Typically boards operating in production environments will not be monitored and so will not need JTAG access unlocked. Disable the debug extension by default (set debugType = 0) unless we add the 'debug' property in the binman configs.
Acked-by: Andrew Davis <a...@ti.com> Signed-off-by: Bryan Brattlof <b...@ti.com> --- Hello everyone, While digging through binman a little I noticed a few x509 extensions that should probably need a little adjusting before the release. Happy Hacking ~Bryan --- Changes in v2: - removed subject prefix for SDK backporting - reworded note about the debug extension for the x509 certificate - dropped encryption extension patch as it's completely independent - Link to v1: https://lore.kernel.org/r/20250602-am62xsip-v1-0-ae8aa62b4...@ti.com --- tools/binman/btool/openssl.py | 16 ++++++++++++---- tools/binman/etype/ti_secure.py | 1 + tools/binman/etype/ti_secure_rom.py | 1 + tools/binman/etype/x509_cert.py | 7 +++++-- 4 files changed, 19 insertions(+), 6 deletions(-) diff --git a/tools/binman/btool/openssl.py b/tools/binman/btool/openssl.py index c6df64c5316d53735fb147858b24185096254ec2..b26f087c44706f7b321347cb5014b8193b011935 100644 --- a/tools/binman/btool/openssl.py +++ b/tools/binman/btool/openssl.py @@ -153,7 +153,7 @@ numFirewallRegions = INTEGER:{firewall_cert_data['num_firewalls']} def x509_cert_rom(self, cert_fname, input_fname, key_fname, sw_rev, config_fname, req_dist_name_dict, cert_type, bootcore, - bootcore_opts, load_addr, sha): + bootcore_opts, load_addr, sha, debug): """Create a certificate Args: @@ -221,9 +221,13 @@ emailAddress = {req_dist_name_dict['emailAddress']} # iterationCnt = INTEGER:TEST_IMAGE_KEY_DERIVE_INDEX # salt = FORMAT:HEX,OCT:TEST_IMAGE_KEY_DERIVE_SALT + # When debugging low level boot firmware it can be useful to have ROM or TIFS + # unlock JTAG access to the misbehaving CPUs. However in a production setting + # this can lead to code modification by outside parties after it's been + # authenticated. To gain JTAG access add the 'debug' flag to the binman config [ debug ] debugUID = FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000 - debugType = INTEGER:4 + debugType = INTEGER:{ "4" if debug else "0" } coreDbgEn = INTEGER:0 coreDbgSecEn = INTEGER:0 ''', file=outf) @@ -238,7 +242,7 @@ emailAddress = {req_dist_name_dict['emailAddress']} imagesize_sbl, hashval_sbl, load_addr_sysfw, imagesize_sysfw, hashval_sysfw, load_addr_sysfw_data, imagesize_sysfw_data, hashval_sysfw_data, sysfw_inner_cert_ext_boot_block, - dm_data_ext_boot_block, bootcore_opts): + dm_data_ext_boot_block, bootcore_opts, debug): """Create a certificate Args: @@ -324,9 +328,13 @@ compSize = INTEGER:{imagesize_sysfw_data} shaType = OID:{sha_type} shaValue = FORMAT:HEX,OCT:{hashval_sysfw_data} +# When debugging low level boot firmware it can be useful to have ROM or TIFS +# unlock JTAG access to the misbehaving CPUs. However in a production setting +# this can lead to code modification by outside parties after it's been +# authenticated. To gain JTAG access add the 'debug' flag to the binman config [ debug ] debugUID = FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000 -debugType = INTEGER:4 +debugType = INTEGER:{ "4" if debug else "0" } coreDbgEn = INTEGER:0 coreDbgSecEn = INTEGER:0 diff --git a/tools/binman/etype/ti_secure.py b/tools/binman/etype/ti_secure.py index 420ee263e4f92727657d949d45a63c99809ecafa..f6caa0286d97c774fa4f2931f82ee9a98677b8d4 100644 --- a/tools/binman/etype/ti_secure.py +++ b/tools/binman/etype/ti_secure.py @@ -124,6 +124,7 @@ class Entry_ti_secure(Entry_x509_cert): 'OU': 'Processors', 'CN': 'TI Support', 'emailAddress': 'supp...@ti.com'} + self.debug = fdt_util.GetBool(self._node, 'debug', False) def ReadFirewallNode(self): self.firewall_cert_data['certificate'] = "" diff --git a/tools/binman/etype/ti_secure_rom.py b/tools/binman/etype/ti_secure_rom.py index f6fc3f90f84ab1b0a9c806a966d508abfd6f3eee..7e90c655940902b266507cf142680d984b8d22d4 100644 --- a/tools/binman/etype/ti_secure_rom.py +++ b/tools/binman/etype/ti_secure_rom.py @@ -87,6 +87,7 @@ class Entry_ti_secure_rom(Entry_x509_cert): 'OU': 'Processors', 'CN': 'TI Support', 'emailAddress': 'supp...@ti.com'} + self.debug = fdt_util.GetBool(self._node, 'debug', False) def NonCombinedGetCertificate(self, required): """Generate certificate for legacy boot flow diff --git a/tools/binman/etype/x509_cert.py b/tools/binman/etype/x509_cert.py index 25e6808b7f94cee76e18e2b5de22c09f91e3afd3..b6e8b0b4fb099871d8e7f731ee3e7c5d52e98b85 100644 --- a/tools/binman/etype/x509_cert.py +++ b/tools/binman/etype/x509_cert.py @@ -52,6 +52,7 @@ class Entry_x509_cert(Entry_collection): self.sysfw_inner_cert_ext_boot_block = None self.dm_data_ext_boot_block = None self.firewall_cert_data = None + self.debug = False def ReadNode(self): super().ReadNode() @@ -114,7 +115,8 @@ class Entry_x509_cert(Entry_collection): bootcore=self.bootcore, bootcore_opts=self.bootcore_opts, load_addr=self.load_addr, - sha=self.sha + sha=self.sha, + debug=self.debug ) elif type == 'rom-combined': stdout = self.openssl.x509_cert_rom_combined( @@ -140,7 +142,8 @@ class Entry_x509_cert(Entry_collection): hashval_sysfw_data=self.hashval_sysfw_data, sysfw_inner_cert_ext_boot_block=self.sysfw_inner_cert_ext_boot_block, dm_data_ext_boot_block=self.dm_data_ext_boot_block, - bootcore_opts=self.bootcore_opts + bootcore_opts=self.bootcore_opts, + debug=self.debug ) if stdout is not None: data = tools.read_file(output_fname) --- base-commit: b22a276f039f818d5564bec6637071cfc8a7e432 change-id: 20250128-am62xsip-2ce59e0621bf Best regards, -- Bryan Brattlof <b...@ti.com>
