示例#1
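 def burnBeeKeySelIfApplicable( self ):
     """Burn the BEE_KEY0_SEL / BEE_KEY1_SEL fuse fields when BEE crypto on FlexSPI NOR is selected.

     The key selection for each BEE region is derived from the advanced
     settings (fixed OTPMK key, or flexible user keys per region), merged
     into the value read back from the device, and written with a single
     fuse burn. Nothing is burned when the boot configuration does not use
     BEE on FlexSPI NOR, when the current fuse value cannot be read, or when
     an already-burned field conflicts with the requested selection.
     """
     if self.secureBootType == uidef.kSecureBootType_BeeCrypto and self.bootDevice == uidef.kBootDevice_FlexspiNor:
         setBeeKey0Sel = None
         setBeeKey1Sel = None
         if self.keyStorageRegion == uidef.kKeyStorageRegion_FixedOtpmkKey:
             otpmkKeyOpt, otpmkEncryptedRegionStart, otpmkEncryptedRegionLength = uivar.getAdvancedSettings(uidef.kAdvancedSettings_OtpmkKey)
             encryptedRegionCnt = (otpmkKeyOpt & 0x000F0000) >> 16
             # One PRDB means one BEE_KEY, no matter how many FAC regions it has.
             # The masked count is never negative, so this condition always holds
             # and BEE_KEY0_SEL is always pointed at OTPMK in this mode.
             if encryptedRegionCnt >= 0:
                 setBeeKey0Sel = fusedef.kBeeKeySel_FromOtpmk
         elif self.keyStorageRegion == uidef.kKeyStorageRegion_FlexibleUserKeys:
             userKeyCtrlDict, userKeyCmdDict = uivar.getAdvancedSettings(uidef.kAdvancedSettings_UserKeys)
             regionSel = userKeyCtrlDict['region_sel']
             if regionSel == uidef.kUserRegionSel_Region0 or regionSel == uidef.kUserRegionSel_BothRegions:
                 if userKeyCtrlDict['region0_key_src'] == uidef.kUserKeySource_OTPMK:
                     setBeeKey0Sel = fusedef.kBeeKeySel_FromOtpmk
                 elif userKeyCtrlDict['region0_key_src'] == uidef.kUserKeySource_SW_GP2:
                     setBeeKey0Sel = fusedef.kBeeKeySel_FromSwGp2
                 elif userKeyCtrlDict['region0_key_src'] == uidef.kUserKeySource_GP4:
                     setBeeKey0Sel = fusedef.kBeeKeySel_FromGp4
             if regionSel == uidef.kUserRegionSel_Region1 or regionSel == uidef.kUserRegionSel_BothRegions:
                 # Fix: the OTPMK test used to read 'region0_key_src', so region 1's
                 # key selector followed region 0's setting. Since this fuse is
                 # program-once, a wrong selector cannot be corrected afterwards.
                 if userKeyCtrlDict['region1_key_src'] == uidef.kUserKeySource_OTPMK:
                     setBeeKey1Sel = fusedef.kBeeKeySel_FromOtpmk
                 elif userKeyCtrlDict['region1_key_src'] == uidef.kUserKeySource_SW_GP2:
                     setBeeKey1Sel = fusedef.kBeeKeySel_FromSwGp2
                 elif userKeyCtrlDict['region1_key_src'] == uidef.kUserKeySource_GP4:
                     setBeeKey1Sel = fusedef.kBeeKeySel_FromGp4
         getBeeKeySel = self._getMcuDeviceBeeKeySel()
         # A None read-back means the current fuse value is unknown; burning
         # blind would risk an unrecoverable mismatch, so nothing is done.
         if getBeeKeySel is not None:
             if setBeeKey0Sel is not None:
                 # Fuse bits can only be set, never cleared: OR the request into
                 # the current value and check that the field still equals the
                 # request. A difference means conflicting bits are already burned.
                 getBeeKeySel = getBeeKeySel | (setBeeKey0Sel << fusedef.kEfuseShift_BeeKey0Sel)
                 if ((getBeeKeySel & fusedef.kEfuseMask_BeeKey0Sel) >> fusedef.kEfuseShift_BeeKey0Sel) != setBeeKey0Sel:
                     self.popupMsgBox('Fuse BOOT_CFG1[5:4] BEE_KEY0_SEL has been burned, it is program-once!')
                     return
             if setBeeKey1Sel is not None:
                 getBeeKeySel = getBeeKeySel | (setBeeKey1Sel << fusedef.kEfuseShift_BeeKey1Sel)
                 if ((getBeeKeySel & fusedef.kEfuseMask_BeeKey1Sel) >> fusedef.kEfuseShift_BeeKey1Sel) != setBeeKey1Sel:
                     self.popupMsgBox('Fuse BOOT_CFG1[7:6] BEE_KEY1_SEL has been burned, it is program-once!')
                     return
             # Both fields are validated before the single burn, so a conflict in
             # either one leaves the fuse word untouched.
             self.burnMcuDeviceFuseByBlhost(fusedef.kEfuseLocation_BeeKeySel, getBeeKeySel)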
示例#2
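 def _getCrtCsfImgUsrPemFilenames(self):
     """Fill in the CSF and IMG user-certificate PEM paths for every SRK.

     For each SRK index the path is built under ``self.cstCrtsFolder`` as
     ``CSF<n>_1_sha256...`` / ``IMG<n>_1_sha256...``. With CST v3.1.0 and
     elliptic-curve crypto enabled the name carries the curve name
     (``pkiTreeKeyCn``); otherwise it carries the key length and the
     ``65537`` exponent tag.
     """
     certSettingsDict = uivar.getAdvancedSettings(
         uidef.kAdvancedSettings_Cert)
     for i in range(certSettingsDict['SRKs']):
         if (certSettingsDict['cstVersion'] == uidef.kCstVersion_v3_1_0
                 and certSettingsDict['useEllipticCurveCrypto'] == 'y'):
             nameTail = '_' + certSettingsDict['pkiTreeKeyCn'] + '_v3_usr_crt.pem'
         else:
             nameTail = '_' + str(certSettingsDict['pkiTreeKeyLen']) + '_65537_v3_usr_crt.pem'
         # Fix: the elliptic-curve branch used to append its suffix to
         # self.crtSrkCaPemFileList[i]. That left the CSF/IMG paths truncated
         # and corrupted the SRK CA certificate path that is later handed to
         # the SRK tool. The suffix now goes on the list being built here.
         self.crtCsfUsrPemFileList[i] = self.cstCrtsFolder + '\\' + 'CSF' + str(i + 1) + '_1_sha256' + nameTail
         self.crtImgUsrPemFileList[i] = self.cstCrtsFolder + '\\' + 'IMG' + str(i + 1) + '_1_sha256' + nameTail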
示例#3
 def genCertificate(self):
     """Run the HAB4 PKI tree batch script with arguments taken from the cert settings.

     The argument list depends on the selected CST version: v3.1.0 adds the
     elliptic-curve flag, v3.0.1 and v3.1.0 add the CA flag, and v2.3.3 /
     v3.0.1 always pass the key length as a number.
     """
     self.updateAllCstPathToCorrectVersion()
     certCfg = uivar.getAdvancedSettings(uidef.kAdvancedSettings_Cert)
     # Each piece carries its own leading space, so the joined string is
     # appended directly to the script name.
     argPieces = [' ' + certCfg['useExistingCaKey']]
     cstVer = certCfg['cstVersion']
     if cstVer == uidef.kCstVersion_v3_1_0:
         eccChoice = certCfg['useEllipticCurveCrypto']
         argPieces.append(' ' + eccChoice)
         if eccChoice == 'y':
             # Concatenated without str(), so in EC mode this setting must
             # already be a string.
             argPieces.append(' ' + certCfg['pkiTreeKeyLen'])
         elif eccChoice == 'n':
             argPieces.append(' ' + str(certCfg['pkiTreeKeyLen']))
     elif cstVer == uidef.kCstVersion_v2_3_3 or cstVer == uidef.kCstVersion_v3_0_1:
         argPieces.append(' ' + str(certCfg['pkiTreeKeyLen']))
     argPieces.append(' ' + str(certCfg['pkiTreeDuration']))
     argPieces.append(' ' + str(certCfg['SRKs']))
     if cstVer == uidef.kCstVersion_v3_0_1 or cstVer == uidef.kCstVersion_v3_1_0:
         argPieces.append(' ' + certCfg['caFlagSet'])
     # The batch script only works when launched from its own directory, so the
     # process working directory is switched first (and is not restored here).
     os.chdir(self.hab4PkiTreePath)
     # NOTE(review): the command is an unquoted string handed to the system
     # shell, so every settings value above must be validated where it is
     # entered (fixed choices / digits only). The exit status is discarded, so
     # the log line below is printed even if key generation failed.
     os.system(self.hab4PkiTreeName + ''.join(argPieces))
     self.printLog('Certificates are generated into these folders: ' +
                   self.cstKeysFolder + ' , ' + self.cstCrtsFolder)
示例#4
 def encrypteImageUsingFlexibleUserKeys(self):
     """Encrypt the bootable image with the flexible user keys, if the settings ask for it.

     Work is done only when the user-key command settings mark the image as
     a boot image ('1'); any other value leaves everything untouched.
     """
     keyCtrl, keyCmd = uivar.getAdvancedSettings(
         uidef.kAdvancedSettings_UserKeys)
     if keyCmd['is_boot_image'] != '1':
         return
     # Order matters: destination name, then batch file, then encryption,
     # then DEK file generation from the same settings.
     self._setDestAppFilenameForBee()
     self._updateEncBatfileContent(keyCtrl, keyCmd)
     self._encrypteBootableImage()
     self._genBeeDekFilesAndShow(keyCtrl, keyCmd)
示例#5
 def _setSrkFilenames( self ):
     """Derive the SRK table and SRK fuse file paths from the configured SRK count.

     Both names start with 'SRK' followed by '_1', '_2', ... up to the
     number of SRKs, and end in '_table.bin' / '_fuse.bin' respectively.
     """
     certCfg = uivar.getAdvancedSettings(uidef.kAdvancedSettings_Cert)
     # Same index run is shared by both filenames, e.g. '_1_2_3_4'.
     indexRun = ''.join('_' + str(i + 1) for i in range(certCfg['SRKs']))
     self.srkTableFilename = os.path.join(self.srkFolder, 'SRK' + indexRun + '_table.bin')
     self.srkFuseFilename = os.path.join(self.srkFolder, 'SRK' + indexRun + '_fuse.bin')
示例#6
 def updateAllCstPathToCorrectVersion( self ):
     """Re-point every CST-related path at the CST version chosen in the cert settings.

     When the configured version differs from the last one used, the old
     version string is replaced by the new one in each stored path, the new
     version is remembered, and the CST / OpenSSL binaries are copied again.
     """
     newVersion = uivar.getAdvancedSettings(uidef.kAdvancedSettings_Cert)['cstVersion']
     if self.lastCstVersion != newVersion:
         oldVersion = self.lastCstVersion
         # Plain substring replacement: every occurrence of the old version
         # text inside a path is rewritten, not only the CST folder component.
         for pathAttr in ('cstBinFolder',
                          'cstKeysFolder',
                          'cstCrtsFolder',
                          'hab4PkiTreePath',
                          'srktoolPath',
                          'cstBinToElftosbPath',
                          'cstCrtsToElftosbPath'):
             setattr(self, pathAttr, getattr(self, pathAttr).replace(oldVersion, newVersion))
         self.lastCstVersion = newVersion
         self._copyCstBinToElftosbFolder()
         self._copyOpensslBinToCstFolder()
示例#7
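 def burnBeeDekData ( self ):
     """Burn the BEE data-encryption key(s) into the SW_GP2 and/or GP4 fuse regions.

     The user-key settings decide which region's DEK file feeds which fuse
     bank. Each bank is written word by word, and only when the device
     reports it as blank; otherwise a message box explains that the fuses
     are program-once and nothing is written to that bank.
     """
     needToBurnSwGp2 = False
     needToBurnGp4 = False
     swgp2DekFilename = None
     gp4DekFilename = None
     userKeyCtrlDict, userKeyCmdDict = uivar.getAdvancedSettings(uidef.kAdvancedSettings_UserKeys)
     regionSel = userKeyCtrlDict['region_sel']
     # Region 1 is evaluated first; if both regions name the same fuse bank,
     # the region 0 assignment below overrides the DEK file chosen here.
     if regionSel == uidef.kUserRegionSel_Region1 or regionSel == uidef.kUserRegionSel_BothRegions:
         if userKeyCtrlDict['region1_key_src'] == uidef.kUserKeySource_SW_GP2:
             needToBurnSwGp2 = True
             swgp2DekFilename = self.beeDek1Filename
         elif userKeyCtrlDict['region1_key_src'] == uidef.kUserKeySource_GP4:
             needToBurnGp4 = True
             gp4DekFilename = self.beeDek1Filename
     if regionSel == uidef.kUserRegionSel_Region0 or regionSel == uidef.kUserRegionSel_BothRegions:
         if userKeyCtrlDict['region0_key_src'] == uidef.kUserKeySource_SW_GP2:
             needToBurnSwGp2 = True
             swgp2DekFilename = self.beeDek0Filename
         elif userKeyCtrlDict['region0_key_src'] == uidef.kUserKeySource_GP4:
             needToBurnGp4 = True
             gp4DekFilename = self.beeDek0Filename
     # Fix: floor division keeps the word count an int, so range() accepts it
     # on Python 3 as well (true division would yield a float there).
     keyWords = gendef.kSecKeyLengthInBits_DEK // 32
     if needToBurnSwGp2:
         if self._isDeviceFuseSwGp2RegionBlank():
             # NOTE(review): the result of each burn is not checked here, so a
             # failure part-way through would leave a partially written key;
             # confirm whether burnMcuDeviceFuseByBlhost reports errors itself.
             for i in range(keyWords):
                 val32 = self.getVal32FromBinFile(swgp2DekFilename, (i * 4))
                 self.burnMcuDeviceFuseByBlhost(fusedef.kEfuseIndex_SW_GP2_0 + i, val32)
         else:
             self.popupMsgBox('Fuse SW_GP2 Region has been burned, it is program-once!')
     if needToBurnGp4:
         if self._isDeviceFuseGp4RegionBlank():
             for i in range(keyWords):
                 val32 = self.getVal32FromBinFile(gp4DekFilename, (i * 4))
                 self.burnMcuDeviceFuseByBlhost(fusedef.kEfuseIndex_GP4_0 + i, val32)
         else:
             self.popupMsgBox('Fuse GP4 Region has been burned, it is program-once!')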
示例#8
 def _updateSrkBatfileContent( self ):
     """Write the batch file that invokes the SRK tool for the configured certificates.

     The command line names the SRK table and fuse output files, selects
     sha256 as the digest, and lists one SRK CA certificate per configured
     SRK, comma-separated.
     """
     self._setSrkFilenames()
     self._getCrtSrkCaPemFilenames()
     self._getCrtCsfImgUsrPemFilenames()
     certCfg = uivar.getAdvancedSettings(uidef.kAdvancedSettings_Cert)
     # NOTE(review): paths are only wrapped in double quotes; a path that
     # itself contains a double quote would break the quoting of this line.
     cmdLine = ''.join([
         "\"" + self.srktoolPath + "\"",
         " -h 4",
         " -t " + "\"" + self.srkTableFilename + "\"",
         " -e " + "\"" + self.srkFuseFilename + "\"",
         " -d sha256",
         " -c ",
         ','.join("\"" + self.crtSrkCaPemFileList[i] + "\"" for i in range(certCfg['SRKs'])),
         " -f 1",
     ])
     # NOTE(review): binary mode with a str payload works on Python 2; confirm
     # the target interpreter before reusing this on Python 3.
     with open(self.srkBatFilename, 'wb') as batFile:
         batFile.write(cmdLine)
示例#9
 def prepareForFixedOtpmkEncryption( self ):
     """Load the PRDB option block into device RAM and configure the boot device for OTPMK encryption.

     Writes the key option word followed by one (start, length) pair per
     encrypted region into RAM at ``rundef.kRamFreeSpaceStart_LoadPrdbOpt``,
     then issues configure-memory against that address. Returns ``False`` as
     soon as any blhost command reports a non-success status.
     NOTE(review): no explicit success value is returned in the lines visible
     here - confirm what callers expect on the success path.
     """
     self._prepareForBootDeviceOperation()
     self._showOtpmkDek()
     self._eraseFlexspiNorForImageLoading()
     otpmkKeyOpt, otpmkEncryptedRegionStart, otpmkEncryptedRegionLength = uivar.getAdvancedSettings(uidef.kAdvancedSettings_OtpmkKey)
     # Prepare PRDB options
     #---------------------------------------------------------------------------
     # 0xe0120000 is an option for PRDB construction and image encryption
     # bit[31:28] tag, fixed to 0x0E
     # bit[27:24] Key source, fixed to 0 for A0 silicon
     # bit[23:20] AES mode: 1 - CTR mode
     # bit[19:16] Encrypted region count
     # bit[15:00] reserved in A0
     #---------------------------------------------------------------------------
     encryptedRegionCnt = (otpmkKeyOpt & 0x000F0000) >> 16
     if encryptedRegionCnt == 0:
         # No region configured: fall back to a single region that starts at the
         # IVT inside FlexSPI NOR and spans the image size rounded up to the FAC
         # alignment unit, minus the IVT offset.
         otpmkKeyOpt = (otpmkKeyOpt & 0xFFF0FFFF) | (0x1 << 16)
         encryptedRegionCnt = 1
         # These item assignments modify the sequences returned by
         # getAdvancedSettings in place.
         # NOTE(review): confirm whether those are shared settings objects.
         otpmkEncryptedRegionStart[0] = rundef.kBootDeviceMemBase_FlexspiNor + gendef.kIvtOffset_NOR
         otpmkEncryptedRegionLength[0] = misc.align_up(os.path.getsize(self.destAppFilename), gendef.kSecFacRegionAlignedUnit) - gendef.kIvtOffset_NOR
     else:
         pass
     # Word 0 of the option block: the key option itself.
     status, results, cmdStr = self.blhost.fillMemory(rundef.kRamFreeSpaceStart_LoadPrdbOpt, 0x4, otpmkKeyOpt)
     self.printLog(cmdStr)
     if status != boot.status.kStatus_Success:
         return False
     # Each region occupies 8 bytes after the option word: start at +4, length at +8.
     for i in range(encryptedRegionCnt):
         status, results, cmdStr = self.blhost.fillMemory(rundef.kRamFreeSpaceStart_LoadPrdbOpt + i * 8 + 4, 0x4, otpmkEncryptedRegionStart[i])
         self.printLog(cmdStr)
         if status != boot.status.kStatus_Success:
             return False
         status, results, cmdStr = self.blhost.fillMemory(rundef.kRamFreeSpaceStart_LoadPrdbOpt + i * 8 + 8, 0x4, otpmkEncryptedRegionLength[i])
         self.printLog(cmdStr)
         if status != boot.status.kStatus_Success:
             return False
     # Hand the assembled option block to the boot device via configure-memory.
     status, results, cmdStr = self.blhost.configureMemory(self.bootDeviceMemId, rundef.kRamFreeSpaceStart_LoadPrdbOpt)
     self.printLog(cmdStr)
     if status != boot.status.kStatus_Success:
         return False
     self._programFlexspiNorConfigBlock()