[PATCH v3 00/11] Sign Xilinx ZynqMP SPL/FSBL boot images using binman
lukas.funke-oss at weidmueller.com
Tue Jul 18 13:53:08 CEST 2023
From: Lukas Funke <lukas.funke at weidmueller.com>
This series adds two etypes to create a verified boot chain for
Xilinx ZynqMP devices. The first etype 'xilinx-fsbl-auth' is used to
create a bootable, signed image for ZynqMP boards using the Xilinx
Bootgen tool. The second etype 'u-boot-spl-pubkey-dtb' is used to add
a '/signature' node to the SPL. The public key in the signature is read
from a certificate file and added using the 'fdt_add_pubkey' tool. The
series also contains the corresponding btool for calling 'bootgen' and
'fdt_add_pubkey'.
The following block shows an example of how to use this functionality:
spl {
    filename = "boot.signed.bin";
    xilinx-fsbl-auth {
        psk-key-name-hint = "psk0";
        ssk-key-name-hint = "ssk0";
        auth-params = "ppk_select=0", "spk_id=0x00000000";
        u-boot-spl-nodtb {
        };
        u-boot-spl-pubkey-dtb {
            algo = "sha384,rsa4096";
            required = "conf";
            key-name-hint = "dev";
        };
    };
};
Changes in v3:
- Improved test coverage regarding missing libelf
- Align error message
- Fix rst headline length
- Add newline before main
- Adapted test due to property renaming
- Fixed minor python doc typo in u-boot-spl-pubkey-dtb etype
- Renamed key property from 'key-name' to 'key-name-hint'
- Fixed an issue where the build result was not found
- Fixed an issue where the version string was not reported correctly
- Improved test coverage for xilinx-fsbl-auth etype
- Changed etype from entry to section
- Changed property name "psk-filename" to "psk-key-name-hint"
- Changed property name "ssk-filename" to "ssk-key-name-hint"
- Decode spl elf file instead of reading start symbol
- Improved test coverage
- Improved documentation
Changes in v2:
- Changed u_boot_spl_pubkey_dtb to u-boot-spl-pubkey-dtb
- Improved rst/python documentation
- Changed u_boot_spl_pubkey_dtb to u-boot-spl-pubkey-dtb in example
- Pass additional 'keysrc_enc' parameter to Bootgen
- Added more information and terms to documentation
- Fixed typo in dts name
- Add 'keysrc-enc' property to pass down to Bootgen
- Improved documentation
- Use predictable output names for intermediated results
Lukas Funke (11):
binman: elf: Check for ELF_TOOLS availability and remove extra
semicolon
binman: Don't decompress data while signing
binman: blob_dtb: Add fake_size argument to ObtainContents()
binman: doc: Add documentation for fdt_add_pubkey bintool
binman: ftest: Add test for u_boot_spl_pubkey_dtb
binman: btool: Add fdt_add_pubkey as btool
binman: etype: Add u-boot-spl-pubkey-dtb etype
binman: doc: Add documentation for Xilinx Bootgen bintool
binman: btool: Add Xilinx Bootgen btool
binman: ftest: Add test for xilinx_fsbl_auth etype
binman: etype: Add xilinx_fsbl_auth etype
tools/binman/bintools.rst | 22 ++
tools/binman/btool/bootgen.py | 136 +++++++++++
tools/binman/btool/fdt_add_pubkey.py | 67 ++++++
tools/binman/control.py | 2 +-
tools/binman/elf.py | 14 +-
tools/binman/elf_test.py | 11 +
tools/binman/entries.rst | 110 +++++++++
tools/binman/etype/blob_dtb.py | 2 +-
tools/binman/etype/u_boot_spl_pubkey_dtb.py | 109 +++++++++
tools/binman/etype/xilinx_fsbl_auth.py | 221 ++++++++++++++++++
tools/binman/ftest.py | 94 ++++++++
tools/binman/test/280_xilinx_fsbl_auth.dts | 21 ++
.../binman/test/280_xilinx_fsbl_auth_enc.dts | 23 ++
tools/binman/test/281_spl_pubkey_dtb.dts | 16 ++
14 files changed, 839 insertions(+), 9 deletions(-)
create mode 100644 tools/binman/btool/bootgen.py
create mode 100644 tools/binman/btool/fdt_add_pubkey.py
create mode 100644 tools/binman/etype/u_boot_spl_pubkey_dtb.py
create mode 100644 tools/binman/etype/xilinx_fsbl_auth.py
create mode 100644 tools/binman/test/280_xilinx_fsbl_auth.dts
create mode 100644 tools/binman/test/280_xilinx_fsbl_auth_enc.dts
create mode 100644 tools/binman/test/281_spl_pubkey_dtb.dts
--
2.30.2
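As an added illustration (not part of the series or of binman itself), the script below hand-drives the two tools the cover letter's etypes wrap, mapping the device-tree properties of the example onto a Bootgen BIF and an fdt_add_pubkey call. It assumes the key files live under a KEYDIR as <hint>.pem / <hint>.crt, that the auth-params strings are joined with semicolons for the BIF, and that the SPL is handed to Bootgen as an ELF; none of these details are stated in the mail.

```shell
#!/bin/sh
# Added example: manual equivalent of the xilinx-fsbl-auth and
# u-boot-spl-pubkey-dtb etypes, to show which tool option each
# device-tree property ends up driving.
set -eu

# Assumption: key material is looked up as $KEYDIR/<key-name-hint>.pem
# (PSK/SSK for Bootgen) and $KEYDIR/<key-name-hint>.crt (for fdt_add_pubkey).
KEYDIR="${KEYDIR:-keys}"

# Render the Bootgen BIF corresponding to an xilinx-fsbl-auth node.
#   $1 = psk-key-name-hint   $2 = ssk-key-name-hint
#   $3 = auth-params joined with "; "   $4 = SPL ELF (assumed input form)
make_bif() {
    printf 'the_ROM_image:\n{\n'
    printf '    [pskfile] %s/%s.pem\n' "$KEYDIR" "$1"
    printf '    [sskfile] %s/%s.pem\n' "$KEYDIR" "$2"
    printf '    [auth_params] %s\n' "$3"
    printf '    [bootloader, authentication=rsa, destination_cpu=a53-0] %s\n' "$4"
    printf '}\n'
}

# Step 1 (u-boot-spl-pubkey-dtb): embed the verification key into the
# SPL DTB. algo -> -a, key-name-hint -> -n, required -> -r; the tool
# reads $KEYDIR/dev.crt and writes a /signature node into $1 in place.
add_pubkey() {
    fdt_add_pubkey -a "sha384,rsa4096" -k "$KEYDIR" -n dev -r conf "$1"
}

# Step 2 (xilinx-fsbl-auth): produce the authenticated boot image.
#   $1 = SPL ELF, $2 = output image (boot.signed.bin in the example)
sign_spl() {
    bif=$(mktemp)
    make_bif psk0 ssk0 "ppk_select=0; spk_id=0x00000000" "$1" > "$bif"
    bootgen -arch zynqmp -image "$bif" -w -o "$2"
    rm -f "$bif"
}

# Run the real tools only when they are installed; make_bif is always
# usable to inspect the BIF that a given node would generate.
if command -v fdt_add_pubkey >/dev/null 2>&1 && command -v bootgen >/dev/null 2>&1; then
    add_pubkey spl/u-boot-spl.dtb
    sign_spl spl/u-boot-spl boot.signed.bin
fi
```

The resulting boot.signed.bin carries an authenticated SPL whose DTB already holds the key that SPL will use to verify the next stage, which is the two-link chain the series sets up.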