[U-Boot] [PATCH 5/7] arm: mach-k3: Add secure device build support
Tom Rini
trini at konsulko.com
Sat Feb 16 22:18:46 UTC 2019
On Fri, Feb 15, 2019 at 05:43:32PM +0530, Lokesh Vutla wrote:
>
>
> On 2/15/2019 4:25 AM, Andrew F. Davis wrote:
> > On 2/13/19 9:46 PM, Lokesh Vutla wrote:
> >>
> >>
> >> On 14/02/19 12:07 AM, Andrew F. Davis wrote:
> >>> K3 HS devices require signed binaries for boot, use the SECDEV tools
> >>> to sign the boot artifacts during build.
> >>>
> >>> Signed-off-by: Andrew F. Davis <afd at ti.com>
> >>> ---
> >>> MAINTAINERS | 1 +
> >>> arch/arm/mach-k3/config.mk | 25 ++++++++++++++++++
> >>> arch/arm/mach-k3/config_secure.mk | 44 +++++++++++++++++++++++++++++++
> >>> tools/k3_fit_atf.sh | 8 ++++--
> >>> 4 files changed, 76 insertions(+), 2 deletions(-)
> >>> create mode 100644 arch/arm/mach-k3/config_secure.mk
> >>>
> >>> diff --git a/MAINTAINERS b/MAINTAINERS
> >>> index 18cdca9447..ac6bd8cfca 100644
> >>> --- a/MAINTAINERS
> >>> +++ b/MAINTAINERS
> >>> @@ -717,6 +717,7 @@ F: arch/arm/mach-omap2/omap5/sec_entry_cpu1.S
> >>> F: arch/arm/mach-omap2/sec-common.c
> >>> F: arch/arm/mach-omap2/config_secure.mk
> >>> F: arch/arm/mach-k3/security.c
> >>> +F: arch/arm/mach-k3/config_secure.mk
> >>> F: configs/am335x_hs_evm_defconfig
> >>> F: configs/am335x_hs_evm_uart_defconfig
> >>> F: configs/am43xx_hs_evm_defconfig
> >>> diff --git a/arch/arm/mach-k3/config.mk b/arch/arm/mach-k3/config.mk
> >>> index be00d79fb0..2d8f61f9db 100644
> >>> --- a/arch/arm/mach-k3/config.mk
> >>> +++ b/arch/arm/mach-k3/config.mk
> >>> @@ -36,6 +36,14 @@ cmd_gencert = cat $(srctree)/tools/k3_x509template.txt | sed $(SED_OPTS) > u-boo
> >>> # If external key is not provided, generate key using openssl.
> >>> ifeq ($(CONFIG_SYS_K3_KEY), "")
> >>> KEY=u-boot-spl-eckey.pem
> >>> +# On HS use real key or warn if not available
> >>> +ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
> >>> +ifneq ($(wildcard $(TI_SECURE_DEV_PKG)/keys/custMpk.pem),)
> >>> +KEY=$(TI_SECURE_DEV_PKG)/keys/custMpk.pem
> >>> +else
> >>> +$(warning "WARNING: signing key not found. Random key will NOT work on HS hardware!")
> >>> +endif
> >>> +endif
> >>> else
> >>> KEY=$(patsubst "%",$(srctree)/%,$(CONFIG_SYS_K3_KEY))
> >>> endif
> >>> @@ -65,6 +73,15 @@ ALL-y += tiboot3.bin
> >>> endif
> >>>
> >>> ifdef CONFIG_ARM64
> >>> +ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
> >>> +SPL_ITS := u-boot-spl-k3_HS.its
> >>> +$(SPL_ITS): FORCE
> >>> + IS_HS=1 \
> >>> + $(srctree)/tools/k3_fit_atf.sh \
> >>> + $(patsubst %,$(obj)/dts/%.dtb,$(subst ",,$(CONFIG_SPL_OF_LIST))) > $@
> >>> +
> >>> +ALL-y += tispl.bin_HS
> >>> +else
> >>> SPL_ITS := u-boot-spl-k3.its
> >>> $(SPL_ITS): FORCE
> >>> $(srctree)/tools/k3_fit_atf.sh \
> >>> @@ -72,7 +89,15 @@ $(SPL_ITS): FORCE
> >>>
> >>> ALL-y += tispl.bin
> >>> endif
> >>> +endif
> >>> +
> >>> +else
> >>>
> >>> +ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
> >>> +ALL-y += u-boot.img_HS
> >>> else
> >>> ALL-y += u-boot.img
> >>> endif
> >>> +endif
> >>> +
> >>> +include $(srctree)/arch/arm/mach-k3/config_secure.mk
> >>> diff --git a/arch/arm/mach-k3/config_secure.mk b/arch/arm/mach-k3/config_secure.mk
> >>> new file mode 100644
> >>> index 0000000000..6d63c57665
> >>> --- /dev/null
> >>> +++ b/arch/arm/mach-k3/config_secure.mk
> >>> @@ -0,0 +1,44 @@
> >>> +# SPDX-License-Identifier: GPL-2.0
> >>> +#
> >>> +# Copyright (C) 2018 Texas Instruments, Incorporated - http://www.ti.com/
> >>> +# Andrew F. Davis <afd at ti.com>
> >>> +
> >>> +quiet_cmd_k3secureimg = SECURE $@
> >>> +ifneq ($(TI_SECURE_DEV_PKG),)
> >>> +ifneq ($(wildcard $(TI_SECURE_DEV_PKG)/scripts/secure-binary-image.sh),)
> >>> +cmd_k3secureimg = $(TI_SECURE_DEV_PKG)/scripts/secure-binary-image.sh \
> >>> + $< $@ \
> >>> + $(if $(KBUILD_VERBOSE:1=), >/dev/null)
> >>> +else
> >>> +cmd_k3secureimg = echo "WARNING:" \
> >>> + "$(TI_SECURE_DEV_PKG)/scripts/secure-binary-image.sh not found." \
> >>> + "$@ was NOT secured!"; cp $< $@
> >>> +endif
> >>> +else
> >>> +cmd_k3secureimg = echo "WARNING: TI_SECURE_DEV_PKG environment" \
> >>> + "variable must be defined for TI secure devices." \
> >>> + "$@ was NOT secured!"; cp $< $@
> >>> +endif
> >>> +
> >>> +%.dtb_HS: %.dtb FORCE
> >>> + $(call if_changed,k3secureimg)
> >>> +
> >>> +$(obj)/u-boot-spl-nodtb.bin_HS: $(obj)/u-boot-spl-nodtb.bin FORCE
> >>> + $(call if_changed,k3secureimg)
> >>> +
> >>> +tispl.bin_HS: $(obj)/u-boot-spl-nodtb.bin_HS $(patsubst %,$(obj)/dts/%.dtb_HS,$(subst ",,$(CONFIG_SPL_OF_LIST))) $(SPL_ITS) FORCE
> >>> + $(call if_changed,mkfitimage)
> >>> +
> >>> +MKIMAGEFLAGS_u-boot.img_HS = -f auto -A $(ARCH) -T firmware -C none -O u-boot \
> >>> + -a $(CONFIG_SYS_TEXT_BASE) -e $(CONFIG_SYS_UBOOT_START) \
> >>> + -n "U-Boot $(UBOOTRELEASE) for $(BOARD) board" -E \
> >>> + $(patsubst %,-b arch/$(ARCH)/dts/%.dtb_HS,$(subst ",,$(CONFIG_OF_LIST)))
> >>
> >> I guess these HS postfixed dtbs will never get cleaned. I see the same issue
> >> with other TI secure devices as well. Can you update the clean rules as well?
> >>
> >
> > tiboot3.bin and tispl.bin also don't seem to be getting cleaned. I tried
>
> Yeah, these should be cleaned as well.
>
> > adding them to clean-files and CLEAN_FILES, neither worked. Outside of
>
> looks like clean-files is relative to the current directory. You can
> update arch/arm/dts/Makefile but it might be very generic.
>
> Tom, any suggestions to clean files in this case?
I guess we need to update clean-files in arch/arm/dts/Makefile then,
yes.
--
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20190216/11ac90bb/attachment.sig>
More information about the U-Boot
mailing list