[PATCH v3 00/11] Sign Xilinx ZynqMP SPL/FSBL boot images using binman
Michal Simek
michal.simek at amd.com
Fri Jul 21 16:41:32 CEST 2023
On 7/18/23 13:53, lukas.funke-oss at weidmueller.com wrote:
> From: Lukas Funke <lukas.funke at weidmueller.com>
>
>
> This series adds two etypes to create a verified boot chain for
> Xilinx ZynqMP devices. The first etype 'xilinx-fsbl-auth' is used to
> create a bootable, signed image for ZynqMP boards using the Xilinx
> Bootgen tool. The second etype 'u-boot-spl-pubkey-dtb' is used to add
> a '/signature' node to the SPL. The public key in the signature is read
> from a certificate file and added using the 'fdt_add_pubkey' tool. The
> series also contains the corresponding btool for calling 'bootgen' and
> 'fdt_add_pubkey'.
>
> The following block shows an example on how to use this functionality:
>
> spl {
>     filename = "boot.signed.bin";
>
>     xilinx-fsbl-auth {
>         psk-key-name-hint = "psk0";
>         ssk-key-name-hint = "ssk0";
>         auth-params = "ppk_select=0", "spk_id=0x00000000";
>
>         u-boot-spl-nodtb {
>         };
>         u-boot-spl-pubkey-dtb {
>             algo = "sha384,rsa4096";
>             required = "conf";
>             key-name-hint = "dev";
>         };
>     };
> };
>
I was looking at binman a couple of times in the past but never had time to do any
development with it. Maybe it is a good opportunity to look at it now with this
series.
Is there a way to see more verbose output?
I expect that keys should be generated as described here:
https://docs.xilinx.com/r/en-US/ug1283-bootgen-user-guide/Key-Generation?tocId=yf_PWbWVciRyrDMi2g1H1w
Anyway, I tried to use u-boot-spl-nodtb like this:
&binman {
    spl {
        filename = "boot.signed.bin";
        xilinx-fsbl-auth {
            psk-key-name-hint = "/tmp/ddd/psk0";
            ssk-key-name-hint = "/tmp/ddd/ssk0";
            auth-params = "ppk_select=0", "spk_id=0x00000000";
            pmufw-filename = "/mnt/disk/u-boot-bins/zynqmp/zynqmp-zcu102-revA/pmufw.elf";
            u-boot-spl-nodtb {
            };
        };
    };
};
but I am getting this error:
BINMAN .binman_stamp
Using input directories ['.', '.', './board/xilinx/zynqmp', 'arch/arm/dts']
Using output directory '.'
Processing entry args:
of-list = avnet-ultra96-rev1 zynqmp-a2197-revA
zynqmp-e-a2197-00-revA zynqmp-g-a2197-00-revA zynqmp-m-a2197-01-revA
zynqmp-m-a2197-02-revA zynqmp-m-a2197-03-revA zynqmp-p-a2197-00-revA
zynqmp-zc1232-revA zynqmp-zc1254-revA zynqmp-zc1751-xm015-dc1
zynqmp-zc1751-xm016-dc2 zynqmp-zc1751-xm017-dc3 zynqmp-zc1751-xm018-dc4
zynqmp-zc1751-xm019-dc5 zynqmp-zcu100-revC zynqmp-zcu102-rev1.1
zynqmp-zcu102-rev1.0 zynqmp-zcu102-revA zynqmp-zcu102-revB zynqmp-zcu104-revA
zynqmp-zcu104-revC zynqmp-zcu106-revA zynqmp-zcu106-rev1.0 zynqmp-zcu111-revA
zynqmp-zcu1275-revA zynqmp-zcu1275-revB zynqmp-zcu1285-revA zynqmp-zcu208-revA
zynqmp-zcu216-revA zynqmp-topic-miamimp-xilinx-xdp-v1r1 zynqmp-sm-k26-revA
zynqmp-smk-k26-revA zynqmp-dlc21-revA
atf-bl31-path = /tftpboot/bl31.bin
tee-os-path = /tftpboot/tee.bin
opensbi-path =
default-dt = zynqmp-zcu100-revC
scp-path =
rockchip-tpl-path =
spl-bss-pad =
tpl-bss-pad = 1
spl-dtb = y
tpl-dtb =
pre-load-key-path =
Processing entry args done
Node '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb': Packing: offset=None,
size=None, content_size=240d8
Node '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb': - packed: offset=0x0,
size=0x240d8, content_size=0x240d8, next_offset=240d8
Node '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb': GetData: size 0x240d8
Node '/binman/spl/xilinx-fsbl-auth': GetPaddedDataForEntry: size None
Node '/binman/spl/xilinx-fsbl-auth': GetData: 1 entries, total size 0x240d8
bintool: bootgen -arch zynqmp -image ./bootgen-in.sign.bif -w -o
./boot.spl.xilinx-fsbl-auth.bin
****** Xilinx Bootgen v2022.2.0
**** Build date : Oct 13 2022-12:22:43
** Copyright 1986-2022 Xilinx, Inc. All Rights Reserved.
[WARNING]: Authentication padding scheme will be as per silicon 2.0(ES2) and
above. The image generated will NOT work for 1.0(ES1).
Use '-zynqmpes1' to generate image for 1.0(ES1)
[INFO] : Bootimage generated successfully
Node '/binman/spl': GetPaddedDataForEntry: size None
Node '/binman/spl/xilinx-fsbl-auth': Packing: offset=None, size=0x47280,
content_size=47280
Node '/binman/spl/xilinx-fsbl-auth': - packed: offset=0x0, size=0x47280,
content_size=0x47280, next_offset=47280
Node '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb': GetData: size 0x240d8
Node '/binman/spl/xilinx-fsbl-auth': GetPaddedDataForEntry: size 0x47280
Node '/binman/spl/xilinx-fsbl-auth': GetData: 1 entries, total size 0x240d8
bintool: bootgen -arch zynqmp -image ./bootgen-in.sign.bif -w -o
./boot.spl.xilinx-fsbl-auth.bin
****** Xilinx Bootgen v2022.2.0
**** Build date : Oct 13 2022-12:22:43
** Copyright 1986-2022 Xilinx, Inc. All Rights Reserved.
[WARNING]: Authentication padding scheme will be as per silicon 2.0(ES2) and
above. The image generated will NOT work for 1.0(ES1).
Use '-zynqmpes1' to generate image for 1.0(ES1)
[INFO] : Bootimage generated successfully
Node '/binman/spl': GetPaddedDataForEntry: size None
Node '/binman/spl': GetData: 1 entries, total size 0x47280
Node '/binman/spl': GetPaddedDataForEntry: size 0x47280
Node '/binman/spl': Packing: offset=None, size=0x47280,
content_size=47280
Node '/binman/spl': - packed: offset=0x0, size=0x47280,
content_size=0x47280, next_offset=47280
File ./u-boot.dtb.out: Update node '/binman/spl' prop 'offset' to 0x0
File ./u-boot.dtb.out: Update node '/binman/spl' prop 'size' to 0x47280
File ./u-boot.dtb.out: Update node '/binman/spl' prop 'image-pos' to 0x0
File ./u-boot.dtb.out: Update node '/binman/spl/xilinx-fsbl-auth' prop 'offset'
to 0x0
File ./u-boot.dtb.out: Update node '/binman/spl/xilinx-fsbl-auth' prop 'size' to
0x47280
File ./u-boot.dtb.out: Update node '/binman/spl/xilinx-fsbl-auth' prop
'image-pos' to 0x0
File ./u-boot.dtb.out: Update node
'/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb' prop 'offset' to 0x0
File ./u-boot.dtb.out: Update node
'/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb' prop 'size' to 0x240d8
File ./u-boot.dtb.out: Update node
'/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb' prop 'image-pos' to 0x0
Section '/binman/spl': Symbol '_binman_sym_magic'
in entry '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb':
insert _binman_sym_magic, offset 22f80, value 4d595342, length 8
binman: Section '/binman/spl': Symbol '_binman_u_boot_any_prop_image_pos'
in entry '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb': Entry 'u-boot-any'
not found in list (u-boot-spl-nodtb,xilinx-fsbl-auth,spl)
Traceback (most recent call last):
  File "/home/monstr/data/disk/u-boot/./tools/binman/binman", line 134, in RunBinman
    ret_code = control.Binman(args)
  File "/home/monstr/data/disk/u-boot/tools/binman/control.py", line 787, in Binman
    invalid |= ProcessImage(image, args.update_fdt, args.map,
  File "/home/monstr/data/disk/u-boot/tools/binman/control.py", line 616, in ProcessImage
    image.WriteSymbols()
  File "/home/monstr/data/disk/u-boot/tools/binman/image.py", line 172, in WriteSymbols
    super().WriteSymbols(self)
  File "/home/monstr/data/disk/u-boot/tools/binman/etype/section.py", line 499, in WriteSymbols
    entry.WriteSymbols(self)
  File "/home/monstr/data/disk/u-boot/tools/binman/etype/section.py", line 499, in WriteSymbols
    entry.WriteSymbols(self)
  File "/home/monstr/data/disk/u-boot/tools/binman/entry.py", line 701, in WriteSymbols
    elf.LookupAndWriteSymbols(self.elf_fname, self, section.GetImage(),
  File "/home/monstr/data/disk/u-boot/tools/binman/elf.py", line 298, in LookupAndWriteSymbols
    value = section.GetImage().LookupImageSymbol(name, sym.weak,
  File "/home/monstr/data/disk/u-boot/tools/binman/image.py", line 404, in LookupImageSymbol
    return self.LookupSymbol(sym_name, optional, msg, base_addr,
  File "/home/monstr/data/disk/u-boot/tools/binman/etype/section.py", line 650, in LookupSymbol
    raise ValueError(err)
ValueError: Section '/binman/spl': Symbol '_binman_u_boot_any_prop_image_pos' in entry '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb': Entry 'u-boot-any' not found in list (u-boot-spl-nodtb,xilinx-fsbl-auth,spl)
make: *** [Makefile:1115: .binman_stamp] Error 1
With u-boot-spl-dtb it works fine.
Anyway, I am kind of curious whether that support can be generalized so that a bif
can be generated for other configurations too. It means
xilinx-bootgen {
    pmufw-filename = "/mnt/disk/u-boot-bins/zynqmp/zynqmp-zcu102-revA/pmufw.elf";
    u-boot-spl-dtb {
    };
};
and you will get a boot.bin with the images you defined.
And regarding the name "xilinx-fsbl-auth": that authentication is done by the
BootROM, not by the FSBL, so you should maybe consider renaming it. And as you wrote
"arch (str): Xilinx SoC architecture. Currently only 'zynqmp' is supported.",
I expect in future this can be extended to other SoCs which don't have an
FSBL, unless you use it as a generic name for the first stage bootloader.
That's why I would say xilinx-bootgen would maybe be a better name even if it has
the tool name in it.
Thanks,
Michal
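The following is an added example illustrating what the 'xilinx-fsbl-auth' node hands to bootgen; it is example code written for this page, not the series' btool or any U-Boot code. It renders the BIF that binman feeds to 'bootgen -image' (the 'bootgen-in.sign.bif' seen in the log above) from the same psk/ssk key name hints, auth-params and pmufw path used in the node, validates ppk_select and spk_id before bootgen ever sees them, and reproduces the bootgen command line from the log. The BIF section names ([auth_params], [pskfile], [sskfile], [pmufw_image], [bootloader, authentication=rsa, destination_cpu=a53-0]) follow UG1283; the resolution of a key name hint to '<hint>.pem', the validation rules, the helper names and the sample file paths are this example's own assumptions.

```python
"""Example BIF generator for an authenticated ZynqMP SPL boot image.

Added example, not the series' btool: renders the bootgen input file
from the properties the 'xilinx-fsbl-auth' node carries and validates
the auth-params values before running bootgen.
"""
import os
import re
import subprocess
from dataclasses import dataclass


@dataclass
class FsblAuthParams:
    psk_key_name_hint: str   # primary secret key (PSK), as in psk-key-name-hint
    ssk_key_name_hint: str   # secondary secret key (SSK), as in ssk-key-name-hint
    auth_params: tuple       # e.g. ("ppk_select=0", "spk_id=0x00000000")
    pmufw_filename: str      # PMU firmware ELF bundled into the boot image
    spl_filename: str        # the SPL binary bootgen signs as [bootloader]


def validate_auth_params(auth_params):
    """Parse 'key=value' items and check the two values bootgen consumes.

    ppk_select picks one of the two PPK hash slots in eFUSE (0 or 1) and
    spk_id is a 32-bit identifier; anything else is rejected here instead
    of being left for bootgen or the BootROM to trip over.
    """
    seen = {}
    for item in auth_params:
        key, sep, value = item.partition('=')
        if not sep:
            raise ValueError(f'malformed auth-param {item!r}, expected key=value')
        seen[key.strip()] = value.strip()
    if seen.get('ppk_select') not in ('0', '1'):
        raise ValueError(f"ppk_select must be 0 or 1, got {seen.get('ppk_select')!r}")
    spk_id = seen.get('spk_id')
    if spk_id is None or not re.fullmatch(r'0x[0-9a-fA-F]{1,8}', spk_id):
        raise ValueError(f'spk_id must be a 32-bit hex value, got {spk_id!r}')
    return seen


def key_file(name_hint, key_dir=''):
    """Resolve a key name hint to a PEM path (assumption: '<hint>.pem')."""
    fname = name_hint if name_hint.endswith('.pem') else name_hint + '.pem'
    return os.path.join(key_dir, fname)


def build_bif(params, key_dir=''):
    """Render the BIF text that bootgen reads via '-image'."""
    auth = validate_auth_params(params.auth_params)
    auth_text = '; '.join(f'{k}={v}' for k, v in auth.items())
    lines = [
        'the_ROM_image:',
        '{',
        f'  [auth_params] {auth_text}',
        f'  [pskfile] {key_file(params.psk_key_name_hint, key_dir)}',
        f'  [sskfile] {key_file(params.ssk_key_name_hint, key_dir)}',
        f'  [pmufw_image] {params.pmufw_filename}',
        f'  [bootloader, authentication=rsa, destination_cpu=a53-0] '
        f'{params.spl_filename}',
        '}',
    ]
    return '\n'.join(lines) + '\n'


def bootgen_cmdline(bif_fname, output_fname, arch='zynqmp'):
    """The bootgen invocation binman logs; '-w' overwrites the output file."""
    return ['bootgen', '-arch', arch, '-image', bif_fname, '-w', '-o', output_fname]


def sign_image(params, bif_fname, output_fname, key_dir=''):
    """Write the BIF and run bootgen; needs the Xilinx tool on PATH."""
    with open(bif_fname, 'w') as f:
        f.write(build_bif(params, key_dir))
    subprocess.run(bootgen_cmdline(bif_fname, output_fname), check=True)


if __name__ == '__main__':
    # Constructed sample matching the node in the reply above (paths are
    # placeholders, not files that exist here).
    sample = FsblAuthParams('/tmp/ddd/psk0', '/tmp/ddd/ssk0',
                            ('ppk_select=0', 'spk_id=0x00000000'),
                            '/mnt/disk/u-boot-bins/zynqmp/zynqmp-zcu102-revA/pmufw.elf',
                            'spl/u-boot-spl-nodtb.bin')
    print(build_bif(sample), end='')
    print(' '.join(bootgen_cmdline('bootgen-in.sign.bif', 'boot.signed.bin')))
```

Running the script only prints the BIF and the command line; `sign_image()` is the step that needs a real bootgen install and PSK/SSK key files generated as in the UG1283 key-generation page linked above. The validation in `validate_auth_params()` is the point worth keeping in any wrapper: a wrong ppk_select silently selects the other PPK hash slot, and the image will then fail authentication in the BootROM rather than at build time.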