[PATCH 00/12] Sign Xilinx ZynqMP SPL/FSBL boot images using binman

lukas.funke-oss at weidmueller.com
Thu Jun 29 16:59:13 CEST 2023


From: Lukas Funke <lukas.funke at weidmueller.com>


This series adds two etypes to create a verified boot chain for
Xilinx ZynqMP devices. The first etype 'xilinx_fsbl_auth' is used to
create a bootable, signed image for ZynqMP boards using the Xilinx
Bootgen tool. The second etype 'u_boot_spl_pubkey_dtb' is used to add
a '/signature' node to the SPL. The public key in the signature is read
from a certificate file and added using the 'fdt_add_pubkey' tool. The
series also contains the corresponding btool for calling 'bootgen' and
'fdt_add_pubkey'.

The following block shows an example of how to use this functionality:

    spl {
        filename = "boot.signed.bin";

        xilinx_fsbl_auth {
            psk-filename = "psk0.pem";
            ssk-filename = "ssk0.pem";
            auth-params = "ppk_select=0", "spk_id=0x00000000";

            u_boot_spl_nodtb {
            };
            u_boot_spl_pubkey_dtb {
                algo = "sha384,rsa4096";
                required = "conf";
                key-name = "dev";
            };
        };
    };



Lukas Funke (12):
  binman: elf: Check for ELF_TOOLS availability and remove extra
    semicolon
  binman: mkimage: Remove extra colon
  binman: Don't decompress data while signing
  binman: blob_dtb: Add fake_size argument to ObtainContents()
  binman: doc: Add documentation for fdt_add_pubkey bintool
  binman: ftest: Add test for u_boot_spl_pubkey_dtb
  binman: btool: Add fdt_add_pubkey as btool
  binman: etype: Add u_boot_spl_pubkey_dtb etype
  binman: doc: Add documentation for Xilinx Bootgen bintool
  binman: btool: Add Xilinx Bootgen btool
  binman: ftest: Add test for xilinx_fsbl_auth etype
  binman: etype: Add xilinx_fsbl_auth etype

 tools/binman/bintools.rst                   |  22 +++
 tools/binman/btool/bootgen.py               |  82 +++++++++
 tools/binman/btool/fdt_add_pubkey.py        |  67 +++++++
 tools/binman/control.py                     |   2 +-
 tools/binman/elf.py                         |  10 +-
 tools/binman/etype/blob_dtb.py              |   2 +-
 tools/binman/etype/mkimage.py               |   2 +-
 tools/binman/etype/u_boot_spl_pubkey_dtb.py | 105 +++++++++++
 tools/binman/etype/xilinx_fsbl_auth.py      | 186 ++++++++++++++++++++
 tools/binman/ftest.py                       |  42 ++++-
 tools/binman/test/280_xilinx_fsb_auth.dts   |  22 +++
 tools/binman/test/281_spl_pubkey_dtb.dts    |  16 ++
 12 files changed, 550 insertions(+), 8 deletions(-)
 create mode 100644 tools/binman/btool/bootgen.py
 create mode 100644 tools/binman/btool/fdt_add_pubkey.py
 create mode 100644 tools/binman/etype/u_boot_spl_pubkey_dtb.py
 create mode 100644 tools/binman/etype/xilinx_fsbl_auth.py
 create mode 100644 tools/binman/test/280_xilinx_fsb_auth.dts
 create mode 100644 tools/binman/test/281_spl_pubkey_dtb.dts

-- 
2.30.2
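
The '/signature' node that 'u_boot_spl_pubkey_dtb' places in the SPL devicetree holds values derived from the RSA public key. The sketch below is an added example, not code from this series or from U-Boot: it derives those values and renders the node so the result can be compared with a decompiled SPL DTB. The property names follow U-Boot's documented verified-boot key format; the helper names and the 64-bit toy modulus are assumptions made for illustration (a real key for "sha384,rsa4096" has a 4096-bit modulus).

```python
MASK32 = (1 << 32) - 1

def words(value, count):
    """Split an integer into `count` big-endian 32-bit devicetree cells."""
    return [(value >> (32 * i)) & MASK32 for i in reversed(range(count))]

def key_node_props(n, e, key_name, algo, required):
    """Properties of /signature/key-<key_name> for RSA public key (n, e)."""
    if n % 2 == 0:
        raise ValueError("RSA modulus must be odd")
    num_bits = n.bit_length()
    if num_bits % 32:
        raise ValueError("modulus length must be a multiple of 32 bits")
    cells = num_bits // 32
    return {
        "required": required,            # "conf" or "image"
        "algo": algo,
        "key-name-hint": key_name,
        "rsa,num-bits": num_bits,
        "rsa,modulus": words(n, cells),
        "rsa,exponent": words(e, 2),     # stored as a 64-bit value
        # Montgomery constants, precomputed for the verifier:
        "rsa,r-squared": words(pow(2, 2 * num_bits, n), cells),
        "rsa,n0-inverse": (-pow(n, -1, 1 << 32)) & MASK32,
    }

def to_dts(key_name, props):
    """Render the properties as a devicetree source fragment."""
    lines = ["/ {", "\tsignature {", f"\t\tkey-{key_name} {{"]
    for name, val in props.items():
        if isinstance(val, str):
            rhs = f'"{val}"'
        else:
            cells = val if isinstance(val, list) else [val]
            rhs = "<" + " ".join(f"0x{c:x}" for c in cells) + ">"
        lines.append(f"\t\t\t{name} = {rhs};")
    lines += ["\t\t};", "\t};", "};"]
    return "\n".join(lines)

# Constructed toy public key: an odd 64-bit number standing in for a real
# 4096-bit modulus, so the output stays short enough to read.
TOY_N = 4294967291 * 4294967279
TOY_E = 0x10001

if __name__ == "__main__":
    props = key_node_props(TOY_N, TOY_E, "dev", "sha384,rsa4096", "conf")
    print(to_dts("dev", props))
```

If the modulus or 'required' value in a built image differs from what the signing certificate yields, the SPL would be trusting a different key or policy than the one intended.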


