[PATCH v3 00/11] Sign Xilinx ZynqMP SPL/FSBL boot images using binman

Simon Glass sjg at chromium.org
Tue Jul 25 23:28:36 CEST 2023


Hi again,

On Sat, 22 Jul 2023 at 21:48, Simon Glass <sjg at chromium.org> wrote:
>
> Hi Michal,
>
> On Fri, 21 Jul 2023 at 08:41, Michal Simek <michal.simek at amd.com> wrote:
> >
> >
> >
> > On 7/18/23 13:53, lukas.funke-oss at weidmueller.com wrote:
> > > From: Lukas Funke <lukas.funke at weidmueller.com>
> > >
> > >
> > > This series adds two etypes to create a verified boot chain for
> > > Xilinx ZynqMP devices. The first etype 'xilinx-fsbl-auth' is used to
> > > create a bootable, signed image for ZynqMP boards using the Xilinx
> > > Bootgen tool. The second etype 'u-boot-spl-pubkey-dtb' is used to add
> > > a '/signature' node to the SPL. The public key in the signature is read
> > > from a certificate file and added using the 'fdt_add_pubkey' tool. The
> > > series also contains the corresponding btool for calling 'bootgen' and
> > > 'fdt_add_pubkey'.
> > >
> > > The following block shows an example on how to use this functionality:
> > >
> > >      spl {
> > >          filename = "boot.signed.bin";
> > >
> > >          xilinx-fsbl-auth {
> > >              psk-key-name-hint = "psk0";
> > >              ssk-key-name-hint = "ssk0";
> > >              auth-params = "ppk_select=0", "spk_id=0x00000000";
> > >
> > >              u-boot-spl-nodtb {
> > >              };
> > >              u-boot-spl-pubkey-dtb {
> > >                  algo = "sha384,rsa4096";
> > >                  required = "conf";
> > >                  key-name-hint = "dev";
> > >              };
> > >          };
> > >      };
> > >
> >
> > I was looking at binman a couple of times in the past but never had time to do any
> > development with it. Maybe it is a good opportunity to look at it now with this
> > series.
> > Is there a way to see more verbose output?
> >
>
> https://u-boot.readthedocs.io/en/latest/develop/package/binman.html#logging
>
> > I expect that keys should be generated as is described here.
> >
> > https://docs.xilinx.com/r/en-US/ug1283-bootgen-user-guide/Key-Generation?tocId=yf_PWbWVciRyrDMi2g1H1w
> >
> > Anyway I tried to use u-boot-spl-nodtb like this.
> >
> > &binman {
> >         spl {
> >                 filename = "boot.signed.bin";
> >
> >                 xilinx-fsbl-auth {
> >                         psk-key-name-hint = "/tmp/ddd/psk0";
> >                         ssk-key-name-hint = "/tmp/ddd/ssk0";
> >                         auth-params = "ppk_select=0", "spk_id=0x00000000";
> >                         pmufw-filename = "/mnt/disk/u-boot-bins/zynqmp/zynqmp-zcu102-revA/pmufw.elf";
> >
> >                         u-boot-spl-nodtb {
> >                         };
> >                 };
> >         };
> > };
> >
> > but I am getting an error
> >    BINMAN  .binman_stamp
> > Using input directories ['.', '.', './board/xilinx/zynqmp', 'arch/arm/dts']
> > Using output directory '.'
> > Processing entry args:
> >                  of-list = avnet-ultra96-rev1 zynqmp-a2197-revA
> > zynqmp-e-a2197-00-revA zynqmp-g-a2197-00-revA zynqmp-m-a2197-01-revA
> > zynqmp-m-a2197-02-revA zynqmp-m-a2197-03-revA zynqmp-p-a2197-00-revA
> > zynqmp-zc1232-revA zynqmp-zc1254-revA zynqmp-zc1751-xm015-dc1
> > zynqmp-zc1751-xm016-dc2 zynqmp-zc1751-xm017-dc3 zynqmp-zc1751-xm018-dc4
> > zynqmp-zc1751-xm019-dc5 zynqmp-zcu100-revC zynqmp-zcu102-rev1.1
> > zynqmp-zcu102-rev1.0 zynqmp-zcu102-revA zynqmp-zcu102-revB zynqmp-zcu104-revA
> > zynqmp-zcu104-revC zynqmp-zcu106-revA zynqmp-zcu106-rev1.0 zynqmp-zcu111-revA
> > zynqmp-zcu1275-revA zynqmp-zcu1275-revB zynqmp-zcu1285-revA zynqmp-zcu208-revA
> > zynqmp-zcu216-revA zynqmp-topic-miamimp-xilinx-xdp-v1r1 zynqmp-sm-k26-revA
> > zynqmp-smk-k26-revA zynqmp-dlc21-revA
> >            atf-bl31-path = /tftpboot/bl31.bin
> >              tee-os-path = /tftpboot/tee.bin
> >             opensbi-path =
> >               default-dt = zynqmp-zcu100-revC
> >                 scp-path =
> >        rockchip-tpl-path =
> >              spl-bss-pad =
> >              tpl-bss-pad = 1
> >                  spl-dtb = y
> >                  tpl-dtb =
> >        pre-load-key-path =
> > Processing entry args done
> > Node '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb': Packing: offset=None,
> > size=None, content_size=240d8
> > Node '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb':    - packed: offset=0x0,
> > size=0x240d8, content_size=0x240d8, next_offset=240d8
> > Node '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb': GetData: size 0x240d8
> > Node '/binman/spl/xilinx-fsbl-auth': GetPaddedDataForEntry: size None
> > Node '/binman/spl/xilinx-fsbl-auth': GetData: 1 entries, total size 0x240d8
> > bintool: bootgen -arch zynqmp -image ./bootgen-in.sign.bif -w -o
> > ./boot.spl.xilinx-fsbl-auth.bin
> >
> >
> > ****** Xilinx Bootgen v2022.2.0
> >    **** Build date : Oct 13 2022-12:22:43
> >      ** Copyright 1986-2022 Xilinx, Inc. All Rights Reserved.
> >
> > [WARNING]: Authentication padding scheme will be as per silicon 2.0(ES2) and
> > above. The image generated will NOT work for 1.0(ES1).
> >            Use '-zynqmpes1' to generate image for 1.0(ES1)
> >
> > [INFO]   : Bootimage generated successfully
>
> BTW tools are not allowed to generate output normally, so this will
> need to be suppressed somehow by the binman btool.

Actually this happens automatically. I think the above was due to
verbose being on.

I applied what patches I could from this series, so please rebase to
master (or dm/master if before the PR is applied), and resend.

Regards,
Simon
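The cover letter above says the 'u-boot-spl-pubkey-dtb' etype puts a '/signature' node into the SPL DTB with the public key taken from a certificate, via 'fdt_add_pubkey'. What that node actually has to contain is the part a reviewer of a signed image most often wants to check, so the following is an added example (not code from this patch series, from binman, or from fdt_add_pubkey) that computes the per-key properties U-Boot's RSA verifier expects, using the property names and value layout documented in U-Boot's doc/uImage.FIT/signature.txt (rsa,num-bits, rsa,n0-inverse, rsa,r-squared, rsa,modulus, rsa,exponent). Extracting the modulus and exponent from the X.509 certificate is left to whatever ASN.1 parser you have at hand; the functions here take them as integers. The modulus used in `demo()` is a constructed 96-bit toy value (a product of two Mersenne primes), chosen so the layout is readable, and is not a real board key.

```python
"""Properties U-Boot expects under /signature/key-<hint> for an RSA public key.

Added example, not U-Boot or binman code. Property names and layout follow
U-Boot's doc/uImage.FIT/signature.txt; key sizes are assumed to be a whole
number of 32-bit words, as they are for real 2048/4096-bit keys.
"""
import struct

WORD_BITS = 32
MASK32 = (1 << WORD_BITS) - 1


def n0_inverse(n: int) -> int:
    """rsa,n0-inverse: -(n^-1) mod 2^32, the Montgomery constant for the low word."""
    if n % 2 == 0:
        raise ValueError("RSA modulus must be odd")
    inv = pow(n & MASK32, -1, 1 << WORD_BITS)  # n^-1 mod 2^32
    return (-inv) & MASK32


def r_squared(n: int, num_bits: int) -> int:
    """rsa,r-squared: R^2 mod n with R = 2^num_bits (Montgomery form)."""
    return pow(2, 2 * num_bits, n)


def to_be_words(value: int, num_bits: int) -> bytes:
    """Serialise value as exactly num_bits/32 big-endian 32-bit cells."""
    nwords = num_bits // WORD_BITS
    return b"".join(struct.pack(">I", (value >> (WORD_BITS * i)) & MASK32)
                    for i in reversed(range(nwords)))


def signature_node(n: int, e: int, key_name_hint: str,
                   hash_algo: str = "sha384", required: str = "conf") -> dict:
    """Build the properties of /signature/key-<hint> from a modulus and exponent.

    The rsa<bits> half of the 'algo' string is derived from the modulus length,
    so a 4096-bit certificate key yields "sha384,rsa4096" as in the binman node.
    """
    num_bits = n.bit_length()
    if num_bits % WORD_BITS:
        raise ValueError("modulus length must be a multiple of 32 bits")
    props = {
        "algo": f"{hash_algo},rsa{num_bits}",
        "required": required,
        "key-name-hint": key_name_hint,
        "rsa,num-bits": num_bits,
        "rsa,n0-inverse": n0_inverse(n),
        "rsa,exponent": e,  # stored as a 64-bit value (two cells) in the DTB
        "rsa,modulus": to_be_words(n, num_bits),
        "rsa,r-squared": to_be_words(r_squared(n, num_bits), num_bits),
    }
    return {f"/signature/key-{key_name_hint}": props}


def _cells(data: bytes) -> str:
    words = struct.unpack(f">{len(data) // 4}I", data)
    return " ".join(f"0x{w:08x}" for w in words)


def to_dts(node: dict) -> str:
    """Render the node as a DTS fragment, the way it would appear in the SPL DTB."""
    (path, props), = node.items()
    name = path.rsplit("/", 1)[-1]
    e = props["rsa,exponent"]
    lines = [
        "/ {", "\tsignature {", f"\t\t{name} {{",
        f'\t\t\trequired = "{props["required"]}";',
        f'\t\t\talgo = "{props["algo"]}";',
        f'\t\t\tkey-name-hint = "{props["key-name-hint"]}";',
        f"\t\t\trsa,num-bits = <0x{props['rsa,num-bits']:x}>;",
        f"\t\t\trsa,n0-inverse = <0x{props['rsa,n0-inverse']:08x}>;",
        f"\t\t\trsa,exponent = <0x{e >> 32:x} 0x{e & MASK32:x}>;",
        f"\t\t\trsa,modulus = <{_cells(props['rsa,modulus'])}>;",
        f"\t\t\trsa,r-squared = <{_cells(props['rsa,r-squared'])}>;",
        "\t\t};", "\t};", "};",
    ]
    return "\n".join(lines)


def montgomery_ok(n: int, n0_inv: int) -> bool:
    """Sanity check a reviewer can run on a generated DTB: n * n0_inv == -1 mod 2^32."""
    return (n * n0_inv) & MASK32 == MASK32


# Constructed toy modulus: 127 * (2^89 - 1), both prime, 96 bits. Not a real key.
TOY_MODULUS = 127 * ((1 << 89) - 1)


def demo() -> dict:
    node = signature_node(TOY_MODULUS, 65537, "dev")
    print(to_dts(node))
    return node


if __name__ == "__main__":
    demo()
```

The `required = "conf"` and `key-name-hint = "dev"` values mirror the binman node in the cover letter; `montgomery_ok()` is the one check worth running against a DTB produced by any tool, since a wrong n0-inverse makes every signature fail verification regardless of how the image was signed.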

