[PATCH v5 5/6] fwu: DeveloperBox: add support for FWU
Etienne Carriere
etienne.carriere at linaro.org
Tue Apr 11 19:09:53 CEST 2023
Hello Jassi,
On Tue, 11 Apr 2023 at 01:04, <jaswinder.singh at linaro.org> wrote:
>
> From: Jassi Brar <jaswinder.singh at linaro.org>
>
> Add code to support FWU_MULTI_BANK_UPDATE.
> The platform does not have gpt-partition storage for
> Banks and MetaData, rather it used SPI-NOR backed
> mtd regions for the purpose.
>
I think you should mention this change enables EFI secure boot.
> Signed-off-by: Jassi Brar <jaswinder.singh at linaro.org>
> ---
> board/socionext/developerbox/Makefile | 1 +
> board/socionext/developerbox/developerbox.c | 8 +
> board/socionext/developerbox/fwu_plat.c | 37 +++++
> configs/synquacer_developerbox_defconfig | 8 +
> doc/board/socionext/developerbox.rst | 155 +++++++++++++++++++-
> include/configs/synquacer.h | 10 ++
> 6 files changed, 213 insertions(+), 6 deletions(-)
> create mode 100644 board/socionext/developerbox/fwu_plat.c
>
> diff --git a/board/socionext/developerbox/Makefile b/board/socionext/developerbox/Makefile
> index 4a46de995a..1acd067a7e 100644
> --- a/board/socionext/developerbox/Makefile
> +++ b/board/socionext/developerbox/Makefile
> @@ -7,3 +7,4 @@
> #
>
> obj-y := developerbox.o
> +obj-$(CONFIG_FWU_MDATA_MTD) += fwu_plat.o
> diff --git a/board/socionext/developerbox/developerbox.c b/board/socionext/developerbox/developerbox.c
> index 16e14d4f7f..ce2cccf4f0 100644
> --- a/board/socionext/developerbox/developerbox.c
> +++ b/board/socionext/developerbox/developerbox.c
> @@ -20,6 +20,13 @@
>
> #if IS_ENABLED(CONFIG_EFI_HAVE_CAPSULE_SUPPORT)
> struct efi_fw_image fw_images[] = {
> +#if CONFIG_IS_ENABLED(FWU_MULTI_BANK_UPDATE)
> + {
> + .image_type_id = DEVELOPERBOX_FIP_IMAGE_GUID,
> + .fw_name = u"DEVELOPERBOX-FIP",
> + .image_index = 1,
> + },
> +#else
> {
> .image_type_id = DEVELOPERBOX_UBOOT_IMAGE_GUID,
> .fw_name = u"DEVELOPERBOX-UBOOT",
> @@ -35,6 +42,7 @@ struct efi_fw_image fw_images[] = {
> .fw_name = u"DEVELOPERBOX-OPTEE",
> .image_index = 3,
> },
> +#endif
> };
>
> struct efi_capsule_update_info update_info = {
> diff --git a/board/socionext/developerbox/fwu_plat.c b/board/socionext/developerbox/fwu_plat.c
> new file mode 100644
> index 0000000000..e5dae0ff11
> --- /dev/null
> +++ b/board/socionext/developerbox/fwu_plat.c
> @@ -0,0 +1,37 @@
> +// SPDX-License-Identifier: GPL-2.0-or-later
> +/*
> + * Copyright (c) 2023, Linaro Limited
> + */
> +
> +#include <efi_loader.h>
> +#include <fwu.h>
> +#include <fwu_mdata.h>
> +#include <memalign.h>
> +#include <mtd.h>
> +
> +#define DFU_ALT_BUF_LEN 256
> +
> +/* Generate dfu_alt_info from partitions */
> +void set_dfu_alt_info(char *interface, char *devstr)
> +{
> + int ret;
> + struct mtd_info *mtd;
> +
> + ALLOC_CACHE_ALIGN_BUFFER(char, buf, DFU_ALT_BUF_LEN);
ALLOC_CACHE_ALIGN_BUFFER() should be used within local variable
definitions at block entry. Prefer:
+ ALLOC_CACHE_ALIGN_BUFFER(char, buf, DFU_ALT_BUF_LEN);
+ struct mtd_info *mtd;
+ int ret;
+
> + memset(buf, 0, sizeof(buf));
> +
> + mtd_probe_devices();
> +
> + mtd = get_mtd_device_nm("nor1");
> + if (IS_ERR_OR_NULL(mtd))
> + return;
> +
> + ret = fwu_gen_alt_info_from_mtd(buf, DFU_ALT_BUF_LEN, mtd);
> + if (ret < 0) {
> + log_err("Error: Failed to generate dfu_alt_info. (%d)\n", ret);
> + return;
> + }
> + log_debug("Make dfu_alt_info: '%s'\n", buf);
> +
> + env_set("dfu_alt_info", buf);
> +}
> diff --git a/configs/synquacer_developerbox_defconfig b/configs/synquacer_developerbox_defconfig
> index 09e12b739b..d09684153a 100644
> --- a/configs/synquacer_developerbox_defconfig
> +++ b/configs/synquacer_developerbox_defconfig
> @@ -97,3 +97,11 @@ CONFIG_EFI_RUNTIME_UPDATE_CAPSULE=y
> CONFIG_EFI_CAPSULE_ON_DISK=y
> CONFIG_EFI_IGNORE_OSINDICATIONS=y
> CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y
> +CONFIG_EFI_SECURE_BOOT=y
> +CONFIG_FWU_MULTI_BANK_UPDATE=y
> +CONFIG_FWU_MDATA=y
> +CONFIG_FWU_MDATA_MTD=y
> +CONFIG_FWU_NUM_BANKS=2
> +CONFIG_FWU_NUM_IMAGES_PER_BANK=1
> +CONFIG_CMD_FWU_METADATA=y
> +CONFIG_TOOLS_MKFWUMDATA=y
> diff --git a/doc/board/socionext/developerbox.rst b/doc/board/socionext/developerbox.rst
> index 2d943c23be..908d3a7e6f 100644
> --- a/doc/board/socionext/developerbox.rst
> +++ b/doc/board/socionext/developerbox.rst
> @@ -57,14 +57,20 @@ Installation
>
> You can install the SNI_NOR_UBOOT.fd via NOR flash writer.
>
> -Flashing the U-Boot image on DeveloperBox requires a 96boards UART mezzanine or other mezzanine which can connect to LS-UART0 port.
> -Connect USB cable from host to the LS-UART0 and set DSW2-7 to ON, and turn the board on again. The flash writer program will be started automatically; don’t forget to turn the DSW2-7 off again after flashing.
> +Flashing the U-Boot image on DeveloperBox requires a 96boards UART mezzanine
> +or other mezzanine which can connect to LS-UART0 port.
nitpicking: ...to **the** LS-UART0..
> +Connect USB cable from host to the LS-UART0 and set DSW2-7 to ON, and turn the
> +board on again. The flash writer program will be started automatically;
> +don't forget to turn the DSW2-7 off again after flashing.
>
> -*!!CAUTION!! If you failed to write the U-Boot image on wrong address, the board can be bricked. See below page if you need to recover the bricked board. See the following page for more detail*
> +*!!CAUTION!! If you write the U-Boot image on wrong address, the board can
> +be bricked. See below page if you need to recover the bricked board. See
> +the following page for more detail*
s/detail/details/
>
> https://www.96boards.org/documentation/enterprise/developerbox/installation/board-recovery.md.html
>
> -When the serial flasher is running correctly is will show the following boot messages shown via LS-UART0::
> +When the serial flasher is running correctly is will show the following boot
s/is/it/
> +messages shown via LS-UART0::
I would replace "shown via" with "printed to LS-UART0 console".
>
>
> /*------------------------------------------*/
> @@ -81,7 +87,144 @@ Once the flasher tool is running we are ready flash the UEFI image::
> flash rawwrite 200000 100000
> >> Send SPI_NOR_UBOOT.fd via XMODEM (Control-A S in minicom) <<
>
> -*!!NOTE!! The flasher command parameter is different from the command for board recovery. U-Boot uses the offset 200000 (2-five-0, 2M in hex) and the size 100000 (1-five-0, 1M in hex).*
> +*!!NOTE!! The flasher command parameter is different from the command for
> +board recovery. U-Boot uses the offset 200000 (2-five-0, 2M in hex) and the
> +size 100000 (1-five-0, 1M in hex).*
>
> -After transferring the SPI_NOR_UBOOT.fd, turn off the DSW2-7 and reset the board.
> +After transferring the SPI_NOR_UBOOT.fd, turn off the DSW2-7 and
> +reset the board.
>
> +
> +Enable FWU Multi Bank Update
> +============================
> +
> +DeveloperBox supports the FWU Multi Bank Update. You *MUST* update both
> +*SCP firmware* and *TF-A* for this feature. This will change the layout and
Youmlean SCP-firmware and TF-A **and U-Boot**?
> +the boot process but you can switch back to the normal one by changing
> +the DSW 1-4 off.
> +
> +Configure U-Boot
> +----------------
> +
> +To enable the FWU Multi Bank Update on the DeveloperBox, you need to add
> +following configurations to configs/synquacer_developerbox_defconfig ::
Actually this change already updates defconfig file. Maybe:
- you need to add following configurations to
configs/synquacer_developerbox_defconfig
+ Board configs/synquacer_developerbox_defconfig enables default FWU
+ configuration:
> +
> + CONFIG_FWU_MULTI_BANK_UPDATE=y
> + CONFIG_FWU_MDATA=y
> + CONFIG_FWU_MDATA_MTD=y
> + CONFIG_FWU_NUM_BANKS=2
> + CONFIG_FWU_NUM_IMAGES_PER_BANK=1
> + CONFIG_CMD_FWU_METADATA=y
> +
> +And build it::
> +
> + cd u-boot/
> + export ARCH=arm64
> + export CROSS_COMPILE=aarch64-linux-gnu-
> + make synquacer_developerbox_defconfig
> + make -j `noproc`
> + cd ../
> +
> +By default, the CONFIG_FWU_NUM_BANKS and CONFIG_FWU_NUM_IMAGES_PER_BANKS are
> +set to 2 and 1 respectively. This uses FIP (Firmware Image Package) type image
> +which contains TF-A, U-Boot and OP-TEE (the OP-TEE is optional.)
s/.)/)./
> +You can use fiptool to compose the FIP image from those firmware images.
> +
> +Rebuild SCP firmware
> +--------------------
> +
> +Rebuild SCP firmware which supports FWU Multi Bank Update as below::
> +
> + cd SCP-firmware/
> + OUT=./build/product/synquacer
> + ROMFW_FILE=$OUT/scp_romfw/$SCP_BUILD_MODE/bin/scp_romfw.bin
> + RAMFW_FILE=$OUT/scp_ramfw/$SCP_BUILD_MODE/bin/scp_ramfw.bin
> + ROMRAMFW_FILE=scp_romramfw_release.bin
> +
> + make CC=arm-none-eabi-gcc PRODUCT=synquacer MODE=release
> + tr "\000" "\377" < /dev/zero | dd of=${ROMRAMFW_FILE} bs=1 count=196608
> + dd if=${ROMFW_FILE} of=${ROMRAMFW_FILE} bs=1 conv=notrunc seek=0
> + dd if=${RAMFW_FILE} of=${ROMRAMFW_FILE} bs=1 seek=65536
> + cd ../
> +
> +And you can get the `scp_romramfw_release.bin` file
Add a period '.'
> +
> +Rebuild OPTEE firmware
> +----------------------
> +
> +Rebuild OPTEE to use in new-layout fip as below::
s/fip/FIP/g
> +
> + cd optee_os/
> + make -j`nproc` PLATFORM=synquacer ARCH=arm \
> + CROSS_COMPILE64=aarch64-linux-gnu- CFG_ARM64_core=y \
> + CFG_CRYPTO_WITH_CE=y CFG_CORE_HEAP_SIZE=524288 CFG_CORE_DYN_SHM=y \
> + CFG_CORE_ARM64_PA_BITS=48 CFG_TEE_CORE_LOG_LEVEL=1 CFG_TEE_TA_LOG_LEVEL=1
> + cp out/arm-plat-synquacer/core/tee-pager_v2.bin ../arm-trusted-firmware/
> +
> +The produced `tee-pager_v2.bin` is to be used while building TF-A next.
> +
> +
> +Rebuild TF-A and FIP
> +--------------------
> +
> +Rebuild TF-A which supports FWU Multi Bank Update as below::
> +
> + cd arm-trusted-firmware/
> + make CROSS_COMPILE=aarch64-linux-gnu- -j`nproc` PLAT=synquacer \
> + TRUSTED_BOARD_BOOT=1 SPD=opteed SQ_RESET_TO_BL2=1 GENERATE_COT=1 \
> + MBEDTLS_DIR=../mbedtls BL32=tee-pager_v2.bin \
> + BL33=../u-boot/u-boot.bin all fip fiptool
> +
> +And make a FIP image.::
> +
> + cp build/synquacer/release/fip.bin SPI_NOR_NEWFIP.fd
> + tools/fiptool/fiptool update --tb-fw build/synquacer/release/bl2.bin SPI_NOR_NEWFIP.fd
> +
> +UUIDs for the FWU Multi Bank Update
> +-----------------------------------
> +
> +FWU multi-bank update requires some UUIDs. The DeveloperBox platform uses
> +following UUIDs.
> +
> + - Location UUID for the FIP image: 17e86d77-41f9-4fd7-87ec-a55df9842de5
> + - Image type UUID for the FIP image: 10c36d7d-ca52-b843-b7b9-f9d6c501d108
> + - Image UUID for Bank0 : 5a66a702-99fd-4fef-a392-c26e261a2828
> + - Image UUID for Bank1 : a8f868a1-6e5c-4757-878d-ce63375ef2c0
> +
> +These UUIDs are used for making a FWU metadata image.
> +
> +u-boot$ ./tools/mkfwumdata -i 1 -b 2 \
> + 17e86d77-41f9-4fd7-87ec-a55df9842de5,10c36d7d-ca52-b843-b7b9-f9d6c501d108,5a66a702-99fd-4fef-a392-c26e261a2828,a8f868a1-6e5c-4757-878d-ce63375ef2c0 \
> + ../devbox-fwu-mdata.img
> +
> +Create Accept & Revert capsules
> +
> +u-boot$ ./tools/mkeficapsule -A -g 7d6dc310-52ca-43b8-b7b9-f9d6c501d108 NEWFIP_accept.Cap
> +u-boot$ ./tools/mkeficapsule -R NEWFIP_revert.Cap
> +
> +Install via flash writer
> +------------------------
> +
> +As explained in above section, the new FIP image and the FWU metadata image
> +can be installed via NOR flash writer. Note that the installation offsets for
> +the FWU multi bank update supported firmware.
This last sentence sounds strange. Is something missing?
> +
> +Once the flasher tool is running we are ready flash the images.::
> +Write the FIP image to the Bank-0 & 1 at 6MB and 10MB offset.::
> +
> + flash rawwrite 600000 180000
> + flash rawwrite a00000 180000
> + >> Send SPI_NOR_NEWFIP.fd via XMODEM (Control-A S in minicom) <<
> +
> + flash rawwrite 500000 1000
> + flash rawwrite 530000 1000
> + >> Send devbox-fwu-mdata.img via XMODEM (Control-A S in minicom) <<
> +
> +And write the new SCP firmware.::
> +
> + flash write cm3
> + >> Send scp_romramfw_release.bin via XMODEM (Control-A S in minicom) <<
> +
> +At last, turn on the DSW 3-4 on the board, and reboot.
> +Note that if DSW 3-4 is turned off, the DeveloperBox will boot from
> +the original EDK2 firmware (or non-FWU U-Boot if you already installed.)
swap the 2 last characters: s/.)/)./
> diff --git a/include/configs/synquacer.h b/include/configs/synquacer.h
> index 8f44c6f66a..cd7359c2f8 100644
> --- a/include/configs/synquacer.h
> +++ b/include/configs/synquacer.h
> @@ -40,19 +40,29 @@
>
> /* Since U-Boot 64bit PCIe support is limited, disable 64bit MMIO support */
>
> +#ifdef CONFIG_FWU_MULTI_BANK_UPDATE
> +#define DEFAULT_DFU_ALT_INFO
> +#else
> #define DEFAULT_DFU_ALT_INFO "dfu_alt_info=" \
> "mtd nor1=u-boot.bin raw 200000 100000;" \
> "fip.bin raw 180000 78000;" \
> "optee.bin raw 500000 100000\0"
> +#endif
>
> /* GUIDs for capsule updatable firmware images */
> #define DEVELOPERBOX_UBOOT_IMAGE_GUID \
> EFI_GUID(0x53a92e83, 0x4ef4, 0x473a, 0x8b, 0x0d, \
> 0xb5, 0xd8, 0xc7, 0xb2, 0xd6, 0x00)
>
> +#ifdef CONFIG_FWU_MULTI_BANK_UPDATE
> +#define DEVELOPERBOX_FIP_IMAGE_GUID \
> + EFI_GUID(0x7d6dc310, 0x52ca, 0x43b8, 0xb7, 0xb9, \
> + 0xf9, 0xd6, 0xc5, 0x01, 0xd1, 0x08)
> +#else
> #define DEVELOPERBOX_FIP_IMAGE_GUID \
> EFI_GUID(0x880866e9, 0x84ba, 0x4793, 0xa9, 0x08, \
> 0x33, 0xe0, 0xb9, 0x16, 0xf3, 0x98)
> +#endif
>
> #define DEVELOPERBOX_OPTEE_IMAGE_GUID \
> EFI_GUID(0xc1b629f1, 0xce0e, 0x4894, 0x82, 0xbf, \
> --
> 2.34.1
>
More information about the U-Boot
mailing list