Re: [U-Boot] [PATCH v3 5/6] binman: add ROM image signing for Bay Trail SoC

2017-12-04 Thread Anatolij Gustschin
Hi Bin,

On Mon, 4 Dec 2017 14:30:03 +0800
Bin Meng bmeng...@gmail.com wrote:
...
> > diff --git a/arch/x86/dts/u-boot.dtsi b/arch/x86/dts/u-boot.dtsi
> > index 7e37d4f394..98e2309108 100644
> > --- a/arch/x86/dts/u-boot.dtsi
> > +++ b/arch/x86/dts/u-boot.dtsi
> > @@ -15,6 +15,13 @@
> > sort-by-pos;
> > pad-byte = <0xff>;
> > size = ;
> > +#ifdef CONFIG_BAYTRAIL_SECURE_BOOT  
> 
> This needs to be a generic macro like CONFIG_SECURE_BOOT as this
> affects all x86 rom images.

OK, will fix it.
 
> > +   sign;
> > +#ifdef CONFIG_SYS_SOC  
> 
> I believe CONFIG_SYS_SOC is defined by every board, so no need to do
> #ifdef here.

OK, I can drop it.

...
> > +OEM_PRIV_KEY_FILE_NAME = 'oemkey.pem'
> > +OEM_PUB_KEY_FILE_NAME = 'pub_oemkey.pem'
> > +OEM_PUBKEY_BIN_FILE_NAME = 'pub_oemkey.bin'
> > +OEM_PUBKEY_AND_SIG_FILE_NAME = 'oem_pub_sig.bin'  
> 
> This deserves a comment block on how these files are generated on the host.

OK.

...
> > +# FSP Stage2 size is 0x1f400. For debug FSP it is 0x2f400,
> > +# you must change it here wenn building with debug FSP image!  
> 
> typo: wenn -> when

OK, thanks.

> > +FSP_STAGE_2_SIZE = 0x1f400
> > +FSP_UPD_SIZE = 0xc00
> > +IBB_SIZE = 0x1fc00
> > +MANIFEST_SIZE = 0x400
> > +OEM_BLOCK_MAX_SIZE = 0x190
> > +U_BOOT_ROM_SIZE = 0x80  
> 
> Can this file size be determined from the CONFIG_ROM_SIZE?
> 
> > +ROMFILE_SYS_TEXT_BASE = 0x0070  
> 
> and calculate this by ourselves?

I cannot invest more time on this, I'm having many issues to add
coverage tests for this file, so I'll give it up. We are far beyond
the planned efforts for this topic and I cannot spend time to polish
this further, sorry.

Thanks,
Anatolij


Re: [U-Boot] [PATCH v3 5/6] binman: add ROM image signing for Bay Trail SoC

2017-12-03 Thread Bin Meng
Hi Anatolij,

On Fri, Nov 17, 2017 at 9:16 AM, Anatolij Gustschin  wrote:
> Generate u-boot-verified.rom image containing Secure Boot Manifest
> when secure boot option is enabled.
>
> Signed-off-by: Anatolij Gustschin 
> ---
> NOTE: This patch applies on top of binman changes in binman-working
> branch in git://git.denx.de/u-boot-dm.git
>
> Changes in v3:
>  - New patch. Moved signing script functionality (secure_boot_helper.py
>in first series) to binman. The signing is enabled automatically
>via u-boot.dtsi when secure boot option is enabled
>  - Clean up all temporary files generated by signing script
>
>  arch/x86/dts/u-boot.dtsi |   7 +
>  tools/binman/signing/baytrail.py | 313 
> +++
>  tools/binman/signing/signer.py   |   3 +
>  3 files changed, 323 insertions(+)
>  create mode 100644 tools/binman/signing/baytrail.py
>
> diff --git a/arch/x86/dts/u-boot.dtsi b/arch/x86/dts/u-boot.dtsi
> index 7e37d4f394..98e2309108 100644
> --- a/arch/x86/dts/u-boot.dtsi
> +++ b/arch/x86/dts/u-boot.dtsi
> @@ -15,6 +15,13 @@
> sort-by-pos;
> pad-byte = <0xff>;
> size = ;
> +#ifdef CONFIG_BAYTRAIL_SECURE_BOOT

This needs to be a generic macro like CONFIG_SECURE_BOOT as this
affects all x86 rom images.

> +   sign;
> +#ifdef CONFIG_SYS_SOC

I believe CONFIG_SYS_SOC is defined by every board, so no need to do
#ifdef here.

> +   socname = CONFIG_SYS_SOC;
> +#endif
> +#endif
> +
>  #ifdef CONFIG_HAVE_INTEL_ME
> intel-descriptor {
> filename = CONFIG_FLASH_DESCRIPTOR_FILE;
> diff --git a/tools/binman/signing/baytrail.py 
> b/tools/binman/signing/baytrail.py
> new file mode 100644
> index 00..3bfbbedb5d
> --- /dev/null
> +++ b/tools/binman/signing/baytrail.py
> @@ -0,0 +1,313 @@
> +# Copyright (c) 2017 DENX Software Engineering
> +# Written by Markus Valentin 
> +# Adapted for binman integration: Anatolij Gustschin 
> +#
> +# SPDX-License-Identifier: GPL-2.0+
> +#
> +# Functions for signing the binman output image for Bay Trail SoC
> +#
> +
> +import binascii
> +import logging, sys
> +import os
> +
> +from hashlib import sha256
> +from os.path import basename, isfile, splitext
> +from os.path import join as pjoin
> +from struct import pack
> +
> +import OpenSSL
> +from OpenSSL import crypto
> +from cryptography import x509
> +from cryptography.hazmat.backends import default_backend
> +
> +FSP_FILE_NAME = "fsp-sb.bin"
> +FSP_STAGE2_FILE_NAME = "fsp_stage2.bin"
> +U_BOOT_ROM_FILE_NAME = 'u-boot.rom'
> +OUTPUT_FILE_NAME = 'u-boot-verified.rom'
> +U_BOOT_TO_SIGN_FILE_NAME = 'u-boot-to-sign.bin'
> +IBB_FILE_NAME = 'ibb.bin'
> +FPF_CONFIG_FILE_NAME = 'fpf_config.txt'
> +SIGNED_MANIFEST_FILE_NAME = 'signed_manifest.bin'
> +UNSIGNED_MANIFEST_FILE_NAME = 'un'+SIGNED_MANIFEST_FILE_NAME
> +OEM_FILE_NAME = 'oemdata.bin'
> +
> +OEM_PRIV_KEY_FILE_NAME = 'oemkey.pem'
> +OEM_PUB_KEY_FILE_NAME = 'pub_oemkey.pem'
> +OEM_PUBKEY_BIN_FILE_NAME = 'pub_oemkey.bin'
> +OEM_PUBKEY_AND_SIG_FILE_NAME = 'oem_pub_sig.bin'

This deserves a comment block on how these files are generated on the host.

> +
> +FIT_PUB_KEY_FILE_NAME = "dev.crt"
> +
> +# FSP Stage2 size is 0x1f400. For debug FSP it is 0x2f400,
> +# you must change it here wenn building with debug FSP image!

typo: wenn -> when

> +FSP_STAGE_2_SIZE = 0x1f400
> +FSP_UPD_SIZE = 0xc00
> +IBB_SIZE = 0x1fc00
> +MANIFEST_SIZE = 0x400
> +OEM_BLOCK_MAX_SIZE = 0x190
> +U_BOOT_ROM_SIZE = 0x80

Can this file size be determined from the CONFIG_ROM_SIZE?

> +ROMFILE_SYS_TEXT_BASE = 0x0070

and calculate this by ourselves?

> +
> +MANIFEST_IDENTIFIER = b'$VBM'
> +VERSION = 1
> +SECURE_VERSION_NUMBER = 2
> +OEM_DATA_PREAMBLE = '01000200'
> +
> +oem_data_hash_files = []
> +
> +
> +def append_binary_files(first_file, second_file, new_file):
> +with open(new_file, 'wb') as f:
> +f.write(bytearray(open(first_file, 'rb').read()))
> +f.write(bytearray(open(second_file, 'rb').read()))
> +
> +
> +# This function creates the OEM-Data block which must be inserted
> +# into the Bay Trail Secure Boot Manifest.
> +def assemble_oem_data(file_path):
> +file_size = 0
> +with open(file_path, 'wb') as f:
> +f.write(binascii.unhexlify(OEM_DATA_PREAMBLE))
> +file_size += 4
> +for hash_file in oem_data_hash_files:
> +f.write(open(hash_file, 'rb').read())
> +file_size += 32
> +pad_file_with_zeros(f, OEM_BLOCK_MAX_SIZE-file_size)
> +
> +
> +# This function creates the final U-Boot ROM image from
> +# the original u-boot.rom and the signed Initial Boot Block
> +# which contains the Secure Boot Manifest
> +def assemble_secure_boot_image(u_boot_rom, signed_ibb):
> +data = bytearray(open(u_boot_rom, 'rb').read())
> +ibb = bytearray(open(signed_ibb, 'rb').read())
> +data[-(MANIFEST_SIZE+IBB_SIZE):] = ibb
> +open(OUTPUT_FILE_NAME, 'wb').write(data)
> +
> +

Re: [U-Boot] [PATCH v3 5/6] binman: add ROM image signing for Bay Trail SoC

2017-11-28 Thread Anatolij Gustschin
Hi Simon,

On Mon, 20 Nov 2017 08:40:32 -0700
Simon Glass s...@chromium.org wrote:

> Hi Anatolij,
> 
> On 16 November 2017 at 18:16, Anatolij Gustschin  wrote:
> > Generate u-boot-verified.rom image containing Secure Boot Manifest
> > when secure boot option is enabled.
> >
> > Signed-off-by: Anatolij Gustschin 
> > ---
> > NOTE: This patch applies on top of binman changes in binman-working
> > branch in git://git.denx.de/u-boot-dm.git
> >
> > Changes in v3:
> >  - New patch. Moved signing script functionality (secure_boot_helper.py
> >in first series) to binman. The signing is enabled automatically
> >via u-boot.dtsi when secure boot option is enabled
> >  - Clean up all temporary files generated by signing script
> >
> >  arch/x86/dts/u-boot.dtsi |   7 +
> >  tools/binman/signing/baytrail.py | 313 
> > +++
> >  tools/binman/signing/signer.py   |   3 +
> >  3 files changed, 323 insertions(+)
> >  create mode 100644 tools/binman/signing/baytrail.py
> >  
> 
> This is a really nice use of binman, integrating various things to
> make it work. It makes me wish we had this for FIT verified boot,
> since at present you need manual steps.
> 
> To finish this, please add a test and info in the binman README about
> the signing feature (x86-specific stuff can stay where it is).

OK.

...
> > +FSP_FILE_NAME = "fsp-sb.bin"  
> 
> Please use ' throughout if you can

OK.

...
> > +SIGNED_MANIFEST_FILE_NAME = 'signed_manifest.bin'
> > +UNSIGNED_MANIFEST_FILE_NAME = 'un'+SIGNED_MANIFEST_FILE_NAME  
> 
> space around +

OK.

...
> > +
> > +oem_data_hash_files = []  
> 
> comment?

OK.

...
> > +
> > +def append_binary_files(first_file, second_file, new_file):  
> 
> function comment. Please fix globally. There is a standard format for
> these, describing args and return value.

OK, done in v4.

...
> > +# This function creates the final U-Boot ROM image from
> > +# the original u-boot.rom and the signed Initial Boot Block
> > +# which contains the Secure Boot Manifest
> > +def assemble_secure_boot_image(u_boot_rom, signed_ibb):
> > +data = bytearray(open(u_boot_rom, 'rb').read())
> > +ibb = bytearray(open(signed_ibb, 'rb').read())
> > +data[-(MANIFEST_SIZE+IBB_SIZE):] = ibb
> > +open(OUTPUT_FILE_NAME, 'wb').write(data)  
> 
> Should probably use
> 
> with open(OUTPUT_FILE_NAME, 'wb') as fd:
>fd.write(data)
> 
> so that the file gets closed here.

OK, will fix.

...
> > +assemble_secure_boot_image(u_boot_rom, signed_ibb)
> > +
> > +# Cleanup temporary files  
> 
> Instead of this, can you create a tmpdir and remove the whole directory?

OK, will rework for v4.

Thanks,
Anatolij


Re: [U-Boot] [PATCH v3 5/6] binman: add ROM image signing for Bay Trail SoC

2017-11-20 Thread Simon Glass
Hi Anatolij,

On 16 November 2017 at 18:16, Anatolij Gustschin  wrote:
> Generate u-boot-verified.rom image containing Secure Boot Manifest
> when secure boot option is enabled.
>
> Signed-off-by: Anatolij Gustschin 
> ---
> NOTE: This patch applies on top of binman changes in binman-working
> branch in git://git.denx.de/u-boot-dm.git
>
> Changes in v3:
>  - New patch. Moved signing script functionality (secure_boot_helper.py
>in first series) to binman. The signing is enabled automatically
>via u-boot.dtsi when secure boot option is enabled
>  - Clean up all temporary files generated by signing script
>
>  arch/x86/dts/u-boot.dtsi |   7 +
>  tools/binman/signing/baytrail.py | 313 
> +++
>  tools/binman/signing/signer.py   |   3 +
>  3 files changed, 323 insertions(+)
>  create mode 100644 tools/binman/signing/baytrail.py
>

This is a really nice use of binman, integrating various things to
make it work. It makes me wish we had this for FIT verified boot,
since at present you need manual steps.

To finish this, please add a test and info in the binman README about
the signing feature (x86-specific stuff can stay where it is).

> diff --git a/arch/x86/dts/u-boot.dtsi b/arch/x86/dts/u-boot.dtsi
> index 7e37d4f394..98e2309108 100644
> --- a/arch/x86/dts/u-boot.dtsi
> +++ b/arch/x86/dts/u-boot.dtsi
> @@ -15,6 +15,13 @@
> sort-by-pos;
> pad-byte = <0xff>;
> size = ;
> +#ifdef CONFIG_BAYTRAIL_SECURE_BOOT
> +   sign;
> +#ifdef CONFIG_SYS_SOC
> +   socname = CONFIG_SYS_SOC;
> +#endif
> +#endif
> +
>  #ifdef CONFIG_HAVE_INTEL_ME
> intel-descriptor {
> filename = CONFIG_FLASH_DESCRIPTOR_FILE;
> diff --git a/tools/binman/signing/baytrail.py 
> b/tools/binman/signing/baytrail.py
> new file mode 100644
> index 00..3bfbbedb5d
> --- /dev/null
> +++ b/tools/binman/signing/baytrail.py
> @@ -0,0 +1,313 @@
> +# Copyright (c) 2017 DENX Software Engineering
> +# Written by Markus Valentin 
> +# Adapted for binman integration: Anatolij Gustschin 
> +#
> +# SPDX-License-Identifier: GPL-2.0+
> +#
> +# Functions for signing the binman output image for Bay Trail SoC
> +#
> +
> +import binascii
> +import logging, sys
> +import os
> +
> +from hashlib import sha256
> +from os.path import basename, isfile, splitext
> +from os.path import join as pjoin
> +from struct import pack
> +
> +import OpenSSL
> +from OpenSSL import crypto
> +from cryptography import x509
> +from cryptography.hazmat.backends import default_backend
> +
> +FSP_FILE_NAME = "fsp-sb.bin"

Please use ' throughout if you can

> +FSP_STAGE2_FILE_NAME = "fsp_stage2.bin"
> +U_BOOT_ROM_FILE_NAME = 'u-boot.rom'
> +OUTPUT_FILE_NAME = 'u-boot-verified.rom'
> +U_BOOT_TO_SIGN_FILE_NAME = 'u-boot-to-sign.bin'
> +IBB_FILE_NAME = 'ibb.bin'
> +FPF_CONFIG_FILE_NAME = 'fpf_config.txt'
> +SIGNED_MANIFEST_FILE_NAME = 'signed_manifest.bin'
> +UNSIGNED_MANIFEST_FILE_NAME = 'un'+SIGNED_MANIFEST_FILE_NAME

space around +

> +OEM_FILE_NAME = 'oemdata.bin'
> +
> +OEM_PRIV_KEY_FILE_NAME = 'oemkey.pem'
> +OEM_PUB_KEY_FILE_NAME = 'pub_oemkey.pem'
> +OEM_PUBKEY_BIN_FILE_NAME = 'pub_oemkey.bin'
> +OEM_PUBKEY_AND_SIG_FILE_NAME = 'oem_pub_sig.bin'
> +
> +FIT_PUB_KEY_FILE_NAME = "dev.crt"
> +
> +# FSP Stage2 size is 0x1f400. For debug FSP it is 0x2f400,
> +# you must change it here wenn building with debug FSP image!
> +FSP_STAGE_2_SIZE = 0x1f400
> +FSP_UPD_SIZE = 0xc00
> +IBB_SIZE = 0x1fc00
> +MANIFEST_SIZE = 0x400
> +OEM_BLOCK_MAX_SIZE = 0x190
> +U_BOOT_ROM_SIZE = 0x80
> +ROMFILE_SYS_TEXT_BASE = 0x0070
> +
> +MANIFEST_IDENTIFIER = b'$VBM'
> +VERSION = 1
> +SECURE_VERSION_NUMBER = 2
> +OEM_DATA_PREAMBLE = '01000200'
> +
> +oem_data_hash_files = []

comment?

> +
> +
> +def append_binary_files(first_file, second_file, new_file):

function comment. Please fix globally. There is a standard format for
these, describing args and return value.

> +with open(new_file, 'wb') as f:
> +f.write(bytearray(open(first_file, 'rb').read()))
> +f.write(bytearray(open(second_file, 'rb').read()))
> +
> +
> +# This function creates the OEM-Data block which must be inserted
> +# into the Bay Trail Secure Boot Manifest.
> +def assemble_oem_data(file_path):
> +file_size = 0
> +with open(file_path, 'wb') as f:
> +f.write(binascii.unhexlify(OEM_DATA_PREAMBLE))
> +file_size += 4
> +for hash_file in oem_data_hash_files:
> +f.write(open(hash_file, 'rb').read())
> +file_size += 32
> +pad_file_with_zeros(f, OEM_BLOCK_MAX_SIZE-file_size)
> +
> +
> +# This function creates the final U-Boot ROM image from
> +# the original u-boot.rom and the signed Initial Boot Block
> +# which contains the Secure Boot Manifest
> +def assemble_secure_boot_image(u_boot_rom, signed_ibb):
> +data = bytearray(open(u_boot_rom, 'rb').read())
> +ibb = bytearray(open(signed_ibb, 'rb').

[U-Boot] [PATCH v3 5/6] binman: add ROM image signing for Bay Trail SoC

2017-11-16 Thread Anatolij Gustschin
Generate u-boot-verified.rom image containing Secure Boot Manifest
when secure boot option is enabled.

Signed-off-by: Anatolij Gustschin 
---
NOTE: This patch applies on top of binman changes in binman-working
branch in git://git.denx.de/u-boot-dm.git

Changes in v3:
 - New patch. Moved signing script functionality (secure_boot_helper.py
   in first series) to binman. The signing is enabled automatically
   via u-boot.dtsi when secure boot option is enabled
 - Clean up all temporary files generated by signing script

 arch/x86/dts/u-boot.dtsi |   7 +
 tools/binman/signing/baytrail.py | 313 +++
 tools/binman/signing/signer.py   |   3 +
 3 files changed, 323 insertions(+)
 create mode 100644 tools/binman/signing/baytrail.py

diff --git a/arch/x86/dts/u-boot.dtsi b/arch/x86/dts/u-boot.dtsi
index 7e37d4f394..98e2309108 100644
--- a/arch/x86/dts/u-boot.dtsi
+++ b/arch/x86/dts/u-boot.dtsi
@@ -15,6 +15,13 @@
sort-by-pos;
pad-byte = <0xff>;
size = ;
+#ifdef CONFIG_BAYTRAIL_SECURE_BOOT
+   sign;
+#ifdef CONFIG_SYS_SOC
+   socname = CONFIG_SYS_SOC;
+#endif
+#endif
+
 #ifdef CONFIG_HAVE_INTEL_ME
intel-descriptor {
filename = CONFIG_FLASH_DESCRIPTOR_FILE;
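Review bot: With the nested `#ifdef CONFIG_SYS_SOC`, the preprocessor can emit `sign;` without `socname`, and nothing in this hunk shows what the signer does with such a node. signer.py is not visible here, so this is an inference, but if it skips signing when `socname` is absent the build would produce an unsigned image although the secure boot option is on. Signing should fail closed, for example by adding `#else` and `#error "CONFIG_SYS_SOC must be set when image signing is enabled"` to the inner conditional. A short comment above `sign;` naming the binman signing code that consumes the two properties would also help. The enclosing node starts and ends outside the hunk.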
diff --git a/tools/binman/signing/baytrail.py b/tools/binman/signing/baytrail.py
new file mode 100644
index 00..3bfbbedb5d
--- /dev/null
+++ b/tools/binman/signing/baytrail.py
@@ -0,0 +1,313 @@
+# Copyright (c) 2017 DENX Software Engineering
+# Written by Markus Valentin 
+# Adapted for binman integration: Anatolij Gustschin 
+#
+# SPDX-License-Identifier: GPL-2.0+
+#
+# Functions for signing the binman output image for Bay Trail SoC
+#
+
+import binascii
+import logging, sys
+import os
+
+from hashlib import sha256
+from os.path import basename, isfile, splitext
+from os.path import join as pjoin
+from struct import pack
+
+import OpenSSL
+from OpenSSL import crypto
+from cryptography import x509
+from cryptography.hazmat.backends import default_backend
+
+FSP_FILE_NAME = "fsp-sb.bin"
+FSP_STAGE2_FILE_NAME = "fsp_stage2.bin"
+U_BOOT_ROM_FILE_NAME = 'u-boot.rom'
+OUTPUT_FILE_NAME = 'u-boot-verified.rom'
+U_BOOT_TO_SIGN_FILE_NAME = 'u-boot-to-sign.bin'
+IBB_FILE_NAME = 'ibb.bin'
+FPF_CONFIG_FILE_NAME = 'fpf_config.txt'
+SIGNED_MANIFEST_FILE_NAME = 'signed_manifest.bin'
+UNSIGNED_MANIFEST_FILE_NAME = 'un'+SIGNED_MANIFEST_FILE_NAME
+OEM_FILE_NAME = 'oemdata.bin'
+
+OEM_PRIV_KEY_FILE_NAME = 'oemkey.pem'
+OEM_PUB_KEY_FILE_NAME = 'pub_oemkey.pem'
+OEM_PUBKEY_BIN_FILE_NAME = 'pub_oemkey.bin'
+OEM_PUBKEY_AND_SIG_FILE_NAME = 'oem_pub_sig.bin'
+
+FIT_PUB_KEY_FILE_NAME = "dev.crt"
+
+# FSP Stage2 size is 0x1f400. For debug FSP it is 0x2f400,
+# you must change it here wenn building with debug FSP image!
+FSP_STAGE_2_SIZE = 0x1f400
+FSP_UPD_SIZE = 0xc00
+IBB_SIZE = 0x1fc00
+MANIFEST_SIZE = 0x400
+OEM_BLOCK_MAX_SIZE = 0x190
+U_BOOT_ROM_SIZE = 0x80
+ROMFILE_SYS_TEXT_BASE = 0x0070
+
+MANIFEST_IDENTIFIER = b'$VBM'
+VERSION = 1
+SECURE_VERSION_NUMBER = 2
+OEM_DATA_PREAMBLE = '01000200'
+
+oem_data_hash_files = []
+
+
+def append_binary_files(first_file, second_file, new_file):
+with open(new_file, 'wb') as f:
+f.write(bytearray(open(first_file, 'rb').read()))
+f.write(bytearray(open(second_file, 'rb').read()))
+
+
+# This function creates the OEM-Data block which must be inserted
+# into the Bay Trail Secure Boot Manifest.
+def assemble_oem_data(file_path):
+file_size = 0
+with open(file_path, 'wb') as f:
+f.write(binascii.unhexlify(OEM_DATA_PREAMBLE))
+file_size += 4
+for hash_file in oem_data_hash_files:
+f.write(open(hash_file, 'rb').read())
+file_size += 32
+pad_file_with_zeros(f, OEM_BLOCK_MAX_SIZE-file_size)
+
+
+# This function creates the final U-Boot ROM image from
+# the original u-boot.rom and the signed Initial Boot Block
+# which contains the Secure Boot Manifest
+def assemble_secure_boot_image(u_boot_rom, signed_ibb):
+data = bytearray(open(u_boot_rom, 'rb').read())
+ibb = bytearray(open(signed_ibb, 'rb').read())
+data[-(MANIFEST_SIZE+IBB_SIZE):] = ibb
+open(OUTPUT_FILE_NAME, 'wb').write(data)
+
+
+# Constructs a complete Secure Boot Manifest which is just missing
+# the OEM publickey and the manifest signature
+def create_unsigned_secure_boot_manifest(unsigned_manifest,
+ oem_file='oemdata.bin',
+ ibb='ibb.bin'):
+with open(unsigned_manifest, 'wb') as f:
+f.write(MANIFEST_IDENTIFIER)
+f.write(pack('i', VERSION))
+f.write(pack('i', MANIFEST_SIZE))
+f.write(pack('i', SECURE_VERSION_NUMBER))
+pad_file_with_zeros(f, 4)
+hash_function = sha256()
+hash_function.update(bytearray(open(ibb, 'rb').read()))
+f.write(hash_function.digest()[::-1])
+pad_file