[PATCH v3 1/2] binman: openssl: x509: ti_secure_rom: Add support for bootcore_opts

Simon Glass sjg at chromium.org
Sun Oct 8 01:09:59 CEST 2023


Hi Neha,

On Fri, 6 Oct 2023 at 04:07, Neha Malcom Francis <n-francis at ti.com> wrote:
>
> According to the TRMs for the K3 family of devices, the ROM boot image
> format specifies a "Core Options Field" that sets the boot core to
> lockstep mode when set to 0 or to split mode when set to 2. Add support
> for providing this value from the binman DTS. Also modify the existing
> test case to ensure future coverage.
>
> Signed-off-by: Neha Malcom Francis <n-francis at ti.com>
> ---
> Link to J721E TRM: https://www.ti.com/lit/zip/spruil1
> Section 4.5.4.1 Boot Info
>
> Changes in v3:
>         - updated function comments
>         - removed inconsistency in setting bootcore_opts to 32
>
> Changes in v2:
>         - included TRM link in commit message
>
>  tools/binman/btool/openssl.py           |  6 ++++--
>  tools/binman/entries.rst                |  1 +
>  tools/binman/etype/ti_secure_rom.py     | 11 +++++++++--
>  tools/binman/etype/x509_cert.py         |  3 ++-
>  tools/binman/test/297_ti_secure_rom.dts |  1 +
>  5 files changed, 17 insertions(+), 5 deletions(-)
>
> diff --git a/tools/binman/btool/openssl.py b/tools/binman/btool/openssl.py
> index aad3b61ae2..86cc56fbd7 100644
> --- a/tools/binman/btool/openssl.py
> +++ b/tools/binman/btool/openssl.py
> @@ -155,6 +155,7 @@ authInPlace = INTEGER:2
>              C, ST, L, O, OU, CN and emailAddress
>              cert_type (int): Certification type
>              bootcore (int): Booting core
> +            bootcore_opts(int): Booting core option (split/lockstep mode)

Please indicate what possible values are allowed

>              load_addr (int): Load address of image
>              sha (int): Hash function
>
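Review bot: The added docstring entry is written `bootcore_opts(int):`, without the space before the type that the neighbouring `cert_type (int)` and `bootcore (int)` entries use. It also says "Booting core option", while the matching entry added to the combined-certificate docstring further down says "Boot core option". Using one form in both places, e.g. `bootcore_opts (int): Boot core option`, keeps the two docstrings consistent.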
> @@ -225,7 +226,7 @@ emailAddress           = {req_dist_name_dict['emailAddress']}
>                    imagesize_sbl, hashval_sbl, load_addr_sysfw, imagesize_sysfw,
>                    hashval_sysfw, load_addr_sysfw_data, imagesize_sysfw_data,
>                    hashval_sysfw_data, sysfw_inner_cert_ext_boot_block,
> -                  dm_data_ext_boot_block):
> +                  dm_data_ext_boot_block, bootcore_opts):
>          """Create a certificate
>
>          Args:
> @@ -241,6 +242,7 @@ emailAddress           = {req_dist_name_dict['emailAddress']}
>              bootcore (int): Booting core
>              load_addr (int): Load address of image
>              sha (int): Hash function
> +            bootcore_opts (int): Boot core option (split/lockstep mode)
>
>          Returns:
>              str: Tool output
> @@ -285,7 +287,7 @@ sysfw_data=SEQUENCE:sysfw_data
>  [sbl]
>  compType = INTEGER:1
>  bootCore = INTEGER:16
> -compOpts = INTEGER:0
> +compOpts = INTEGER:{bootcore_opts}
>  destAddr = FORMAT:HEX,OCT:{load_addr:08x}
>  compSize = INTEGER:{imagesize_sbl}
>  shaType  = OID:{sha_type}
> diff --git a/tools/binman/entries.rst b/tools/binman/entries.rst
> index 801bd94674..b401f9426a 100644
> --- a/tools/binman/entries.rst
> +++ b/tools/binman/entries.rst
> @@ -1900,6 +1900,7 @@ Properties / Entry arguments:
>      - core: core on which bootloader runs, valid cores are 'secure' and 'public'
>      - content: phandle of SPL in case of legacy bootflow or phandles of component binaries
>        in case of combined bootflow
> +    - core-opts (optional): split-mode (0) or lockstep mode (1) set to 0 by default

Here it is 1 but below it says 2

>
>  The following properties are only for generating a combined bootflow binary:
>      - sysfw-inner-cert: boolean if binary contains sysfw inner certificate
> diff --git a/tools/binman/etype/ti_secure_rom.py b/tools/binman/etype/ti_secure_rom.py
> index 9a7ac9e9e0..17c50cefa1 100644
> --- a/tools/binman/etype/ti_secure_rom.py
> +++ b/tools/binman/etype/ti_secure_rom.py
> @@ -32,6 +32,7 @@ class Entry_ti_secure_rom(Entry_x509_cert):
>          - core: core on which bootloader runs, valid cores are 'secure' and 'public'
>          - content: phandle of SPL in case of legacy bootflow or phandles of component binaries
>            in case of combined bootflow
> +        - core-opts (optional): split-mode (0) or lockstep mode (1) set to 0 by default
>
>      The following properties are only for generating a combined bootflow binary:
>          - sysfw-inner-cert: boolean if binary contains sysfw inner certificate
> @@ -69,6 +70,7 @@ class Entry_ti_secure_rom(Entry_x509_cert):
>          self.sw_rev = fdt_util.GetInt(self._node, 'sw-rev', 1)
>          self.sha = fdt_util.GetInt(self._node, 'sha', 512)
>          self.core = fdt_util.GetString(self._node, 'core', 'secure')
> +        self.bootcore_opts = fdt_util.GetInt(self._node, 'core-opts')
>          self.key_fname = self.GetEntryArgsOrProps([
>              EntryArg('keyfile', str)], required=True)[0]
>          if self.combined:
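Review bot: The value read from `core-opts` is never range-checked, so any integer written in the DTS is carried into the core-options field of the certificate that then gets signed. A check right after the `GetInt` call, such as `if self.bootcore_opts not in (None, 0, 2): self.Raise(f"Invalid core-opts value {self.bootcore_opts}")`, would reject a typo at build time instead of producing a signed image with an unintended core mode. The allowed set shown here follows the commit message (0 lockstep, 2 split) and needs confirming against the TRM. The enclosing method starts and ends outside this hunk.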
> @@ -97,17 +99,19 @@ class Entry_ti_secure_rom(Entry_x509_cert):
>              bytes content of the entry, which is the certificate binary for the
>                  provided data
>          """
> +        if self.bootcore_opts is None:
> +            self.bootcore_opts = 0
> +
>          if self.core == 'secure':
>              if self.countersign:
>                  self.cert_type = 3
>              else:
>                  self.cert_type = 2
>              self.bootcore = 0
> -            self.bootcore_opts = 32
>          else:
>              self.cert_type = 1
>              self.bootcore = 16
> -            self.bootcore_opts = 0
> +
>          return super().GetCertificate(required=required, type='rom')
>
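Review bot: Dropping `self.bootcore_opts = 32` from the `secure` branch changes the default for every existing secure-core image that does not set `core-opts`, which now gets 0. If the rom certificate template consumed that 32 (not visible in this hunk), certificates for such images will differ from those built before this patch. Either the commit message should state that the change is intended, or the fallback should keep the old value, e.g. `self.bootcore_opts = 32 if self.core == 'secure' else 0` inside the `is None` block. The method's signature lies outside the hunk.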
>      def CombinedGetCertificate(self, required):
> @@ -126,6 +130,9 @@ class Entry_ti_secure_rom(Entry_x509_cert):
>          self.num_comps = 3
>          self.sha_type = SHA_OIDS[self.sha]
>
> +        if self.bootcore_opts is None:
> +            self.bootcore_opts = 0
> +
>          # sbl
>          self.content = fdt_util.GetPhandleList(self._node, 'content-sbl')
>          input_data_sbl = self.GetContents(required)
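Review bot: The `if self.bootcore_opts is None` fallback is written twice, here and in the GetCertificate hunk above, and both copies mutate the attribute at certificate-generation time rather than where the property is read. Passing the default to the read itself, `self.bootcore_opts = fdt_util.GetInt(self._node, 'core-opts', 0)`, would make both blocks unnecessary and matches how `sw-rev` and `sha` are read in the same file. CombinedGetCertificate continues past the end of this hunk.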
> diff --git a/tools/binman/etype/x509_cert.py b/tools/binman/etype/x509_cert.py
> index d028cfe38c..fc0bb12278 100644
> --- a/tools/binman/etype/x509_cert.py
> +++ b/tools/binman/etype/x509_cert.py
> @@ -136,7 +136,8 @@ class Entry_x509_cert(Entry_collection):
>                  imagesize_sysfw_data=self.imagesize_sysfw_data,
>                  hashval_sysfw_data=self.hashval_sysfw_data,
>                  sysfw_inner_cert_ext_boot_block=self.sysfw_inner_cert_ext_boot_block,
> -                dm_data_ext_boot_block=self.dm_data_ext_boot_block
> +                dm_data_ext_boot_block=self.dm_data_ext_boot_block,
> +                bootcore_opts=self.bootcore_opts
>              )
>          if stdout is not None:
>              data = tools.read_file(output_fname)
> diff --git a/tools/binman/test/297_ti_secure_rom.dts b/tools/binman/test/297_ti_secure_rom.dts
> index d1313769f4..1a3eca9425 100644
> --- a/tools/binman/test/297_ti_secure_rom.dts
> +++ b/tools/binman/test/297_ti_secure_rom.dts
> @@ -9,6 +9,7 @@
>         binman {
>                 ti-secure-rom {
>                         content = <&unsecure_binary>;
> +                       core-opts = <2>;

here ^

Do you think there could be a binding file in dt-bindings/ for this value?

>                 };
>                 unsecure_binary: blob-ext {
>                         filename = "ti_unsecure.bin";
> --
> 2.34.1
>

Regards,
Simon

