[J-u-boot.git] / tools / k3_gen_x509_cert.sh

#!/bin/bash
# SPDX-License-Identifier: GPL-2.0+ OR BSD-3-Clause
#
# Script to add K3 specific x509 cetificate to a binary.
#

# Variables
OUTPUT=tiboot3.bin
TEMP_X509=x509-temp.cert
CERT=certificate.bin
RAND_KEY=eckey.pem
LOADADDR=0x41c00000
BOOTCORE_OPTS=0
BOOTCORE=16
DEBUG_TYPE=0
SWRV=1

gen_degen_template() {
cat << 'EOF' > degen-template.txt

asn1=SEQUENCE:rsa_key

[rsa_key]
version=INTEGER:0
modulus=INTEGER:0xDEGEN_MODULUS
pubExp=INTEGER:1
privExp=INTEGER:1
p=INTEGER:0xDEGEN_P
q=INTEGER:0xDEGEN_Q
e1=INTEGER:1
e2=INTEGER:1
coeff=INTEGER:0xDEGEN_COEFF
EOF
}

# Generate x509 Template
gen_template() {
cat << 'EOF' > x509-template.txt
 [ req ]
 distinguished_name     = req_distinguished_name
 x509_extensions        = v3_ca
 prompt                 = no
 dirstring_type         = nobmp

 [ req_distinguished_name ]
 C                      = US
 ST                     = TX
 L                      = Dallas
 O                      = Texas Instruments Incorporated
 OU                     = Processors
 CN                     = TI support
 emailAddress           = [email protected]

 [ v3_ca ]
 basicConstraints = CA:true
 1.3.6.1.4.1.294.1.1 = ASN1:SEQUENCE:boot_seq
 1.3.6.1.4.1.294.1.2 = ASN1:SEQUENCE:image_integrity
 1.3.6.1.4.1.294.1.3 = ASN1:SEQUENCE:swrv
# 1.3.6.1.4.1.294.1.4 = ASN1:SEQUENCE:encryption
 1.3.6.1.4.1.294.1.8 = ASN1:SEQUENCE:debug

 [ boot_seq ]
 certType = INTEGER:TEST_CERT_TYPE
 bootCore = INTEGER:TEST_BOOT_CORE
 bootCoreOpts = INTEGER:TEST_BOOT_CORE_OPTS
 destAddr = FORMAT:HEX,OCT:TEST_BOOT_ADDR
 imageSize = INTEGER:TEST_IMAGE_LENGTH

 [ image_integrity ]
 shaType = OID:2.16.840.1.101.3.4.2.3
 shaValue = FORMAT:HEX,OCT:TEST_IMAGE_SHA_VAL

 [ swrv ]
 swrv = INTEGER:TEST_SWRV

# [ encryption ]
# initalVector = FORMAT:HEX,OCT:TEST_IMAGE_ENC_IV
# randomString = FORMAT:HEX,OCT:TEST_IMAGE_ENC_RS
# iterationCnt = INTEGER:TEST_IMAGE_KEY_DERIVE_INDEX
# salt = FORMAT:HEX,OCT:TEST_IMAGE_KEY_DERIVE_SALT

 [ debug ]
 debugUID = FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000
 debugType = INTEGER:TEST_DEBUG_TYPE
 coreDbgEn = INTEGER:0
 coreDbgSecEn = INTEGER:0
EOF
}

parse_key() {
	sed '/    /s/://g' key.txt | \
            awk  '!/    / {printf("\n%s\n", $0)}; /    / {printf("%s", $0)}' | \
            sed 's/    //g' | \
            awk "/$1:/{getline; print}"
}

gen_degen_key() {
# Generate a 4096 bit RSA Key
	openssl genrsa -out key.pem 1024 >>/dev/null 2>&1
	openssl rsa -in key.pem -text -out key.txt >>/dev/null 2>&1
	DEGEN_MODULUS=$( parse_key 'modulus' )
	DEGEN_P=$( parse_key 'prime1' )
	DEGEN_Q=$( parse_key 'prime2' )
	DEGEN_COEFF=$( parse_key 'coefficient' )
	gen_degen_template

	sed -e "s/DEGEN_MODULUS/$DEGEN_MODULUS/"\
		-e "s/DEGEN_P/$DEGEN_P/" \
		-e "s/DEGEN_Q/$DEGEN_Q/" \
		-e "s/DEGEN_COEFF/$DEGEN_COEFF/" \
		 degen-template.txt > degenerateKey.txt

	openssl asn1parse -genconf degenerateKey.txt -out degenerateKey.der >>/dev/null 2>&1
	openssl rsa -in degenerateKey.der -inform DER -outform PEM -out $RAND_KEY >>/dev/null 2>&1
	KEY=$RAND_KEY
	rm key.pem key.txt degen-template.txt degenerateKey.txt degenerateKey.der
}

declare -A options_help
usage() {
	if [ -n "$*" ]; then
		echo "ERROR: $*"
	fi
	echo -n "Usage: $0 "
	for option in "${!options_help[@]}"
	do
		arg=`echo ${options_help[$option]}|cut -d ':' -f1`
		if [ -n "$arg" ]; then
			arg=" $arg"
		fi
		echo -n "[-$option$arg] "
	done
	echo
	echo -e "\nWhere:"
	for option in "${!options_help[@]}"
	do
		arg=`echo ${options_help[$option]}|cut -d ':' -f1`
		txt=`echo ${options_help[$option]}|cut -d ':' -f2`
		tb="\t\t\t"
		if [ -n "$arg" ]; then
			arg=" $arg"
			tb="\t"
		fi
		echo -e "   -$option$arg:$tb$txt"
	done
	echo
	echo "Examples of usage:-"
	echo "# Example of signing the SYSFW binary with rsa degenerate key"
	echo "    $0 -c 0 -b ti-sci-firmware-am6x.bin -o sysfw.bin -l 0x40000"
	echo "# Example of signing the SPL binary with rsa degenerate key"
	echo "    $0 -c 16 -b spl/u-boot-spl.bin -o tiboot3.bin -l 0x41c00000"
}

options_help[b]="bin_file:Bin file that needs to be signed"
options_help[k]="key_file:file with key inside it. If not provided script generates a rsa degenerate key."
options_help[o]="output_file:Name of the final output file. default to $OUTPUT"
options_help[c]="core_id:target core id on which the image would be running. Default to $BOOTCORE"
options_help[l]="loadaddr: Target load address of the binary in hex. Default to $LOADADDR"
options_help[d]="debug_type: Debug type, set to 4 to enable early JTAG. Default to $DEBUG_TYPE"
options_help[r]="SWRV: Software Rev for X509 certificate"

while getopts "b:k:o:c:l:d:h:r:" opt
do
	case $opt in
	b)
		BIN=$OPTARG
	;;
	k)
		KEY=$OPTARG
	;;
	o)
		OUTPUT=$OPTARG
	;;
	l)
		LOADADDR=$OPTARG
	;;
	c)
		BOOTCORE=$OPTARG
	;;
	d)
		DEBUG_TYPE=$OPTARG
	;;
        r)
		SWRV=$OPTARG
	;;
	h)
		usage
		exit 0
	;;
	\?)
		usage "Invalid Option '-$OPTARG'"
		exit 1
	;;
	:)
		usage "Option '-$OPTARG' Needs an argument."
		exit 1
	;;
	esac
done

if [ "$#" -eq 0 ]; then
	usage "Arguments missing"
	exit 1
fi

if [ -z "$BIN" ]; then
	usage "Bin file missing in arguments"
	exit 1
fi

# Generate rsa degenerate key if user doesn't provide a key
if [ -z "$KEY" ]; then
	gen_degen_key
fi

if [ $BOOTCORE == 0 ]; then	# BOOTCORE M3, loaded by ROM
	CERTTYPE=2
elif [ $BOOTCORE == 16 ]; then	# BOOTCORE R5, loaded by ROM
	CERTTYPE=1
else				# Non BOOTCORE, loaded by SYSFW
	BOOTCORE_OPTS_VER=$(printf "%01x" 1)
	# Add input args option for SET and CLR flags.
	BOOTCORE_OPTS_SETFLAG=$(printf "%08x" 0)
	BOOTCORE_OPTS_CLRFLAG=$(printf "%08x" 0x100) # Clear FLAG_ARMV8_AARCH32
	BOOTCORE_OPTS="0x$BOOTCORE_OPTS_VER$BOOTCORE_OPTS_SETFLAG$BOOTCORE_OPTS_CLRFLAG"
	# Set the cert type to zero.
	# We are not using public/private key store now
	CERTTYPE=$(printf "0x%08x" 0)
fi

SHA_VAL=`openssl dgst -sha512 -hex $BIN | sed -e "s/^.*= //g"`
BIN_SIZE=`cat $BIN | wc -c`
ADDR=`printf "%08x" $LOADADDR`

gen_cert() {
	#echo "Certificate being generated :"
	#echo "	LOADADDR = 0x$ADDR"
	#echo "	IMAGE_SIZE = $BIN_SIZE"
	#echo "	CERT_TYPE = $CERTTYPE"
	#echo "	DEBUG_TYPE = $DEBUG_TYPE"
	echo " SWRV = $SWRV"
	sed -e "s/TEST_IMAGE_LENGTH/$BIN_SIZE/"	\
		-e "s/TEST_IMAGE_SHA_VAL/$SHA_VAL/" \
		-e "s/TEST_CERT_TYPE/$CERTTYPE/" \
		-e "s/TEST_BOOT_CORE_OPTS/$BOOTCORE_OPTS/" \
		-e "s/TEST_BOOT_CORE/$BOOTCORE/" \
		-e "s/TEST_BOOT_ADDR/$ADDR/" \
		-e "s/TEST_DEBUG_TYPE/$DEBUG_TYPE/" \
                -e "s/TEST_SWRV/$SWRV/" \
		x509-template.txt > $TEMP_X509
	openssl req -new -x509 -key $KEY -nodes -outform DER -out $CERT -config $TEMP_X509 -sha512
}

gen_template
gen_cert
cat $CERT $BIN > $OUTPUT

# Remove all intermediate files
rm $TEMP_X509 $CERT x509-template.txt
if [ "$KEY" == "$RAND_KEY" ]; then
	rm $RAND_KEY
fi
Commit	Line	Data
ca71186a LV	1	#!/bin/bash
	2	# SPDX-License-Identifier: GPL-2.0+ OR BSD-3-Clause
	3	#
	4	# Script to add K3 specific x509 cetificate to a binary.
	5	#
	6
	7	# Variables
	8	OUTPUT=tiboot3.bin
	9	TEMP_X509=x509-temp.cert
	10	CERT=certificate.bin
	11	RAND_KEY=eckey.pem
	12	LOADADDR=0x41c00000
	13	BOOTCORE_OPTS=0
	14	BOOTCORE=16
a2303f4c	15	DEBUG_TYPE=0
00194272	16	SWRV=1
ca71186a LV	17
	18	gen_degen_template() {
	19	cat << 'EOF' > degen-template.txt
	20
	21	asn1=SEQUENCE:rsa_key
	22
	23	[rsa_key]
	24	version=INTEGER:0
	25	modulus=INTEGER:0xDEGEN_MODULUS
	26	pubExp=INTEGER:1
	27	privExp=INTEGER:1
	28	p=INTEGER:0xDEGEN_P
	29	q=INTEGER:0xDEGEN_Q
	30	e1=INTEGER:1
	31	e2=INTEGER:1
	32	coeff=INTEGER:0xDEGEN_COEFF
	33	EOF
	34	}
	35
	36	# Generate x509 Template
	37	gen_template() {
	38	cat << 'EOF' > x509-template.txt
	39	[ req ]
	40	distinguished_name = req_distinguished_name
	41	x509_extensions = v3_ca
	42	prompt = no
	43	dirstring_type = nobmp
	44
	45	[ req_distinguished_name ]
	46	C = US
	47	ST = TX
	48	L = Dallas
	49	O = Texas Instruments Incorporated
	50	OU = Processors
	51	CN = TI support
	52	emailAddress = [email protected]
	53
	54	[ v3_ca ]
	55	basicConstraints = CA:true
	56	1.3.6.1.4.1.294.1.1 = ASN1:SEQUENCE:boot_seq
	57	1.3.6.1.4.1.294.1.2 = ASN1:SEQUENCE:image_integrity
	58	1.3.6.1.4.1.294.1.3 = ASN1:SEQUENCE:swrv
	59	# 1.3.6.1.4.1.294.1.4 = ASN1:SEQUENCE:encryption
	60	1.3.6.1.4.1.294.1.8 = ASN1:SEQUENCE:debug
	61
	62	[ boot_seq ]
	63	certType = INTEGER:TEST_CERT_TYPE
	64	bootCore = INTEGER:TEST_BOOT_CORE
	65	bootCoreOpts = INTEGER:TEST_BOOT_CORE_OPTS
	66	destAddr = FORMAT:HEX,OCT:TEST_BOOT_ADDR
	67	imageSize = INTEGER:TEST_IMAGE_LENGTH
	68
	69	[ image_integrity ]
	70	shaType = OID:2.16.840.1.101.3.4.2.3
	71	shaValue = FORMAT:HEX,OCT:TEST_IMAGE_SHA_VAL
	72
	73	[ swrv ]
00194272	74	swrv = INTEGER:TEST_SWRV
ca71186a LV	75
	76	# [ encryption ]
	77	# initalVector = FORMAT:HEX,OCT:TEST_IMAGE_ENC_IV
	78	# randomString = FORMAT:HEX,OCT:TEST_IMAGE_ENC_RS
	79	# iterationCnt = INTEGER:TEST_IMAGE_KEY_DERIVE_INDEX
	80	# salt = FORMAT:HEX,OCT:TEST_IMAGE_KEY_DERIVE_SALT
	81
	82	[ debug ]
	83	debugUID = FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000
0428a0b8	84	debugType = INTEGER:TEST_DEBUG_TYPE
ca71186a LV	85	coreDbgEn = INTEGER:0
	86	coreDbgSecEn = INTEGER:0
	87	EOF
	88	}
	89
	90	parse_key() {
cc0b3653 SG	91	sed '/ /s/://g' key.txt \| \
	92	awk '!/ / {printf("\n%s\n", $0)}; / / {printf("%s", $0)}' \| \
	93	sed 's/ //g' \| \
	94	awk "/$1:/{getline; print}"
ca71186a LV	95	}
	96
	97	gen_degen_key() {
	98	# Generate a 4096 bit RSA Key
	99	openssl genrsa -out key.pem 1024 >>/dev/null 2>&1
	100	openssl rsa -in key.pem -text -out key.txt >>/dev/null 2>&1
	101	DEGEN_MODULUS=$( parse_key 'modulus' )
	102	DEGEN_P=$( parse_key 'prime1' )
	103	DEGEN_Q=$( parse_key 'prime2' )
	104	DEGEN_COEFF=$( parse_key 'coefficient' )
	105	gen_degen_template
	106
	107	sed -e "s/DEGEN_MODULUS/$DEGEN_MODULUS/"\
	108	-e "s/DEGEN_P/$DEGEN_P/" \
	109	-e "s/DEGEN_Q/$DEGEN_Q/" \
	110	-e "s/DEGEN_COEFF/$DEGEN_COEFF/" \
	111	degen-template.txt > degenerateKey.txt
	112
	113	openssl asn1parse -genconf degenerateKey.txt -out degenerateKey.der >>/dev/null 2>&1
	114	openssl rsa -in degenerateKey.der -inform DER -outform PEM -out $RAND_KEY >>/dev/null 2>&1
	115	KEY=$RAND_KEY
	116	rm key.pem key.txt degen-template.txt degenerateKey.txt degenerateKey.der
	117	}
	118
	119	declare -A options_help
	120	usage() {
	121	if [ -n "$*" ]; then
	122	echo "ERROR: $*"
	123	fi
	124	echo -n "Usage: $0 "
	125	for option in "${!options_help[@]}"
	126	do
	127	arg=`echo ${options_help[$option]}\|cut -d ':' -f1`
	128	if [ -n "$arg" ]; then
	129	arg=" $arg"
	130	fi
	131	echo -n "[-$option$arg] "
	132	done
	133	echo
	134	echo -e "\nWhere:"
	135	for option in "${!options_help[@]}"
	136	do
	137	arg=`echo ${options_help[$option]}\|cut -d ':' -f1`
	138	txt=`echo ${options_help[$option]}\|cut -d ':' -f2`
	139	tb="\t\t\t"
	140	if [ -n "$arg" ]; then
	141	arg=" $arg"
	142	tb="\t"
	143	fi
	144	echo -e " -$option$arg:$tb$txt"
	145	done
	146	echo
	147	echo "Examples of usage:-"
	148	echo "# Example of signing the SYSFW binary with rsa degenerate key"
	149	echo " $0 -c 0 -b ti-sci-firmware-am6x.bin -o sysfw.bin -l 0x40000"
	150	echo "# Example of signing the SPL binary with rsa degenerate key"
	151	echo " $0 -c 16 -b spl/u-boot-spl.bin -o tiboot3.bin -l 0x41c00000"
	152	}
	153
	154	options_help[b]="bin_file:Bin file that needs to be signed"
	155	options_help[k]="key_file:file with key inside it. If not provided script generates a rsa degenerate key."
	156	options_help[o]="output_file:Name of the final output file. default to $OUTPUT"
	157	options_help[c]="core_id:target core id on which the image would be running. Default to $BOOTCORE"
	158	options_help[l]="loadaddr: Target load address of the binary in hex. Default to $LOADADDR"
a2303f4c	159	options_help[d]="debug_type: Debug type, set to 4 to enable early JTAG. Default to $DEBUG_TYPE"
00194272	160	options_help[r]="SWRV: Software Rev for X509 certificate"
ca71186a	161
00194272	162	while getopts "b:k:o:c:l:d:h:r:" opt
ca71186a LV	163	do
	164	case $opt in
	165	b)
	166	BIN=$OPTARG
	167	;;
	168	k)
	169	KEY=$OPTARG
	170	;;
	171	o)
	172	OUTPUT=$OPTARG
	173	;;
	174	l)
	175	LOADADDR=$OPTARG
	176	;;
	177	c)
	178	BOOTCORE=$OPTARG
	179	;;
0428a0b8 AD	180	d)
	181	DEBUG_TYPE=$OPTARG
	182	;;
00194272 YS	183	r)
	184	SWRV=$OPTARG
	185	;;
ca71186a LV	186	h)
	187	usage
	188	exit 0
	189	;;
	190	\?)
	191	usage "Invalid Option '-$OPTARG'"
	192	exit 1
	193	;;
	194	:)
	195	usage "Option '-$OPTARG' Needs an argument."
	196	exit 1
	197	;;
	198	esac
	199	done
	200
	201	if [ "$#" -eq 0 ]; then
	202	usage "Arguments missing"
	203	exit 1
	204	fi
	205
	206	if [ -z "$BIN" ]; then
	207	usage "Bin file missing in arguments"
	208	exit 1
	209	fi
	210
	211	# Generate rsa degenerate key if user doesn't provide a key
	212	if [ -z "$KEY" ]; then
	213	gen_degen_key
	214	fi
	215
	216	if [ $BOOTCORE == 0 ]; then # BOOTCORE M3, loaded by ROM
	217	CERTTYPE=2
	218	elif [ $BOOTCORE == 16 ]; then # BOOTCORE R5, loaded by ROM
	219	CERTTYPE=1
	220	else # Non BOOTCORE, loaded by SYSFW
	221	BOOTCORE_OPTS_VER=$(printf "%01x" 1)
	222	# Add input args option for SET and CLR flags.
	223	BOOTCORE_OPTS_SETFLAG=$(printf "%08x" 0)
	224	BOOTCORE_OPTS_CLRFLAG=$(printf "%08x" 0x100) # Clear FLAG_ARMV8_AARCH32
	225	BOOTCORE_OPTS="0x$BOOTCORE_OPTS_VER$BOOTCORE_OPTS_SETFLAG$BOOTCORE_OPTS_CLRFLAG"
	226	# Set the cert type to zero.
	227	# We are not using public/private key store now
	228	CERTTYPE=$(printf "0x%08x" 0)
	229	fi
	230
	231	SHA_VAL=`openssl dgst -sha512 -hex $BIN \| sed -e "s/^.*= //g"`
	232	BIN_SIZE=`cat $BIN \| wc -c`
	233	ADDR=`printf "%08x" $LOADADDR`
	234
	235	gen_cert() {
	236	#echo "Certificate being generated :"
	237	#echo " LOADADDR = 0x$ADDR"
	238	#echo " IMAGE_SIZE = $BIN_SIZE"
	239	#echo " CERT_TYPE = $CERTTYPE"
0428a0b8	240	#echo " DEBUG_TYPE = $DEBUG_TYPE"
00194272	241	echo " SWRV = $SWRV"
ca71186a LV	242	sed -e "s/TEST_IMAGE_LENGTH/$BIN_SIZE/" \
	243	-e "s/TEST_IMAGE_SHA_VAL/$SHA_VAL/" \
	244	-e "s/TEST_CERT_TYPE/$CERTTYPE/" \
	245	-e "s/TEST_BOOT_CORE_OPTS/$BOOTCORE_OPTS/" \
	246	-e "s/TEST_BOOT_CORE/$BOOTCORE/" \
0428a0b8 AD	247	-e "s/TEST_BOOT_ADDR/$ADDR/" \
0428a0b8 AD	248	-e "s/TEST_DEBUG_TYPE/$DEBUG_TYPE/" \
00194272	249	-e "s/TEST_SWRV/$SWRV/" \
0428a0b8	250	x509-template.txt > $TEMP_X509
ca71186a LV	251	openssl req -new -x509 -key $KEY -nodes -outform DER -out $CERT -config $TEMP_X509 -sha512
	252	}
	253
	254	gen_template
	255	gen_cert
	256	cat $CERT $BIN > $OUTPUT
	257
	258	# Remove all intermediate files
	259	rm $TEMP_X509 $CERT x509-template.txt
	260	if [ "$KEY" == "$RAND_KEY" ]; then
	261	rm $RAND_KEY
	262	fi