Message ID | 1444333109-3671-7-git-send-email-jimmzhang@nvidia.com |
---|---|
State | Superseded, archived |
Headers | show |
On 10/08/2015 01:38 PM, Jimmy Zhang wrote: > sign.sh runs openssl and other linux utilities to generate rsa-pss > signatures for a prebuilt bootimage and inject signatures and rsa > modulus into bct directly. > > Syntax: sign.sh <bootimage> <rsa_key.pem> > > sign-by-update.sh is similar to sign.sh. The difference is the > signatures update are done by cbootimage with configuration > keywords "RsaKeyModulusFile", "RsaPssSigBlFile", and "RsaPssSigBctFile". > Comparing to sign.sh, this script is relatively simple to be ported > to T124/T114. > > Syntax: sign-by-update.sh <bootimage> <rsa_key.pem> > diff --git a/rsa_priv.pem b/rsa_priv.pem I hope this is some random private key you generated just for the purposes of demonstration... > diff --git a/sign-by-update.sh b/sign-by-update.sh Let's put these example files in an examples directory or something like that. Should we update the Makefile to install the examples into some doc directory? > new file mode 100755 > index 000000000000..b3f010a41d0e > --- /dev/null > +++ b/sign-by-update.sh > @@ -0,0 +1,59 @@ > +IMAGE_FILE=$1 > +KEY_FILE=$2 There's no #! line here. I'd suggest adding "set -e" so there is some simple error-checking. > +echo " Get rid of all temporary files: *.sig, *.tosig, *.tmp *.mod *.rev" Why a space at the start of the echo'd data? (Or the end in other commands) Quotes aren't needed either, at least for this command. Similar comments for all the other echo statements. > +echo " Reverse bl signature to meet tegra soc signature ordering" > +$OBJCOPY -I binary --reverse-bytes=256 $IMAGE_FILE.bl.sig $IMAGE_FILE.bl.sig.rev Should cbootimage do this itself; this feels like an issue related to packing the data into the BCT which is what cbootimage handles... > +echo " Create public key modulus from key file $KEY_FILE and save to $KEY_FILE.mod" > +$OPENSSL rsa -in $KEY_FILE -noout -modulus -out $KEY_FILE.mod > +# remove prefix and LF -noout then -out? > +$DD bs=1 if=$KEY_FILE.mod of=$KEY_FILE.mod.tmp skip=8 count=512 I'd suggest using cut for that in case the prefix changes; `cut -d= f2`. > diff --git a/sign.sh b/sign.sh Likely all the comments for sign-by-update.sh apply here too. I expect these scripts are very similar. Can the script take a cmdline argument to request the update type (dd vs. a all to cbootimage -u) so that all the common logic isn't duplicated? > +echo " Copy the signed binary to the target file $TARGET_IMAGE" > +$MV $IMAGE_FILE.tmp $TARGET_IMAGE > + There's a blank line at EOF there. -- To unsubscribe from this list: send the line "unsubscribe linux-tegra" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
> -----Original Message----- > From: linux-tegra-owner@vger.kernel.org [mailto:linux-tegra- > owner@vger.kernel.org] On Behalf Of Stephen Warren > Sent: Thursday, October 08, 2015 1:58 PM > To: Jimmy Zhang > Cc: Allen Martin; Stephen Warren; linux-tegra@vger.kernel.org > Subject: Re: [cbootimage PATCH v3 5/5] Add two sample scripts to do rsa > signing for T210 bootimage > > On 10/08/2015 01:38 PM, Jimmy Zhang wrote: > > sign.sh runs openssl and other linux utilities to generate rsa-pss > > signatures for a prebuilt bootimage and inject signatures and rsa > > modulus into bct directly. > > > > Syntax: sign.sh <bootimage> <rsa_key.pem> > > > > sign-by-update.sh is similar to sign.sh. The difference is the > > signatures update are done by cbootimage with configuration keywords > > "RsaKeyModulusFile", "RsaPssSigBlFile", and "RsaPssSigBctFile". > > Comparing to sign.sh, this script is relatively simple to be ported to > > T124/T114. > > > > Syntax: sign-by-update.sh <bootimage> <rsa_key.pem> > > > diff --git a/rsa_priv.pem b/rsa_priv.pem > > I hope this is some random private key you generated just for the purposes > of demonstration... > This key is generated by openssl. It is used on my fused board. I will replace it with another random generated 2048 bit long modulus private key file. > > diff --git a/sign-by-update.sh b/sign-by-update.sh > > Let's put these example files in an examples directory or something like that. > > Should we update the Makefile to install the examples into some doc > directory? > I am not sure how to change Makefile. > > new file mode 100755 > > index 000000000000..b3f010a41d0e > > --- /dev/null > > +++ b/sign-by-update.sh > > @@ -0,0 +1,59 @@ > > +IMAGE_FILE=$1 > > +KEY_FILE=$2 > > There's no #! line here. > Will do. > I'd suggest adding "set -e" so there is some simple error-checking. > > > +echo " Get rid of all temporary files: *.sig, *.tosig, *.tmp *.mod *.rev" > > Why a space at the start of the echo'd data? (Or the end in other > commands) Quotes aren't needed either, at least for this command. > Similar comments for all the other echo statements. > OK. Will clean it up. > > +echo " Reverse bl signature to meet tegra soc signature ordering" > > +$OBJCOPY -I binary --reverse-bytes=256 $IMAGE_FILE.bl.sig > > +$IMAGE_FILE.bl.sig.rev > > Should cbootimage do this itself; this feels like an issue related to packing the > data into the BCT which is what cbootimage handles... > OK. I will add a function to handle this issue. > > +echo " Create public key modulus from key file $KEY_FILE and save to > $KEY_FILE.mod" > > +$OPENSSL rsa -in $KEY_FILE -noout -modulus -out $KEY_FILE.mod # > > +remove prefix and LF > > -noout then -out? > No. They are different options. Without -noout, private key is printed to output file as well. > > +$DD bs=1 if=$KEY_FILE.mod of=$KEY_FILE.mod.tmp skip=8 count=512 > > I'd suggest using cut for that in case the prefix changes; `cut -d= f2`. > Not sure how to use 'cut'. Instead, will use 'sed' > > diff --git a/sign.sh b/sign.sh > > Likely all the comments for sign-by-update.sh apply here too. > > I expect these scripts are very similar. Can the script take a cmdline argument > to request the update type (dd vs. a all to cbootimage -u) so that all the > common logic isn't duplicated? > > > +echo " Copy the signed binary to the target file $TARGET_IMAGE" > > +$MV $IMAGE_FILE.tmp $TARGET_IMAGE > > + > > There's a blank line at EOF there. > Will remove it. > -- > To unsubscribe from this list: send the line "unsubscribe linux-tegra" in the > body of a message to majordomo@vger.kernel.org More majordomo info at > http://vger.kernel.org/majordomo-info.html -- To unsubscribe from this list: send the line "unsubscribe linux-tegra" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On 10/08/2015 08:00 PM, Jimmy Zhang wrote: > Stephen Warren wrote at Thursday, October 08, 2015 1:58 PM: >> On 10/08/2015 01:38 PM, Jimmy Zhang wrote: >>> sign.sh runs openssl and other linux utilities to generate rsa-pss >>> signatures for a prebuilt bootimage and inject signatures and rsa >>> modulus into bct directly. >>> >>> Syntax: sign.sh <bootimage> <rsa_key.pem> >>> >>> sign-by-update.sh is similar to sign.sh. The difference is the >>> signatures update are done by cbootimage with configuration keywords >>> "RsaKeyModulusFile", "RsaPssSigBlFile", and "RsaPssSigBctFile". >>> Comparing to sign.sh, this script is relatively simple to be ported to >>> T124/T114. >>> >>> Syntax: sign-by-update.sh <bootimage> <rsa_key.pem> >>> diff --git a/sign-by-update.sh b/sign-by-update.sh >> >> Let's put these example files in an examples directory or something like that. >> >> Should we update the Makefile to install the examples into some doc >> directory? > > I am not sure how to change Makefile. I'm sure Allen can give you an example quickly, although just having the files in the source distribution (in a sub-dir) is probably fine for now. >>> +$DD bs=1 if=$KEY_FILE.mod of=$KEY_FILE.mod.tmp skip=8 count=512 >> >> I'd suggest using cut for that in case the prefix changes; `cut -d= f2`. > > Not sure how to use 'cut'. Instead, will use 'sed' You can can just use the cut command I gave, this maps to this as the entire replacement for dd: cut -d= -f2 < $KEY_FILE.mod > $KEY_FILE.mod.tmp -- To unsubscribe from this list: send the line "unsubscribe linux-tegra" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
I am considering to remove sample sign.sh because 1. It is kind of hacking. 2. Reversing byte order operation can be removed from sample two but not sign.sh If you agree, I will remove sign.sh and then rename sign-by-update.sh to sign.sh > -----Original Message----- > From: Stephen Warren [mailto:swarren@wwwdotorg.org] > Sent: Thursday, October 08, 2015 7:09 PM > To: Jimmy Zhang > Cc: Allen Martin; Stephen Warren; linux-tegra@vger.kernel.org > Subject: Re: [cbootimage PATCH v3 5/5] Add two sample scripts to do rsa > signing for T210 bootimage > > On 10/08/2015 08:00 PM, Jimmy Zhang wrote: > > Stephen Warren wrote at Thursday, October 08, 2015 1:58 PM: > >> On 10/08/2015 01:38 PM, Jimmy Zhang wrote: > >>> sign.sh runs openssl and other linux utilities to generate rsa-pss > >>> signatures for a prebuilt bootimage and inject signatures and rsa > >>> modulus into bct directly. > >>> > >>> Syntax: sign.sh <bootimage> <rsa_key.pem> > >>> > >>> sign-by-update.sh is similar to sign.sh. The difference is the > >>> signatures update are done by cbootimage with configuration keywords > >>> "RsaKeyModulusFile", "RsaPssSigBlFile", and "RsaPssSigBctFile". > >>> Comparing to sign.sh, this script is relatively simple to be ported > >>> to T124/T114. > >>> > >>> Syntax: sign-by-update.sh <bootimage> <rsa_key.pem> > > >>> diff --git a/sign-by-update.sh b/sign-by-update.sh > >> > >> Let's put these example files in an examples directory or something like > that. > >> > >> Should we update the Makefile to install the examples into some doc > >> directory? > > > > I am not sure how to change Makefile. > > I'm sure Allen can give you an example quickly, although just having the files > in the source distribution (in a sub-dir) is probably fine for now. > OK. > >>> +$DD bs=1 if=$KEY_FILE.mod of=$KEY_FILE.mod.tmp skip=8 count=512 > >> > >> I'd suggest using cut for that in case the prefix changes; `cut -d= f2`. > > > > Not sure how to use 'cut'. Instead, will use 'sed' > > You can can just use the cut command I gave, this maps to this as the entire > replacement for dd: > > cut -d= -f2 < $KEY_FILE.mod > $KEY_FILE.mod.tmp OK. -- To unsubscribe from this list: send the line "unsubscribe linux-tegra" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On 10/09/2015 11:11 AM, Jimmy Zhang wrote: > I am considering to remove sample sign.sh because > 1. It is kind of hacking. > 2. Reversing byte order operation can be removed from sample two but not sign.sh > > If you agree, I will remove sign.sh and then rename sign-by-update.sh to sign.sh I must admit I wondered why you went to the trouble of enhancing cbootimage to be able to update the signatures and then provided a sample script that didn't use cbootimage:-) Having a single sample script that only uses cbootimage sounds fine to me. -- To unsubscribe from this list: send the line "unsubscribe linux-tegra" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Thu, Oct 08, 2015 at 08:09:16PM -0600, Stephen Warren wrote: > On 10/08/2015 08:00 PM, Jimmy Zhang wrote: > > Stephen Warren wrote at Thursday, October 08, 2015 1:58 PM: > >> On 10/08/2015 01:38 PM, Jimmy Zhang wrote: > >> > >> Should we update the Makefile to install the examples into some doc > >> directory? > > > > I am not sure how to change Makefile. > > I'm sure Allen can give you an example quickly, although just having the > files in the source distribution (in a sub-dir) is probably fine for now. You can add a "doc_DATA = example1.txt" line to Makefile.am and that will cause the example1.txt to get installed into: ${prefix}/share/doc/cbootimage -Allen -- To unsubscribe from this list: send the line "unsubscribe linux-tegra" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/rehash.cfg b/rehash.cfg new file mode 100644 index 000000000000..c5c741bad536 --- /dev/null +++ b/rehash.cfg @@ -0,0 +1 @@ +RehashBl; diff --git a/rsa_priv.pem b/rsa_priv.pem new file mode 100644 index 000000000000..cbafc03ba35a --- /dev/null +++ b/rsa_priv.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAs3Lf87UkomlfVHdw/FEz+owzgO+ZFu6/72qT+jSu7aEDZeZj +l2cgTQOnHjlmBYj6KoqwXQmY6ZWPNBT7xDqzGdvimCVRC3OGRee2uD+Itu/Qwo1F +FOb7v+l3v6lODGqDJ06aIxLicEiqK55dk5z+7dP8yyJ3pRhwiDPE4tNtlLOWgmJ/ +hENyqBHbMMzg67Qwb+aa89wfq2FRrvGOpfmrKlhqtikDnwJALBfkr7hsZGZOszHC +ii2L5T3eCaI/me2/VIGlQSjGxmaDkiG/aIZVTuIX/LuOyi4sLXJ9cIFQ7Ty/0PAk +6Ia6VyEGETQt6+JeLETX4Zc+XCnfbE/Flhs5PwIDAQABAoIBAQCMcmM/Xc4PY0Ne +W6FNicyR0vtYda4u2avVGWg50tP6XiPHtDrMO8V3IV3B9RCZUmzhsOx51NIeN5T+ +IVIvcfXNTmCZzdMRkFhODB3hNLCu5SFRs7mWs3Xj7TlxA3R3mUGPGSDgRJ5/XQ/6 +1ZbNunl38IuQ/SgBShCBOWtmUC4ay+ctm1CzBZ/7AYlauOxdoKiU2nzlwpMrX9+C +vaVKRQVYbE7EYJsWKOx6vRPU5Kjoq6StlSW4caG0ReRu9tO+xL7kZnqp1BWl3KHw +OfzLy1CmwDkV3bKFclRWWPR97nN7F95SUFIJ3bOVjU/K2TKuLtMYPPVdG4CBBeB5 +eK2Qae7ZAoGBAOprwiAvcRNWJ2W5JoCkh0L6AHXx2z+S1Bbt0laz4NyqyfPX2SMl +DJRxm/IoYRfwZf7fussI1bG7g4UP8HjfrlAzSEWVgPNMSWftOFzkv4QNr2ySjk0/ +nZRsd+zj2kxhc8ukDhiORkyEEg5gtsEUqbtdZHOiqtkNbKOPD6EGKeP7AoGBAMP3 +q5NUh9pJ2RGSkdKutloXNe0HPI6sjsCX3HHWAaFyqBtXWvRU3fIaMUpGQcPaqDCt +LhzVoNlPXdeQ7vTkBPtiYQBcs0NPI+58pnD5fgR00yTX/5ZIGKbX0NnpZ3spsQAQ +FQTXGy80+JyGMmJCDf32VGC96I9Ey5w49U23kXiNAoGAGEtiqwM/rMlY++ncW6ix +e/d85LxUBJqq8FVlXyb1PulUVLkh/8pvK1M63jXhGiIH8Aovyar4upq8XqXwPhaw +cg9ehhegbZaSZProxHfQgVcJvy7RIKBfLGqxYxOaJCBVZ91wuIrGLlfhpyvOxOPn +U0uyhWluW2BQygKhlAaXgNECgYAKDAif5RWR+3dFj14qjwqKU+ZP4K8aIX6wIRkM +PQyYWmiD/laLcE5wuycLx85XXD6DQF283LcCbS9CfgvCQm5+9OxEOHx4VvZgo8Nk +x2XOlK6+lNRlwAyDgU0T3wOPLPQGLMznEqAyK2UToU2z++77tkVdMF9b+Qr3V3Q8 +J80tgQKBgQCW2OHHUfnfRMns/d1sp/QNMag19flOT+IjvZXI5ZMy9yojlpcTSdSq +NzaahUZKtEankjMlXw2RHMYrXjtAJgwXlV4rMWxkaqUrVqq99v6M1QNx/SHjnVB+ +SYQ8PZHp0mPk/opRPydP/U5WKDcP10KRuSNRSQmvacD5gzs3B6Jhqg== +-----END RSA PRIVATE KEY----- diff --git a/sign-by-update.sh b/sign-by-update.sh new file mode 100755 index 000000000000..b3f010a41d0e --- /dev/null +++ b/sign-by-update.sh @@ -0,0 +1,59 @@ +IMAGE_FILE=$1 +KEY_FILE=$2 +TARGET_IMAGE=$IMAGE_FILE +CONFIG_FILE=update.cfg + +CBOOTIMAGE=src/cbootimage +BCT_DUMP=src/bct_dump +OBJCOPY=objcopy +OPENSSL=openssl +DD=dd +RM=rm +MV=mv +XXD=xxd + +echo " Get rid of all temporary files: *.sig, *.tosig, *.tmp *.mod *.rev" +$RM -f *.sig *.tosig *.tmp *.mod *.rev + +echo " Get bl length " +BL_LENGTH=`$BCT_DUMP $IMAGE_FILE | grep "Bootloader\[0\].Length" \ + | awk -F ' ' '{print $4}' | awk -F ';' '{print $1}'` + +echo " Extract bootloader to $IMAGE_FILE.bl.tosig, length $BL_LENGTH " +$DD bs=1 skip=32768 if=$IMAGE_FILE of=$IMAGE_FILE.bl.tosig count=$BL_LENGTH + +echo " Calculate rsa signature for bl and save to $IMAGE_FILE.bl.sig" +$OPENSSL dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \ + -sign $KEY_FILE -out $IMAGE_FILE.bl.sig $IMAGE_FILE.bl.tosig + +echo " Reverse bl signature to meet tegra soc signature ordering" +$OBJCOPY -I binary --reverse-bytes=256 $IMAGE_FILE.bl.sig $IMAGE_FILE.bl.sig.rev + +echo "# Update bootloader's rsa signature, aes hash and bct's aes hash" +echo "RsaPssSigBlFile = $IMAGE_FILE.bl.sig.rev;" > $CONFIG_FILE +echo "RehashBl;" >> $CONFIG_FILE +$CBOOTIMAGE -s tegra210 -u $CONFIG_FILE $IMAGE_FILE $IMAGE_FILE.tmp + +echo " Extract the part of bct which needs to be rsa signed" +$DD bs=1 if=$IMAGE_FILE.tmp of=$IMAGE_FILE.bct.tosig count=8944 skip=1296 + +echo " Calculate rsa signature for bct and save to $IMAGE_FILE.bct.sig" +$OPENSSL dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \ + -sign $KEY_FILE -out $IMAGE_FILE.bct.sig $IMAGE_FILE.bct.tosig + +echo " Reverse bct signature to meet tegra soc signature ordering" +$OBJCOPY -I binary --reverse-bytes=256 $IMAGE_FILE.bct.sig $IMAGE_FILE.bct.sig.rev + +echo " Create public key modulus from key file $KEY_FILE and save to $KEY_FILE.mod" +$OPENSSL rsa -in $KEY_FILE -noout -modulus -out $KEY_FILE.mod +# remove prefix and LF +$DD bs=1 if=$KEY_FILE.mod of=$KEY_FILE.mod.tmp skip=8 count=512 +# convert format from hexdecimal to binary +$XXD -r -p -l 256 $KEY_FILE.mod.tmp $KEY_FILE.mod.bin +# reverse byte order" +$OBJCOPY -I binary --reverse-bytes=256 $KEY_FILE.mod.bin $KEY_FILE.mod.bin.rev + +echo "# Update bct's rsa signature and modulus" +echo "RsaPssSigBctFile = $IMAGE_FILE.bct.sig.rev;" > $CONFIG_FILE +echo "RsaKeyModulusFile = $KEY_FILE.mod.bin.rev;" >> $CONFIG_FILE +$CBOOTIMAGE -s tegra210 -u $CONFIG_FILE $IMAGE_FILE.tmp $TARGET_IMAGE diff --git a/sign.sh b/sign.sh new file mode 100755 index 000000000000..8f8a353fe19f --- /dev/null +++ b/sign.sh @@ -0,0 +1,65 @@ +IMAGE_FILE=$1 +KEY_FILE=$2 +TARGET_IMAGE=$IMAGE_FILE +CONFIG_FILE=rehash.cfg + +CBOOTIMAGE=src/cbootimage +BCT_DUMP=src/bct_dump +OBJCOPY=objcopy +OPENSSL=openssl +DD=dd +RM=rm +MV=mv +XXD=xxd + +echo " Get rid of all temporary files: *.sig, *.tosig, *.tmp *.mod *.rev" +$RM -f *.sig *.tosig *.tmp *.mod *.rev + +echo " Get bl length " +BL_LENGTH=`$BCT_DUMP $IMAGE_FILE | grep "Bootloader\[0\].Length" \ + | awk -F ' ' '{print $4}' | awk -F ';' '{print $1}'` + +echo " Extract bootloader to $IMAGE_FILE.bl.tosig, length $BL_LENGTH " +$DD bs=1 skip=32768 if=$IMAGE_FILE of=$IMAGE_FILE.bl.tosig count=$BL_LENGTH + +echo " Calculate rsa signature for bl and save to $IMAGE_FILE.bl.sig" +$OPENSSL dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \ + -sign $KEY_FILE -out $IMAGE_FILE.bl.sig $IMAGE_FILE.bl.tosig + +echo " Reverse bl signature to meet tegra soc signature ordering" +$OBJCOPY -I binary --reverse-bytes=256 $IMAGE_FILE.bl.sig $IMAGE_FILE.bl.sig.rev + +echo " Inject bl signature into bct" +$DD conv=notrunc bs=1 if=$IMAGE_FILE.bl.sig.rev of=$IMAGE_FILE seek=9052 count=256 + +echo " Update bct aes hash and output to $IMAGE_FILE.tmp" +$CBOOTIMAGE -s tegra210 -u $CONFIG_FILE $IMAGE_FILE $IMAGE_FILE.tmp + +echo " Extract the part of bct which needs to be rsa signed" +$DD bs=1 if=$IMAGE_FILE.tmp of=$IMAGE_FILE.bct.tosig count=8944 skip=1296 + +echo " Calculate rsa signature for bct and save to $IMAGE_FILE.bct.sig" +$OPENSSL dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \ + -sign $KEY_FILE -out $IMAGE_FILE.bct.sig $IMAGE_FILE.bct.tosig + +echo " Reverse bct signature to meet tegra soc signature ordering" +$OBJCOPY -I binary --reverse-bytes=256 $IMAGE_FILE.bct.sig $IMAGE_FILE.bct.sig.rev + +echo " Inject bct signature into bct" +$DD conv=notrunc bs=1 if=$IMAGE_FILE.bct.sig.rev of=$IMAGE_FILE.tmp seek=800 count=256 + +echo " Create public key modulus from key file $KEY_FILE and save to $KEY_FILE.mod" +$OPENSSL rsa -in $KEY_FILE -noout -modulus -out $KEY_FILE.mod +# remove prefix and LF +$DD bs=1 if=$KEY_FILE.mod of=$KEY_FILE.mod.tmp skip=8 count=512 +# convert format from hexdecimal to binary +$XXD -r -p -l 256 $KEY_FILE.mod.tmp $KEY_FILE.mod.bin +# reverse byte order" +$OBJCOPY -I binary --reverse-bytes=256 $KEY_FILE.mod.bin $KEY_FILE.mod.bin.rev + +echo " Inject public key modulus into bct" +$DD conv=notrunc bs=1 if=$KEY_FILE.mod.bin.rev of=$IMAGE_FILE.tmp seek=528 count=256 + +echo " Copy the signed binary to the target file $TARGET_IMAGE" +$MV $IMAGE_FILE.tmp $TARGET_IMAGE +
sign.sh runs openssl and other linux utilities to generate rsa-pss signatures for a prebuilt bootimage and inject signatures and rsa modulus into bct directly. Syntax: sign.sh <bootimage> <rsa_key.pem> sign-by-update.sh is similar to sign.sh. The difference is the signatures update are done by cbootimage with configuration keywords "RsaKeyModulusFile", "RsaPssSigBlFile", and "RsaPssSigBctFile". Comparing to sign.sh, this script is relatively simple to be ported to T124/T114. Syntax: sign-by-update.sh <bootimage> <rsa_key.pem> Signed-off-by: Jimmy Zhang <jimmzhang@nvidia.com> --- rehash.cfg | 1 + rsa_priv.pem | 27 +++++++++++++++++++++++ sign-by-update.sh | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++ sign.sh | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 152 insertions(+) create mode 100644 rehash.cfg create mode 100644 rsa_priv.pem create mode 100755 sign-by-update.sh create mode 100755 sign.sh