script/sign.py: introduce --ta-version
Restores argument --version to script sign.py to allow the user to
set the trusted application version identifier in the signed
header of the TA binary image. This argument was removed by [1].
This change also renames argument into --ta-version to prevent
confusion with script or data structure versioning argument.
[1] commit 1cdd95a2a46d ("Support offline signing of TAs.")
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
diff --git a/scripts/sign.py b/scripts/sign.py
index cdbd784..af46de9 100755
--- a/scripts/sign.py
+++ b/scripts/sign.py
@@ -34,12 +34,12 @@
' command:\n' +
' sign Generate signed loadable TA image file.\n' +
- ' Takes arguments --uuid, --in, --out' +
+ ' Takes arguments --uuid, --ta-version, --in, --out' +
' and --key.\n' +
' digest Generate loadable TA binary image digest' +
' for offline\n' +
- ' signing. Takes arguments --uuid, --in and' +
- ' --dig.\n' +
+ ' signing. Takes arguments --uuid, --ta-version,' +
+ ' --in and --dig.\n' +
' stitch Generate loadable signed TA binary image' +
' file from\n' +
' TA raw image and its signature. Takes' +
@@ -70,6 +70,11 @@
parser.add_argument('--key', required=True,
help='Name of key file (PEM format)')
parser.add_argument(
+ '--ta-version', required=False, type=int_parse, default=0,
+ help='TA version stored as a 32-bit unsigned integer and used for\n' +
+ 'rollback protection of TA install in the secure database.\n' +
+ 'Defaults to 0.')
+ parser.add_argument(
'--sig', required=False, dest='sigf',
help='Name of signature input file, defaults to <UUID>.sig')
parser.add_argument(
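Review bot: The new `--ta-version` option documents a 32-bit unsigned range but nothing in the hunk enforces it; `int_parse` is defined outside the hunk, and if it only converts the string, a negative or >0xFFFFFFFF value would be accepted here and only fail later (or not at all) where the header is packed, which matters for a field the help text ties to rollback protection. A cheap, explicit check right after argument parsing would be `if not 0 <= args.ta_version <= 0xFFFFFFFF:` followed by `parser.error('--ta-version must be a 32-bit unsigned integer')`, or the same range check inside a dedicated `type=` callable so argparse reports it. Separately, the `\n` characters embedded in the help string are collapsed by argparse's default HelpFormatter, so the three-line layout will not survive in `--help` output unless the parser uses RawTextHelpFormatter (not visible here).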
@@ -142,10 +147,12 @@
sig_len = ceil_div(key.size() + 1, 8)
img_size = len(img)
- hdr_version = 0 # SHDR_VERSION (always 0)
+ hdr_version = args.ta_version # struct shdr_bootstrap_ta::ta_version
+
magic = 0x4f545348 # SHDR_MAGIC
img_type = 1 # SHDR_BOOTSTRAP_TA
algo = 0x70004830 # TEE_ALG_RSASSA_PKCS1_V1_5_SHA256
+
shdr = struct.pack('<IIIIHH',
magic, img_type, img_size, algo, digest_len, sig_len)
shdr_uuid = args.uuid.bytes
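Review bot: The local is still named `hdr_version` although it now holds `args.ta_version`, the per-TA version written to `shdr_bootstrap_ta::ta_version` rather than the signed-header format version; the commit message itself renames the option to avoid exactly this confusion, so the variable should follow: `ta_version = args.ta_version  # struct shdr_bootstrap_ta::ta_version`, with the later use updated accordingly. The value is not part of the `shdr` pack shown in the hunk, so it is presumably consumed further down in the enclosing function, which continues outside this hunk; that use site is where a wrong name is most likely to mislead a future reader. Worth a one-line note there too that the default of 0 provides no rollback ordering until callers start passing real versions.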