert.sh | 262 |
1 files changed, 0 insertions, 262 deletions
diff --git a/tools/k3_gen_x509_cert.sh b/tools/k3_gen_x509_cert.sh deleted file mode 100755 index d9cde07417c..00000000000 --- a/tools/k3_gen_x509_cert.sh +++ /dev/null @@ -1,262 +0,0 @@ -#!/bin/bash -# SPDX-License-Identifier: GPL-2.0+ OR BSD-3-Clause -# -# Script to add K3 specific x509 cetificate to a binary. -# - -# Variables -OUTPUT=tiboot3.bin -TEMP_X509=x509-temp.cert -CERT=certificate.bin -RAND_KEY=eckey.pem -LOADADDR=0x41c00000 -BOOTCORE_OPTS=0 -BOOTCORE=16 -DEBUG_TYPE=0 -SWRV=1 - -gen_degen_template() { -cat << 'EOF' > degen-template.txt - -asn1=SEQUENCE:rsa_key - -[rsa_key] -version=INTEGER:0 -modulus=INTEGER:0xDEGEN_MODULUS -pubExp=INTEGER:1 -privExp=INTEGER:1 -p=INTEGER:0xDEGEN_P -q=INTEGER:0xDEGEN_Q -e1=INTEGER:1 -e2=INTEGER:1 -coeff=INTEGER:0xDEGEN_COEFF -EOF -} - -# Generate x509 Template -gen_template() { -cat << 'EOF' > x509-template.txt - [ req ] - distinguished_name = req_distinguished_name - x509_extensions = v3_ca - prompt = no - dirstring_type = nobmp - - [ req_distinguished_name ] - C = US - ST = TX - L = Dallas - O = Texas Instruments Incorporated - OU = Processors - CN = TI support - emailAddress = support@ti.com - - [ v3_ca ] - basicConstraints = CA:true - 1.3.6.1.4.1.294.1.1 = ASN1:SEQUENCE:boot_seq - 1.3.6.1.4.1.294.1.2 = ASN1:SEQUENCE:image_integrity - 1.3.6.1.4.1.294.1.3 = ASN1:SEQUENCE:swrv -# 1.3.6.1.4.1.294.1.4 = ASN1:SEQUENCE:encryption - 1.3.6.1.4.1.294.1.8 = ASN1:SEQUENCE:debug - - [ boot_seq ] - certType = INTEGER:TEST_CERT_TYPE - bootCore = INTEGER:TEST_BOOT_CORE - bootCoreOpts = INTEGER:TEST_BOOT_CORE_OPTS - destAddr = FORMAT:HEX,OCT:TEST_BOOT_ADDR - imageSize = INTEGER:TEST_IMAGE_LENGTH - - [ image_integrity ] - shaType = OID:2.16.840.1.101.3.4.2.3 - shaValue = FORMAT:HEX,OCT:TEST_IMAGE_SHA_VAL - - [ swrv ] - swrv = INTEGER:TEST_SWRV - -# [ encryption ] -# initalVector = FORMAT:HEX,OCT:TEST_IMAGE_ENC_IV -# randomString = FORMAT:HEX,OCT:TEST_IMAGE_ENC_RS -# iterationCnt = INTEGER:TEST_IMAGE_KEY_DERIVE_INDEX -# salt = FORMAT:HEX,OCT:TEST_IMAGE_KEY_DERIVE_SALT - - [ debug ] - debugUID = FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000 - debugType = INTEGER:TEST_DEBUG_TYPE - coreDbgEn = INTEGER:0 - coreDbgSecEn = INTEGER:0 -EOF -} - -parse_key() { - sed '/ /s/://g' key.txt | \ - awk '!/ / {printf("\n%s\n", $0)}; / / {printf("%s", $0)}' | \ - sed 's/ //g' | \ - awk "/$1:/{getline; print}" -} - -gen_degen_key() { -# Generate a 4096 bit RSA Key - openssl genrsa -out key.pem 1024 >>/dev/null 2>&1 - openssl rsa -in key.pem -text -out key.txt >>/dev/null 2>&1 - DEGEN_MODULUS=$( parse_key 'modulus' ) - DEGEN_P=$( parse_key 'prime1' ) - DEGEN_Q=$( parse_key 'prime2' ) - DEGEN_COEFF=$( parse_key 'coefficient' ) - gen_degen_template - - sed -e "s/DEGEN_MODULUS/$DEGEN_MODULUS/"\ - -e "s/DEGEN_P/$DEGEN_P/" \ - -e "s/DEGEN_Q/$DEGEN_Q/" \ - -e "s/DEGEN_COEFF/$DEGEN_COEFF/" \ - degen-template.txt > degenerateKey.txt - - openssl asn1parse -genconf degenerateKey.txt -out degenerateKey.der >>/dev/null 2>&1 - openssl rsa -in degenerateKey.der -inform DER -outform PEM -out $RAND_KEY >>/dev/null 2>&1 - KEY=$RAND_KEY - rm key.pem key.txt degen-template.txt degenerateKey.txt degenerateKey.der -} - -declare -A options_help -usage() { - if [ -n "$*" ]; then - echo "ERROR: $*" - fi - echo -n "Usage: $0 " - for option in "${!options_help[@]}" - do - arg=`echo ${options_help[$option]}|cut -d ':' -f1` - if [ -n "$arg" ]; then - arg=" $arg" - fi - echo -n "[-$option$arg] " - done - echo - echo -e "\nWhere:" - for option in "${!options_help[@]}" - do - arg=`echo ${options_help[$option]}|cut -d ':' -f1` - txt=`echo ${options_help[$option]}|cut -d ':' -f2` - tb="\t\t\t" - if [ -n "$arg" ]; then - arg=" $arg" - tb="\t" - fi - echo -e " -$option$arg:$tb$txt" - done - echo - echo "Examples of usage:-" - echo "# Example of signing the SYSFW binary with rsa degenerate key" - echo " $0 -c 0 -b ti-sci-firmware-am6x.bin -o sysfw.bin -l 0x40000" - echo "# Example of signing the SPL binary with rsa degenerate key" - echo " $0 -c 16 -b spl/u-boot-spl.bin -o tiboot3.bin -l 0x41c00000" -} - -options_help[b]="bin_file:Bin file that needs to be signed" -options_help[k]="key_file:file with key inside it. If not provided script generates a rsa degenerate key." -options_help[o]="output_file:Name of the final output file. default to $OUTPUT" -options_help[c]="core_id:target core id on which the image would be running. Default to $BOOTCORE" -options_help[l]="loadaddr: Target load address of the binary in hex. Default to $LOADADDR" -options_help[d]="debug_type: Debug type, set to 4 to enable early JTAG. Default to $DEBUG_TYPE" -options_help[r]="SWRV: Software Rev for X509 certificate" - -while getopts "b:k:o:c:l:d:h:r:" opt -do - case $opt in - b) - BIN=$OPTARG - ;; - k) - KEY=$OPTARG - ;; - o) - OUTPUT=$OPTARG - ;; - l) - LOADADDR=$OPTARG - ;; - c) - BOOTCORE=$OPTARG - ;; - d) - DEBUG_TYPE=$OPTARG - ;; - r) - SWRV=$OPTARG - ;; - h) - usage - exit 0 - ;; - \?) - usage "Invalid Option '-$OPTARG'" - exit 1 - ;; - :) - usage "Option '-$OPTARG' Needs an argument." - exit 1 - ;; - esac -done - -if [ "$#" -eq 0 ]; then - usage "Arguments missing" - exit 1 -fi - -if [ -z "$BIN" ]; then - usage "Bin file missing in arguments" - exit 1 -fi - -# Generate rsa degenerate key if user doesn't provide a key -if [ -z "$KEY" ]; then - gen_degen_key -fi - -if [ $BOOTCORE == 0 ]; then # BOOTCORE M3, loaded by ROM - CERTTYPE=2 -elif [ $BOOTCORE == 16 ]; then # BOOTCORE R5, loaded by ROM - CERTTYPE=1 -else # Non BOOTCORE, loaded by SYSFW - BOOTCORE_OPTS_VER=$(printf "%01x" 1) - # Add input args option for SET and CLR flags. - BOOTCORE_OPTS_SETFLAG=$(printf "%08x" 0) - BOOTCORE_OPTS_CLRFLAG=$(printf "%08x" 0x100) # Clear FLAG_ARMV8_AARCH32 - BOOTCORE_OPTS="0x$BOOTCORE_OPTS_VER$BOOTCORE_OPTS_SETFLAG$BOOTCORE_OPTS_CLRFLAG" - # Set the cert type to zero. - # We are not using public/private key store now - CERTTYPE=$(printf "0x%08x" 0) -fi - -SHA_VAL=`openssl dgst -sha512 -hex $BIN | sed -e "s/^.*= //g"` -BIN_SIZE=`cat $BIN | wc -c` -ADDR=`printf "%08x" $LOADADDR` - -gen_cert() { - #echo "Certificate being generated :" - #echo " LOADADDR = 0x$ADDR" - #echo " IMAGE_SIZE = $BIN_SIZE" - #echo " CERT_TYPE = $CERTTYPE" - #echo " DEBUG_TYPE = $DEBUG_TYPE" - #echo " SWRV = $SWRV" - sed -e "s/TEST_IMAGE_LENGTH/$BIN_SIZE/" \ - -e "s/TEST_IMAGE_SHA_VAL/$SHA_VAL/" \ - -e "s/TEST_CERT_TYPE/$CERTTYPE/" \ - -e "s/TEST_BOOT_CORE_OPTS/$BOOTCORE_OPTS/" \ - -e "s/TEST_BOOT_CORE/$BOOTCORE/" \ - -e "s/TEST_BOOT_ADDR/$ADDR/" \ - -e "s/TEST_DEBUG_TYPE/$DEBUG_TYPE/" \ - -e "s/TEST_SWRV/$SWRV/" \ - x509-template.txt > $TEMP_X509 - openssl req -new -x509 -key $KEY -nodes -outform DER -out $CERT -config $TEMP_X509 -sha512 -} - -gen_template -gen_cert -cat $CERT $BIN > $OUTPUT - -# Remove all intermediate files -rm $TEMP_X509 $CERT x509-template.txt -if [ "$KEY" == "$RAND_KEY" ]; then - rm $RAND_KEY -fi |