1# ASPEED AST2600 devices can use Aspeed's utility 'socsec'
2# to sign the SPL (pubkey written to OTP region)
3# The variables below carry default values to the spl_sign()
4# function below.
5SOCSEC_SIGN_ENABLE ?= "0"
6SOCSEC_SIGN_KEY ?= ""
7SOCSEC_SIGN_SOC ?= "2600"
8SOCSEC_SIGN_ALGO ?= "RSA4096_SHA512"
9SOCSEC_SIGN_HELPER ?= ""
10# u-boot-aspeed-sdk commit '2c3b53489c ast2600: Modify SPL SRAM layout'
11# changes the SRAM layout so that the verification region does NOT
12# intersects the stack. The parameter below can be used to instruct
13# socsec to work in either mode (ommitting it throws a warning), but
14# newer (post v00.03.03) u-boot-aspeed-sdk need this set to false
15# A1 rsa order is little endian and A3 is big endian
16# Set big endian for A3 support
17SOCSEC_SIGN_EXTRA_OPTS ?= "--stack_intersects_verification_region=false --rsa_key_order=big"
18DEPENDS += '${@oe.utils.conditional("SOCSEC_SIGN_ENABLE", "1", " socsec-native", "", d)}'
19
20
21# Signs the SPL binary with a pre-established key
22sign_spl_helper() {
23    signing_helper_args=""
24
25    if [ "${SOC_FAMILY}" != "aspeed-g6" ] ; then
26        bbwarn "SPL signing is only supported on AST2600 boards"
27    elif [ ! -e "${SOCSEC_SIGN_KEY}" ] ; then
28        bbfatal "Invalid socsec signing key: ${SOCSEC_SIGN_KEY}"
29    else
30        rm -f ${SPL_BINARY}.staged
31
32        if [ -n "${SOCSEC_SIGN_HELPER}" ] ; then
33            signing_helper_args="--signing_helper ${SOCSEC_SIGN_HELPER}"
34        fi
35        socsec make_secure_bl1_image \
36            --soc ${SOCSEC_SIGN_SOC}  \
37            --algorithm ${SOCSEC_SIGN_ALGO} \
38            --rsa_sign_key ${SOCSEC_SIGN_KEY} \
39            --bl1_image ${DEPLOYDIR}/${SPL_IMAGE} \
40            $signing_helper_args \
41            ${SOCSEC_SIGN_EXTRA_OPTS} \
42            --output ${SPL_BINARY}.staged
43        cp -f ${SPL_BINARY}.staged ${B}/$CONFIG_B_PATH/${SPL_BINARY}
44        mv -f ${SPL_BINARY}.staged ${DEPLOYDIR}/${SPL_IMAGE}
45    fi
46}
47
48sign_spl() {
49    mkdir -p ${DEPLOYDIR}
50    if [ -n "${UBOOT_CONFIG}" ]; then
51        for config in ${UBOOT_MACHINE}; do
52            CONFIG_B_PATH="$config"
53            cd ${B}/$config
54            sign_spl_helper
55        done
56    else
57        CONFIG_B_PATH=""
58        cd ${B}
59        sign_spl_helper
60    fi
61}
62
63verify_spl_otp() {
64    for otptool_config in ${OTPTOOL_CONFIGS} ; do
65        socsec verify \
66            --sec_image ${DEPLOYDIR}/${SPL_IMAGE} \
67            --otp_image ${DEPLOYDIR}/"$(basename ${otptool_config} .json)"-otp-all.image
68
69        if [ $? -ne 0 ]; then
70            bbfatal "Verified OTP image failed."
71        fi
72    done
73}
74
75do_deploy:append() {
76    if [ "${SOCSEC_SIGN_ENABLE}" = "1" -a -n "${SPL_BINARY}" ] ; then
77        sign_spl
78        verify_spl_otp
79    fi
80}
81