[PATCH v3 00/11] Sign Xilinx ZynqMP SPL/FSBL boot images using binman

Lukas Funke lukas.funke-oss at weidmueller.com
Thu Jul 27 09:56:45 CEST 2023


Hi Michal,

On 21.07.2023 16:41, Michal Simek wrote:
> 
> 
> On 7/18/23 13:53, lukas.funke-oss at weidmueller.com wrote:
>> From: Lukas Funke <lukas.funke at weidmueller.com>
>>
>>
>> This series adds two etypes to create a verified boot chain for
>> Xilinx ZynqMP devices. The first etype 'xilinx-fsbl-auth' is used to
>> create a bootable, signed image for ZynqMP boards using the Xilinx
>> Bootgen tool. The second etype 'u-boot-spl-pubkey-dtb' is used to add
>> a '/signature' node to the SPL. The public key in the signature is read
>> from a certificate file and added using the 'fdt_add_pubkey' tool. The
>> series also contains the corresponding btool for calling 'bootgen' and
>> 'fdt_add_pubkey'.
>>
>> The following block shows an example on how to use this functionality:
>>
>>      spl {
>>          filename = "boot.signed.bin";
>>
>>          xilinx-fsbl-auth {
>>              psk-key-name-hint = "psk0";
>>              ssk-key-name-hint = "ssk0";
>>              auth-params = "ppk_select=0", "spk_id=0x00000000";
>>
>>              u-boot-spl-nodtb {
>>              };
>>              u-boot-spl-pubkey-dtb {
>>                  algo = "sha384,rsa4096";
>>                  required = "conf";
>>                  key-name-hint = "dev";
>>              };
>>          };
>>      };
>>
> 
> I was looking at binman couple of times in past but never had time to do 
> any development with it. Maybe it is good opportunity to look at it now 
> with this series.
> Is there a way to see more verbose output?
> 
> I expect that keys should be generated as is described here.
> 
> https://docs.xilinx.com/r/en-US/ug1283-bootgen-user-guide/Key-Generation?tocId=yf_PWbWVciRyrDMi2g1H1w

Yes.

> 
> Anyway I tried to use u-boot-spl-nodtb like this.
> 
> &binman {
>      spl {
>          filename = "boot.signed.bin";
> 
>          xilinx-fsbl-auth {
>              psk-key-name-hint = "/tmp/ddd/psk0";
>              ssk-key-name-hint = "/tmp/ddd/ssk0";
>              auth-params = "ppk_select=0", "spk_id=0x00000000";
>              pmufw-filename = 
> "/mnt/disk/u-boot-bins/zynqmp/zynqmp-zcu102-revA/pmufw.elf";
> 
>              u-boot-spl-nodtb {
>              };
>          };
>      };
> };
> 
> but getting error
>    BINMAN  .binman_stamp
> Using input directories ['.', '.', './board/xilinx/zynqmp', 'arch/arm/dts']
> Using output directory '.'
> Processing entry args:
>                  of-list = avnet-ultra96-rev1 zynqmp-a2197-revA 
> zynqmp-e-a2197-00-revA zynqmp-g-a2197-00-revA zynqmp-m-a2197-01-revA 
> zynqmp-m-a2197-02-revA zynqmp-m-a2197-03-revA zynqmp-p-a2197-00-revA 
> zynqmp-zc1232-revA zynqmp-zc1254-revA zynqmp-zc1751-xm015-dc1 
> zynqmp-zc1751-xm016-dc2 zynqmp-zc1751-xm017-dc3 zynqmp-zc1751-xm018-dc4 
> zynqmp-zc1751-xm019-dc5 zynqmp-zcu100-revC zynqmp-zcu102-rev1.1 
> zynqmp-zcu102-rev1.0 zynqmp-zcu102-revA zynqmp-zcu102-revB 
> zynqmp-zcu104-revA zynqmp-zcu104-revC zynqmp-zcu106-revA 
> zynqmp-zcu106-rev1.0 zynqmp-zcu111-revA zynqmp-zcu1275-revA 
> zynqmp-zcu1275-revB zynqmp-zcu1285-revA zynqmp-zcu208-revA 
> zynqmp-zcu216-revA zynqmp-topic-miamimp-xilinx-xdp-v1r1 
> zynqmp-sm-k26-revA zynqmp-smk-k26-revA zynqmp-dlc21-revA
>            atf-bl31-path = /tftpboot/bl31.bin
>              tee-os-path = /tftpboot/tee.bin
>             opensbi-path =
>               default-dt = zynqmp-zcu100-revC
>                 scp-path =
>        rockchip-tpl-path =
>              spl-bss-pad =
>              tpl-bss-pad = 1
>                  spl-dtb = y
>                  tpl-dtb =
>        pre-load-key-path =
> Processing entry args done
> Node '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb': Packing: 
> offset=None, size=None, content_size=240d8
> Node '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb':    - packed: 
> offset=0x0, size=0x240d8, content_size=0x240d8, next_offset=240d8
> Node '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb': GetData: size 0x240d8
> Node '/binman/spl/xilinx-fsbl-auth': GetPaddedDataForEntry: size None
> Node '/binman/spl/xilinx-fsbl-auth': GetData: 1 entries, total size 0x240d8
> bintool: bootgen -arch zynqmp -image ./bootgen-in.sign.bif -w -o 
> ./boot.spl.xilinx-fsbl-auth.bin
> 
> 
> ****** Xilinx Bootgen v2022.2.0
>    **** Build date : Oct 13 2022-12:22:43
>      ** Copyright 1986-2022 Xilinx, Inc. All Rights Reserved.
> 
> [WARNING]: Authentication padding scheme will be as per silicon 2.0(ES2) 
> and above. The image generated will NOT work for 1.0(ES1).
>         Use '-zynqmpes1' to generate image for 1.0(ES1)
> 
> [INFO]   : Bootimage generated successfully
> 
> 
>              Node '/binman/spl': GetPaddedDataForEntry: size None
> Node '/binman/spl/xilinx-fsbl-auth': Packing: offset=None, size=0x47280, 
> content_size=47280
> Node '/binman/spl/xilinx-fsbl-auth':    - packed: offset=0x0, 
> size=0x47280, content_size=0x47280, next_offset=47280
> Node '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb': GetData: size 0x240d8
> Node '/binman/spl/xilinx-fsbl-auth': GetPaddedDataForEntry: size 0x47280
> Node '/binman/spl/xilinx-fsbl-auth': GetData: 1 entries, total size 0x240d8
> bintool: bootgen -arch zynqmp -image ./bootgen-in.sign.bif -w -o 
> ./boot.spl.xilinx-fsbl-auth.bin
> 
> 
> ****** Xilinx Bootgen v2022.2.0
>    **** Build date : Oct 13 2022-12:22:43
>      ** Copyright 1986-2022 Xilinx, Inc. All Rights Reserved.
> 
> [WARNING]: Authentication padding scheme will be as per silicon 2.0(ES2) 
> and above. The image generated will NOT work for 1.0(ES1).
>         Use '-zynqmpes1' to generate image for 1.0(ES1)
> 
> [INFO]   : Bootimage generated successfully
> 
> 
>              Node '/binman/spl': GetPaddedDataForEntry: size None
>              Node '/binman/spl': GetData: 1 entries, total size 0x47280
>              Node '/binman/spl': GetPaddedDataForEntry: size 0x47280
>              Node '/binman/spl': Packing: offset=None, size=0x47280, 
> content_size=47280
>              Node '/binman/spl':    - packed: offset=0x0, size=0x47280, 
> content_size=0x47280, next_offset=47280
> File ./u-boot.dtb.out: Update node '/binman/spl' prop 'offset' to 0x0
> File ./u-boot.dtb.out: Update node '/binman/spl' prop 'size' to 0x47280
> File ./u-boot.dtb.out: Update node '/binman/spl' prop 'image-pos' to 0x0
> File ./u-boot.dtb.out: Update node '/binman/spl/xilinx-fsbl-auth' prop 
> 'offset' to 0x0
> File ./u-boot.dtb.out: Update node '/binman/spl/xilinx-fsbl-auth' prop 
> 'size' to 0x47280
> File ./u-boot.dtb.out: Update node '/binman/spl/xilinx-fsbl-auth' prop 
> 'image-pos' to 0x0
> File ./u-boot.dtb.out: Update node 
> '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb' prop 'offset' to 0x0
> File ./u-boot.dtb.out: Update node 
> '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb' prop 'size' to 0x240d8
> File ./u-boot.dtb.out: Update node 
> '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb' prop 'image-pos' to 0x0
> Section '/binman/spl': Symbol '_binman_sym_magic'
>     in entry '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb':
>     insert _binman_sym_magic, offset 22f80, value 4d595342, length 8
> binman: Section '/binman/spl': Symbol '_binman_u_boot_any_prop_image_pos'
>     in entry '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb': Entry 
> 'u-boot-any' not found in list (u-boot-spl-nodtb,xilinx-fsbl-auth,spl)
> 
> Traceback (most recent call last):
>    File "/home/monstr/data/disk/u-boot/./tools/binman/binman", line 134, 
> in RunBinman
>      ret_code = control.Binman(args)
>    File "/home/monstr/data/disk/u-boot/tools/binman/control.py", line 
> 787, in Binman
>      invalid |= ProcessImage(image, args.update_fdt, args.map,
>    File "/home/monstr/data/disk/u-boot/tools/binman/control.py", line 
> 616, in ProcessImage
>      image.WriteSymbols()
>    File "/home/monstr/data/disk/u-boot/tools/binman/image.py", line 172, 
> in WriteSymbols
>      super().WriteSymbols(self)
>    File "/home/monstr/data/disk/u-boot/tools/binman/etype/section.py", 
> line 499, in WriteSymbols
>      entry.WriteSymbols(self)
>    File "/home/monstr/data/disk/u-boot/tools/binman/etype/section.py", 
> line 499, in WriteSymbols
>      entry.WriteSymbols(self)
>    File "/home/monstr/data/disk/u-boot/tools/binman/entry.py", line 701, 
> in WriteSymbols
>      elf.LookupAndWriteSymbols(self.elf_fname, self, section.GetImage(),
>    File "/home/monstr/data/disk/u-boot/tools/binman/elf.py", line 298, 
> in LookupAndWriteSymbols
>      value = section.GetImage().LookupImageSymbol(name, sym.weak,
>    File "/home/monstr/data/disk/u-boot/tools/binman/image.py", line 404, 
> in LookupImageSymbol
>      return self.LookupSymbol(sym_name, optional, msg, base_addr,
>    File "/home/monstr/data/disk/u-boot/tools/binman/etype/section.py", 
> line 650, in LookupSymbol
>      raise ValueError(err)
> ValueError: Section '/binman/spl': Symbol 
> '_binman_u_boot_any_prop_image_pos'
>     in entry '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb': Entry 
> 'u-boot-any' not found in list (u-boot-spl-nodtb,xilinx-fsbl-auth,spl)
> make: *** [Makefile:1115: .binman_stamp] Error 1

Thanks for testing/reviewing. I had the same problem. The root cause is 
documented here: 
https://lists.denx.de/pipermail/u-boot/2022-October/498746.html

In short: disabling 'CONFIG_SPL_BINMAN_UBOOT_SYMBOLS' helps. I think the 
problem should be addressed in a separate discussion.

> 
> 
> 
> with u-boot-spl-dtb it works fine.
> 
> Anyway, kind of curious if that support can be generalized so that a bif 
> can be generated for other configurations too. It means
> 
>          xilinx-bootgen {
>              pmufw-filename = 
> "/mnt/disk/u-boot-bins/zynqmp/zynqmp-zcu102-revA/pmufw.elf";
> 
>              u-boot-spl-dtb {
>              };
>          };
> 
> you will get boot.bin with the images you defined.
> 
> 
> And regarding the name "xilinx-fsbl-auth". That authentication is done by 
> bootrom, not by FSBL, that's why you should maybe consider renaming it. 
> And as you wrote
> "arch (str): Xilinx SoC architecture. Currently only 'zynqmp' is 
> supported."
> then I expect in future this can be extended to other SoCs which 
> don't have FSBL, unless you will use it as a generic name for first stage 
> bootloader.
> 
> That's why I would say xilinx-bootgen would be maybe better name even if 
> it has tool name there.

The name was chosen after the output it creates. However, I agree on 
your idea for a more generic approach and will consider it in the next 
version.

> 
> Thanks,
> Michal
> 
> 
> 

Thanks,
Lukas
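Added example, not code from this series or from U-Boot: the thread's log shows the 'xilinx-fsbl-auth' etype handing bootgen a generated BIF ('bootgen -arch zynqmp -image ./bootgen-in.sign.bif -w -o ...'), and the cover letter says the 'u-boot-spl-pubkey-dtb' etype calls 'fdt_add_pubkey'. The script below takes the node properties from the cover letter's example and shows what those two tools are fed: an authentication BIF laid out per the Xilinx Bootgen user guide (UG1283), plus the two command lines. The exact BIF binman writes, the 'keys/' directory and the '.pem' suffix on the key name hints are assumptions here; the page only shows the hints, not the files they resolve to.

```python
"""
Added example (not code from the binman series or from U-Boot): turn the
binman node properties from the cover letter into (a) a bootgen BIF for an
RSA-authenticated ZynqMP boot image and (b) an fdt_add_pubkey command line.
The BIF layout follows UG1283; the BIF binman's etype actually emits is an
assumption, not taken from the thread.
"""
import re
import shlex

# Node properties copied from the cover letter's example; 'pmufw-filename'
# is the property Michal's test node used (path shortened here).
FSBL_AUTH_NODE = {
    "psk-key-name-hint": "psk0",
    "ssk-key-name-hint": "ssk0",
    "auth-params": ["ppk_select=0", "spk_id=0x00000000"],
    "pmufw-filename": "pmufw.elf",
}
PUBKEY_DTB_NODE = {
    "algo": "sha384,rsa4096",
    "required": "conf",
    "key-name-hint": "dev",
}

_AUTH_PARAM_RULES = {
    # ZynqMP has two PPK hash eFUSE slots, so ppk_select must be 0 or 1.
    "ppk_select": re.compile(r"^[01]$"),
    # spk_id is a 32-bit value compared against the SPK ID eFUSE.
    "spk_id": re.compile(r"^0x[0-9a-fA-F]{1,8}$"),
}


def check_auth_params(params):
    """Reject auth-params that are syntactically a 'k=v' pair but make no
    sense for ZynqMP (unknown key, wrong PPK slot, oversized SPK ID)."""
    seen = {}
    for p in params:
        key, sep, val = p.partition("=")
        if not sep or key not in _AUTH_PARAM_RULES:
            raise ValueError(f"unknown auth-param {p!r}")
        if not _AUTH_PARAM_RULES[key].match(val):
            raise ValueError(f"bad value for {key}: {val!r}")
        seen[key] = val
    return seen


def make_bif(node, spl_fname, key_dir="."):
    """Build BIF text for an RSA-authenticated bootloader partition.
    'key_dir' and the '.pem' suffix are assumptions (see lead-in)."""
    params = check_auth_params(node["auth-params"])
    lines = [
        "the_ROM_image:",
        "{",
        f"    [pskfile] {key_dir}/{node['psk-key-name-hint']}.pem",
        f"    [sskfile] {key_dir}/{node['ssk-key-name-hint']}.pem",
        "    [auth_params] " + "; ".join(f"{k}={v}" for k, v in params.items()),
    ]
    if node.get("pmufw-filename"):
        lines.append(f"    [pmufw_image] {node['pmufw-filename']}")
    lines.append(
        f"    [bootloader, authentication=rsa, destination_cpu=a53-0] {spl_fname}")
    lines.append("}")
    return "\n".join(lines) + "\n"


def bootgen_cmd(bif_fname, out_fname, es1=False):
    """bootgen invocation in the '-arch/-image/-w/-o' form seen in the
    thread's log; '-zynqmpes1' is the switch bootgen's own warning names
    for silicon 1.0 (ES1) parts."""
    cmd = ["bootgen", "-arch", "zynqmp", "-image", bif_fname,
           "-w", "-o", out_fname]
    if es1:
        cmd.append("-zynqmpes1")
    return cmd


def fdt_add_pubkey_cmd(node, dtb_fname, key_dir="."):
    """fdt_add_pubkey invocation that adds the /signature node to the SPL
    DTB (option letters as in U-Boot's tools/fdt_add_pubkey.c)."""
    return ["fdt_add_pubkey", "-a", node["algo"], "-k", key_dir,
            "-n", node["key-name-hint"], "-r", node["required"], dtb_fname]


if __name__ == "__main__":
    print(make_bif(FSBL_AUTH_NODE, "u-boot-spl-nodtb.bin", key_dir="keys"))
    print(shlex.join(bootgen_cmd("bootgen-in.sign.bif", "boot.signed.bin")))
    print(shlex.join(fdt_add_pubkey_cmd(PUBKEY_DTB_NODE, "u-boot-spl.dtb", "keys")))
```

The value check matters because bootgen will happily emit an image for a 'ppk_select' or 'spk_id' that does not match what is burned into the eFUSEs, and the failure then only shows up as a BootROM authentication error on the board.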

