[PATCH v4 0/8] Qualcomm: teach the build system to emit signed ELF images
Casey Connolly
casey.connolly at linaro.org
Tue Jun 17 11:15:37 CEST 2025
On 6/17/25 10:26, Neil Armstrong wrote:
> On 16/06/2025 18:13, Casey Connolly wrote:
>> Hi Tom,
>>
>> So I've been testing this a bit harder (really should have noticed
>> this sooner) and it turns out using binman makes things a whole lot
>> more complicated...
>>
>> Specifically, the new trogdor chromebook board doesn't need binman,
>> the U-Boot ELF is used directly since they have their own bootloader
>> beforehand.
>>
>> But since CONFIG_BINMAN can't be enabled in a defconfig and only
>> selected by some other Kconfig there isn't really a nice way to handle
>> this. The trogdor board doesn't add any Kconfigs of its own and doing
>> something like
>>
>> depends on BINMAN if !CONFIG_SYS_COREBOOT
>>
>> would be a huge hack...
>
> Can't you change to depends on BINMAN if CONFIG_BINMAN_DTB ?
No, since this creates a recursive dependency.
>
>>
>> This wouldn't be an issue in and of itself, but binman makes the build
>> fail since of course the DT doesn't have a binman node and the trogdor
>> defconfig doesn't define CONFIG_BINMAN_DTB (and shouldn't have to...).
>>
>> Possibly the easiest solution would be to allow defconfigs to set
>> CONFIG_BINMAN, or add some additional kconfig we can use to pull it in
>> (CONFIG_QCOM_BUILD_MBN ?), maybe the latter is the most comprehensible
>> solution.
>>
>> I think I'll go with that unless anyone can chime in with some other
>> suggestions.
>>
>> Kind regards,
>>
>> On 6/13/25 19:23, Casey Connolly wrote:
>>> With several new Qualcomm platforms appearing on the mailing list, all
>>> of which build U-Boot as an ELF, sign it, and then flash it to some
>>> partition on the board, we're getting a lot of defconfigs which just
>>> contain a debug UART and a TEXT_BASE address. This leads to needless
>>> rebuilds in CI of effectively the same image, and needless duplication
>>> of build instructions.
>>>
>>> To address this, let's introduce a new tool "mkmbn.py", this is based
>>> on the existing qtestsign[1] tool but is (currently) hardcoded to
>>> only handle the Dragonwing and IPQ boards which use MBN header v6.
>>> Additionally, the tool contains a lookup table that maps from a board's
>>> DT compatible property to the load address it needs. Since it's highly
>>> unusual for different boards using the same SoC to have different load
>>> addresses, generic platform matching is also done (e.g. "qcom,qcm6490").
>>>
>>> With this tool in place, we teach binman to use it and introduce
>>> a qcom-binman.dts file to describe the image. The tool will emit a
>>> u-boot.mbn file for supported platforms, for unsupported platforms the
>>> u-boot MBN etype in binman will print a notice explaining that no mbn
>>> file is built and to look at tools/qcom/mkmbn/mkmbn.py
>>>
>>> Finally, the defconfigs are cleaned up by moving the debug UART
>>> definitions to config fragments (since it doesn't make sense to have
>>> them enabled by default anyway) and remove CONFIG_REMAKE_ELF. Notably,
>>> the qcs9100_defconfig is removed entirely since the same binary can
>>> be created with just make arguments. This platform entirely lacked
>>> documentation to begin with, which should be addressed by future
>>> patches.
>>>
>>> The Qualcomm documentation is also cleaned up, a new "signing" page
>>> is added to briefly cover the what and why of MBN signing, and board
>>> specific pages are updated to explain the new build process.
>>>
>>> These patches have been tested on the RB3 Gen 2, but additional
>>> testing for other platforms would be super useful.
>>>
>>> [1]: https://github.com/msm8916-mainline/qtestsign
>>>
>>> To: Tom Rini <trini at konsulko.com>
>>> To: Neil Armstrong <neil.armstrong at linaro.org>
>>> To: Sumit Garg <sumit.garg at kernel.org>
>>> Cc: u-boot at lists.denx.de
>>> Cc: u-boot-qcom at groups.io
>>> Cc: Varadarajan Narayanan <quic_varada at quicinc.com>
>>> Cc: Balaji Selvanathan <balaji.selvanathan at oss.qualcomm.com>
>>> Cc: Aswin Murugan <aswin.murugan at oss.qualcomm.com>
>>>
>>> Signed-off-by: Casey Connolly <casey.connolly at linaro.org>
>>> ---
>>> Changes in v4:
>>> - Rework how qtestsign code is imported to make it easier to sync
>>> with upstream in the future.
>>> - Actually raise an exception when mkmbn fails in an unexpected way.
>>> - Link to v3: https://lore.kernel.org/r/20250612-b4-qcom-tooling-improvements-v3-0-76f34cf216e2 at linaro.org
>>>
>>> Changes in v3:
>>> - Fixup Makefiles and add missing qcom-binman.dts
>>> - Adjust wording to reflect changes to build process
>>> - Link to v2: https://lore.kernel.org/r/20250602-b4-qcom-tooling-improvements-v2-0-c7d19c0d4a8b at linaro.org
>>>
>>> Changes in v2:
>>> - Reworked to use binman with a plugin to build the u-boot.mbn file
>>> - Added some fixes for binman to work with OF_UPSTREAM and with tools
>>> in the srctree toolpath rather than objtree for out of tree builds.
>>> - Link to v1: https://lore.kernel.org/r/20250522-b4-qcom-tooling-improvements-v1-0-8141b8955cfb at linaro.org
>>>
>>> ---
>>> Casey Connolly (8):
>>> binman: add $(srctree)/tools to toolpath
>>> binman: support building binman dtb when OF_UPSTREAM is enabled
>>> tools: qcom: introduce mkmbn library
>>> tools: qcom: add mkmbn.py
>>> binman: add support for building Qualcomm signed MBN ELF images
>>> configs: qualcomm: use fragments for debug UART
>>> qualcomm: use mkmbn via binman and stop creating ELF files
>>> doc: board/qualcomm: update docs for new u-boot.mbn target
>>>
>>> Makefile | 5 +
>>> arch/arm/Kconfig | 1 +
>>> arch/arm/dts/qcom-binman.dts | 16 ++
>>> board/qualcomm/debug-qcm6490.config | 5 +
>>> board/qualcomm/debug-qcs9100.config | 5 +
>>> configs/qcm6490_defconfig | 10 --
>>> configs/qcom_defconfig | 2 +
>>> configs/qcom_ipq9574_mmc_defconfig | 1 -
>>> configs/qcs9100_defconfig | 10 --
>>> doc/board/qualcomm/index.rst | 1 +
>>> doc/board/qualcomm/rb3gen2.rst | 27 ++--
>>> doc/board/qualcomm/rdp.rst | 5 +-
>>> doc/board/qualcomm/signing.rst | 29 ++++
>>> dts/Makefile | 19 ++-
>>> tools/binman/btool/mkmbn.py | 29 ++++
>>> tools/binman/etype/u_boot_mbn.py | 53 +++++++
>>> tools/mkmbn | 1 +
>>> tools/qcom/mkmbn/cert.py | 127 ++++++++++++++++
>>> tools/qcom/mkmbn/elf.py | 238 ++++++++++++++++++++++++++++++
>>> tools/qcom/mkmbn/hashseg.py | 281 ++++++++++++++++++++++++++++++++++++
>>> tools/qcom/mkmbn/mkmbn.py | 154 ++++++++++++++++++++
>>> 21 files changed, 981 insertions(+), 38 deletions(-)
>>> ---
>>> base-commit: 783f365c9dbb5c9e9341753fbad6a44dcdc7a069
>>> change-id: 20250522-b4-qcom-tooling-improvements-ab40585b11a1
>>>
>>> Casey Connolly <casey.connolly at linaro.org>
>>>
>>
>
--
Casey (she/they)