[U-Boot] [PATCH 5/7] arm: mach-k3: Add secure device build support

Andrew F. Davis afd at ti.com
Mon Feb 18 13:05:12 UTC 2019 

On 2/16/19 4:18 PM, Tom Rini wrote:
> On Fri, Feb 15, 2019 at 05:43:32PM +0530, Lokesh Vutla wrote:
>>
>>
>> On 2/15/2019 4:25 AM, Andrew F. Davis wrote:
>>> On 2/13/19 9:46 PM, Lokesh Vutla wrote:
>>>>
>>>>
>>>> On 14/02/19 12:07 AM, Andrew F. Davis wrote:
>>>>> K3 HS devices require signed binaries for boot, use the SECDEV tools
>>>>> to sign the boot artifacts during build.
>>>>>
>>>>> Signed-off-by: Andrew F. Davis <afd at ti.com>
>>>>> ---
>>>>>  MAINTAINERS                       |  1 +
>>>>>  arch/arm/mach-k3/config.mk        | 25 ++++++++++++++++++
>>>>>  arch/arm/mach-k3/config_secure.mk | 44 +++++++++++++++++++++++++++++++
>>>>>  tools/k3_fit_atf.sh               |  8 ++++--
>>>>>  4 files changed, 76 insertions(+), 2 deletions(-)
>>>>>  create mode 100644 arch/arm/mach-k3/config_secure.mk
>>>>>
>>>>> diff --git a/MAINTAINERS b/MAINTAINERS
>>>>> index 18cdca9447..ac6bd8cfca 100644
>>>>> --- a/MAINTAINERS
>>>>> +++ b/MAINTAINERS
>>>>> @@ -717,6 +717,7 @@ F:	arch/arm/mach-omap2/omap5/sec_entry_cpu1.S
>>>>>  F:	arch/arm/mach-omap2/sec-common.c
>>>>>  F:	arch/arm/mach-omap2/config_secure.mk
>>>>>  F:	arch/arm/mach-k3/security.c
>>>>> +F:	arch/arm/mach-k3/config_secure.mk
>>>>>  F:	configs/am335x_hs_evm_defconfig
>>>>>  F:	configs/am335x_hs_evm_uart_defconfig
>>>>>  F:	configs/am43xx_hs_evm_defconfig
>>>>> diff --git a/arch/arm/mach-k3/config.mk b/arch/arm/mach-k3/config.mk
>>>>> index be00d79fb0..2d8f61f9db 100644
>>>>> --- a/arch/arm/mach-k3/config.mk
>>>>> +++ b/arch/arm/mach-k3/config.mk
>>>>> @@ -36,6 +36,14 @@ cmd_gencert = cat $(srctree)/tools/k3_x509template.txt | sed $(SED_OPTS) > u-boo
>>>>>  # If external key is not provided, generate key using openssl.
>>>>>  ifeq ($(CONFIG_SYS_K3_KEY), "")
>>>>>  KEY=u-boot-spl-eckey.pem
>>>>> +# On HS use real key or warn if not available
>>>>> +ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
>>>>> +ifneq ($(wildcard $(TI_SECURE_DEV_PKG)/keys/custMpk.pem),)
>>>>> +KEY=$(TI_SECURE_DEV_PKG)/keys/custMpk.pem
>>>>> +else
>>>>> +$(warning "WARNING: signing key not found. Random key will NOT work on HS hardware!")
>>>>> +endif
>>>>> +endif
>>>>>  else
>>>>>  KEY=$(patsubst "%",$(srctree)/%,$(CONFIG_SYS_K3_KEY))
>>>>>  endif
>>>>> @@ -65,6 +73,15 @@ ALL-y	+= tiboot3.bin
>>>>>  endif
>>>>>  
>>>>>  ifdef CONFIG_ARM64
>>>>> +ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
>>>>> +SPL_ITS := u-boot-spl-k3_HS.its
>>>>> +$(SPL_ITS): FORCE
>>>>> +	IS_HS=1 \
>>>>> +	$(srctree)/tools/k3_fit_atf.sh \
>>>>> +	$(patsubst %,$(obj)/dts/%.dtb,$(subst ",,$(CONFIG_SPL_OF_LIST))) > $@
>>>>> +
>>>>> +ALL-y	+= tispl.bin_HS
>>>>> +else
>>>>>  SPL_ITS := u-boot-spl-k3.its
>>>>>  $(SPL_ITS): FORCE
>>>>>  	$(srctree)/tools/k3_fit_atf.sh \
>>>>> @@ -72,7 +89,15 @@ $(SPL_ITS): FORCE
>>>>>  
>>>>>  ALL-y	+= tispl.bin
>>>>>  endif
>>>>> +endif
>>>>> +
>>>>> +else
>>>>>  
>>>>> +ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
>>>>> +ALL-y	+= u-boot.img_HS
>>>>>  else
>>>>>  ALL-y	+= u-boot.img
>>>>>  endif
>>>>> +endif
>>>>> +
>>>>> +include $(srctree)/arch/arm/mach-k3/config_secure.mk
>>>>> diff --git a/arch/arm/mach-k3/config_secure.mk b/arch/arm/mach-k3/config_secure.mk
>>>>> new file mode 100644
>>>>> index 0000000000..6d63c57665
>>>>> --- /dev/null
>>>>> +++ b/arch/arm/mach-k3/config_secure.mk
>>>>> @@ -0,0 +1,44 @@
>>>>> +# SPDX-License-Identifier: GPL-2.0
>>>>> +#
>>>>> +# Copyright (C) 2018 Texas Instruments, Incorporated - http://www.ti.com/
>>>>> +#	Andrew F. Davis <afd at ti.com>
>>>>> +
>>>>> +quiet_cmd_k3secureimg = SECURE  $@
>>>>> +ifneq ($(TI_SECURE_DEV_PKG),)
>>>>> +ifneq ($(wildcard $(TI_SECURE_DEV_PKG)/scripts/secure-binary-image.sh),)
>>>>> +cmd_k3secureimg = $(TI_SECURE_DEV_PKG)/scripts/secure-binary-image.sh \
>>>>> +	$< $@ \
>>>>> +	$(if $(KBUILD_VERBOSE:1=), >/dev/null)
>>>>> +else
>>>>> +cmd_k3secureimg = echo "WARNING:" \
>>>>> +	"$(TI_SECURE_DEV_PKG)/scripts/secure-binary-image.sh not found." \
>>>>> +	"$@ was NOT secured!"; cp $< $@
>>>>> +endif
>>>>> +else
>>>>> +cmd_k3secureimg = echo "WARNING: TI_SECURE_DEV_PKG environment" \
>>>>> +	"variable must be defined for TI secure devices." \
>>>>> +	"$@ was NOT secured!"; cp $< $@
>>>>> +endif
>>>>> +
>>>>> +%.dtb_HS: %.dtb FORCE
>>>>> +	$(call if_changed,k3secureimg)
>>>>> +
>>>>> +$(obj)/u-boot-spl-nodtb.bin_HS: $(obj)/u-boot-spl-nodtb.bin FORCE
>>>>> +	$(call if_changed,k3secureimg)
>>>>> +
>>>>> +tispl.bin_HS: $(obj)/u-boot-spl-nodtb.bin_HS $(patsubst %,$(obj)/dts/%.dtb_HS,$(subst ",,$(CONFIG_SPL_OF_LIST))) $(SPL_ITS) FORCE
>>>>> +	$(call if_changed,mkfitimage)
>>>>> +
>>>>> +MKIMAGEFLAGS_u-boot.img_HS = -f auto -A $(ARCH) -T firmware -C none -O u-boot \
>>>>> +	-a $(CONFIG_SYS_TEXT_BASE) -e $(CONFIG_SYS_UBOOT_START) \
>>>>> +	-n "U-Boot $(UBOOTRELEASE) for $(BOARD) board" -E \
>>>>> +	$(patsubst %,-b arch/$(ARCH)/dts/%.dtb_HS,$(subst ",,$(CONFIG_OF_LIST)))
>>>>
>>>> I guess these HS postfixed dtbs will never get cleaned. I see the same issue
>>>> with other TI secure devices as well. Can you update the clean rules as well?
>>>>
>>>
>>> tiboot3.bin and tispl.bin also don't seem to be getting cleaned. I tried
>>
>> Yeah, these should be cleaned as well.
>>
>>> adding them to clean-files and CLEAN_FILES, neither worked. Outside of
>>
>> looks like clean-files is relative to the current directory. You can
>> update arch/arm/dts/Makefile but it might be very generic.
>>
>> Tom, any suggestions to clean files in this case?
> 
> I guess we need to update clean-files in arch/arm/dts/Makefile then,
> yes.
> 

Then I will update that for all our extra artifacts in a separate patch
on top of this series.

Thanks,
Andrew

More information about the U-Boot mailing list