aspeedtech-bmc / socsec
License: MIT License
Setups I followed to compile secure boot
Problem: during booting, only two words (S2) print on the UART console.
+ coverage run -p ./socsec verify --soc 2600 --sec_image tests/data/generated/2600-a0_mode2aes1-rsa1024-sha224/bl1.signed.bin --output tests/data/generated/2600-a0_mode2aes1-rsa1024-sha224/bl1.bin --otp_image tests/data/generated/2600-a0_mode2aes1-rsa1024-sha224/otp-all.image
Algorithm: AES_RSA_SHA
RSA length: 1024
HASH length: 224
check RoT header PASS
Verify key ...
Key Type: OEM DSS public keys
ID: 0
M:
E:
00000000: 01 00 01 ...
Traceback (most recent call last):
File "./socsec", line 1693, in <module>
tool.run(sys.argv)
File "./socsec", line 1649, in run
args.func(args)
File "./socsec", line 1683, in verify_secure_image
self.verify.verify_secure_image(args.soc,
File "./socsec", line 1450, in verify_secure_image
dec_image = self.verify_rot_image(sec_image[:sign_image_size+1024],
File "./socsec", line 1412, in verify_rot_image
dec_image = self.mode2_decrypt(sec_image, sign_image_size,
File "./socsec", line 1331, in mode2_decrypt
M = int.from_bytes(key['M'], byteorder='little', signed=False)
KeyError: 'M'
It appears socsec assumes the A1 key header ABI, but the A0 ABI has different enumeration values for the key types.
A0 support in otptool: https://github.com/AspeedTech-BMC/socsec/blob/v00.01.06/otptool.py#L393-L402
A1 support in otptool: https://github.com/AspeedTech-BMC/socsec/blob/v00.01.06/otptool.py#L435-L444
Key header decoding in socsec: https://github.com/AspeedTech-BMC/socsec/blob/v00.01.06/socsec.py#L1244
Hello,
The header offset does not seem properly computed when verifying the secure image and the OTP image compatibility.
I tried the following:
socsec make_secure_bl1_image \
--soc 2600 \
--algorithm RSA4096_SHA512 \
--rsa_sign_key tests/keys/rsa4096.pem \
--bl1_image tests/data/bl1.bin \
--output tmp/bl1.signed.bin \
--header_offset=0x10
When checking tmp/bl1.signed.bin with hexdump, the header seems properly positioned.
cat tests/otp/2600-a3_mode2-rsa4096-sha512-little.json
...
"config_region": {
"Secure Boot Mode": "Mode_2",
"Secure crypto RSA length": "RSA4096",
"Hash mode": "SHA512",
"Enable image encryption": false,
"Secure boot header offset": "0x10"
},
...
otptool make_otp_image --key_folder tests/keys/ tests/otp/2600-a3_mode2-rsa4096-sha512-little.json --output_folder tmp
When printing the OTP image, the offset is properly displayed:
otptool print tmp/otp-all.image
...
OTP config region :
DW BIT Value Description
__________________________________________________________________________
0x0 0x7 0x1 Secure Boot Mode: Mode_2
0x0 0xB :0xA 0x3 RSA mode : RSA4096
0x0 0xD :0xC 0x3 SHA mode : SHA512
0x0 0x1A 0x1 Copy Boot Image to Internal SRAM
0x0 0x1B 0x0 Disable image encryption
0x3 0xF :0x0 0x10 Secure boot header offset : 0x16
...
socsec verify --sec_image tmp/bl1.signed.bin --otp_image tmp/otp-all.image
Algorithm: RSA_SHA
RSA length: 4096
HASH length: 512
Traceback (most recent call last):
File "/usr/local/bin/socsec", line 4, in <module>
__import__('pkg_resources').run_script('socsec==2.0.0', 'socsec')
File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 666, in run_script
self.require(requires)[0].run_script(script_name, ns)
File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 1453, in run_script
exec(script_code, namespace, namespace)
File "/usr/local/lib/python3.7/dist-packages/socsec-2.0.0-py3.7.egg/EGG-INFO/scripts/socsec", line 30, in <module>
File "/usr/local/lib/python3.7/dist-packages/socsec-2.0.0-py3.7.egg/socsec/socsec.py", line 2131, in run
File "/usr/local/lib/python3.7/dist-packages/socsec-2.0.0-py3.7.egg/socsec/socsec.py", line 2171, in verify_secure_image
File "/usr/local/lib/python3.7/dist-packages/socsec-2.0.0-py3.7.egg/socsec/socsec.py", line 1906, in verify_secure_image
socsec.socsec.SecError: header checksum verify failed
The verification fails.
Looking at the code, the header offset is computed in socsec.py:parse_config from cfg3, and cfg3 is computed as follows:
cfg3 = struct.unpack('<I', config_region[8:12])[0]
But it seems wrong to me. Referring to how the config region is handled in the otptool.py:otp_print_image_config method, the cfg3 and cfg4 variables should be:
cfg3 = struct.unpack('<I', config_region[12:16])[0]
cfg4 = struct.unpack('<I', config_region[16:20])[0]
With this change, the verification succeeds:
socsec verify --sec_image tmp/bl1.signed.bin --otp_image tmp/otp-all.image
Algorithm: RSA_SHA
RSA length: 4096
HASH length: 512
check RoT header PASS
Verify key ...
Key Type: OEM DSS RSA public keys
ID: 0
M:
E:
00000000: 01 00 01 ...
check RoT integrity PASS
If my doubts are true, I can open the corresponding PR.
Thank you.
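The slice arithmetic from the report above, worked through as an added example (not code from socsec or otptool). It assumes the config region is a packed array of little-endian 32-bit dwords, takes the field positions from the `otptool print` table in the report, and uses a constructed 64-byte region; `FIELDS`, `read_dw`, `read_field` and `compare_slices` are hypothetical names.

```python
import struct

# Bit fields as listed by `otptool print` in the report: (dword, low bit, width).
FIELDS = {
    "secure_boot_mode": (0, 0x7, 1),
    "rsa_mode":         (0, 0xA, 2),
    "sha_mode":         (0, 0xC, 2),
    "copy_to_sram":     (0, 0x1A, 1),
    "image_encryption": (0, 0x1B, 1),
    "header_offset":    (3, 0x0, 16),
}

def read_dw(region: bytes, dw: int) -> int:
    """Return little-endian dword number `dw`, refusing to read past the region."""
    start = dw * 4
    if dw < 0 or start + 4 > len(region):
        raise ValueError(f"config region has no DW {dw:#x}")
    return struct.unpack_from("<I", region, start)[0]

def read_field(region: bytes, name: str) -> int:
    """Extract one named bit field by (dword, bit) position, not by byte slice."""
    dw, low, width = FIELDS[name]
    return (read_dw(region, dw) >> low) & ((1 << width) - 1)

def build_sample_region() -> bytes:
    """Constructed sample: 16 dwords (assumed size) holding the values from the report."""
    dws = [0] * 16
    dws[0] = (1 << 0x7) | (3 << 0xA) | (3 << 0xC) | (1 << 0x1A)
    dws[3] = 0x10  # "Secure boot header offset" as set in the JSON config
    return struct.pack("<16I", *dws)

def compare_slices(region: bytes) -> tuple:
    """Header offset as read by the slice quoted from parse_config vs. the proposed one."""
    quoted = struct.unpack("<I", region[8:12])[0] & 0xFFFF     # bytes 8..11 are DW 2
    proposed = struct.unpack("<I", region[12:16])[0] & 0xFFFF  # bytes 12..15 are DW 3
    return quoted, proposed

if __name__ == "__main__":
    region = build_sample_region()
    quoted, proposed = compare_slices(region)
    print(f"[8:12]  -> header offset {quoted:#x}")
    print(f"[12:16] -> header offset {proposed:#x}")
    for name in FIELDS:
        print(f"{name}: {read_field(region, name):#x}")
```

With the offset read as 0, a verifier would look for the header at the start of the image rather than at 0x10, which is consistent with the "header checksum verify failed" error in the report.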
Here's the hexdump package listing on PyPI:
https://pypi.org/project/hexdump/
The Homepage link (https://bitbucket.org/techtonik/hexdump/) points to Bitbucket, but the repository has been removed (the link 404s). Some searching suggests the package was not migrated to e.g. GitHub, and it hasn't seen a release since 2016.
It's probably worth reconsidering this dependency.
We have tags for v00.01.07 and v00.02.00, so the python package information is out of date. The version field should have been updated in the commit that was tagged with each version.
I think there are some limitations on the formatting of the value for the version field in setup.py so we'll have to figure out what the best way forward is there.
We should at least tag a v00.02.01 that bumps the package version to move beyond the current situation.