diff --git a/arch/arm/mach-k3/config.mk b/arch/arm/mach-k3/config.mk deleted file mode 100644 index cbf9c10210a..00000000000 --- a/arch/arm/mach-k3/config.mk +++ /dev/null @@ -1,103 +0,0 @@ -# SPDX-License-Identifier: GPL-2.0+ -# -# Copyright (C) 2017-2018 Texas Instruments Incorporated - http://www.ti.com/ -# Lokesh Vutla - -ifdef CONFIG_SPL_BUILD - -# Openssl is required to generate x509 certificate. -# Error out if openssl is not available. -ifeq ($(shell which openssl),) -$(error "No openssl in $(PATH), consider installing openssl") -endif - -IMAGE_SIZE= $(shell cat $(obj)/u-boot-spl.bin | wc -c) -MAX_SIZE= $(shell printf "%d" $(CONFIG_SYS_K3_MAX_DOWNLODABLE_IMAGE_SIZE)) - -ifeq ($(CONFIG_SYS_K3_KEY), "") -KEY="" -# On HS use real key or warn if not available -ifeq ($(CONFIG_TI_SECURE_DEVICE),y) -ifneq ($(wildcard $(TI_SECURE_DEV_PKG)/keys/custMpk.pem),) -KEY=$(TI_SECURE_DEV_PKG)/keys/custMpk.pem -else -$(warning "WARNING: signing key not found. Random key will NOT work on HS hardware!") -endif -endif -else -KEY=$(patsubst "%",$(srctree)/%,$(CONFIG_SYS_K3_KEY)) -endif - -# X509 SWRV default -SWRV = $(CONFIG_K3_X509_SWRV) -# On HS use SECDEV provided software revision or warn if not available -ifeq ($(CONFIG_TI_SECURE_DEVICE),y) -ifneq ($(wildcard $(TI_SECURE_DEV_PKG)/keys/swrv.txt),) -SWRV= $(shell cat $(TI_SECURE_DEV_PKG)/keys/swrv.txt) -else -$(warning "WARNING: Software revision file not found. Default may not work on HS hardware.") -endif -endif - -# tiboot3.bin is mandated by ROM and ROM only supports R5 boot. -# So restrict tiboot3.bin creation for CPU_V7R. -ifdef CONFIG_CPU_V7R -image_check: $(obj)/u-boot-spl.bin FORCE - @if [ $(IMAGE_SIZE) -gt $(MAX_SIZE) ]; then \ - echo "===============================================" >&2; \ - echo "ERROR: Final Image too big. " >&2; \ - echo "$< size = $(IMAGE_SIZE), max size = $(MAX_SIZE)" >&2; \ - echo "===============================================" >&2; \ - exit 1; \ - fi - -tiboot3.bin: image_check FORCE - $(srctree)/tools/k3_gen_x509_cert.sh -c 16 -b $(obj)/u-boot-spl.bin \ - -o $@ -l $(CONFIG_SPL_TEXT_BASE) -r $(SWRV) -k $(KEY) - -INPUTS-y += tiboot3.bin -endif - -ifdef CONFIG_ARM64 - -ifeq ($(CONFIG_SOC_K3_J721E),) -export DM := /dev/null -endif - -ifeq ($(CONFIG_TI_SECURE_DEVICE),y) -SPL_ITS := u-boot-spl-k3_HS.its -$(SPL_ITS): export IS_HS=1 -INPUTS-y += tispl.bin_HS -INPUTS-y += tispl.bin -tispl.bin: $(obj)/u-boot-spl-nodtb.bin_HS $(patsubst %,$(obj)/dts/%.dtb_HS,$(subst ",,$(CONFIG_SPL_OF_LIST))) -else -SPL_ITS := u-boot-spl-k3.its -INPUTS-y += tispl.bin -endif - -ifeq ($(CONFIG_SPL_OF_LIST),) -LIST_OF_DTB := $(CONFIG_DEFAULT_DEVICE_TREE) -else -LIST_OF_DTB := $(CONFIG_SPL_OF_LIST) -endif - -quiet_cmd_k3_mkits = MKITS $@ -cmd_k3_mkits = \ - $(srctree)/tools/k3_fit_atf.sh \ - $(CONFIG_K3_ATF_LOAD_ADDR) \ - $(patsubst %,$(obj)/dts/%.dtb,$(subst ",,$(LIST_OF_DTB))) > $@ - -$(SPL_ITS): FORCE - $(call cmd,k3_mkits) -endif - -else - -ifeq ($(CONFIG_TI_SECURE_DEVICE),y) -INPUTS-y += u-boot.img_HS -else -INPUTS-y += u-boot.img -endif -endif - -include $(srctree)/arch/arm/mach-k3/config_secure.mk diff --git a/tools/k3_fit_atf.sh b/tools/k3_fit_atf.sh deleted file mode 100755 index 7bc07ad0746..00000000000 --- a/tools/k3_fit_atf.sh +++ /dev/null @@ -1,123 +0,0 @@ -#!/bin/sh -# SPDX-License-Identifier: GPL-2.0+ -# -# script to generate FIT image source for K3 Family boards with -# ATF, OPTEE, SPL and multiple device trees (given on the command line). -# Inspired from board/sunxi/mksunxi_fit_atf.sh -# -# usage: $0 [ [&2 - ATF=/dev/null -fi - -[ -z "$TEE" ] && TEE="bl32.bin" - -if [ ! -f $TEE ]; then - echo "WARNING OPTEE file $TEE NOT found, resulting might be non-functional" >&2 - TEE=/dev/null -fi - -[ -z "$DM" ] && DM="dm.bin" - -if [ ! -e $DM ]; then - echo "WARNING DM file $DM NOT found, resulting might be non-functional" >&2 - DM=/dev/null -fi - -if [ ! -z "$IS_HS" ]; then - HS_APPEND=_HS -fi - -cat << __HEADER_EOF -/dts-v1/; - -/ { - description = "Configuration to load ATF and SPL"; - #address-cells = <1>; - - images { - atf { - description = "ARM Trusted Firmware"; - data = /incbin/("$ATF"); - type = "firmware"; - arch = "arm64"; - compression = "none"; - os = "arm-trusted-firmware"; - load = <$1>; - entry = <$1>; - }; - tee { - description = "OPTEE"; - data = /incbin/("$TEE"); - type = "tee"; - arch = "arm64"; - compression = "none"; - os = "tee"; - load = <0x9e800000>; - entry = <0x9e800000>; - }; - dm { - description = "DM binary"; - data = /incbin/("$DM"); - type = "firmware"; - arch = "arm32"; - compression = "none"; - os = "DM"; - load = <0x89000000>; - entry = <0x89000000>; - }; - spl { - description = "SPL (64-bit)"; - data = /incbin/("spl/u-boot-spl-nodtb.bin$HS_APPEND"); - type = "standalone"; - os = "U-Boot"; - arch = "arm64"; - compression = "none"; - load = <0x80080000>; - entry = <0x80080000>; - }; -__HEADER_EOF - -# shift through ATF load address in the command line arguments -shift - -for dtname in $* -do - cat << __FDT_IMAGE_EOF - $(basename $dtname) { - description = "$(basename $dtname .dtb)"; - data = /incbin/("$dtname$HS_APPEND"); - type = "flat_dt"; - arch = "arm"; - compression = "none"; - }; -__FDT_IMAGE_EOF -done - -cat << __CONF_HEADER_EOF - }; - configurations { - default = "$(basename $1)"; - -__CONF_HEADER_EOF - -for dtname in $* -do - cat << __CONF_SECTION_EOF - $(basename $dtname) { - description = "$(basename $dtname .dtb)"; - firmware = "atf"; - loadables = "tee", "dm", "spl"; - fdt = "$(basename $dtname)"; - }; -__CONF_SECTION_EOF -done - -cat << __ITS_EOF - }; -}; -__ITS_EOF diff --git a/tools/k3_gen_x509_cert.sh b/tools/k3_gen_x509_cert.sh deleted file mode 100755 index d9cde07417c..00000000000 --- a/tools/k3_gen_x509_cert.sh +++ /dev/null @@ -1,262 +0,0 @@ -#!/bin/bash -# SPDX-License-Identifier: GPL-2.0+ OR BSD-3-Clause -# -# Script to add K3 specific x509 cetificate to a binary. -# - -# Variables -OUTPUT=tiboot3.bin -TEMP_X509=x509-temp.cert -CERT=certificate.bin -RAND_KEY=eckey.pem -LOADADDR=0x41c00000 -BOOTCORE_OPTS=0 -BOOTCORE=16 -DEBUG_TYPE=0 -SWRV=1 - -gen_degen_template() { -cat << 'EOF' > degen-template.txt - -asn1=SEQUENCE:rsa_key - -[rsa_key] -version=INTEGER:0 -modulus=INTEGER:0xDEGEN_MODULUS -pubExp=INTEGER:1 -privExp=INTEGER:1 -p=INTEGER:0xDEGEN_P -q=INTEGER:0xDEGEN_Q -e1=INTEGER:1 -e2=INTEGER:1 -coeff=INTEGER:0xDEGEN_COEFF -EOF -} - -# Generate x509 Template -gen_template() { -cat << 'EOF' > x509-template.txt - [ req ] - distinguished_name = req_distinguished_name - x509_extensions = v3_ca - prompt = no - dirstring_type = nobmp - - [ req_distinguished_name ] - C = US - ST = TX - L = Dallas - O = Texas Instruments Incorporated - OU = Processors - CN = TI support - emailAddress = support@ti.com - - [ v3_ca ] - basicConstraints = CA:true - 1.3.6.1.4.1.294.1.1 = ASN1:SEQUENCE:boot_seq - 1.3.6.1.4.1.294.1.2 = ASN1:SEQUENCE:image_integrity - 1.3.6.1.4.1.294.1.3 = ASN1:SEQUENCE:swrv -# 1.3.6.1.4.1.294.1.4 = ASN1:SEQUENCE:encryption - 1.3.6.1.4.1.294.1.8 = ASN1:SEQUENCE:debug - - [ boot_seq ] - certType = INTEGER:TEST_CERT_TYPE - bootCore = INTEGER:TEST_BOOT_CORE - bootCoreOpts = INTEGER:TEST_BOOT_CORE_OPTS - destAddr = FORMAT:HEX,OCT:TEST_BOOT_ADDR - imageSize = INTEGER:TEST_IMAGE_LENGTH - - [ image_integrity ] - shaType = OID:2.16.840.1.101.3.4.2.3 - shaValue = FORMAT:HEX,OCT:TEST_IMAGE_SHA_VAL - - [ swrv ] - swrv = INTEGER:TEST_SWRV - -# [ encryption ] -# initalVector = FORMAT:HEX,OCT:TEST_IMAGE_ENC_IV -# randomString = FORMAT:HEX,OCT:TEST_IMAGE_ENC_RS -# iterationCnt = INTEGER:TEST_IMAGE_KEY_DERIVE_INDEX -# salt = FORMAT:HEX,OCT:TEST_IMAGE_KEY_DERIVE_SALT - - [ debug ] - debugUID = FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000 - debugType = INTEGER:TEST_DEBUG_TYPE - coreDbgEn = INTEGER:0 - coreDbgSecEn = INTEGER:0 -EOF -} - -parse_key() { - sed '/ /s/://g' key.txt | \ - awk '!/ / {printf("\n%s\n", $0)}; / / {printf("%s", $0)}' | \ - sed 's/ //g' | \ - awk "/$1:/{getline; print}" -} - -gen_degen_key() { -# Generate a 4096 bit RSA Key - openssl genrsa -out key.pem 1024 >>/dev/null 2>&1 - openssl rsa -in key.pem -text -out key.txt >>/dev/null 2>&1 - DEGEN_MODULUS=$( parse_key 'modulus' ) - DEGEN_P=$( parse_key 'prime1' ) - DEGEN_Q=$( parse_key 'prime2' ) - DEGEN_COEFF=$( parse_key 'coefficient' ) - gen_degen_template - - sed -e "s/DEGEN_MODULUS/$DEGEN_MODULUS/"\ - -e "s/DEGEN_P/$DEGEN_P/" \ - -e "s/DEGEN_Q/$DEGEN_Q/" \ - -e "s/DEGEN_COEFF/$DEGEN_COEFF/" \ - degen-template.txt > degenerateKey.txt - - openssl asn1parse -genconf degenerateKey.txt -out degenerateKey.der >>/dev/null 2>&1 - openssl rsa -in degenerateKey.der -inform DER -outform PEM -out $RAND_KEY >>/dev/null 2>&1 - KEY=$RAND_KEY - rm key.pem key.txt degen-template.txt degenerateKey.txt degenerateKey.der -} - -declare -A options_help -usage() { - if [ -n "$*" ]; then - echo "ERROR: $*" - fi - echo -n "Usage: $0 " - for option in "${!options_help[@]}" - do - arg=`echo ${options_help[$option]}|cut -d ':' -f1` - if [ -n "$arg" ]; then - arg=" $arg" - fi - echo -n "[-$option$arg] " - done - echo - echo -e "\nWhere:" - for option in "${!options_help[@]}" - do - arg=`echo ${options_help[$option]}|cut -d ':' -f1` - txt=`echo ${options_help[$option]}|cut -d ':' -f2` - tb="\t\t\t" - if [ -n "$arg" ]; then - arg=" $arg" - tb="\t" - fi - echo -e " -$option$arg:$tb$txt" - done - echo - echo "Examples of usage:-" - echo "# Example of signing the SYSFW binary with rsa degenerate key" - echo " $0 -c 0 -b ti-sci-firmware-am6x.bin -o sysfw.bin -l 0x40000" - echo "# Example of signing the SPL binary with rsa degenerate key" - echo " $0 -c 16 -b spl/u-boot-spl.bin -o tiboot3.bin -l 0x41c00000" -} - -options_help[b]="bin_file:Bin file that needs to be signed" -options_help[k]="key_file:file with key inside it. If not provided script generates a rsa degenerate key." -options_help[o]="output_file:Name of the final output file. default to $OUTPUT" -options_help[c]="core_id:target core id on which the image would be running. Default to $BOOTCORE" -options_help[l]="loadaddr: Target load address of the binary in hex. Default to $LOADADDR" -options_help[d]="debug_type: Debug type, set to 4 to enable early JTAG. Default to $DEBUG_TYPE" -options_help[r]="SWRV: Software Rev for X509 certificate" - -while getopts "b:k:o:c:l:d:h:r:" opt -do - case $opt in - b) - BIN=$OPTARG - ;; - k) - KEY=$OPTARG - ;; - o) - OUTPUT=$OPTARG - ;; - l) - LOADADDR=$OPTARG - ;; - c) - BOOTCORE=$OPTARG - ;; - d) - DEBUG_TYPE=$OPTARG - ;; - r) - SWRV=$OPTARG - ;; - h) - usage - exit 0 - ;; - \?) - usage "Invalid Option '-$OPTARG'" - exit 1 - ;; - :) - usage "Option '-$OPTARG' Needs an argument." - exit 1 - ;; - esac -done - -if [ "$#" -eq 0 ]; then - usage "Arguments missing" - exit 1 -fi - -if [ -z "$BIN" ]; then - usage "Bin file missing in arguments" - exit 1 -fi - -# Generate rsa degenerate key if user doesn't provide a key -if [ -z "$KEY" ]; then - gen_degen_key -fi - -if [ $BOOTCORE == 0 ]; then # BOOTCORE M3, loaded by ROM - CERTTYPE=2 -elif [ $BOOTCORE == 16 ]; then # BOOTCORE R5, loaded by ROM - CERTTYPE=1 -else # Non BOOTCORE, loaded by SYSFW - BOOTCORE_OPTS_VER=$(printf "%01x" 1) - # Add input args option for SET and CLR flags. - BOOTCORE_OPTS_SETFLAG=$(printf "%08x" 0) - BOOTCORE_OPTS_CLRFLAG=$(printf "%08x" 0x100) # Clear FLAG_ARMV8_AARCH32 - BOOTCORE_OPTS="0x$BOOTCORE_OPTS_VER$BOOTCORE_OPTS_SETFLAG$BOOTCORE_OPTS_CLRFLAG" - # Set the cert type to zero. - # We are not using public/private key store now - CERTTYPE=$(printf "0x%08x" 0) -fi - -SHA_VAL=`openssl dgst -sha512 -hex $BIN | sed -e "s/^.*= //g"` -BIN_SIZE=`cat $BIN | wc -c` -ADDR=`printf "%08x" $LOADADDR` - -gen_cert() { - #echo "Certificate being generated :" - #echo " LOADADDR = 0x$ADDR" - #echo " IMAGE_SIZE = $BIN_SIZE" - #echo " CERT_TYPE = $CERTTYPE" - #echo " DEBUG_TYPE = $DEBUG_TYPE" - #echo " SWRV = $SWRV" - sed -e "s/TEST_IMAGE_LENGTH/$BIN_SIZE/" \ - -e "s/TEST_IMAGE_SHA_VAL/$SHA_VAL/" \ - -e "s/TEST_CERT_TYPE/$CERTTYPE/" \ - -e "s/TEST_BOOT_CORE_OPTS/$BOOTCORE_OPTS/" \ - -e "s/TEST_BOOT_CORE/$BOOTCORE/" \ - -e "s/TEST_BOOT_ADDR/$ADDR/" \ - -e "s/TEST_DEBUG_TYPE/$DEBUG_TYPE/" \ - -e "s/TEST_SWRV/$SWRV/" \ - x509-template.txt > $TEMP_X509 - openssl req -new -x509 -key $KEY -nodes -outform DER -out $CERT -config $TEMP_X509 -sha512 -} - -gen_template -gen_cert -cat $CERT $BIN > $OUTPUT - -# Remove all intermediate files -rm $TEMP_X509 $CERT x509-template.txt -if [ "$KEY" == "$RAND_KEY" ]; then - rm $RAND_KEY -fi