diff options
| author | Bryan Brattlof <[email protected]> | 2025-06-02 16:56:52 -0500 |
|---|---|---|
| committer | Tom Rini <[email protected]> | 2025-06-25 13:43:34 -0600 |
| commit | e18472f1dee609b2ee8a492985bf77a5012e4d01 (patch) | |
| tree | 20a1251986df325c133f50999416971ba17f4758 /tools/binman/btool | |
| parent | f35f053755f98e077389517f80ad7da81b031787 (diff) | |
binman: openssl: disable JTAG access by default
Typically boards operating in production environments will not be
monitored and so will not need JTAG access unlocked. Disable the debug
extension by default (set debugType = 0) unless we add the 'debug'
property in the binman configs.
Acked-by: Andrew Davis <[email protected]>
Signed-off-by: Bryan Brattlof <[email protected]>
Diffstat (limited to 'tools/binman/btool')
| -rw-r--r-- | tools/binman/btool/openssl.py | 16 |
1 files changed, 12 insertions, 4 deletions
diff --git a/tools/binman/btool/openssl.py b/tools/binman/btool/openssl.py index c6df64c5316..b26f087c447 100644 --- a/tools/binman/btool/openssl.py +++ b/tools/binman/btool/openssl.py @@ -153,7 +153,7 @@ numFirewallRegions = INTEGER:{firewall_cert_data['num_firewalls']} def x509_cert_rom(self, cert_fname, input_fname, key_fname, sw_rev, config_fname, req_dist_name_dict, cert_type, bootcore, - bootcore_opts, load_addr, sha): + bootcore_opts, load_addr, sha, debug): """Create a certificate Args: @@ -221,9 +221,13 @@ emailAddress = {req_dist_name_dict['emailAddress']} # iterationCnt = INTEGER:TEST_IMAGE_KEY_DERIVE_INDEX # salt = FORMAT:HEX,OCT:TEST_IMAGE_KEY_DERIVE_SALT + # When debugging low level boot firmware it can be useful to have ROM or TIFS + # unlock JTAG access to the misbehaving CPUs. However in a production setting + # this can lead to code modification by outside parties after it's been + # authenticated. To gain JTAG access add the 'debug' flag to the binman config [ debug ] debugUID = FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000 - debugType = INTEGER:4 + debugType = INTEGER:{ "4" if debug else "0" } coreDbgEn = INTEGER:0 coreDbgSecEn = INTEGER:0 ''', file=outf) @@ -238,7 +242,7 @@ emailAddress = {req_dist_name_dict['emailAddress']} imagesize_sbl, hashval_sbl, load_addr_sysfw, imagesize_sysfw, hashval_sysfw, load_addr_sysfw_data, imagesize_sysfw_data, hashval_sysfw_data, sysfw_inner_cert_ext_boot_block, - dm_data_ext_boot_block, bootcore_opts): + dm_data_ext_boot_block, bootcore_opts, debug): """Create a certificate Args: @@ -324,9 +328,13 @@ compSize = INTEGER:{imagesize_sysfw_data} shaType = OID:{sha_type} shaValue = FORMAT:HEX,OCT:{hashval_sysfw_data} +# When debugging low level boot firmware it can be useful to have ROM or TIFS +# unlock JTAG access to the misbehaving CPUs. However in a production setting +# this can lead to code modification by outside parties after it's been +# authenticated. To gain JTAG access add the 'debug' flag to the binman config [ debug ] debugUID = FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000 -debugType = INTEGER:4 +debugType = INTEGER:{ "4" if debug else "0" } coreDbgEn = INTEGER:0 coreDbgSecEn = INTEGER:0 |