Sign.sh runs openssl and other linux utilities to generate rsa-pss signatures for bootloader and bct and inject them into bct directly. Syntax: sign.sh <bootimage> <rsa_key.pem> Another way to update signature is to use configuration keyword "RsaKeyModulusFile", "RsaPssSigBlFile", and "RsaPssSigBctFile". Details are explained in man page. Signed-off-by: Jimmy Zhang <jimmzhang@xxxxxxxxxx> --- rehash.cfg | 1 + rsa_priv.pem | 27 +++++++++++++++++++++++++ sign.sh | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 93 insertions(+) create mode 100644 rehash.cfg create mode 100644 rsa_priv.pem create mode 100755 sign.sh diff --git a/rehash.cfg b/rehash.cfg new file mode 100644 index 000000000000..c5c741bad536 --- /dev/null +++ b/rehash.cfg @@ -0,0 +1 @@ +RehashBl; diff --git a/rsa_priv.pem b/rsa_priv.pem new file mode 100644 index 000000000000..cbafc03ba35a --- /dev/null +++ b/rsa_priv.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAs3Lf87UkomlfVHdw/FEz+owzgO+ZFu6/72qT+jSu7aEDZeZj +l2cgTQOnHjlmBYj6KoqwXQmY6ZWPNBT7xDqzGdvimCVRC3OGRee2uD+Itu/Qwo1F +FOb7v+l3v6lODGqDJ06aIxLicEiqK55dk5z+7dP8yyJ3pRhwiDPE4tNtlLOWgmJ/ +hENyqBHbMMzg67Qwb+aa89wfq2FRrvGOpfmrKlhqtikDnwJALBfkr7hsZGZOszHC +ii2L5T3eCaI/me2/VIGlQSjGxmaDkiG/aIZVTuIX/LuOyi4sLXJ9cIFQ7Ty/0PAk +6Ia6VyEGETQt6+JeLETX4Zc+XCnfbE/Flhs5PwIDAQABAoIBAQCMcmM/Xc4PY0Ne +W6FNicyR0vtYda4u2avVGWg50tP6XiPHtDrMO8V3IV3B9RCZUmzhsOx51NIeN5T+ +IVIvcfXNTmCZzdMRkFhODB3hNLCu5SFRs7mWs3Xj7TlxA3R3mUGPGSDgRJ5/XQ/6 +1ZbNunl38IuQ/SgBShCBOWtmUC4ay+ctm1CzBZ/7AYlauOxdoKiU2nzlwpMrX9+C +vaVKRQVYbE7EYJsWKOx6vRPU5Kjoq6StlSW4caG0ReRu9tO+xL7kZnqp1BWl3KHw +OfzLy1CmwDkV3bKFclRWWPR97nN7F95SUFIJ3bOVjU/K2TKuLtMYPPVdG4CBBeB5 +eK2Qae7ZAoGBAOprwiAvcRNWJ2W5JoCkh0L6AHXx2z+S1Bbt0laz4NyqyfPX2SMl +DJRxm/IoYRfwZf7fussI1bG7g4UP8HjfrlAzSEWVgPNMSWftOFzkv4QNr2ySjk0/ +nZRsd+zj2kxhc8ukDhiORkyEEg5gtsEUqbtdZHOiqtkNbKOPD6EGKeP7AoGBAMP3 +q5NUh9pJ2RGSkdKutloXNe0HPI6sjsCX3HHWAaFyqBtXWvRU3fIaMUpGQcPaqDCt +LhzVoNlPXdeQ7vTkBPtiYQBcs0NPI+58pnD5fgR00yTX/5ZIGKbX0NnpZ3spsQAQ +FQTXGy80+JyGMmJCDf32VGC96I9Ey5w49U23kXiNAoGAGEtiqwM/rMlY++ncW6ix +e/d85LxUBJqq8FVlXyb1PulUVLkh/8pvK1M63jXhGiIH8Aovyar4upq8XqXwPhaw +cg9ehhegbZaSZProxHfQgVcJvy7RIKBfLGqxYxOaJCBVZ91wuIrGLlfhpyvOxOPn +U0uyhWluW2BQygKhlAaXgNECgYAKDAif5RWR+3dFj14qjwqKU+ZP4K8aIX6wIRkM +PQyYWmiD/laLcE5wuycLx85XXD6DQF283LcCbS9CfgvCQm5+9OxEOHx4VvZgo8Nk +x2XOlK6+lNRlwAyDgU0T3wOPLPQGLMznEqAyK2UToU2z++77tkVdMF9b+Qr3V3Q8 +J80tgQKBgQCW2OHHUfnfRMns/d1sp/QNMag19flOT+IjvZXI5ZMy9yojlpcTSdSq +NzaahUZKtEankjMlXw2RHMYrXjtAJgwXlV4rMWxkaqUrVqq99v6M1QNx/SHjnVB+ +SYQ8PZHp0mPk/opRPydP/U5WKDcP10KRuSNRSQmvacD5gzs3B6Jhqg== +-----END RSA PRIVATE KEY----- diff --git a/sign.sh b/sign.sh new file mode 100755 index 000000000000..8f8a353fe19f --- /dev/null +++ b/sign.sh @@ -0,0 +1,65 @@ +IMAGE_FILE=$1 +KEY_FILE=$2 +TARGET_IMAGE=$IMAGE_FILE +CONFIG_FILE=rehash.cfg + +CBOOTIMAGE=src/cbootimage +BCT_DUMP=src/bct_dump +OBJCOPY=objcopy +OPENSSL=openssl +DD=dd +RM=rm +MV=mv +XXD=xxd + +echo " Get rid of all temporary files: *.sig, *.tosig, *.tmp *.mod *.rev" +$RM -f *.sig *.tosig *.tmp *.mod *.rev + +echo " Get bl length " +BL_LENGTH=`$BCT_DUMP $IMAGE_FILE | grep "Bootloader\[0\].Length" \ + | awk -F ' ' '{print $4}' | awk -F ';' '{print $1}'` + +echo " Extract bootloader to $IMAGE_FILE.bl.tosig, length $BL_LENGTH " +$DD bs=1 skip=32768 if=$IMAGE_FILE of=$IMAGE_FILE.bl.tosig count=$BL_LENGTH + +echo " Calculate rsa signature for bl and save to $IMAGE_FILE.bl.sig" +$OPENSSL dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \ + -sign $KEY_FILE -out $IMAGE_FILE.bl.sig $IMAGE_FILE.bl.tosig + +echo " Reverse bl signature to meet tegra soc signature ordering" +$OBJCOPY -I binary --reverse-bytes=256 $IMAGE_FILE.bl.sig $IMAGE_FILE.bl.sig.rev + +echo " Inject bl signature into bct" +$DD conv=notrunc bs=1 if=$IMAGE_FILE.bl.sig.rev of=$IMAGE_FILE seek=9052 count=256 + +echo " Update bct aes hash and output to $IMAGE_FILE.tmp" +$CBOOTIMAGE -s tegra210 -u $CONFIG_FILE $IMAGE_FILE $IMAGE_FILE.tmp + +echo " Extract the part of bct which needs to be rsa signed" +$DD bs=1 if=$IMAGE_FILE.tmp of=$IMAGE_FILE.bct.tosig count=8944 skip=1296 + +echo " Calculate rsa signature for bct and save to $IMAGE_FILE.bct.sig" +$OPENSSL dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \ + -sign $KEY_FILE -out $IMAGE_FILE.bct.sig $IMAGE_FILE.bct.tosig + +echo " Reverse bct signature to meet tegra soc signature ordering" +$OBJCOPY -I binary --reverse-bytes=256 $IMAGE_FILE.bct.sig $IMAGE_FILE.bct.sig.rev + +echo " Inject bct signature into bct" +$DD conv=notrunc bs=1 if=$IMAGE_FILE.bct.sig.rev of=$IMAGE_FILE.tmp seek=800 count=256 + +echo " Create public key modulus from key file $KEY_FILE and save to $KEY_FILE.mod" +$OPENSSL rsa -in $KEY_FILE -noout -modulus -out $KEY_FILE.mod +# remove prefix and LF +$DD bs=1 if=$KEY_FILE.mod of=$KEY_FILE.mod.tmp skip=8 count=512 +# convert format from hexdecimal to binary +$XXD -r -p -l 256 $KEY_FILE.mod.tmp $KEY_FILE.mod.bin +# reverse byte order" +$OBJCOPY -I binary --reverse-bytes=256 $KEY_FILE.mod.bin $KEY_FILE.mod.bin.rev + +echo " Inject public key modulus into bct" +$DD conv=notrunc bs=1 if=$KEY_FILE.mod.bin.rev of=$IMAGE_FILE.tmp seek=528 count=256 + +echo " Copy the signed binary to the target file $TARGET_IMAGE" +$MV $IMAGE_FILE.tmp $TARGET_IMAGE + -- 1.8.1.5 -- To unsubscribe from this list: send the line "unsubscribe linux-tegra" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html