def generate_master_boot_image(image_conf: click.File) -> None:
"""Generate MasterBootImage from json configuration file."""
config_data = json.load(image_conf)
config = elftosb_helper.MasterBootImageConfig(config_data)
app = load_binary(config.input_image_file)
load_addr = config.output_image_exec_address
trustzone = _get_trustzone(config)
image_type = _get_master_boot_image_type(config)
dual_boot_version = config.dual_boot_version
firmware_version = config.firmware_version
cert_block = None
signature_provider = None
if MasterBootImageType.is_signed(image_type):
cert_config = elftosb_helper.CertificateBlockConfig(config_data)
cert_block = _get_cert_block_v31(cert_config)
if cert_config.use_isk:
signing_private_key_path = cert_config.isk_private_key_file
else:
signing_private_key_path = cert_config.main_root_private_key_file
signature_provider = SignatureProvider.create(
f'type=file;file_path={signing_private_key_path}')
mbi = MasterBootImageN4Analog(app=app,
load_addr=load_addr,
image_type=image_type,
trust_zone=trustzone,
dual_boot_version=dual_boot_version,
firmware_version=firmware_version,
cert_block=cert_block,
signature_provider=signature_provider)
mbi_data = mbi.export()
write_file(mbi_data, config.master_boot_output_file, mode='wb')
def generate_trustzone_binary(tzm_conf: click.File) -> None:
"""Generate TrustZone binary from json configuration file."""
config_data = load_configuration(tzm_conf.name)
check_config(config_data, TrustZone.get_validation_schemas())
trustzone = TrustZone.from_config(config_data)
tz_data = trustzone.export()
output_file = config_data["tzpOutputFile"]
write_file(tz_data, output_file, mode="wb")
click.echo(f"Success. (Trustzone binary: {output_file} created.)")
def generate_trustzone_binary(tzm_conf: click.File) -> None:
"""Generate TrustZone binary from json configuration file."""
config_data = json.load(tzm_conf)
config = elftosb_helper.TrustZoneConfig(config_data)
trustzone = TrustZone.custom(family=config.family,
revision=config.revision,
customizations=config.presets)
tz_data = trustzone.export()
write_file(tz_data, config.output_file, mode="wb")
def generate_master_boot_image(image_conf: click.File) -> None:
"""Generate MasterBootImage from json configuration file."""
config_data = json.load(image_conf)
config = elftosb_helper.MasterBootImageConfig(config_data)
app = load_binary(config.input_image_file)
load_addr = config.output_image_exec_address
trustzone = _get_trustzone(config)
image_type = _get_master_boot_image_type(config)
dual_boot_version = config.dual_boot_version
firmware_version = config.firmware_version
cert_block = None
signature_provider = None
if MasterBootImageType.is_signed(image_type):
cert_config = elftosb_helper.CertificateBlockConfig(config_data)
root_certs = [
load_binary(cert_file) for cert_file in cert_config.root_certs # type: ignore
]
user_data = None
if cert_config.isk_sign_data_path:
user_data = load_binary(cert_config.isk_sign_data_path)
isk_private_key = None
if cert_config.isk_private_key_file:
isk_private_key = load_private_key(cert_config.isk_private_key_file)
assert isinstance(isk_private_key, EllipticCurvePrivateKeyWithSerialization)
isk_cert = None
if cert_config.isk_certificate:
cert_data = load_binary(cert_config.isk_certificate)
isk_cert = ECC.import_key(cert_data)
ca_flag = not cert_config.use_isk
cert_block = CertBlockV3(
root_certs=root_certs, ca_flag=ca_flag,
used_root_cert=cert_config.main_root_cert_id, constraints=cert_config.isk_constraint,
isk_private_key=isk_private_key, isk_cert=isk_cert, # type: ignore
user_data=user_data
)
if cert_config.use_isk:
signing_private_key_path = cert_config.isk_private_key_file
else:
signing_private_key_path = cert_config.main_root_private_key_file
signature_provider = SignatureProvider.create(f'type=file;file_path={signing_private_key_path}')
assert config.master_boot_output_file
mbi = MasterBootImageN4Analog(
app=app, load_addr=load_addr, image_type=image_type,
trust_zone=trustzone, dual_boot_version=dual_boot_version,
firmware_version=firmware_version,
cert_block=cert_block,
signature_provider=signature_provider
)
mbi_data = mbi.export()
write_file(mbi_data, config.master_boot_output_file, mode='wb')
def test_write_file(data_dir, tmpdir):
"""Test writing data to data using write_file."""
data = load_binary(data_dir, "file.bin")
text = load_file(data_dir, "file.txt")
write_file(data, tmpdir, "file.bin", mode="wb")
write_file(text, tmpdir, "file.txt")
assert filecmp.cmp(os.path.join(data_dir, "file.bin"),
os.path.join(tmpdir, "file.bin"))
assert filecmp.cmp(os.path.join(data_dir, "file.txt"),
os.path.join(tmpdir, "file.txt"))
def generate_master_boot_image(image_conf: click.File) -> None:
"""Generate MasterBootImage from json configuration file.
:param image_conf: master boot image json configuration file.
"""
config_data = load_configuration(image_conf.name)
mbi_cls = get_mbi_class(config_data)
check_config(config_data, mbi_cls.get_validation_schemas())
mbi = mbi_cls()
mbi.load_from_config(config_data)
mbi_data = mbi.export()
mbi_output_file_path = config_data["masterBootOutputFile"]
write_file(mbi_data, mbi_output_file_path, mode="wb")
click.echo(
f"Success. (Master Boot Image: {mbi_output_file_path} created.)")
def generate_secure_binary_31(container_conf: click.File) -> None:
"""Geneate SecureBinary image from json configuration file.
:param container_conf: configuration file
:raises SPSDKError: Raised when there is no signing key
"""
config_data = load_configuration(container_conf.name)
schemas = SecureBinary31.get_validation_schemas(
include_test_configuration=True)
schemas.append(
ValidationSchemas.get_schema_file(SB3_SCH_FILE)["sb3_output"])
check_config(config_data, schemas)
sb3 = SecureBinary31.load_from_config(config_data)
sb3_data = sb3.export()
sb3_output_file_path = config_data["containerOutputFile"]
write_file(sb3_data, sb3_output_file_path, mode="wb")
click.echo(
f"Success. (Secure binary 3.1: {sb3_output_file_path} created.)")
def generate_master_boot_image(image_conf: click.File) -> None:
"""Generate MasterBootImage from json configuration file."""
config_data = json.load(image_conf)
config = elftosb_helper.MasterBootImageConfig(config_data)
app = load_binary(config.input_image_file)
load_addr = config.output_image_exec_address
trustzone = _get_trustzone(config)
image_type = _get_master_boot_image_type(config)
dual_boot_version = config.dual_boot_version
firmware_version = config.firmware_version
assert config.master_boot_output_file
mbi = MasterBootImageN4Analog(app=app,
load_addr=load_addr,
image_type=image_type,
trust_zone=trustzone,
dual_boot_version=dual_boot_version,
firmware_version=firmware_version)
mbi_data = mbi.export()
write_file(mbi_data, config.master_boot_output_file, mode='wb')
def generate_secure_binary(container_conf: click.File) -> None:
"""Geneate SecureBinary image from json configuration file."""
config_data = json.load(container_conf)
config = elftosb_helper.SB31Config(config_data)
timestamp = config.timestamp
if timestamp is None:
# in our case, timestamp is the number of seconds since "Jan 1, 2000"
timestamp = int(
(datetime.now() - datetime(2000, 1, 1)).total_seconds())
if isinstance(timestamp, str):
timestamp = int(timestamp, 0)
final_data = bytes()
assert isinstance(config.main_curve_name, str)
# COMMANDS
pck = None
if config.is_encrypted:
assert isinstance(config.container_keyblob_enc_key_path, str)
pck = bytes.fromhex(load_text(config.container_keyblob_enc_key_path))
sb_cmd_block = SecureBinary31Commands(
curve_name=config.main_curve_name,
is_encrypted=config.is_encrypted,
kdk_access_rights=config.kdk_access_rights,
pck=pck,
timestamp=timestamp,
)
commands = elftosb_helper.get_cmd_from_json(config)
sb_cmd_block.set_commands(commands)
commands_data = sb_cmd_block.export()
# CERTIFICATE BLOCK
cert_block = _get_cert_block_v31(config)
data_cb = cert_block.export()
# SB FILE HEADER
sb_header = SecureBinary31Header(firmware_version=config.firmware_version,
description=config.description,
curve_name=config.main_curve_name,
timestamp=timestamp,
is_nxp_container=config.is_nxp_container)
sb_header.block_count = sb_cmd_block.block_count
sb_header.image_total_length += len(sb_cmd_block.final_hash) + len(data_cb)
# TODO: use proper signature len calculation
sb_header.image_total_length += 2 * len(sb_cmd_block.final_hash)
sb_header_data = sb_header.export()
final_data += sb_header_data
# HASH OF PREVIOUS BLOCK
final_data += sb_cmd_block.final_hash
final_data += data_cb
# SIGNATURE
assert isinstance(config.main_signing_key, str)
private_key_data = load_binary(config.main_signing_key)
data_to_sign = final_data
signature = internal_backend.ecc_sign(private_key_data, data_to_sign)
assert internal_backend.ecc_verify(private_key_data, signature,
data_to_sign)
final_data += signature
final_data += commands_data
write_file(final_data, config.container_output, mode='wb')