authorBill Richardson <wfrichar@chromium.org>2015-02-20 16:51:59 -0800
committerChromeOS Commit Bot <chromeos-commit-bot@chromium.org>2015-02-25 08:44:58 +0000
commitdd9c1447ac2625e8f78af07bb88a417b908ab34b (patch)
tree0768b0de50fc1eb33d4a4c9988d133a5f6573e3b
parent8a94ea4fbd7ef283af35ec5aa472a819f5a2a337 (diff)
cr50: enable signed RW images
This signs the RW firmware (with a non-secret key). The RO firmware will verify the RW firmware and jump to it if it's good. Note that this isn't the final solution, just the beginning. BUG=chrome-os-partner:37071 BRANCH=none TEST=manual Build and install it. You'll see something like this: --- UART initialized after reboot --- [Reset cause: reset-pin hard] [Image: RO, cr50_v1.1.2929-27e1b82-dirty 2015-02-24 14:36:29 wfrichar@wfrichar-glaptop] [0.000444 Verifying RW image...] [0.423742 RW image verified] [0.423946 Jumping to image RW[0.428492 UART initialized after sysjump] [Image: RW, cr50_v1.1.2929-27e1b82-dirty 2015-02-24 14:36:29 wfrichar@wfrichar-glaptop] [0.428931 Inits done] Console is enabled; type HELP for help. > > sysinfo Reset flags: 0x00000c02 (reset-pin sysjump hard) Copy: RW Jumped: yes Flags: unlocked > Change-Id: Icafa554baca135ff1f80cbce4dad5f980e7fc122 Signed-off-by: Bill Richardson <wfrichar@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/253081 Reviewed-by: Randall Spangler <rspangler@chromium.org>
-rw-r--r--Makefile3
-rw-r--r--Makefile.rules7
-rw-r--r--board/cr50/board.h5
-rw-r--r--board/cr50/dev_key.pem27
-rw-r--r--chip/g/config_chip.h13
-rw-r--r--common/rwsig.c7
6 files changed, 53 insertions, 9 deletions
diff --git a/Makefile b/Makefile
index d2cbd9a148..5689872a4e 100644
--- a/Makefile
+++ b/Makefile
@@ -99,6 +99,9 @@ _rw_off:=$(shell echo "$$(($(_rw_off_str)))")
_rw_size_str:=$(shell echo "CONFIG_FW_RW_SIZE" | $(CPP) $(CPPFLAGS) -P \
-Ichip/$(CHIP) -Iboard/$(BOARD) -imacros include/config.h)
_rw_size:=$(shell echo "$$(($(_rw_size_str)))")
+_flash_base_str:=$(shell echo "CONFIG_FLASH_BASE" | $(CPP) $(CPPFLAGS) -P \
+ -Ichip/$(CHIP) -Iboard/$(BOARD) -imacros include/config.h)
+_flash_base:=$(shell echo "$$(($(_flash_base_str)))")
# Get RSA key size from board defines
_rsa_size:=$(shell echo "CONFIG_RSA_KEY_SIZE" | $(CPP) $(CPPFLAGS) -P \
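Review bot: `_flash_base` has no check that the preprocessor actually expanded the macro: if `CONFIG_FLASH_BASE` is undefined for a board, `_flash_base_str` stays the literal name and the shell arithmetic on the following line most likely evaluates it to 0 instead of failing. The .hex would then be generated at the wrong load address with no diagnostic. A guard right after the assignment would catch it, e.g. `ifeq ($(strip $(_flash_base_str)),CONFIG_FLASH_BASE)` / `$(error CONFIG_FLASH_BASE is not defined for $(BOARD))` / `endif` (or `$(warning …)` if some boards legitimately lack the macro). The `_rw_off`/`_rw_size` lines this copies have the same gap, and they start outside this hunk.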
diff --git a/Makefile.rules b/Makefile.rules
index 80ac99d9b3..0576035c7a 100644
--- a/Makefile.rules
+++ b/Makefile.rules
@@ -42,7 +42,8 @@ cmd_flat_to_obj = $(CC) -T $(out)/firmware_image.lds -nostdlib $(CPPFLAGS) \
cmd_elf_to_flat = $(OBJCOPY) -O binary $^ $@
cmd_elf_to_dis = $(OBJDUMP) -D $< > $@
cmd_elf_to_hex = $(OBJCOPY) -O ihex $^ $@
-cmd_obj_to_hex = $(OBJCOPY) -O ihex $^ $@
+cmd_bin_to_hex = $(OBJCOPY) -I binary -O ihex \
+ --change-addresses $(_flash_base) $^ $@
cmd_elf = $(LD) $(objs) $(LDFLAGS) -o $@ -T $< -Map $(out)/$*.map
cmd_exe = $(CC) $(objs) $(HOST_TEST_LDFLAGS) -o $@
cmd_c_to_o = $(CC) $(CFLAGS) -MMD -MF $@.d -c $< -o $@
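Review bot: `cmd_bin_to_hex` passes `$(_flash_base)` as a separate word after `--change-addresses`, so if that variable ever expands empty objcopy will consume the input file name as the address and fail with a misleading message. `_flash_base` is assigned in Makefile, not in this file, so the command silently depends on include order. I would also use `$<` in place of `$^`, since the conversion only makes sense for a single input: `--change-addresses $(_flash_base) $< $@`. A comment on the definition such as `# _flash_base is computed in Makefile from CONFIG_FLASH_BASE` would make the dependency visible.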
@@ -178,8 +179,8 @@ $(out)/%.flat: $(out)/%.elf
$(out)/%.hex: $(out)/%.elf
$(call quiet,elf_to_hex,OBJCOPY)
-$(out)/$(PROJECT).hex: $(out)/$(PROJECT).obj
- $(call quiet,obj_to_hex,OBJCOPY)
+$(out)/$(PROJECT).hex: $(out)/$(PROJECT).bin
+ $(call quiet,bin_to_hex,OBJCOPY)
$(out)/%.elf: $(out)/%.lds $(objs)
$(call quiet,elf,LD )
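Review bot: The explicit `$(out)/$(PROJECT).hex` rule has no comment saying why it overrides the `$(out)/%.hex: $(out)/%.elf` pattern rule directly above it. After this change the project hex is derived from the .bin while every other hex still comes from an .elf, which a reader will not expect. A one-line comment would do, e.g. `# The project .hex is built from the final .bin rather than an .elf; cmd_bin_to_hex supplies the load address`. Presumably the .bin is used because it is the image that carries the signature; confirm that and say so in the comment.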
diff --git a/board/cr50/board.h b/board/cr50/board.h
index dff77271b8..e03544c8d5 100644
--- a/board/cr50/board.h
+++ b/board/cr50/board.h
@@ -21,6 +21,11 @@
*/
#define CONFIG_SYSTEM_UNLOCKED
+/* Not using software sync, so verify RW signature instead */
+#define CONFIG_RWSIG
+#define CONFIG_RSA
+#define CONFIG_SHA256
+
#ifndef __ASSEMBLER__
#include "gpio_signal.h"
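Review bot: The comment on the new `CONFIG_RWSIG` block does not say that this verification is not yet a security boundary. `CONFIG_SYSTEM_UNLOCKED` is still defined on the line just above, the signing key added in this commit is public, and the failure path in common/rwsig.c appears to restrict anything only when `system_is_locked()` is true. I would extend the comment to something like `/* Not using software sync, so verify RW signature instead. Dev key + CONFIG_SYSTEM_UNLOCKED: integrity check only, not secure boot yet. */` so that nobody copies this board config as a hardened baseline.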
diff --git a/board/cr50/dev_key.pem b/board/cr50/dev_key.pem
new file mode 100644
index 0000000000..6f15b80652
--- /dev/null
+++ b/board/cr50/dev_key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
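Review bot: A private key is added to the tree with nothing beside it that marks it as development-only; the only statement that it is non-secret is in the commit message. Any RO image that embeds the matching public key will accept an RW image signed by anyone with a checkout, so that constraint should be recorded next to the file. I would add a short note in the board directory, for example `dev_key.pem is a public development key; production RO firmware must never trust it`. If the build selects the key by a fixed path (not visible in this diff), making that path overridable would keep release builds from being tied to this file.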
diff --git a/chip/g/config_chip.h b/chip/g/config_chip.h
index f8afe9643e..7a3fcb65df 100644
--- a/chip/g/config_chip.h
+++ b/chip/g/config_chip.h
@@ -15,14 +15,19 @@
#define CONFIG_RAM_BASE 0x10000
#define CONFIG_RAM_SIZE 0x8000
-/* Describe the flash layout */
-#define CONFIG_FLASH_BASE 0x40000
-#define CONFIG_FLASH_PHYSICAL_SIZE (512 * 1024)
-/* flash chip specifics */
+/* Flash chip specifics */
/* TODO(crosbug.com/p/33815): These are probably wrong. Don't use them yet. */
#define CONFIG_FLASH_BANK_SIZE 0x00000800 /* protect bank size */
#define CONFIG_FLASH_ERASE_SIZE 0x00000400 /* erase bank size */
#define CONFIG_FLASH_WRITE_SIZE 0x00000004 /* minimum write size */
+
+/* Describe the flash layout */
+#define CONFIG_FLASH_BASE 0x40000
+/* TODO(wfrichar): Lying about this, so image signing works.
+ * I'll file a bug once this CL goes in. */
+/* #define CONFIG_FLASH_PHYSICAL_SIZE (512 * 1024) */
+#define CONFIG_FLASH_PHYSICAL_SIZE (256 * 1024)
+
/* Size of one firmware image in flash */
#define CONFIG_FW_IMAGE_SIZE (128 * 1024)
/* Compute the rest of the flash params from these */
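Review bot: `CONFIG_FLASH_PHYSICAL_SIZE` now reports half of the real part, and the TODO explaining it carries no bug number while the true value is left behind as a commented-out define. Any code that derives bounds or protection ranges from this macro would cover only the first 256 KiB; whether such code is active for this chip is not visible in the hunk. I would drop the dead define and record the real size in the comment with a tracking id, e.g. `/* TODO(<bug id>): part is 512 KiB; reported as 256 KiB so image signing works. */`.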
diff --git a/common/rwsig.c b/common/rwsig.c
index 2065a3d215..6b90c6cd87 100644
--- a/common/rwsig.c
+++ b/common/rwsig.c
@@ -47,6 +47,8 @@ void check_rw_signature(void)
if (*rw_rst == 0xffffffff)
return;
+ CPRINTS("Verifying RW image...");
+
/* Large buffer for RSA computation : could be re-use afterwards... */
res = shared_mem_acquire(3 * RSANUMBYTES, (char **)&rsa_workbuf);
if (res) {
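Review bot: The new "Verifying RW image..." message is printed only after the erased-flash early return, so when `*rw_rst == 0xffffffff` the function returns with no log line in the visible code and the console gives no hint why the device stayed in RO. Since this commit is adding boot-path logging, I would log that case as well, e.g. `CPRINTS("No RW image present");` immediately before the `return;`. check_rw_signature() starts and ends outside this hunk, so a message emitted by the caller cannot be ruled out.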
@@ -59,13 +61,14 @@ void check_rw_signature(void)
SHA256_update(&ctx, (void *)CONFIG_FLASH_BASE + CONFIG_FW_RW_OFF,
CONFIG_FW_RW_SIZE - RSANUMBYTES);
hash = SHA256_final(&ctx);
+
good = rsa_verify(&pkey, (void *)rw_sig, (void *)hash, rsa_workbuf);
if (good) {
- CPRINTS("RW image verified\n");
+ CPRINTS("RW image verified");
/* Jump to the RW firmware */
system_run_image_copy(SYSTEM_IMAGE_RW);
} else {
- CPRINTS("RSA verify FAILED\n");
+ CPRINTS("RSA verify FAILED");
pd_log_event(PD_EVENT_ACC_RW_FAIL, 0, 0, NULL);
/* RW firmware is invalid : do not jump there */
if (system_is_locked())