[PATCH v3 00/11] Sign Xilinx ZynqMP SPL/FSBL boot images using binman

Simon Glass sjg at chromium.org
Sun Jul 23 05:48:28 CEST 2023 

Hi Michal,

On Fri, 21 Jul 2023 at 08:41, Michal Simek <michal.simek at amd.com> wrote:
>
>
>
> On 7/18/23 13:53, lukas.funke-oss at weidmueller.com wrote:
> > From: Lukas Funke <lukas.funke at weidmueller.com>
> >
> >
> > This series adds two etypes to create a verified boot chain for
> > Xilinx ZynqMP devices. The first etype 'xilinx-fsbl-auth' is used to
> > create a bootable, signed image for ZynqMP boards using the Xilinx
> > Bootgen tool. The second etype 'u-boot-spl-pubkey-dtb' is used to add
> > a '/signature' node to the SPL. The public key in the signature is read
> > from a certificate file and added using the 'fdt_add_pubkey' tool. The
> > series also contains the corresponding btool for calling 'bootgen' and
> > 'fdt_add_pubkey'.
> >
> > The following block shows an example on how to use this functionality:
> >
> >      spl {
> >          filename = "boot.signed.bin";
> >
> >          xilinx-fsbl-auth {
> >              psk-key-name-hint = "psk0";
> >              ssk-key-name-hint = "ssk0";
> >              auth-params = "ppk_select=0", "spk_id=0x00000000";
> >
> >              u-boot-spl-nodtb {
> >              };
> >              u-boot-spl-pubkey-dtb {
> >                  algo = "sha384,rsa4096";
> >                  required = "conf";
> >                  key-name-hint = "dev";
> >              };
> >          };
> >      };
> >
>
> I was looking at binman couple of times in past but never had time to do any
> development with it. Maybe it is good opportunity to look at it now with this
> series.
> Is there a way to see more verbose output?
>

https://u-boot.readthedocs.io/en/latest/develop/package/binman.html#logging

> I expect that keys should be generated as is described here.
>
> https://docs.xilinx.com/r/en-US/ug1283-bootgen-user-guide/Key-Generation?tocId=yf_PWbWVciRyrDMi2g1H1w
>
> Anyway I tried to use u-boot-spl-nodtb like this.
>
> &binman {
>         spl {
>                 filename = "boot.signed.bin";
>
>                 xilinx-fsbl-auth {
>                         psk-key-name-hint = "/tmp/ddd/psk0";
>                         ssk-key-name-hint = "/tmp/ddd/ssk0";
>                         auth-params = "ppk_select=0", "spk_id=0x00000000";
>                         pmufw-filename = "/mnt/disk/u-boot-bins/zynqmp/zynqmp-zcu102-revA/pmufw.elf";
>
>                         u-boot-spl-nodtb {
>                         };
>                 };
>         };
> };
>
> but getting error
>    BINMAN  .binman_stamp
> Using input directories ['.', '.', './board/xilinx/zynqmp', 'arch/arm/dts']
> Using output directory '.'
> Processing entry args:
>                  of-list = avnet-ultra96-rev1 zynqmp-a2197-revA
> zynqmp-e-a2197-00-revA zynqmp-g-a2197-00-revA zynqmp-m-a2197-01-revA
> zynqmp-m-a2197-02-revA zynqmp-m-a2197-03-revA zynqmp-p-a2197-00-revA
> zynqmp-zc1232-revA zynqmp-zc1254-revA zynqmp-zc1751-xm015-dc1
> zynqmp-zc1751-xm016-dc2 zynqmp-zc1751-xm017-dc3 zynqmp-zc1751-xm018-dc4
> zynqmp-zc1751-xm019-dc5 zynqmp-zcu100-revC zynqmp-zcu102-rev1.1
> zynqmp-zcu102-rev1.0 zynqmp-zcu102-revA zynqmp-zcu102-revB zynqmp-zcu104-revA
> zynqmp-zcu104-revC zynqmp-zcu106-revA zynqmp-zcu106-rev1.0 zynqmp-zcu111-revA
> zynqmp-zcu1275-revA zynqmp-zcu1275-revB zynqmp-zcu1285-revA zynqmp-zcu208-revA
> zynqmp-zcu216-revA zynqmp-topic-miamimp-xilinx-xdp-v1r1 zynqmp-sm-k26-revA
> zynqmp-smk-k26-revA zynqmp-dlc21-revA
>            atf-bl31-path = /tftpboot/bl31.bin
>              tee-os-path = /tftpboot/tee.bin
>             opensbi-path =
>               default-dt = zynqmp-zcu100-revC
>                 scp-path =
>        rockchip-tpl-path =
>              spl-bss-pad =
>              tpl-bss-pad = 1
>                  spl-dtb = y
>                  tpl-dtb =
>        pre-load-key-path =
> Processing entry args done
> Node '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb': Packing: offset=None,
> size=None, content_size=240d8
> Node '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb':    - packed: offset=0x0,
> size=0x240d8, content_size=0x240d8, next_offset=240d8
> Node '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb': GetData: size 0x240d8
> Node '/binman/spl/xilinx-fsbl-auth': GetPaddedDataForEntry: size None
> Node '/binman/spl/xilinx-fsbl-auth': GetData: 1 entries, total size 0x240d8
> bintool: bootgen -arch zynqmp -image ./bootgen-in.sign.bif -w -o
> ./boot.spl.xilinx-fsbl-auth.bin
>
>
> ****** Xilinx Bootgen v2022.2.0
>    **** Build date : Oct 13 2022-12:22:43
>      ** Copyright 1986-2022 Xilinx, Inc. All Rights Reserved.
>
> [WARNING]: Authentication padding scheme will be as per silicon 2.0(ES2) and
> above. The image generated will NOT work for 1.0(ES1).
>            Use '-zynqmpes1' to generate image for 1.0(ES1)
>
> [INFO]   : Bootimage generated successfully

BTW tools are not allowed to generate output normally, so this will
need to be suppressed somehow by the binman btool.

Regards,
Simon

More information about the U-Boot mailing list