[PATCH v3 00/11] Sign Xilinx ZynqMP SPL/FSBL boot images using binman

Michal Simek michal.simek at amd.com
Fri Jul 21 16:41:32 CEST 2023



On 7/18/23 13:53, lukas.funke-oss at weidmueller.com wrote:
> From: Lukas Funke <lukas.funke at weidmueller.com>
> 
> 
> This series adds two etypes to create a verified boot chain for
> Xilinx ZynqMP devices. The first etype 'xilinx-fsbl-auth' is used to
> create a bootable, signed image for ZynqMP boards using the Xilinx
> Bootgen tool. The second etype 'u-boot-spl-pubkey-dtb' is used to add
> a '/signature' node to the SPL. The public key in the signature is read
> from a certificate file and added using the 'fdt_add_pubkey' tool. The
> series also contains the corresponding btool for calling 'bootgen' and
> 'fdt_add_pubkey'.
> 
> The following block shows an example of how to use this functionality:
> 
>      spl {
>          filename = "boot.signed.bin";
> 
>          xilinx-fsbl-auth {
>              psk-key-name-hint = "psk0";
>              ssk-key-name-hint = "ssk0";
>              auth-params = "ppk_select=0", "spk_id=0x00000000";
> 
>              u-boot-spl-nodtb {
>              };
>              u-boot-spl-pubkey-dtb {
>                  algo = "sha384,rsa4096";
>                  required = "conf";
>                  key-name-hint = "dev";
>              };
>          };
>      };
> 

I was looking at binman a couple of times in the past but never had time to do any 
development with it. Maybe it is a good opportunity to look at it now with this 
series.
Is there a way to see more verbose output?

I expect that keys should be generated as described here:

https://docs.xilinx.com/r/en-US/ug1283-bootgen-user-guide/Key-Generation?tocId=yf_PWbWVciRyrDMi2g1H1w

Anyway, I tried to use u-boot-spl-nodtb like this:

&binman {
	spl {
		filename = "boot.signed.bin";
	
		xilinx-fsbl-auth {
			psk-key-name-hint = "/tmp/ddd/psk0";
			ssk-key-name-hint = "/tmp/ddd/ssk0";
			auth-params = "ppk_select=0", "spk_id=0x00000000";
			pmufw-filename = "/mnt/disk/u-boot-bins/zynqmp/zynqmp-zcu102-revA/pmufw.elf";

			u-boot-spl-nodtb {
			};
		};
	};
};

but I am getting this error:
   BINMAN  .binman_stamp
Using input directories ['.', '.', './board/xilinx/zynqmp', 'arch/arm/dts']
Using output directory '.'
Processing entry args:
                 of-list = avnet-ultra96-rev1 zynqmp-a2197-revA 
zynqmp-e-a2197-00-revA zynqmp-g-a2197-00-revA zynqmp-m-a2197-01-revA 
zynqmp-m-a2197-02-revA zynqmp-m-a2197-03-revA zynqmp-p-a2197-00-revA 
zynqmp-zc1232-revA zynqmp-zc1254-revA zynqmp-zc1751-xm015-dc1 
zynqmp-zc1751-xm016-dc2 zynqmp-zc1751-xm017-dc3 zynqmp-zc1751-xm018-dc4 
zynqmp-zc1751-xm019-dc5 zynqmp-zcu100-revC zynqmp-zcu102-rev1.1 
zynqmp-zcu102-rev1.0 zynqmp-zcu102-revA zynqmp-zcu102-revB zynqmp-zcu104-revA 
zynqmp-zcu104-revC zynqmp-zcu106-revA zynqmp-zcu106-rev1.0 zynqmp-zcu111-revA 
zynqmp-zcu1275-revA zynqmp-zcu1275-revB zynqmp-zcu1285-revA zynqmp-zcu208-revA 
zynqmp-zcu216-revA zynqmp-topic-miamimp-xilinx-xdp-v1r1 zynqmp-sm-k26-revA 
zynqmp-smk-k26-revA zynqmp-dlc21-revA
           atf-bl31-path = /tftpboot/bl31.bin
             tee-os-path = /tftpboot/tee.bin
            opensbi-path =
              default-dt = zynqmp-zcu100-revC
                scp-path =
       rockchip-tpl-path =
             spl-bss-pad =
             tpl-bss-pad = 1
                 spl-dtb = y
                 tpl-dtb =
       pre-load-key-path =
Processing entry args done
Node '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb': Packing: offset=None, 
size=None, content_size=240d8
Node '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb':    - packed: offset=0x0, 
size=0x240d8, content_size=0x240d8, next_offset=240d8
Node '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb': GetData: size 0x240d8
Node '/binman/spl/xilinx-fsbl-auth': GetPaddedDataForEntry: size None
Node '/binman/spl/xilinx-fsbl-auth': GetData: 1 entries, total size 0x240d8
bintool: bootgen -arch zynqmp -image ./bootgen-in.sign.bif -w -o 
./boot.spl.xilinx-fsbl-auth.bin


****** Xilinx Bootgen v2022.2.0
   **** Build date : Oct 13 2022-12:22:43
     ** Copyright 1986-2022 Xilinx, Inc. All Rights Reserved.

[WARNING]: Authentication padding scheme will be as per silicon 2.0(ES2) and 
above. The image generated will NOT work for 1.0(ES1).
	   Use '-zynqmpes1' to generate image for 1.0(ES1)

[INFO]   : Bootimage generated successfully


             Node '/binman/spl': GetPaddedDataForEntry: size None
Node '/binman/spl/xilinx-fsbl-auth': Packing: offset=None, size=0x47280, 
content_size=47280
Node '/binman/spl/xilinx-fsbl-auth':    - packed: offset=0x0, size=0x47280, 
content_size=0x47280, next_offset=47280
Node '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb': GetData: size 0x240d8
Node '/binman/spl/xilinx-fsbl-auth': GetPaddedDataForEntry: size 0x47280
Node '/binman/spl/xilinx-fsbl-auth': GetData: 1 entries, total size 0x240d8
bintool: bootgen -arch zynqmp -image ./bootgen-in.sign.bif -w -o 
./boot.spl.xilinx-fsbl-auth.bin


****** Xilinx Bootgen v2022.2.0
   **** Build date : Oct 13 2022-12:22:43
     ** Copyright 1986-2022 Xilinx, Inc. All Rights Reserved.

[WARNING]: Authentication padding scheme will be as per silicon 2.0(ES2) and 
above. The image generated will NOT work for 1.0(ES1).
	   Use '-zynqmpes1' to generate image for 1.0(ES1)

[INFO]   : Bootimage generated successfully


             Node '/binman/spl': GetPaddedDataForEntry: size None
             Node '/binman/spl': GetData: 1 entries, total size 0x47280
             Node '/binman/spl': GetPaddedDataForEntry: size 0x47280
             Node '/binman/spl': Packing: offset=None, size=0x47280, 
content_size=47280
             Node '/binman/spl':    - packed: offset=0x0, size=0x47280, 
content_size=0x47280, next_offset=47280
File ./u-boot.dtb.out: Update node '/binman/spl' prop 'offset' to 0x0
File ./u-boot.dtb.out: Update node '/binman/spl' prop 'size' to 0x47280
File ./u-boot.dtb.out: Update node '/binman/spl' prop 'image-pos' to 0x0
File ./u-boot.dtb.out: Update node '/binman/spl/xilinx-fsbl-auth' prop 'offset' 
to 0x0
File ./u-boot.dtb.out: Update node '/binman/spl/xilinx-fsbl-auth' prop 'size' to 
0x47280
File ./u-boot.dtb.out: Update node '/binman/spl/xilinx-fsbl-auth' prop 
'image-pos' to 0x0
File ./u-boot.dtb.out: Update node 
'/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb' prop 'offset' to 0x0
File ./u-boot.dtb.out: Update node 
'/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb' prop 'size' to 0x240d8
File ./u-boot.dtb.out: Update node 
'/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb' prop 'image-pos' to 0x0
Section '/binman/spl': Symbol '_binman_sym_magic'
    in entry '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb':
    insert _binman_sym_magic, offset 22f80, value 4d595342, length 8
binman: Section '/binman/spl': Symbol '_binman_u_boot_any_prop_image_pos'
    in entry '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb': Entry 'u-boot-any' 
not found in list (u-boot-spl-nodtb,xilinx-fsbl-auth,spl)

Traceback (most recent call last):
   File "/home/monstr/data/disk/u-boot/./tools/binman/binman", line 134, in 
RunBinman
     ret_code = control.Binman(args)
   File "/home/monstr/data/disk/u-boot/tools/binman/control.py", line 787, in Binman
     invalid |= ProcessImage(image, args.update_fdt, args.map,
   File "/home/monstr/data/disk/u-boot/tools/binman/control.py", line 616, in 
ProcessImage
     image.WriteSymbols()
   File "/home/monstr/data/disk/u-boot/tools/binman/image.py", line 172, in 
WriteSymbols
     super().WriteSymbols(self)
   File "/home/monstr/data/disk/u-boot/tools/binman/etype/section.py", line 499, 
in WriteSymbols
     entry.WriteSymbols(self)
   File "/home/monstr/data/disk/u-boot/tools/binman/etype/section.py", line 499, 
in WriteSymbols
     entry.WriteSymbols(self)
   File "/home/monstr/data/disk/u-boot/tools/binman/entry.py", line 701, in 
WriteSymbols
     elf.LookupAndWriteSymbols(self.elf_fname, self, section.GetImage(),
   File "/home/monstr/data/disk/u-boot/tools/binman/elf.py", line 298, in 
LookupAndWriteSymbols
     value = section.GetImage().LookupImageSymbol(name, sym.weak,
   File "/home/monstr/data/disk/u-boot/tools/binman/image.py", line 404, in 
LookupImageSymbol
     return self.LookupSymbol(sym_name, optional, msg, base_addr,
   File "/home/monstr/data/disk/u-boot/tools/binman/etype/section.py", line 650, 
in LookupSymbol
     raise ValueError(err)
ValueError: Section '/binman/spl': Symbol '_binman_u_boot_any_prop_image_pos'
    in entry '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb': Entry 'u-boot-any' 
not found in list (u-boot-spl-nodtb,xilinx-fsbl-auth,spl)
make: *** [Makefile:1115: .binman_stamp] Error 1



With u-boot-spl-dtb it works fine.

Anyway, I am kind of curious whether that support can be generalized so that the 
bif can be generated for other configurations too. It means

		xilinx-bootgen {
			pmufw-filename = "/mnt/disk/u-boot-bins/zynqmp/zynqmp-zcu102-revA/pmufw.elf";

			u-boot-spl-dtb {
			};
		};

you will get a boot.bin with the images you defined.


And regarding the name "xilinx-fsbl-auth": that authentication is done by the 
bootrom, not by the FSBL, which is why you should maybe consider renaming it. And 
as you wrote
"arch (str): Xilinx SoC architecture. Currently only 'zynqmp' is supported."
I expect that in the future this can be extended to other SoCs which don't have 
an FSBL, unless you use it as a generic name for the first stage bootloader.

That's why I would say xilinx-bootgen would maybe be a better name, even if it has 
the tool name in it.

Thanks,
Michal
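
The lookup failure in the log above can be reproduced offline with a small model of the symbol naming seen in the error. This is an added example, not part of the original message and not binman's own code; the suffix set accepted for a '-any' name and the extra `u-boot-nodtb` entry are assumptions.

```python
import re

# Assumption: suffixes a '-any' entry name may resolve to, modelled on
# binman's section lookup; this list is not taken from the message above.
ANY_SUFFIXES = ("", "-elf", "-img", "-nodtb")
SYM_RE = re.compile(r"^_binman_(\w+)_prop_(\w+)$")


def parse_symbol(sym_name):
    """Split a binman symbol into (entry name, property name)."""
    m = SYM_RE.match(sym_name)
    if not m:
        raise ValueError(f"Symbol '{sym_name}' has invalid format")
    entry, prop = m.groups()
    # C identifiers use '_' where device tree node names use '-'.
    return entry.replace("_", "-"), prop


def resolve_entry(sym_name, entries):
    """Return the entry in `entries` that the symbol refers to, or None."""
    entry, _prop = parse_symbol(sym_name)
    if entry in entries:
        return entry
    if entry.endswith("-any"):
        root = entry[: -len("-any")]
        for name in entries:
            if name.startswith(root) and name[len(root):] in ANY_SUFFIXES:
                return name
    return None


def unresolved(symbols, entries):
    """List (symbol, wanted entry) pairs that no entry in the image satisfies."""
    return [(s, parse_symbol(s)[0]) for s in symbols
            if resolve_entry(s, entries) is None]


# Entry list copied from the error in the log above.
FAILING_IMAGE = ["u-boot-spl-nodtb", "xilinx-fsbl-auth", "spl"]
# Constructed for comparison: same image plus a hypothetical U-Boot entry.
WITH_UBOOT = FAILING_IMAGE + ["u-boot-nodtb"]
SYMBOL = "_binman_u_boot_any_prop_image_pos"

if __name__ == "__main__":
    print(unresolved([SYMBOL], FAILING_IMAGE))
    print(unresolved([SYMBOL], WITH_UBOOT))
```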




