On June 2, 2025 thus sayeth Andrew Davis:
> On 6/2/25 12:28 PM, Andrew Davis wrote:
> > On 6/2/25 11:56 AM, Bryan Brattlof wrote:
> > > Typically for boards operating in production environments will not be
> > > monitored and so will not need JTAG access unlocked. Disable the debug
> > > extension unless asked for in the binman configs.
> > >
> > > Signed-off-by: Bryan Brattlof <b...@ti.com>
> > > ---
> > > tools/binman/btool/openssl.py | 16 ++++++++++++----
> > > tools/binman/etype/ti_secure.py | 1 +
> > > tools/binman/etype/ti_secure_rom.py | 1 +
> > > tools/binman/etype/x509_cert.py | 7 +++++--
> > > 4 files changed, 19 insertions(+), 6 deletions(-)
> > >
> > > diff --git a/tools/binman/btool/openssl.py b/tools/binman/btool/openssl.py
> > > index
> > > 2e128e477bce87568b6d9647bbf2666f9770d732..c91d8990a1dc9151bb8fc831c0f1bff2d91b014e
> > > 100644
> > > --- a/tools/binman/btool/openssl.py
> > > +++ b/tools/binman/btool/openssl.py
> > > @@ -153,7 +153,7 @@ numFirewallRegions =
> > > INTEGER:{firewall_cert_data['num_firewalls']}
> > > def x509_cert_rom(self, cert_fname, input_fname, key_fname, sw_rev,
> > > config_fname, req_dist_name_dict, cert_type, bootcore,
> > > - bootcore_opts, load_addr, sha):
> > > + bootcore_opts, load_addr, sha, debug):
> > > """Create a certificate
> > > Args:
> > > @@ -214,9 +214,13 @@ emailAddress =
> > > {req_dist_name_dict['emailAddress']}
> > > [ swrv ]
> > > swrv = INTEGER:{sw_rev}
> > > + # When debugging low level boot firmware it can be useful to have ROM
> > > or TIFS
> > > + # unlock JTAG access to the misbehaving CPUs. However in a production
> > > setting
> > > + # this can lead to code modification after it's been authenticated by
> > > outside
> > > + # parties. To gain JTAG access add the 'debug' flag to the binman
> > > configuration
> >
> > Stating that adding the debug flag gets you JTAG access seems a bit
> > misleading.
> > Having the debugType is a necessary but not sufficient condition for JTAG
> > unlock.
> >
>
> I have to walk this back a little, this might only be true for TIFS which
> processes
> the debug certificates after it takes over the SMS from secure ROM. Secure
> ROM may
> have a different set of rules. Since this patch is updating both ROM and TIFS
> certificates boot images we should focus on the ROM side.
>
> > This only sets the upper-bound on what a later supplied JTAG unlock
> > certificate
> > can do, unless coreDbg* is set this should not by itself open JTAG on HS-SE
> > devices. For HS-FS devices I'll have to double check and if it does we
> > should
> > decide if we want this unlocked by default or not.
> >
>
> Seems HS-FS devices are default unlocked, and so I'm not sure why we set this
> to
> unlock for the rest of the device types here in the first place. It only seems
> to be a really big foot-gun for HS-SE users :/
>
> Let's flip the default,
>
> Acked-by: Andrew Davis <a...@ti.com>
>
> Also could you send v2 of this as a stand-alone patch? This change should be
> independent of the encryption extension in patch [1/2].
Yep I'll drop the encryption extension patch until I can poke around
binman a little more.
Thanks for double checking all this Andrew
~Bryan
