[U-Boot] [PATCH 5/7] arm: mach-k3: Add secure device build support
Andrew F. Davis
afd at ti.com
Thu Feb 14 22:55:03 UTC 2019
On 2/13/19 9:46 PM, Lokesh Vutla wrote:
>
>
> On 14/02/19 12:07 AM, Andrew F. Davis wrote:
>> K3 HS devices require signed binaries for boot, use the SECDEV tools
>> to sign the boot artifacts during build.
>>
>> Signed-off-by: Andrew F. Davis <afd at ti.com>
>> ---
>> MAINTAINERS | 1 +
>> arch/arm/mach-k3/config.mk | 25 ++++++++++++++++++
>> arch/arm/mach-k3/config_secure.mk | 44 +++++++++++++++++++++++++++++++
>> tools/k3_fit_atf.sh | 8 ++++--
>> 4 files changed, 76 insertions(+), 2 deletions(-)
>> create mode 100644 arch/arm/mach-k3/config_secure.mk
>>
>> diff --git a/MAINTAINERS b/MAINTAINERS
>> index 18cdca9447..ac6bd8cfca 100644
>> --- a/MAINTAINERS
>> +++ b/MAINTAINERS
>> @@ -717,6 +717,7 @@ F: arch/arm/mach-omap2/omap5/sec_entry_cpu1.S
>> F: arch/arm/mach-omap2/sec-common.c
>> F: arch/arm/mach-omap2/config_secure.mk
>> F: arch/arm/mach-k3/security.c
>> +F: arch/arm/mach-k3/config_secure.mk
>> F: configs/am335x_hs_evm_defconfig
>> F: configs/am335x_hs_evm_uart_defconfig
>> F: configs/am43xx_hs_evm_defconfig
>> diff --git a/arch/arm/mach-k3/config.mk b/arch/arm/mach-k3/config.mk
>> index be00d79fb0..2d8f61f9db 100644
>> --- a/arch/arm/mach-k3/config.mk
>> +++ b/arch/arm/mach-k3/config.mk
>> @@ -36,6 +36,14 @@ cmd_gencert = cat $(srctree)/tools/k3_x509template.txt | sed $(SED_OPTS) > u-boo
>> # If external key is not provided, generate key using openssl.
>> ifeq ($(CONFIG_SYS_K3_KEY), "")
>> KEY=u-boot-spl-eckey.pem
>> +# On HS use real key or warn if not available
>> +ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
>> +ifneq ($(wildcard $(TI_SECURE_DEV_PKG)/keys/custMpk.pem),)
>> +KEY=$(TI_SECURE_DEV_PKG)/keys/custMpk.pem
>> +else
>> +$(warning "WARNING: signing key not found. Random key will NOT work on HS hardware!")
>> +endif
>> +endif
>> else
>> KEY=$(patsubst "%",$(srctree)/%,$(CONFIG_SYS_K3_KEY))
>> endif
>> @@ -65,6 +73,15 @@ ALL-y += tiboot3.bin
>> endif
>>
>> ifdef CONFIG_ARM64
>> +ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
>> +SPL_ITS := u-boot-spl-k3_HS.its
>> +$(SPL_ITS): FORCE
>> + IS_HS=1 \
>> + $(srctree)/tools/k3_fit_atf.sh \
>> + $(patsubst %,$(obj)/dts/%.dtb,$(subst ",,$(CONFIG_SPL_OF_LIST))) > $@
>> +
>> +ALL-y += tispl.bin_HS
>> +else
>> SPL_ITS := u-boot-spl-k3.its
>> $(SPL_ITS): FORCE
>> $(srctree)/tools/k3_fit_atf.sh \
>> @@ -72,7 +89,15 @@ $(SPL_ITS): FORCE
>>
>> ALL-y += tispl.bin
>> endif
>> +endif
>> +
>> +else
>>
>> +ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
>> +ALL-y += u-boot.img_HS
>> else
>> ALL-y += u-boot.img
>> endif
>> +endif
>> +
>> +include $(srctree)/arch/arm/mach-k3/config_secure.mk
>> diff --git a/arch/arm/mach-k3/config_secure.mk b/arch/arm/mach-k3/config_secure.mk
>> new file mode 100644
>> index 0000000000..6d63c57665
>> --- /dev/null
>> +++ b/arch/arm/mach-k3/config_secure.mk
>> @@ -0,0 +1,44 @@
>> +# SPDX-License-Identifier: GPL-2.0
>> +#
>> +# Copyright (C) 2018 Texas Instruments, Incorporated - http://www.ti.com/
>> +# Andrew F. Davis <afd at ti.com>
>> +
>> +quiet_cmd_k3secureimg = SECURE $@
>> +ifneq ($(TI_SECURE_DEV_PKG),)
>> +ifneq ($(wildcard $(TI_SECURE_DEV_PKG)/scripts/secure-binary-image.sh),)
>> +cmd_k3secureimg = $(TI_SECURE_DEV_PKG)/scripts/secure-binary-image.sh \
>> + $< $@ \
>> + $(if $(KBUILD_VERBOSE:1=), >/dev/null)
>> +else
>> +cmd_k3secureimg = echo "WARNING:" \
>> + "$(TI_SECURE_DEV_PKG)/scripts/secure-binary-image.sh not found." \
>> + "$@ was NOT secured!"; cp $< $@
>> +endif
>> +else
>> +cmd_k3secureimg = echo "WARNING: TI_SECURE_DEV_PKG environment" \
>> + "variable must be defined for TI secure devices." \
>> + "$@ was NOT secured!"; cp $< $@
>> +endif
>> +
>> +%.dtb_HS: %.dtb FORCE
>> + $(call if_changed,k3secureimg)
>> +
>> +$(obj)/u-boot-spl-nodtb.bin_HS: $(obj)/u-boot-spl-nodtb.bin FORCE
>> + $(call if_changed,k3secureimg)
>> +
>> +tispl.bin_HS: $(obj)/u-boot-spl-nodtb.bin_HS $(patsubst %,$(obj)/dts/%.dtb_HS,$(subst ",,$(CONFIG_SPL_OF_LIST))) $(SPL_ITS) FORCE
>> + $(call if_changed,mkfitimage)
>> +
>> +MKIMAGEFLAGS_u-boot.img_HS = -f auto -A $(ARCH) -T firmware -C none -O u-boot \
>> + -a $(CONFIG_SYS_TEXT_BASE) -e $(CONFIG_SYS_UBOOT_START) \
>> + -n "U-Boot $(UBOOTRELEASE) for $(BOARD) board" -E \
>> + $(patsubst %,-b arch/$(ARCH)/dts/%.dtb_HS,$(subst ",,$(CONFIG_OF_LIST)))
>
> I guess these HS postfixed dtbs will never get cleaned. I see the same issue
> with other TI secure devices as well. Can you update the clean rules as well?
>
tiboot3.bin and tispl.bin also don't seem to be getting cleaned. I tried
adding them to clean-files and CLEAN_FILES, neither worked. Outside of
manually deleting them on an appended clean rule I don't know what the
recommended trick is for this.
> Thanks and regards,
> Lokesh
>
>> +
>> +OF_LIST_TARGETS = $(patsubst %,arch/$(ARCH)/dts/%.dtb,$(subst ",,$(CONFIG_OF_LIST)))
>> +$(OF_LIST_TARGETS): dtbs
>> +
>> +u-boot-nodtb.bin_HS: u-boot-nodtb.bin FORCE
>> + $(call if_changed,k3secureimg)
>> +
>> +u-boot.img_HS: u-boot-nodtb.bin_HS u-boot.img $(patsubst %.dtb,%.dtb_HS,$(OF_LIST_TARGETS)) FORCE
>> + $(call if_changed,mkimage)
>> diff --git a/tools/k3_fit_atf.sh b/tools/k3_fit_atf.sh
>> index 430b5ca616..4e9f69c087 100755
>> --- a/tools/k3_fit_atf.sh
>> +++ b/tools/k3_fit_atf.sh
>> @@ -21,6 +21,10 @@ if [ ! -f $TEE ]; then
>> TEE=/dev/null
>> fi
>>
>> +if [ ! -z "$IS_HS" ]; then
>> + HS_APPEND=_HS
>> +fi
>> +
>> cat << __HEADER_EOF
>> /dts-v1/;
>>
>> @@ -51,7 +55,7 @@ cat << __HEADER_EOF
>> };
>> spl {
>> description = "SPL (64-bit)";
>> - data = /incbin/("spl/u-boot-spl-nodtb.bin");
>> + data = /incbin/("spl/u-boot-spl-nodtb.bin$HS_APPEND");
>> type = "standalone";
>> os = "U-Boot";
>> arch = "arm64";
>> @@ -66,7 +70,7 @@ do
>> cat << __FDT_IMAGE_EOF
>> $(basename $dtname) {
>> description = "$(basename $dtname .dtb)";
>> - data = /incbin/("$dtname");
>> + data = /incbin/("$dtname$HS_APPEND");
>> type = "flat_dt";
>> arch = "arm";
>> compression = "none";
>>
More information about the U-Boot
mailing list