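def burnBeeKeySelIfApplicable( self ):
    """Burn the BEE_KEY0_SEL / BEE_KEY1_SEL fuse fields for a BEE-encrypted FlexSPI NOR image.

    Acts only when the secure boot type is BEE crypto and the boot device is
    FlexSPI NOR; otherwise nothing happens. The wanted selector per BEE region
    comes from the advanced settings: a fixed OTPMK key always selects OTPMK
    for region 0, while flexible user keys map each enabled region's own key
    source (OTPMK / SW_GP2 / GP4) to the matching selector value.

    The current BEE_KEY_SEL fuse word is read first and the new selector bits
    are OR-ed in. Because the fields are program-once, the write is refused
    (with a message box) whenever the resulting field would not equal the
    requested value, i.e. a conflicting value is already burned. When no
    selector needs to change, no fuse-program command is issued at all.
    """
    if not (self.secureBootType == uidef.kSecureBootType_BeeCrypto and self.bootDevice == uidef.kBootDevice_FlexspiNor):
        return

    def keySelForSource(keySrc):
        # Map a user-key source setting onto its BEE_KEYx_SEL fuse value;
        # an unknown source yields None so that field is left untouched.
        if keySrc == uidef.kUserKeySource_OTPMK:
            return fusedef.kBeeKeySel_FromOtpmk
        if keySrc == uidef.kUserKeySource_SW_GP2:
            return fusedef.kBeeKeySel_FromSwGp2
        if keySrc == uidef.kUserKeySource_GP4:
            return fusedef.kBeeKeySel_FromGp4
        return None

    setBeeKey0Sel = None
    setBeeKey1Sel = None
    if self.keyStorageRegion == uidef.kKeyStorageRegion_FixedOtpmkKey:
        # One PRDB means one BEE_KEY, no matter how many FAC regions it has,
        # so only BEE_KEY0_SEL is driven by the fixed-OTPMK configuration
        # (the region count previously gated this with an always-true >= 0).
        setBeeKey0Sel = fusedef.kBeeKeySel_FromOtpmk
    elif self.keyStorageRegion == uidef.kKeyStorageRegion_FlexibleUserKeys:
        userKeyCtrlDict, userKeyCmdDict = uivar.getAdvancedSettings(uidef.kAdvancedSettings_UserKeys)
        regionSel = userKeyCtrlDict['region_sel']
        if regionSel == uidef.kUserRegionSel_Region0 or regionSel == uidef.kUserRegionSel_BothRegions:
            setBeeKey0Sel = keySelForSource(userKeyCtrlDict['region0_key_src'])
        if regionSel == uidef.kUserRegionSel_Region1 or regionSel == uidef.kUserRegionSel_BothRegions:
            # Region 1 must be derived from its own key source; the OTPMK case
            # previously tested region0_key_src here, which could burn a wrong
            # program-once selector for BEE_KEY1_SEL.
            setBeeKey1Sel = keySelForSource(userKeyCtrlDict['region1_key_src'])

    if setBeeKey0Sel is None and setBeeKey1Sel is None:
        # Nothing to change: avoid issuing a fuse-program command at all.
        return

    getBeeKeySel = self._getMcuDeviceBeeKeySel()
    if getBeeKeySel is None:
        # Fuse read-back failed; never burn blind.
        return

    if setBeeKey0Sel is not None:
        getBeeKeySel = getBeeKeySel | (setBeeKey0Sel << fusedef.kEfuseShift_BeeKey0Sel)
        if ((getBeeKeySel & fusedef.kEfuseMask_BeeKey0Sel) >> fusedef.kEfuseShift_BeeKey0Sel) != setBeeKey0Sel:
            self.popupMsgBox('Fuse BOOT_CFG1[5:4] BEE_KEY0_SEL has been burned, it is program-once!')
            return

    if setBeeKey1Sel is not None:
        getBeeKeySel = getBeeKeySel | (setBeeKey1Sel << fusedef.kEfuseShift_BeeKey1Sel)
        if ((getBeeKeySel & fusedef.kEfuseMask_BeeKey1Sel) >> fusedef.kEfuseShift_BeeKey1Sel) != setBeeKey1Sel:
            self.popupMsgBox('Fuse BOOT_CFG1[7:6] BEE_KEY1_SEL has been burned, it is program-once!')
            return

    self.burnMcuDeviceFuseByBlhost(fusedef.kEfuseLocation_BeeKeySel, getBeeKeySel)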
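def _getCrtCsfImgUsrPemFilenames(self):
    """Fill crtCsfUsrPemFileList / crtImgUsrPemFileList with the CSF and IMG user-certificate paths.

    One CSFn_1_sha256... and one IMGn_1_sha256... entry is produced per SRK
    under cstCrtsFolder (Windows backslash separator, as elsewhere in this
    file). The tail of the name follows the CST naming scheme: ECC trees
    (CST v3.1.0 with useEllipticCurveCrypto == 'y') carry the PKI tree key CN,
    RSA trees carry the key length and the 65537 exponent.
    """
    certSettingsDict = uivar.getAdvancedSettings(uidef.kAdvancedSettings_Cert)
    useEcc = (certSettingsDict['cstVersion'] == uidef.kCstVersion_v3_1_0
              and certSettingsDict['useEllipticCurveCrypto'] == 'y')
    if useEcc:
        nameTail = '_' + certSettingsDict['pkiTreeKeyCn'] + '_v3_usr_crt.pem'
    else:
        nameTail = '_' + str(certSettingsDict['pkiTreeKeyLen']) + '_65537_v3_usr_crt.pem'
    for i in range(certSettingsDict['SRKs']):
        # The ECC branch used to append the tail to crtSrkCaPemFileList instead
        # of these two lists, leaving the CSF/IMG entries truncated and the CA
        # list corrupted; both lists now always receive their full name.
        self.crtCsfUsrPemFileList[i] = self.cstCrtsFolder + '\\' + 'CSF' + str(i + 1) + '_1_sha256' + nameTail
        self.crtImgUsrPemFileList[i] = self.cstCrtsFolder + '\\' + 'IMG' + str(i + 1) + '_1_sha256' + nameTail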
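def genCertificate(self):
    """Run the CST hab4_pki_tree script to generate the PKI tree (keys and certificates).

    The positional arguments handed to the script depend on the CST version
    selected in the certificate settings:
      * v3.1.0: useExistingCaKey useEllipticCurveCrypto pkiTreeKeyLen pkiTreeDuration SRKs caFlagSet
      * v3.0.1: useExistingCaKey pkiTreeKeyLen pkiTreeDuration SRKs caFlagSet
      * v2.3.3: useExistingCaKey pkiTreeKeyLen pkiTreeDuration SRKs
    Any other version only gets useExistingCaKey pkiTreeDuration SRKs.

    Side effects: the CST paths are refreshed for the selected version, the
    process working directory is changed to hab4PkiTreePath (the script only
    runs from its own folder), the script is executed through os.system, and
    the output folders are reported with printLog.
    """
    self.updateAllCstPathToCorrectVersion()
    certSettingsDict = uivar.getAdvancedSettings(uidef.kAdvancedSettings_Cert)
    cstVersion = certSettingsDict['cstVersion']

    args = [certSettingsDict['useExistingCaKey']]
    if cstVersion == uidef.kCstVersion_v3_1_0:
        args.append(certSettingsDict['useEllipticCurveCrypto'])
        if certSettingsDict['useEllipticCurveCrypto'] in ('y', 'n'):
            # str() covers both the integer RSA length and an ECC curve name;
            # the 'y' branch previously concatenated the raw value.
            args.append(str(certSettingsDict['pkiTreeKeyLen']))
    elif cstVersion in (uidef.kCstVersion_v2_3_3, uidef.kCstVersion_v3_0_1):
        args.append(str(certSettingsDict['pkiTreeKeyLen']))
    args.append(str(certSettingsDict['pkiTreeDuration']))
    args.append(str(certSettingsDict['SRKs']))
    if cstVersion in (uidef.kCstVersion_v3_0_1, uidef.kCstVersion_v3_1_0):
        args.append(certSettingsDict['caFlagSet'])
    batArg = ''.join(' ' + arg for arg in args)

    # We have to change system dir to the path of hab4_pki_tree.bat, or hab4_pki_tree.bat will not be ran successfully
    os.chdir(self.hab4PkiTreePath)
    # NOTE(review): the settings values are spliced unquoted into a shell
    # command line. They come from this tool's own settings, but nothing here
    # validates them, so a value holding shell metacharacters would be
    # interpreted by the shell rather than passed through as an argument.
    os.system(self.hab4PkiTreeName + batArg)
    self.printLog('Certificates are generated into these folders: ' + self.cstKeysFolder + ' , ' + self.cstCrtsFolder)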
def encrypteImageUsingFlexibleUserKeys(self):
    """Encrypt the bootable image with the flexible user keys and emit the BEE DEK files.

    Runs only when the user-key command settings flag the image as a boot
    image ('1'); '0' (and any other value) leaves the image untouched.
    """
    userKeyCtrlDict, userKeyCmdDict = uivar.getAdvancedSettings(uidef.kAdvancedSettings_UserKeys)
    if userKeyCmdDict['is_boot_image'] != '1':
        # '0' is the explicit "not a boot image" setting; nothing to encrypt.
        return
    self._setDestAppFilenameForBee()
    self._updateEncBatfileContent(userKeyCtrlDict, userKeyCmdDict)
    self._encrypteBootableImage()
    self._genBeeDekFilesAndShow(userKeyCtrlDict, userKeyCmdDict)
def _setSrkFilenames( self ):
    """Derive srkTableFilename and srkFuseFilename from the configured SRK count.

    For N SRKs the files are SRK_1_..._N_table.bin and SRK_1_..._N_fuse.bin
    inside srkFolder.
    """
    certSettingsDict = uivar.getAdvancedSettings(uidef.kAdvancedSettings_Cert)
    indexSuffix = ''.join('_' + str(n) for n in range(1, certSettingsDict['SRKs'] + 1))
    baseName = 'SRK' + indexSuffix
    self.srkTableFilename = os.path.join(self.srkFolder, baseName + '_table.bin')
    self.srkFuseFilename = os.path.join(self.srkFolder, baseName + '_fuse.bin')
def updateAllCstPathToCorrectVersion( self ):
    """Rewrite every CST-version-dependent path when the selected CST version changed.

    Each stored path embeds the CST version string and lastCstVersion is the
    version those paths currently contain. When the setting differs, the
    version substring is swapped in all of them, lastCstVersion is updated,
    and the CST binaries / OpenSSL are copied into their working folders.
    """
    certSettingsDict = uivar.getAdvancedSettings(uidef.kAdvancedSettings_Cert)
    newVersion = certSettingsDict['cstVersion']
    if self.lastCstVersion == newVersion:
        return
    versionedPathAttrs = (
        'cstBinFolder',
        'cstKeysFolder',
        'cstCrtsFolder',
        'hab4PkiTreePath',
        'srktoolPath',
        'cstBinToElftosbPath',
        'cstCrtsToElftosbPath',
    )
    for attrName in versionedPathAttrs:
        # Plain substring replacement, exactly as the per-attribute version did.
        setattr(self, attrName, getattr(self, attrName).replace(self.lastCstVersion, newVersion))
    self.lastCstVersion = newVersion
    self._copyCstBinToElftosbFolder()
    self._copyOpensslBinToCstFolder()
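def burnBeeDekData ( self ):
    """Burn the BEE DEK(s) of the flexible user keys into the SW_GP2 / GP4 fuse regions.

    For each enabled BEE region the configured key source decides where that
    region's DEK file goes: SW_GP2 or GP4 (the OTPMK source falls through and
    needs no DEK fuse programming here). Region 1 is evaluated before region 0,
    so when both regions name the same fuse source the region 0 DEK is the one
    burned — this matches the original evaluation order; confirm it is the
    intended precedence. A region is programmed only when it reads back blank,
    otherwise a message box reports that the program-once region is used.
    """
    userKeyCtrlDict, userKeyCmdDict = uivar.getAdvancedSettings(uidef.kAdvancedSettings_UserKeys)
    regionSel = userKeyCtrlDict['region_sel']

    # (settings key of the region's key source, DEK file) in evaluation order.
    regions = []
    if regionSel == uidef.kUserRegionSel_Region1 or regionSel == uidef.kUserRegionSel_BothRegions:
        regions.append(('region1_key_src', self.beeDek1Filename))
    if regionSel == uidef.kUserRegionSel_Region0 or regionSel == uidef.kUserRegionSel_BothRegions:
        regions.append(('region0_key_src', self.beeDek0Filename))

    needToBurnSwGp2 = False
    needToBurnGp4 = False
    swgp2DekFilename = None
    gp4DekFilename = None
    for keySrcName, dekFilename in regions:
        keySrc = userKeyCtrlDict[keySrcName]
        if keySrc == uidef.kUserKeySource_SW_GP2:
            needToBurnSwGp2 = True
            swgp2DekFilename = dekFilename
        elif keySrc == uidef.kUserKeySource_GP4:
            needToBurnGp4 = True
            gp4DekFilename = dekFilename

    # Floor division: the DEK bit length must become an integer word count
    # (true division yields a float and makes range() fail on Python 3).
    keyWords = gendef.kSecKeyLengthInBits_DEK // 32

    def burnDekWords(dekFilename, firstFuseIndex):
        # Program the DEK one 32-bit word at a time, reading the words at
        # consecutive 4-byte offsets of the DEK file.
        for i in range(keyWords):
            val32 = self.getVal32FromBinFile(dekFilename, (i * 4))
            self.burnMcuDeviceFuseByBlhost(firstFuseIndex + i, val32)

    if needToBurnSwGp2:
        if self._isDeviceFuseSwGp2RegionBlank():
            burnDekWords(swgp2DekFilename, fusedef.kEfuseIndex_SW_GP2_0)
        else:
            self.popupMsgBox('Fuse SW_GP2 Region has been burned, it is program-once!')

    if needToBurnGp4:
        if self._isDeviceFuseGp4RegionBlank():
            burnDekWords(gp4DekFilename, fusedef.kEfuseIndex_GP4_0)
        else:
            self.popupMsgBox('Fuse GP4 Region has been burned, it is program-once!')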
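def _updateSrkBatfileContent( self ):
    """Write the srktool command line that builds the SRK table and SRK fuse files.

    Refreshes the SRK output names and the CA / CSF / IMG certificate path
    lists first, then writes one command to srkBatFilename of the form
    "<srktool>" -h 4 -t "<table>" -e "<fuse>" -d sha256 -c "<ca1>",...,"<caN>" -f 1
    """
    self._setSrkFilenames()
    self._getCrtSrkCaPemFilenames()
    self._getCrtCsfImgUsrPemFilenames()
    certSettingsDict = uivar.getAdvancedSettings(uidef.kAdvancedSettings_Cert)

    # Each path is wrapped in double quotes, presumably so folders containing
    # spaces survive the command interpreter.
    caCertArgs = ','.join('"' + self.crtSrkCaPemFileList[i] + '"' for i in range(certSettingsDict['SRKs']))
    batContent = '"' + self.srktoolPath + '"'
    batContent += ' -h 4'
    batContent += ' -t "' + self.srkTableFilename + '"'
    batContent += ' -e "' + self.srkFuseFilename + '"'
    batContent += ' -d sha256'
    batContent += ' -c ' + caCertArgs
    batContent += ' -f 1'

    # NOTE(review): a str is written in binary mode, which relies on Python 2
    # semantics; on Python 3 this would need an explicit encode().
    with open(self.srkBatFilename, 'wb') as fileObj:
        # The context manager closes the file; the former explicit close() was redundant.
        fileObj.write(batContent)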
def prepareForFixedOtpmkEncryption( self ):
    """Set up the device for BEE image encryption with the fixed OTPMK key.

    Steps, in this order: prepare the boot device, show the OTPMK DEK, erase
    the FlexSPI NOR image area, fill the PRDB option word plus one
    (start, length) pair per encrypted region into free RAM, hand that buffer
    to configureMemory, and finally program the FlexSPI NOR config block.

    Returns:
        False as soon as any blhost command reports a status other than
        kStatus_Success (the command string is logged first); None when every
        step succeeded. NOTE(review): the success path returns None rather
        than True, so callers must not rely on a truthy result.
    """
    self._prepareForBootDeviceOperation()
    self._showOtpmkDek()
    self._eraseFlexspiNorForImageLoading()
    # NOTE(review): the region lists are modified in place below, i.e. the
    # settings object returned by getAdvancedSettings is mutated — presumably
    # intentional so the defaults persist; confirm.
    otpmkKeyOpt, otpmkEncryptedRegionStart, otpmkEncryptedRegionLength = uivar.getAdvancedSettings(uidef.kAdvancedSettings_OtpmkKey)
    # Prepare PRDB options
    #---------------------------------------------------------------------------
    # 0xe0120000 is an option for PRDB construction and image encryption
    # bit[31:28] tag, fixed to 0x0E
    # bit[27:24] Key source, fixed to 0 for A0 silicon
    # bit[23:20] AES mode: 1 - CTR mode
    # bit[19:16] Encrypted region count
    # bit[15:00] reserved in A0
    #---------------------------------------------------------------------------
    encryptedRegionCnt = (otpmkKeyOpt & 0x000F0000) >> 16
    if encryptedRegionCnt == 0:
        # No region configured: default to a single region starting at the IVT
        # of the FlexSPI NOR image whose length is the application file size
        # rounded up to the FAC alignment unit (minus the IVT offset), and
        # patch count = 1 into bit[19:16] of the option word.
        otpmkKeyOpt = (otpmkKeyOpt & 0xFFF0FFFF) | (0x1 << 16)
        encryptedRegionCnt = 1
        otpmkEncryptedRegionStart[0] = rundef.kBootDeviceMemBase_FlexspiNor + gendef.kIvtOffset_NOR
        otpmkEncryptedRegionLength[0] = misc.align_up(os.path.getsize(self.destAppFilename), gendef.kSecFacRegionAlignedUnit) - gendef.kIvtOffset_NOR
    else:
        pass
    # RAM layout at kRamFreeSpaceStart_LoadPrdbOpt: option word at +0, then
    # for region i its start at +4 + 8*i and its length at +8 + 8*i.
    status, results, cmdStr = self.blhost.fillMemory(rundef.kRamFreeSpaceStart_LoadPrdbOpt, 0x4, otpmkKeyOpt)
    self.printLog(cmdStr)
    if status != boot.status.kStatus_Success:
        return False
    for i in range(encryptedRegionCnt):
        status, results, cmdStr = self.blhost.fillMemory(rundef.kRamFreeSpaceStart_LoadPrdbOpt + i * 8 + 4, 0x4, otpmkEncryptedRegionStart[i])
        self.printLog(cmdStr)
        if status != boot.status.kStatus_Success:
            return False
        status, results, cmdStr = self.blhost.fillMemory(rundef.kRamFreeSpaceStart_LoadPrdbOpt + i * 8 + 8, 0x4, otpmkEncryptedRegionLength[i])
        self.printLog(cmdStr)
        if status != boot.status.kStatus_Success:
            return False
    # The option buffer just written doubles as the configureMemory parameter block.
    status, results, cmdStr = self.blhost.configureMemory(self.bootDeviceMemId, rundef.kRamFreeSpaceStart_LoadPrdbOpt)
    self.printLog(cmdStr)
    if status != boot.status.kStatus_Success:
        return False
    self._programFlexspiNorConfigBlock()