@@ -1,6 +1,6 @@
#!/bin/bash
#
-# Copyright (c) 2015, NVIDIA CORPORATION. All rights reserved.
+# Copyright (c) 2016, NVIDIA CORPORATION. All rights reserved.
#
# This program is free software; you can redistribute it and/or modify it
# under the terms and conditions of the GNU General Public License,
@@ -18,11 +18,8 @@
# project.
#
set -e
-IMAGE_FILE=$1
-KEY_FILE=$2
-TARGET_IMAGE=$IMAGE_FILE
-CONFIG_FILE=config.tmp
+CONFIG_FILE=config.tmp
CBOOTIMAGE=../src/cbootimage
BCT_DUMP=../src/bct_dump
OBJCOPY=objcopy
@@ -33,41 +30,91 @@ MV=mv
XXD=xxd
CUT=cut
-echo "Get rid of all temporary files: *.sig, *.tosig, *.tmp *.mod"
-$RM -f *.sig *.tosig *.tmp *.mod
-echo "Get bl length "
-BL_LENGTH=`$BCT_DUMP $IMAGE_FILE | grep "Bootloader\[0\].Length"\
- | awk -F ' ' '{print $4}' | awk -F ';' '{print $1}'`
+usage ()
+{
+ echo -e "
+Usage: ./sign.sh <soc> <boot_image> <rsa_priv_key>
+ Where,
+ soc: tegra124, tegra210
+ boot_image: image generated by cbootimage,
+ priv_key: rsa key file in .pem format."
+
+ exit 1;
+}
+
+sign_image ()
+{
+ local bct_length=$(($3 + $4));
+
+ echo "Get bl length "
+ local bl_length=`$BCT_DUMP $IMAGE_FILE | grep "Bootloader\[0\].Length"\
+ | awk -F ' ' '{print $4}' | awk -F ';' '{print $1}'`
+
+ echo "Extract bootloader to $IMAGE_FILE.bl.tosig, length ${bl_length}"
+ $DD bs=1 skip=$2 if=$IMAGE_FILE of=$IMAGE_FILE.bl.tosig \
+ count=${bl_length}
+
+ echo "Calculate rsa signature for bootloader and save to $IMAGE_FILE.bl.sig"
+ $OPENSSL dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \
+ -sign $KEY_FILE -out $IMAGE_FILE.bl.sig $IMAGE_FILE.bl.tosig
-echo "Extract bootloader to $IMAGE_FILE.bl.tosig, length $BL_LENGTH"
-$DD bs=1 skip=32768 if=$IMAGE_FILE of=$IMAGE_FILE.bl.tosig count=$BL_LENGTH
+ echo "Update bootloader's rsa signature, aes hash and bct's aes hash"
+ echo "RsaPssSigBlFile = $IMAGE_FILE.bl.sig;" > $CONFIG_FILE
+ echo "RehashBl;" >> $CONFIG_FILE
+ $CBOOTIMAGE -s $1 -u $CONFIG_FILE $IMAGE_FILE $IMAGE_FILE.tmp
-echo "Calculate rsa signature for bootloader and save to $IMAGE_FILE.bl.sig"
-$OPENSSL dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \
- -sign $KEY_FILE -out $IMAGE_FILE.bl.sig $IMAGE_FILE.bl.tosig
+ echo "Extract the part of bct which needs to be rsa signed"
+ $DD bs=1 if=$IMAGE_FILE.tmp of=$IMAGE_FILE.bct.tosig skip=$3 count=$4
-echo "Update bootloader's rsa signature, aes hash and bct's aes hash"
-echo "RsaPssSigBlFile = $IMAGE_FILE.bl.sig;" > $CONFIG_FILE
-echo "RehashBl;" >> $CONFIG_FILE
-$CBOOTIMAGE -s tegra210 -u $CONFIG_FILE $IMAGE_FILE $IMAGE_FILE.tmp
+ echo "Calculate rsa signature for bct and save to $IMAGE_FILE.bct.sig"
+ $OPENSSL dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \
+ -sign $KEY_FILE -out $IMAGE_FILE.bct.sig $IMAGE_FILE.bct.tosig
-echo "Extract the part of bct which needs to be rsa signed"
-$DD bs=1 if=$IMAGE_FILE.tmp of=$IMAGE_FILE.bct.tosig count=8944 skip=1296
+ echo "Create public key modulus from key file $KEY_FILE and save to $KEY_FILE.mod"
+ $OPENSSL rsa -in $KEY_FILE -noout -modulus -out $KEY_FILE.mod
+ # remove prefix
+ $CUT -d= -f2 < $KEY_FILE.mod > $KEY_FILE.mod.tmp
-echo "Calculate rsa signature for bct and save to $IMAGE_FILE.bct.sig"
-$OPENSSL dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \
- -sign $KEY_FILE -out $IMAGE_FILE.bct.sig $IMAGE_FILE.bct.tosig
+ # convert from hexdecimal to binary
+ $XXD -r -p -l 256 $KEY_FILE.mod.tmp $KEY_FILE.mod.bin
-echo "Create public key modulus from key file $KEY_FILE and save to $KEY_FILE.mod"
-$OPENSSL rsa -in $KEY_FILE -noout -modulus -out $KEY_FILE.mod
-# remove prefix
-$CUT -d= -f2 < $KEY_FILE.mod > $KEY_FILE.mod.tmp
+ echo "Update bct's rsa signature and modulus"
+ echo "RsaPssSigBctFile = $IMAGE_FILE.bct.sig;" > $CONFIG_FILE
+ echo "RsaKeyModulusFile = $KEY_FILE.mod.bin;" >> $CONFIG_FILE
+ echo ""
+ $CBOOTIMAGE -s $1 -u $CONFIG_FILE $IMAGE_FILE.tmp $TARGET_IMAGE
+
+ echo ""
+ $DD bs=1 if=$TARGET_IMAGE of=${soc}.bct count=${bct_length}
+ echo ""
+ echo "Signed bct ${soc}.bct has been successfully generated!";
+
+ #echo "Get rid of all temporary files: *.sig, *.tosig, *.tmp, *.mod, *.mod.bin"
+ $RM -f *.sig *.tosig *.tmp *.mod *.mod.bin
+}
+
+
+soc=$1 # tegra124, tegra210
+
+if [[ "${soc}" == tegra124 ]]; then
+ bl_block_offset=16384; # emmc: 16384, spi_flash: 32768: default: emmc
+ bct_signed_offset=1712;
+ bct_signed_length=6480;
+elif [ "${soc}" = tegra210 ]; then
+ bl_block_offset=32768; # emmc: 16384, spi_flash: 32768: default: spi
+ bct_signed_offset=1296;
+ bct_signed_length=8944;
+elif [[ "${soc}" != tegra124 && \
+ "${soc}" != tegra210 ]]; then
+ echo "Error: Invalid target device($soc).";
+ usage;
+fi;
+
+IMAGE_FILE=$2;
+KEY_FILE=$3;
+TARGET_IMAGE=$IMAGE_FILE
-# convert from hexdecimal to binary
-$XXD -r -p -l 256 $KEY_FILE.mod.tmp $KEY_FILE.mod.bin
+echo "Sign ${soc} ${IMAGE_FILE} with key ${KEY_FILE}"
+sign_image "$soc" "$bl_block_offset" "$bct_signed_offset" "$bct_signed_length"
-echo "Update bct's rsa signature and modulus"
-echo "RsaPssSigBctFile = $IMAGE_FILE.bct.sig;" > $CONFIG_FILE
-echo "RsaKeyModulusFile = $KEY_FILE.mod.bin;" >> $CONFIG_FILE
-$CBOOTIMAGE -s tegra210 -u $CONFIG_FILE $IMAGE_FILE.tmp $TARGET_IMAGE
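Review bot: The cleanup at the end of sign_image, `$RM -f *.sig *.tosig *.tmp *.mod *.mod.bin`, globs the caller's working directory instead of naming the files this run wrote. It therefore deletes unrelated files there (an existing detached `.sig`, for example) and leaves the intermediates behind whenever the image or key is given with a directory path, since those are written next to `$IMAGE_FILE` and `$KEY_FILE`. Because it is the last statement and the script runs under `set -e`, any failing step skips it too. Removing the explicit, quoted list of generated paths fixes the first two problems, and registering that list with `trap ... EXIT` would cover the failure path. Separately, `$2` and `$3` are used without an argument-count check; `[ $# -eq 3 ] || usage` before `soc=$1` would send a short command line to usage() rather than into bct_dump and dd with empty paths.

```shell
sign_image ()
{
	# … unchanged: bootloader length lookup, signing, cbootimage updates, bct extraction …

	# remove only the files this run created, wherever the inputs live
	$RM -f -- "$CONFIG_FILE" "$IMAGE_FILE.tmp" \
		"$IMAGE_FILE.bl.tosig" "$IMAGE_FILE.bl.sig" \
		"$IMAGE_FILE.bct.tosig" "$IMAGE_FILE.bct.sig" \
		"$KEY_FILE.mod" "$KEY_FILE.mod.tmp" "$KEY_FILE.mod.bin"
}
```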
1. Use parameter <soc> to specify the boot image type, i.e. tegra124 or tegra210. 2. Along with signing the boot image, also generate a signed bct, i.e. tegra124.bct or tegra210.bct. The user should use this signed bct when flashing the target. Example: $ ./sign.sh tegra124 t124.img rsa_priv.pem Signed-off-by: Jimmy Zhang <jimmzhang@nvidia.com> --- samples/sign.sh | 115 +++++++++++++++++++++++++++++++++++++++----------------- 1 file changed, 81 insertions(+), 34 deletions(-)