From 812dee8d0a6180fda31455e40925abd0d634e9e1 Mon Sep 17 00:00:00 2001
From: Lucjan Bryndza
Date: Mon, 23 Aug 2021 13:03:54 +0200
Subject: [PATCH] [CP-305] Add sign update package in secure mode Add signing package when the secure mode is enabled
Signed-off-by: Lucjan Bryndza
---
 cmake/modules/AddPackage.cmake | 18 +++++++-
 tools/secureboot_sign_package.sh | 70 ++++++++++++++++++++++++++++++++
 2 files changed, 86 insertions(+), 2 deletions(-)
 create mode 100755 tools/secureboot_sign_package.sh
diff --git a/cmake/modules/AddPackage.cmake b/cmake/modules/AddPackage.cmake
index 99406ee5622d0b8ba839965cc804339f83f313b1..471ccc861675eb46f115cb374756a08c03ca8457 100644
--- a/cmake/modules/AddPackage.cmake
+++ b/cmake/modules/AddPackage.cmake
@@ -76,8 +76,22 @@ function(add_update_package SOURCE_TARGET)
 WORKING_DIRECTORY ${CMAKE_BINARY_DIR}
 COMMENT "Generating update image"
 )
- message("Adding '${SOURCE_TARGET}-UpdatePackage' target")
- add_custom_target(${SOURCE_TARGET}-UpdatePackage
+
+ add_custom_command(
+ OUTPUT ${UPDATE_PKG}.sig
 DEPENDS ${UPDATE_PKG}
+ COMMAND ${CMAKE_SOURCE_DIR}/tools/secureboot_sign_package.sh ${CST_PATH} ${ELFTOSB_PATH} ${SRK_TABLE} ${CSF_KEY} ${IMG_KEY} ${UPDATE_PKG}
+ COMMENT "Generating update signature"
+ WORKING_DIRECTORY ${CMAKE_BINARY_DIR}
 )
+ message("Adding '${SOURCE_TARGET}-UpdatePackage' target")
+ if(ENABLE_SECURE_BOOT)
+ add_custom_target(${SOURCE_TARGET}-UpdatePackage
+ DEPENDS ${UPDATE_PKG}.sig
+ )
+ else()
+ add_custom_target(${SOURCE_TARGET}-UpdatePackage
+ DEPENDS ${UPDATE_PKG}
+ )
+ endif()
 endfunction()
diff --git a/tools/secureboot_sign_package.sh b/tools/secureboot_sign_package.sh
new file mode 100755
index 0000000000000000000000000000000000000000..6389cc98eef98a018c40feb5292d5510a7382f37
--- /dev/null
+++ b/tools/secureboot_sign_package.sh
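Review bot: The signing rule's `DEPENDS` (a context line in this hunk) names only `${UPDATE_PKG}`, so a change to `tools/secureboot_sign_package.sh`, or to the SRK table and keys if those variables are file paths, would not regenerate `${UPDATE_PKG}.sig` in an incremental build. Adding the script to the dependency list, `DEPENDS ${UPDATE_PKG} ${CMAKE_SOURCE_DIR}/tools/secureboot_sign_package.sh`, and `VERBATIM` to the new `add_custom_command` would address the staleness and make argument escaping platform-independent. `${CST_PATH}`, `${ELFTOSB_PATH}`, `${SRK_TABLE}`, `${CSF_KEY}` and `${IMG_KEY}` are passed unquoted and nothing visible checks them, so an unset one silently drops out of the command line; the script then fails on its argument count, but a configure-time `message(FATAL_ERROR ...)` under `if(ENABLE_SECURE_BOOT)` would report it earlier. `add_update_package` begins outside this hunk, so any validation already done there is not visible.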
@@ -0,0 +1,70 @@
+#!/bin/bash -e
+# Copyright (c) 2017-2021, Mudita Sp. z.o.o. All rights reserved.
+# For licensing, see https://github.com/mudita/MuditaOS/LICENSE.md
+
+usage() {
+cat << ==usage
+Usage: $(basename "$0") [cst_path] [elf2sb_path] [srk_table] [csf_key] [img_key] [file]
+ cst_path: NXP cst tool path
+ elf2sb_path: NXP elf2sb tool path
+ srk_table: SRK table binary file
+ csf_key: CSF key
+ img_key: Image sign key
+ file: File to sign
+==usage
+exit 1
+}
+
+
+# Generate SRK file from the template
+#param in SRK template input
+#param SRK output file
+gen_srk_from_template() {
+ sed "s|startAddress =.*|startAddress=0x80ff0000;|g
+ s|\${SRK_INDEX}|0|g
+ s|\${SRK_TABLE}|${SRK_TABLE}|g
+ s|\${CSF_KEY}|${CSF_KEY}|g
+ s|\${IMG_KEY}|${IMG_KEY}|g
+ " "$1" > $2
+}
+
+
+if [ $# -ne 6 ]; then
+ echo "Error! Invalid argument count"
+ usage
+ exit 1
+fi
+
+CST_PATH="$1"
+ELF2SB_PATH="$2"
+SRK_TABLE="$3"
+CSF_KEY="$4"
+IMG_KEY="$5"
+FILE_TO_SIGN="$6"
+
+
+# Script root dir
+SCRIPT_DIR=$(dirname "$(readlink -f "$0")")
+
+#File search
+if [ ! -f "$FILE_TO_SIGN" ]; then
+ echo "Error! 
Unable to find file to signature"
+ exit 1
+fi
+#temporary authenticated file HAB
+TEMP_HAB_FILE="$(mktemp)"
+
+# Generate SRK template
+gen_srk_from_template "$SCRIPT_DIR/../config/imx_authenticated_hab.cmake_template" "$TEMP_HAB_FILE"
+
+# Generate SHA 256 binary signature
+openssl dgst -binary -sha256 "$FILE_TO_SIGN" > "$FILE_TO_SIGN.sig"
+# Minimum size of binary is 4k
+truncate -s 4k "${FILE_TO_SIGN}.sig"
+# Convert to srec (acceptable by the tool)
+arm-none-eabi-objcopy --change-addresses=0x80ff1000 --input-target=binary --output-target=srec "$FILE_TO_SIGN.sig" "$FILE_TO_SIGN.srec"
+rm "$FILE_TO_SIGN.sig"
+# Final signing using the tool
+"$SCRIPT_DIR/../config/elftosb_wrapper.sh" "$ELF2SB_PATH" "$CST_PATH" -f imx -V -c "$TEMP_HAB_FILE" -o "$FILE_TO_SIGN.sig" "$FILE_TO_SIGN.srec"
+# Remove temporary files generated by the NXP tools
+rm "$TEMP_HAB_FILE" csf.bin input.csf "${FILE_TO_SIGN}_nopadding.sig" "${FILE_TO_SIGN}.srec" temp.bin
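Review bot: The unsigned SHA-256 digest is written to `"$FILE_TO_SIGN.sig"`, the same path that later receives the tool's signature, and temporaries are removed only on the success path at the end of the script. Because the script runs with `-e`, a failure in `truncate` or `arm-none-eabi-objcopy` exits with the padded digest still sitting at the `.sig` path and the `mktemp` file left behind; whether a later incremental build could pick that file up as the signed output depends on the generator and should be confirmed. Keeping the digest in its own temporary file and cleaning up from an `EXIT` trap reserves the `.sig` name for the signed output, as sketched below. The redirect `> $2` in `gen_srk_from_template` should also be quoted as `> "$2"`.

```shell
# … unchanged: usage, gen_srk_from_template, argument parsing, file check …

TEMP_HAB_FILE="$(mktemp)"
TEMP_DIGEST="$(mktemp)"
cleanup() {
    # Runs on success and on any -e abort, so no intermediate file survives a failed run
    rm -f "$TEMP_HAB_FILE" "$TEMP_DIGEST" "$FILE_TO_SIGN.srec"
}
trap cleanup EXIT

# … unchanged: gen_srk_from_template call …

# Digest goes to a private temporary file, never to the .sig output path
openssl dgst -binary -sha256 "$FILE_TO_SIGN" > "$TEMP_DIGEST"
truncate -s 4k "$TEMP_DIGEST"
arm-none-eabi-objcopy --change-addresses=0x80ff1000 --input-target=binary --output-target=srec "$TEMP_DIGEST" "$FILE_TO_SIGN.srec"
# the intermediate rm of "$FILE_TO_SIGN.sig" is dropped: nothing was written there

# … unchanged: elftosb_wrapper.sh call writing "$FILE_TO_SIGN.sig", final rm of tool by-products …
```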