Re: [RFC PATCH] binman: bintool: etype: Add support for ti-secure entry

28 Feb 2023

Hi Neha,
On Fri, 24 Feb 2023 at 05:03, Neha Malcom Francis n-francis@ti.com wrote:
...
core-secdev-k3 is the TI security development package provided for K3
platform devices. This tool helps sign bootloader images with the x509
ceritificate header.
Signed-off-by: Neha Malcom Francis n-francis@ti.com
This patch depends on https://patchwork.ozlabs.org/project/uboot/patch/20230224115101.563729-1-n-f...
and on ongoing development in https://git.ti.com/cgit/security-development-tools/core-secdev-k3
tools/binman/btool/tisecuretool.py            |  72 +++++++++++
 tools/binman/etype/ti_secure.py               | 114 ++++++++++++++++++
 tools/binman/ftest.py                         |  36 ++++++
 tools/binman/test/278_ti_secure_rom.dts       |  11 ++
 tools/binman/test/279_ti_secure.dts           |  11 ++
 .../binman/test/280_ti_secure_nofilename.dts  |  10 ++
 tools/binman/test/281_ti_secure_combined.dts  |  12 ++
 7 files changed, 266 insertions(+)
 create mode 100644 tools/binman/btool/tisecuretool.py
 create mode 100644 tools/binman/etype/ti_secure.py
 create mode 100644 tools/binman/test/278_ti_secure_rom.dts
 create mode 100644 tools/binman/test/279_ti_secure.dts
 create mode 100644 tools/binman/test/280_ti_secure_nofilename.dts
 create mode 100644 tools/binman/test/281_ti_secure_combined.dts
Now that I see what you are doing, this it not quite the right way.
See this hack-up of how you can call the openssl thing. Basically you
should not have a shell script in the way, but instead make your
bintool do it.
https://github.com/sjg20/u-boot/commit/03c0d74f81106570b18d8e4fe7a3355bfeb0d...
I suppose we can have an openssl bintool that others build on top of?
Regards,
Simon
...

diff --git a/tools/binman/btool/tisecuretool.py b/tools/binman/btool/tisecuretool.py
new file mode 100644
index 0000000000..5102bb1f7d
--- /dev/null
+++ b/tools/binman/btool/tisecuretool.py
@@ -0,0 +1,72 @@
+# SPDX-License-Identifier: GPL-2.0+
+# Copyright (c) 2022 Texas Instruments Incorporated - https://www.ti.com/
+# Written by Neha Malcom Francis n-francis@ti.com
+#
+"""Bintool implementation for TI security development tools



+tisecuretool helps add x509 certification for bootloader images for K3 platform devices



+Source code:
+https://git.ti.com/cgit/security-development-tools/core-secdev-k3/"""



+import os



+from binman import bintool
+from patman import tout
+from patman import tools



+class Bintooltisecuretool(bintool.Bintool):

"""Signing tool for TI bootloaders"""
name = 'tisecuretool'
def __init__(self, name):
   super().__init__(name, 'TI secure tool')



def sign_binary_secure(self, fname, out_fname):
   """Create a signed binary



   Args:


       fname (str): Filename to sign


       out_fname (str): Output filename



   Returns:


       str: Tool output


       or None


   """


   tool_path = self.get_path()


   script_path = os.path.join(tool_path, 'scripts/secure-binary-image.sh')


   args = [


       'sh',


       script_path,


       fname,


       out_fname


       ]


   output = self.run_cmd(*args, add_name=False)


   return output



def sign_binary_rom(self, args):
   """Create a signed binary that is booted by ROM



   Args:


       fname (str): Filename to sign


       out_fname (str): Output filename"""


   tool_path = self.get_path()


   script_path = os.path.join(tool_path, 'scripts/secure-rom-boot-image.sh')


   #args.insert(0, script_path)


   args.insert(0, script_path)


   output = self.run_cmd(*args, add_name=False)


   return output



def fetch(self, method):
   """Fetch handler for TI secure tool



   This builds the tool from source



   Returns:


       True if the file was fetched, None if a method other than FETCH_SOURCE


       was requested


   """


   if method != bintool.FETCH_SOURCE:


       return None


   result = self.fetch_from_git(


       'git://git.ti.com/security-development-tools/core-secdev-k3.git', 'tisecuretool')


   return result



diff --git a/tools/binman/etype/ti_secure.py b/tools/binman/etype/ti_secure.py
new file mode 100644
index 0000000000..26f81ff8e8
--- /dev/null
+++ b/tools/binman/etype/ti_secure.py
@@ -0,0 +1,114 @@
+# SPDX-License-Identifier: GPL-2.0+
+# Copyright (c) 2022 Texas Instruments Incorporated - https://www.ti.com/
+# Written by Neha Malcom Francis n-francis@ti.com
+#
+# Entry-type module for signed binaries for TI K3 platform
+#



+from binman.etype.blob import Entry_blob
+from binman import bintool



+from dtoc import fdt_util
+from patman import terminal
+from patman import tools
+from patman import tout



+class Entry_ti_secure(Entry_blob):

"""An entry which contains a signed x509 binary for signing TI
General Purpose as well as High-Security devices.

Properties / Entry arguments:
  - filename: filename of binary file to be secured



Output files:
   - filename_x509 - output file generated by secure x509 signing script (which


       used as entry contents)


"""
def __init__(self, section, etype, node):
   super().__init__(section, etype, node)


   self.filename = fdt_util.GetString(self._node, 'filename')


   self.core = fdt_util.GetString(self._node, 'core', 'secure')


   self.load_addr = fdt_util.GetInt(self._node, 'load', 0x41c00000)


   self.sw_rev = fdt_util.GetInt(self._node, 'sw-rev', 1)


   self.sysfw_cert = fdt_util.GetBool(self._node, 'sysfw-cert', False)


   self.secure = fdt_util.GetBool(self._node, 'secure', False)


   self.combined = fdt_util.GetBool(self._node, 'combined', False)


   self.split_dm = fdt_util.GetBool(self._node, 'split-dm', False)


   self.sysfw_filename = fdt_util.GetString(self._node, 'sysfw-filename')


   self.sysfw_load_addr = fdt_util.GetInt(self._node, 'sysfw-load', 0x40000)


   self.sysfw_data_filename = fdt_util.GetString(self._node, 'sysfw-data-filename')


   self.sysfw_data_load_addr = fdt_util.GetInt(self._node, 'sysfw-data-load', 0x7f000)


   self.sysfw_inner_cert = fdt_util.GetString(self._node, 'sysfw-inner-cert', "")


   self.dm_data_filename = fdt_util.GetString(self._node, 'dm-data-filename')


   self.dm_data_load_addr = fdt_util.GetInt(self._node, 'dm-data-load', 0x41c80000)


   self.sysfw_inner_cert_filename = fdt_util.GetString(self._node, 'sysfw-inner-cert-filename')


   self.toolpresent = False


   if not self.filename:


       self.Raise("ti_secure must have a 'filename' property")



def _SignBinarySecure(self):
   infilename = self.filename


   outfilename = infilename + '_signed'



   data = self.tisecuretool.sign_binary_secure(infilename, outfilename)



   if data is None:


       # Bintool is missing, create a zeroed binary


       self.record_missing_bintool(self.tisecuretool)


       return tools.get_bytes(0, 1024)



   return tools.read_file(outfilename)



def _SignBinaryROM(self):
   input_fname = self.filename


   output_fname = input_fname + "_x509"


   if self.combined:


       args = [


           '-b', input_fname,


           '-l', hex(self.load_addr),


           '-s', self.sysfw_filename,


           '-m', hex(self.sysfw_load_addr),


           '-a', self.sysfw_inner_cert,


           '-d', self.sysfw_data_filename,


           '-n', hex(self.sysfw_data_load_addr),


           '-r', str(self.sw_rev),


           '-o', output_fname,


       ]


       if self.split_dm:


           args.extend(['-t', self.dm_data_filename, '-y', hex(self.dm_data_load_addr)])


   else:


       args = [


           '-a', self.core,


           '-b', input_fname,


           '-o', output_fname,


           '-l', hex(self.load_addr),


           '-r', str(self.sw_rev),



       ]


       if self.sysfw_cert == True:


           args.insert(0, '-u')



   out = self.tisecuretool.sign_binary_rom(args)



   if out is None:


       # Bintool is missing, create a zeroed binary


       self.record_missing_bintool(self.tisecuretool)


       return tools.get_bytes(0, 1024)



   return tools.read_file(output_fname)



def ProcessContents(self):
   if self.secure:


       data = self._SignBinarySecure()


   else:


       data = self._SignBinaryROM()


   return self.ProcessContentsUpdate(data)



def AddBintools(self, btools):
   #super().AddBintools(btools)


   col = terminal.Color()


   self.tisecuretool = self.AddBintool(btools, 'tisecuretool')


   out = self.tisecuretool.fetch_tool(bintool.FETCH_SOURCE, col, True)


   if out == bintool.FAIL:


       # Bintool is missing, record missing


       self.record_missing_bintool(self.tisecuretool)



\ No newline at end of file
diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py
index bf902341c5..72cce0ef02 100644
--- a/tools/binman/ftest.py
+++ b/tools/binman/ftest.py
@@ -97,6 +97,7 @@ PRE_LOAD_MAGIC        = b'UBSH'
 PRE_LOAD_VERSION      = 0x11223344.to_bytes(4, 'big')
 PRE_LOAD_HDR_SIZE     = 0x00001000.to_bytes(4, 'big')
 TI_BOARD_CONFIG_DATA  = b'\x00\x01'
+TIX509DATA            = b'letsgo'
# Subdirectory of the input dir to use to put test FDTs
 TEST_FDT_SUBDIR       = 'fdts'
@@ -206,6 +207,7 @@ class TestFunctional(unittest.TestCase):
         TestFunctional._MakeInputFile('bl2u.bin', ATF_BL2U_DATA)
         TestFunctional._MakeInputFile('fw_dynamic.bin', OPENSBI_DATA)
         TestFunctional._MakeInputFile('scp.bin', SCP_DATA)

   TestFunctional._MakeInputFile('to_sign.bin', TIX509DATA)

   # Add a few .dtb files for testing
   TestFunctional._MakeInputFile('%s/test-fdt1.dtb' % TEST_FDT_SUBDIR,



@@ -6398,5 +6400,39 @@ fdt         fdtmap                Extract the devicetree blob from the fdtmap
         configlen_noheader = TI_BOARD_CONFIG_DATA*4
         self.assertGreater(data, configlen_noheader)

def testTISecureROMImageMissingTool(self):
   """Test that a TI secure signed ROM booted image can be generated although tisecuretool is missing"""


   with test_util.capture_sys_output() as (_, stderr):


       data = self._DoTestFile('278_ti_secure_rom.dts',


           force_missing_bintools='tisecuretool')


   err = stderr.getvalue()


   self.assertRegex(err,


                    "Image 'image'.*missing bintools.*: tisecuretool")



def testTISecureImageMissingTool(self):
   """Test that a TI secure signed image can be generated although tisecuretool is missing"""


   with test_util.capture_sys_output() as (_, stderr):


       data = self._DoTestFile('279_ti_secure.dts',


           force_missing_bintools='tisecuretool')


   err = stderr.getvalue()


   self.assertRegex(err,


                    "Image 'image'.*missing bintools.*: tisecuretool")



def testTISecureNoFilename(self):
   """Test that a missing 'filename' property is detected"""


   with self.assertRaises(ValueError) as e:


       self._DoTestFile('280_ti_secure_nofilename.dts')


   self.assertIn("ti_secure must have a 'filename' property",


                 str(e.exception))



def testTISecureImageCombinedMissingTool(self):
   """Test that a TI secure signed image can be generated although tisecuretool is missing"""


   with test_util.capture_sys_output() as (_, stderr):


       data = self._DoTestFile('281_ti_secure_combined.dts',


           force_missing_bintools='tisecuretool')


   err = stderr.getvalue()


   self.assertRegex(err,


                    "Image 'image'.*missing bintools.*: tisecuretool")




if __name__ == "__main__":
     unittest.main()
diff --git a/tools/binman/test/278_ti_secure_rom.dts b/tools/binman/test/278_ti_secure_rom.dts
new file mode 100644
index 0000000000..67a6a9de8d
--- /dev/null
+++ b/tools/binman/test/278_ti_secure_rom.dts
@@ -0,0 +1,11 @@
+// SPDX-License-Identifier: GPL-2.0+
+/dts-v1/;



+/ {

  binman {


                  ti-secure {


                          filename = "to_sign.bin";


                          sysfw-cert;


                  };


  };



+};
diff --git a/tools/binman/test/279_ti_secure.dts b/tools/binman/test/279_ti_secure.dts
new file mode 100644
index 0000000000..0e60984013
--- /dev/null
+++ b/tools/binman/test/279_ti_secure.dts
@@ -0,0 +1,11 @@
+// SPDX-License-Identifier: GPL-2.0+
+/dts-v1/;



+/ {

  binman {


                  ti-secure {


                          filename = "to_sign.bin";


                          secure;


                  };


  };



+};
diff --git a/tools/binman/test/280_ti_secure_nofilename.dts b/tools/binman/test/280_ti_secure_nofilename.dts
new file mode 100644
index 0000000000..928a50a499
--- /dev/null
+++ b/tools/binman/test/280_ti_secure_nofilename.dts
@@ -0,0 +1,10 @@
+// SPDX-License-Identifier: GPL-2.0+
+/dts-v1/;



+/ {

  binman {


                  ti-secure {


                          secure;


                  };


  };



+};
diff --git a/tools/binman/test/281_ti_secure_combined.dts b/tools/binman/test/281_ti_secure_combined.dts
new file mode 100644
index 0000000000..aadb5a4306
--- /dev/null
+++ b/tools/binman/test/281_ti_secure_combined.dts
@@ -0,0 +1,12 @@
+// SPDX-License-Identifier: GPL-2.0+
+/dts-v1/;



+/ {

  binman {


                  ti-secure {


                          filename = "to_sign.bin";


                          combined;


                          split-dm;


                  };


  };



+};
2.34.1

    

Re: [RFC PATCH] binman: bintool: etype: Add support for ti-secure entry

Simon Glass

Signed-off-by: Neha Malcom Francis n-francis@ti.com

+};