[PATCH v2 4/7] arm: dts: k3-{j721s2/j784s4}-binman: Pack HSM firmware inside tispl.bin

Beleswar Prasad Padhi b-padhi at ti.com
Wed Nov 19 11:15:17 CET 2025 

Hi Andrew, Anshul, all

Reviving this old thread, this is ready for a re-spin
now as unsigned HSM firmware is available.
Please see below.

On 08/05/25 17:29, Anshul Dalal wrote:
> On Wed May 7, 2025 at 8:53 PM IST, Andrew Davis wrote:
>> On 5/7/25 9:56 AM, Beleswar Prasad Padhi wrote:
>>> On 5/7/2025 3:09 PM, Anshul Dalal wrote:
>>>> On Tue May 6, 2025 at 4:11 PM IST, Beleswar Padhi wrote:
>>>>> Pack the HSM firmware in tispl.bin fit image so that it can be unloaded
>>>>> and used by R5 SPL to boot the HSM core. By default, point to the
>>>>> firmware for HS-SE device type. This needs to be changed to point to
>>>>> appropriate firmware when using a different device type.
>>>>>
>>>>> Signed-off-by: Beleswar Padhi <b-padhi at ti.com>
>>>>> ---
>>>>> v2: Changelog:
>>>>> None to this patch.
>>>>>
>>>>> Link to v1:
>>>>> https://lore.kernel.org/all/20250422095430.363792-4-b-padhi@ti.com/
>>>>>
>>>>>   arch/arm/dts/k3-j721s2-binman.dtsi | 12 ++++++++++++
>>>>>   arch/arm/dts/k3-j784s4-binman.dtsi | 14 ++++++++++++++
>>>>>   2 files changed, 26 insertions(+)
>>>>>
>>>>> diff --git a/arch/arm/dts/k3-j721s2-binman.dtsi b/arch/arm/dts/k3-j721s2-binman.dtsi
>>>>> index 73af184d27e..9c8b29f53bb 100644
>>>>> --- a/arch/arm/dts/k3-j721s2-binman.dtsi
>>>>> +++ b/arch/arm/dts/k3-j721s2-binman.dtsi
>>>>> @@ -273,6 +273,14 @@
>>>>>                       };
>>>>>                   };
>>>>> +#ifdef CONFIG_K3_HSM_FW
>>>>> +                hsm {
>>>>> +                    hsm: blob-ext {
>>>>> +                        filename = "ti-hsm/hsm-demo-firmware-j721s2-hs.bin";
>>>>> +                    };
>>>>> +                };
>>>>> +#endif
>>>>> +
>>>> Why do we have the hsm binaries pre-signed? Having a common binary like
>>>> the DM with signing using ti-secure might be a better option.
>>>
>>> Andrew can correct me if I am wrong,
>>> HSM is meant to run secure software stack and services like Authentication etc. It is a +1 to TIFS. To establish ROT, we need the HSM binary to be encrypted, and authenticated by TIFS first before it can do stuff by itself. DM is not a secure entity, so signing the image doesn't make sense for me.
>>>
>> I think Anshul is not suggesting that the HSM binary be unencrypted/unauthenticated.
>> Rather that the encrypting/signing be done here in binman like we do with TF-A/OP-TEE.
>> (which both are part trusted images to be loaded by TIFS).
>>
>> To that suggestion I agree, the customer will be doing the signing of this binary, right?
>> If so then since all other customer signing is done as part of binman, it makes sense
>> to also sign HSM firmware here too.
>>
>> Andrew
> Yeah, that is what I was going for. With that change it could be
> possible to also have a single binary for all platforms (gp, hs, hs-fs)
> in ti-linux-firmware?


I don't think its possible to have a single HSM firmware
for all device types currently. GP devices might not use
all security IPs which the hs-se device uses. So having
a common firmware would mean we sacrifice using
those secure services on a HS-SE capable device
as well. Of course, whenever we can support a single
TIFS binary for all device types, we can support a single
HSM too. I have copied firmware folks here (@Tanu,
@Saurabh) who can help in answering this query better,
if any follow up.

But yes, we do have the unsigned HSM firmware for each
device type now[0]: GP, HS, HS-FS. Which means we can
add the signing support here in U-Boot to match the flow
with other components like ATF/OPTEE/DM etc.

So, I will re-spin the v3 for this patch series with following
changes:
1. Dedicated remoteproc driver for booting HSM M4 core.
2. Signing HSM binary in binman/U-Boot.
3. Other minor code comments from Anshul/Andrew.

Note: We will continue to pack the HS-SE variant of HSM
firmware in tispl.bin fit image by default. Any other
variant can be packaged by changing the path in binman
node to corresponding firmware blob.

Let me know, if you have any comments over the above,
otherwise I will send out an v3 soon. Thanks!

[0]: https://git.ti.com/cgit/processor-firmware/ti-linux-firmware/commit/ti-hsm?h=ti-linux-firmware&id=560c226d763018de7adb892fc215b31286cc2831

Thanks,
Beleswar

More information about the U-Boot mailing list