aspeedtech-bmc / socsec Goto Github PK

View Code? Open in Web Editor NEW

9.0 9.0 11.0 4.7 MB

License: MIT License

Python 76.33% Shell 11.31% C 12.36%

socsec's People

Contributors

Stargazers

Watchers

Forkers

amboar johnydhuang guoyong7801 joshua-andersen1 gangboy1979 jamin-aspeed kjopek n2i911 jakemctigue damienlagneux

socsec's Issues

Ast2600 A1 not booted after enable secure boot

setups i am followed to complied secure boot

generate rsa public private key using opnssl .
-> openssl genrsa -out rsa_oem_dss_key.pem 1024
-> openssl rsa -in rsa_oem_dss_key.pem -pubout -out rsa_pub_oem_dss_key.pem
add public key name into this (2600-a1_mode2-rsa1024-sha224.json).
configure and compile.
programed otp memory using u-boot utility.
Burn secure boot image and boot.

problem:- during booting only two word( S2 ) print on uart console.

socsec fails to verify Mode2 AES option 1 encrypted BL1 image for A0

+ coverage run -p ./socsec verify --soc 2600 --sec_image tests/data/generated/2600-a0_mode2aes1-rsa1024-sha224/bl1.signed.bin --output tests/data/generated/2600-a0_mode2aes1-rsa1024-sha224/bl1.bin --otp_image tests/data/generated/2600-a0_mode2aes1-rsa1024-sha224/otp-all.image
Algorithm: AES_RSA_SHA
RSA length: 1024
HASH length: 224
check RoT header PASS
Verify key ...
Key Type: OEM DSS public keys
ID: 0
M:
00000000: 81 92 08 C7 80 CF 64 23  FB 51 3C 47 E1 1D 69 A7  ......d#.Q<G..i.
00000010: 0A 5F C8 06 CB C7 40 10  86 A8 97 93 E9 31 08 E4  [email protected]..
00000020: 95 63 58 56 FA C7 36 1F  95 4A 3A C2 B9 D8 25 7D  .cXV..6..J:...%}
00000030: E6 01 D0 23 56 49 69 4D  90 0D 49 4D F2 76 96 9C  ...#VIiM..IM.v..
00000040: AA 71 43 EC 0A 7B 0B 96  09 C8 CD 19 CC 1E 80 40  .qC..{.........@
00000050: 36 61 42 89 92 33 14 33  18 BD 68 CE 6F C8 66 46  6aB..3.3..h.o.fF
00000060: 5B 9A A1 04 1A 9F 67 2F  1B 33 D4 63 05 C4 9C B1  [.....g/.3.c....
00000070: 34 6A 22 25 F2 93 42 C6  7E 79 87 4D 41 59 C9 E2  4j"%..B.~y.MAY..
E:
00000000: 01 00 01                                          ...
Traceback (most recent call last):
  File "./socsec", line 1693, in <module>
    tool.run(sys.argv)
  File "./socsec", line 1649, in run
    args.func(args)
  File "./socsec", line 1683, in verify_secure_image
    self.verify.verify_secure_image(args.soc,
  File "./socsec", line 1450, in verify_secure_image
    dec_image = self.verify_rot_image(sec_image[:sign_image_size+1024],
  File "./socsec", line 1412, in verify_rot_image
    dec_image = self.mode2_decrypt(sec_image, sign_image_size,
  File "./socsec", line 1331, in mode2_decrypt
    M = int.from_bytes(key['M'], byteorder='little', signed=False)
KeyError: 'M'

It appears socsec assumes the A1 key header ABI, but the A0 ABI has a different enumeration values for the key types.

A0 support in otptool: https://github.com/AspeedTech-BMC/socsec/blob/v00.01.06/otptool.py#L393-L402

A1 support in otptool: https://github.com/AspeedTech-BMC/socsec/blob/v00.01.06/otptool.py#L435-L444

Key header decoding in socsec: https://github.com/AspeedTech-BMC/socsec/blob/v00.01.06/socsec.py#L1244

Header offset seems badly computed when verifying secure and OTP images compatibility

Hello,

The header offset does not seem properly computed when verifying the secure image and the OTP image compatibility.

I tried the following:

Generated secure bl1 image with header offset set to 0x10:

socsec make_secure_bl1_image \
     --soc 2600 \
     --algorithm RSA4096_SHA512 \
     --rsa_sign_key tests/keys/rsa4096.pem \
     --bl1_image tests/data/bl1.bin \
     --output tmp/bl1.signed.bin \
     --header_offset=0x10

When checking tmp/bl1.signed.bin with hexdump, the header seems properly positioned.

Generated OTP image based on 2600-a3_mode2-rsa4096-sha512-little.json config file, but specifying the header offset:

cat tests/otp/2600-a3_mode2-rsa4096-sha512-little.json
...
    "config_region": {
        "Secure Boot Mode": "Mode_2",
        "Secure crypto RSA length": "RSA4096",
        "Hash mode": "SHA512",
        "Enable image encryption": false,
        "Secure boot header offset": "0x10"
    },
...

otptool make_otp_image --key_folder tests/keys/ tests/otp/2600-a3_mode2-rsa4096-sha512-little.json --output_folder tmp

When printing the OTP image, the offset is properly displayed:

otptool print tmp/otp-all.image
...
OTP config region :
DW    BIT        Value       Description
__________________________________________________________________________
0x0   0x7        0x1         Secure Boot Mode: Mode_2
0x0   0xB :0xA   0x3         RSA mode : RSA4096
0x0   0xD :0xC   0x3         SHA mode : SHA512
0x0   0x1A       0x1         Copy Boot Image to Internal SRAM
0x0   0x1B       0x0         Disable image encryption
0x3   0xF :0x0   0x10        Secure boot header offset : 0x16
...

Verified secure image and OTP image compatibility:

socsec verify --sec_image tmp/bl1.signed.bin --otp_image tmp/otp-all.image
Algorithm: RSA_SHA
RSA length: 4096
HASH length: 512
Traceback (most recent call last):
  File "/usr/local/bin/socsec", line 4, in <module>
    __import__('pkg_resources').run_script('socsec==2.0.0', 'socsec')
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 666, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 1453, in run_script
    exec(script_code, namespace, namespace)
  File "/usr/local/lib/python3.7/dist-packages/socsec-2.0.0-py3.7.egg/EGG-INFO/scripts/socsec", line 30, in <module>
  File "/usr/local/lib/python3.7/dist-packages/socsec-2.0.0-py3.7.egg/socsec/socsec.py", line 2131, in run
  File "/usr/local/lib/python3.7/dist-packages/socsec-2.0.0-py3.7.egg/socsec/socsec.py", line 2171, in verify_secure_image
  File "/usr/local/lib/python3.7/dist-packages/socsec-2.0.0-py3.7.egg/socsec/socsec.py", line 1906, in verify_secure_image
socsec.socsec.SecError: header checksum verify failed

The verification fails.

Checking at the code, the header offset is computed in socsec.py:parse_config from cfg3 and cfg3 is computed as follow:

cfg3 = struct.unpack('<I', config_region[8:12])[0]

But it seems wrong to me. If referring to how the config region is handled in otptool.py:otp_print_image_config method,
cfg3 and cfg4 variables should be:

cfg3 = struct.unpack('<I', config_region[12:16])[0]
cfg4 = struct.unpack('<I', config_region[16:20])[0]

With this change, the verification succeeds:

socsec verify --sec_image tmp/bl1.signed.bin --otp_image tmp/otp-all.image
Algorithm: RSA_SHA
RSA length: 4096
HASH length: 512
check RoT header PASS
Verify key ...
Key Type: OEM DSS RSA public keys
ID: 0
M:
00000000: 41 C0 57 A3 B4 FC 52 14  73 A0 DA 00 31 E7 E6 70  A.W...R.s...1..p
00000010: 78 AD 2E 3C 8C 0C 97 76  D2 37 C8 DE 89 95 40 C5  x..<...v.7....@.
00000020: 74 7B 61 52 E6 04 AF CE  82 CF 0A 27 50 32 B8 56  t{aR.......'P2.V
00000030: 50 88 C4 63 BC DA 4D 83  E6 75 5C 31 87 0B 27 76  P..c..M..u\1..'v
00000040: 14 DA 54 EA E7 45 29 C2  E7 04 82 FD 82 F3 FC 35  ..T..E)........5
00000050: 4E A1 A5 26 69 A3 B6 C5  7A 0F B2 D0 0B 71 F2 FC  N..&i...z....q..
00000060: C7 34 1E A6 B3 75 A6 92  C7 E5 AB 58 6E 8E 6F 0C  .4...u.....Xn.o.
00000070: 6D 94 2D 66 86 3D F3 46  32 74 E6 72 45 17 48 18  m.-f.=.F2t.rE.H.
00000080: 2D 98 5B AA B3 C8 78 05  A6 C2 97 97 A6 AE E3 E6  -.[...x.........
00000090: 38 4C 44 CA A0 83 12 BA  8B 19 EA 7B 46 59 43 EE  8LD........{FYC.
000000A0: 2C EE AC 2F EF 4F 95 B2  09 49 DA 61 60 D5 DB 1F  ,../.O...I.a`...
000000B0: E3 D3 5C 67 B6 33 9C 12  7A B6 84 5A 28 3A F0 F2  ..\g.3..z..Z(:..
000000C0: 29 AC A7 52 2F EF F8 5B  AD A9 7C FA FE 5F FA 7C  )..R/..[..|.._.|
000000D0: E0 90 2A 28 F9 74 6C F8  99 C5 9C A7 3B 41 54 B0  ..*(.tl.....;AT.
000000E0: 2C A0 55 D7 D0 29 21 0B  FD E4 B1 E4 CD 88 15 CB  ,.U..)!.........
000000F0: 5F A1 0F 3D 40 3B D0 E2  96 B1 EF B4 3D 90 B1 77  _..=@;......=..w
00000100: 8A ED 44 C9 8A 62 8A 08  B5 68 26 29 E9 F0 B5 31  ..D..b...h&)...1
00000110: B4 16 CC E8 C2 CF 8F 8B  48 9F 6B 12 6B 6B 97 26  ........H.k.kk.&
00000120: 13 DB DF 81 23 C6 04 5E  8C 4F 71 13 98 B7 65 11  ....#..^.Oq...e.
00000130: E0 69 56 84 02 3F 09 F7  06 C5 9C D1 A3 56 3A 75  .iV..?.......V:u
00000140: 82 1F 40 E8 47 72 83 5C  4A A9 2E 74 AD A2 5B 1E  [email protected].\J..t..[.
00000150: 20 E2 FF 97 C5 D5 AF 97  27 4B DB A2 B2 A3 F5 20   .......'K..... 
00000160: 05 69 76 25 74 B3 F4 E1  7D A6 A4 AC 4B EA C5 7A  .iv%t...}...K..z
00000170: 4A 3F 11 85 87 32 4E 1D  BE 56 65 E3 BE 78 10 68  J?...2N..Ve..x.h
00000180: E9 33 BC CF 37 EB 10 EB  1F 9F 6B A0 5B AC 73 9B  .3..7.....k.[.s.
00000190: 71 F0 94 59 14 5C 7B 8C  C2 FC B0 AB 11 B0 CE B5  q..Y.\{.........
000001A0: 3C CA E2 0E 5A 3D 1A 48  69 6B 69 B5 EF A6 65 75  <...Z=.Hiki...eu
000001B0: 11 B5 32 B3 F8 25 06 D8  C5 56 57 2A 42 96 68 43  ..2..%...VW*B.hC
000001C0: 0B 84 51 57 44 75 C4 33  61 E4 E6 E8 1B B3 74 C7  ..QWDu.3a.....t.
000001D0: 67 5D E4 C0 50 1F 8F 8D  74 F4 51 96 35 A4 CE C7  g]..P...t.Q.5...
000001E0: F0 02 D4 53 7E B6 FA FC  BB A8 BB BC A1 F7 56 29  ...S~.........V)
000001F0: E4 5F DC C1 04 D3 FA A7  3A 05 A5 57 B7 1E EA AB  ._......:..W....
E:
00000000: 01 00 01                                          ...
check RoT integrity PASS

If my doubts are true, I can open the corresponding PR.

Thank you.

hexdump dependency is abandoned

Here's the hexdump package listing on pypi:

https://pypi.org/project/hexdump/

The Homepage link (https://bitbucket.org/techtonik/hexdump/) points bitbucket, but repository has been removed (the link 404's). Some searching suggests the package was not migrated to e.g. Github, and it hasn't seen a release since 2016.

It's probably worth reconsidering this dependency.

Package version description in setup.py is still "1.6"

We have tags for v00.01.07 and v00.02.00, so the python package information is out of date. The version field should have been updated in the commit that was tagged with each version.

I think there are some limitations on the formatting of the value for the version field in setup.py so we'll have to figure out what the best way forward is there.

We should at least tag a v00.02.01 that bumps the package version to move beyond the current situation.

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.