On 6/2/25 11:56 AM, Bryan Brattlof wrote:
Typically for boards operating in production environments will not be
monitored and so will not need JTAG access unlocked. Disable the debug
extension unless asked for in the binman configs.
Signed-off-by: Bryan Brattlof <b...@ti.com>
---
tools/binman/btool/openssl.py | 16 ++++++++++++----
tools/binman/etype/ti_secure.py | 1 +
tools/binman/etype/ti_secure_rom.py | 1 +
tools/binman/etype/x509_cert.py | 7 +++++--
4 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/tools/binman/btool/openssl.py b/tools/binman/btool/openssl.py
index
2e128e477bce87568b6d9647bbf2666f9770d732..c91d8990a1dc9151bb8fc831c0f1bff2d91b014e
100644
--- a/tools/binman/btool/openssl.py
+++ b/tools/binman/btool/openssl.py
@@ -153,7 +153,7 @@ numFirewallRegions =
INTEGER:{firewall_cert_data['num_firewalls']}
def x509_cert_rom(self, cert_fname, input_fname, key_fname, sw_rev,
config_fname, req_dist_name_dict, cert_type, bootcore,
- bootcore_opts, load_addr, sha):
+ bootcore_opts, load_addr, sha, debug):
"""Create a certificate
Args:
@@ -214,9 +214,13 @@ emailAddress =
{req_dist_name_dict['emailAddress']}
[ swrv ]
swrv = INTEGER:{sw_rev}
+ # When debugging low level boot firmware it can be useful to have ROM or TIFS
+ # unlock JTAG access to the misbehaving CPUs. However in a production setting
+ # this can lead to code modification after it's been authenticated by outside
+ # parties. To gain JTAG access add the 'debug' flag to the binman
configuration
Stating that adding the debug flag gets you JTAG access seems a bit misleading.
Having the debugType is a necessary but not sufficient condition for JTAG
unlock.
This only sets the upper-bound on what a later supplied JTAG unlock certificate
can do, unless coreDbg* is set this should not by itself open JTAG on HS-SE
devices. For HS-FS devices I'll have to double check and if it does we should
decide if we want this unlocked by default or not.
Andrew
[ debug ]
debugUID =
FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000
- debugType = INTEGER:4
+ debugType = INTEGER:{ "4" if debug else "0" }
coreDbgEn = INTEGER:0
coreDbgSecEn = INTEGER:0
''', file=outf)
@@ -231,7 +235,7 @@ emailAddress =
{req_dist_name_dict['emailAddress']}
imagesize_sbl, hashval_sbl, load_addr_sysfw,
imagesize_sysfw,
hashval_sysfw, load_addr_sysfw_data, imagesize_sysfw_data,
hashval_sysfw_data, sysfw_inner_cert_ext_boot_block,
- dm_data_ext_boot_block, bootcore_opts):
+ dm_data_ext_boot_block, bootcore_opts, debug):
"""Create a certificate
Args:
@@ -317,9 +321,13 @@ compSize = INTEGER:{imagesize_sysfw_data}
shaType = OID:{sha_type}
shaValue = FORMAT:HEX,OCT:{hashval_sysfw_data}
+# When debugging low level boot firmware it can be useful to have ROM or TIFS
+# unlock JTAG access to the misbehaving CPUs. However in a production setting
+# this can lead to code modification after it's been authenticated by outside
+# parties. To gain JTAG access add the 'debug' flag to the binman configuration
[ debug ]
debugUID =
FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000
-debugType = INTEGER:4
+debugType = INTEGER:{ "4" if debug else "0" }
coreDbgEn = INTEGER:0
coreDbgSecEn = INTEGER:0
diff --git a/tools/binman/etype/ti_secure.py b/tools/binman/etype/ti_secure.py
index
420ee263e4f92727657d949d45a63c99809ecafa..f6caa0286d97c774fa4f2931f82ee9a98677b8d4
100644
--- a/tools/binman/etype/ti_secure.py
+++ b/tools/binman/etype/ti_secure.py
@@ -124,6 +124,7 @@ class Entry_ti_secure(Entry_x509_cert):
'OU': 'Processors',
'CN': 'TI Support',
'emailAddress': 'supp...@ti.com'}
+ self.debug = fdt_util.GetBool(self._node, 'debug', False)
def ReadFirewallNode(self):
self.firewall_cert_data['certificate'] = ""
diff --git a/tools/binman/etype/ti_secure_rom.py
b/tools/binman/etype/ti_secure_rom.py
index
f6fc3f90f84ab1b0a9c806a966d508abfd6f3eee..7e90c655940902b266507cf142680d984b8d22d4
100644
--- a/tools/binman/etype/ti_secure_rom.py
+++ b/tools/binman/etype/ti_secure_rom.py
@@ -87,6 +87,7 @@ class Entry_ti_secure_rom(Entry_x509_cert):
'OU': 'Processors',
'CN': 'TI Support',
'emailAddress': 'supp...@ti.com'}
+ self.debug = fdt_util.GetBool(self._node, 'debug', False)
def NonCombinedGetCertificate(self, required):
"""Generate certificate for legacy boot flow
diff --git a/tools/binman/etype/x509_cert.py b/tools/binman/etype/x509_cert.py
index
25e6808b7f94cee76e18e2b5de22c09f91e3afd3..b6e8b0b4fb099871d8e7f731ee3e7c5d52e98b85
100644
--- a/tools/binman/etype/x509_cert.py
+++ b/tools/binman/etype/x509_cert.py
@@ -52,6 +52,7 @@ class Entry_x509_cert(Entry_collection):
self.sysfw_inner_cert_ext_boot_block = None
self.dm_data_ext_boot_block = None
self.firewall_cert_data = None
+ self.debug = False
def ReadNode(self):
super().ReadNode()
@@ -114,7 +115,8 @@ class Entry_x509_cert(Entry_collection):
bootcore=self.bootcore,
bootcore_opts=self.bootcore_opts,
load_addr=self.load_addr,
- sha=self.sha
+ sha=self.sha,
+ debug=self.debug
)
elif type == 'rom-combined':
stdout = self.openssl.x509_cert_rom_combined(
@@ -140,7 +142,8 @@ class Entry_x509_cert(Entry_collection):
hashval_sysfw_data=self.hashval_sysfw_data,
sysfw_inner_cert_ext_boot_block=self.sysfw_inner_cert_ext_boot_block,
dm_data_ext_boot_block=self.dm_data_ext_boot_block,
- bootcore_opts=self.bootcore_opts
+ bootcore_opts=self.bootcore_opts,
+ debug=self.debug
)
if stdout is not None:
data = tools.read_file(output_fname)
