broadcom/cygnus: add secimage and sign bootblock

secimage is a tool which adds a header and signature to the binary first loaded by the soc. ARM core frequency is set to 1 Ghz. BUG=chrome-os-partner:36421 BRANCH=broadcom-firmware TEST=booted b0 board Change-Id: Ia08600d45c47ee4f08d253980036916e44b0044a Signed-off-by: Patrick Georgi <pgeorgi@chromium.org> Original-Commit-Id: 36284d1b242c26b0b5aac2894f7ed1790da1ef15 Original-Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org> Original-Reviewed-on: https://chrome-internal-review.googlesource.com/197155 Original-Reviewed-by: Scott Branden <sbranden@broadcom.com> Original-Reviewed-by: Julius Werner <jwerner@chromium.org> Original-Commit-Queue: Daisuke Nojiri <dnojiri@google.com> Original-Tested-by: Daisuke Nojiri <dnojiri@google.com> Original-Change-Id: Iaddd24006b368c8f37e075cb51e151e985029f3b Original-Reviewed-on: https://chromium-review.googlesource.com/264417 Reviewed-on: http://review.coreboot.org/9914 Tested-by: build bot (Jenkins) Reviewed-by: Stefan Reinauer <stefan.reinauer@coreboot.org>
2015-02-09 18:15:17 -08:00
parent cb6bb3bc47
commit e1741c512c
12 changed files with 679 additions and 2 deletions
--- a/util/broadcom/secimage/crypto.c
+++ b/util/broadcom/secimage/crypto.c
@ -0,0 +1,75 @@
+/*
+ * Copyright (C) 2015 Broadcom Corporation
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation version 2.
+ *
+ * This program is distributed "as is" WITHOUT ANY WARRANTY of any
+ * kind, whether express or implied; without even the implied warranty
+ * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ */
+
+
+#include <stdio.h>
+#include <string.h>
+#include <stdint.h>
+#include "secimage.h"
+#include <openssl/hmac.h>
+
+
+/*----------------------------------------------------------------------
+ * Name    : HmacSha256Hash
+ * Purpose :
+ * Input   : none
+ * Output  : none
+ *---------------------------------------------------------------------*/
+int HmacSha256Hash(uint8_t *data, uint32_t len, uint8_t *hash, uint8_t *key)
+{
+	HMAC_CTX hctx;
+
+	HMAC_CTX_init(&hctx);
+	HMAC_Init_ex(&hctx, key, 32, EVP_sha256(), NULL);
+
+	/*
+	 * FIXME: why we need this? NULL means to use whatever there is?
+	 * if removed, result is different
+	 */
+	HMAC_Init_ex(&hctx, NULL, 0, NULL, NULL);
+	HMAC_Update(&hctx, data, len);
+	HMAC_Final(&hctx, hash, NULL);
+
+	HMAC_CTX_cleanup(&hctx);
+	return 0;
+}
+
+
+/*----------------------------------------------------------------------
+ * Name    : AppendHMACSignature
+ * Purpose : Appends HMAC signature at the end of the data
+ *---------------------------------------------------------------------*/
+int AppendHMACSignature(uint8_t *data, uint32_t length, char *filename,
+			uint32_t offset)
+{
+	uint8_t  hmackey[32];
+	uint32_t len;
+	uint32_t status;
+	uint8_t *digest = data + length;
+
+	len = ReadBinaryFile(filename, hmackey, 32);
+	if (len != 32) {
+		printf("Error reading hmac key file\n");
+		return 0;
+	}
+
+	status = HmacSha256Hash(&data[offset], length - offset, digest,
+				hmackey);
+
+	if (status) {
+		printf("HMAC-SHA256 hash error\n");
+		return 0;
+	}
+
+	return 32;
+}