From patchwork Wed May 27 13:47:54 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrew Davis X-Patchwork-Id: 246726 List-Id: U-Boot discussion From: afd at ti.com (Andrew F. Davis) Date: Wed, 27 May 2020 09:47:54 -0400 Subject: [PATCH v2 1/2] tools: k3_gen_x509_cert: Allow selecting early JTAG debug value Message-ID: <20200527134755.3517-1-afd@ti.com> When authenticating the initial boot binary the ROM will check a debug type value in the certificate and based on that open JTAG access to that core. Make this selectable in the signing tool to allow it to be enabled or disabled based on user command line input. This does not change the default behavior. Signed-off-by: Andrew F. Davis --- Changes from v1: - Split into two patches as suggested by Lokesh - Expanded explanation for default value change tools/k3_gen_x509_cert.sh | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/tools/k3_gen_x509_cert.sh b/tools/k3_gen_x509_cert.sh index b6d055f6f5..c6361720d3 100755 --- a/tools/k3_gen_x509_cert.sh +++ b/tools/k3_gen_x509_cert.sh @@ -12,6 +12,7 @@ RAND_KEY=eckey.pem LOADADDR=0x41c00000 BOOTCORE_OPTS=0 BOOTCORE=16 +DEBUG_TYPE=4 gen_degen_template() { cat << 'EOF' > degen-template.txt @@ -79,7 +80,7 @@ cat << 'EOF' > x509-template.txt [ debug ] debugUID = FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000 - debugType = INTEGER:4 + debugType = INTEGER:TEST_DEBUG_TYPE coreDbgEn = INTEGER:0 coreDbgSecEn = INTEGER:0 EOF @@ -151,8 +152,9 @@ options_help[k]="key_file:file with key inside it. If not provided script genera options_help[o]="output_file:Name of the final output file. default to $OUTPUT" options_help[c]="core_id:target core id on which the image would be running. Default to $BOOTCORE" options_help[l]="loadaddr: Target load address of the binary in hex. Default to $LOADADDR" +options_help[d]="debug_type: Debug type, set to 0 to disable early JTAG. Default to $DEBUG_TYPE" -while getopts "b:k:o:c:l:h" opt +while getopts "b:k:o:c:l:d:h" opt do case $opt in b) @@ -170,6 +172,9 @@ do c) BOOTCORE=$OPTARG ;; + d) + DEBUG_TYPE=$OPTARG + ;; h) usage exit 0 @@ -224,12 +229,15 @@ gen_cert() { #echo " LOADADDR = 0x$ADDR" #echo " IMAGE_SIZE = $BIN_SIZE" #echo " CERT_TYPE = $CERTTYPE" + #echo " DEBUG_TYPE = $DEBUG_TYPE" sed -e "s/TEST_IMAGE_LENGTH/$BIN_SIZE/" \ -e "s/TEST_IMAGE_SHA_VAL/$SHA_VAL/" \ -e "s/TEST_CERT_TYPE/$CERTTYPE/" \ -e "s/TEST_BOOT_CORE_OPTS/$BOOTCORE_OPTS/" \ -e "s/TEST_BOOT_CORE/$BOOTCORE/" \ - -e "s/TEST_BOOT_ADDR/$ADDR/" x509-template.txt > $TEMP_X509 + -e "s/TEST_BOOT_ADDR/$ADDR/" \ + -e "s/TEST_DEBUG_TYPE/$DEBUG_TYPE/" \ + x509-template.txt > $TEMP_X509 openssl req -new -x509 -key $KEY -nodes -outform DER -out $CERT -config $TEMP_X509 -sha512 } From patchwork Wed May 27 13:47:55 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrew Davis X-Patchwork-Id: 246727 List-Id: U-Boot discussion From: afd at ti.com (Andrew F. Davis) Date: Wed, 27 May 2020 09:47:55 -0400 Subject: [PATCH v2 2/2] tools: k3_gen_x509_cert: Set default early HS JTAG access to disabled In-Reply-To: <20200527134755.3517-1-afd@ti.com> References: <20200527134755.3517-1-afd@ti.com> Message-ID: <20200527134755.3517-2-afd@ti.com> When authenticating the initial boot binary the ROM will check a debug type value in the certificate and based on that open JTAG access to that core. This only effects HS devices as non-HS device ROM allows JTAG by default. This can be useful for HS developers working in the early boot stage, before SYSFW is loaded. After that point the JTAG access can be changed based on board configurations passed to SYSFW. This access can also be a large security problem as JTAG access on HS devices can be used to circumvent the chain-of-trust controls. Accidentally leaving this open defeats the security on HS, due to this change the default to disabled. This should only effect those working on early HS boot code, which is a limited crowd who will already know how to re-enable this access as needed. Signed-off-by: Andrew F. Davis --- Changes from v1: - Split into two patches as suggested by Lokesh - Expanded explanation for default value change tools/k3_gen_x509_cert.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/k3_gen_x509_cert.sh b/tools/k3_gen_x509_cert.sh index c6361720d3..298cec1313 100755 --- a/tools/k3_gen_x509_cert.sh +++ b/tools/k3_gen_x509_cert.sh @@ -12,7 +12,7 @@ RAND_KEY=eckey.pem LOADADDR=0x41c00000 BOOTCORE_OPTS=0 BOOTCORE=16 -DEBUG_TYPE=4 +DEBUG_TYPE=0 gen_degen_template() { cat << 'EOF' > degen-template.txt @@ -152,7 +152,7 @@ options_help[k]="key_file:file with key inside it. If not provided script genera options_help[o]="output_file:Name of the final output file. default to $OUTPUT" options_help[c]="core_id:target core id on which the image would be running. Default to $BOOTCORE" options_help[l]="loadaddr: Target load address of the binary in hex. Default to $LOADADDR" -options_help[d]="debug_type: Debug type, set to 0 to disable early JTAG. Default to $DEBUG_TYPE" +options_help[d]="debug_type: Debug type, set to 4 to enable early JTAG. Default to $DEBUG_TYPE" while getopts "b:k:o:c:l:d:h" opt do