Message ID | 1443819420-26562-4-git-send-email-jimmzhang@nvidia.com |
---|---|
State | Superseded, archived |
Headers | show |
On 10/02/2015 02:56 PM, Jimmy Zhang wrote: > Add support to dump rsa pubkey, bct's rsa-pss signature and > bootloader's rsa-pss signature. It also seems to dump some AES hashes too. > diff --git a/src/bct_dump.c b/src/bct_dump.c > +static void format_rsa_param(char const * message, void * data) > +{ > + u_int8_t *rsa = (u_int8_t *)data; > + int byte_index; > + > + printf("%s", message); > + for (byte_index = 0; byte_index < ARSE_RSA_PARAM_MAX_BYTES; > + ++byte_index) { > + printf("%02x", *rsa++); > + > + if (byte_index && ((byte_index + 1) % 64 == 0)) > + printf(";\n"); > + } > + > + if (byte_index && (byte_index % 64 != 0)) > + printf(";\n"); > +} The same comment about hard-coding ARSE_RSA_PARAM_MAX_BYTES applies here as in the previous commit. It would be nice if this function wrote the values to a file. That way, the output of bct_dump would be something you could feed into cbootimage directly. With this patch, the user has to manually convert the inline hex data into a binary file before the output is useful. Still, solving that might be challenging. If bct_dump wrote to a user-supplied filename, the files could simply be named "${filename}.RsaKeyModulus" etc. However, since bct_dump prints to stdout, that's not possible. Perhaps since bct_dump is mostly a debug aid, we can live with this issue for now. -- To unsubscribe from this list: send the line "unsubscribe linux-tegra" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
> -----Original Message----- > From: Stephen Warren [mailto:swarren@wwwdotorg.org] > Sent: Wednesday, October 07, 2015 9:45 AM > To: Jimmy Zhang > Cc: Allen Martin; Stephen Warren; linux-tegra@vger.kernel.org > Subject: Re: [tegrarcm PATCH v2 3/4] Add support to dump rsa related fields > for t210 > > On 10/02/2015 02:56 PM, Jimmy Zhang wrote: > > Add support to dump rsa pubkey, bct's rsa-pss signature and > > bootloader's rsa-pss signature. > > It also seems to dump some AES hashes too. > > > diff --git a/src/bct_dump.c b/src/bct_dump.c > > > +static void format_rsa_param(char const * message, void * data) { > > + u_int8_t *rsa = (u_int8_t *)data; > > + int byte_index; > > + > > + printf("%s", message); > > + for (byte_index = 0; byte_index < ARSE_RSA_PARAM_MAX_BYTES; > > + ++byte_index) { > > + printf("%02x", *rsa++); > > + > > + if (byte_index && ((byte_index + 1) % 64 == 0)) > > + printf(";\n"); > > + } > > + > > + if (byte_index && (byte_index % 64 != 0)) > > + printf(";\n"); > > +} > > The same comment about hard-coding ARSE_RSA_PARAM_MAX_BYTES > applies here as in the previous commit. > > It would be nice if this function wrote the values to a file. That way, the > output of bct_dump would be something you could feed into cbootimage > directly. With this patch, the user has to manually convert the inline hex data > into a binary file before the output is useful. > > Still, solving that might be challenging. If bct_dump wrote to a user-supplied > filename, the files could simply be named "${filename}.RsaKeyModulus" etc. > However, since bct_dump prints to stdout, that's not possible. Perhaps since > bct_dump is mostly a debug aid, we can live with this issue for now. Maybe we should add a command line option to save RsaKey modulus to a given file. I can come up another patch after this series is merged. -- To unsubscribe from this list: send the line "unsubscribe linux-tegra" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On 10/07/2015 12:57 PM, Jimmy Zhang wrote: > > >> -----Original Message----- >> From: Stephen Warren [mailto:swarren@wwwdotorg.org] >> Sent: Wednesday, October 07, 2015 9:45 AM >> To: Jimmy Zhang >> Cc: Allen Martin; Stephen Warren; linux-tegra@vger.kernel.org >> Subject: Re: [tegrarcm PATCH v2 3/4] Add support to dump rsa related fields >> for t210 >> >> On 10/02/2015 02:56 PM, Jimmy Zhang wrote: >>> Add support to dump rsa pubkey, bct's rsa-pss signature and >>> bootloader's rsa-pss signature. >> >> It also seems to dump some AES hashes too. >> >>> diff --git a/src/bct_dump.c b/src/bct_dump.c >> >>> +static void format_rsa_param(char const * message, void * data) { >>> + u_int8_t *rsa = (u_int8_t *)data; >>> + int byte_index; >>> + >>> + printf("%s", message); >>> + for (byte_index = 0; byte_index < ARSE_RSA_PARAM_MAX_BYTES; >>> + ++byte_index) { >>> + printf("%02x", *rsa++); >>> + >>> + if (byte_index && ((byte_index + 1) % 64 == 0)) >>> + printf(";\n"); >>> + } >>> + >>> + if (byte_index && (byte_index % 64 != 0)) >>> + printf(";\n"); >>> +} >> >> The same comment about hard-coding ARSE_RSA_PARAM_MAX_BYTES >> applies here as in the previous commit. >> >> It would be nice if this function wrote the values to a file. That way, the >> output of bct_dump would be something you could feed into cbootimage >> directly. With this patch, the user has to manually convert the inline hex data >> into a binary file before the output is useful. >> >> Still, solving that might be challenging. If bct_dump wrote to a user-supplied >> filename, the files could simply be named "${filename}.RsaKeyModulus" etc. >> However, since bct_dump prints to stdout, that's not possible. Perhaps since >> bct_dump is mostly a debug aid, we can live with this issue for now. > > Maybe we should add a command line option to save RsaKey modulus to a given file. I can come up another patch after this series is merged. That would work. The issue is there are 3 tokens which implies 3 command-line options (and may be more tokens if we extend cbootimage to support N BCT copies, N bootloaders, etc.). Perhaps best would be: bct_dump foo.bin -> Prints results to stdout, with inline dumps of the RSA fields bct_dump -o foo.cfg foo.bin -> "Prints" results to foo.cfg, and puts all the RSA fields (as binary) into foo.cfg.RsaKeyModulus (and a variety of other auto-named files)? -- To unsubscribe from this list: send the line "unsubscribe linux-tegra" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
> -----Original Message----- > From: Stephen Warren [mailto:swarren@wwwdotorg.org] > Sent: Wednesday, October 07, 2015 12:29 PM > To: Jimmy Zhang > Cc: Allen Martin; Stephen Warren; linux-tegra@vger.kernel.org > Subject: Re: [tegrarcm PATCH v2 3/4] Add support to dump rsa related fields > for t210 > > On 10/07/2015 12:57 PM, Jimmy Zhang wrote: > > > > > >> -----Original Message----- > >> From: Stephen Warren [mailto:swarren@wwwdotorg.org] > >> Sent: Wednesday, October 07, 2015 9:45 AM > >> To: Jimmy Zhang > >> Cc: Allen Martin; Stephen Warren; linux-tegra@vger.kernel.org > >> Subject: Re: [tegrarcm PATCH v2 3/4] Add support to dump rsa related > >> fields for t210 > >> > >> On 10/02/2015 02:56 PM, Jimmy Zhang wrote: > >>> Add support to dump rsa pubkey, bct's rsa-pss signature and > >>> bootloader's rsa-pss signature. > >> > >> It also seems to dump some AES hashes too. > >> > >>> diff --git a/src/bct_dump.c b/src/bct_dump.c > >> > >>> +static void format_rsa_param(char const * message, void * data) { > >>> + u_int8_t *rsa = (u_int8_t *)data; > >>> + int byte_index; > >>> + > >>> + printf("%s", message); > >>> + for (byte_index = 0; byte_index < ARSE_RSA_PARAM_MAX_BYTES; > >>> + ++byte_index) { > >>> + printf("%02x", *rsa++); > >>> + > >>> + if (byte_index && ((byte_index + 1) % 64 == 0)) > >>> + printf(";\n"); > >>> + } > >>> + > >>> + if (byte_index && (byte_index % 64 != 0)) > >>> + printf(";\n"); > >>> +} > >> > >> The same comment about hard-coding ARSE_RSA_PARAM_MAX_BYTES > applies > >> here as in the previous commit. > >> > >> It would be nice if this function wrote the values to a file. That > >> way, the output of bct_dump would be something you could feed into > >> cbootimage directly. With this patch, the user has to manually > >> convert the inline hex data into a binary file before the output is useful. > >> > >> Still, solving that might be challenging. If bct_dump wrote to a > >> user-supplied filename, the files could simply be named > "${filename}.RsaKeyModulus" etc. > >> However, since bct_dump prints to stdout, that's not possible. > >> Perhaps since bct_dump is mostly a debug aid, we can live with this issue > for now. > > > > Maybe we should add a command line option to save RsaKey modulus to a > given file. I can come up another patch after this series is merged. > > That would work. The issue is there are 3 tokens which implies 3 command- > line options (and may be more tokens if we extend cbootimage to support N > BCT copies, N bootloaders, etc.). > > Perhaps best would be: > > bct_dump foo.bin > -> Prints results to stdout, with inline dumps of the RSA fields > > bct_dump -o foo.cfg foo.bin > -> "Prints" results to foo.cfg, and puts all the RSA fields (as binary) > into foo.cfg.RsaKeyModulus (and a variety of other auto-named files)? OK. Will do. -- To unsubscribe from this list: send the line "unsubscribe linux-tegra" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/src/bct_dump.c b/src/bct_dump.c index be7b85dc72d6..27e3dbb5e6be 100644 --- a/src/bct_dump.c +++ b/src/bct_dump.c @@ -30,6 +30,8 @@ cbootimage_soc_config * g_soc_config; static void format_u32_hex8(char const * message, void * data); static void format_u32(char const * message, void * data); static void format_chipuid(char const * message, void * data); +static void format_hex_16_bytes(char const * message, void * data); +static void format_rsa_param(char const * message, void * data); typedef void (*format_function)(char const * message, void * data); @@ -42,6 +44,7 @@ typedef struct { typedef union { u_int32_t val; u_int8_t uid[16]; + u_int8_t rsa_param[256]; } param_types; #define MAX_PARAM_SIZE sizeof(param_types) @@ -54,6 +57,9 @@ static value_data const values[] = { { token_odm_data, "OdmData = ", format_u32_hex8 }, { token_secure_jtag_control, "JtagCtrl = ", format_u32_hex8 }, { token_secure_debug_control, "DebugCtrl = ", format_u32_hex8 }, + { token_crypto_hash, "BCT AES Hash = ", format_hex_16_bytes }, + { token_rsa_key_modulus, "RsaKeyModulus = ", format_rsa_param }, + { token_rsa_pss_sig_bct, "RsaPssSigBct = ", format_rsa_param }, { token_unique_chip_id, "ChipUid = ", format_chipuid }, { token_bootloader_used, "# Bootloader used = ", format_u32 }, { token_bootloaders_max, "# Bootloaders max = ", format_u32 }, @@ -72,6 +78,8 @@ static value_data const bl_values[] = { { token_bl_load_addr, "Load address = ", format_u32_hex8 }, { token_bl_entry_point, "Entry point = ", format_u32_hex8 }, { token_bl_attribute, "Attributes = ", format_u32_hex8 }, + { token_bl_crypto_hash, "Bl AES Hash = ", format_hex_16_bytes }, + { token_rsa_pss_sig_bl, "RsaPssSigBl = ", format_rsa_param }, }; static value_data const mts_values[] = { @@ -108,6 +116,36 @@ static void format_chipuid(char const * message, void * data) printf("%s%s;\n", message, uid_str); } +static void format_hex_16_bytes(char const * message, void * data) +{ + u_int8_t *p_byte = (u_int8_t *)data; + int byte_index; + + printf("%s", message); + for (byte_index = 0; byte_index < 16; ++byte_index) + printf("%02x", *p_byte++); + + printf(";\n"); +} + +static void format_rsa_param(char const * message, void * data) +{ + u_int8_t *rsa = (u_int8_t *)data; + int byte_index; + + printf("%s", message); + for (byte_index = 0; byte_index < ARSE_RSA_PARAM_MAX_BYTES; + ++byte_index) { + printf("%02x", *rsa++); + + if (byte_index && ((byte_index + 1) % 64 == 0)) + printf(";\n"); + } + + if (byte_index && (byte_index % 64 != 0)) + printf(";\n"); +} + /*****************************************************************************/ static void usage(void) { diff --git a/src/t210/nvbctlib_t210.c b/src/t210/nvbctlib_t210.c index 91a42ec8367f..10e2a4756e1a 100644 --- a/src/t210/nvbctlib_t210.c +++ b/src/t210/nvbctlib_t210.c @@ -109,6 +109,8 @@ parse_token t210_root_token_list[] = { token_bootloaders_max, token_bct_size, token_hash_size, + token_crypto_hash, + token_bl_crypto_hash, token_crypto_offset, token_crypto_length, token_max_bct_search_blks, @@ -2034,6 +2036,11 @@ t210_getbl_param(u_int32_t set, sizeof(nvboot_hash)); break; + case token_rsa_pss_sig_bl: + memcpy(data, &bct_ptr->bootloader[set].signature.rsa_pss_sig, + sizeof(nvboot_rsa_pss_sig)); + break; + default: return -ENODATA; } @@ -2130,6 +2137,15 @@ t210_bct_get_value(parse_token id, void *data, u_int8_t *bct) memcpy(data, &(bct_ptr->unique_chip_id), sizeof(nvboot_ecid)); break; + case token_rsa_key_modulus: + memcpy(data, &bct_ptr->key, sizeof(nvboot_rsa_key_modulus)); + break; + + case token_rsa_pss_sig_bct: + memcpy(data, &bct_ptr->signature.rsa_pss_sig, + sizeof(nvboot_rsa_pss_sig)); + break; + case token_reserved_offset: *((u_int32_t *)data) = (u_int8_t *)&(samplebct.reserved) - (u_int8_t *)&samplebct;
Add support to dump rsa pubkey, bct's rsa-pss signature and bootloader's rsa-pss signature. Signed-off-by: Jimmy Zhang <jimmzhang@nvidia.com> --- src/bct_dump.c | 38 ++++++++++++++++++++++++++++++++++++++ src/t210/nvbctlib_t210.c | 16 ++++++++++++++++ 2 files changed, 54 insertions(+)