[PATCH v2 00/11] Sign Xilinx ZynqMP SPL/FSBL boot images using binman

Simon Glass sjg at chromium.org
Fri Jul 7 19:35:48 CEST 2023


Hi Lukas,

On Thu, 6 Jul 2023 at 09:38, <lukas.funke-oss at weidmueller.com> wrote:
>
> From: Lukas Funke <lukas.funke at weidmueller.com>
>
>
> This series adds two etypes to create a verified boot chain for
> Xilinx ZynqMP devices. The first etype 'xilinx_fsbl_auth' is used to
> create a bootable, signed image for ZynqMP boards using the Xilinx
> Bootgen tool. The second etype 'u_boot_spl_pubkey_dtb' is used to add
> a '/signature' node to the SPL. The public key in the signature is read
> from a certificate file and added using the 'fdt_add_pubkey' tool. The
> series also contains the corresponding btool for calling 'bootgen' and
> 'fdt_add_pubkey'.
>
> The following block shows an example of how to use this functionality:
>
>     spl {
>         filename = "boot.signed.bin";
>
>         xilinx_fsbl_auth {
>             psk-filename = "psk0.pem";
>             ssk-filename = "ssk0.pem";
>             auth-params = "ppk_select=0", "spk_id=0x00000000";
>
>             u_boot_spl_nodtb {
>             };
>             u_boot_spl_pubkey_dtb {
>                 algo = "sha384,rsa4096";
>                 required = "conf";
>                 key-name = "dev";
>             };
>         };
>     };
>
>
> Changes in v2:
> - Changed u_boot_spl_pubkey_dtb to u-boot-spl-pubkey-dtb
> - Improved rst/python documentation
> - Changed u_boot_spl_pubkey_dtb to u-boot-spl-pubkey-dtb in example
> - Pass additional 'keysrc_enc' parameter to Bootgen
> - Added more information and terms to documentation
> - Fixed typo in dts name
> - Add 'keysrc-enc' property to pass down to Bootgen
> - Improved documentation
> - Use predictable output names for intermediate results
>
> Lukas Funke (11):
>   binman: elf: Check for ELF_TOOLS availability and remove extra
>     semicolon
>   binman: Don't decompress data while signing
>   binman: blob_dtb: Add fake_size argument to ObtainContents()
>   binman: doc: Add documentation for fdt_add_pubkey bintool
>   binman: ftest: Add test for u_boot_spl_pubkey_dtb
>   binman: btool: Add fdt_add_pubkey as btool
>   binman: etype: Add u_boot_spl_pubkey_dtb etype
>   binman: doc: Add documentation for Xilinx Bootgen bintool
>   binman: btool: Add Xilinx Bootgen btool
>   binman: ftest: Add test for xilinx_fsbl_auth etype
>   binman: etype: Add xilinx_fsbl_auth etype
>
>  tools/binman/bintools.rst                   |  22 ++
>  tools/binman/btool/bootgen.py               | 136 +++++++++++++
>  tools/binman/btool/fdt_add_pubkey.py        |  67 ++++++
>  tools/binman/control.py                     |   2 +-
>  tools/binman/elf.py                         |  10 +-
>  tools/binman/entries.rst                    |  92 +++++++++
>  tools/binman/etype/blob_dtb.py              |   2 +-
>  tools/binman/etype/u_boot_spl_pubkey_dtb.py | 109 ++++++++++
>  tools/binman/etype/xilinx_fsbl_auth.py      | 213 ++++++++++++++++++++
>  tools/binman/ftest.py                       |  42 +++-
>  tools/binman/test/280_xilinx_fsbl_auth.dts  |  23 +++
>  tools/binman/test/281_spl_pubkey_dtb.dts    |  16 ++
>  12 files changed, 727 insertions(+), 7 deletions(-)
>  create mode 100644 tools/binman/btool/bootgen.py
>  create mode 100644 tools/binman/btool/fdt_add_pubkey.py
>  create mode 100644 tools/binman/etype/u_boot_spl_pubkey_dtb.py
>  create mode 100644 tools/binman/etype/xilinx_fsbl_auth.py
>  create mode 100644 tools/binman/test/280_xilinx_fsbl_auth.dts
>  create mode 100644 tools/binman/test/281_spl_pubkey_dtb.dts
>
> --
> 2.30.2
>

This looks pretty good to me. I've made comments on individual
patches. Please do make sure that the docs are enough to understand
the feature - e.g. describing each field. You may need to link to some
'forever' docs somewhere too.

Regards,
Simon

