[PATCH RFC 2/3] WIP: getting signing nodes to work in FIT generator node

Neha Malcom Francis n-francis at ti.com
Fri Jul 28 14:48:30 CEST 2023 

Hi Simon

On 28/07/23 08:05, Simon Glass wrote:
> Hi Neha,
> 
> On Thu, 27 Jul 2023 at 06:12, Neha Malcom Francis <n-francis at ti.com> wrote:
>>
>> They need to get the contents of the FIT section beforehand, process
>> them and prepend the signing certificate to the FIT contents
>>
>> Signed-off-by: Neha Malcom Francis <n-francis at ti.com>
>> ---
>>   tools/binman/etype/collection.py | 38 +++++++++++++++++++++++---------
>>   tools/binman/etype/fit.py        |  1 +
>>   tools/binman/etype/ti_secure.py  | 13 ++++++++---
>>   tools/binman/etype/x509_cert.py  |  9 ++++++--
>>   4 files changed, 46 insertions(+), 15 deletions(-)
> 
> I am not quite sure about this, but it seems there is a bit too much magic?
> 
>  From what I can tell, you want:
> 
> @fdt-SEQ {
>     ti-secure {
>        content = <&dtb>;
>     }
>     dtb: blob-ext {
>        filename = "u-boot-spl.dtb";
>     }
> };
> 
> where the 'dtb' phande can work even though it is in a generated node.
> 

Not exactly, so the dtb phandle contains a node that is itself generated 
on the fly different for each node. More like:

@fdt-SEQ {
	ti-secure {
		content = <&dtb>;
	};
	dtb: blob-ext {
		filename = "NAME.dtb";
	};
};

But since NAME is just a string substitutions this wouldn't work I 
understand, but this example is to get the problem I'm trying to solve here.

> Is that right? If so, I suspect it could be done.
> 
> Re the fit,fdt-indir that is where I get confused...you want it to
> affect the generator somehow? How is that? The last patch gives me
> some clues but I don't understand why some nodes have the
> fit,fdt-indir property and some do not?
> 

Right, so some of our generated binaries use the SPL device tree which 
is in spl/dts and the rest use the standard U-Boot device tree from 
arch/arm/dts which is the default. So that's an independent problem I'm 
trying to fix in FIT generator.

> I suspect what would help me understand is to write a test .dts and a
> test that doesn't work, but illustrates what you want...then we might
> get closer to a suitable design. Once the design is clean, the impl
> should follow.
> 

I'll do that when I send a follow up next.

> Regards,
> Simon

-- 
Thanking You
Neha Malcom Francis

More information about the U-Boot mailing list