[PATCH 0/2] binman: Add support for ATF Firmware Image Package (FIP)

Simon Glass sjg at chromium.org
Wed Dec 1 17:51:08 CET 2021


Hi Sandrine,

On Wed, 1 Dec 2021 at 03:32, Sandrine Bailleux
<sandrine.bailleux at arm.com> wrote:
>
> Hi everyone,
>
> I am Sandrine Bailleux, from the Trusted Firmware-A project. Ilias
> Apalodimas CC'ed me on this thread.
>
> First of all, thanks for involving the TF-A developers in this thread
> and my apologies for the delay in responding.

Thank you for your response.

>
> On 11/25/21 6:01 PM, François Ozog wrote:
> > Hi Simon,
> >
> > On Thu, 25 Nov 2021 at 17:49, Simon Glass <sjg at chromium.org
> > <mailto:sjg at chromium.org>> wrote:
> >
> >     Hi François,
> >
> >     On Thu, 25 Nov 2021 at 08:11, François Ozog
> >     <francois.ozog at linaro.org <mailto:francois.ozog at linaro.org>> wrote:
> >     >
> >     > Hi Simon,
> >     >
> >     >
> >     >
> >     >
> >     > On Thu, 25 Nov 2021 at 15:47, Ilias Apalodimas
> >     <ilias.apalodimas at linaro.org <mailto:ilias.apalodimas at linaro.org>>
> >     wrote:
> >     >>
> >     >> +cc Sandrine
> >     >>
> >     >> On Thu, 25 Nov 2021 at 11:42, Ilias Apalodimas
> >     >> <ilias.apalodimas at linaro.org
> >     <mailto:ilias.apalodimas at linaro.org>> wrote:
> >     >> >
> >     >> > Hi Simon,
> >     >> >
> >     >> >
> >     >> > On Wed, 24 Nov 2021 at 06:09, Simon Glass <sjg at chromium.org
> >     <mailto:sjg at chromium.org>> wrote:
> >     >> > >
> >     >> > >
> >     >> > > This series adds support for the FIP format as used by ARM
> >     Trusted
> >     >> > > Firmware (in particular TF-A).
> >     >> > >
> >     >
> >     > I will use a question you use often "what problem are you trying
> >     to solve?". If FIP format is used it means that TF-A/BL2 is going to
> >     parse it and verify the hashes/signatures according to TF-A scheme.
> >     >
> >     > The packager will embed in a FIP components like Secure Monitor,
> >     Secure hypervisor, Secure partitions code and manifests.
> >     >
> >     > All in all, U-Boot will be representing a small percentage of the
> >     functionality offered by secure firmware  as a whole and it feels
> >     odd to make another implementation that is more "accessory" rather
> >     than critical for the U-Boot community. It may be a good idea but I
> >     wish you could explain it.
> >
> >     Here is a talk about Binman, its goals and how it works.
> >
> >     https://www.youtube.com/watch?v=L84ujgUXBOQ
> >
> >     Think of Binman as a separate tool that brings everything together. It
> >     has grown out of U-Boot, largely because U-Boot is the main firmware
> >     in most cases. Getting U-Boot to start up and boot successfully is the
> >     goal of this packaging process. There are lots of instructions in the
> >     tree and elsewhere about how to build an image comprising U-Boot and
> >     various binary blobs. Binman aims to provide documentation for that
> >     process and an image description that can be used to build an image
> >     reliably.
> >
> >     We are slowly converting these text instructions into an in-tree image
> >     description.
> >
> >     I believe that Binman can help bring order to the chaos that is
> >     otherwise only going to grow, with lots of shell scripts, manual
> >     instructions, obscure binary tools, etc. Binman brings everything
> >     together and makes it clear what is needing/missing to build an image.
> >
> >     >
> >     >> > > This allows images to be created containing a FIP, which
> >     itself contains
> >     >> > > various binaries. With this, image creation can be handled
> >     from an in-tree
> >     >> > > image description instead of needing to perform a lot of
> >     manual steps or
> >     >> > > custom scripts to build the FIP.
> >     >> > >
> >     >
> >     > That's not my experience of building a fip.  Packaging even Linux
> >     as a BL33 (instead of U-Boot) is very simple.
> >
> >     But not automatic. With Binman you don't need to worry about the
> >     packaging. It is done for you. You just need to find all the binary
> >     blobs that are needed.  This ability is quite important as firmware is
> >     fragmenting and getting very complicated these days.
> >
> >     Binman runs twice...once in the U-Boot tree to do a build and again
> >     later to repackage, put in a final fdtmap, add signatures and any
> >     final pieces needed.
> >
> >     See this patch for an example of complicated build instructions with
> >     Odroid-C2 (>10 binary blobs!) and how Binman can help (see the changes
> >     in the .rst file):
> >
> >     https://patchwork.ozlabs.org/project/uboot/patch/20211124040954.699821-8-sjg@chromium.org/
> >
> > That's indeed complicated! I can't comment whether this build process is
> > "canonical" as per TF-A standards so I'll let TF-A community comment.
> > Have you factored in the signature issues that Jan at Siemens has in the
> > overall process?
>
> I am a bit confused by the ask here. What input would you like from TF-A
> community? Are you asking for a code review or are you more interested
> in getting an opinion about adding support for FIP files in binman?

The latter.

>
> Regardless, I had a brief look at the patches and I have some early
> questions/comments.
>
> In the first patch, the commit message mentions that the tool parses the
> TF-A source code to get a list of supported UUIDs. However,
> tools/binman/fip_util.py seems to embed a hard-coded list of these
> UUIDs. I think I might be missing something there... Does it just mean
> that the said list was generated using some other script that parsed the
> TF-A code? Or does the tool really parse any TF-A code dynamically?

A bit of both. The tool allows creating a new version of itself with
the updates parsed from the source code. For anything other than local
use, a patch must be submitted to do the updates.

To run the tool::

    $ tools/binman/fip_util.py  -s /path/to/arm-trusted-firmware
    Warning: UUID 'UUID_NON_TRUSTED_WORLD_KEY_CERT' is not mentioned
in tbbr_config.c file
    Existing code in 'tools/binman/fip_util.py' is up-to-date

If it shows there is an update, it writes a new version of `fip_util.py`
to `fip_util.py.out`. You can change the output file using the `-i` flag.
If you have a problem, use `-D` to enable traceback debugging.c

You can see that in the docs in this patch:

http://patchwork.ozlabs.org/project/uboot/patch/20211123210849.2.Idf2f2a46d26cdecb56b6e9f40472f62fd062e346@changeid/

> As you may know, we sometimes add new image types in TF-A so I am just
> wondering how you intend to keep in sync with these changes and how
> automated the process would be.

See above.

>
> I second François' concerns about having 2 different implementations of
> fiptool, even if you're trying to solve different (or bigger) problems
> here. This could be confusing for users. Also, it is likely to generate
> maintenance work for both TF-A and U-boot projects.
>
> I am not saying the tool should stay within the TF-A project, though.
> It's been in the back of our minds for some time that this tool should
> have a life of its own, given that it packages more than just TF-A
> binaries, but also the normal world bootloader, secure payload, ...
> Also, I must admit that a python implementation looks better than a C
> implementation. Rewriting the tool in a scripting language has also been
> a goal of ours for a long time, although we never got round to do it.
>
> Simon, you've mentioned that binman has grown out of U-Boot. How
> independent is it from U-Boot right now? Are there lots of assumptions
> about U-Boot environment in it? Or is it already a general firmware
> image packager in your mind? I just want to explore the idea of
> replacing fiptool by binman in the future. I am sure we're not there
> yet, neither from TF-A perspective nor U-Boot, but I'd be keen on
> understanding how far we are. Also, this would need discussion with the
> broader TF-A community.

Binman is a general-purpose packaging tool. It has some specific
features for U-Boot, Chrome OS and coreboot so far. I think it could
cover TF-A's needs also.

A key point is that Binman has two related purposes:
- building an initial image, perhaps just for development/CI purposes
(no signatures, some blobs missing, etc.)
- building a production/real image when everything is available

This is a concept that I very much struggle to get across, the
difference between building things and packaging them. I believe it is
becoming increasingly important to make this distinction, as firmware
fragments.

Some people will prefer to have C tools instead of Python, but if that
is not a concern, then I believe Binman could be a good solution for
TF-A. A few nice properties are that it is easy to extend and has 100%
test coverage.

I would be happy to help with what TF-A needs here.

One last point is that Binman can provide an 'fdtmap' which is a full
image description. This can provide insight into every binary in the
image, whether it is in a FIP, FIT, CBFS or whatever. Binman happens
to support generating an FMAP (which is vaguely similar to FIP), which
could serve as a model for generating table-of-contents data in other
useful formats.

There is a talk here that might help to explain the goals better:

https://www.youtube.com/watch?v=L84ujgUXBOQ

This patch shows converting lots of shell commands into a binman definition:

https://patchwork.ozlabs.org/project/uboot/patch/20211124040954.699821-8-sjg@chromium.org/

Regards,
Simon


More information about the U-Boot mailing list