[PATCH v4 0/3] Sign Xilinx ZynqMP SPL/FSBL boot images using binman

lukas.funke-oss at weidmueller.com lukas.funke-oss at weidmueller.com
Thu Aug 3 17:22:12 CEST 2023 

From: Lukas Funke <lukas.funke at weidmueller.com>


This series adds one etype to create a verified boot chain for
Xilinx ZynqMP devices. The etype 'xilinx-bootgen' is used to
create a bootable, signed image for ZynqMP boards using the Xilinx
Bootgen tool. The series also contains the corresponding btool for
calling 'bootgen'.

The following block shows an example on how to use this functionality:

    spl {
        filename = "boot.signed.bin";

        xilinx-bootgen {
            psk-key-name-hint = "psk0";
            ssk-key-name-hint = "ssk0";
            pmufw-filename = "pmu-firmware.elf";
            auth-params = "ppk_select=0", "spk_id=0x00000000";

            u-boot-spl-nodtb {
            };
            u-boot-spl-pubkey-dtb {
                algo = "sha384,rsa4096";
                required = "conf";
                key-name-hint = "dev";
            };
        };
    };


Changes in v4:
- Fixed some typos
- Add test to check for missing bootgen tool
- Renamed etype from "xilinx-fsbl-auth" to "xilinx-bootgen"
- Add detection of missing bintool
- Promote 'pmufw-filename' to required property

Changes in v3:
- Fixed an issue where the build result was not found
- Fixed an issue where the version string was not reported correctly
- Improved test coverage for xilinx-fsbl-auth etype
- Changed etype from entry to section
- Changed property name "psk-filename" to "psk-key-name-hint"
- Changed property name "ssk-filename" to "ssk-key-name-hint"
- Decode spl elf file instead of reading start symbol
- Improved test coverage
- Improved documentation

Changes in v2:
- Pass additional 'keysrc_enc' parameter to Bootgen
- Added more information and terms to documentation
- Fixed typo in dts name
- Add 'keysrc-enc' property to pass down to Bootgen
- Improved documentation
- Use predictable output names for intermediated results

Lukas Funke (3):
  binman: btool: Add Xilinx Bootgen btool
  binman: ftest: Add test for xilinx-bootgen etype
  binman: etype: Add xilinx-bootgen etype

 tools/binman/bintools.rst                     |   2 +-
 tools/binman/btool/bootgen.py                 | 137 +++++++++++
 tools/binman/entries.rst                      |  75 ++++++
 tools/binman/etype/xilinx_bootgen.py          | 225 ++++++++++++++++++
 tools/binman/ftest.py                         |  75 ++++++
 tools/binman/test/307_xilinx_bootgen_sign.dts |  22 ++
 .../test/308_xilinx_bootgen_sign_enc.dts      |  24 ++
 7 files changed, 559 insertions(+), 1 deletion(-)
 create mode 100644 tools/binman/btool/bootgen.py
 create mode 100644 tools/binman/etype/xilinx_bootgen.py
 create mode 100644 tools/binman/test/307_xilinx_bootgen_sign.dts
 create mode 100644 tools/binman/test/308_xilinx_bootgen_sign_enc.dts

-- 
2.30.2

More information about the U-Boot mailing list