[PATCH 3/7] dts: j721e: binman: Include firmware capsules binman nodes

Andrew Davis afd at ti.com
Wed Apr 10 20:38:25 CEST 2024 

On 4/10/24 1:24 PM, Jon Humphreys wrote:
> Andrew Davis <afd at ti.com> writes:
> 
>> On 4/8/24 5:17 PM, Jonathan Humphreys wrote:
>>> Signed-off-by: Jonathan Humphreys <j-humphreys at ti.com>
>>> ---
>>>    arch/arm/dts/k3-j721e-binman.dtsi | 32 +++++++++++++++++++++++++++++++
>>>    1 file changed, 32 insertions(+)
>>>
>>> diff --git a/arch/arm/dts/k3-j721e-binman.dtsi b/arch/arm/dts/k3-j721e-binman.dtsi
>>> index 75a6e9599b9..9169551c422 100644
>>> --- a/arch/arm/dts/k3-j721e-binman.dtsi
>>> +++ b/arch/arm/dts/k3-j721e-binman.dtsi
>>> @@ -207,6 +207,29 @@
>>>    		};
>>>    	};
>>>    };
>>> +
>>> +#include "k3-binman-capsule-r5.dtsi"
>>> +
>>> +// Capsue update GUIDs.  See ti_armv7_common.h.
>>> +#define K3_SYSFW_IMAGE_UUID_STR "6fd10680-361b-431f-80aa-899455819e11"
>>> +
>>> +&binman {
>>> +	capsule-sysfw {
>>> +		filename = "sysfw-capsule.bin";
>>> +		efi-capsule {
>>> +			image-index = <0x4>;
>>> +			image-guid = K3_SYSFW_IMAGE_UUID_STR;
>>> +			private-key = "arch/arm/mach-k3/keys/custMpk.pem";
>>> +			public-key-cert = "arch/arm/mach-k3/keys/custMpk.crt";
>>> +			monotonic-count = <0x1>;
>>> +
>>> +			blob {
>>> +				filename = "sysfw.itb";
>>> +			};
>>> +		};
>>> +	};
>>> +};
>>> +
>>>    #endif
>>>    
>>>    #ifdef CONFIG_TARGET_J721E_A72_EVM
>>> @@ -585,4 +608,13 @@
>>>    		};
>>>    	};
>>>    };
>>> +
>>> +#include "k3-binman-capsule.dtsi"
>>> +&tispl_name {
>>> +	filename = "tispl.bin_unsigned";
>>
>> Why use the _unsigned images here? HS devices cannot boot unsigned GP images,
>> but both GP and HS devices *can* boot the normal signed images (GP just strips
>> the signatures off). So no need to use the _unsigned images anymore (I'm
>> planning to just remove them at some point to prevent this confusion).
>>
> I can do that.
> 
> Note that you will then see warnings on GP devices during boot:
> 
>    Warning: Detected image signing certificate on GP device. Skipping certificate to prevent boot failure. This will fail if the image was also encrypted
> 

True, I'll send a fix for that.

Andrew

> Jon
> 
>> Andrew
>>
>>> +};
>>> +&uboot_name {
>>> +	filename = "u-boot.img_unsigned";
>>> +};
>>> +
>>>    #endif

More information about the U-Boot mailing list