binman: openssl: disable JTAG access by default

Typically boards operating in production environments will not be monitored and so will not need JTAG access unlocked. Disable the debug extension by default (set debugType = 0) unless we add the 'debug' property in the binman configs. Acked-by: Andrew Davis <afd@ti.com> Signed-off-by: Bryan Brattlof <bb@ti.com>
2026-05-05 12:46:14 +02:00 · 2025-06-02 16:56:52 -05:00 · 2025-06-02 16:56:52 -05:00 · e18472f1de
commit e18472f1de
parent f35f053755
4 changed files with 19 additions and 6 deletions
--- a/tools/binman/btool/openssl.py
+++ b/tools/binman/btool/openssl.py
@ -153,7 +153,7 @@ numFirewallRegions = INTEGER:{firewall_cert_data['num_firewalls']}

    def x509_cert_rom(self, cert_fname, input_fname, key_fname, sw_rev,
                  config_fname, req_dist_name_dict, cert_type, bootcore,
-                  bootcore_opts, load_addr, sha):
+                  bootcore_opts, load_addr, sha, debug):
        """Create a certificate

        Args:
@ -221,9 +221,13 @@ emailAddress           = {req_dist_name_dict['emailAddress']}
 # iterationCnt = INTEGER:TEST_IMAGE_KEY_DERIVE_INDEX
 # salt = FORMAT:HEX,OCT:TEST_IMAGE_KEY_DERIVE_SALT

+ # When debugging low level boot firmware it can be useful to have ROM or TIFS
+ # unlock JTAG access to the misbehaving CPUs. However in a production setting
+ # this can lead to code modification by outside parties after it's been
+ # authenticated. To gain JTAG access add the 'debug' flag to the binman config
 [ debug ]
 debugUID = FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000
- debugType = INTEGER:4
+ debugType = INTEGER:{ "4" if debug else "0" }
 coreDbgEn = INTEGER:0
 coreDbgSecEn = INTEGER:0
 ''', file=outf)
@ -238,7 +242,7 @@ emailAddress           = {req_dist_name_dict['emailAddress']}
                  imagesize_sbl, hashval_sbl, load_addr_sysfw, imagesize_sysfw,
                  hashval_sysfw, load_addr_sysfw_data, imagesize_sysfw_data,
                  hashval_sysfw_data, sysfw_inner_cert_ext_boot_block,
-                  dm_data_ext_boot_block, bootcore_opts):
+                  dm_data_ext_boot_block, bootcore_opts, debug):
        """Create a certificate

        Args:
@ -324,9 +328,13 @@ compSize = INTEGER:{imagesize_sysfw_data}
 shaType  = OID:{sha_type}
 shaValue = FORMAT:HEX,OCT:{hashval_sysfw_data}

+# When debugging low level boot firmware it can be useful to have ROM or TIFS
+# unlock JTAG access to the misbehaving CPUs. However in a production setting
+# this can lead to code modification by outside parties after it's been
+# authenticated. To gain JTAG access add the 'debug' flag to the binman config
 [ debug ]
 debugUID = FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000
-debugType = INTEGER:4
+debugType = INTEGER:{ "4" if debug else "0" }
 coreDbgEn = INTEGER:0
 coreDbgSecEn = INTEGER:0

--- a/tools/binman/etype/ti_secure.py
+++ b/tools/binman/etype/ti_secure.py
@ -124,6 +124,7 @@ class Entry_ti_secure(Entry_x509_cert):
                'OU': 'Processors',
                'CN': 'TI Support',
                'emailAddress': 'support@ti.com'}
+        self.debug = fdt_util.GetBool(self._node, 'debug', False)

    def ReadFirewallNode(self):
        self.firewall_cert_data['certificate'] = ""
--- a/tools/binman/etype/ti_secure_rom.py
+++ b/tools/binman/etype/ti_secure_rom.py
@ -87,6 +87,7 @@ class Entry_ti_secure_rom(Entry_x509_cert):
                    'OU': 'Processors',
                    'CN': 'TI Support',
                    'emailAddress': 'support@ti.com'}
+        self.debug = fdt_util.GetBool(self._node, 'debug', False)

    def NonCombinedGetCertificate(self, required):
        """Generate certificate for legacy boot flow
--- a/tools/binman/etype/x509_cert.py
+++ b/tools/binman/etype/x509_cert.py
@ -52,6 +52,7 @@ class Entry_x509_cert(Entry_collection):
        self.sysfw_inner_cert_ext_boot_block = None
        self.dm_data_ext_boot_block = None
        self.firewall_cert_data = None
+        self.debug = False

    def ReadNode(self):
        super().ReadNode()
@ -114,7 +115,8 @@ class Entry_x509_cert(Entry_collection):
                bootcore=self.bootcore,
                bootcore_opts=self.bootcore_opts,
                load_addr=self.load_addr,
-                sha=self.sha
+                sha=self.sha,
+                debug=self.debug
            )
        elif type == 'rom-combined':
            stdout = self.openssl.x509_cert_rom_combined(
@ -140,7 +142,8 @@ class Entry_x509_cert(Entry_collection):
                hashval_sysfw_data=self.hashval_sysfw_data,
                sysfw_inner_cert_ext_boot_block=self.sysfw_inner_cert_ext_boot_block,
                dm_data_ext_boot_block=self.dm_data_ext_boot_block,
-                bootcore_opts=self.bootcore_opts
+                bootcore_opts=self.bootcore_opts,
+                debug=self.debug
            )
        if stdout is not None:
            data = tools.read_file(output_fname)