[FAQ] How to sign u-boot binary on an external secure key server

Part Number: AM625


The BINMAN tool is currently used to sign the u-boot binary in the Linux SDK, where the signing key is located under the Linux SDK folder. When switching to the production key, the signing key stored on an external secure key server needs to be used instead. This FAQ discusses options for signing the u-boot binary on an external secure key server, using the AM62x Linux SDK as an example.

  • Summary on u-boot build and code sign with BINMAN tool
    - build u-boot binary/artifacts
    - pack intermediate artifacts
    - sign binary artifacts (x.509 certificate)
    - re-pack x.509 certificate & binary/artifacts

  • Options for code signing on an external secure key server (i.e. HSM based)
    Option A - one shot for u-boot build and code sign
    The entire u-boot build and signing run in one shot, where the BINMAN "openssl.py" tool needs to be ported to call the PKCS#11 engine or the library/plugin provided by the HSM vendor.
    - configure openssl to load the engine in the openssl.cnf file
    - call openssl (i.e. BINMAN openssl.py) to interface with the HSM via the PKCS#11 engine plugin

    Option B - decompose into steps, like u-boot build, code sign, repack...
    - <binman_hsm_sign.sh>: the shell script to generate the new x.509 certificate, taking the BINMAN pre-generated artifacts as input.

    - tiboot3.bin.sign.log: the log from re-signing tiboot3.bin with the cmd as listed below, where the offset (0x0) is from "tiboot3-am62x-hs-evm.bin.map" under R5 u-boot build folder

    ./binman_hsm_sign.sh tiboot3-am62x-hs-evm.bin custMpk.pem 1 \
    config.tiboot3-am62x-hs-evm.bin.ti-secure-rom 0 > tiboot3.bin.sign.log

    - "tispl.bin.sign.log": the log from re-signing tispl.img with the cmd as listed below, where the offsets are from the attached "ti-spl.map" [1]

    ./binman_hsm_sign.sh tispl.bin custMpk.pem 5 \
    config.ti-spl.fit.images.atf.ti-secure 0x158 \
    config.ti-spl.fit.images.tee.ti-secure 0xd670 \
    config.ti-spl.fit.images.dm.ti-secure 0x84b14 \
    config.ti-spl.fit.images.spl.ti-secure 0xb4a14 \
    config.ti-spl.fit.images.fdt-0.ti-secure 0x10b584 > tispl.bin.sign.log

    - u-boot.img.sign.log: the log from re-signing u-boot.img with the cmd as listed below, where all offsets are from the attached "u-boot.map" [1]

    ./binman_hsm_sign.sh u-boot.img custMpk.pem 2 \
    config.u-boot.fit.images.uboot.ti-secure 0x12c \
    config.u-boot.fit.images.fdt-0.ti-secure 0x1404f0 > u-boot.img.sign.

    The new x.509 certificate may be generated on an external secure key server, where the openssl cmd in the attached script needs to be ported to run via the PKCS#11 engine supported by the external secure key server (i.e. HSM based), as for Option A.

    [1] I'm attaching two example *.map files (ti-spl.map & u-boot.map) from A53 u-boot build for reference. The offsets from the two map files are used when calling <binman_hsm_sign.sh> to re-sign/re-pack tispl.bin & u-boot.img

    https://e2e.ti.com/cfs-file/__key/communityserver-discussions-components-files/791/2211.binman_5F00_hsm_5F00_sign.sh

    ============================================================================
    Re-generate/re-sign the pre-generated artifacts from BINMAN with the new key
    ============================================================================
    Total argument number: 5
    All arguments: tiboot3-am62x-hs-evm.bin custMpk.pem 1 config.tiboot3-am62x-hs-evm.bin.ti-secure-rom 0
    - INPUT:  the pre-signed BIN w/ dummy/test key :== tiboot3-am62x-hs-evm.bin
    - INPUT:  the new signing key :== custMpk.pem
    - INPUT:  the x.509 cert number in the pre-signed BIN :== 1
    - OUTPUT: the new signed BIN :== tiboot3-am62x-hs-evm.bin.sign
    cert_num:= 1
    - INPUT:  the x.509 config :== config.tiboot3-am62x-hs-evm.bin.ti-secure-rom
    - INPUT:  the x.509 config offset :== 0
    - OUTPUT: the new x.509 certificate := config.tiboot3-am62x-hs-evm.bin.ti-secure-rom.cert
    Re-geneate/re-pack the signed binary (tiboot3-am62x-hs-evm.bin.sign) with the new x.509 certificate (config.tiboot3-am62x-hs-evm.bin.ti-secure-rom.cert)
    

    ============================================================================
    Re-generate/re-sign the pre-generated artifacts from BINMAN with the new key
    ============================================================================
    Total argument number: 13
    All arguments: tispl.bin custMpk.pem 5 config.ti-spl.fit.images.atf.ti-secure 0x158 config.ti-spl.fit.images.tee.ti-secure 0xd670 config.ti-spl.fit.images.dm.ti-secure 0x84b14 config.ti-spl.fit.images.spl.ti-secure 0xb4a14 config.ti-spl.fit.images.fdt-0.ti-secure 0x10b584
    - INPUT:  the pre-signed BIN w/ dummy/test key :== tispl.bin
    - INPUT:  the new signing key :== custMpk.pem
    - INPUT:  the x.509 cert number in the pre-signed BIN :== 5
    - OUTPUT: the new signed BIN :== tispl.bin.sign
    cert_num:= 1
    - INPUT:  the x.509 config :== config.ti-spl.fit.images.atf.ti-secure
    - INPUT:  the x.509 config offset :== 0x158
    - OUTPUT: the new x.509 certificate := config.ti-spl.fit.images.atf.ti-secure.cert
    Re-geneate/re-pack the signed binary (tispl.bin.sign) with the new x.509 certificate (config.ti-spl.fit.images.atf.ti-secure.cert)
    cert_num:= 2
    - INPUT:  the x.509 config :== config.ti-spl.fit.images.tee.ti-secure
    - INPUT:  the x.509 config offset :== 0xd670
    - OUTPUT: the new x.509 certificate := config.ti-spl.fit.images.tee.ti-secure.cert
    Re-geneate/re-pack the signed binary (tispl.bin.sign) with the new x.509 certificate (config.ti-spl.fit.images.tee.ti-secure.cert)
    cert_num:= 3
    - INPUT:  the x.509 config :== config.ti-spl.fit.images.dm.ti-secure
    - INPUT:  the x.509 config offset :== 0x84b14
    - OUTPUT: the new x.509 certificate := config.ti-spl.fit.images.dm.ti-secure.cert
    Re-geneate/re-pack the signed binary (tispl.bin.sign) with the new x.509 certificate (config.ti-spl.fit.images.dm.ti-secure.cert)
    cert_num:= 4
    - INPUT:  the x.509 config :== config.ti-spl.fit.images.spl.ti-secure
    - INPUT:  the x.509 config offset :== 0xb4a14
    - OUTPUT: the new x.509 certificate := config.ti-spl.fit.images.spl.ti-secure.cert
    Re-geneate/re-pack the signed binary (tispl.bin.sign) with the new x.509 certificate (config.ti-spl.fit.images.spl.ti-secure.cert)
    cert_num:= 5
    - INPUT:  the x.509 config :== config.ti-spl.fit.images.fdt-0.ti-secure
    - INPUT:  the x.509 config offset :== 0x10b584
    - OUTPUT: the new x.509 certificate := config.ti-spl.fit.images.fdt-0.ti-secure.cert
    Re-geneate/re-pack the signed binary (tispl.bin.sign) with the new x.509 certificate (config.ti-spl.fit.images.fdt-0.ti-secure.cert)
    

    ============================================================================
    Re-generate/re-sign the pre-generated artifacts from BINMAN with the new key
    ============================================================================
    Total argument number: 7
    All arguments: u-boot.img custMpk.pem 2 config.u-boot.fit.images.uboot.ti-secure 0x12c config.u-boot.fit.images.fdt-0.ti-secure 0x1404f0
    - INPUT:  the pre-signed BIN w/ dummy/test key :== u-boot.img
    - INPUT:  the new signing key :== custMpk.pem
    - INPUT:  the x.509 cert number in the pre-signed BIN :== 2
    - OUTPUT: the new signed BIN :== u-boot.img.sign
    cert_num:= 1
    - INPUT:  the x.509 config :== config.u-boot.fit.images.uboot.ti-secure
    - INPUT:  the x.509 config offset :== 0x12c
    - OUTPUT: the new x.509 certificate := config.u-boot.fit.images.uboot.ti-secure.cert
    Re-geneate/re-pack the signed binary (u-boot.img.sign) with the new x.509 certificate (config.u-boot.fit.images.uboot.ti-secure.cert)
    cert_num:= 2
    - INPUT:  the x.509 config :== config.u-boot.fit.images.fdt-0.ti-secure
    - INPUT:  the x.509 config offset :== 0x1404f0
    - OUTPUT: the new x.509 certificate := config.u-boot.fit.images.fdt-0.ti-secure.cert
    Re-geneate/re-pack the signed binary (u-boot.img.sign) with the new x.509 certificate (config.u-boot.fit.images.fdt-0.ti-secure.cert)
    

    https://e2e.ti.com/cfs-file/__key/communityserver-discussions-components-files/791/ti_2D00_spl.map

    https://e2e.ti.com/cfs-file/__key/communityserver-discussions-components-files/791/u_2D00_boot.map
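
A check to run on the re-signed images, added here as an example (it is not TI's binman_hsm_sign.sh and not part of the original post): it extracts the certificate found at each *.map offset so its public key can be compared with the production key. It assumes each offset is the first byte of a DER-encoded X.509 certificate and that the certificate carries the signing key's public key, as a self-signed certificate does; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not TI's script): pull out the DER certificate that starts at
# a *.map offset of a re-signed image so its public key can be checked.
# Assumption: each offset is the first byte of a DER-encoded X.509 certificate.

# der_total_len FILE OFFSET -> prints header + body length of the SEQUENCE
der_total_len() {
    off=$(( $2 ))                                  # accepts 0x... or decimal
    set -- $(od -An -v -tu1 -j "$off" -N 6 "$1")   # tag + length octets
    [ $# -ge 2 ] || { echo "short read at offset $off" >&2; return 1; }
    [ "$1" -eq 48 ] || { echo "no SEQUENCE tag (0x30) at $off" >&2; return 1; }
    if [ "$2" -lt 128 ]; then                      # short-form length
        echo $(( 2 + $2 )); return 0
    fi
    n=$(( $2 - 128 )); shift 2                     # long form: n length octets
    { [ "$n" -ge 1 ] && [ "$n" -le 4 ] && [ $# -ge "$n" ]; } ||
        { echo "unsupported DER length at $off" >&2; return 1; }
    len=0; i=0
    while [ "$i" -lt "$n" ]; do
        len=$(( len * 256 + $1 )); shift; i=$(( i + 1 ))
    done
    echo $(( 2 + n + len ))
}

# extract_cert FILE OFFSET OUT -> writes exactly the certificate bytes to OUT
extract_cert() {
    cert_len=$(der_total_len "$1" "$2") || return 1
    tail -c +$(( $2 + 1 )) "$1" | head -c "$cert_len" > "$3"
    [ $(( $(wc -c < "$3") )) -eq "$cert_len" ]     # fail on a truncated image
}

# cert_key_sha256 CERT.der -> SHA-256 of the certificate's public key (DER)
cert_key_sha256() {
    openssl x509 -inform DER -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Usage: extract_cert tispl.bin.sign 0x158 atf.cert.der
#        cert_key_sha256 atf.cert.der   # compare with the production key's hash
```

Running this for every offset passed to the re-sign step shows whether any certificate in the image still carries the dummy/test key.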