/socsec

Primary LanguagePythonMIT LicenseMIT

ASPEED Secure Boot

ASPEED BMC support root of trust (RoT) measurement. The following chapters will introduce the secure image generation tool socsec and otp image generation tool otptool.

SOCSEC

This tool is used to generate RoT image.

Usage

Setting Up

sudo apt-get install python3 python3-pip python3-virtualenv
virtualenv .venv
source .venv/bin/activate
pip3 install -r requirements.txt
python3 setup.py install

Key Generation

  • RSA private key
openssl genrsa -out rsa_key.pem 4096
  • RSA public key
openssl rsa -in rsa_key.pem -pubout -out rsa_key-public.pem
  • ECDSA private key
openssl ecparam -name secp384r1 -genkey -out ecdsa_key.pem
  • ECDSA public key
openssl ec -in ecdsa_key.pem -pubout -out ecdsa_key-public.pem
  • AES key
openssl rand 32 > aes_key.bin

How to use

  • RoT image generating command
usage: socsec make_secure_bl1_image [-h] [--soc SOC] [--bl1_image BL1_IMAGE]
                                    [--stack_intersects_verification_region {true,false}]
                                    [--header_offset HEADER_OFFSET]
                                    [--rsa_sign_key RSA_SIGN_KEY]
                                    [--ecdsa_sign_key ECDSA_SIGN_KEY]
                                    [--rsa_key_order ORDER]
                                    [--gcm_aes_key GCM_AES_KEY]
                                    [--output OUTPUT] [--algorithm ALGORITHM]
                                    [--rsa_padding PADDING]
                                    [--revision_id REVISION_ID]
                                    [--signing_helper [APP]]
                                    [--signing_helper_with_files [APP]]
                                    [--enc_offset ENC_OFFSET]
                                    [--aes_key [AES_KEY]] [--key_in_otp]
                                    [--rsa_aes [RSA_AES]]
                                    [--flash_patch_offset FLASH_PATCH_OFFSET]
                                    [--cot_algorithm [ALGORITHM]]
                                    [--cot_verify_key [COT_VERIFY_KEY] |
                                    --cot_digest COT_DIGEST]

optional arguments:
  -h, --help            show this help message and exit
  --soc SOC             soc id (e.g. 2600, 1030, 1060)
  --bl1_image BL1_IMAGE
                        Bootloader 1 Image (e.g. u-boot-spl.bin), which will
                        be verified by soc
  --stack_intersects_verification_region {true,false}
                        By default, the maximum size of SPL images socsec will
                        sign is 60KB, since, historically, the SoCs have been
                        using the top of the SRAM for the SPL execution stack.
                        However, on 2600 (A1) and above SoCs, an additional
                        24KB SRAM can be used for the stack, allowing the
                        verification region to occupy the entire 64KB
                        (including signature). For these models of boards,
                        this layout will also be the default in future SDK
                        releases. Use this parameter to explicitly indicate
                        that the SPL image being signed has (=true) or has not
                        (=false) the SPL stack overlapping the 64KB
                        verification region. With this argument set to
                        'false', socsec will sign SPL images up towards 64KB
                        (including 512B signature)
  --header_offset HEADER_OFFSET
                        RoT header offset
  --rsa_sign_key RSA_SIGN_KEY
                        Path to RSA private key file, which will use to sign
                        BL1_IMAGE
  --ecdsa_sign_key ECDSA_SIGN_KEY
                        Path to ECDSA private key file, which will use to sign
                        BL1_IMAGE
  --rsa_key_order ORDER
                        This value the OTP setting(e.g. little, big), default
                        value is "little". If RSA padding mode is PSS,
                        rsa_key_order will be big endian
  --gcm_aes_key GCM_AES_KEY
                        Path to aes private key file, which will use to sign
                        BL1_IMAGE
  --output OUTPUT       Output file name
  --algorithm ALGORITHM
                        Algorithm to use (default: NONE e.g. AES_GCM,
                        AES_RSA2048_SHA256, RSA2048_SHA256, ...), RSA algo
                        support RSA1024, RSA2048, RSA3072 and RSA4096, HASH
                        algo support SHA224, SHA256, SHA384 and SHA512
  --rsa_padding PADDING
                        Algorithm to use (default: pkcs1 e.g. pkcs1, pss), RSA
                        support pkcs1 padding or pss padding
  --revision_id REVISION_ID
                        Revision id for rollback prevention (0 <= REVISION_ID
                        <= 64)
  --signing_helper [APP]
                        Path to helper used for signing
  --signing_helper_with_files [APP]
                        Path to helper used for signing using files
  --flash_patch_offset FLASH_PATCH_OFFSET
                        Flash patch offset for ast2605

enc_group:
  Enable aes encryption in mode 2

  --enc_offset ENC_OFFSET
                        Offset where encryption start
  --aes_key [AES_KEY]   Path to aes key file
  --key_in_otp          aes key is storing in otp
  --rsa_aes [RSA_AES]   Path to RSA public key file, which is used to encrypt
                        aes key
  • Verify command The verify tool can check the validity of the combination of OTP image and RoT secure image.
usage: socsec verify [-h] --sec_image IMAGE [--output IMAGE] --otp_image IMAGE
                     [--cot_offset IMAGE]

optional arguments:
  -h, --help          show this help message and exit
  --sec_image IMAGE   Path to secure image
  --output IMAGE      Output non-secure image
  --otp_image IMAGE   Path to otp image
  --cot_offset IMAGE  Offset for every image, e.g. 0x10000:0x100000

Here is an example to make RoT image.

  • RoT secure image with mode 2 RSA4096_SHA512
socsec make_secure_bl1_image \
    --algorithm RSA4096_SHA512 \
    --bl1_image path/to/u-boot-spl.bin \
    --output path/to/s_u-boot-spl.bin \
    --rsa_sign_key path/to/test_oem_dss_private_key_4096_1.pem \
    --rsa_key_order big

The --signing_helper option can be used to specify any external program for signing hashes. The data to sign (including padding e.g. PKCS1-v1.5) is fed via STDIN and the signed data is returned via STDOUT. Arguments for a signing helper is --rsa_sign_key in make_secure_bl1_image. If the signing helper exits with a non-zero exit code, it means failure. Here's an example invocation:

/path/to/my_signing_program /path/to/privatekey.pem

--signing_helper_with_files is similar to --signing_helper except that a temporary file is used to communicate with the helper instead of STDIN and STDOUT. This is useful in situations where the signing helper is using code which is outputting diagnostics on STDOUT instead of STDERR. Here's an example invocation

/path/to/my_signing_program_with_files \
/path/to/privatekey.pem /tmp/path/to/communication_file

Here is an example of socsec verify.

socsec verify --soc 2600 --sec_image /path/to/s_u-boot-spl.bin --otp_image /path/to/otp-all.image

--sec_image is the RoT secure image which is generated by make_secure_bl1_image.

--otp_image is the OTP image which is generated by the otptool, the otptool will introduce in next chapter.

--output is an option which can output the unsigned an unencrypted image.

OTP Tool

AST2600 built-in 64Kbit one time programmable (OTP) memory for configuration, strap, key storage, patch and user data. Each memory bit cell inside the OTP memory is capable to be programmed once. Typically, the data stored the OTP memory are non-volatile and can preserve permanently, but to improve the FIT (failure in time) of the OTP memory, ECC is recommended to enable.

Make OTP image

Using this tool to generate the otp image, and using OTP Utility to program that image into OTP memory.

usage: otptool make_otp_image [-h] [--key_folder KEY_FOLDER]
                              [--user_data_folder USER_DATA_FOLDER]
                              [--output_folder OUTPUT_FOLDER]
                              [--no_last_bit]
                              config

positional arguments:
  config                configuration file

optional arguments:
  -h, --help            show this help message and exit
  --key_folder KEY_FOLDER
                        key folder
  --user_data_folder USER_DATA_FOLDER
                        user data folder
  --output_folder OUTPUT_FOLDER
                        output folder
  --no_last_bit         (develop)remove last bit in OTP header

Argument

  • config: the config file is a json format document, which content otp data region, otp config region and otp strap description. Below is an example.

  • key_folder: put all key file into key folder

  • output_folder: the generated otp image will put into this folder.

Output

  • otp-all.image: a programmable image, use u-boot otp utility to program this image, which contain all region of otp.

  • *.image: a programmable image, use u-boot otp utility to program this image configs/ast2600/security/otp/sample.json is an example for all otp config and otp strap.

  • otp-data.bin: raw data of otp data region.

data_region object is to describe the otp data region, which contain key, user data, otp patch, and ecc code. The figure below is data region layout. When ecc_region enable, otp tool will generate the ECC code. The otp patch should put inside user data region (non-secure region). Data region

Print OTP image

usage: otptool print [-h] otp_image

positional arguments:
  otp_image   OTP image

optional arguments:
  -h, --help  show this help message and exit