[U-Boot] [RFC 9/9] ti: omap-common: Update to generate secure FIT

Simon Glass sjg at chromium.org
Tue Jun 21 00:40:10 CEST 2016 

+Masahiro for the Makefile question

Hi Andreas,

On 17 June 2016 at 10:13, Andreas Dannenberg <dannenberg at ti.com> wrote:
> Hi Simon,
> many thanks for your feedback on the series... I know it takes a lot of
> effort to digest all that stuff. We'll see how we can tackle the
> feedback one by one and send out an updated series.
>
> Regarding this patch, please see below...
>
> On Thu, Jun 16, 2016 at 09:52:52PM -0600, Simon Glass wrote:
>> Hi Andreas,
>>
>> On 15 June 2016 at 13:26, Andreas Dannenberg <dannenberg at ti.com> wrote:
>> > From: Daniel Allred <d-allred at ti.com>
>> >
>> > Adds commands so that when a secure device is in use and the SPL is
>> > built to load a FIT image (with combined u-boot binary and various
>> > DTBs), these components that get fed into the FIT are all processed to
>> > be signed/encrypted/etc. as per the operations performed by the
>> > secure-binary-image script of the TI SECDEV package.
>> >
>> > Signed-off-by: Daniel Allred <d-allred at ti.com>
>> > Signed-off-by: Andreas Dannenberg <dannenberg at ti.com>
>> > ---
>> >  arch/arm/cpu/armv7/omap-common/config_secure.mk | 57 ++++++++++++++++++++++++-
>> >  arch/arm/cpu/armv7/omap5/config.mk              |  3 ++
>> >  2 files changed, 58 insertions(+), 2 deletions(-)
>>
>> Reviewed-by: Simon Glass <sjg at chromium.org>
>>
>> But please can you add a README for this somewhere?
>>
>> Also, can this tool be added to U-Boot instead of being external?
>
> Yes we will definitely enhance the readme in the PATCH version, this
> wasn't quite ready yet by the time we submitted the RFC.
>
> Also regarding the external singing/encryption tool this is only
> available from TI under NDA after customers engage with TI just like the
> high-secure (HS) devices themselves (you can't just buy them on
> Digi-Key). Personally I hope that we eventually lower this barrier of
> entry (and this has been brought up more than once) but as many things
> in the corporate world there is a complex decision process behind it. So
> until this strategy changes (if ever) our poor developer's hands are
> tied. All we can do for now is trying to allow this external tool to get
> hooked into the U-Boot build process in the easiest way possible which
> is already done today by way of the $TI_SECURE_DEV_PKG environmental
> variable during SPL build.

OK. That's odd because it should be the keys that are secure, not the
tool! If anything, the tool should have as many eyes on it as
possible.

>
>> >
>> > diff --git a/arch/arm/cpu/armv7/omap-common/config_secure.mk b/arch/arm/cpu/armv7/omap-common/config_secure.mk
>> > index c7bb101..c4514ad 100644
>> > --- a/arch/arm/cpu/armv7/omap-common/config_secure.mk
>> > +++ b/arch/arm/cpu/armv7/omap-common/config_secure.mk
>> > @@ -12,8 +12,8 @@ cmd_mkomapsecimg = $(TI_SECURE_DEV_PKG)/scripts/create-boot-image.sh \
>> >         $(if $(KBUILD_VERBOSE:1=), >/dev/null)
>> >  else
>> >  cmd_mkomapsecimg = $(TI_SECURE_DEV_PKG)/scripts/create-boot-image.sh \
>> > -    $(patsubst u-boot_HS_%,%,$(@F)) $< $@ $(CONFIG_ISW_ENTRY_ADDR) \
>> > -    $(if $(KBUILD_VERBOSE:1=), >/dev/null)
>> > +       $(patsubst u-boot_HS_%,%,$(@F)) $< $@ $(CONFIG_ISW_ENTRY_ADDR) \
>> > +       $(if $(KBUILD_VERBOSE:1=), >/dev/null)
>> >  endif
>> >  else
>> >  cmd_mkomapsecimg = echo "WARNING:" \
>> > @@ -25,6 +25,26 @@ cmd_mkomapsecimg = echo "WARNING: TI_SECURE_DEV_PKG environment" \
>> >         "variable must be defined for TI secure devices. $@ was NOT created!"
>> >  endif
>> >
>> > +ifdef CONFIG_SPL_LOAD_FIT
>> > +quiet_cmd_omapsecureimg = SECURE  $@
>> > +ifneq ($(TI_SECURE_DEV_PKG),)
>> > +ifneq ($(wildcard $(TI_SECURE_DEV_PKG)/scripts/secure-binary-image.sh),)
>> > +cmd_omapsecureimg = $(TI_SECURE_DEV_PKG)/scripts/secure-binary-image.sh \
>> > +       $< $@ \
>> > +       $(if $(KBUILD_VERBOSE:1=), >/dev/null)
>> > +else
>> > +cmd_omapsecureimg = echo "WARNING:" \
>> > +       "$(TI_SECURE_DEV_PKG)/scripts/secure-binary-image.sh not found." \
>> > +       "$@ was NOT created!"; cp $< $@
>> > +endif
>> > +else
>> > +cmd_omapsecureimg = echo "WARNING: TI_SECURE_DEV_PKG environment" \
>> > +       "variable must be defined for TI secure devices." \
>> > +       "$@ was NOT created!"; cp $< $@
>> > +endif
>> > +endif
>> > +
>> > +
>> >  # Standard X-LOADER target (QPSI, NOR flash)
>> >  u-boot-spl_HS_X-LOADER: $(obj)/u-boot-spl.bin
>> >         $(call if_changed,mkomapsecimg)
>> > @@ -64,3 +84,36 @@ u-boot-spl_HS_SPI_X-LOADER: $(obj)/u-boot-spl.bin
>> >  # the mkomapsecimg command looks for a u-boot-HS_* prefix
>> >  u-boot_HS_XIP_X-LOADER: $(obj)/u-boot.bin
>> >         $(call if_changed,mkomapsecimg)
>> > +
>> > +# For supporting the SPL loading and interpreting
>> > +# of FIT images whose components are pre-processed
>> > +# before being integrated into the FIT image in order
>> > +# to secure them in some way
>> > +ifdef CONFIG_SPL_LOAD_FIT
>> > +
>> > +MKIMAGEFLAGS_u-boot_HS.img = -f auto -A $(ARCH) -T firmware -C none -O u-boot \
>> > +       -a $(CONFIG_SYS_TEXT_BASE) -e $(CONFIG_SYS_UBOOT_START) \
>> > +       -n "U-Boot $(UBOOTRELEASE) for $(BOARD) board" -E \
>> > +       $(patsubst %,-b arch/$(ARCH)/dts/%.dtb,$(subst ",,$(CONFIG_OF_LIST)))
>> > +
>> > +OF_LIST_TARGETS = $(patsubst %,arch/$(ARCH)/dts/%.dtb,$(subst ",,$(CONFIG_OF_LIST)))
>> > +$(OF_LIST_TARGETS): dtbs
>> > +
>> > +%_HS.dtb: %.dtb
>> > +       $(call if_changed,omapsecureimg)
>> > +       $(Q)if [ -f $@ ]; then \
>> > +               cp -f $@ $<; \
>> > +       fi
>> > +
>> > +u-boot-nodtb_HS.bin: u-boot-nodtb.bin
>> > +       $(call if_changed,omapsecureimg)
>> > +
>> > +u-boot_HS.img: u-boot-nodtb_HS.bin u-boot.img $(patsubst %.dtb,%_HS.dtb,$(OF_LIST_TARGETS))
>> > +       $(call if_changed,mkimage)
>> > +       $(Q)if [ -f $@ ]; then \
>> > +               cp -f $@ u-boot.img; \
>> > +       fi
>> > +
>> > +.NOTPARALLEL: dtbs
>>
>> Why is that needed?
>
> Good catch! This issue actually caused me a fair amount of grief when
> running into it. During development we found the build process works
> with make -j1 but would fail for parallel builds (like make -j8) with
> the following error....
>
> ----------------------->8---------------------------
> $ make mrproper
> $ make dra7xx_hs_evm_defconfig
> $ make -j8
> ....
>   LD      u-boot
>   OBJCOPY u-boot-nodtb.bin
>   OBJCOPY u-boot.srec
>   SYM     u-boot.sym
>   DTC     arch/arm/dts/dra72-evm.dtb
>   DTC     arch/arm/dts/dra7-evm.dtb
>   DTC     arch/arm/dts/dra72-evm.dtb
>   DTC     arch/arm/dts/dra7-evm.dtb
> Error: arch/arm/dts/dra7-evm.dts:492.15-16 syntax error
> FATAL ERROR: Unable to parse input tree
> make[2]: *** [arch/arm/dts/dra7-evm.dtb] Error 1
> make[2]: *** Waiting for unfinished jobs....
> Error: arch/arm/dts/dra72-evm.dts:149.26-150.2 syntax error
> FATAL ERROR: Unable to parse input tree
> make[2]: *** [arch/arm/dts/dra72-evm.dtb] Error 1
> make[1]: *** [arch-dtbs] Error 2
> make: *** [dtbs] Error 2
> make: *** Waiting for unfinished jobs....
>   SHIPPED dts/dt.dtb
> ----------------------->8---------------------------

Probably you are missing a dependency somewhere - but the failure to
parse is odd. What is it missing?

>
> However with the .NOTPARALLEL: dtbs line included it works. Also when
> doing make a second time it works as well (clearly that's not a
> solution:)
>
> On my quest trying to digest/root cause this I concluded that this may
> be caused by the DTB files somehow getting compiled twice (see snippet).
> This in combination with the fact that we post-process files like
> dta7-evm.dtb (signing them) and creating new DTB files with the same
> name (like dra7-evm.dtb) replacing the old ones causes issues during the
> DTB compile step.

Yes I think it is better to create new files, since otherwise the
build system can't determine which version of the file it should
target...it assumes a single version as I understand it.

>
> Now I'm not a make guru but I tried to clean up the dependency chain as
> good as I can but could not get it to the point where each DTB file is
> only build once which most likely would allow us getting rid of
> NOPARALLEL.
>
> On a related note we wanted to keep the same names for the DTB files
> (rather than turning dra7-evm.dtb into dra7-evm-sec.dtb for example, as
> I had it initially) since it's important as they get bundled into the
> u-boot.img FIT blob so that they can be later matched by the SPL to a
> board. But it appears like that trying to keep the same names despite
> the additional signing step seems to complicate things from a make
> perspective.

Yes - best to create a new u-boot-sec.img I think.

>
> If you or anybody else has any smart suggestion how to address this in
> a better way I'd love to hear about it.

Masahiro is the expert, but my ideas are above.

Regards,
Simon

More information about the U-Boot mailing list