authorTom Rini <[email protected]>2023-03-29 21:52:28 -0400
committerTom Rini <[email protected]>2023-03-29 21:52:28 -0400
commitd2ced50c4a03ae8e2953dfbb18ac163187db9aae (patch)
treef86fee80f3708d7fbbe2f8db8b4757c9049696e6 /tools
parent654483d251275d61eb5f93c18e320ad7d6bfcc5d (diff)
parent10e5fe32f0f54cac1a62c8b964839318d7aa7f1d (diff)
Merge branch '2023-03-29-assorted-platform-updates' into next
- Assorted TI, Apple M1, and mpc83xx improvements / cleanups.
Diffstat (limited to 'tools')
-rw-r--r--tools/binman/missing-blob-help16
-rwxr-xr-xtools/iot2050-sign-fw.sh51
-rwxr-xr-xtools/key2dtsi.py64
3 files changed, 124 insertions, 7 deletions
diff --git a/tools/binman/missing-blob-help b/tools/binman/missing-blob-help
index f3a44d08acc..f013367ac36 100644
--- a/tools/binman/missing-blob-help
+++ b/tools/binman/missing-blob-help
@@ -21,13 +21,15 @@ Please read the section on SCP firmware in board/sunxi/README.sunxi64
iot2050-seboot:
See the documentation for IOT2050 board. Your image is missing SEBoot
which is mandatory for board startup. Prebuilt SEBoot located at
-meta-iot2050/tree/master/recipes-bsp/u-boot/files/prebuild/tiboot3.bin.
-
-iot2050-sysfw:
-See the documentation for IOT2050 board. Your image is missing system
-firmware which is mandatory for board startup. Prebuilt system firmware
-located at meta-iot2050/tree/master/recipes-bsp/u-boot/files/prebuild/
-with sysfw prefix.
+meta-iot2050/tree/master/recipes-bsp/u-boot/files/prebuild/seboot_pg*.bin.
+
+iot2050-otpcmd:
+See the documentation for IOT2050 board. Your image is missing OTP command data
+block which is used for provisioning the customer keys to the board.
+Please refer to
+meta-iot2050/tree/master/recipes-bsp/secure-boot-otp-provisioning/files/make-otpcmd.sh
+for how to generate this binary. If you are not using secure boot or do not
+intend to provision the keys, disable CONFIG_IOT2050_EMBED_OTPCMD.
k3-rti-wdt-firmware:
If CONFIG_WDT_K3_RTI_LOAD_FW is enabled, a firmware image is needed for
diff --git a/tools/iot2050-sign-fw.sh b/tools/iot2050-sign-fw.sh
new file mode 100755
index 00000000000..4d1d79498c2
--- /dev/null
+++ b/tools/iot2050-sign-fw.sh
@@ -0,0 +1,51 @@
+#!/bin/sh
+
+if [ -z "$1" ]; then
+ echo "Usage: $0 KEY"
+ exit 1
+fi
+
+TEMP_X509=$(mktemp XXXXXXXX.temp)
+
+REVISION=${2:-0}
+SHA_VAL=$(openssl dgst -sha512 -hex tispl.bin | sed -e "s/^.*= //g")
+BIN_SIZE=$(stat -c %s tispl.bin)
+
+cat <<EOF >$TEMP_X509
+[ req ]
+distinguished_name = req_distinguished_name
+x509_extensions = v3_ca
+prompt = no
+dirstring_type = nobmp
+
+[ req_distinguished_name ]
+CN = IOT2050 Firmware Signature
+
+[ v3_ca ]
+basicConstraints = CA:true
+1.3.6.1.4.1.294.1.3 = ASN1:SEQUENCE:swrv
+1.3.6.1.4.1.294.1.34 = ASN1:SEQUENCE:sysfw_image_integrity
+
+[ swrv ]
+swrv = INTEGER:$REVISION
+
+[ sysfw_image_integrity ]
+shaType = OID:2.16.840.1.101.3.4.2.3
+shaValue = FORMAT:HEX,OCT:$SHA_VAL
+imageSize = INTEGER:$BIN_SIZE
+EOF
+
+CERT_X509=$(mktemp XXXXXXXX.crt)
+
+openssl req -new -x509 -key $1 -nodes -outform DER -out $CERT_X509 -config $TEMP_X509 -sha512
+cat $CERT_X509 tispl.bin > tispl.bin_signed
+# currently broken in upstream
+#source/tools/binman/binman replace -i flash.bin -f tispl.bin_signed blob@0x180000
+dd if=tispl.bin_signed of=flash.bin bs=$((0x1000)) seek=$((0x180000/0x1000)) conv=notrunc
+
+rm $TEMP_X509 $CERT_X509
+
+tools/mkimage -G $1 -r -o sha256,rsa4096 -F [email protected]
+# currently broken in upstream
+#source/tools/binman/binman replace -i flash.bin -f [email protected] fit@0x380000
+dd [email protected] of=flash.bin bs=$((0x1000)) seek=$((0x380000/0x1000)) conv=notrunc
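Review bot: The script has no `set -e`, so a failing `openssl req` (for example an unreadable or wrong-format key) still falls through to `cat $CERT_X509 tispl.bin > tispl.bin_signed` and the `dd` into flash.bin. Because `mktemp` has already created an empty certificate file, the result is an image with no certificate prepended and no error exit. Adding `set -e` right after the shebang, and quoting the key path as `-key "$1"` and `-G "$1"`, would make the failure visible and keep key paths containing spaces working. The two `mktemp` files are created in the current directory and removed only on the success path; `trap 'rm -f "$TEMP_X509" "$CERT_X509"' EXIT` would cover the error path as well.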
diff --git a/tools/key2dtsi.py b/tools/key2dtsi.py
new file mode 100755
index 00000000000..1dbb2cc94bf
--- /dev/null
+++ b/tools/key2dtsi.py
@@ -0,0 +1,64 @@
+#!/usr/bin/env python3
+# SPDX-License-Identifier: GPL-2.0-only
+#
+# Public key to dtsi converter.
+#
+# Copyright (c) Siemens AG, 2022
+#
+
+from argparse import ArgumentParser, FileType
+from os.path import basename, splitext
+from Cryptodome.PublicKey import RSA
+from Cryptodome.Util.number import inverse
+
+def int_to_bytestr(n, length=None):
+ if not length:
+ length = (n.bit_length() + 7) // 8
+ byte_array = n.to_bytes(length, 'big')
+ return ' '.join(['{:02x}'.format(byte) for byte in byte_array])
+
+ap = ArgumentParser(description='Public key to dtsi converter')
+
+ap.add_argument('--hash', '-H', default='sha256',
+ help='hash to be used with key (default: sha256)')
+ap.add_argument('--required-conf', '-c', action='store_true',
+ help='mark key required for configuration')
+ap.add_argument('--required-image', '-i', action='store_true',
+ help='mark key required for image')
+ap.add_argument('--spl', '-s', action='store_true',
+ help='mark key for usage in SPL')
+ap.add_argument('key_file', metavar='KEY_FILE', type=FileType('r'),
+ help='key file (formats: X.509, PKCS#1, OpenSSH)')
+ap.add_argument('dtsi_file', metavar='DTSI_FILE', type=FileType('w'),
+ help='dtsi output file')
+
+args = ap.parse_args()
+
+key_name, _ = splitext(basename(args.key_file.name))
+
+key_data = args.key_file.read()
+key = RSA.importKey(key_data)
+
+r_squared = (2**key.size_in_bits())**2 % key.n
+n0_inverse = 2**32 - inverse(key.n, 2**32)
+
+out = args.dtsi_file
+out.write('/ {\n')
+out.write('\tsignature {\n')
+out.write('\t\tkey-{} {{\n'.format(key_name))
+out.write('\t\t\tkey-name-hint = "{}";\n'.format(key_name))
+out.write('\t\t\talgo = "{},rsa{}";\n'.format(args.hash, key.size_in_bits()))
+out.write('\t\t\trsa,num-bits = <{}>;\n'.format(key.size_in_bits()))
+out.write('\t\t\trsa,modulus = [{}];\n'.format(int_to_bytestr(key.n)))
+out.write('\t\t\trsa,exponent = [{}];\n'.format(int_to_bytestr(key.e, 8)))
+out.write('\t\t\trsa,r-squared = [{}];\n'.format(int_to_bytestr(r_squared)))
+out.write('\t\t\trsa,n0-inverse = <0x{:x}>;\n'.format(n0_inverse))
+if args.required_conf:
+ out.write('\t\t\trequired = "conf";\n')
+elif args.required_image:
+ out.write('\t\t\trequired = "image";\n')
+if args.spl:
+ out.write('\t\t\tu-boot,dm-spl;\n')
+out.write('\t\t};\n')
+out.write('\t};\n')
+out.write('};\n')
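Review bot: `--required-conf` and `--required-image` are handled with `if`/`elif` near the end of the file, so passing both writes only `required = "conf"` and silently drops the image requirement. Registering the two options on `grp = ap.add_mutually_exclusive_group()` with `grp.add_argument(...)` instead of `ap.add_argument(...)` would turn that combination into a usage error. Separately, `args.hash` and the `key_name` derived from the key file's name are written into the dtsi verbatim; a `choices=` list on `--hash` and a check that `key_name` contains only characters valid in a device-tree node name would reject output that cannot match at verification time. The `--required-*` help strings could also say what omitting both flags means, since U-Boot's FIT verification appears to enforce only keys marked `required` (worth confirming against the signature documentation).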