Re: [PATCH tiU2025.01 2/2] binman: openssl: disable JTAG access by default

Mon, 02 Jun 2025 14:22:09 -0700 

On 6/2/25 12:28 PM, Andrew Davis wrote:

On 6/2/25 11:56 AM, Bryan Brattlof wrote:

Typically for boards operating in production environments will not be
monitored and so will not need JTAG access unlocked. Disable the debug
extension unless asked for in the binman configs.

Signed-off-by: Bryan Brattlof <b...@ti.com>
---
  tools/binman/btool/openssl.py       | 16 ++++++++++++----
  tools/binman/etype/ti_secure.py     |  1 +
  tools/binman/etype/ti_secure_rom.py |  1 +
  tools/binman/etype/x509_cert.py     |  7 +++++--
  4 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/tools/binman/btool/openssl.py b/tools/binman/btool/openssl.py
index 
2e128e477bce87568b6d9647bbf2666f9770d732..c91d8990a1dc9151bb8fc831c0f1bff2d91b014e
 100644
--- a/tools/binman/btool/openssl.py
+++ b/tools/binman/btool/openssl.py
@@ -153,7 +153,7 @@ numFirewallRegions = 
INTEGER:{firewall_cert_data['num_firewalls']}
      def x509_cert_rom(self, cert_fname, input_fname, key_fname, sw_rev,
                    config_fname, req_dist_name_dict, cert_type, bootcore,
-                  bootcore_opts, load_addr, sha):
+                  bootcore_opts, load_addr, sha, debug):
          """Create a certificate
          Args:
@@ -214,9 +214,13 @@ emailAddress           = 
{req_dist_name_dict['emailAddress']}
   [ swrv ]
   swrv = INTEGER:{sw_rev}
+ # When debugging low level boot firmware it can be useful to have ROM or TIFS
+ # unlock JTAG access to the misbehaving CPUs. However in a production setting
+ # this can lead to code modification after it's been authenticated by outside
+ # parties. To gain JTAG access add the 'debug' flag to the binman 
configuration


Stating that adding the debug flag gets you JTAG access seems a bit misleading.
Having the debugType is a necessary but not sufficient condition for JTAG 
unlock.



I have to walk this back a little, this might only be true for TIFS which 
processes
the debug certificates after it takes over the SMS from secure ROM. Secure ROM 
may
have a different set of rules. Since this patch is updating both ROM and TIFS
certificates boot images we should focus on the ROM side.


This only sets the upper-bound on what a later supplied JTAG unlock certificate
can do, unless coreDbg* is set this should not by itself open JTAG on HS-SE
devices. For HS-FS devices I'll have to double check and if it does we should
decide if we want this unlocked by default or not.



Seems HS-FS devices are default unlocked, and so I'm not sure why we set this to
unlock for the rest of the device types here in the first place. It only seems
to be a really big foot-gun for HS-SE users :/

Let's flip the default,

Acked-by: Andrew Davis <a...@ti.com>

Also could you send v2 of this as a stand-alone patch? This change should be
independent of the encryption extension in patch [1/2].

Andrew


Andrew


   [ debug ]
   debugUID = 
FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000
- debugType = INTEGER:4
+ debugType = INTEGER:{ "4" if debug else "0" }
   coreDbgEn = INTEGER:0
   coreDbgSecEn = INTEGER:0
  ''', file=outf)
@@ -231,7 +235,7 @@ emailAddress           = 
{req_dist_name_dict['emailAddress']}
                    imagesize_sbl, hashval_sbl, load_addr_sysfw, 
imagesize_sysfw,
                    hashval_sysfw, load_addr_sysfw_data, imagesize_sysfw_data,
                    hashval_sysfw_data, sysfw_inner_cert_ext_boot_block,
-                  dm_data_ext_boot_block, bootcore_opts):
+                  dm_data_ext_boot_block, bootcore_opts, debug):
          """Create a certificate
          Args:
@@ -317,9 +321,13 @@ compSize = INTEGER:{imagesize_sysfw_data}
  shaType  = OID:{sha_type}
  shaValue = FORMAT:HEX,OCT:{hashval_sysfw_data}
+# When debugging low level boot firmware it can be useful to have ROM or TIFS
+# unlock JTAG access to the misbehaving CPUs. However in a production setting
+# this can lead to code modification after it's been authenticated by outside
+# parties. To gain JTAG access add the 'debug' flag to the binman configuration
  [ debug ]
  debugUID = 
FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000
-debugType = INTEGER:4
+debugType = INTEGER:{ "4" if debug else "0" }
  coreDbgEn = INTEGER:0
  coreDbgSecEn = INTEGER:0
diff --git a/tools/binman/etype/ti_secure.py b/tools/binman/etype/ti_secure.py
index 
420ee263e4f92727657d949d45a63c99809ecafa..f6caa0286d97c774fa4f2931f82ee9a98677b8d4
 100644
--- a/tools/binman/etype/ti_secure.py
+++ b/tools/binman/etype/ti_secure.py
@@ -124,6 +124,7 @@ class Entry_ti_secure(Entry_x509_cert):
                  'OU': 'Processors',
                  'CN': 'TI Support',
                  'emailAddress': 'supp...@ti.com'}
+        self.debug = fdt_util.GetBool(self._node, 'debug', False)
      def ReadFirewallNode(self):
          self.firewall_cert_data['certificate'] = ""
diff --git a/tools/binman/etype/ti_secure_rom.py 
b/tools/binman/etype/ti_secure_rom.py
index 
f6fc3f90f84ab1b0a9c806a966d508abfd6f3eee..7e90c655940902b266507cf142680d984b8d22d4
 100644
--- a/tools/binman/etype/ti_secure_rom.py
+++ b/tools/binman/etype/ti_secure_rom.py
@@ -87,6 +87,7 @@ class Entry_ti_secure_rom(Entry_x509_cert):
                      'OU': 'Processors',
                      'CN': 'TI Support',
                      'emailAddress': 'supp...@ti.com'}
+        self.debug = fdt_util.GetBool(self._node, 'debug', False)
      def NonCombinedGetCertificate(self, required):
          """Generate certificate for legacy boot flow
diff --git a/tools/binman/etype/x509_cert.py b/tools/binman/etype/x509_cert.py
index 
25e6808b7f94cee76e18e2b5de22c09f91e3afd3..b6e8b0b4fb099871d8e7f731ee3e7c5d52e98b85
 100644
--- a/tools/binman/etype/x509_cert.py
+++ b/tools/binman/etype/x509_cert.py
@@ -52,6 +52,7 @@ class Entry_x509_cert(Entry_collection):
          self.sysfw_inner_cert_ext_boot_block = None
          self.dm_data_ext_boot_block = None
          self.firewall_cert_data = None
+        self.debug = False
      def ReadNode(self):
          super().ReadNode()
@@ -114,7 +115,8 @@ class Entry_x509_cert(Entry_collection):
                  bootcore=self.bootcore,
                  bootcore_opts=self.bootcore_opts,
                  load_addr=self.load_addr,
-                sha=self.sha
+                sha=self.sha,
+                debug=self.debug
              )
          elif type == 'rom-combined':
              stdout = self.openssl.x509_cert_rom_combined(
@@ -140,7 +142,8 @@ class Entry_x509_cert(Entry_collection):
                  hashval_sysfw_data=self.hashval_sysfw_data,
                  
sysfw_inner_cert_ext_boot_block=self.sysfw_inner_cert_ext_boot_block,
                  dm_data_ext_boot_block=self.dm_data_ext_boot_block,
-                bootcore_opts=self.bootcore_opts
+                bootcore_opts=self.bootcore_opts,
+                debug=self.debug
              )
          if stdout is not None:
              data = tools.read_file(output_fname)

Reply via email to