From patchwork Thu Oct 8 19:38:29 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: jimmzhang X-Patchwork-Id: 527870 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 564AE1402B4 for ; Fri, 9 Oct 2015 06:40:19 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755724AbbJHTkS (ORCPT ); Thu, 8 Oct 2015 15:40:18 -0400 Received: from hqemgate16.nvidia.com ([216.228.121.65]:14735 "EHLO hqemgate16.nvidia.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755264AbbJHTkS (ORCPT ); Thu, 8 Oct 2015 15:40:18 -0400 Received: from hqnvupgp07.nvidia.com (Not Verified[216.228.121.13]) by hqemgate16.nvidia.com id ; Thu, 08 Oct 2015 12:40:20 -0700 Received: from hqemhub02.nvidia.com ([172.20.150.31]) by hqnvupgp07.nvidia.com (PGP Universal service); Thu, 08 Oct 2015 12:32:41 -0700 X-PGP-Universal: processed; by hqnvupgp07.nvidia.com on Thu, 08 Oct 2015 12:32:41 -0700 Received: from jimmzhang-P9X79.nvidia.com (172.20.144.16) by hqemhub02.nvidia.com (172.20.150.31) with Microsoft SMTP Server (TLS) id 8.3.342.0; Thu, 8 Oct 2015 12:40:17 -0700 From: Jimmy Zhang To: , CC: , Jimmy Zhang Subject: [cbootimage PATCH v3 5/5] Add two sample scripts to do rsa signing for T210 bootimage Date: Thu, 8 Oct 2015 12:38:29 -0700 Message-ID: <1444333109-3671-7-git-send-email-jimmzhang@nvidia.com> X-Mailer: git-send-email 1.8.1.5 In-Reply-To: <1444333109-3671-1-git-send-email-jimmzhang@nvidia.com> References: <1444333109-3671-1-git-send-email-jimmzhang@nvidia.com> MIME-Version: 1.0 Sender: linux-tegra-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-tegra@vger.kernel.org sign.sh runs openssl and other linux utilities to generate rsa-pss signatures for a prebuilt bootimage and inject signatures and rsa modulus into bct directly. Syntax: sign.sh sign-by-update.sh is similar to sign.sh. The difference is the signatures update are done by cbootimage with configuration keywords "RsaKeyModulusFile", "RsaPssSigBlFile", and "RsaPssSigBctFile". Comparing to sign.sh, this script is relatively simple to be ported to T124/T114. Syntax: sign-by-update.sh Signed-off-by: Jimmy Zhang --- rehash.cfg | 1 + rsa_priv.pem | 27 +++++++++++++++++++++++ sign-by-update.sh | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++ sign.sh | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 152 insertions(+) create mode 100644 rehash.cfg create mode 100644 rsa_priv.pem create mode 100755 sign-by-update.sh create mode 100755 sign.sh diff --git a/rehash.cfg b/rehash.cfg new file mode 100644 index 000000000000..c5c741bad536 --- /dev/null +++ b/rehash.cfg @@ -0,0 +1 @@ +RehashBl; diff --git a/rsa_priv.pem b/rsa_priv.pem new file mode 100644 index 000000000000..cbafc03ba35a --- /dev/null +++ b/rsa_priv.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAs3Lf87UkomlfVHdw/FEz+owzgO+ZFu6/72qT+jSu7aEDZeZj +l2cgTQOnHjlmBYj6KoqwXQmY6ZWPNBT7xDqzGdvimCVRC3OGRee2uD+Itu/Qwo1F +FOb7v+l3v6lODGqDJ06aIxLicEiqK55dk5z+7dP8yyJ3pRhwiDPE4tNtlLOWgmJ/ +hENyqBHbMMzg67Qwb+aa89wfq2FRrvGOpfmrKlhqtikDnwJALBfkr7hsZGZOszHC +ii2L5T3eCaI/me2/VIGlQSjGxmaDkiG/aIZVTuIX/LuOyi4sLXJ9cIFQ7Ty/0PAk +6Ia6VyEGETQt6+JeLETX4Zc+XCnfbE/Flhs5PwIDAQABAoIBAQCMcmM/Xc4PY0Ne +W6FNicyR0vtYda4u2avVGWg50tP6XiPHtDrMO8V3IV3B9RCZUmzhsOx51NIeN5T+ +IVIvcfXNTmCZzdMRkFhODB3hNLCu5SFRs7mWs3Xj7TlxA3R3mUGPGSDgRJ5/XQ/6 +1ZbNunl38IuQ/SgBShCBOWtmUC4ay+ctm1CzBZ/7AYlauOxdoKiU2nzlwpMrX9+C +vaVKRQVYbE7EYJsWKOx6vRPU5Kjoq6StlSW4caG0ReRu9tO+xL7kZnqp1BWl3KHw +OfzLy1CmwDkV3bKFclRWWPR97nN7F95SUFIJ3bOVjU/K2TKuLtMYPPVdG4CBBeB5 +eK2Qae7ZAoGBAOprwiAvcRNWJ2W5JoCkh0L6AHXx2z+S1Bbt0laz4NyqyfPX2SMl +DJRxm/IoYRfwZf7fussI1bG7g4UP8HjfrlAzSEWVgPNMSWftOFzkv4QNr2ySjk0/ +nZRsd+zj2kxhc8ukDhiORkyEEg5gtsEUqbtdZHOiqtkNbKOPD6EGKeP7AoGBAMP3 +q5NUh9pJ2RGSkdKutloXNe0HPI6sjsCX3HHWAaFyqBtXWvRU3fIaMUpGQcPaqDCt +LhzVoNlPXdeQ7vTkBPtiYQBcs0NPI+58pnD5fgR00yTX/5ZIGKbX0NnpZ3spsQAQ +FQTXGy80+JyGMmJCDf32VGC96I9Ey5w49U23kXiNAoGAGEtiqwM/rMlY++ncW6ix +e/d85LxUBJqq8FVlXyb1PulUVLkh/8pvK1M63jXhGiIH8Aovyar4upq8XqXwPhaw +cg9ehhegbZaSZProxHfQgVcJvy7RIKBfLGqxYxOaJCBVZ91wuIrGLlfhpyvOxOPn +U0uyhWluW2BQygKhlAaXgNECgYAKDAif5RWR+3dFj14qjwqKU+ZP4K8aIX6wIRkM +PQyYWmiD/laLcE5wuycLx85XXD6DQF283LcCbS9CfgvCQm5+9OxEOHx4VvZgo8Nk +x2XOlK6+lNRlwAyDgU0T3wOPLPQGLMznEqAyK2UToU2z++77tkVdMF9b+Qr3V3Q8 +J80tgQKBgQCW2OHHUfnfRMns/d1sp/QNMag19flOT+IjvZXI5ZMy9yojlpcTSdSq +NzaahUZKtEankjMlXw2RHMYrXjtAJgwXlV4rMWxkaqUrVqq99v6M1QNx/SHjnVB+ +SYQ8PZHp0mPk/opRPydP/U5WKDcP10KRuSNRSQmvacD5gzs3B6Jhqg== +-----END RSA PRIVATE KEY----- diff --git a/sign-by-update.sh b/sign-by-update.sh new file mode 100755 index 000000000000..b3f010a41d0e --- /dev/null +++ b/sign-by-update.sh @@ -0,0 +1,59 @@ +IMAGE_FILE=$1 +KEY_FILE=$2 +TARGET_IMAGE=$IMAGE_FILE +CONFIG_FILE=update.cfg + +CBOOTIMAGE=src/cbootimage +BCT_DUMP=src/bct_dump +OBJCOPY=objcopy +OPENSSL=openssl +DD=dd +RM=rm +MV=mv +XXD=xxd + +echo " Get rid of all temporary files: *.sig, *.tosig, *.tmp *.mod *.rev" +$RM -f *.sig *.tosig *.tmp *.mod *.rev + +echo " Get bl length " +BL_LENGTH=`$BCT_DUMP $IMAGE_FILE | grep "Bootloader\[0\].Length" \ + | awk -F ' ' '{print $4}' | awk -F ';' '{print $1}'` + +echo " Extract bootloader to $IMAGE_FILE.bl.tosig, length $BL_LENGTH " +$DD bs=1 skip=32768 if=$IMAGE_FILE of=$IMAGE_FILE.bl.tosig count=$BL_LENGTH + +echo " Calculate rsa signature for bl and save to $IMAGE_FILE.bl.sig" +$OPENSSL dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \ + -sign $KEY_FILE -out $IMAGE_FILE.bl.sig $IMAGE_FILE.bl.tosig + +echo " Reverse bl signature to meet tegra soc signature ordering" +$OBJCOPY -I binary --reverse-bytes=256 $IMAGE_FILE.bl.sig $IMAGE_FILE.bl.sig.rev + +echo "# Update bootloader's rsa signature, aes hash and bct's aes hash" +echo "RsaPssSigBlFile = $IMAGE_FILE.bl.sig.rev;" > $CONFIG_FILE +echo "RehashBl;" >> $CONFIG_FILE +$CBOOTIMAGE -s tegra210 -u $CONFIG_FILE $IMAGE_FILE $IMAGE_FILE.tmp + +echo " Extract the part of bct which needs to be rsa signed" +$DD bs=1 if=$IMAGE_FILE.tmp of=$IMAGE_FILE.bct.tosig count=8944 skip=1296 + +echo " Calculate rsa signature for bct and save to $IMAGE_FILE.bct.sig" +$OPENSSL dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \ + -sign $KEY_FILE -out $IMAGE_FILE.bct.sig $IMAGE_FILE.bct.tosig + +echo " Reverse bct signature to meet tegra soc signature ordering" +$OBJCOPY -I binary --reverse-bytes=256 $IMAGE_FILE.bct.sig $IMAGE_FILE.bct.sig.rev + +echo " Create public key modulus from key file $KEY_FILE and save to $KEY_FILE.mod" +$OPENSSL rsa -in $KEY_FILE -noout -modulus -out $KEY_FILE.mod +# remove prefix and LF +$DD bs=1 if=$KEY_FILE.mod of=$KEY_FILE.mod.tmp skip=8 count=512 +# convert format from hexdecimal to binary +$XXD -r -p -l 256 $KEY_FILE.mod.tmp $KEY_FILE.mod.bin +# reverse byte order" +$OBJCOPY -I binary --reverse-bytes=256 $KEY_FILE.mod.bin $KEY_FILE.mod.bin.rev + +echo "# Update bct's rsa signature and modulus" +echo "RsaPssSigBctFile = $IMAGE_FILE.bct.sig.rev;" > $CONFIG_FILE +echo "RsaKeyModulusFile = $KEY_FILE.mod.bin.rev;" >> $CONFIG_FILE +$CBOOTIMAGE -s tegra210 -u $CONFIG_FILE $IMAGE_FILE.tmp $TARGET_IMAGE diff --git a/sign.sh b/sign.sh new file mode 100755 index 000000000000..8f8a353fe19f --- /dev/null +++ b/sign.sh @@ -0,0 +1,65 @@ +IMAGE_FILE=$1 +KEY_FILE=$2 +TARGET_IMAGE=$IMAGE_FILE +CONFIG_FILE=rehash.cfg + +CBOOTIMAGE=src/cbootimage +BCT_DUMP=src/bct_dump +OBJCOPY=objcopy +OPENSSL=openssl +DD=dd +RM=rm +MV=mv +XXD=xxd + +echo " Get rid of all temporary files: *.sig, *.tosig, *.tmp *.mod *.rev" +$RM -f *.sig *.tosig *.tmp *.mod *.rev + +echo " Get bl length " +BL_LENGTH=`$BCT_DUMP $IMAGE_FILE | grep "Bootloader\[0\].Length" \ + | awk -F ' ' '{print $4}' | awk -F ';' '{print $1}'` + +echo " Extract bootloader to $IMAGE_FILE.bl.tosig, length $BL_LENGTH " +$DD bs=1 skip=32768 if=$IMAGE_FILE of=$IMAGE_FILE.bl.tosig count=$BL_LENGTH + +echo " Calculate rsa signature for bl and save to $IMAGE_FILE.bl.sig" +$OPENSSL dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \ + -sign $KEY_FILE -out $IMAGE_FILE.bl.sig $IMAGE_FILE.bl.tosig + +echo " Reverse bl signature to meet tegra soc signature ordering" +$OBJCOPY -I binary --reverse-bytes=256 $IMAGE_FILE.bl.sig $IMAGE_FILE.bl.sig.rev + +echo " Inject bl signature into bct" +$DD conv=notrunc bs=1 if=$IMAGE_FILE.bl.sig.rev of=$IMAGE_FILE seek=9052 count=256 + +echo " Update bct aes hash and output to $IMAGE_FILE.tmp" +$CBOOTIMAGE -s tegra210 -u $CONFIG_FILE $IMAGE_FILE $IMAGE_FILE.tmp + +echo " Extract the part of bct which needs to be rsa signed" +$DD bs=1 if=$IMAGE_FILE.tmp of=$IMAGE_FILE.bct.tosig count=8944 skip=1296 + +echo " Calculate rsa signature for bct and save to $IMAGE_FILE.bct.sig" +$OPENSSL dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \ + -sign $KEY_FILE -out $IMAGE_FILE.bct.sig $IMAGE_FILE.bct.tosig + +echo " Reverse bct signature to meet tegra soc signature ordering" +$OBJCOPY -I binary --reverse-bytes=256 $IMAGE_FILE.bct.sig $IMAGE_FILE.bct.sig.rev + +echo " Inject bct signature into bct" +$DD conv=notrunc bs=1 if=$IMAGE_FILE.bct.sig.rev of=$IMAGE_FILE.tmp seek=800 count=256 + +echo " Create public key modulus from key file $KEY_FILE and save to $KEY_FILE.mod" +$OPENSSL rsa -in $KEY_FILE -noout -modulus -out $KEY_FILE.mod +# remove prefix and LF +$DD bs=1 if=$KEY_FILE.mod of=$KEY_FILE.mod.tmp skip=8 count=512 +# convert format from hexdecimal to binary +$XXD -r -p -l 256 $KEY_FILE.mod.tmp $KEY_FILE.mod.bin +# reverse byte order" +$OBJCOPY -I binary --reverse-bytes=256 $KEY_FILE.mod.bin $KEY_FILE.mod.bin.rev + +echo " Inject public key modulus into bct" +$DD conv=notrunc bs=1 if=$KEY_FILE.mod.bin.rev of=$IMAGE_FILE.tmp seek=528 count=256 + +echo " Copy the signed binary to the target file $TARGET_IMAGE" +$MV $IMAGE_FILE.tmp $TARGET_IMAGE +