[u-boot PATCH 1/3] tools: binman: add ti-secure entry type
Roger Quadros
rogerq at kernel.org
Mon May 9 09:29:34 CEST 2022
This entry type is used to create a secured binary
for use with K3 High Security (HS) devices.
This allows us to no longer depend on k3_fit_atf.sh for
A53 SPL and u-boot image generation for HS devices.
We still depend on the availability of an external
tool provided by the TI_SECURE_DEV_PKG environment
variable to secure the binaries.
Signed-off-by: Roger Quadros <rogerq at kernel.org>
---
Makefile | 1 +
tools/binman/entries.rst | 15 ++++++++
tools/binman/etype/ti_secure.py | 59 +++++++++++++++++++++++++++++
tools/binman/ftest.py | 7 ++++
tools/binman/test/225_ti_secure.dts | 14 +++++++
5 files changed, 96 insertions(+)
create mode 100644 tools/binman/etype/ti_secure.py
create mode 100644 tools/binman/test/225_ti_secure.dts
diff --git a/Makefile b/Makefile
index ad83d60dc3..d9aac41d60 100644
--- a/Makefile
+++ b/Makefile
@@ -1328,6 +1328,7 @@ cmd_binman = $(srctree)/tools/binman/binman $(if $(BINMAN_DEBUG),-D) \
$(foreach f,$(BINMAN_INDIRS),-I $(f)) \
-a atf-bl31-path=${BL31} \
-a tee-os-path=${TEE} \
+ -a ti-secure-dev-pkg-path=${TI_SECURE_DEV_PKG} \
-a opensbi-path=${OPENSBI} \
-a default-dt=$(default_dt) \
-a scp-path=$(SCP) \
diff --git a/tools/binman/entries.rst b/tools/binman/entries.rst
index 484cde5c80..c9faad51b6 100644
--- a/tools/binman/entries.rst
+++ b/tools/binman/entries.rst
@@ -1788,3 +1788,18 @@ may be used instead.
+Entry: ti-secure: Entry containing a Secured binary blob
+--------------------------------------------------------
+
+Properties / Entry arguments:
+ - filename: Filename of file to sign and read into entry
+
+Texas Instruments High-Security (HS) devices need secure binaries to be
+provided. This entry uses an external tool to append a x509 certificate
+to the file provided in the filename property and places it in the entry.
+
+The path for the external tool is fetched from TI_SECURE_DEV_PKG
+environment variable.
+
+
+
diff --git a/tools/binman/etype/ti_secure.py b/tools/binman/etype/ti_secure.py
new file mode 100644
index 0000000000..86772994bc
--- /dev/null
+++ b/tools/binman/etype/ti_secure.py
@@ -0,0 +1,59 @@
+# SPDX-License-Identifier: GPL-2.0+
+# Copyright (c) 2022 Texas Instruments Incorporated - https://www.ti.com/
+#
+
+# Support for secure binaries for TI K3 platform
+
+from collections import OrderedDict
+import os
+
+from binman.entry import Entry, EntryArg
+
+from dtoc import fdt_util
+from patman import tools
+
+class Entry_ti_secure(Entry):
+ """An entry which contains a secure binary for High-Security (HS) device use.
+
+ Properties / Entry arguments:
+ - filename: filename of binary file to be secured
+
+ Output files:
+ - filename_HS - output file generated by secure uility (which is
+ used as the entry contents)
+
+ """
+ def __init__(self, section, etype, node):
+ super().__init__(section, etype, node)
+ self.filename = fdt_util.GetString(self._node, 'filename')
+ self.toolpresent = False
+ if not self.filename:
+ self.Raise("ti_secure must have a 'filename' property")
+ self.toolspath, = self.GetEntryArgsOrProps(
+ [EntryArg('ti-secure-dev-pkg-path', str)])
+ if not self.toolspath:
+ print("WARNING: TI_SECURE_DEV_PKG environment " \
+ "variable must be defined for TI secure devices. " +
+ self.filename + " was NOT secured!")
+ return
+
+ self.tool = self.toolspath + "/scripts/secure-binary-image.sh"
+ self.toolpresent = os.path.exists(self.tool)
+ if not self.toolpresent:
+ print(self.tool + " not found. " +
+ self.filename + " was NOT secured!")
+
+ def ObtainContents(self):
+ input_fname = self.filename
+ output_fname = input_fname + "_HS"
+ args = [
+ input_fname, output_fname,
+ ]
+ if self.toolpresent:
+ stdout = tools.Run(self.tool, *args)
+ else:
+ stdout = tools.Run('cp', *args)
+ print(output_fname + ' not secured!')
+
+ self.SetContents(tools.ReadFile(output_fname))
+ return True
diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py
index 8f00db6945..996e4d9aa6 100644
--- a/tools/binman/ftest.py
+++ b/tools/binman/ftest.py
@@ -91,6 +91,7 @@ SCP_DATA = b'scp'
TEST_FDT1_DATA = b'fdt1'
TEST_FDT2_DATA = b'test-fdt2'
ENV_DATA = b'var1=1\nvar2="2"'
+TI_UNSECURE_DATA = b'this is some unsecure data'
# Subdirectory of the input dir to use to put test FDTs
TEST_FDT_SUBDIR = 'fdts'
@@ -201,6 +202,7 @@ class TestFunctional(unittest.TestCase):
TEST_FDT2_DATA)
TestFunctional._MakeInputFile('env.txt', ENV_DATA)
+ TestFunctional._MakeInputFile('ti_unsecure.bin', TI_UNSECURE_DATA)
cls.have_lz4 = comp_util.HAVE_LZ4
@@ -5321,6 +5323,11 @@ fdt fdtmap Extract the devicetree blob from the fdtmap
self.assertIn("Node '/binman/fit': Unknown operation 'unknown'",
str(exc.exception))
+ def testPackTisecure(self):
+ """Test that an image with a TI secured binary can be created"""
+ data = self._DoReadFile('225_ti_secure.dts')
+ securedata = tools.ReadFile('ti_unsecure.bin_HS')
+ self.assertGreater(len(securedata), len(data))
if __name__ == "__main__":
unittest.main()
diff --git a/tools/binman/test/225_ti_secure.dts b/tools/binman/test/225_ti_secure.dts
new file mode 100644
index 0000000000..1a9f4374f9
--- /dev/null
+++ b/tools/binman/test/225_ti_secure.dts
@@ -0,0 +1,14 @@
+// SPDX-License-Identifier: GPL-2.0+
+
+/dts-v1/;
+
+/ {
+ #address-cells = <1>;
+ #size-cells = <1>;
+
+ binman {
+ ti-secure {
+ filename = "ti_unsecure.bin";
+ };
+ };
+};
--
2.17.1
More information about the U-Boot
mailing list