[PATCH] mkimage: Add support for bundling TEE in mkimage -f auto

Quentin Schulz quentin.schulz at cherry.de
Mon Nov 24 16:05:22 CET 2025


Hi Marek,

On 11/19/25 12:20 AM, Marek Vasut wrote:
> Introduce two new parameters to be used with mkimage -f auto to bundle
> TEE image into fitImage, using auto-generated fitImage. Add -z to specify
> TEE file name and -Z to specify TEE load and entry point address. This is
> meant to be used with systems which boot all of TEE, Linux and its DT from
> a single fitImage, all booted by U-Boot.
> 
> Example invocation:
> "
> $ mkimage -E -A arm -C none -e 0xc0008000 -a 0xc0008000 -f auto \
>            -d arch/arm/boot/zImage \
>            -b arch/arm/boot/dts/st/stm32mp135f-dhcor-dhsbc.dtb \
>            -z ../optee_os/out/arm-plat-stm32mp1/core/tee-raw.bin \
> 	  -Z 0xde000000 \
>            /path/to/output/fitImage
> "
> 
> Documentation update and test are also included, the test validates
> both positive and negative test cases, where fitImage does not include
> TEE and does include TEE blobs.
> 
> Signed-off-by: Marek Vasut <marek.vasut at mailbox.org>
> ---
> Cc: "Carlos López" <carlos.lopezr4096 at gmail.com>
> Cc: Aristo Chen <jj251510319013 at gmail.com>
> Cc: Ilias Apalodimas <ilias.apalodimas at linaro.org>
> Cc: Julien Masson <jmasson at baylibre.com>
> Cc: Mattijs Korpershoek <mkorpershoek at kernel.org>
> Cc: Mayuresh Chitale <mchitale at ventanamicro.com>
> Cc: Paul HENRYS <paul.henrys_ext at softathome.com>
> Cc: Quentin Schulz <quentin.schulz at cherry.de>
> Cc: Rasmus Villemoes <ravi at prevas.dk>
> Cc: Simon Glass <sjg at chromium.org>
> Cc: Tom Rini <trini at konsulko.com>
> Cc: Wolfgang Wallner <wolfgang.wallner at br-automation.com>
> Cc: u-boot at lists.denx.de
> Cc: u-boot at dh-electronics.com
> ---
>   doc/mkimage.1                         |  12 +++
>   include/image.h                       |   1 +
>   test/py/tests/test_fit_auto_signed.py | 110 +++++++++++++++++++++++---
>   tools/fit_image.c                     |  55 ++++++++++++-
>   tools/imagetool.h                     |   2 +
>   tools/mkimage.c                       |  17 +++-
>   6 files changed, 185 insertions(+), 12 deletions(-)
> 
> diff --git a/doc/mkimage.1 b/doc/mkimage.1
> index c705218d345..c87003a6c0a 100644
> --- a/doc/mkimage.1
> +++ b/doc/mkimage.1
> @@ -251,6 +251,18 @@ Append TFA BL31 file to the image.
>   .B \-\-tfa-bl31-addr
>   Set TFA BL31 file load and entry point address.
>   .
> +.TP
> +.B \-z
> +.TQ
> +.B \-\-optee-file
> +Append OPTEE file to the image.
> +.
> +.TP
> +.B \-Z
> +.TQ
> +.B \-\-optee-addr
> +Set OPTEE file load and entry point address.
> +.

I believe we use tee-file and tee-addr according to the last diff in 
this patch?

Please specify this is parsed as hex.

Which formats are supported for the --tee-file parameter? OP-TEE OS 
itself has multiple versions for the binary header (v1 and v2?) and we 
can pass either a binary (tee.bin) or an ELF (tee.elf) in binman, c.f. 
tools/binman/etype/tee_os.py

>   .SS Options for creating FIT images
>   .
>   .TP
> diff --git a/include/image.h b/include/image.h
> index 9a1c828416d..d543c6cf254 100644
> --- a/include/image.h
> +++ b/include/image.h
> @@ -1105,6 +1105,7 @@ int booti_setup(ulong image, ulong *relocated_addr, ulong *size,
>   #define FIT_SCRIPT_PROP		"script"
>   #define FIT_PHASE_PROP		"phase"
>   #define FIT_TFA_BL31_PROP	"tfa-bl31"
> +#define FIT_TEE_PROP		"tee"
>   
>   #define FIT_MAX_HASH_LEN	HASH_MAX_DIGEST_SIZE
>   
> diff --git a/test/py/tests/test_fit_auto_signed.py b/test/py/tests/test_fit_auto_signed.py
> index 0b5dbd5401c..cb8bd519fd9 100644
> --- a/test/py/tests/test_fit_auto_signed.py
> +++ b/test/py/tests/test_fit_auto_signed.py
> @@ -117,23 +117,31 @@ class SignedFitHelper(object):
>               algo = self.__fdt_get_string(f'{node}/signature', 'algo')
>               assert algo == sign_algo + "\n", "Missing expected signature algo!"
>   
> -    def check_fit_loadables(self, present):
> +    def check_fit_loadables(self, bl31present, teepresent):
>           """Test that loadables contains both kernel and TFA BL31 entries.
>   
>           Each configuration must have a loadables property which lists both
>           kernel-1 and tfa-bl31-1 strings in the string list.

Missing update to the method docstring.

>           """
> -        if present:
> +        if bl31present:
>               assert "/images/tfa-bl31-1" in self.images_nodes
>           else:
>               assert "/images/tfa-bl31-1" not in self.images_nodes
> +        if teepresent:
> +            assert "/images/tee-1" in self.images_nodes
> +        else:
> +            assert "/images/tee-1" not in self.images_nodes
>           for node in self.confgs_nodes:
>               loadables = self.__fdt_get_string(f'{node}', 'loadables')
>               assert "kernel-1" in loadables
> -            if present:
> +            if bl31present:
>                   assert "tfa-bl31-1" in loadables
>               else:
>                   assert "tfa-bl31-1" not in loadables
> +            if teepresent:
> +                assert "tee-1" in loadables
> +            else:
> +                assert "tee-1" not in loadables

[...]

> +    # Run the same tests as 1/2/3 above, but this time with TEE
> +    # options -z tee.bin -Z 0x56780000 to cover both mkimage with
> +    # and without TEE use cases.
> +    b_args = " -d" + kernel_file + " -b" + dt1_file + " -b" + dt2_file + " -z" + tee_file + " -Z 0x56780000"
> +
> +    # 4 - Create auto FIT with images crc32 checksum, and verify it
> +    utils.run_and_log(ubman, mkimage + ' -fauto' + b_args + " " + fit_file)
> +
> +    fit = SignedFitHelper(ubman, fit_file)
> +    if fit.build_nodes_sets() == 0:
> +        raise ValueError('FIT-7 has no "/image" nor "/configuration" nodes')
> +
> +    fit.check_fit_crc32_images()
> +
> +    fit.check_fit_loadables(bl31present=False, teepresent=True)
> +
> +    # 5 - Create auto FIT with signed images, and verify it
> +    utils.run_and_log(ubman, mkimage + ' -fauto' + b_args + s_args + " " +
> +                      fit_file)
> +
> +    fit = SignedFitHelper(ubman, fit_file)
> +    if fit.build_nodes_sets() == 0:
> +        raise ValueError('FIT-8 has no "/image" nor "/configuration" nodes')
> +
> +    fit.check_fit_signed_images(key_name, sign_algo, verifier)
> +
> +    fit.check_fit_loadables(bl31present=False, teepresent=True)
> +
> +    # 6 - Create auto FIT with signed configs and hashed images, and verify it
> +    utils.run_and_log(ubman, mkimage + ' -fauto-conf' + b_args + s_args + " " +
> +                      fit_file)
> +
> +    fit = SignedFitHelper(ubman, fit_file)
> +    if fit.build_nodes_sets() == 0:
> +        raise ValueError('FIT-9 has no "/image" nor "/configuration" nodes')
> +
> +    fit.check_fit_signed_confgs(key_name, sign_algo)
> +
> +    fit.check_fit_loadables(bl31present=False, teepresent=True)
> +
> +    # Run the same tests as 1/2/3 above, but this time with TEE
> +    # options -z tee.bin -Z 0x56780000 to cover both mkimage with
> +    # and without TEE use cases.

And with TFA BL31...

[...]

> diff --git a/tools/fit_image.c b/tools/fit_image.c
> index 0306333141e..6388b04e340 100644
> --- a/tools/fit_image.c
> +++ b/tools/fit_image.c
> @@ -180,6 +180,13 @@ static int fit_calc_size(struct image_tool_params *params)
>   		total_size += size;
>   	}
>   
> +	if (params->fit_tee) {
> +		size = imagetool_get_filesize(params, params->fit_tee);
> +		if (size < 0)
> +			return -1;
> +		total_size += size;
> +	}
> +
>   	for (cont = params->content_head; cont; cont = cont->next) {
>   		size = imagetool_get_filesize(params, cont->fname);
>   		if (size < 0)
> @@ -433,6 +440,30 @@ static int fit_write_images(struct image_tool_params *params, char *fdt)
>   		fdt_end_node(fdt);
>   	}
>   
> +	/* And a TEE file if available */
> +	if (params->fit_tee) {
> +		fdt_begin_node(fdt, FIT_TEE_PROP "-1");
> +
> +		fdt_property_string(fdt, FIT_TYPE_PROP, FIT_TEE_PROP);
> +		fdt_property_string(fdt, FIT_OS_PROP,
> +				    genimg_get_os_short_name(params->os));
> +		fdt_property_string(fdt, FIT_ARCH_PROP,
> +				    genimg_get_arch_short_name(params->arch));
> +		get_basename(str, sizeof(str), params->fit_tee);
> +		fdt_property_string(fdt, FIT_DESC_PROP, str);
> +
> +		ret = fdt_property_file(params, fdt, FIT_DATA_PROP,
> +					params->fit_tee);
> +		if (ret)
> +			return ret;
> +		fdt_property_u32(fdt, FIT_LOAD_PROP, params->fit_tee_addr);
> +		fdt_property_u32(fdt, FIT_ENTRY_PROP, params->fit_tee_addr);
> +		fit_add_hash_or_sign(params, fdt, true);
> +		if (ret)
> +			return ret;
> +		fdt_end_node(fdt);
> +	}
> +

OK so... On Rockchip we have TF-A and OP-TEE OS split in multiple 
entries with different load addresses (see @atf-seq and @tee-seq in 
arch/arm/dts/rockchip-u-boot.dtsi). I guess this means we wouldn't be 
able to use this auto FIT?

>   	fdt_end_node(fdt);
>   
>   	return 0;
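Review bot: In the new TEE block of fit_write_images(), the second `if (ret) return ret;` after `fit_add_hash_or_sign(params, fdt, true);` tests a `ret` that was already checked after fdt_property_file() and has not been reassigned, so it can never fire. If fit_add_hash_or_sign() returns a status (its prototype is not visible in this hunk), assign it with `ret = fit_add_hash_or_sign(params, fdt, true);` so that a TEE node cannot be written without its hash or signature subnode while mkimage still reports success; if it returns void, drop the dead check. Separately, the node's `os` property is taken from `params->os`, which is the value given for the kernel, and load/entry are written with fdt_property_u32(); it is worth confirming whether a "tee" node should carry a TEE-specific os value and whether `fit_tee_addr` can exceed 32 bits. The function body begins outside the hunk.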
> @@ -473,10 +504,20 @@ static void fit_write_configs(struct image_tool_params *params, char *fdt)
>   		len = strlen(str);
>   		fdt_property_string(fdt, typename, str);
>   
> -		if (params->fit_tfa_bl31) {
> +		if (params->fit_tfa_bl31 && params->fit_tee) {
> +			snprintf(str, sizeof(str), "%s-1." FIT_TFA_BL31_PROP "-1." FIT_TEE_PROP "-1", typename);
> +			str[len] = 0;
> +			len += strlen(FIT_TFA_BL31_PROP "-1") + 1;
> +			str[len] = 0;
> +			len += strlen(FIT_TEE_PROP "-1") + 1;
> +		} else if (params->fit_tfa_bl31) {
>   			snprintf(str, sizeof(str), "%s-1." FIT_TFA_BL31_PROP "-1", typename);
>   			str[len] = 0;
>   			len += strlen(FIT_TFA_BL31_PROP "-1") + 1;
> +		} else if (params->fit_tee) {
> +			snprintf(str, sizeof(str), "%s-1." FIT_TEE_PROP "-1", typename);
> +			str[len] = 0;
> +			len += strlen(FIT_TEE_PROP "-1") + 1;
>   		}
>   
>   		fdt_property(fdt, FIT_LOADABLE_PROP, str, len + 1);
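Review bot: The length passed to `fdt_property(fdt, FIT_LOADABLE_PROP, str, len + 1)` is computed from `strlen()` of the constant suffixes rather than from what `snprintf()` actually wrote, and the `snprintf()` return value is not checked in any of the three branches. If `str` (declared outside this hunk, size not visible) were too small for `"%s-1." FIT_TFA_BL31_PROP "-1." FIT_TEE_PROP "-1"`, the output would be truncated while `len + 1` still covers the full intended layout, so the property could include bytes past the written string and the second `str[len] = 0` could land outside the buffer. Capturing the result, e.g. `n = snprintf(str, sizeof(str), ...);`, and skipping the loadables property when `n < 0 || (size_t)n >= sizeof(str)` would make the hand-computed string-list layout self-checking. The same pattern is repeated in the next hunk of fit_write_configs().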
> @@ -498,10 +539,20 @@ static void fit_write_configs(struct image_tool_params *params, char *fdt)
>   		len = strlen(str);
>   		fdt_property_string(fdt, typename, str);
>   
> -		if (params->fit_tfa_bl31) {
> +		if (params->fit_tfa_bl31 && params->fit_tee) {
> +			snprintf(str, sizeof(str), "%s-1." FIT_TFA_BL31_PROP "-1." FIT_TEE_PROP "-1", typename);
> +			str[len] = 0;
> +			len += strlen(FIT_TFA_BL31_PROP "-1") + 1;
> +			str[len] = 0;
> +			len += strlen(FIT_TEE_PROP "-1") + 1;
> +		} else if (params->fit_tfa_bl31) {
>   			snprintf(str, sizeof(str), "%s-1." FIT_TFA_BL31_PROP "-1", typename);
>   			str[len] = 0;
>   			len += strlen(FIT_TFA_BL31_PROP "-1") + 1;
> +		} else if (params->fit_tee) {
> +			snprintf(str, sizeof(str), "%s-1." FIT_TEE_PROP "-1", typename);
> +			str[len] = 0;
> +			len += strlen(FIT_TEE_PROP "-1") + 1;
>   		}

The code here seems to be shared with one diff above, maybe it'd make 
sense to make this into a reusable function? What do you think?

Cheers,
Quentin

