Add cmake script to update otp.json from privateaes.bin #536

Merged
merged 1 commit into from
Oct 1, 2024
12 changes: 11 additions & 1 deletion bootloaders/encrypted/CMakeLists.txt
@@ -4,6 +4,17 @@ add_executable(enc_bootloader
aes.S
)

# Add command to update otp.json if privateaes.bin changes
add_custom_command(OUTPUT ${CMAKE_CURRENT_LIST_DIR}/otp.json
COMMAND ${CMAKE_COMMAND} -P "${CMAKE_CURRENT_LIST_DIR}/update-key.cmake"
DEPENDS ${CMAKE_CURRENT_LIST_DIR}/privateaes.bin)
# Copy that otp.json file to build directory
add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/otp.json
COMMAND ${CMAKE_COMMAND} -E copy "${CMAKE_CURRENT_LIST_DIR}/otp.json" "${CMAKE_CURRENT_BINARY_DIR}/otp.json"
DEPENDS ${CMAKE_CURRENT_LIST_DIR}/otp.json)
add_custom_target(otp_json DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/otp.json)
add_dependencies(enc_bootloader otp_json)

# pull in common dependencies
target_link_libraries(enc_bootloader pico_stdlib pico_rand)

@@ -39,7 +50,6 @@ endfunction()
add_linker_script(enc_bootloader "0x20070000" "64k")

# configure otp output
configure_file(${CMAKE_CURRENT_LIST_DIR}/otp.json ${CMAKE_CURRENT_BINARY_DIR}/otp.json COPYONLY)
pico_set_otp_key_output_file(enc_bootloader ${CMAKE_CURRENT_BINARY_DIR}/otp.json)

# sign, hash, and clear SRAM
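Review bot: The first `add_custom_command` declares `${CMAKE_CURRENT_LIST_DIR}/otp.json` as its OUTPUT, so the build rewrites a tracked source file with whatever key is in privateaes.bin; once a real key is in use, that key material sits in the working tree where it is easy to commit by accident. Because the file is a declared build output, a clean step may also delete it (generator-dependent), after which update-key.cmake has nothing to read. I would keep the checked-in otp.json as a read-only template and generate straight into the build directory, which also removes the separate copy step; update-key.cmake would then have to write to the path passed in (the `OTP_JSON_OUT` name below is only a suggestion). Listing update-key.cmake and the template in DEPENDS and adding VERBATIM keeps the rule from going stale when either changes.

```cmake
# Generate otp.json in the build tree from the tracked template and the key file
add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/otp.json
    COMMAND ${CMAKE_COMMAND}
        -DOTP_JSON_OUT=${CMAKE_CURRENT_BINARY_DIR}/otp.json
        -P "${CMAKE_CURRENT_LIST_DIR}/update-key.cmake"
    DEPENDS ${CMAKE_CURRENT_LIST_DIR}/privateaes.bin
            ${CMAKE_CURRENT_LIST_DIR}/otp.json
            ${CMAKE_CURRENT_LIST_DIR}/update-key.cmake
    VERBATIM)
# … unchanged: add_custom_target(otp_json …) and add_dependencies(enc_bootloader otp_json) …
```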
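--- a/bootloaders/encrypted/otp.json
+++ b/bootloaders/encrypted/otp.json
@@ -1,78 +1,46 @@
 {
-"30:0": {
-"ecc": true,
-"value": [
-"0x00",
-"0x01",
-"0x02",
-"0x03",
-"0x04",
-"0x05",
-"0x06",
-"0x07",
-"0x08",
-"0x09",
-"0x0a",
-"0x0b",
-"0x0c",
-"0x0d",
-"0x0e",
-"0x0f",
-"0x00",
-"0x10",
-"0x20",
-"0x30",
-"0x40",
-"0x50",
-"0x60",
-"0x70",
-"0x80",
-"0x90",
-"0xA0",
-"0xB0",
-"0xC0",
-"0xD0",
-"0xE0",
-"0xF0"
-]
-},
-"OTP_DATA_KEY1": [
-0,
-0,
-1,
-1,
-2,
-2,
-3,
-3,
-4,
-4,
-5,
-5,
-6,
-6,
-7,
-7
-],
-"OTP_DATA_KEY1_VALID": "0x010101",
-"OTP_DATA_KEY2": [
-7,
-7,
-6,
-6,
-5,
-5,
-4,
-4,
-3,
-3,
-2,
-2,
-1,
-1,
-0,
-0
-],
-"OTP_DATA_KEY2_VALID": "0x010101",
-"PAGE30_LOCK0": "0x4a4a4a"
-}
+"30:0" :
+{
+"ecc" : true,
+"value" :
+[
+"0x00",
+"0x01",
+"0x02",
+"0x03",
+"0x04",
+"0x05",
+"0x06",
+"0x07",
+"0x08",
+"0x09",
+"0x0a",
+"0x0b",
+"0x0c",
+"0x0d",
+"0x0e",
+"0x0f",
+"0x00",
+"0x10",
+"0x20",
+"0x30",
+"0x40",
+"0x50",
+"0x60",
+"0x70",
+"0x80",
+"0x90",
+"0xa0",
+"0xb0",
+"0xc0",
+"0xd0",
+"0xe0",
+"0xf0"
+]
+},
+"OTP_DATA_KEY1" : [ 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6, 7, 7 ],
+"OTP_DATA_KEY1_VALID" : "0x010101",
+"OTP_DATA_KEY2" : [ 7, 7, 6, 6, 5, 5, 4, 4, 3, 3, 2, 2, 1, 1, 0, 0 ],
+"OTP_DATA_KEY2_VALID" : "0x010101",
+"PAGE30_LOCK0" : "0x4a4a4a"
+}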
23 changes: 23 additions & 0 deletions bootloaders/encrypted/update-key.cmake
@@ -0,0 +1,23 @@
if (CMAKE_VERSION VERSION_LESS 3.19)
# Check if keyfile is not the default, and print warning
file(READ ${CMAKE_CURRENT_LIST_DIR}/privateaes.bin key_file HEX)
if (NOT ${key_file} STREQUAL "000102030405060708090a0b0c0d0e0f00102030405060708090a0b0c0d0e0f0")
message(WARNING
"Encrypted bootloader AES key not updated in otp.json file, as CMake version is < 3.19"
Contributor


maybe this should be a fatal error?

Contributor Author


If this is a fatal error then I don't think it will work if the key file has been changed with older CMake versions, as this script gets run whenever the file is changed (and on first build), and on older CMake versions it has no way to parse the JSON file to check if the key in the JSON file matches the privateaes.bin file

" - you will need to change the key in otp.json manually and re-run the build"
)
endif()
else()
# Read the JSON file.
file(READ ${CMAKE_CURRENT_LIST_DIR}/otp.json json_string)
# Read the key file
file(READ ${CMAKE_CURRENT_LIST_DIR}/privateaes.bin key_file HEX)

# adds '0x' prefix, comma suffix, and quotes for every byte
string(REGEX REPLACE "([0-9a-f][0-9a-f])" "\"0x\\1\", " key_file ${key_file})
set(key_file_json "[${key_file}]")

string(JSON json_string SET ${json_string} "30:0" "value" ${key_file_json})

file(WRITE ${CMAKE_CURRENT_LIST_DIR}/otp.json ${json_string})
endif()
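Review bot: In the `else()` branch the key bytes go from privateaes.bin into otp.json with no length check, so a truncated or oversized key file silently produces a `value` array of the wrong size in data destined for OTP. Assuming the 32-byte size of the default key shown here (64 hex characters) is the required size, a guard right after `file(READ ... HEX)` would catch this: `string(LENGTH "${key_file}" key_hex_len)` followed by `if (NOT key_hex_len EQUAL 64)` and `message(FATAL_ERROR "privateaes.bin must be exactly 32 bytes")`. The expansions in `if (NOT ${key_file} STREQUAL ...)`, `string(JSON json_string SET ${json_string} ...)` and `file(WRITE ... ${json_string})` are also unquoted; an empty key file turns the `if` into a malformed condition, and writing `"${key_file}"` and `"${json_string}"` avoids that. The regex replacement leaves a trailing comma inside `[...]`, which appears to rely on the JSON parser being lenient.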