[u-boot PATCH 1/3] tools: binman: add ti-secure entry type

Roger Quadros rogerq at kernel.org
Mon May 9 09:29:34 CEST 2022


This entry type is used to create a secured binary
for use with K3 High Security (HS) devices.

This allows us to no longer depend on k3_fit_atf.sh for
A53 SPL and u-boot image generation for HS devices.

We still depend on the availability of an external
tool provided by the TI_SECURE_DEV_PKG environment
variable to secure the binaries.

Signed-off-by: Roger Quadros <rogerq at kernel.org>
---
 Makefile                            |  1 +
 tools/binman/entries.rst            | 15 ++++++++
 tools/binman/etype/ti_secure.py     | 59 +++++++++++++++++++++++++++++
 tools/binman/ftest.py               |  7 ++++
 tools/binman/test/225_ti_secure.dts | 14 +++++++
 5 files changed, 96 insertions(+)
 create mode 100644 tools/binman/etype/ti_secure.py
 create mode 100644 tools/binman/test/225_ti_secure.dts

diff --git a/Makefile b/Makefile
index ad83d60dc3..d9aac41d60 100644
--- a/Makefile
+++ b/Makefile
@@ -1328,6 +1328,7 @@ cmd_binman = $(srctree)/tools/binman/binman $(if $(BINMAN_DEBUG),-D) \
 		$(foreach f,$(BINMAN_INDIRS),-I $(f)) \
 		-a atf-bl31-path=${BL31} \
 		-a tee-os-path=${TEE} \
+		-a ti-secure-dev-pkg-path=${TI_SECURE_DEV_PKG} \
 		-a opensbi-path=${OPENSBI} \
 		-a default-dt=$(default_dt) \
 		-a scp-path=$(SCP) \
diff --git a/tools/binman/entries.rst b/tools/binman/entries.rst
index 484cde5c80..c9faad51b6 100644
--- a/tools/binman/entries.rst
+++ b/tools/binman/entries.rst
@@ -1788,3 +1788,18 @@ may be used instead.
 
 
 
+Entry: ti-secure: Entry containing a Secured binary blob
+--------------------------------------------------------
+
+Properties / Entry arguments:
+    - filename: Filename of file to sign and read into entry
+
+Texas Instruments High-Security (HS) devices need secure binaries to be
+provided. This entry uses an external tool to append a x509 certificate
+to the file provided in the filename property and places it in the entry.
+
+The path for the external tool is fetched from TI_SECURE_DEV_PKG
+environment variable.
+
+
+
diff --git a/tools/binman/etype/ti_secure.py b/tools/binman/etype/ti_secure.py
new file mode 100644
index 0000000000..86772994bc
--- /dev/null
+++ b/tools/binman/etype/ti_secure.py
@@ -0,0 +1,59 @@
+# SPDX-License-Identifier: GPL-2.0+
+# Copyright (c) 2022 Texas Instruments Incorporated - https://www.ti.com/
+#
+
+# Support for secure binaries for TI K3 platform
+
+from collections import OrderedDict
+import os
+
+from binman.entry import Entry, EntryArg
+
+from dtoc import fdt_util
+from patman import tools
+
+class Entry_ti_secure(Entry):
+    """An entry which contains a secure binary for High-Security (HS) device use.
+
+    Properties / Entry arguments:
+	- filename: filename of binary file to be secured
+
+    Output files:
+        - filename_HS - output file generated by secure uility (which is
+            used as the entry contents)
+
+    """
+    def __init__(self, section, etype, node):
+        super().__init__(section, etype, node)
+        self.filename = fdt_util.GetString(self._node, 'filename')
+        self.toolpresent = False
+        if not self.filename:
+            self.Raise("ti_secure must have a 'filename' property")
+        self.toolspath, = self.GetEntryArgsOrProps(
+            [EntryArg('ti-secure-dev-pkg-path', str)])
+        if not self.toolspath:
+            print("WARNING: TI_SECURE_DEV_PKG environment " \
+                  "variable must be defined for TI secure devices. " +
+                  self.filename + " was NOT secured!")
+            return
+
+        self.tool = self.toolspath + "/scripts/secure-binary-image.sh"
+        self.toolpresent = os.path.exists(self.tool)
+        if not self.toolpresent:
+            print(self.tool + " not found. " +
+                  self.filename + " was NOT secured!")
+
+    def ObtainContents(self):
+        input_fname = self.filename
+        output_fname =  input_fname + "_HS"
+        args = [
+            input_fname, output_fname,
+        ]
+        if self.toolpresent:
+            stdout = tools.Run(self.tool, *args)
+        else:
+            stdout = tools.Run('cp', *args)
+            print(output_fname + ' not secured!')
+
+        self.SetContents(tools.ReadFile(output_fname))
+        return True
diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py
index 8f00db6945..996e4d9aa6 100644
--- a/tools/binman/ftest.py
+++ b/tools/binman/ftest.py
@@ -91,6 +91,7 @@ SCP_DATA              = b'scp'
 TEST_FDT1_DATA        = b'fdt1'
 TEST_FDT2_DATA        = b'test-fdt2'
 ENV_DATA              = b'var1=1\nvar2="2"'
+TI_UNSECURE_DATA      = b'this is some unsecure data'
 
 # Subdirectory of the input dir to use to put test FDTs
 TEST_FDT_SUBDIR       = 'fdts'
@@ -201,6 +202,7 @@ class TestFunctional(unittest.TestCase):
                                       TEST_FDT2_DATA)
 
         TestFunctional._MakeInputFile('env.txt', ENV_DATA)
+        TestFunctional._MakeInputFile('ti_unsecure.bin', TI_UNSECURE_DATA)
 
         cls.have_lz4 = comp_util.HAVE_LZ4
 
@@ -5321,6 +5323,11 @@ fdt         fdtmap                Extract the devicetree blob from the fdtmap
         self.assertIn("Node '/binman/fit': Unknown operation 'unknown'",
                       str(exc.exception))
 
+    def testPackTisecure(self):
+        """Test that an image with a TI secured binary can be created"""
+        data = self._DoReadFile('225_ti_secure.dts')
+        securedata = tools.ReadFile('ti_unsecure.bin_HS')
+        self.assertGreater(len(securedata), len(data))
 
 if __name__ == "__main__":
     unittest.main()
diff --git a/tools/binman/test/225_ti_secure.dts b/tools/binman/test/225_ti_secure.dts
new file mode 100644
index 0000000000..1a9f4374f9
--- /dev/null
+++ b/tools/binman/test/225_ti_secure.dts
@@ -0,0 +1,14 @@
+// SPDX-License-Identifier: GPL-2.0+
+
+/dts-v1/;
+
+/ {
+	#address-cells = <1>;
+	#size-cells = <1>;
+
+	binman {
+		ti-secure {
+			filename = "ti_unsecure.bin";
+		};
+	};
+};
-- 
2.17.1



More information about the U-Boot mailing list