[PATCH v4 05/11] arm: dts: k3-binman: Add template for packing HSM firmware

Thu Apr 30 01:51:28 CEST 2026

Hi Beleswar,

On 2026-04-25T03:37:39, Padhi, Beleswar <b-padhi at ti.com> wrote:
> arm: dts: k3-binman: Add template for packing HSM firmware
>
> The HSM M4 core needs to be booted at R5 SPL stage so that it can be
> used for further Authentication and security services. Therefore, the
> firmware for the HSM core needs to be packed in tispl.bin fit image so
> that it can be used by R5 SPL to boot the HSM core.
>
> Add a template for packing the HSM firmware in tispl.bin. The template
> also contains necessary fields which will be populated in the boot
> extension and load extension in the x509 certificate for HSM firmware.
> This is required as the HSM firmware needs to be signed before invoking
> TIFS to authenticate and load the blob to HSM core.
>
> Signed-off-by: Beleswar Padhi <b-padhi at ti.com>
>
> arch/arm/dts/k3-binman.dtsi | 20 ++++++++++++++++++++
>  1 file changed, 20 insertions(+)

> diff --git a/arch/arm/dts/k3-binman.dtsi b/arch/arm/dts/k3-binman.dtsi
> @@ -297,6 +297,26 @@
> +                                     ti-secure {
> +                                             content = <&hsm_fw>;
> +                                             keyfile = 'custMpk.pem';
> +                                             proc_id = <0x80>;
> +                                             flags_set = <0x04>;
> +                                             flags_clr = <0x00>;
> +                                             reset_vector = <0x00>;
> +                                             dest_addr = <0x43C00000>;
> +                                             auth_type = <0xFD00>;
> +                                     };

We should use hyphens in DT property names. The existing ti-secure
properties (auth-in-place, firewall-cert-data) already follow this
convention; the python side can still expose them as proc_id etc after
the usual hyphen-to-underscore translation.

> diff --git a/arch/arm/dts/k3-binman.dtsi b/arch/arm/dts/k3-binman.dtsi
> @@ -297,6 +297,26 @@
> +                                             proc_id = <0x80>;
> +                                             flags_set = <0x04>;
> +                                             flags_clr = <0x00>;
> +                                             reset_vector = <0x00>;
> +                                             dest_addr = <0x43C00000>;
> +                                             auth_type = <0xFD00>;

Please use lower case hex. Also these could use a short comment above
the node (or alongside each value) describing what proc-id 0x80 names,
what bits flags-set 0x04 selects, and what auth-type 0xFD00 means. A
reference to the TIFS interface doc would also help.

> diff --git a/arch/arm/dts/k3-binman.dtsi b/arch/arm/dts/k3-binman.dtsi
> @@ -297,6 +297,26 @@
> +#ifdef CONFIG_K3_HSM_FW
> +                             hsm {
> +                                     description = "HSM binary";
> +                                     type = 'standalone';
> +                                     compression = 'none';
> +                                     os = 'hsm';

The os = 'hsm' string is what r5/common.c keys on via
image_os_match[IMAGE_ID_HSM] to identify this image. Please mention
that coupling in the commit message (or add a brief comment) so it is
clear this string is not free-form - i.e. changing it silently breaks
the post-process matcher.

Reviewed-by: Simon Glass <sjg at chromium.org>

Regards,
Simon