Blame view
tools/k3_gen_x509_cert.sh
6.16 KB
ca71186a7 tools: k3_get_x50... |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 |
#!/bin/bash # SPDX-License-Identifier: GPL-2.0+ OR BSD-3-Clause # # Script to add K3 specific x509 cetificate to a binary. # # Variables OUTPUT=tiboot3.bin TEMP_X509=x509-temp.cert CERT=certificate.bin RAND_KEY=eckey.pem LOADADDR=0x41c00000 BOOTCORE_OPTS=0 BOOTCORE=16 gen_degen_template() { cat << 'EOF' > degen-template.txt asn1=SEQUENCE:rsa_key [rsa_key] version=INTEGER:0 modulus=INTEGER:0xDEGEN_MODULUS pubExp=INTEGER:1 privExp=INTEGER:1 p=INTEGER:0xDEGEN_P q=INTEGER:0xDEGEN_Q e1=INTEGER:1 e2=INTEGER:1 coeff=INTEGER:0xDEGEN_COEFF EOF } # Generate x509 Template gen_template() { cat << 'EOF' > x509-template.txt [ req ] distinguished_name = req_distinguished_name x509_extensions = v3_ca prompt = no dirstring_type = nobmp [ req_distinguished_name ] C = US ST = TX L = Dallas O = Texas Instruments Incorporated OU = Processors CN = TI support emailAddress = support@ti.com [ v3_ca ] basicConstraints = CA:true 1.3.6.1.4.1.294.1.1 = ASN1:SEQUENCE:boot_seq 1.3.6.1.4.1.294.1.2 = ASN1:SEQUENCE:image_integrity 1.3.6.1.4.1.294.1.3 = ASN1:SEQUENCE:swrv # 1.3.6.1.4.1.294.1.4 = ASN1:SEQUENCE:encryption 1.3.6.1.4.1.294.1.8 = ASN1:SEQUENCE:debug [ boot_seq ] certType = INTEGER:TEST_CERT_TYPE bootCore = INTEGER:TEST_BOOT_CORE bootCoreOpts = INTEGER:TEST_BOOT_CORE_OPTS destAddr = FORMAT:HEX,OCT:TEST_BOOT_ADDR imageSize = INTEGER:TEST_IMAGE_LENGTH [ image_integrity ] shaType = OID:2.16.840.1.101.3.4.2.3 shaValue = FORMAT:HEX,OCT:TEST_IMAGE_SHA_VAL [ swrv ] swrv = INTEGER:0 # [ encryption ] # initalVector = FORMAT:HEX,OCT:TEST_IMAGE_ENC_IV # randomString = FORMAT:HEX,OCT:TEST_IMAGE_ENC_RS # iterationCnt = INTEGER:TEST_IMAGE_KEY_DERIVE_INDEX # salt = FORMAT:HEX,OCT:TEST_IMAGE_KEY_DERIVE_SALT [ debug ] debugUID = FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000 debugType = INTEGER:4 coreDbgEn = INTEGER:0 coreDbgSecEn = INTEGER:0 EOF } parse_key() { sed '/\ \ \ \ /s/://g' key.txt | awk '!/\ \ \ \ / {printf(" %s ", $0)}; /\ \ \ \ / {printf("%s", $0)}' | sed 's/\ \ \ \ //g' | awk "/$1:/{getline; print}" } gen_degen_key() { # Generate a 4096 bit RSA Key openssl genrsa -out key.pem 1024 >>/dev/null 2>&1 openssl rsa -in key.pem -text -out key.txt >>/dev/null 2>&1 DEGEN_MODULUS=$( parse_key 'modulus' ) DEGEN_P=$( parse_key 'prime1' ) DEGEN_Q=$( parse_key 'prime2' ) DEGEN_COEFF=$( parse_key 'coefficient' ) gen_degen_template sed -e "s/DEGEN_MODULUS/$DEGEN_MODULUS/"\ -e "s/DEGEN_P/$DEGEN_P/" \ -e "s/DEGEN_Q/$DEGEN_Q/" \ -e "s/DEGEN_COEFF/$DEGEN_COEFF/" \ degen-template.txt > degenerateKey.txt openssl asn1parse -genconf degenerateKey.txt -out degenerateKey.der >>/dev/null 2>&1 openssl rsa -in degenerateKey.der -inform DER -outform PEM -out $RAND_KEY >>/dev/null 2>&1 KEY=$RAND_KEY rm key.pem key.txt degen-template.txt degenerateKey.txt degenerateKey.der } declare -A options_help usage() { if [ -n "$*" ]; then echo "ERROR: $*" fi echo -n "Usage: $0 " for option in "${!options_help[@]}" do arg=`echo ${options_help[$option]}|cut -d ':' -f1` if [ -n "$arg" ]; then arg=" $arg" fi echo -n "[-$option$arg] " done echo echo -e " Where:" for option in "${!options_help[@]}" do arg=`echo ${options_help[$option]}|cut -d ':' -f1` txt=`echo ${options_help[$option]}|cut -d ':' -f2` tb="\t\t\t" if [ -n "$arg" ]; then arg=" $arg" tb="\t" fi echo -e " -$option$arg:$tb$txt" done echo echo "Examples of usage:-" echo "# Example of signing the SYSFW binary with rsa degenerate key" echo " $0 -c 0 -b ti-sci-firmware-am6x.bin -o sysfw.bin -l 0x40000" echo "# Example of signing the SPL binary with rsa degenerate key" echo " $0 -c 16 -b spl/u-boot-spl.bin -o tiboot3.bin -l 0x41c00000" } options_help[b]="bin_file:Bin file that needs to be signed" options_help[k]="key_file:file with key inside it. If not provided script generates a rsa degenerate key." options_help[o]="output_file:Name of the final output file. default to $OUTPUT" options_help[c]="core_id:target core id on which the image would be running. Default to $BOOTCORE" options_help[l]="loadaddr: Target load address of the binary in hex. Default to $LOADADDR" while getopts "b:k:o:c:l:h" opt do case $opt in b) BIN=$OPTARG ;; k) KEY=$OPTARG ;; o) OUTPUT=$OPTARG ;; l) LOADADDR=$OPTARG ;; c) BOOTCORE=$OPTARG ;; h) usage exit 0 ;; \?) usage "Invalid Option '-$OPTARG'" exit 1 ;; :) usage "Option '-$OPTARG' Needs an argument." exit 1 ;; esac done if [ "$#" -eq 0 ]; then usage "Arguments missing" exit 1 fi if [ -z "$BIN" ]; then usage "Bin file missing in arguments" exit 1 fi # Generate rsa degenerate key if user doesn't provide a key if [ -z "$KEY" ]; then gen_degen_key fi if [ $BOOTCORE == 0 ]; then # BOOTCORE M3, loaded by ROM CERTTYPE=2 elif [ $BOOTCORE == 16 ]; then # BOOTCORE R5, loaded by ROM CERTTYPE=1 else # Non BOOTCORE, loaded by SYSFW BOOTCORE_OPTS_VER=$(printf "%01x" 1) # Add input args option for SET and CLR flags. BOOTCORE_OPTS_SETFLAG=$(printf "%08x" 0) BOOTCORE_OPTS_CLRFLAG=$(printf "%08x" 0x100) # Clear FLAG_ARMV8_AARCH32 BOOTCORE_OPTS="0x$BOOTCORE_OPTS_VER$BOOTCORE_OPTS_SETFLAG$BOOTCORE_OPTS_CLRFLAG" # Set the cert type to zero. # We are not using public/private key store now CERTTYPE=$(printf "0x%08x" 0) fi SHA_VAL=`openssl dgst -sha512 -hex $BIN | sed -e "s/^.*= //g"` BIN_SIZE=`cat $BIN | wc -c` ADDR=`printf "%08x" $LOADADDR` gen_cert() { #echo "Certificate being generated :" #echo " LOADADDR = 0x$ADDR" #echo " IMAGE_SIZE = $BIN_SIZE" #echo " CERT_TYPE = $CERTTYPE" sed -e "s/TEST_IMAGE_LENGTH/$BIN_SIZE/" \ -e "s/TEST_IMAGE_SHA_VAL/$SHA_VAL/" \ -e "s/TEST_CERT_TYPE/$CERTTYPE/" \ -e "s/TEST_BOOT_CORE_OPTS/$BOOTCORE_OPTS/" \ -e "s/TEST_BOOT_CORE/$BOOTCORE/" \ -e "s/TEST_BOOT_ADDR/$ADDR/" x509-template.txt > $TEMP_X509 openssl req -new -x509 -key $KEY -nodes -outform DER -out $CERT -config $TEMP_X509 -sha512 } gen_template gen_cert cat $CERT $BIN > $OUTPUT # Remove all intermediate files rm $TEMP_X509 $CERT x509-template.txt if [ "$KEY" == "$RAND_KEY" ]; then rm $RAND_KEY fi |