tools/iot2050-sign-fw.sh

   1 #!/bin/sh
   2
   3 if [ -z "$1" ]; then
   4         echo "Usage: $0 KEY"
   5         exit 1
   6 fi
   7
   8 TEMP_X509=$(mktemp XXXXXXXX.temp)
   9
  10 REVISION=${2:-0}
  11 SHA_VAL=$(openssl dgst -sha512 -hex tispl.bin | sed -e "s/^.*= //g")
  12 BIN_SIZE=$(stat -c %s tispl.bin)
  13
  14 cat <<EOF >$TEMP_X509
  15 [ req ]
  16 distinguished_name     = req_distinguished_name
  17 x509_extensions        = v3_ca
  18 prompt                 = no
  19 dirstring_type         = nobmp
  20
  21 [ req_distinguished_name ]
  22 CN                     = IOT2050 Firmware Signature
  23
  24 [ v3_ca ]
  25 basicConstraints       = CA:true
  26 1.3.6.1.4.1.294.1.3    = ASN1:SEQUENCE:swrv
  27 1.3.6.1.4.1.294.1.34   = ASN1:SEQUENCE:sysfw_image_integrity
  28
  29 [ swrv ]
  30 swrv = INTEGER:$REVISION
  31
  32 [ sysfw_image_integrity ]
  33 shaType                = OID:2.16.840.1.101.3.4.2.3
  34 shaValue               = FORMAT:HEX,OCT:$SHA_VAL
  35 imageSize              = INTEGER:$BIN_SIZE
  36 EOF
  37
  38 CERT_X509=$(mktemp XXXXXXXX.crt)
  39
  40 openssl req -new -x509 -key $1 -nodes -outform DER -out $CERT_X509 -config $TEMP_X509 -sha512
  41 cat $CERT_X509 tispl.bin > tispl.bin_signed
  42 # currently broken in upstream
  43 #source/tools/binman/binman replace -i flash.bin -f tispl.bin_signed blob@0x180000
  44 dd if=tispl.bin_signed of=flash.bin bs=$((0x1000)) seek=$((0x180000/0x1000)) conv=notrunc
  45
  46 rm $TEMP_X509 $CERT_X509
  47
  48 tools/mkimage -G $1 -r -o sha256,rsa4096 -F fit@0x380000.fit
  49 # currently broken in upstream
  50 #source/tools/binman/binman replace -i flash.bin -f fit@0x380000.fit fit@0x380000
  51 dd if=fit@0x380000.fit of=flash.bin bs=$((0x1000)) seek=$((0x380000/0x1000)) conv=notrunc