[PATCH v1 2/2] sunxi: u-boot.dtsi: add support for signed SPL and U-Boot images
Lukas Schmid
lukas.schmid at netcube.li
Mon Aug 11 18:10:34 CEST 2025
Add conditional nodes to sunxi-u-boot.dtsi to support building signed
SPL and U-Boot images, using the same #ifdef scheme as in the Rockchip
u-boot.dtsi. When CONFIG_SPL_FIT_SIGNATURE is enabled, the FIT image
includes hash and signature nodes for firmware, loadables, and device
trees, enabling SPL to verify U-Boot and associated binaries before
boot.
This prepares Sunxi boards for secure boot flows similar to other SoCs.
Signed-off-by: Lukas Schmid <lukas.schmid at netcube.li>
---
arch/arm/dts/sunxi-u-boot.dtsi | 68 ++++++++++++++++++++++++++++++++--
1 file changed, 64 insertions(+), 4 deletions(-)
diff --git a/arch/arm/dts/sunxi-u-boot.dtsi b/arch/arm/dts/sunxi-u-boot.dtsi
index e1a9a7f5..bb428226 100644
--- a/arch/arm/dts/sunxi-u-boot.dtsi
+++ b/arch/arm/dts/sunxi-u-boot.dtsi
@@ -27,6 +27,38 @@
#endif
&binman {
+#ifdef CONFIG_SPL_FIT_SIGNATURE
+ spl {
+#ifdef CONFIG_SPL_IMAGE_TYPE_SUNXI_TOC0
+ filename = "spl/u-boot-spl.bin";
+#else
+ filename = "spl/sunxi-spl.bin";
+#endif
+
+ u-boot-spl-nodtb {
+ };
+
+ u-boot-spl-pubkey-dtb {
+ algo = "sha256,rsa2048";
+ required = "conf";
+ key-name-hint = "dev";
+ };
+ };
+
+#ifdef CONFIG_SPL_IMAGE_TYPE_SUNXI_TOC0
+ image {
+ filename = "spl/sunxi-spl.bin";
+
+ mkimage {
+ args = "-a 0x20060 -T sunxi_toc0";
+ data-to-imagename;
+
+ u-boot-spl {
+ };
+ };
+ };
+#endif
+#endif
u-boot-sunxi-with-spl {
filename = "u-boot-sunxi-with-spl.bin";
pad-byte = <0xff>;
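Review bot: The `u-boot-spl-pubkey-dtb` node hard-codes `key-name-hint = "dev"` and `algo = "sha256,rsa2048"` in a dtsi shared by every sunxi board, and the `signature` node in the last hunk repeats both values, so the two have to be kept in step by hand. Nothing in the hunk says where the "dev" key is expected to come from or that it is a development key name. A comment above the node, such as `/* "dev" must name the key pair handed to binman; replace the development key before shipping */`, would make that explicit. `required = "conf"` is the right setting for configuration-level verification, but it only helps if the SPL binary that carries this key is itself authenticated by an earlier boot stage, which this hunk does not show. The `&binman` node continues outside the hunk.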
@@ -45,6 +77,9 @@
description = "Configuration to load U-Boot and firmware";
#address-cells = <1>;
fit,fdt-list = "of-list";
+#ifdef CONFIG_SPL_FIT_SIGNATURE
+ fit,sign;
+#endif
images {
uboot {
@@ -60,6 +95,11 @@
u-boot-nodtb {
};
+#ifdef CONFIG_SPL_FIT_SIGNATURE
+ hash {
+ algo = "sha256";
+ };
+#endif
};
#if CONFIG_SUNXI_BL31_BASE
@@ -76,6 +116,11 @@
filename = "bl31.bin";
missing-msg = "atf-bl31-sunxi";
};
+#ifdef CONFIG_SPL_FIT_SIGNATURE
+ hash {
+ algo = "sha256";
+ };
+#endif
};
#endif
@@ -92,6 +137,11 @@
missing-msg = "scp-sunxi";
optional;
};
+#ifdef CONFIG_SPL_FIT_SIGNATURE
+ hash {
+ algo = "sha256";
+ };
+#endif
};
#endif
@@ -99,6 +149,11 @@
description = "NAME";
type = "flat_dt";
compression = "none";
+#ifdef CONFIG_SPL_FIT_SIGNATURE
+ hash {
+ algo = "sha256";
+ };
+#endif
};
};
@@ -108,16 +163,21 @@
@config-SEQ {
description = "NAME";
#if CONFIG_SUNXI_BL31_BASE
- firmware = "atf";
+ firmware = "atf", "uboot";
#else
firmware = "uboot";
#endif
#if CONFIG_SUNXI_SCP_BASE
- loadables = "scp", "uboot";
-#else
- loadables = "uboot";
+ loadables = "scp";
#endif
fdt = "fdt-SEQ";
+#ifdef CONFIG_SPL_FIT_SIGNATURE
+ signature {
+ algo = "sha256,rsa2048";
+ key-name-hint = "dev";
+ sign-images = "firmware", "loadables", "fdt";
+ };
+#endif
};
};
};
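Review bot: With `CONFIG_SUNXI_BL31_BASE` set, `uboot` moves from `loadables` to the second string of `firmware`, which may stop U-Boot proper being loaded on those boards. As far as I can tell the SPL FIT loader loads only the first `firmware` entry and then walks `loadables`; please confirm on hardware. Separately, when `CONFIG_SUNXI_SCP_BASE` is unset the configuration now has no `loadables` property at all while `sign-images` still names it, which I would expect mkimage either to reject or to skip without signing anything for that entry. Keeping `firmware = "atf";` together with `loadables = "scp", "uboot";` and the `#else` branch `loadables = "uboot";` would preserve the load order and give `sign-images` a property to cover in every build.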
--
2.39.5