[PATCH 5/6] sunxi: extend binman FIT description for signed SPL images

Lukas Schmid lukas.schmid at netcube.li
Wed Mar 25 20:26:12 CET 2026


Extend the sunxi binman/FIT description to support signed SPL FIT
images. Add an SPL public-key DTB image, per-image hash nodes,
fit,sign support, and a configuration signature that covers
firmware, loadables and the selected FDT.

Handle TOC0 SPL output as well by adding the required filename and
mkimage wrapping so the generated sunxi image remains verifiable.

Signed-off-by: Lukas Schmid <lukas.schmid at netcube.li>
---
 arch/arm/dts/sunxi-u-boot.dtsi | 68 ++++++++++++++++++++++++++++++++--
 1 file changed, 64 insertions(+), 4 deletions(-)

diff --git a/arch/arm/dts/sunxi-u-boot.dtsi b/arch/arm/dts/sunxi-u-boot.dtsi
index e1a9a7f5d4c..313fcad3922 100644
--- a/arch/arm/dts/sunxi-u-boot.dtsi
+++ b/arch/arm/dts/sunxi-u-boot.dtsi
@@ -27,6 +27,38 @@
 #endif
 
 &binman {
+#ifdef CONFIG_SPL_FIT_SIGNATURE
+	spl {
+#ifdef CONFIG_SPL_IMAGE_TYPE_SUNXI_TOC0
+		filename = "spl/u-boot-spl.bin";
+#else
+		filename = "spl/sunxi-spl.bin";
+#endif
+
+		u-boot-spl-nodtb {
+		};
+
+		u-boot-spl-pubkey-dtb {
+			algo = "sha256,rsa2048";
+			required = "conf";
+			key-name-hint = "dev";
+		};
+	};
+
+#ifdef CONFIG_SPL_IMAGE_TYPE_SUNXI_TOC0
+	image {
+		filename = "spl/sunxi-spl.bin";
+
+		mkimage {
+			args = "-a 0x20060 -T sunxi_toc0";
+			data-to-imagename;
+
+			u-boot-spl {
+			};
+		};
+	};
+#endif
+#endif
 	u-boot-sunxi-with-spl {
 		filename = "u-boot-sunxi-with-spl.bin";
 		pad-byte = <0xff>;
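Review bot: The key name `dev` and the algorithm `sha256,rsa2048` are hard-coded in `u-boot-spl-pubkey-dtb` here and again in the `signature` node added in the `@config-SEQ` hunk. Every sunxi board that enables CONFIG_SPL_FIT_SIGNATURE therefore has to sign with a key named "dev", and the two nodes must be kept in sync by hand. I would add a comment above the node such as `/* algo and key-name-hint must match the signature node in @config-SEQ; the key pair is looked up by this name at build time */`, and consider taking the name from build configuration so production keys are not tied to a development name. Likewise `-a 0x20060` fixes the TOC0 load address in the dtsi; if it is meant to track the SPL text base, a comment should say so. The `&binman` node continues outside the hunk.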
@@ -45,6 +77,9 @@
 			description = "Configuration to load U-Boot and firmware";
 			#address-cells = <1>;
 			fit,fdt-list = "of-list";
+#ifdef CONFIG_SPL_FIT_SIGNATURE
+			fit,sign;
+#endif
 
 			images {
 				uboot {
@@ -60,6 +95,11 @@
 
 					u-boot-nodtb {
 					};
+#ifdef CONFIG_SPL_FIT_SIGNATURE
+					hash {
+						algo = "sha256";
+					};
+#endif
 				};
 
 #if CONFIG_SUNXI_BL31_BASE
@@ -76,6 +116,11 @@
 						filename = "bl31.bin";
 						missing-msg = "atf-bl31-sunxi";
 					};
+#ifdef CONFIG_SPL_FIT_SIGNATURE
+					hash {
+						algo = "sha256";
+					};
+#endif
 				};
 #endif
 
@@ -92,6 +137,11 @@
 						missing-msg = "scp-sunxi";
 						optional;
 					};
+#ifdef CONFIG_SPL_FIT_SIGNATURE
+					hash {
+						algo = "sha256";
+					};
+#endif
 				};
 #endif
 
@@ -99,6 +149,11 @@
 					description = "NAME";
 					type = "flat_dt";
 					compression = "none";
+#ifdef CONFIG_SPL_FIT_SIGNATURE
+					hash {
+						algo = "sha256";
+					};
+#endif
 				};
 			};
 
@@ -108,16 +163,21 @@
 				@config-SEQ {
 					description = "NAME";
 #if CONFIG_SUNXI_BL31_BASE
-					firmware = "atf";
+					firmware = "atf", "uboot";
 #else
 					firmware = "uboot";
 #endif
 #if CONFIG_SUNXI_SCP_BASE
-					loadables = "scp", "uboot";
-#else
-					loadables = "uboot";
+					loadables = "scp";
 #endif
 					fdt = "fdt-SEQ";
+#ifdef CONFIG_SPL_FIT_SIGNATURE
+					signature {
+						algo = "sha256,rsa2048";
+						key-name-hint = "dev";
+						sign-images = "firmware", "loadables", "fdt";
+					};
+#endif
 				};
 			};
 		};
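Review bot: `sign-images` names "loadables" unconditionally, but after this change the `@config-SEQ` node has no `loadables` property at all when CONFIG_SUNXI_SCP_BASE is 0, so the signature refers to a property that may not exist. mkimage appears to treat an explicit `sign-images` list strictly, so signing may fail on boards without SCP; please confirm with such a build, or guard the list with the same `#if` as in the excerpt below. Separately, the `firmware = "atf", "uboot"` and `loadables` rewrite sits outside `#ifdef CONFIG_SPL_FIT_SIGNATURE`, so it also changes unsigned builds, and the commit message does not mention it. Whether SPL loads a second `firmware` entry is not visible in this patch and should be stated or tested. The enclosing configurations node starts outside the hunk.

```dts
					signature {
						/* … unchanged: algo, key-name-hint … */
#if CONFIG_SUNXI_SCP_BASE
						sign-images = "firmware", "loadables", "fdt";
#else
						sign-images = "firmware", "fdt";
#endif
					};
```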
-- 
2.47.3



