[PATCH v3 00/11] Sign Xilinx ZynqMP SPL/FSBL boot images using binman
Simon Glass
sjg at chromium.org
Wed Jul 19 03:08:25 CEST 2023
Hi,
On Tue, 18 Jul 2023 at 05:53, <lukas.funke-oss at weidmueller.com> wrote:
>
> From: Lukas Funke <lukas.funke at weidmueller.com>
>
>
> This series adds two etypes to create a verified boot chain for
> Xilinx ZynqMP devices. The first etype 'xilinx-fsbl-auth' is used to
> create a bootable, signed image for ZynqMP boards using the Xilinx
> Bootgen tool. The second etype 'u-boot-spl-pubkey-dtb' is used to add
> a '/signature' node to the SPL. The public key in the signature is read
> from a certificate file and added using the 'fdt_add_pubkey' tool. The
> series also contains the corresponding btool for calling 'bootgen' and
> 'fdt_add_pubkey'.
>
> The following block shows an example on how to use this functionality:
>
> spl {
>     filename = "boot.signed.bin";
>
>     xilinx-fsbl-auth {
>         psk-key-name-hint = "psk0";
>         ssk-key-name-hint = "ssk0";
>         auth-params = "ppk_select=0", "spk_id=0x00000000";
>
>         u-boot-spl-nodtb {
>         };
>         u-boot-spl-pubkey-dtb {
>             algo = "sha384,rsa4096";
>             required = "conf";
>             key-name-hint = "dev";
>         };
>     };
> };
>
>
> Changes in v3:
> - Improved test coverage regarding missing libelf
> - Align error message
> - Fix rst headline length
> - Add newline before main
> - Adapted test due to property renaming
> - Fixed minor python doc typo in u-boot-spl-pubkey-dtb etype
> - Renamed key property from 'key-name' to 'key-name-hint'
> - Fixed an issue where the build result was not found
> - Fixed an issue where the version string was not reported correctly
> - Improved test coverage for xilinx-fsbl-auth etype
> - Changed etype from entry to section
> - Changed property name "psk-filename" to "psk-key-name-hint"
> - Changed property name "ssk-filename" to "ssk-key-name-hint"
> - Decode spl elf file instead of reading start symbol
> - Improved test coverage
> - Improved documentation
>
> Changes in v2:
> - Changed u_boot_spl_pubkey_dtb to u-boot-spl-pubkey-dtb
> - Improved rst/python documentation
> - Changed u_boot_spl_pubkey_dtb to u-boot-spl-pubkey-dtb in example
> - Pass additional 'keysrc_enc' parameter to Bootgen
> - Added more information and terms to documentation
> - Fixed typo in dts name
> - Add 'keysrc-enc' property to pass down to Bootgen
> - Improved documentation
> - Use predictable output names for intermediate results
>
> Lukas Funke (11):
> binman: elf: Check for ELF_TOOLS availability and remove extra
> semicolon
> binman: Don't decompress data while signing
> binman: blob_dtb: Add fake_size argument to ObtainContents()
> binman: doc: Add documentation for fdt_add_pubkey bintool
> binman: ftest: Add test for u_boot_spl_pubkey_dtb
> binman: btool: Add fdt_add_pubkey as btool
> binman: etype: Add u-boot-spl-pubkey-dtb etype
> binman: doc: Add documentation for Xilinx Bootgen bintool
> binman: btool: Add Xilinx Bootgen btool
> binman: ftest: Add test for xilinx_fsbl_auth etype
> binman: etype: Add xilinx_fsbl_auth etype
>
> tools/binman/bintools.rst | 22 ++
> tools/binman/btool/bootgen.py | 136 +++++++++++
> tools/binman/btool/fdt_add_pubkey.py | 67 ++++++
> tools/binman/control.py | 2 +-
> tools/binman/elf.py | 14 +-
> tools/binman/elf_test.py | 11 +
> tools/binman/entries.rst | 110 +++++++++
> tools/binman/etype/blob_dtb.py | 2 +-
> tools/binman/etype/u_boot_spl_pubkey_dtb.py | 109 +++++++++
> tools/binman/etype/xilinx_fsbl_auth.py | 221 ++++++++++++++++++
> tools/binman/ftest.py | 94 ++++++++
> tools/binman/test/280_xilinx_fsbl_auth.dts | 21 ++
> .../binman/test/280_xilinx_fsbl_auth_enc.dts | 23 ++
> tools/binman/test/281_spl_pubkey_dtb.dts | 16 ++
> 14 files changed, 839 insertions(+), 9 deletions(-)
> create mode 100644 tools/binman/btool/bootgen.py
> create mode 100644 tools/binman/btool/fdt_add_pubkey.py
> create mode 100644 tools/binman/etype/u_boot_spl_pubkey_dtb.py
> create mode 100644 tools/binman/etype/xilinx_fsbl_auth.py
> create mode 100644 tools/binman/test/280_xilinx_fsbl_auth.dts
> create mode 100644 tools/binman/test/280_xilinx_fsbl_auth_enc.dts
> create mode 100644 tools/binman/test/281_spl_pubkey_dtb.dts
>
> --
> 2.30.2
>
With this I get test failures:
======================================================================
ERROR: binman.ftest.TestFunctional.testXilinxFsblAuthAndEncryption
(subunit.RemotedTestCase)
binman.ftest.TestFunctional.testXilinxFsblAuthAndEncryption
----------------------------------------------------------------------
testtools.testresult.real._StringException: Traceback (most recent call last):
File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/ftest.py",
line 6932, in testXilinxFsblAuthAndEncryption
self._DoReadFileRealDtb('280_xilinx_fsbl_auth_enc.dts')
File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/ftest.py",
line 561, in _DoReadFileRealDtb
return self._DoReadFileDtb(fname, use_real_dtb=True, update_dtb=True)[0]
File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/ftest.py",
line 528, in _DoReadFileDtb
retcode = self._DoTestFile(fname, map=map, update_dtb=update_dtb,
File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/ftest.py",
line 427, in _DoTestFile
return self._DoBinman(*args)
File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/ftest.py",
line 343, in _DoBinman
return control.Binman(args)
File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/control.py",
line 815, in Binman
invalid |= ProcessImage(image, args.update_fdt, args.map,
File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/control.py",
line 632, in ProcessImage
image.PackEntries()
File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/image.py",
line 154, in PackEntries
super().Pack(0)
File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/etype/section.py",
line 433, in Pack
self._PackEntries()
File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/etype/section.py",
line 454, in _PackEntries
offset = entry.Pack(offset)
File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/etype/section.py",
line 441, in Pack
data = self.BuildSectionData(True)
File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/etype/xilinx_fsbl_auth.py",
line 213, in BuildSectionData
data = tools.read_file(bootbin_fname)
File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/u_boot_pylib/tools.py",
line 467, in read_file
with open(filename(fname), binary and 'rb' or 'r') as fd:
FileNotFoundError: [Errno 2] No such file or directory:
'/tmp/binman.q0wccwnl/boot.xilinx-fsbl-auth.bin'
======================================================================
ERROR: binman.ftest.TestFunctional.testXilinxFsblAuth (subunit.RemotedTestCase)
binman.ftest.TestFunctional.testXilinxFsblAuth
----------------------------------------------------------------------
testtools.testresult.real._StringException: Traceback (most recent call last):
File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/ftest.py",
line 6904, in testXilinxFsblAuth
self._DoReadFileRealDtb('280_xilinx_fsbl_auth.dts')
File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/ftest.py",
line 561, in _DoReadFileRealDtb
return self._DoReadFileDtb(fname, use_real_dtb=True, update_dtb=True)[0]
File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/ftest.py",
line 528, in _DoReadFileDtb
retcode = self._DoTestFile(fname, map=map, update_dtb=update_dtb,
File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/ftest.py",
line 427, in _DoTestFile
return self._DoBinman(*args)
File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/ftest.py",
line 343, in _DoBinman
return control.Binman(args)
File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/control.py",
line 815, in Binman
invalid |= ProcessImage(image, args.update_fdt, args.map,
File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/control.py",
line 632, in ProcessImage
image.PackEntries()
File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/image.py",
line 154, in PackEntries
super().Pack(0)
File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/etype/section.py",
line 433, in Pack
self._PackEntries()
File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/etype/section.py",
line 454, in _PackEntries
offset = entry.Pack(offset)
File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/etype/section.py",
line 441, in Pack
data = self.BuildSectionData(True)
File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/etype/xilinx_fsbl_auth.py",
line 213, in BuildSectionData
data = tools.read_file(bootbin_fname)
File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/u_boot_pylib/tools.py",
line 467, in read_file
with open(filename(fname), binary and 'rb' or 'r') as fd:
FileNotFoundError: [Errno 2] No such file or directory:
'/tmp/binman.k7fg_p9o/boot.xilinx-fsbl-auth.bin'
======================================================================
FAIL: binman.ftest.TestFunctional.testSymbolsElfBad (subunit.RemotedTestCase)
binman.ftest.TestFunctional.testSymbolsElfBad
----------------------------------------------------------------------
testtools.testresult.real._StringException: Traceback (most recent call last):
File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/ftest.py",
line 6242, in testSymbolsElfBad
self.assertIn(
File "/usr/lib/python3.10/unittest/case.py", line 1112, in assertIn
self.fail(self._formatMessage(msg, standardMsg))
File "/usr/lib/python3.10/unittest/case.py", line 675, in fail
raise self.failureException(msg)
AssertionError: "Section '/binman': entry '/binman/u-boot-spl-elf':
Cannot write symbols to an ELF file without Python elftools" not found
in "Python: No module named 'elftools'"
Regards,
Simon
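
Added example, not part of this thread or of the patch series: the quoted cover letter says 'u-boot-spl-pubkey-dtb' adds a '/signature' node to the SPL, and this sketch computes the properties that U-Boot's FIT signature format stores for an RSA key in such a node, using the algo, required and key-name-hint values from the quoted example. The function names and the sample modulus are assumptions made for illustration; the modulus is a constructed odd integer, not a real key.

```python
import hashlib


def to_cells(value, nbytes):
    """Split an integer into big-endian 32-bit cells, as stored in a DTB."""
    raw = value.to_bytes(nbytes, "big")
    return [int.from_bytes(raw[i:i + 4], "big") for i in range(0, nbytes, 4)]


def signature_key_node(modulus, exponent, key_name_hint, algo, required):
    """Return (node_name, properties) for one key under /signature."""
    if modulus % 2 == 0:
        raise ValueError("an RSA modulus is always odd")
    num_bits = modulus.bit_length()
    nbytes = (num_bits + 31) // 32 * 4
    # n0-inverse is -1 / n[0] mod 2^32, where n[0] is the lowest 32-bit word.
    n0 = modulus & 0xFFFFFFFF
    n0_inverse = (-pow(n0, -1, 1 << 32)) % (1 << 32)
    # r-squared is (2^num_bits)^2 mod n; both values are precomputed so the
    # SPL can do Montgomery arithmetic without a big-number division.
    r_squared = pow(1 << num_bits, 2, modulus)
    props = {
        "key-name-hint": key_name_hint,
        "algo": algo,
        "required": required,
        "rsa,num-bits": num_bits,
        "rsa,exponent": to_cells(exponent, 8),
        "rsa,n0-inverse": n0_inverse,
        "rsa,modulus": to_cells(modulus, nbytes),
        "rsa,r-squared": to_cells(r_squared, nbytes),
    }
    return "key-" + key_name_hint, props


# Constructed 4096-bit odd integer standing in for a modulus (not a real key).
_FILL = int.from_bytes(hashlib.shake_256(b"constructed sample").digest(511), "big")
SAMPLE_MODULUS = (1 << 4095) | _FILL | 1

if __name__ == "__main__":
    name, props = signature_key_node(
        SAMPLE_MODULUS, 65537, "dev", "sha384,rsa4096", "conf")
    print(name, props["rsa,num-bits"], hex(props["rsa,n0-inverse"]))
```

Only public values end up in the node, so the resulting SPL device tree can be inspected and compared against the certificate without access to the signing key.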