[PATCH v4 0/8] Qualcomm: teach the build system to emit signed ELF images

Neil Armstrong neil.armstrong at linaro.org
Tue Jun 17 10:26:19 CEST 2025 

On 16/06/2025 18:13, Casey Connolly wrote:
> Hi Tom,
> 
> So I've been testing this a bit harder (really should have noticed this sooner) and it turns out using binman makes things a whole lot more complicated...
> 
> Specifically, the new trogdor chromebook board doesn't need binman, the U-Boot ELF is used directly since they have their own bootloader beforehand.
> 
> But since CONFIG_BINMAN can't be enabled in a defconfig and only selected by some other Kconfig there isn't really a nice way to handle this. The trogdor board doesn't add any Kconfigs of it's own and doing something like
> 
> depends on BINMAN if !CONFIG_SYS_COREBOOT
> 
> would be a huge hack...

Can't you change to depends on BINMAN if CONFIG_BINMAN_DTB ?

> 
> This wouldn't be an issue in and of itself, but binman makes the build fail since of course the DT doesn't have a binman node and the trogdor defconfig doesn't define CONFIG_BINMAN_DTB (and shouldn't have to...).
> 
> Possibly the easiest solution would be to allow defconfigs to set CONFIG_BINMAN, or add some additional kconfig we can use to pull it in (CONFIG_QCOM_BUILD_MBN ?), maybe the latter is the most comprehensible solution.
> 
> I think I'll go with that unless anyone can chime in with some other suggestions.
> 
> Kind regards,
> 
> On 6/13/25 19:23, Casey Connolly wrote:
>> With several new Qualcomm platforms appearing on the mailing list, all
>> of which build U-Boot as an ELF, sign it, and then flash it to some
>> partition on the board, we're getting a lot of defconfigs which just
>> contain a debug UART and a TEXT_BASE address. This leads to needless
>> rebuilds in CI of effectively the same image, and needless duplication
>> of build instructions.
>>
>> To address this, let's introduce a new tool "mkmbn.py", this is based
>> on the existing qtestsign[1] tool but is (currently) hardcoded to
>> only handle the Dragonwing and IPQ boards which use MBN header v6.
>> Additionally, the tool contains a lookup table that maps from a boards
>> DT compatible property to the load address it needs. Since it's highly
>> unusual for different boards using the same SoC to have different load
>> addresses, generic platform matching is also done (e.g. "qcom,qcm6490").
>>
>> With this tool in place, we teach binman to use it and introduce
>> a qcom-binman.dts file to describe the image. The tool will emit a
>> u-boot.mbn file for supported platforms, for unsupported platforms the
>> u-boot MBN etype in binman will print a notice explaining that no mbn
>> file is built and to look at tools/qcom/mkmbn/mkmbn.py
>>
>> Finally, the defconfigs are cleaned up by moving the debug UART
>> definitions to config fragments (since it doesn't make sense to have
>> them enabled by default anyway) and remove CONFIG_REMAKE_ELF. Notably,
>> the qcs9100_defconfig is removed entirely since the same binary can
>> be created with just make arguments. This platform entirely lacked
>> documentation to begin with, which should be addressed by future
>> patches.
>>
>> The Qualcomm documentation is also cleaned up, a new "signing" page
>> is added to briefly cover the what and why of MBN signing, and board
>> specific pages are updated to explain the new build process.
>>
>> These patches have been tested on the RB3 Gen 2, but additional
>> testing for other platforms would be super useful.
>>
>> [1]: https://github.com/msm8916-mainline/qtestsign
>>
>> To: Tom Rini <trini at konsulko.com>
>> To: Neil Armstrong <neil.armstrong at linaro.org>
>> To: Sumit Garg <sumit.garg at kernel.org>
>> Cc: u-boot at lists.denx.de
>> Cc: u-boot-qcom at groups.io
>> Cc: Varadarajan Narayanan <quic_varada at quicinc.com>
>> Cc: Balaji Selvanathan <balaji.selvanathan at oss.qualcomm.com>
>> Cc: Aswin Murugan <aswin.murugan at oss.qualcomm.com>
>>
>> Signed-off-by: Casey Connolly <casey.connolly at linaro.org>
>> ---
>> Changes in v4:
>> - Rework how qtestsign code is imported to make it easier to sync with upstream in the future.
>> - Actually raise an exception when mkmbn fails in an unexpected way.
>> - Link to v3: https://lore.kernel.org/r/20250612-b4-qcom-tooling-improvements-v3-0-76f34cf216e2@linaro.org
>>
>> Changes in v3:
>> - Fixup Makefiles and add missing qcom-binman.dts
>> - Adjust wording to reflect changes to build process
>> - Link to v2: https://lore.kernel.org/r/20250602-b4-qcom-tooling-improvements-v2-0-c7d19c0d4a8b@linaro.org
>>
>> Changes in v2:
>> - Reworked to use binman with a plugin to build the u-boot.mbn file
>> - Added some fixes for binman to work with OF_UPSTREAM and with tools
>>    in the srctree toolpath rather than objtree for out of tree builds.
>> - Link to v1: https://lore.kernel.org/r/20250522-b4-qcom-tooling-improvements-v1-0-8141b8955cfb@linaro.org
>>
>> ---
>> Casey Connolly (8):
>>        binman: add $(srctree)/tools to toolpath
>>        binman: support building binman dtb when OF_UPSTREAM is enabled
>>        tools: qcom: introduce mkmbn library
>>        tools: qcom: add mkmbn.py
>>        binman: add support for building Qualcomm signed MBN ELF images
>>        configs: qualcomm: use fragments for debug UART
>>        qualcomm: use mkmbn via binman and stop creating ELF files
>>        doc: board/qualcomm: update docs for new u-boot.mbn target
>>
>>   Makefile                            |   5 +
>>   arch/arm/Kconfig                    |   1 +
>>   arch/arm/dts/qcom-binman.dts        |  16 ++
>>   board/qualcomm/debug-qcm6490.config |   5 +
>>   board/qualcomm/debug-qcs9100.config |   5 +
>>   configs/qcm6490_defconfig           |  10 --
>>   configs/qcom_defconfig              |   2 +
>>   configs/qcom_ipq9574_mmc_defconfig  |   1 -
>>   configs/qcs9100_defconfig           |  10 --
>>   doc/board/qualcomm/index.rst        |   1 +
>>   doc/board/qualcomm/rb3gen2.rst      |  27 ++--
>>   doc/board/qualcomm/rdp.rst          |   5 +-
>>   doc/board/qualcomm/signing.rst      |  29 ++++
>>   dts/Makefile                        |  19 ++-
>>   tools/binman/btool/mkmbn.py         |  29 ++++
>>   tools/binman/etype/u_boot_mbn.py    |  53 +++++++
>>   tools/mkmbn                         |   1 +
>>   tools/qcom/mkmbn/cert.py            | 127 ++++++++++++++++
>>   tools/qcom/mkmbn/elf.py             | 238 ++++++++++++++++++++++++++++++
>>   tools/qcom/mkmbn/hashseg.py         | 281 ++++++++++++++++++++++++++++++++++++
>>   tools/qcom/mkmbn/mkmbn.py           | 154 ++++++++++++++++++++
>>   21 files changed, 981 insertions(+), 38 deletions(-)
>> ---
>> base-commit: 783f365c9dbb5c9e9341753fbad6a44dcdc7a069
>> change-id: 20250522-b4-qcom-tooling-improvements-ab40585b11a1
>>
>> Casey Connolly <casey.connolly at linaro.org>
>>
>

More information about the U-Boot mailing list