diff --git a/board/ti/keys/custMpk.pem b/board/ti/keys/custMpk.pem new file mode 100644 index 000000000000..adba378c8008 --- /dev/null +++ b/board/ti/keys/custMpk.pem @@ -0,0 +1,51 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIJKQIBAAKCAgEAvxSuSdh/ctNrI83rSA5l3CJN8g5PgvbttfLd23yR+m5Z/9X3 +tt4EHYrM0pXZ0eDEwfhQv/9IDJEiUJpMe4vzlgooJrOk2eCpVUEa+z5bJ2y/ysBx +ry9yIu5GASVirT7HBPaxGLYswBJuD+KbPuWmoKgGRQNBF04WH6l01oRO1nmnELgR +qQ6SHyXdf7Hy0bnyaNgzWUuCfXfM0Zz6I7T7WIjyzerVFvIsdS36YsPBCW7gBnDg +tQcJmWLZ1uTnbG3IggdQk/fi2O3RX+PQns+TVNlf3V3ON2DxqxSKBHtlp7p/30VF +fEuhW65OxpQ9jE6H0pQ8pPOf2vzyNnznDa1aQjfxKoHQbqGnZwMeh+0Au3NKaCgx +ooKaowTB6If/RX6qwZ/UOwXHg/0hcf69fzjJFhlSDuYDM40dHsk2HM1OnYIpiM2b +Kr5sX3uysjp5AGp99a0anR7NWCrPXvROgKs7T9341N40osQg2VkZLYUCXh9osUyN +uREG6S12tViMUKg3bmZ4b4MwRk00n7QYSrm7+nvFrtYyEISEbD+agDM1/E281W5g +VFDPfm2AlwT6jwsg/b2YK6E3vVn9SuxFoQmLF8lyFDO3BV4SXeJaHc4hVPbh6tVV +qifrTQnfGUCCLmaJF2XZbrPWOE6NYRbWdNTeFl9RGdVCuIPSyN5LqWmXto0CAwEA +AQKCAgAzkAwcJ0z1GnId/lJQZno8NhGckRoJuEKbR8dwlCP8VUz6Ca5H7Y9kvXDa +Hs/hn+rYgP6hYOz7XyrIX2rmJ/T6dxEwqGeC1+o59FConcIRWHpE5zuGT6JYJL5F +TuZa48bm4v8VMQvQZOjIZpkIFwao8c6HTwKAnHTB5IN/48I2hCt+Cn3RhfoOZ7Rm +4gkpaSkt+7GXlhXHb82YfujNO+hbktEamhUYlQ9EK70Wa8aqmf3gHxO0JgsEFjW8 +lJaSnultlTW8SDcx3LMUUjCYumECk4oX/VlJfmKYjPlVjkr3QQ+Cm3nNucb4K4hc +c+JL+2ERhSj8RjXL7VgbNgdPnIjvQDJuTNqecTU8xWPYrkOLQpNibbLjnutLkhJz +fMyRtmDtrsey8WiCDuCHkPJ8/f8RjL2zWI9fzTDDIzdlEKouUFGOovaHVnbua6pn +hymcu9d9FV3p2rcbj0ivCs7e8j+vhSxFJEJoAbcQdXCTi/n2uR7pLtoMNiUzsejy +d46Uz+KEU920NTwE2z6JJq8I2vegnxjc7PDDrV3/5rK04B93aXiqvwWseCpxelrI +xaMkRHbXrIXRO6MXQ3N+zNq8Dg3hjGTTvaBKuwgvqLwlXY8+Aa3ooFzEOInIOSsI +XcWqXxt/tgZgsj9RwpC42t8kbA+BkbNk9EIUa+P5kEr2P/fO7QKCAQEA4EtArnOX +D6tQF8uTw8USOZC2P9s/ez1z4jRq3oKP0Kv4tJiuIObJ/dUvGVD7aM5v2xaCfhm8 +xpk09VPUgghfG5jR5qVvQr75kCNToJQudWi4ngk1HwKJzzTO11giFEdybvTUA+Pj +fmxCM0dYYqRWZoj0hLqXlUCwxE74BFIhJVjeYbf+nTQrqpllTLoW7MTZHzGx5SXx +4dNzyVAUH49Yt2D8mgXXCkf5sGLh762wj34b/rR10Kr4O5utGMZrfTRIbuQ1pNjU +m66baPzq+mC0BzqZEW70TgEb7lOr8rcVXLOi3r36omfd9/MHx7iZD6o3K1axSO15 +grD4ZrN7Ac3QJwKCAQEA2heCoBdpvy6YUk8AO2k8qDygTdmPQRuwjjT+Z2fMslBt +D7DkpKwZ6Bl9OclcpiiLHmH+hv65KqYg+tR0RRb7PcogB9El9x7yKkGTPZEYWGky +n8P84rJpKwjnwWQvPQktI1cs3YGvZA9DQTFBavRrwuzgd1oSJq5aPQ2tme0kMvWp +l1/B/cPK+PKCi/Wfisaze1TjijP9qIeUwkdNN6WLrLU3QgsGppcg2I7RQtAIikT6 +GkuiOQAvWMsrJVV6PNrVKz4fJDJ59Rz6jbDHZNi1MEYNxQoB/Pl7QIakbfjWpHLv +8Ey7cB2JKxjQy8tmyl8WNQVbXbE6daPXcMTUmaRAKwKCAQBv1lYMJmq+T2eCVen6 +BbvOpE+bi5EdvEiaFBTtmiBnpjg+pJq+oRU60h/H+c9CNR0lGxY6Fk9An4f+g6xE +ojP6KLsQzJCrsVny+wpp2TlJJcxYULMCIVvhy60PR0zG29E9biqBPhJjKUvhEcQK +e3LxcXyq6fdHXphFajLUxLbuTl+kTgBRFoBnclFGbsubh5PTsA3J+p+fQLZNPPar +veg4l82cZykQYU8pGkUaI3sUMYd3+zd7sqRP5JHs9pMGPRmY4YW2CsAIWIn5UZNB +ARMDP76vKKn8cyUgMuxb+9pU/OVLN2NPs4bEaZQJjAwV+YPEwldny7F47xEM9JVz +EtKlAoIBAQDUt62u3GdGE/p5/ZgqWoDRTyDEDfmN9aYFbmbdEP80xQE7FrxMaZhz +K7laja6SWmUm40nQ/c45bQQp4uLtKHcxU15egX7YRBTLZl5o5IasZR79ebnEm2O8 +l9kEZeU1USf3mmWmP4GExOZCRfqaiYA6BbUCdJXTqKdXeWnkAssV8UrS3JFoJHpq +yo7OWGqefyQ8nRW6jO9SW7uaqtUD+7H6aF5XSk3YWvusfdBZrHNH+fM/hpnZovaL +Us7ogTDS/laA8PyK37jYfMVdQhmZoU1Iomt3zkUWK3gt/aWPpfAlQf4Jka4YspZB +tNiijefaZ1hPqsPs5Joyd/YAhdsfaHc1AoIBAQCn/9j6RRjRaw0ip756oad4AXHz +XBwVB2CrY96qT6Hj9Sq7tGgdskqGkOQkAivBLBizUdcWv0t1yenOsSgasQeMlvlh +B8md9cLvpKXPB3HM3rTDH/xNXe0TpVKLf7SXC8HfDyIweHwMW3QgO2DWrvI4BV/T +ckBatRNQ90HxkqGFhC/Mp529lQlyg3ifxPxJsvZOyPMUnrflAvsKQk5c2ZiQg3nZ +h7I2pjSYgCl+Ib52l8p9bf1kcrVGgPM+auzm496i0RPobFeDBoBvSoznJktHJ7+3 +NnZH+jLiZCODiQPGtQUi+T6eIZUIJF0YASpsCCtUzXCxwW3lYIDNy7UlMivF +-----END RSA PRIVATE KEY----- diff --git a/board/ti/keys/ti-degenerate-key.pem b/board/ti/keys/ti-degenerate-key.pem new file mode 100644 index 000000000000..bd7d3745ade2 --- /dev/null +++ b/board/ti/keys/ti-degenerate-key.pem @@ -0,0 +1,10 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIBWwIBAAKBgQDRfrnXQaP0k6vRK/gZ+bDflSU6y1JagGeQ/b+QYuiDz14japog +8fRSu5WBsAxaSaySAUwS3L9Ppw+hGMecmyIJ494aMfZTtk1g49gU58joduiRnu7e +QSZHMnehhuNlfD7A2tAAKnxIYuabs8zHYM/SS9Ne7t3kIQMbKfUSzNy6qQIBAQIB +AQJBAOelUA376o6w3HkShXfN+shaOZYqFuTJ9exLMwsLp7DZKXB5F9I4JJ+Vkvho +k6QWs7vkhleLSYUZknXHYm26ZE0CQQDnhTtd4PTBoZPjPXOeYMJFtEdMNy0XP6ey +bcce389ugoY7BEkvASrd8PHgJQHziepgWOG4DGp33c64Hfq4zI3NAgEBAgEBAkA0 +RbK4uqoLciQluesTPU6lBy7Se3Dw0F9xBqlF5SR4KI6q+zQrHpBKyFOofMHZgizR +iCrL55cxEM146zMw3AnF +-----END RSA PRIVATE KEY----- diff --git a/tools/binman/btool/openssl.py b/tools/binman/btool/openssl.py index 3a4dbdd6d734..06ce272df04e 100644 --- a/tools/binman/btool/openssl.py +++ b/tools/binman/btool/openssl.py @@ -74,6 +74,23 @@ def x509_cert(self, cert_fname, input_fname, key_fname, cn, revision, '-sha512'] return self.run_cmd(*args) + def x509_cert_custom(self, cert_fname, key_fname, config_fname, sha): + """Create a custom certificate + + Args: + cert_fname (str): Filename of certificate to create + key_fname (str): Filename of .pem file + config_fname (str): Filename to write fconfig into + sha (int): hash function to use + + Returns: + str: Tool output + """ + args = ['req', '-new', '-x509', '-key', key_fname, '-nodes', + '-outform', 'DER', '-out', cert_fname, '-config', config_fname, + f'-sha{sha}'] + return self.run_cmd(*args) + def fetch(self, method): """Fetch handler for openssl diff --git a/tools/binman/etype/ti_secure.py b/tools/binman/etype/ti_secure.py new file mode 100644 index 000000000000..7366d54bcdb6 --- /dev/null +++ b/tools/binman/etype/ti_secure.py @@ -0,0 +1,121 @@ +# SPDX-License-Identifier: GPL-2.0+ +# Copyright 20 +# Written by Neha Malcom Francis +# + +# Support for generating x509 certificate to binary for K3 devices + +from collections import OrderedDict +import os + +from binman.entry import EntryArg +from binman.etype.x509_cert import Entry_x509_cert + +import hashlib + +from dtoc import fdt_util +from u_boot_pylib import tools + +class Entry_ti_secure(Entry_x509_cert): + def __init__(self, section, etype, node): + super().__init__(section, etype, node) + self.openssl = None + + def ReadNode(self): + super().ReadNode() + self.key_fname = self.GetEntryArgsOrProps([ + EntryArg('keyfile', str)], required=True)[0] + self.sha = fdt_util.GetInt(self._node, 'sha', 512) + + def GetCertificate(self, required): + """Generate certificate for contents of this entry + + Args: + required: True if the data must be present, False if it is OK to + return None + + Returns: + bytes content of the entry, which is the certificate for the + provided data + """ + # Join up the data files to be signed + input_data = self.GetContents(required) + if input_data is None: + return None + + uniq = self.GetUniqueName() + output_fname = tools.get_output_filename('cert.%s' % uniq) + input_fname = tools.get_output_filename('input.%s' % uniq) + config_fname = tools.get_output_filename('config.%s' % uniq) + tools.write_file(input_fname, input_data) + + indata = tools.read_file(input_fname) + hashval = hashlib.sha512(indata).hexdigest() + imagesize = len(indata) + + swrev = 1 + + with open(config_fname, 'w', encoding='utf-8') as outf: + print(f''' +[ req ] +distinguished_name = req_distinguished_name +x509_extensions = v3_ca +prompt = no +dirstring_type = nobmp + +[ req_distinguished_name ] +C = US +ST = TX +L = Dallas +O = Texas Instruments Incorporated +OU = Processors +CN = TI Support +emailAddress = support@ti.com + +[ v3_ca ] +basicConstraints = CA:true +1.3.6.1.4.1.294.1.3 = ASN1:SEQUENCE:swrv +1.3.6.1.4.1.294.1.34 = ASN1:SEQUENCE:sysfw_image_integrity +1.3.6.1.4.1.294.1.35 = ASN1:SEQUENCE:sysfw_image_load + +[ swrv ] +swrv = INTEGER:{swrev} + +[ sysfw_image_integrity ] +shaType = OID:2.16.840.1.101.3.4.2.3 +shaValue = FORMAT:HEX,OCT:{hashval} +imageSize = INTEGER:{imagesize} + +[ sysfw_image_load ] +destAddr = FORMAT:HEX,OCT:00000000 +authInPlace = INTEGER:2 + +''', file=outf) + stdout = self.openssl.x509_cert_custom( + cert_fname=output_fname, + key_fname=self.key_fname, + config_fname=config_fname, + sha=self.sha) + if stdout is not None: + data = tools.read_file(output_fname) + else: + # Bintool is missing; just use 4KB of zero data + self.record_missing_bintool(self.openssl) + data = tools.get_bytes(0, 4096) + return data + + def ObtainContents(self): + data = self.GetCertificate(False) + if data is None: + return False + self.SetContents(data) + return True + + def ProcessContents(self): + # The blob may have changed due to WriteSymbols() + data = self.GetCertificate(True) + return self.ProcessContentsUpdate(data) + + def AddBintools(self, btools): + super().AddBintools(btools) + self.openssl = self.AddBintool(btools, 'openssl') diff --git a/tools/binman/etype/ti_secure_rom.py b/tools/binman/etype/ti_secure_rom.py new file mode 100644 index 000000000000..e0a29f500d61 --- /dev/null +++ b/tools/binman/etype/ti_secure_rom.py @@ -0,0 +1,353 @@ +# SPDX-License-Identifier: GPL-2.0+ +# Copyright 20 +# Written by Neha Malcom Francis +# + +# Support for generating x509 certificate to binary for K3 bootloaders + +from collections import OrderedDict +import os + +from binman.entry import EntryArg +from binman.etype.x509_cert import Entry_x509_cert + +import hashlib + +from dtoc import fdt_util +from u_boot_pylib import tools + +VALID_SHAS = [256, 384, 512, 224] +SHA_OIDS = {256:'2.16.840.1.101.3.4.2.1', + 384:'2.16.840.1.101.3.4.2.2', + 512:'2.16.840.1.101.3.4.2.3', + 224:'2.16.840.1.101.3.4.2.4'} + +class Entry_ti_secure_rom(Entry_x509_cert): + def __init__(self, section, etype, node): + super().__init__(section, etype, node) + self.openssl = None + + def ReadNode(self): + super().ReadNode() + self.combined = fdt_util.GetBool(self._node, 'combined', False) + self.countersign = fdt_util.GetBool(self._node, 'countersign', False) + self.load_addr = fdt_util.GetInt(self._node, 'load') + self.sw_rev = fdt_util.GetInt(self._node, 'sw-rev', 1) + self.sha = fdt_util.GetInt(self._node, 'sha', 512) + self.core = fdt_util.GetString(self._node, 'core') + self.key_fname = self.GetEntryArgsOrProps([ + EntryArg('keyfile', str)], required=True)[0] + if self.combined: + self.load_addr_sysfw = fdt_util.GetInt(self._node, 'load-sysfw') + self.load_addr_sysfw_data = fdt_util.GetInt(self._node, 'load-sysfw-data') + + def NonCombinedGetCertificate(self, required): + """Generate certificate for contents of this entry, format followed is for + devices that follow legacy boot flow + + Args: + required: True if the data must be present, False if it is OK to + return None + + Returns: + bytes content of the entry, which is the certificate for the + provided data + """ + if self.core == 'secure': + if self.countersign: + self.cert_type = 2 + else: + self.cert_type = 3 + self.bootcore = 0 + self.bootcore_opts = 32 + else: + self.cert_type = 1 + self.bootcore = 16 + if self.combined: + self.bootcore_opts = 32 + else: + self.bootcore_opts = 0 + + # Join up the data files to be signed + input_data = self.GetContents(required) + if input_data is None: + return None + + uniq = self.GetUniqueName() + output_fname = tools.get_output_filename('cert.%s' % uniq) + input_fname = tools.get_output_filename('input.%s' % uniq) + config_fname = tools.get_output_filename('config.%s' % uniq) + tools.write_file(input_fname, input_data) + + indata = tools.read_file(input_fname) + hashval = hashlib.sha512(indata).hexdigest() + imagesize = len(indata) + + with open(config_fname, 'w', encoding='utf-8') as outf: + print(f'''[ req ] + distinguished_name = req_distinguished_name + x509_extensions = v3_ca + prompt = no + dirstring_type = nobmp + + [ req_distinguished_name ] + C = US + ST = TX + L = Dallas + O = Texas Instruments Incorporated + OU = Processors + CN = TI Support + emailAddress = support@ti.com + + [ v3_ca ] + basicConstraints = CA:true + 1.3.6.1.4.1.294.1.1 = ASN1:SEQUENCE:boot_seq + 1.3.6.1.4.1.294.1.2 = ASN1:SEQUENCE:image_integrity + 1.3.6.1.4.1.294.1.3 = ASN1:SEQUENCE:swrv +# 1.3.6.1.4.1.294.1.4 = ASN1:SEQUENCE:encryption + 1.3.6.1.4.1.294.1.8 = ASN1:SEQUENCE:debug + + [ boot_seq ] + certType = INTEGER:{self.cert_type} + bootCore = INTEGER:{self.bootcore} + bootCoreOpts = INTEGER:{self.bootcore_opts} + destAddr = FORMAT:HEX,OCT:{self.load_addr:08x} + imageSize = INTEGER:{imagesize} + + [ image_integrity ] + shaType = OID:{SHA_OIDS[self.sha]} + shaValue = FORMAT:HEX,OCT:{hashval} + + [ swrv ] + swrv = INTEGER:{self.sw_rev} + +# [ encryption ] +# initalVector = FORMAT:HEX,OCT:TEST_IMAGE_ENC_IV +# randomString = FORMAT:HEX,OCT:TEST_IMAGE_ENC_RS +# iterationCnt = INTEGER:TEST_IMAGE_KEY_DERIVE_INDEX +# salt = FORMAT:HEX,OCT:TEST_IMAGE_KEY_DERIVE_SALT + + [ debug ] + debugUID = FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000 + debugType = INTEGER:4 + coreDbgEn = INTEGER:0 + coreDbgSecEn = INTEGER:0''', file=outf) + stdout = self.openssl.x509_cert_custom( + cert_fname=output_fname, + key_fname=self.key_fname, + config_fname=config_fname, + sha=self.sha) + if stdout is not None: + data = tools.read_file(output_fname) + else: + # Bintool is missing; just use 4KB of zero data + self.record_missing_bintool(self.openssl) + data = tools.get_bytes(0, 4096) + return data + + def CombinedGetCertificate(self, required): + """Generate certificate for contents of this entry, format followed is for + devices that follow combined boot flow + + Args: + required: True if the data must be present, False if it is OK to + return None + + Returns: + bytes content of the entry, which is the certificate for the + provided data + """ + self.sha_type = SHA_OIDS[self.sha] + uniq = self.GetUniqueName() + config_fname = tools.get_output_filename('config.%s' % uniq) + output_fname = tools.get_output_filename('cert.%s' % uniq) + + self.num_comps = 3 + + # SBL + self.content = fdt_util.GetPhandleList(self._node, 'content-sbl') + input_data_sbl = self.GetContents(required) + if input_data_sbl is None: + return None + + input_fname_sbl = tools.get_output_filename('input.%s' % uniq) + tools.write_file(input_fname_sbl, input_data_sbl) + + indata_sbl = tools.read_file(input_fname_sbl) + hashval_sbl = hashlib.sha512(indata_sbl).hexdigest() + imagesize_sbl = len(indata_sbl) + + # SYSFW + self.content = fdt_util.GetPhandleList(self._node, 'content-sysfw') + input_data_sysfw = self.GetContents(required) + if input_data_sysfw is None: + return None + + input_fname_sysfw = tools.get_output_filename('input.%s' % uniq) + tools.write_file(input_fname_sysfw, input_data_sysfw) + + indata_sysfw = tools.read_file(input_fname_sysfw) + hashval_sysfw = hashlib.sha512(indata_sysfw).hexdigest() + imagesize_sysfw = len(indata_sysfw) + + # SYSFW data + self.content = fdt_util.GetPhandleList(self._node, 'content-sysfw-data') + input_data_sysfw_data = self.GetContents(required) + if input_data_sysfw_data is None: + return None + + input_fname_sysfw_data = tools.get_output_filename('input.%s' % uniq) + tools.write_file(input_fname_sysfw_data, input_data_sysfw_data) + + indata_sysfw_data = tools.read_file(input_fname_sysfw_data) + hashval_sysfw_data = hashlib.sha512(indata_sysfw_data).hexdigest() + imagesize_sysfw_data = len(indata_sysfw_data) + + # SYSFW Inner Cert + if self.sysfw_inner_cert: + self.content = fdt_util.GetPhandleList(self._node, 'content-sysfw-inner-cert') + input_data_sysfw_inner_cert = self.GetContents(required) + if input_data_sysfw_inner_cert is None: + return None + + input_fname_sysfw_inner_cert = tools.get_output_filename('input.%s' % uniq) + tools.write_file(input_fname_sysfw_inner_cert, input_data_sysfw_inner_cert) + + indata_sysfw_inner_cert = tools.read_file(input_fname_sysfw_inner_cert) + hashval_sysfw_inner_cert = hashlib.sha512(indata_sysfw_inner_cert).hexdigest() + imagesize_sysfw_inner_cert = len(indata_sysfw_inner_cert) + self.num_comps += 1 + sysfw_inner_cert_ext_boot_sequence_string = "sysfw_inner_cert=SEQUENCE:sysfw_inner_cert" + sysfw_inner_cert_ext_boot_block = f"""[sysfw_inner_cert] +compType = INTEGER:3 +bootCore = INTEGER:0 +compOpts = INTEGER:0 +destAddr = FORMAT:HEX,OCT:00000000 +compSize = INTEGER:{imagesize_sysfw_inner_cert} +shaType = OID:{self.sha_type} +shaValue = FORMAT:HEX,OCT:{hashval_sysfw_inner_cert}""" + else: + sysfw_inner_cert_ext_boot_block = "" + imagesize_sysfw_inner_cert = 0 + + # DM data + if self.dm_data: + self.content = fdt_util.GetPhandleList(self._node, 'content-dm-data') + input_data_dm_data = self.GetContents(required) + if input_data_dm_data is None: + return None + + input_fname_dm_data = tools.get_output_filename('input.%s' % uniq) + tools.write_file(input_fname_dm_data, input_data_dm_data) + + indata_dm_data = tools.read_file(input_fname_dm_data) + hashval_dm_data = hashlib.sha512(indata_dm_data).hexdigest() + imagesize_dm_data = len(indata_dm_data) + self.num_comps += 1 + dm_data_ext_boot_sequence_string = "dm_data=SEQUENCE:dm_data" + dm_data_ext_boot_block = f"""[dm_data] +compType = INTEGER:17 +bootCore = INTEGER:16 +compOpts = INTEGER:0 +destAddr = FORMAT:HEX,OCT:{self.load_dm_data:08x} +compSize = INTEGER:{imagesize_dm_data} +shaType = OID:{self.sha_type} +shaValue = FORMAT:HEX,OCT:{hashval_dm_data}""" + else: + sysfw_inner_cert_ext_boot_block = "" + imagesize_dm_data = 0 + + self.total_size = imagesize_sbl + imagesize_sysfw + imagesize_sysfw_data + imagesize_sysfw_inner_cert + imagesize_dm_data + with open(config_fname, 'w', encoding='utf-8') as outf: + print(f'''[ req ] +distinguished_name = req_distinguished_name +x509_extensions = v3_ca +prompt = no +dirstring_type = nobmp + +[ req_distinguished_name ] +C = US +ST = TX +L = Dallas +O = Texas Instruments Incorporated +OU = Processors +CN = TI Support +emailAddress = support@ti.com + +[ v3_ca ] +basicConstraints = CA:true +1.3.6.1.4.1.294.1.3=ASN1:SEQUENCE:swrv +1.3.6.1.4.1.294.1.9=ASN1:SEQUENCE:ext_boot_info + +[swrv] +swrv=INTEGER:{self.sw_rev} + +[ext_boot_info] +extImgSize=INTEGER:{self.total_size} +numComp=INTEGER:{self.num_comps} +sbl=SEQUENCE:sbl +sysfw=SEQUENCE:sysfw +sysfw_data=SEQUENCE:sysfw_data +{sysfw_inner_cert_ext_boot_sequence_string} +{dm_data_ext_boot_sequence_string} + +[sbl] +compType = INTEGER:1 +bootCore = INTEGER:16 +compOpts = INTEGER:0 +destAddr = FORMAT:HEX,OCT:{self.load_addr:08x} +compSize = INTEGER:{imagesize_sbl} +shaType = OID:{self.sha_type} +shaValue = FORMAT:HEX,OCT:{hashval_sbl} + +[sysfw] +compType = INTEGER:2 +bootCore = INTEGER:0 +compOpts = INTEGER:0 +destAddr = FORMAT:HEX,OCT:{self.load_addr_sysfw:08x} +compSize = INTEGER:{imagesize_sysfw} +shaType = OID:{self.sha_type} +shaValue = FORMAT:HEX,OCT:{hashval_sysfw} + +[sysfw_data] +compType = INTEGER:18 +bootCore = INTEGER:0 +compOpts = INTEGER:0 +destAddr = FORMAT:HEX,OCT:{self.load_addr_sysfw_data:08x} +compSize = INTEGER:{imagesize_sysfw_data} +shaType = OID:{self.sha_type} +shaValue = FORMAT:HEX,OCT:{hashval_sysfw_data} +{sysfw_inner_cert_ext_boot_block} +{dm_data_ext_boot_block}''', file=outf) + + def GetCertificate(self, required): + """Generate certificate based on boot flow followed by device + + Args: + required: True if the data must be present, False if it is OK to + return None + + Returns: + bytes content of the entry, which is the certificate for the + provided data + """ + if self.combined: + return self.CombinedGetCertificate(required) + else: + return self.NonCombinedGetCertificate(required) + + def ObtainContents(self): + data = self.GetCertificate(False) + if data is None: + return False + self.SetContents(data) + return True + + def ProcessContents(self): + # The blob may have changed due to WriteSymbols() + data = self.GetCertificate(True) + return self.ProcessContentsUpdate(data) + + def AddBintools(self, btools): + super().AddBintools(btools) + self.openssl = self.AddBintool(btools, 'openssl')