2 # SPDX-License-Identifier: GPL-2.0+ OR BSD-3-Clause
4 # Script to add K3 specific x509 certificate to a binary.
9 TEMP_X509=x509-temp.cert
18 gen_degen_template() {
19 cat << 'EOF' > degen-template.txt
25 modulus=INTEGER:0xDEGEN_MODULUS
32 coeff=INTEGER:0xDEGEN_COEFF
36 # Generate x509 Template
38 cat << 'EOF' > x509-template.txt
40 distinguished_name = req_distinguished_name
41 x509_extensions = v3_ca
43 dirstring_type = nobmp
45 [ req_distinguished_name ]
49 O = Texas Instruments Incorporated
52 emailAddress = support@ti.com
55 basicConstraints = CA:true
56 1.3.6.1.4.1.294.1.1 = ASN1:SEQUENCE:boot_seq
57 1.3.6.1.4.1.294.1.2 = ASN1:SEQUENCE:image_integrity
58 1.3.6.1.4.1.294.1.3 = ASN1:SEQUENCE:swrv
59 # 1.3.6.1.4.1.294.1.4 = ASN1:SEQUENCE:encryption
60 1.3.6.1.4.1.294.1.8 = ASN1:SEQUENCE:debug
63 certType = INTEGER:TEST_CERT_TYPE
64 bootCore = INTEGER:TEST_BOOT_CORE
65 bootCoreOpts = INTEGER:TEST_BOOT_CORE_OPTS
66 destAddr = FORMAT:HEX,OCT:TEST_BOOT_ADDR
67 imageSize = INTEGER:TEST_IMAGE_LENGTH
70 shaType = OID:2.16.840.1.101.3.4.2.3
71 shaValue = FORMAT:HEX,OCT:TEST_IMAGE_SHA_VAL
74 swrv = INTEGER:TEST_SWRV
77 # initalVector = FORMAT:HEX,OCT:TEST_IMAGE_ENC_IV
78 # randomString = FORMAT:HEX,OCT:TEST_IMAGE_ENC_RS
79 # iterationCnt = INTEGER:TEST_IMAGE_KEY_DERIVE_INDEX
80 # salt = FORMAT:HEX,OCT:TEST_IMAGE_KEY_DERIVE_SALT
83 debugUID = FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000
84 debugType = INTEGER:TEST_DEBUG_TYPE
86 coreDbgSecEn = INTEGER:0
91 sed '/\ \ \ \ /s/://g' key.txt | awk '!/\ \ \ \ / {printf("\n%s\n", $0)}; /\ \ \ \ / {printf("%s", $0)}' | sed 's/\ \ \ \ //g' | awk "/$1:/{getline; print}"
95 # Generate an RSA key (the genrsa call below uses 1024 bits; it is only used to build the degenerate key)
96 openssl genrsa -out key.pem 1024 >>/dev/null 2>&1
97 openssl rsa -in key.pem -text -out key.txt >>/dev/null 2>&1
98 DEGEN_MODULUS=$( parse_key 'modulus' )
99 DEGEN_P=$( parse_key 'prime1' )
100 DEGEN_Q=$( parse_key 'prime2' )
101 DEGEN_COEFF=$( parse_key 'coefficient' )
104 sed -e "s/DEGEN_MODULUS/$DEGEN_MODULUS/"\
105 -e "s/DEGEN_P/$DEGEN_P/" \
106 -e "s/DEGEN_Q/$DEGEN_Q/" \
107 -e "s/DEGEN_COEFF/$DEGEN_COEFF/" \
108 degen-template.txt > degenerateKey.txt
110 openssl asn1parse -genconf degenerateKey.txt -out degenerateKey.der >>/dev/null 2>&1
111 openssl rsa -in degenerateKey.der -inform DER -outform PEM -out $RAND_KEY >>/dev/null 2>&1
113 rm key.pem key.txt degen-template.txt degenerateKey.txt degenerateKey.der
116 declare -A options_help
122 for option in "${!options_help[@]}"
124 arg=`echo ${options_help[$option]}|cut -d ':' -f1`
125 if [ -n "$arg" ]; then
128 echo -n "[-$option$arg] "
132 for option in "${!options_help[@]}"
134 arg=`echo ${options_help[$option]}|cut -d ':' -f1`
135 txt=`echo ${options_help[$option]}|cut -d ':' -f2`
137 if [ -n "$arg" ]; then
141 echo -e " -$option$arg:$tb$txt"
144 echo "Examples of usage:-"
145 echo "# Example of signing the SYSFW binary with rsa degenerate key"
146 echo " $0 -c 0 -b ti-sci-firmware-am6x.bin -o sysfw.bin -l 0x40000"
147 echo "# Example of signing the SPL binary with rsa degenerate key"
148 echo " $0 -c 16 -b spl/u-boot-spl.bin -o tiboot3.bin -l 0x41c00000"
151 options_help[b]="bin_file:Bin file that needs to be signed"
152 options_help[k]="key_file:file with key inside it. If not provided script generates a rsa degenerate key."
153 options_help[o]="output_file:Name of the final output file. default to $OUTPUT"
154 options_help[c]="core_id:target core id on which the image would be running. Default to $BOOTCORE"
155 options_help[l]="loadaddr: Target load address of the binary in hex. Default to $LOADADDR"
156 options_help[d]="debug_type: Debug type, set to 4 to enable early JTAG. Default to $DEBUG_TYPE"
157 options_help[r]="SWRV: Software Rev for X509 certificate"
159 while getopts "b:k:o:c:l:d:h:r:" opt
188 usage "Invalid Option '-$OPTARG'"
192 usage "Option '-$OPTARG' Needs an argument."
198 if [ "$#" -eq 0 ]; then
199 usage "Arguments missing"
203 if [ -z "$BIN" ]; then
204 usage "Bin file missing in arguments"
208 # Generate rsa degenerate key if user doesn't provide a key
209 if [ -z "$KEY" ]; then
213 if [ $BOOTCORE == 0 ]; then # BOOTCORE M3, loaded by ROM
215 elif [ $BOOTCORE == 16 ]; then # BOOTCORE R5, loaded by ROM
217 else # Non BOOTCORE, loaded by SYSFW
218 BOOTCORE_OPTS_VER=$(printf "%01x" 1)
219 # Add input args option for SET and CLR flags.
220 BOOTCORE_OPTS_SETFLAG=$(printf "%08x" 0)
221 BOOTCORE_OPTS_CLRFLAG=$(printf "%08x" 0x100) # Clear FLAG_ARMV8_AARCH32
222 BOOTCORE_OPTS="0x$BOOTCORE_OPTS_VER$BOOTCORE_OPTS_SETFLAG$BOOTCORE_OPTS_CLRFLAG"
223 # Set the cert type to zero.
224 # We are not using public/private key store now
225 CERTTYPE=$(printf "0x%08x" 0)
228 SHA_VAL=`openssl dgst -sha512 -hex $BIN | sed -e "s/^.*= //g"`
229 BIN_SIZE=`cat $BIN | wc -c`
230 ADDR=`printf "%08x" $LOADADDR`
233 #echo "Certificate being generated :"
234 #echo " LOADADDR = 0x$ADDR"
235 #echo " IMAGE_SIZE = $BIN_SIZE"
236 #echo " CERT_TYPE = $CERTTYPE"
237 #echo " DEBUG_TYPE = $DEBUG_TYPE"
239 sed -e "s/TEST_IMAGE_LENGTH/$BIN_SIZE/" \
240 -e "s/TEST_IMAGE_SHA_VAL/$SHA_VAL/" \
241 -e "s/TEST_CERT_TYPE/$CERTTYPE/" \
242 -e "s/TEST_BOOT_CORE_OPTS/$BOOTCORE_OPTS/" \
243 -e "s/TEST_BOOT_CORE/$BOOTCORE/" \
244 -e "s/TEST_BOOT_ADDR/$ADDR/" \
245 -e "s/TEST_DEBUG_TYPE/$DEBUG_TYPE/" \
246 -e "s/TEST_SWRV/$SWRV/" \
247 x509-template.txt > $TEMP_X509
248 openssl req -new -x509 -key $KEY -nodes -outform DER -out $CERT -config $TEMP_X509 -sha512
253 cat $CERT $BIN > $OUTPUT
255 # Remove all intermediate files
256 rm $TEMP_X509 $CERT x509-template.txt
257 if [ "$KEY" == "$RAND_KEY" ]; then