[PATCH v2 4/7] arm: dts: k3-{j721s2/j784s4}-binman: Pack HSM firmware inside tispl.bin

Anshul Dalal anshuld at ti.com
Thu May 8 13:59:20 CEST 2025 

On Wed May 7, 2025 at 8:53 PM IST, Andrew Davis wrote:
> On 5/7/25 9:56 AM, Beleswar Prasad Padhi wrote:
>> 
>> On 5/7/2025 3:09 PM, Anshul Dalal wrote:
>>> On Tue May 6, 2025 at 4:11 PM IST, Beleswar Padhi wrote:
>>>> Pack the HSM firmware in tispl.bin fit image so that it can be unloaded
>>>> and used by R5 SPL to boot the HSM core. By default, point to the
>>>> firmware for HS-SE device type. This needs to be changed to point to
>>>> appropriate firmware when using a different device type.
>>>>
>>>> Signed-off-by: Beleswar Padhi <b-padhi at ti.com>
>>>> ---
>>>> v2: Changelog:
>>>> None to this patch.
>>>>
>>>> Link to v1:
>>>> https://lore.kernel.org/all/20250422095430.363792-4-b-padhi@ti.com/
>>>>
>>>>   arch/arm/dts/k3-j721s2-binman.dtsi | 12 ++++++++++++
>>>>   arch/arm/dts/k3-j784s4-binman.dtsi | 14 ++++++++++++++
>>>>   2 files changed, 26 insertions(+)
>>>>
>>>> diff --git a/arch/arm/dts/k3-j721s2-binman.dtsi b/arch/arm/dts/k3-j721s2-binman.dtsi
>>>> index 73af184d27e..9c8b29f53bb 100644
>>>> --- a/arch/arm/dts/k3-j721s2-binman.dtsi
>>>> +++ b/arch/arm/dts/k3-j721s2-binman.dtsi
>>>> @@ -273,6 +273,14 @@
>>>>                       };
>>>>                   };
>>>> +#ifdef CONFIG_K3_HSM_FW
>>>> +                hsm {
>>>> +                    hsm: blob-ext {
>>>> +                        filename = "ti-hsm/hsm-demo-firmware-j721s2-hs.bin";
>>>> +                    };
>>>> +                };
>>>> +#endif
>>>> +
>>> Why do we have the hsm binaries pre-signed? Having a common binary like
>>> the DM with signing using ti-secure might be a better option.
>> 
>> 
>> Andrew can correct me if I am wrong,
>> HSM is meant to run secure software stack and services like Authentication etc. It is a +1 to TIFS. To establish ROT, we need the HSM binary to be encrypted, and authenticated by TIFS first before it can do stuff by itself. DM is not a secure entity, so signing the image doesn't make sense for me.
>> 
>
> I think Anshul is not suggesting that the HSM binary be unencrypted/unauthenticated.
> Rather that the encrypting/signing be done here in binman like we do with TF-A/OP-TEE.
> (which both are part trusted images to be loaded by TIFS).
>
> To that suggestion I agree, the customer will be doing the signing of this binary, right?
> If so then since all other customer signing is done as part of binman, it makes sense
> to also sign HSM firmware here too.
>
> Andrew

Yeah, that is what I was going for. With that change it could be
possible to also have a single binary for all platforms (gp, hs, hs-fs)
in ti-linux-firmware?

Also, why are we not adding an unsigned variant of the hsm binary in
tispl.bin_unsigned?

[snip]

More information about the U-Boot mailing list