[PATCH v2 4/7] arm: dts: k3-{j721s2/j784s4}-binman: Pack HSM firmware inside tispl.bin

Beleswar Prasad Padhi b-padhi at ti.com
Wed May 7 16:56:36 CEST 2025


On 5/7/2025 3:09 PM, Anshul Dalal wrote:
> On Tue May 6, 2025 at 4:11 PM IST, Beleswar Padhi wrote:
>> Pack the HSM firmware in tispl.bin fit image so that it can be unloaded
>> and used by R5 SPL to boot the HSM core. By default, point to the
>> firmware for HS-SE device type. This needs to be changed to point to
>> appropriate firmware when using a different device type.
>>
>> Signed-off-by: Beleswar Padhi <b-padhi at ti.com>
>> ---
>> v2: Changelog:
>> None to this patch.
>>
>> Link to v1:
>> https://lore.kernel.org/all/20250422095430.363792-4-b-padhi@ti.com/
>>
>>   arch/arm/dts/k3-j721s2-binman.dtsi | 12 ++++++++++++
>>   arch/arm/dts/k3-j784s4-binman.dtsi | 14 ++++++++++++++
>>   2 files changed, 26 insertions(+)
>>
>> diff --git a/arch/arm/dts/k3-j721s2-binman.dtsi b/arch/arm/dts/k3-j721s2-binman.dtsi
>> index 73af184d27e..9c8b29f53bb 100644
>> --- a/arch/arm/dts/k3-j721s2-binman.dtsi
>> +++ b/arch/arm/dts/k3-j721s2-binman.dtsi
>> @@ -273,6 +273,14 @@
>>   
>>   					};
>>   				};
>> +#ifdef CONFIG_K3_HSM_FW
>> +				hsm {
>> +					hsm: blob-ext {
>> +						filename = "ti-hsm/hsm-demo-firmware-j721s2-hs.bin";
>> +					};
>> +				};
>> +#endif
>> +
> Why do we have the hsm binaries pre-signed? Having a common binary like
> the DM with signing using ti-secure might be a better option.


Andrew can correct me if I am wrong,
the HSM is meant to run a secure software stack and services like
authentication, etc. It is a +1 to TIFS. To establish ROT, we need the
HSM binary to be encrypted and authenticated by TIFS first before it
can do stuff by itself. DM is not a secure entity, so signing the image
doesn't make sense to me.

>
> Regards,
>
>>   				dm {
>>   					ti-secure {
>>   						content = <&dm>;
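Review bot: the `filename` in the new `hsm` node is hard-coded to the HS-SE demo binary (`hsm-demo-firmware-j721s2-hs.bin`), and the requirement to change it for other device types is stated only in the commit message. Add a comment next to the `filename` line saying which device type this blob matches, or take the name from a Kconfig string, so that a build for another device type does not silently pack the wrong firmware. Separately, the `hsm:` label on `blob-ext` is not referenced anywhere in the visible lines, whereas the `dm` label is consumed by `content = <&dm>;`; drop the label if nothing uses it.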
>> @@ -306,7 +314,11 @@
>>   				conf-0 {
>>   					description = "k3-j721s2-common-proc-board";
>>   					firmware = "atf";
>> +#ifdef CONFIG_K3_HSM_FW
>> +					loadables = "hsm", "tee", "dm", "spl";
>> +#else
>>   					loadables = "tee", "dm", "spl";
>> +#endif
>>   					fdt = "fdt-0";
>>   				};
>>   			};
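Review bot: `"hsm"` is placed first in `loadables` here, but the `hsm` image node added earlier in this file shows no `load` property or other placement information in its added lines. Say in the commit message or in a comment above this line whether the position in the list matters, and where a loadable without a load address ends up when this configuration is processed. If the node inherits those properties from a template elsewhere, a short comment pointing to it would help.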
>> diff --git a/arch/arm/dts/k3-j784s4-binman.dtsi b/arch/arm/dts/k3-j784s4-binman.dtsi
>> index cb1fbc65923..7c8e580a8a3 100644
>> --- a/arch/arm/dts/k3-j784s4-binman.dtsi
>> +++ b/arch/arm/dts/k3-j784s4-binman.dtsi
>> @@ -159,6 +159,16 @@
>>   
>>   		fit {
>>   			images {
>> +
>> +#ifdef CONFIG_K3_HSM_FW
>> +				hsm {
>> +					hsm: blob-ext {
>> +						filename = "ti-hsm/hsm-demo-firmware-j784s4-hs.bin";
>> +					};
>> +				};
>> +
>> +#endif
>> +
>>   				dm {
>>   					ti-secure {
>>   						content = <&dm>;
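Review bot: the blank `+` line directly after `images {` and the one before `#endif` differ from the j721s2 hunk, which adds a single blank line after `#endif`. Use the same layout in both files. As in the other file, the `hsm` node here has only a `blob-ext` with a filename; if `description`, `type` and similar FIT image properties are not inherited from elsewhere, add them so the node matches its siblings.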
>> @@ -194,7 +204,11 @@
>>   				conf-0 {
>>   					description = BOARD_DESCRIPTION;
>>   					firmware = "atf";
>> +#ifdef CONFIG_K3_HSM_FW
>> +					loadables = "hsm", "tee", "dm", "spl";
>> +#else
>>   					loadables = "tee", "dm", "spl";
>> +#endif
>>   					fdt = "fdt-0";
>>   				};
>>   			};
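Review bot: the `#ifdef`/`#else` pair around `loadables` duplicates the whole list, and the same pattern now appears in both k3-j721s2-binman.dtsi and k3-j784s4-binman.dtsi, so any later change to the list has to be made in four places. Since these files go through the preprocessor, consider one macro in a shared include (name hypothetical, for example `HSM_LOADABLE` expanding to `"hsm",` or to nothing) and a single line `loadables = HSM_LOADABLE "tee", "dm", "spl";` in each configuration.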

