
Add possibility to encrypt BL* firmware and some code fixes

Closed Dariusz Iwanoczko requested to merge diw-atf-bl-encryption into devel
@@ -5,8 +5,9 @@ SECURE_BOOT_ROTPK_KEY_SIZE ?= 4096
@@ -5,8 +5,9 @@ SECURE_BOOT_ROTPK_KEY_SIZE ?= 4096
SECURE_BOOT_ROTPK_HASH_ALG ?= sha512
SECURE_BOOT_ROTPK_HASH_ALG ?= sha512
SECURE_BOOT_ROTPK ?= $(SECURE_BOOT_KEY_DIR)/rot_key_$(SECURE_BOOT_ROTPK_KEY_SIZE).pem
SECURE_BOOT_ROTPK ?= $(SECURE_BOOT_KEY_DIR)/rot_key_$(SECURE_BOOT_ROTPK_KEY_SIZE).pem
SECURE_BOOT_ENC_ALG ?= aes256
SECURE_BOOT_ENCRYPT ?= y
SECURE_BOOT_ENC_KEY ?= $(SECURE_BOOT_KEY_DIR)/aes_$(SECURE_BOOT_ENC_ALG)
SECURE_BOOT_ENCRYPT_ALG ?= aes256
 
SECURE_BOOT_ENCRYPT_KEY ?= $(SECURE_BOOT_KEY_DIR)/aes_$(SECURE_BOOT_ENCRYPT_ALG)
# Temporary paths
# Temporary paths
WORK_PATH := $(STAGING_DIR_IMAGE)/nand-image
WORK_PATH := $(STAGING_DIR_IMAGE)/nand-image
@@ -14,11 +15,45 @@ CERT_PATH := $(WORK_PATH)-cert
@@ -14,11 +15,45 @@ CERT_PATH := $(WORK_PATH)-cert
UBOOT_VERSION_ID := 938f0820-2ffb-11e7-bbc9-2f21351ee6fb
UBOOT_VERSION_ID := 938f0820-2ffb-11e7-bbc9-2f21351ee6fb
 
# Call ENC_AES_KEY or ENC_AES_IV to get accordingly 32-byte (256-bit) symmetric key
 
# and 12-byte (96-bit) initialization vector (IV).
 
# Do not use makefile's shell command to prevent print the values in the console.
 
ifneq ($(SECURE_BOOT_ENCRYPT_KEY),"")
 
define ENC_AES_KEY
 
`grep -E 'key *=' $(SECURE_BOOT_ENCRYPT_KEY) | cut -d= -f2`
 
endef
 
 
define ENC_AES_IV
 
`grep -E 'iv *=' $(SECURE_BOOT_ENCRYPT_KEY) | cut -d= -f2`
 
endef
 
else # SECURE_BOOT_ENCRYPT_KEY
 
$(error Error: Path to encryption key not defined! Double check SECURE_BOOT_ENCRYPT_KEY value)
 
endif # SECURE_BOOT_ENCRYPT_KEY
 
 
# Invokes encrypt_fw to encrypt firmware binary
 
# $(1) = BL stage (1, 2, 2u, 31, 32)
 
define iopsys-encrypt-fw
 
$(STAGING_DIR_HOST)/bin/encrypt_fw \
 
-f 0 \
 
-k $(call ENC_AES_KEY) \
 
-n $(call ENC_AES_IV) \
 
-i $(STAGING_DIR_IMAGE)/$(TCPLATFORM)-bl$(1).bin \
 
-o $(STAGING_DIR_IMAGE)/$(TCPLATFORM)-bl$(1)_enc.bin
 
 
$(STAGING_DIR_HOST)/bin/lzma e \
 
$(STAGING_DIR_IMAGE)/$(TCPLATFORM)-bl$(1)_enc.bin \
 
$(STAGING_DIR_IMAGE)/$(TCPLATFORM)-bl$(1)_enc.lzma
 
 
$(eval ENC_BL$(1) := _enc)
 
endef
 
define iopsys-precheck-secure-boot
define iopsys-precheck-secure-boot
 
@echo Secure Boot: Sanity precheck
$(if $(SECURE_BOOT_ENABLE),
$(if $(SECURE_BOOT_ENABLE),
$(if $(SECURE_BOOT_KEY_DIR),,$(error Secure boot key dir not specified!))
$(if $(SECURE_BOOT_KEY_DIR),,$(error Secure boot key dir not specified!))
$(if $(wildcard $(SECURE_BOOT_ROTPK)),,$(error Cannot find Root Of Trust Pre-shared Key in key dir!))
$(if $(wildcard $(SECURE_BOOT_ROTPK)),,$(error Cannot find Root Of Trust Pre-shared Key in key dir!))
$(if $(wildcard $(SECURE_BOOT_ENC_KEY)),,$(error Cannot find encryption key in key dir!)),)
$(if $(SECURE_BOOT_ENCRYPT),
 
$(if $(wildcard $(SECURE_BOOT_ENCRYPT_KEY)),,$(error Cannot find encryption key in key dir!))))
endef
endef
# $(1) build prefix
# $(1) build prefix
@@ -34,6 +69,12 @@ define iopsys-prepare-secure-boot
@@ -34,6 +69,12 @@ define iopsys-prepare-secure-boot
cp -pv $(SECURE_BOOT_ROTPK) $(CERT_PATH)-$(notdir $(1))/ROTkey; \
cp -pv $(SECURE_BOOT_ROTPK) $(CERT_PATH)-$(notdir $(1))/ROTkey; \
fi
fi
 
# Encrypt firmware binary
 
 
$(if $(and $(SECURE_BOOT_ENABLE),$(SECURE_BOOT_ENCRYPT)),
 
$(call iopsys-encrypt-fw,2)
 
$(call iopsys-encrypt-fw,31))
 
# This is lzma/config dependent
# This is lzma/config dependent
$(STAGING_DIR_HOST)/bin/lzma e \
$(STAGING_DIR_HOST)/bin/lzma e \
$(2) \
$(2) \
@@ -58,8 +99,8 @@ define iopsys-prepare-secure-boot
@@ -58,8 +99,8 @@ define iopsys-prepare-secure-boot
--soc-fw-key-cert $(CERT_PATH)-$(notdir $(1))/soc_fw_key.crt \
--soc-fw-key-cert $(CERT_PATH)-$(notdir $(1))/soc_fw_key.crt \
--nt-fw-cert $(CERT_PATH)-$(notdir $(1))/nt_fw_content.crt \
--nt-fw-cert $(CERT_PATH)-$(notdir $(1))/nt_fw_content.crt \
--nt-fw-key-cert $(CERT_PATH)-$(notdir $(1))/nt_fw_key.crt \
--nt-fw-key-cert $(CERT_PATH)-$(notdir $(1))/nt_fw_key.crt \
--tb-fw $(STAGING_DIR_IMAGE)/$(TCPLATFORM)-bl2.bin \
--tb-fw $(STAGING_DIR_IMAGE)/$(TCPLATFORM)-bl2$(ENC_BL2).bin \
--soc-fw $(STAGING_DIR_IMAGE)/$(TCPLATFORM)-bl31.lzma \
--soc-fw $(STAGING_DIR_IMAGE)/$(TCPLATFORM)-bl31$(ENC_BL31).lzma \
--nt-fw $(WORK_PATH)-$(notdir $(1))/u-boot-ram.lzma
--nt-fw $(WORK_PATH)-$(notdir $(1))/u-boot-ram.lzma
# This is mostly generic (depends on which fiptool is used though)
# This is mostly generic (depends on which fiptool is used though)
@@ -71,8 +112,8 @@ define iopsys-prepare-secure-boot
@@ -71,8 +112,8 @@ define iopsys-prepare-secure-boot
--nt-fw-cert $(CERT_PATH)-$(notdir $(1))/nt_fw_content.crt \
--nt-fw-cert $(CERT_PATH)-$(notdir $(1))/nt_fw_content.crt \
--nt-fw-key-cert $(CERT_PATH)-$(notdir $(1))/nt_fw_key.crt \
--nt-fw-key-cert $(CERT_PATH)-$(notdir $(1))/nt_fw_key.crt \
--align 1024 \
--align 1024 \
--tb-fw $(STAGING_DIR_IMAGE)/$(TCPLATFORM)-bl2.bin \
--tb-fw $(STAGING_DIR_IMAGE)/$(TCPLATFORM)-bl2$(ENC_BL2).bin \
--soc-fw $(STAGING_DIR_IMAGE)/$(TCPLATFORM)-bl31.lzma \
--soc-fw $(STAGING_DIR_IMAGE)/$(TCPLATFORM)-bl31$(ENC_BL31).lzma \
--nt-fw $(WORK_PATH)-$(notdir $(1))/u-boot-ram.lzma \
--nt-fw $(WORK_PATH)-$(notdir $(1))/u-boot-ram.lzma \
$(WORK_PATH)-$(notdir $(1))/preloader.bin
$(WORK_PATH)-$(notdir $(1))/preloader.bin
@@ -130,9 +171,9 @@ define Build/generate-rotpk-fuse
@@ -130,9 +171,9 @@ define Build/generate-rotpk-fuse
$(STAGING_DIR_IMAGE)/$(TCPLATFORM)-ecnt_efuse \
$(STAGING_DIR_IMAGE)/$(TCPLATFORM)-ecnt_efuse \
-s $(SECURE_BOOT_ROTPK_HASH_ALG) \
-s $(SECURE_BOOT_ROTPK_HASH_ALG) \
-r $(CERT_PATH)/rotpk_$(SECURE_BOOT_ROTPK_KEY_SIZE)_$(SECURE_BOOT_ROTPK_HASH_ALG).bin \
-r $(CERT_PATH)/rotpk_$(SECURE_BOOT_ROTPK_KEY_SIZE)_$(SECURE_BOOT_ROTPK_HASH_ALG).bin \
-a $(SECURE_BOOT_ENC_ALG) \
-a $(SECURE_BOOT_ENCRYPT_ALG) \
-k $$(grep -E '^key *=[A-F0-9]+$$$$' $(SECURE_BOOT_ENC_KEY) | sed -e 's/^key *=//') \
-k $(call ENC_AES_KEY) \
-o $(CERT_PATH)/ecntefuse_$(SECURE_BOOT_ROTPK_KEY_SIZE)_$(SECURE_BOOT_ROTPK_HASH_ALG)_$(SECURE_BOOT_ENC_ALG).bin
-o $(CERT_PATH)/ecntefuse_$(SECURE_BOOT_ROTPK_KEY_SIZE)_$(SECURE_BOOT_ROTPK_HASH_ALG)_$(SECURE_BOOT_ENCRYPT_ALG).bin
cp -rpT $(CERT_PATH) $(STAGING_DIR_IMAGE)/$$(UBOOT_TARGET)-secure_boot_keys_certs
cp -rpT $(CERT_PATH) $(STAGING_DIR_IMAGE)/$$(UBOOT_TARGET)-secure_boot_keys_certs
rm -rf $(CERT_PATH)
rm -rf $(CERT_PATH)
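Review bot: `iopsys-encrypt-fw` hands encrypt_fw the same key and the same IV, both read from `$(SECURE_BOOT_ENCRYPT_KEY)`, for BL2 and for BL31 (the two `$(call iopsys-encrypt-fw,…)` lines in `iopsys-prepare-secure-boot`), and again on every rebuild. The added comment describes a 96-bit IV, which suggests AES-GCM; if that is the mode, a key/IV pair reused across different images breaks both confidentiality and the authentication tag. Each image then needs its own nonce, for instance one generated per call with `openssl rand -hex 12`, provided this platform's encrypt_fw stores the nonce in the output header (to be confirmed). Separately, `ifneq ($(SECURE_BOOT_ENCRYPT_KEY),"")` compares against two literal quote characters, so the `$(error …)` branch never fires for an empty value; `ifneq ($(strip $(SECURE_BOOT_ENCRYPT_KEY)),)` is the intended test. The new `grep -E 'key *='` and `grep -E 'iv *='` also drop the old `^key *=[A-F0-9]+$` anchoring and hex check, so a malformed or multi-match key file now reaches `-k`/`-n` unvalidated; keeping the anchored pattern for both fields would preserve that check.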