[PATCH v5 0/8] Qualcomm: teach the build system to emit signed ELF images

Tue Jul 22 17:34:50 CEST 2025

With several new Qualcomm platforms appearing on the mailing list, all
of which build U-Boot as an ELF, sign it, and then flash it to some
partition on the board, we're getting a lot of defconfigs which just
contain a debug UART and a TEXT_BASE address. This leads to needless
rebuilds in CI of effectively the same image, and needless duplication
of build instructions.

To address this, let's introduce a new tool "mkmbn.py", this is based
on the existing qtestsign[1] tool but is (currently) hardcoded to
only handle the Dragonwing and IPQ boards which use MBN header v6.
Additionally, the tool contains a lookup table that maps from a boards
DT compatible property to the load address it needs. Since it's highly
unusual for different boards using the same SoC to have different load
addresses, generic platform matching is also done (e.g. "qcom,qcm6490").

With this tool in place, we teach binman to use it and introduce
a qcom-binman.dts file to describe the image. The tool will emit a
u-boot.mbn file for supported platforms, for unsupported platforms the
u-boot MBN etype in binman will print a notice explaining that no mbn
file is built and to look at tools/qcom/mkmbn/mkmbn.py

Finally, the defconfigs are cleaned up by moving the debug UART
definitions to config fragments (since it doesn't make sense to have
them enabled by default anyway) and remove CONFIG_REMAKE_ELF. Notably,
the qcs9100_defconfig is removed entirely since the same binary can
be created with just make arguments. This platform entirely lacked
documentation to begin with, which should be addressed by future
patches.

The Qualcomm documentation is also cleaned up, a new "signing" page
is added to briefly cover the what and why of MBN signing, and board
specific pages are updated to explain the new build process.

These patches have been tested on the RB3 Gen 2, but additional
testing for other platforms would be super useful.

During development, it's become clear that BINMAN_FDT has some
problems, it's selected by default when you enable BINMAN which doesn't
feel sensible, it enables runtime code which on Qualcomm platforms
actually causes a crash during board_r init since the binman node isn't
present... Adjusting BINMAN_FDT to be disabled by default is quite a
lot more work so for now I think it's best to just add an exception
for ARCH_SNAPDRAGON.

[1]: https://github.com/msm8916-mainline/qtestsign

---
Changes in v5:
- Rebase on master (dropped trogdor chromebook series)
- Directly import the MBN signing code from qtestsign and then adjust
  it in a separate commit so it can be updated in the future.
- Disable BINMAN_FDT when ARCH_SNAPDRAGON is enabled
- Set default value for BINMAN_DTB in mach-snapdragon/Kconfig rather
  than having to set it in all defconfigs.
- Add a comment to the top of mkmbn.py explaining it's purpose.
- Link to v4: https://lore.kernel.org/r/20250613-b4-qcom-tooling-improvements-v4-0-7ea1c68779fa@linaro.org

Changes in v4:
- Rework how qtestsign code is imported to make it easier to sync with upstream in the future.
- Actually raise an exception when mkmbn fails in an unexpected way.
- Link to v3: https://lore.kernel.org/r/20250612-b4-qcom-tooling-improvements-v3-0-76f34cf216e2@linaro.org

Changes in v3:
- Fixup Makefiles and add missing qcom-binman.dts
- Adjust wording to reflect changes to build process
- Link to v2: https://lore.kernel.org/r/20250602-b4-qcom-tooling-improvements-v2-0-c7d19c0d4a8b@linaro.org

Changes in v2:
- Reworked to use binman with a plugin to build the u-boot.mbn file
- Added some fixes for binman to work with OF_UPSTREAM and with tools
  in the srctree toolpath rather than objtree for out of tree builds.
- Link to v1: https://lore.kernel.org/r/20250522-b4-qcom-tooling-improvements-v1-0-8141b8955cfb@linaro.org

---
Casey Connolly (8):
      binman: add $(srctree)/tools to toolpath
      binman: support building binman dtb when OF_UPSTREAM is enabled
      tools: qcom: introduce mkmbn library
      tools: qcom: add mkmbn.py
      binman: add support for building Qualcomm signed MBN ELF images
      configs: qualcomm: use fragments for debug UART
      qualcomm: use mkmbn via binman and stop creating ELF files
      doc: board/qualcomm: update docs for new u-boot.mbn target

 Makefile                            |   5 +
 arch/arm/Kconfig                    |   1 +
 arch/arm/dts/qcom-binman.dts        |  16 ++
 arch/arm/mach-snapdragon/Kconfig    |   4 +
 board/qualcomm/debug-qcm6490.config |   5 +
 board/qualcomm/debug-qcs9100.config |   5 +
 configs/qcm6490_defconfig           |  10 --
 configs/qcom_ipq9574_mmc_defconfig  |   1 -
 configs/qcs9100_defconfig           |   9 --
 doc/board/qualcomm/index.rst        |   1 +
 doc/board/qualcomm/rb3gen2.rst      |  25 ++--
 doc/board/qualcomm/rdp.rst          |   3 +-
 doc/board/qualcomm/signing.rst      |  43 ++++++
 dts/Makefile                        |  19 ++-
 lib/Kconfig                         |   2 +-
 tools/binman/btool/mkmbn.py         |  29 ++++
 tools/binman/etype/u_boot_mbn.py    |  53 +++++++
 tools/mkmbn                         |   1 +
 tools/qcom/mkmbn/cert.py            | 127 ++++++++++++++++
 tools/qcom/mkmbn/elf.py             | 238 ++++++++++++++++++++++++++++++
 tools/qcom/mkmbn/hashseg.py         | 281 ++++++++++++++++++++++++++++++++++++
 tools/qcom/mkmbn/mkmbn.py           | 173 ++++++++++++++++++++++
 22 files changed, 1015 insertions(+), 36 deletions(-)
---
base-commit: 71b3cd3c8908e9b2230de4f4cd24d4ef7e5a1679

// Caleb (they/them)