[v2 4/6] arm: socfpga: dts: soc64: Update filename in binman node of FIT image with VAB support

Lim, Elly Siew Chin elly.siew.chin.lim at intel.com
Fri Jan 8 06:19:14 CET 2021


Hi Simon,

> -----Original Message-----
> From: Simon Glass <sjg at chromium.org>
> Sent: Friday, January 8, 2021 11:24 AM
> To: Lim, Elly Siew Chin <elly.siew.chin.lim at intel.com>
> Cc: U-Boot Mailing List <u-boot at lists.denx.de>; Marek Vasut
> <marex at denx.de>; Tan, Ley Foon <ley.foon.tan at intel.com>; See, Chin Liang
> <chin.liang.see at intel.com>; Simon Goldschmidt
> <simon.k.r.goldschmidt at gmail.com>; Chee, Tien Fong
> <tien.fong.chee at intel.com>; Westergreen, Dalon
> <dalon.westergreen at intel.com>; Gan, Yau Wai <yau.wai.gan at intel.com>
> Subject: Re: [v2 4/6] arm: socfpga: dts: soc64: Update filename in binman node
> of FIT image with VAB support
> 
> Hi Slew Elly,
> 
> On Thu, 7 Jan 2021 at 17:57, Lim, Elly Siew Chin <elly.siew.chin.lim at intel.com>
> wrote:
> >
> > Hi Simon,
> >
> > > -----Original Message-----
> > > From: Simon Glass <sjg at chromium.org>
> > > Sent: Friday, January 8, 2021 12:22 AM
> > > To: Lim, Elly Siew Chin <elly.siew.chin.lim at intel.com>
> > > Cc: U-Boot Mailing List <u-boot at lists.denx.de>; Marek Vasut
> > > <marex at denx.de>; Tan, Ley Foon <ley.foon.tan at intel.com>; See, Chin
> > > Liang <chin.liang.see at intel.com>; Simon Goldschmidt
> > > <simon.k.r.goldschmidt at gmail.com>; Chee, Tien Fong
> > > <tien.fong.chee at intel.com>; Westergreen, Dalon
> > > <dalon.westergreen at intel.com>; Gan, Yau Wai <yau.wai.gan at intel.com>
> > > Subject: Re: [v2 4/6] arm: socfpga: dts: soc64: Update filename in
> > > binman node of FIT image with VAB support
> > >
> > > Hi Siew Chin,
> > >
> > > On Thu, 7 Jan 2021 at 07:13, Lim, Elly Siew Chin
> > > <elly.siew.chin.lim at intel.com>
> > > wrote:
> > > >
> > > > Hi Simon,
> > > >
> > > > > -----Original Message-----
> > > > > From: Simon Glass <sjg at chromium.org>
> > > > > Sent: Thursday, January 7, 2021 8:37 PM
> > > > > To: Lim, Elly Siew Chin <elly.siew.chin.lim at intel.com>
> > > > > Cc: U-Boot Mailing List <u-boot at lists.denx.de>; Marek Vasut
> > > > > <marex at denx.de>; Tan, Ley Foon <ley.foon.tan at intel.com>; See,
> > > > > Chin Liang <chin.liang.see at intel.com>; Simon Goldschmidt
> > > > > <simon.k.r.goldschmidt at gmail.com>; Chee, Tien Fong
> > > > > <tien.fong.chee at intel.com>; Westergreen, Dalon
> > > > > <dalon.westergreen at intel.com>; Gan, Yau Wai
> > > > > <yau.wai.gan at intel.com>
> > > > > Subject: Re: [v2 4/6] arm: socfpga: dts: soc64: Update filename
> > > > > in binman node of FIT image with VAB support
> > > > >
> > > > > On Thu, 7 Jan 2021 at 03:03, Siew Chin Lim
> > > > > <elly.siew.chin.lim at intel.com>
> > > > > wrote:
> > > > > >
> > > > > > FIT image of Vendor Authentication Coot (VAB) contains signed images.
> > > > > >
> > > > > > Signed-off-by: Siew Chin Lim <elly.siew.chin.lim at intel.com>
> > > > > > ---
> > > > > >  arch/arm/dts/socfpga_soc64_fit-u-boot.dtsi | 22
> > > > > > ++++++++++++++++++++++
> > > > > >  1 file changed, 22 insertions(+)
> > > > > >
> > > > >
> > > > > I'm not quite sure what is happening here, but consider using
> > > > > two separate files rather than what looks like a patch over an existing
> one.
> > > > >
> > > >
> > > > There are two boot flow will use binman
> > > > (socfpga_soc64_fit-u-boot.dtsi) to
> > > generate u-boot.fit and kernel.fit:
> > > >     1. socfpga_agilex_atf_defconfig (boot via ATF)
> > > >     2. socfpga_agilex_vab_defconfig (boot via ATF with VAB
> > > > enabled, support authentication on bl31, u-boot, Linux images)
> > > >
> > > > The binman node settings are the same for both flows. With VAB
> > > > enabled, all
> > > inputs file need to be signed before generate FIT image. We would
> > > like to use different input file name to remind user that they need
> > > to sign all bl31, u-boot, Linux images when using binman to generate FIT
> image.
> > > >
> > > > Due to the binman node settings are identical and only the file
> > > > name need to
> > > be different, so we prefer to share the same
> > > socfpga_soc64_fit-u-boot.dtsi for both flows.
> > >
> > > Reviewed-by: Simon Glass <sjg at chromium.org>
> > >
> > > OK I see.
> > >
> > > Who does the signing of the inputs? Is that something binman could/should
> do?
> >
> > In our case, we will provide user Intel proprietary tools to sign the image, and
> we have our signature format.
> > User need to follow the steps and sign the Images, and call binman to convert
> into FIT image.
> > I think maybe it is not suitable to incorporate any external proprietary tools
> into binman.
> 
> Possibly, although we already have quite a few. Is the tool secret or can it be
> downloaded from somewhere? If the latter, see how cbfstool is handled.

It is licensed software. 

> 
> Regards,
> Simon


More information about the U-Boot mailing list