[PATCH v3 18/19] k3: tools: config.mk: Update makefile and remove scripts
Neha Malcom Francis
n-francis at ti.com
Fri Apr 21 14:32:02 CEST 2023
Since binman is used to package bootloader images for all K3 devices, we
do not have to rely on the earlier methods to package them.
config.mk has been edited to only have binman required make commands.
Scripts that were used to generate x509 certificate for tiboot3.bin and
generate tispl.bin have also been removed.
Signed-off-by: Neha Malcom Francis <n-francis at ti.com>
---
arch/arm/mach-k3/config.mk | 92 -------------
tools/k3_fit_atf.sh | 123 -----------------
tools/k3_gen_x509_cert.sh | 262 -------------------------------------
3 files changed, 477 deletions(-)
delete mode 100755 tools/k3_fit_atf.sh
delete mode 100755 tools/k3_gen_x509_cert.sh
diff --git a/arch/arm/mach-k3/config.mk b/arch/arm/mach-k3/config.mk
index b342a56538..39767196a7 100644
--- a/arch/arm/mach-k3/config.mk
+++ b/arch/arm/mach-k3/config.mk
@@ -11,34 +11,6 @@ ifeq ($(shell which openssl),)
$(error "No openssl in $(PATH), consider installing openssl")
endif
-IMAGE_SIZE= $(shell cat $(obj)/u-boot-spl.bin | wc -c)
-MAX_SIZE= $(shell printf "%d" $(CONFIG_SYS_K3_MAX_DOWNLODABLE_IMAGE_SIZE))
-
-ifeq ($(CONFIG_SYS_K3_KEY), "")
-KEY=""
-# On HS use real key or warn if not available
-ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
-ifneq ($(wildcard $(TI_SECURE_DEV_PKG)/keys/custMpk.pem),)
-KEY=$(TI_SECURE_DEV_PKG)/keys/custMpk.pem
-else
-$(warning "WARNING: signing key not found. Random key will NOT work on HS hardware!")
-endif
-endif
-else
-KEY=$(patsubst "%",$(srctree)/%,$(CONFIG_SYS_K3_KEY))
-endif
-
-# X509 SWRV default
-SWRV = $(CONFIG_K3_X509_SWRV)
-# On HS use SECDEV provided software revision or warn if not available
-ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
-ifneq ($(wildcard $(TI_SECURE_DEV_PKG)/keys/swrv.txt),)
-SWRV= $(shell cat $(TI_SECURE_DEV_PKG)/keys/swrv.txt)
-else
-$(warning "WARNING: Software revision file not found. Default may not work on HS hardware.")
-endif
-endif
-
O ?= .
# Board config binary artifacts necessary for packaging of tiboot3.bin
@@ -88,68 +60,4 @@ INPUTS-y += schema.yaml
INPUTS-y += custMpk.pem
INPUTS-y += ti-degenerate-key.pem
endif
-
-# tiboot3.bin is mandated by ROM and ROM only supports R5 boot.
-# So restrict tiboot3.bin creation for CPU_V7R.
-ifndef CONFIG_BINMAN
-ifdef CONFIG_CPU_V7R
-image_check: $(obj)/u-boot-spl.bin FORCE
- @if [ $(IMAGE_SIZE) -gt $(MAX_SIZE) ]; then \
- echo "===============================================" >&2; \
- echo "ERROR: Final Image too big. " >&2; \
- echo "$< size = $(IMAGE_SIZE), max size = $(MAX_SIZE)" >&2; \
- echo "===============================================" >&2; \
- exit 1; \
- fi
-
-tiboot3.bin: image_check FORCE
- $(srctree)/tools/k3_gen_x509_cert.sh -c 16 -b $(obj)/u-boot-spl.bin \
- -o $@ -l $(CONFIG_SPL_TEXT_BASE) -r $(SWRV) -k $(KEY)
-
-INPUTS-y += tiboot3.bin
-endif
-endif
-
-ifdef CONFIG_ARM64
-
-ifeq ($(CONFIG_SOC_K3_J721E),)
-export DM := /dev/null
endif
-
-ifndef CONFIG_BINMAN
-ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
-SPL_ITS := u-boot-spl-k3_HS.its
-$(SPL_ITS): export IS_HS=1
-INPUTS-y += tispl.bin_HS
-else
-SPL_ITS := u-boot-spl-k3.its
-INPUTS-y += tispl.bin
-endif
-endif
-
-ifeq ($(CONFIG_SPL_OF_LIST),)
-LIST_OF_DTB := $(CONFIG_DEFAULT_DEVICE_TREE)
-else
-LIST_OF_DTB := $(CONFIG_SPL_OF_LIST)
-endif
-
-quiet_cmd_k3_mkits = MKITS $@
-cmd_k3_mkits = \
- $(srctree)/tools/k3_fit_atf.sh \
- $(CONFIG_K3_ATF_LOAD_ADDR) \
- $(patsubst %,$(obj)/dts/%.dtb,$(subst ",,$(LIST_OF_DTB))) > $@
-
-$(SPL_ITS): FORCE
- $(call cmd,k3_mkits)
-endif
-
-else
-
-ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
-INPUTS-y += u-boot.img_HS
-else
-INPUTS-y += u-boot.img
-endif
-endif
-
-include $(srctree)/arch/arm/mach-k3/config_secure.mk
diff --git a/tools/k3_fit_atf.sh b/tools/k3_fit_atf.sh
deleted file mode 100755
index 7bc07ad074..0000000000
--- a/tools/k3_fit_atf.sh
+++ /dev/null
@@ -1,123 +0,0 @@
-#!/bin/sh
-# SPDX-License-Identifier: GPL-2.0+
-#
-# script to generate FIT image source for K3 Family boards with
-# ATF, OPTEE, SPL and multiple device trees (given on the command line).
-# Inspired from board/sunxi/mksunxi_fit_atf.sh
-#
-# usage: $0 <atf_load_addr> <dt_name> [<dt_name> [<dt_name] ...]
-
-[ -z "$ATF" ] && ATF="bl31.bin"
-
-if [ ! -f $ATF ]; then
- echo "WARNING ATF file $ATF NOT found, resulting binary is non-functional" >&2
- ATF=/dev/null
-fi
-
-[ -z "$TEE" ] && TEE="bl32.bin"
-
-if [ ! -f $TEE ]; then
- echo "WARNING OPTEE file $TEE NOT found, resulting might be non-functional" >&2
- TEE=/dev/null
-fi
-
-[ -z "$DM" ] && DM="dm.bin"
-
-if [ ! -e $DM ]; then
- echo "WARNING DM file $DM NOT found, resulting might be non-functional" >&2
- DM=/dev/null
-fi
-
-if [ ! -z "$IS_HS" ]; then
- HS_APPEND=_HS
-fi
-
-cat << __HEADER_EOF
-/dts-v1/;
-
-/ {
- description = "Configuration to load ATF and SPL";
- #address-cells = <1>;
-
- images {
- atf {
- description = "ARM Trusted Firmware";
- data = /incbin/("$ATF");
- type = "firmware";
- arch = "arm64";
- compression = "none";
- os = "arm-trusted-firmware";
- load = <$1>;
- entry = <$1>;
- };
- tee {
- description = "OPTEE";
- data = /incbin/("$TEE");
- type = "tee";
- arch = "arm64";
- compression = "none";
- os = "tee";
- load = <0x9e800000>;
- entry = <0x9e800000>;
- };
- dm {
- description = "DM binary";
- data = /incbin/("$DM");
- type = "firmware";
- arch = "arm32";
- compression = "none";
- os = "DM";
- load = <0x89000000>;
- entry = <0x89000000>;
- };
- spl {
- description = "SPL (64-bit)";
- data = /incbin/("spl/u-boot-spl-nodtb.bin$HS_APPEND");
- type = "standalone";
- os = "U-Boot";
- arch = "arm64";
- compression = "none";
- load = <0x80080000>;
- entry = <0x80080000>;
- };
-__HEADER_EOF
-
-# shift through ATF load address in the command line arguments
-shift
-
-for dtname in $*
-do
- cat << __FDT_IMAGE_EOF
- $(basename $dtname) {
- description = "$(basename $dtname .dtb)";
- data = /incbin/("$dtname$HS_APPEND");
- type = "flat_dt";
- arch = "arm";
- compression = "none";
- };
-__FDT_IMAGE_EOF
-done
-
-cat << __CONF_HEADER_EOF
- };
- configurations {
- default = "$(basename $1)";
-
-__CONF_HEADER_EOF
-
-for dtname in $*
-do
- cat << __CONF_SECTION_EOF
- $(basename $dtname) {
- description = "$(basename $dtname .dtb)";
- firmware = "atf";
- loadables = "tee", "dm", "spl";
- fdt = "$(basename $dtname)";
- };
-__CONF_SECTION_EOF
-done
-
-cat << __ITS_EOF
- };
-};
-__ITS_EOF
diff --git a/tools/k3_gen_x509_cert.sh b/tools/k3_gen_x509_cert.sh
deleted file mode 100755
index d9cde07417..0000000000
--- a/tools/k3_gen_x509_cert.sh
+++ /dev/null
@@ -1,262 +0,0 @@
-#!/bin/bash
-# SPDX-License-Identifier: GPL-2.0+ OR BSD-3-Clause
-#
-# Script to add K3 specific x509 cetificate to a binary.
-#
-
-# Variables
-OUTPUT=tiboot3.bin
-TEMP_X509=x509-temp.cert
-CERT=certificate.bin
-RAND_KEY=eckey.pem
-LOADADDR=0x41c00000
-BOOTCORE_OPTS=0
-BOOTCORE=16
-DEBUG_TYPE=0
-SWRV=1
-
-gen_degen_template() {
-cat << 'EOF' > degen-template.txt
-
-asn1=SEQUENCE:rsa_key
-
-[rsa_key]
-version=INTEGER:0
-modulus=INTEGER:0xDEGEN_MODULUS
-pubExp=INTEGER:1
-privExp=INTEGER:1
-p=INTEGER:0xDEGEN_P
-q=INTEGER:0xDEGEN_Q
-e1=INTEGER:1
-e2=INTEGER:1
-coeff=INTEGER:0xDEGEN_COEFF
-EOF
-}
-
-# Generate x509 Template
-gen_template() {
-cat << 'EOF' > x509-template.txt
- [ req ]
- distinguished_name = req_distinguished_name
- x509_extensions = v3_ca
- prompt = no
- dirstring_type = nobmp
-
- [ req_distinguished_name ]
- C = US
- ST = TX
- L = Dallas
- O = Texas Instruments Incorporated
- OU = Processors
- CN = TI support
- emailAddress = support at ti.com
-
- [ v3_ca ]
- basicConstraints = CA:true
- 1.3.6.1.4.1.294.1.1 = ASN1:SEQUENCE:boot_seq
- 1.3.6.1.4.1.294.1.2 = ASN1:SEQUENCE:image_integrity
- 1.3.6.1.4.1.294.1.3 = ASN1:SEQUENCE:swrv
-# 1.3.6.1.4.1.294.1.4 = ASN1:SEQUENCE:encryption
- 1.3.6.1.4.1.294.1.8 = ASN1:SEQUENCE:debug
-
- [ boot_seq ]
- certType = INTEGER:TEST_CERT_TYPE
- bootCore = INTEGER:TEST_BOOT_CORE
- bootCoreOpts = INTEGER:TEST_BOOT_CORE_OPTS
- destAddr = FORMAT:HEX,OCT:TEST_BOOT_ADDR
- imageSize = INTEGER:TEST_IMAGE_LENGTH
-
- [ image_integrity ]
- shaType = OID:2.16.840.1.101.3.4.2.3
- shaValue = FORMAT:HEX,OCT:TEST_IMAGE_SHA_VAL
-
- [ swrv ]
- swrv = INTEGER:TEST_SWRV
-
-# [ encryption ]
-# initalVector = FORMAT:HEX,OCT:TEST_IMAGE_ENC_IV
-# randomString = FORMAT:HEX,OCT:TEST_IMAGE_ENC_RS
-# iterationCnt = INTEGER:TEST_IMAGE_KEY_DERIVE_INDEX
-# salt = FORMAT:HEX,OCT:TEST_IMAGE_KEY_DERIVE_SALT
-
- [ debug ]
- debugUID = FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000
- debugType = INTEGER:TEST_DEBUG_TYPE
- coreDbgEn = INTEGER:0
- coreDbgSecEn = INTEGER:0
-EOF
-}
-
-parse_key() {
- sed '/ /s/://g' key.txt | \
- awk '!/ / {printf("\n%s\n", $0)}; / / {printf("%s", $0)}' | \
- sed 's/ //g' | \
- awk "/$1:/{getline; print}"
-}
-
-gen_degen_key() {
-# Generate a 4096 bit RSA Key
- openssl genrsa -out key.pem 1024 >>/dev/null 2>&1
- openssl rsa -in key.pem -text -out key.txt >>/dev/null 2>&1
- DEGEN_MODULUS=$( parse_key 'modulus' )
- DEGEN_P=$( parse_key 'prime1' )
- DEGEN_Q=$( parse_key 'prime2' )
- DEGEN_COEFF=$( parse_key 'coefficient' )
- gen_degen_template
-
- sed -e "s/DEGEN_MODULUS/$DEGEN_MODULUS/"\
- -e "s/DEGEN_P/$DEGEN_P/" \
- -e "s/DEGEN_Q/$DEGEN_Q/" \
- -e "s/DEGEN_COEFF/$DEGEN_COEFF/" \
- degen-template.txt > degenerateKey.txt
-
- openssl asn1parse -genconf degenerateKey.txt -out degenerateKey.der >>/dev/null 2>&1
- openssl rsa -in degenerateKey.der -inform DER -outform PEM -out $RAND_KEY >>/dev/null 2>&1
- KEY=$RAND_KEY
- rm key.pem key.txt degen-template.txt degenerateKey.txt degenerateKey.der
-}
-
-declare -A options_help
-usage() {
- if [ -n "$*" ]; then
- echo "ERROR: $*"
- fi
- echo -n "Usage: $0 "
- for option in "${!options_help[@]}"
- do
- arg=`echo ${options_help[$option]}|cut -d ':' -f1`
- if [ -n "$arg" ]; then
- arg=" $arg"
- fi
- echo -n "[-$option$arg] "
- done
- echo
- echo -e "\nWhere:"
- for option in "${!options_help[@]}"
- do
- arg=`echo ${options_help[$option]}|cut -d ':' -f1`
- txt=`echo ${options_help[$option]}|cut -d ':' -f2`
- tb="\t\t\t"
- if [ -n "$arg" ]; then
- arg=" $arg"
- tb="\t"
- fi
- echo -e " -$option$arg:$tb$txt"
- done
- echo
- echo "Examples of usage:-"
- echo "# Example of signing the SYSFW binary with rsa degenerate key"
- echo " $0 -c 0 -b ti-sci-firmware-am6x.bin -o sysfw.bin -l 0x40000"
- echo "# Example of signing the SPL binary with rsa degenerate key"
- echo " $0 -c 16 -b spl/u-boot-spl.bin -o tiboot3.bin -l 0x41c00000"
-}
-
-options_help[b]="bin_file:Bin file that needs to be signed"
-options_help[k]="key_file:file with key inside it. If not provided script generates a rsa degenerate key."
-options_help[o]="output_file:Name of the final output file. default to $OUTPUT"
-options_help[c]="core_id:target core id on which the image would be running. Default to $BOOTCORE"
-options_help[l]="loadaddr: Target load address of the binary in hex. Default to $LOADADDR"
-options_help[d]="debug_type: Debug type, set to 4 to enable early JTAG. Default to $DEBUG_TYPE"
-options_help[r]="SWRV: Software Rev for X509 certificate"
-
-while getopts "b:k:o:c:l:d:h:r:" opt
-do
- case $opt in
- b)
- BIN=$OPTARG
- ;;
- k)
- KEY=$OPTARG
- ;;
- o)
- OUTPUT=$OPTARG
- ;;
- l)
- LOADADDR=$OPTARG
- ;;
- c)
- BOOTCORE=$OPTARG
- ;;
- d)
- DEBUG_TYPE=$OPTARG
- ;;
- r)
- SWRV=$OPTARG
- ;;
- h)
- usage
- exit 0
- ;;
- \?)
- usage "Invalid Option '-$OPTARG'"
- exit 1
- ;;
- :)
- usage "Option '-$OPTARG' Needs an argument."
- exit 1
- ;;
- esac
-done
-
-if [ "$#" -eq 0 ]; then
- usage "Arguments missing"
- exit 1
-fi
-
-if [ -z "$BIN" ]; then
- usage "Bin file missing in arguments"
- exit 1
-fi
-
-# Generate rsa degenerate key if user doesn't provide a key
-if [ -z "$KEY" ]; then
- gen_degen_key
-fi
-
-if [ $BOOTCORE == 0 ]; then # BOOTCORE M3, loaded by ROM
- CERTTYPE=2
-elif [ $BOOTCORE == 16 ]; then # BOOTCORE R5, loaded by ROM
- CERTTYPE=1
-else # Non BOOTCORE, loaded by SYSFW
- BOOTCORE_OPTS_VER=$(printf "%01x" 1)
- # Add input args option for SET and CLR flags.
- BOOTCORE_OPTS_SETFLAG=$(printf "%08x" 0)
- BOOTCORE_OPTS_CLRFLAG=$(printf "%08x" 0x100) # Clear FLAG_ARMV8_AARCH32
- BOOTCORE_OPTS="0x$BOOTCORE_OPTS_VER$BOOTCORE_OPTS_SETFLAG$BOOTCORE_OPTS_CLRFLAG"
- # Set the cert type to zero.
- # We are not using public/private key store now
- CERTTYPE=$(printf "0x%08x" 0)
-fi
-
-SHA_VAL=`openssl dgst -sha512 -hex $BIN | sed -e "s/^.*= //g"`
-BIN_SIZE=`cat $BIN | wc -c`
-ADDR=`printf "%08x" $LOADADDR`
-
-gen_cert() {
- #echo "Certificate being generated :"
- #echo " LOADADDR = 0x$ADDR"
- #echo " IMAGE_SIZE = $BIN_SIZE"
- #echo " CERT_TYPE = $CERTTYPE"
- #echo " DEBUG_TYPE = $DEBUG_TYPE"
- #echo " SWRV = $SWRV"
- sed -e "s/TEST_IMAGE_LENGTH/$BIN_SIZE/" \
- -e "s/TEST_IMAGE_SHA_VAL/$SHA_VAL/" \
- -e "s/TEST_CERT_TYPE/$CERTTYPE/" \
- -e "s/TEST_BOOT_CORE_OPTS/$BOOTCORE_OPTS/" \
- -e "s/TEST_BOOT_CORE/$BOOTCORE/" \
- -e "s/TEST_BOOT_ADDR/$ADDR/" \
- -e "s/TEST_DEBUG_TYPE/$DEBUG_TYPE/" \
- -e "s/TEST_SWRV/$SWRV/" \
- x509-template.txt > $TEMP_X509
- openssl req -new -x509 -key $KEY -nodes -outform DER -out $CERT -config $TEMP_X509 -sha512
-}
-
-gen_template
-gen_cert
-cat $CERT $BIN > $OUTPUT
-
-# Remove all intermediate files
-rm $TEMP_X509 $CERT x509-template.txt
-if [ "$KEY" == "$RAND_KEY" ]; then
- rm $RAND_KEY
-fi
--
2.34.1
More information about the U-Boot
mailing list