From: Bryan Brattlof <bb@ti.com>
Date: Mon, 2 Jun 2025 21:56:52 +0000 (-0500)
Subject: binman: openssl: disable JTAG access by default
X-Git-Tag: v2025.10-rc1~91^2~38
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e18472f1dee609b2ee8a492985bf77a5012e4d01;p=pandora-u-boot.git

binman: openssl: disable JTAG access by default

Typically boards operating in production environments will not be
monitored and so will not need JTAG access unlocked. Disable the debug
extension by default (set debugType = 0) unless we add the 'debug'
property in the binman configs.

Acked-by: Andrew Davis <afd@ti.com>
Signed-off-by: Bryan Brattlof <bb@ti.com>
---

diff --git a/tools/binman/btool/openssl.py b/tools/binman/btool/openssl.py
index c6df64c5316..b26f087c447 100644
--- a/tools/binman/btool/openssl.py
+++ b/tools/binman/btool/openssl.py
@@ -153,7 +153,7 @@ numFirewallRegions = INTEGER:{firewall_cert_data['num_firewalls']}
 
     def x509_cert_rom(self, cert_fname, input_fname, key_fname, sw_rev,
                   config_fname, req_dist_name_dict, cert_type, bootcore,
-                  bootcore_opts, load_addr, sha):
+                  bootcore_opts, load_addr, sha, debug):
         """Create a certificate
 
         Args:
@@ -221,9 +221,13 @@ emailAddress           = {req_dist_name_dict['emailAddress']}
 # iterationCnt = INTEGER:TEST_IMAGE_KEY_DERIVE_INDEX
 # salt = FORMAT:HEX,OCT:TEST_IMAGE_KEY_DERIVE_SALT
 
+ # When debugging low level boot firmware it can be useful to have ROM or TIFS
+ # unlock JTAG access to the misbehaving CPUs. However in a production setting
+ # this can lead to code modification by outside parties after it's been
+ # authenticated. To gain JTAG access add the 'debug' flag to the binman config
  [ debug ]
  debugUID = FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000
- debugType = INTEGER:4
+ debugType = INTEGER:{ "4" if debug else "0" }
  coreDbgEn = INTEGER:0
  coreDbgSecEn = INTEGER:0
 ''', file=outf)
@@ -238,7 +242,7 @@ emailAddress           = {req_dist_name_dict['emailAddress']}
                   imagesize_sbl, hashval_sbl, load_addr_sysfw, imagesize_sysfw,
                   hashval_sysfw, load_addr_sysfw_data, imagesize_sysfw_data,
                   hashval_sysfw_data, sysfw_inner_cert_ext_boot_block,
-                  dm_data_ext_boot_block, bootcore_opts):
+                  dm_data_ext_boot_block, bootcore_opts, debug):
         """Create a certificate
 
         Args:
@@ -324,9 +328,13 @@ compSize = INTEGER:{imagesize_sysfw_data}
 shaType  = OID:{sha_type}
 shaValue = FORMAT:HEX,OCT:{hashval_sysfw_data}
 
+# When debugging low level boot firmware it can be useful to have ROM or TIFS
+# unlock JTAG access to the misbehaving CPUs. However in a production setting
+# this can lead to code modification by outside parties after it's been
+# authenticated. To gain JTAG access add the 'debug' flag to the binman config
 [ debug ]
 debugUID = FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000
-debugType = INTEGER:4
+debugType = INTEGER:{ "4" if debug else "0" }
 coreDbgEn = INTEGER:0
 coreDbgSecEn = INTEGER:0
 
diff --git a/tools/binman/etype/ti_secure.py b/tools/binman/etype/ti_secure.py
index 420ee263e4f..f6caa0286d9 100644
--- a/tools/binman/etype/ti_secure.py
+++ b/tools/binman/etype/ti_secure.py
@@ -124,6 +124,7 @@ class Entry_ti_secure(Entry_x509_cert):
                 'OU': 'Processors',
                 'CN': 'TI Support',
                 'emailAddress': 'support@ti.com'}
+        self.debug = fdt_util.GetBool(self._node, 'debug', False)
 
     def ReadFirewallNode(self):
         self.firewall_cert_data['certificate'] = ""
diff --git a/tools/binman/etype/ti_secure_rom.py b/tools/binman/etype/ti_secure_rom.py
index f6fc3f90f84..7e90c655940 100644
--- a/tools/binman/etype/ti_secure_rom.py
+++ b/tools/binman/etype/ti_secure_rom.py
@@ -87,6 +87,7 @@ class Entry_ti_secure_rom(Entry_x509_cert):
                     'OU': 'Processors',
                     'CN': 'TI Support',
                     'emailAddress': 'support@ti.com'}
+        self.debug = fdt_util.GetBool(self._node, 'debug', False)
 
     def NonCombinedGetCertificate(self, required):
         """Generate certificate for legacy boot flow
diff --git a/tools/binman/etype/x509_cert.py b/tools/binman/etype/x509_cert.py
index 25e6808b7f9..b6e8b0b4fb0 100644
--- a/tools/binman/etype/x509_cert.py
+++ b/tools/binman/etype/x509_cert.py
@@ -52,6 +52,7 @@ class Entry_x509_cert(Entry_collection):
         self.sysfw_inner_cert_ext_boot_block = None
         self.dm_data_ext_boot_block = None
         self.firewall_cert_data = None
+        self.debug = False
 
     def ReadNode(self):
         super().ReadNode()
@@ -114,7 +115,8 @@ class Entry_x509_cert(Entry_collection):
                 bootcore=self.bootcore,
                 bootcore_opts=self.bootcore_opts,
                 load_addr=self.load_addr,
-                sha=self.sha
+                sha=self.sha,
+                debug=self.debug
             )
         elif type == 'rom-combined':
             stdout = self.openssl.x509_cert_rom_combined(
@@ -140,7 +142,8 @@ class Entry_x509_cert(Entry_collection):
                 hashval_sysfw_data=self.hashval_sysfw_data,
                 sysfw_inner_cert_ext_boot_block=self.sysfw_inner_cert_ext_boot_block,
                 dm_data_ext_boot_block=self.dm_data_ext_boot_block,
-                bootcore_opts=self.bootcore_opts
+                bootcore_opts=self.bootcore_opts,
+                debug=self.debug
             )
         if stdout is not None:
             data = tools.read_file(output_fname)