From c0c758b201eb1daba9fec4cd919a934a6aa571b5 Mon Sep 17 00:00:00 2001
From: Denis Pynkin <denis.pynkin@collabora.com>
Date: Sun, 9 Feb 2020 23:53:32 +0300
Subject: [PATCH] imx6: add open part for HAB signing

This directory contains the open part of the Apertis super root keys used for
signing U-Boot and the FIT kernel image for i.MX-based boards (SabreLite).

The private keys and password are set in CI/CD as a secret, however all bits are available
in [open repository](https://gitlab.apertis.org/infrastructure/apertis-imx-srk).

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
---
 .../CSF1_1_sha256_2048_65537_v3_usr_crt.pem   |  79 ++++++++++++++++++
 .../IMG1_1_sha256_2048_65537_v3_usr_crt.pem   |  79 ++++++++++++++++++
 sign/imx6/SRK_1_2_3_4_table.bin               | Bin 0 -> 1088 bytes
 sign/imx6/readme.md                           |  14 ++++
 4 files changed, 172 insertions(+)
 create mode 100644 sign/imx6/CSF1_1_sha256_2048_65537_v3_usr_crt.pem
 create mode 100644 sign/imx6/IMG1_1_sha256_2048_65537_v3_usr_crt.pem
 create mode 100644 sign/imx6/SRK_1_2_3_4_table.bin
 create mode 100644 sign/imx6/readme.md

diff --git a/sign/imx6/CSF1_1_sha256_2048_65537_v3_usr_crt.pem b/sign/imx6/CSF1_1_sha256_2048_65537_v3_usr_crt.pem
new file mode 100644
index 00000000..89cbe7c1
--- /dev/null
+++ b/sign/imx6/CSF1_1_sha256_2048_65537_v3_usr_crt.pem
@@ -0,0 +1,79 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 305419897 (0x12345679)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=SRK1_sha256_2048_65537_v3_ca
+        Validity
+            Not Before: Jun 23 12:17:40 2019 GMT
+            Not After : Jun 18 12:17:40 2039 GMT
+        Subject: CN=CSF1_1_sha256_2048_65537_v3_usr
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:a9:e4:66:ab:90:b5:54:f4:1b:9d:37:2b:3d:dd:
+                    7f:e6:9f:e8:03:26:4f:a9:e0:64:e2:e7:6b:cf:c1:
+                    33:df:32:c8:a8:60:87:2a:58:c1:2c:03:58:e4:70:
+                    cb:89:b1:2a:86:8f:69:ea:70:e9:5e:22:7b:5c:9b:
+                    ab:8e:6d:f8:03:b7:23:d9:fa:c6:51:92:6e:fb:b2:
+                    2f:8c:eb:f4:ae:c8:74:3a:90:c3:ad:05:e1:1d:3a:
+                    1c:46:fb:b6:9a:d6:56:9a:20:bd:61:cc:73:cd:a2:
+                    ba:fd:4d:14:c1:fe:f2:88:bc:27:c6:5b:19:e9:86:
+                    52:9d:3d:4f:3e:c8:7c:ae:54:41:03:c6:c1:54:64:
+                    f9:f2:f3:71:f5:2f:b8:ed:4a:71:07:ce:76:1f:90:
+                    c3:38:a2:22:51:d3:88:04:c9:7b:b3:72:59:80:5c:
+                    06:31:68:5c:76:66:f9:f2:2a:39:be:0e:b1:37:76:
+                    c1:65:a4:39:3d:66:c2:3e:97:55:7d:d0:5b:24:95:
+                    79:bb:26:1f:2e:54:02:14:0c:84:e8:2c:28:f6:77:
+                    4b:f8:84:67:05:a3:d6:f5:9d:aa:4b:52:88:43:ed:
+                    de:d7:80:e8:69:47:e1:03:58:5d:0a:29:89:de:0c:
+                    bf:69:70:03:00:1d:13:12:e4:1e:56:c3:23:cb:6c:
+                    08:ad
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                OpenSSL Generated Certificate
+            X509v3 Subject Key Identifier: 
+                F3:5A:26:E0:EC:25:14:9A:E8:C1:C2:58:58:4D:CA:F4:28:60:2D:F5
+            X509v3 Authority Key Identifier: 
+                keyid:26:24:AA:0E:88:E8:36:34:55:6A:03:DB:A7:7F:DA:95:8D:82:DF:CD
+
+    Signature Algorithm: sha256WithRSAEncryption
+         32:77:fb:f1:7d:ee:ef:5a:ce:36:fb:a8:6b:1e:73:87:63:22:
+         46:e6:04:36:f7:71:53:05:7c:c5:46:f7:e1:40:45:d7:e3:f2:
+         bc:6a:81:b6:71:8b:c8:3c:29:21:6a:79:ad:fe:03:d0:a9:05:
+         7c:b8:4b:59:ba:0f:3b:fe:dd:ff:56:b4:b1:ee:4a:fb:86:de:
+         71:bc:d9:29:1b:ae:48:ba:a0:df:9e:12:7b:9f:87:67:7a:bb:
+         b3:ce:28:8a:c1:bb:e0:2a:71:c4:37:40:87:e5:d6:76:fd:82:
+         07:7e:0f:e7:16:ff:74:69:b2:bd:1d:88:e8:4e:dd:bd:61:d4:
+         bf:8f:2c:56:df:10:62:c3:b7:d8:1e:c2:bf:c8:ba:9a:7d:35:
+         3b:a2:f4:34:37:b7:3e:a2:8b:6b:ac:c3:ab:20:88:32:cf:ff:
+         c2:fb:d1:28:e6:16:1d:6b:83:51:b9:54:de:09:6a:d0:11:78:
+         2a:58:ca:9c:82:8c:de:e9:e7:09:ed:db:24:55:13:43:2d:a9:
+         29:a2:4c:08:0a:4c:a4:fa:b8:f1:fa:ac:b1:06:09:dc:63:b3:
+         80:b2:9e:c2:84:91:24:92:76:e3:3d:23:05:02:cf:df:90:37:
+         74:50:74:6a:f2:61:d1:bc:00:44:73:0b:7f:58:2f:f0:71:47:
+         19:a5:aa:33
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/sign/imx6/IMG1_1_sha256_2048_65537_v3_usr_crt.pem b/sign/imx6/IMG1_1_sha256_2048_65537_v3_usr_crt.pem
new file mode 100644
index 00000000..591289a4
--- /dev/null
+++ b/sign/imx6/IMG1_1_sha256_2048_65537_v3_usr_crt.pem
@@ -0,0 +1,79 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 305419898 (0x1234567a)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=SRK1_sha256_2048_65537_v3_ca
+        Validity
+            Not Before: Jun 23 12:17:41 2019 GMT
+            Not After : Jun 18 12:17:41 2039 GMT
+        Subject: CN=IMG1_1_sha256_2048_65537_v3_usr
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:d7:c4:06:6b:76:54:ad:29:7a:bf:ea:82:f5:0b:
+                    dd:07:a5:d2:13:71:4d:1e:2f:b9:1c:e1:45:6c:8c:
+                    a5:7f:d7:ed:98:39:83:bf:33:3f:16:e4:37:a1:c7:
+                    15:81:85:ca:81:8d:20:5d:de:5f:53:6c:ac:2b:3c:
+                    07:7d:69:86:a2:e9:d1:b4:20:78:b0:8e:0e:b9:5f:
+                    cf:a8:bd:01:cc:5b:ac:f2:22:da:6f:5f:da:03:2e:
+                    eb:4c:7c:85:9d:26:de:80:da:91:92:af:27:9c:36:
+                    f5:6a:5d:dc:b5:55:91:3a:35:18:fb:d8:64:99:89:
+                    8f:81:66:77:67:af:21:7b:06:54:d5:c2:e0:76:e1:
+                    d2:f4:20:47:2a:2f:7e:73:39:0e:0e:8b:6d:fc:9b:
+                    3a:90:6d:df:ad:41:0e:2a:d8:60:39:a4:bc:e6:05:
+                    35:84:15:51:04:43:59:d5:72:19:d9:9c:e7:4b:a3:
+                    42:b2:e6:51:22:48:9c:7b:4d:9d:f8:f6:e5:88:8e:
+                    fa:44:a8:b6:89:ae:4f:da:83:fd:91:63:0d:8d:eb:
+                    36:f0:e3:e9:2f:62:f8:83:92:9e:c7:39:b1:b3:3c:
+                    33:31:22:58:3b:83:3c:17:d6:1d:8c:53:28:e7:23:
+                    1d:15:a2:40:73:b4:e2:15:9c:fc:f0:3c:3d:e9:c2:
+                    8e:b3
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                OpenSSL Generated Certificate
+            X509v3 Subject Key Identifier: 
+                A2:E1:DB:BC:1B:F1:93:54:50:A1:9E:44:B1:D6:FE:F9:B1:56:32:F8
+            X509v3 Authority Key Identifier: 
+                keyid:26:24:AA:0E:88:E8:36:34:55:6A:03:DB:A7:7F:DA:95:8D:82:DF:CD
+
+    Signature Algorithm: sha256WithRSAEncryption
+         53:4f:9c:c1:ff:52:a8:a4:8e:bf:c7:af:61:5d:67:46:24:e7:
+         a6:ce:eb:ac:25:2b:48:e3:75:1c:b4:64:4a:c8:19:a9:44:f9:
+         f1:5b:04:c3:2f:99:06:3b:d3:93:81:65:ba:12:5d:2b:82:c4:
+         98:b5:15:d6:10:c6:28:b6:b5:a4:f3:d1:93:1a:b2:5e:16:36:
+         4d:6c:85:59:bb:3a:51:52:d9:63:1c:70:2b:c3:6b:b7:69:24:
+         86:e2:54:a8:96:f7:7c:4a:81:2b:8e:97:8b:85:63:93:36:43:
+         aa:f2:54:ad:11:91:aa:a4:98:71:a1:27:c7:fe:b3:0a:ed:52:
+         c2:27:53:16:35:02:f9:30:c2:64:bf:0a:1f:b1:12:79:42:39:
+         21:df:fc:6b:23:d3:ae:34:27:68:f4:d2:dd:af:df:09:54:ef:
+         8b:30:b9:b9:11:22:c8:46:9d:fa:61:61:23:b9:69:38:eb:c2:
+         32:5f:2a:5e:67:e7:eb:21:3d:61:0a:9f:b4:58:d1:29:a1:9e:
+         ec:99:15:25:26:ff:06:2a:2d:50:a9:cf:db:f2:ec:a2:09:99:
+         7b:7d:81:d8:14:f3:ec:21:07:52:3f:a7:02:4b:7f:bd:03:6d:
+         cb:02:1e:39:cc:de:94:c5:11:3d:0f:39:2a:ad:d3:0c:3b:c6:
+         f9:95:aa:40
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/sign/imx6/SRK_1_2_3_4_table.bin b/sign/imx6/SRK_1_2_3_4_table.bin
new file mode 100644
index 0000000000000000000000000000000000000000..66bd3b3f53e85a0f8c5947992fb9ee35b4328b93
GIT binary patch
literal 1088
zcmV-G1i$;&1VBLH0S_Sn004ji000B8Yz3Tv6=gQt%X&(tMW^vhc`N6fnj>d!{**E4
z`Mn-%$sBF^r7McX;pZxh1M7nD;Gz#J6{dKsIZAZtUM#HzB2WsN(jLsDU;=^JFC(-6
zXMMvUn3TsrU?xOdi5l8kg8I*JvND6$5#*`U65PuemXV^=!pG`<O_j0WP}Q-Uew5yR
z){1M^7|@W-IzRrynk7~`wm#Z4;#AB1R%rzaCgYtbTjA2crvYQ3$%m%g{&1KcZHed(
zZ`-bxi6zu+5YgVS()T?I^HD%XWWS+Dvy8pKJ^VAW#n#=ZRf_z4wT_uu_5O7bAdkXw
zij1oWlj!MAcF=Ghy#;1PaP$)a00H3v4<P^m0Du7i00Y=k3M~^B%Jy!w*C?86%51O!
z=l|mdB|h}my2`mZssQo7UKL%Rmw0we!fUh$nvy$Kus7xG&I|%$DXsiJa_x^xinr7O
zdqQx8pvL?Hn#}1U*2i*l(o5vKO6$k}{&cqMwNI&iXJt+SW7AIxGd}S^fIvKu5<lg*
zP`*D0`+1Ti1CX7<Zen$%-X;HoBzjw@W}dvgP@~EJxacMtV1L{~UF0pBh^`ltphg88
zvP(DBG-z;o1q)N&0$)=bH`Py&!4O<JSD(S8iKkgAs84aOqcO)0t&&Nc^b9X%1(%tp
zPM1+1wnh)Se}&UHKRf?@b7Vc&|6Tw<feLK5ciRB~0pS4;ApigXfB^si1GqV_K)vQ~
z#mP1_5i8Loy5D*U_#%>5{X{u!#%zKt6USje-KGITY^{>=@PSv=aH!7UD<H{$P7Oci
zneCQ~Bieh{JLzEBw~V$|)pMXcxT>AuLO?klxzXL%_YbC8BeV1~eK>Om;GaoQf)?Fd
zDb|aptJ$<EO}?8>=<^<j+^hR{B{+*^jL&;3&JqRV?Qd||V}Ad3%F^z&^u7#;k)MEv
z#CrwXhgEXpASoS3>G1Zf7>%p!M=dZKzBV(izS$sx2CZfmOe#5*b#u0bs_@ZpOC6ez
zL^+toM1H)ILIV@{q;)|(Yit|Eu%dX~t*VKmV%=ZJZmLS@G37Uq4*>uH;Q<dJ0001h
z0RR94)YygM807zG*nKX;FVOP5Gv%@6^^*>tgluF>-oTzMzHMh_<*c=mlAWS-PMmWV
zsv_slArp%O;CC_*xW-c@_BsK`Xw84PRt@H?4;03zV_lrzzTzR2nNPrvmT(}czsla;
zGpQ2svu(2L=kR&U+DyeJ4NQuhQMp}Ozs8}kuA}Qm3~I&r0h9l7skfU|)NnLQMhlwo
zO^?(4(y!Y!=O6$T_sn{zV7Czq`4+4PB+vTToV%@1Sd#lqY>e1;(bnRjVFa3QZo!u{
zw?sY4MbM-Ig}>RU;S`cK*z5>Nr3Z#WJ+y&d4IybitG`O(V6qTfKTp@Zl_K;kRwhx2
G0RRD@Cl<;8

literal 0
HcmV?d00001

diff --git a/sign/imx6/readme.md b/sign/imx6/readme.md
new file mode 100644
index 00000000..043994b7
--- /dev/null
+++ b/sign/imx6/readme.md
@@ -0,0 +1,14 @@
+This directory contains the open part of Apertis super root keys used for
+signing U-Boot and FIT kernel image for i.MX-based boards (SabreLite).
+
+The private keys and password are set in CI/CD as a secret, however all bits are available
+in [open repository](https://gitlab.apertis.org/infrastructure/apertis-imx-srk).
+
+The [CST tool](https://gitlab.apertis.org/pkg/development/imx-code-signing-tool) is needed
+to sign binaries with the help of templates provided in this directory as well.
+
+For correct boot you have to fuse the board with the signature from the file `SRK_1_2_3_4_table.bin`.
+
+More information can be obtained from:
+- https://gitlab.apertis.org/third-party/u-boot/blob/master/doc/imx/habv4/guides/mx6_mx7_secure_boot.txt
+- https://boundarydevices.com/high-assurance-boot-hab-dummies/
-- 
GitLab