[PATCH v4 1/8] binman: ti-secure: Add support for firewalling entities

Manorit Chawdhry m-chawdhry at ti.com
Thu Oct 12 07:46:00 CEST 2023


Hi Simon,

On 20:41-20231011, Simon Glass wrote:
> Hi Manorit,
> 
> On Tue, 10 Oct 2023 at 23:25, Manorit Chawdhry <m-chawdhry at ti.com> wrote:
> >
> > We can now firewall entities while loading them through our secure
> > entity TIFS, the required information should be present in the
> > certificate that is being parsed by TIFS.
> >
> > The following commit adds the support to enable the certificates to be
> > generated if the firewall configurations are present in the binman dtsi
> > nodes.
> >
> > Signed-off-by: Manorit Chawdhry <m-chawdhry at ti.com>
> > ---
> >  tools/binman/btool/openssl.py   | 16 +++++++-
> >  tools/binman/etype/ti_secure.py | 90 +++++++++++++++++++++++++++++++++++++++++
> >  tools/binman/etype/x509_cert.py |  3 +-
> >  3 files changed, 106 insertions(+), 3 deletions(-)
> >
> 
> Reviewed-by: Simon Glass <sjg at chromium.org>
> 
> I'm still a little worried about the error reporting if the user
> leaves out a property. Does it do the right thing?
> 

I did make a test also along the lines that would check all the
firewalling properties and just auth-in-place isn't checked at this
stage and people could end up adding the firewalling node without
auth-in-place. Do you want to cover that test case as well? Regarding
the other firewalling properties ( immitating the test by removing
"id"), We get this: 

[..]
  AR      spl/common/spl/built-in.o
  LD      spl/u-boot-spl
  OBJCOPY spl/u-boot-spl-nodtb.bin
  SYM     spl/u-boot-spl.sym
  CAT     spl/u-boot-spl-dtb.bin
  COPY    spl/u-boot-spl.bin
  BINMAN  .binman_stamp
binman: id can't be None in firewall node

> Regards,
> Simon


More information about the U-Boot mailing list