* [PATCH RFC v2 00/11] Integration of sysfw, tispl and tiboot3
@ 2022-05-06  4:37 Neha Malcom Francis
  2022-05-06  4:37 ` [PATCH RFC v2 01/11] j721e_evm: schema: yaml: Add general schema and J721E board config files Neha Malcom Francis
                   ` (12 more replies)
  0 siblings, 13 replies; 36+ messages in thread
From: Neha Malcom Francis @ 2022-05-06  4:37 UTC (permalink / raw)
  To: u-boot; +Cc: n-francis

Devices that belong to the K3 architecture require SYSFW which is a FIT
image consisting of a signed system firmware image and board config
binaries.

Board config binaries are needed to bring up SYSFW during U-Boot SPL
startup. The board config data is given in YAML as input. These board
configs contain board-specific information such as resource management,
power management and security.

The following series intends to plumb the system firmware generation
into U-Boot using binman for packaging. Thus it will eliminate the need
for additional custom repositories for SYSFW generation and also moves
towards the community standard build flow. We use binman to package
tiboot3.bin and sysfw.itb images.

These images also require x509 certificates which are created using the
etype x509-cert.

The series also plumbs the generation of tispl.bin into the build flow.
This image is required for loading u-boot in K3 devices. The image is
packaged using ATF, OPTEE and DM (Device Manager).

Please note that the following series has implemented the above for
J721E general purpose board. The board configs and device trees added
are specific to J721E GP devices.

Also note the introduction of three new etypes: ti-sysfw, ti-dm and
x509-cert.

On running CI tests on GitHub, errors were produced during world builds
of keystone2_keystone3 and siemens (IOT2050 which is based on AM65x).
This patch series is intended for only J721E and future work is to expand
to the remaining K3 devices as well. The errors that come are mainly due
to the boards other than J721E trying to generate tispl.bin.

v2:
- Added etype x509-cert for creating x509 Texas Instruments certificate
  binary
- Added packaging of tiboot3.bin
- Packaging of tiboot3.bin and sysfw.itb using new etype x509
- sysfw --> ti-sysfw
- Reformatted and re-arranged patches
- Removed k3_fit_atf.sh and k3_gen_x509_cert.sh as their functionality
  is provided by binman now

Neha Malcom Francis (11):
  j721e_evm: schema: yaml: Add general schema and J721E board config
    files
  ti: tools: config: Add board config class to generate config binaries
  ti: etype: sysfw: Add entry type for sysfw
  ti: etype: dm: Add entry type for TI DM
  ti: etype: x509: Add etype for x509 certificate for K3 devices
  ti: sysfw: Add support for packaging sysfw.itb
  ti: tiboot3.bin: Remove tiboot3.bin target from makefile
  ti: tispl.bin: Removed script that packages tispl.bin
  ti: x509: Remove shell script used for signing
  ti: dtsi: j721e: Use binman to package sysfw.itb and tiboot3.bin
  ti: dtsi: j721e: Use binman to package tispl.bin

 Makefile                                      |    2 +
 arch/arm/dts/k3-j721e-a72-binman.dtsi         |   86 +
 .../k3-j721e-common-proc-board-u-boot.dtsi    |    1 +
 arch/arm/dts/k3-j721e-r5-binman.dtsi          |   88 +
 .../k3-j721e-r5-common-proc-board-u-boot.dtsi |    1 +
 arch/arm/mach-k3/config.mk                    |   64 +-
 board/ti/common/schema.yaml                   |  355 ++
 board/ti/j721e/Kconfig                        |    2 +
 board/ti/j721e/config.yaml                    | 3162 +++++++++++++++++
 scripts/Makefile.spl                          |    4 -
 test/py/requirements.txt                      |    1 +
 tools/binman/entries.rst                      |   36 +
 tools/binman/etype/ti_dm.py                   |   23 +
 tools/binman/etype/ti_sysfw.py                |   28 +
 tools/binman/etype/x509_cert.py               |  248 ++
 tools/binman/ftest.py                         |   21 +
 tools/binman/test/225_ti_dm.dts               |   13 +
 tools/binman/test/232_ti_sysfw.dts            |   13 +
 tools/binman/test/232_x509_cert.dts           |   18 +
 tools/k3_fit_atf.sh                           |  123 -
 tools/k3_gen_x509_cert.sh                     |  252 --
 tools/tibcfg_gen.py                           |  114 +
 22 files changed, 4227 insertions(+), 428 deletions(-)
 create mode 100644 arch/arm/dts/k3-j721e-a72-binman.dtsi
 create mode 100644 arch/arm/dts/k3-j721e-r5-binman.dtsi
 create mode 100644 board/ti/common/schema.yaml
 create mode 100644 board/ti/j721e/config.yaml
 create mode 100644 tools/binman/etype/ti_dm.py
 create mode 100644 tools/binman/etype/ti_sysfw.py
 create mode 100644 tools/binman/etype/x509_cert.py
 create mode 100644 tools/binman/test/225_ti_dm.dts
 create mode 100644 tools/binman/test/232_ti_sysfw.dts
 create mode 100644 tools/binman/test/232_x509_cert.dts
 delete mode 100755 tools/k3_fit_atf.sh
 delete mode 100755 tools/k3_gen_x509_cert.sh
 create mode 100644 tools/tibcfg_gen.py

-- 
2.17.1



* [PATCH RFC v2 01/11] j721e_evm: schema: yaml: Add general schema and J721E board config files
  2022-05-06  4:37 [PATCH RFC v2 00/11] Integration of sysfw, tispl and tiboot3 Neha Malcom Francis
@ 2022-05-06  4:37 ` Neha Malcom Francis
  2022-05-06  4:37 ` [PATCH RFC v2 02/11] ti: tools: config: Add board config class to generate config binaries Neha Malcom Francis
                   ` (11 subsequent siblings)
  12 siblings, 0 replies; 36+ messages in thread
From: Neha Malcom Francis @ 2022-05-06  4:37 UTC (permalink / raw)
  To: u-boot; +Cc: n-francis

Schema file in YAML must be provided in board/ti/common for validating
input config files and packaging system firmware. The schema includes
entries for rm-cfg, board-cfg, pm-cfg and sec-cfg.

Board config file must be provided in board/ti/<devicename> in YAML.
These can then be consumed for generation of binaries to package system
firmware. Added YAML config for J721E EVM in particular.

It is to be noted that the bootflow followed by J721E requires
tiboot3.bin, TIFS and board config binaries to be packaged into
sysfw.itb along with u-boot.img. It also requires DM, ATF, OPTEE
packaged into tispl.bin.

Signed-off-by: Tarun Sahu <t-sahu@ti.com>
[n-francis@ti.com: prepared patch for upstreaming]
Signed-off-by: Neha Malcom Francis <n-francis@ti.com>
---
 board/ti/common/schema.yaml |  355 ++++
 board/ti/j721e/config.yaml  | 3162 +++++++++++++++++++++++++++++++++++
 2 files changed, 3517 insertions(+)
 create mode 100644 board/ti/common/schema.yaml
 create mode 100644 board/ti/j721e/config.yaml

diff --git a/board/ti/common/schema.yaml b/board/ti/common/schema.yaml
new file mode 100644
index 0000000000..070ff797e0
--- /dev/null
+++ b/board/ti/common/schema.yaml
@@ -0,0 +1,355 @@
+# SPDX-License-Identifier: GPL-2.0+
+# Copyright (C) 2022 Texas Instruments Incorporated - https://www.ti.com/
+#
+# Config schema for TI K3 devices
+#
+
+---
+
+definitions:
+    u8:
+        type: integer
+        minimum: 0
+        maximum: 0xff
+    u16:
+        type: integer
+        minimum: 0
+        maximum: 0xffff
+    u32:
+        type: integer
+        minimum: 0
+        maximum: 0xffffffff
+
+
+
+type: object
+properties:
+    pm-cfg:
+        type: object
+        properties:
+            rev:
+                type: object
+                properties:
+                    boardcfg_abi_maj:
+                        $ref: "#/definitions/u8"
+                    boardcfg_abi_min:
+                        $ref: "#/definitions/u8"
+    board-cfg:
+        type: object
+        properties:
+            rev:
+                type: object
+                properties:
+                    boardcfg_abi_maj:
+                        $ref: "#/definitions/u8"
+                    boardcfg_abi_min:
+                        $ref: "#/definitions/u8"
+            control:
+                type: object
+                properties:
+                    subhdr:
+                        type: object
+                        properties:
+                            magic:
+                                $ref: "#/definitions/u16"
+                            size:
+                                $ref: "#/definitions/u16"
+                    main_isolation_enable:
+                        $ref: "#/definitions/u8"
+                    main_isolation_hostid:
+                        $ref: "#/definitions/u16"
+
+
+            secproxy:
+                type: object
+                properties:
+                    subhdr:
+                        type: object
+                        properties:
+                            magic:
+                                $ref: "#/definitions/u16"
+                            size:
+                                $ref: "#/definitions/u16"
+                    scaling_factor:
+                        $ref: "#/definitions/u8"
+                    scaling_profile:
+                        $ref: "#/definitions/u8"
+                    disable_main_nav_secure_proxy:
+                        $ref: "#/definitions/u8"
+
+            msmc:
+                type: object
+                properties:
+                    subhdr:
+                        type: object
+                        properties:
+                            magic:
+                                $ref: "#/definitions/u16"
+                            size:
+                                $ref: "#/definitions/u16"
+                    msmc_cache_size:
+                        $ref: "#/definitions/u8"
+            debug_cfg:
+                type: object
+                properties:
+                    subhdr:
+                        type: object
+                        properties:
+                            magic:
+                                $ref: "#/definitions/u16"
+                            size:
+                                $ref: "#/definitions/u16"
+                    trace_dst_enables:
+                        $ref: "#/definitions/u16"
+                    trace_src_enables:
+                        $ref: "#/definitions/u16"
+
+    sec-cfg:
+        type: object
+        properties:
+            rev:
+                type: object
+                properties:
+                    boardcfg_abi_maj:
+                        $ref: "#/definitions/u8"
+                    boardcfg_abi_min:
+                        $ref: "#/definitions/u8"
+
+            processor_acl_list:
+                type: object
+                properties:
+                    subhdr:
+                        type: object
+                        properties:
+                            magic:
+                                $ref: "#/definitions/u16"
+                            size:
+                                $ref: "#/definitions/u16"
+                    proc_acl_entries:
+                        type: array
+                        minItems: 32
+                        maxItems: 32
+                        items:
+                            type: object
+                            properties:
+                                processor_id:
+                                    $ref: "#/definitions/u8"
+                                proc_access_master:
+                                    $ref: "#/definitions/u8"
+                                proc_access_secondary:
+                                    type: array
+                                    minItems: 3
+                                    maxItems: 3
+                                    items:
+                                        $ref: "#/definitions/u8"
+            host_hierarchy:
+                type: object
+                properties:
+                    subhdr:
+                        type: object
+                        properties:
+                            magic:
+                                $ref: "#/definitions/u16"
+                            size:
+                                $ref: "#/definitions/u16"
+                    host_hierarchy_entries:
+                        type: array
+                        minItems: 32
+                        maxItems: 32
+                        items:
+                            type: object
+                            properties:
+                                host_id:
+                                    $ref: "#/definitions/u8"
+                                supervisor_host_id:
+                                    $ref: "#/definitions/u8"
+
+            otp_config:
+                type: object
+                properties:
+                    subhdr:
+                        type: object
+                        properties:
+                            magic:
+                                $ref: "#/definitions/u16"
+                            size:
+                                $ref: "#/definitions/u16"
+                    otp_entry:
+                        type: array
+                        minItems: 32
+                        maxItems: 32
+                        items:
+                            type: object
+                            properties:
+                                host_id:
+                                    $ref: "#/definitions/u8"
+                                host_perms:
+                                    $ref: "#/definitions/u8"
+                    write_host_id:
+                        $ref: "#/definitions/u8"
+
+            dkek_config:
+                type: object
+                properties:
+                    subhdr:
+                        type: object
+                        properties:
+                            magic:
+                                $ref: "#/definitions/u16"
+                            size:
+                                $ref: "#/definitions/u16"
+                    allowed_hosts:
+                        type: array
+                        minItems: 4
+                        maxItems: 4
+                        items:
+                            $ref: "#/definitions/u8"
+                    allow_dkek_export_tisci:
+                        $ref: "#/definitions/u8"
+                    rsvd:
+                        type: array
+                        minItems: 3
+                        maxItems: 3
+                        items:
+                            $ref: "#/definitions/u8"
+
+            sa2ul_cfg:
+                type: object
+                properties:
+                    subhdr:
+                        type: object
+                        properties:
+                            magic:
+                                $ref: "#/definitions/u16"
+                            size:
+                                $ref: "#/definitions/u16"
+                    rsvd:
+                        type: array
+                        minItems: 4
+                        maxItems: 4
+                        items:
+                            $ref: "#/definitions/u8"
+            sec_dbg_config:
+                type: object
+                properties:
+                    subhdr:
+                        type: object
+                        properties:
+                            magic:
+                                $ref: "#/definitions/u16"
+                            size:
+                                $ref: "#/definitions/u16"
+                    allow_jtag_unlock:
+                        $ref: "#/definitions/u8"
+                    allow_wildcard_unlock:
+                        $ref: "#/definitions/u8"
+                    allowed_debug_level_rsvd:
+                        $ref: "#/definitions/u8"
+                    rsvd:
+                        $ref: "#/definitions/u8"
+                    min_cert_rev:
+                        $ref: "#/definitions/u32"
+                    jtag_unlock_hosts:
+                        type: array
+                        minItems: 4
+                        maxItems: 4
+                        items:
+                            $ref: "#/definitions/u8"
+
+
+            sec_handover_cfg:
+                type: object
+                properties:
+                    subhdr:
+                        type: object
+                        properties:
+                            magic:
+                                $ref: "#/definitions/u16"
+                            size:
+                                $ref: "#/definitions/u16"
+                    handover_msg_sender:
+                        $ref: "#/definitions/u8"
+                    handover_to_host_id:
+                        $ref: "#/definitions/u8"
+                    rsvd:
+                        type: array
+                        minItems: 4
+                        maxItems: 4
+                        items:
+                            $ref: "#/definitions/u8"
+
+    rm-cfg:
+        type: object
+        properties:
+            rm_boardcfg:
+                type: object
+                properties:
+                    rev:
+                        type: object
+                        properties:
+                            boardcfg_abi_maj:
+                                $ref: "#/definitions/u8"
+                            boardcfg_abi_min:
+                                $ref: "#/definitions/u8"
+
+                    host_cfg:
+                        type: object
+                        properties:
+                            subhdr:
+                                type: object
+                                properties:
+                                    magic:
+                                        $ref: "#/definitions/u16"
+                                    size:
+                                        $ref: "#/definitions/u16"
+                            host_cfg_entries:
+                                type: array
+                                minItems: 0
+                                maxItems: 32
+                                items:
+                                    type: object
+                                    properties:
+                                        host_id:
+                                            $ref: "#/definitions/u8"
+                                        allowed_atype:
+                                            $ref: "#/definitions/u8"
+                                        allowed_qos:
+                                            $ref: "#/definitions/u16"
+                                        allowed_orderid:
+                                            $ref: "#/definitions/u32"
+                                        allowed_priority:
+                                            $ref: "#/definitions/u16"
+                                        allowed_sched_priority:
+                                            $ref: "#/definitions/u8"
+                    resasg:
+                        type: object
+                        properties:
+                            subhdr:
+                                type: object
+                                properties:
+                                    magic:
+                                        $ref: "#/definitions/u16"
+                                    size:
+                                        $ref: "#/definitions/u16"
+                            resasg_entries_size:
+                                        $ref: "#/definitions/u16"
+                            reserved:
+                                        $ref: "#/definitions/u16"
+
+            resasg_entries:
+                type: array
+                minItems: 0
+                maxItems: 418
+                items:
+                    type: object
+                    properties:
+                        start_resource:
+                            $ref: "#/definitions/u16"
+                        num_resource:
+                            $ref: "#/definitions/u16"
+                        type:
+                            $ref: "#/definitions/u16"
+                        host_id:
+                            $ref: "#/definitions/u8"
+                        reserved:
+                            $ref: "#/definitions/u8"
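
Review bot: none of the objects in this schema declares `required` keys or sets `additionalProperties: false`, so under JSON Schema semantics a board config with a missing or misspelled field (for example `allow_jtag_unlock` under `sec_dbg_config`) still validates, and the mistake only surfaces, if at all, when the binary is generated. Suggest adding `required` lists and `additionalProperties: false`, at least for the `sec-cfg` and `board-cfg` structures. Two smaller points: the `$ref` lines under `resasg_entries_size` and `reserved` in `resasg` are indented deeper than every other `$ref` in the file, and the `subhdr` object (`magic` and `size`, both u16) is repeated verbatim in every sub-structure and could be a single entry under `definitions`. It would also help to state whether `resasg_entries` is meant to sit beside `rm_boardcfg` rather than inside it, since its indentation places it directly under the `rm-cfg` properties.
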
diff --git a/board/ti/j721e/config.yaml b/board/ti/j721e/config.yaml
new file mode 100644
index 0000000000..710517404f
--- /dev/null
+++ b/board/ti/j721e/config.yaml
@@ -0,0 +1,3162 @@
+# SPDX-License-Identifier: GPL-2.0+
+# Copyright (C) 2022 Texas Instruments Incorporated - https://www.ti.com/
+#
+# Board configuration for J721E EVM
+#
+
+---
+
+pm-cfg:
+        rev:
+                boardcfg_abi_maj: 0x0
+                boardcfg_abi_min: 0x1
+
+board-cfg:
+        rev:
+                boardcfg_abi_maj: 0x0
+                boardcfg_abi_min: 0x1
+        control:
+                subhdr:
+                        magic: 0xC1D3
+                        size: 7
+                main_isolation_enable: 0x5A
+                main_isolation_hostid: 0x2
+        secproxy:
+                subhdr:
+                        magic: 0x1207
+                        size: 7
+                scaling_factor: 0x1
+                scaling_profile: 0x1
+                disable_main_nav_secure_proxy: 0
+        msmc:
+                subhdr:
+                        magic: 0xA5C3
+                        size: 5
+                msmc_cache_size: 0x0
+        debug_cfg:
+                subhdr:
+                        magic: 0x020C
+                        size: 8
+                trace_dst_enables: 0x00
+                trace_src_enables: 0x00
+
+sec-cfg:
+        rev:
+                boardcfg_abi_maj: 0x0
+                boardcfg_abi_min: 0x1
+        processor_acl_list:
+                subhdr:
+                        magic: 0xF1EA
+                        size: 164
+                proc_acl_entries:
+                        - #1
+                                processor_id: 0
+                                proc_access_master: 0
+                                proc_access_secondary: [0, 0, 0]
+                        - #2
+                                processor_id: 0
+                                proc_access_master: 0
+                                proc_access_secondary: [0, 0, 0]
+                        - #3
+                                processor_id: 0
+                                proc_access_master: 0
+                                proc_access_secondary: [0, 0, 0]
+                        - #4
+                                processor_id: 0
+                                proc_access_master: 0
+                                proc_access_secondary: [0, 0, 0]
+                        - #5
+                                processor_id: 0
+                                proc_access_master: 0
+                                proc_access_secondary: [0, 0, 0]
+                        - #6
+                                processor_id: 0
+                                proc_access_master: 0
+                                proc_access_secondary: [0, 0, 0]
+                        - #7
+                                processor_id: 0
+                                proc_access_master: 0
+                                proc_access_secondary: [0, 0, 0]
+                        - #8
+                                processor_id: 0
+                                proc_access_master: 0
+                                proc_access_secondary: [0, 0, 0]
+                        - #9
+                                processor_id: 0
+                                proc_access_master: 0
+                                proc_access_secondary: [0, 0, 0]
+                        - #10
+                                processor_id: 0
+                                proc_access_master: 0
+                                proc_access_secondary: [0, 0, 0]
+                        - #11
+                                processor_id: 0
+                                proc_access_master: 0
+                                proc_access_secondary: [0, 0, 0]
+                        - #12
+                                processor_id: 0
+                                proc_access_master: 0
+                                proc_access_secondary: [0, 0, 0]
+                        - #13
+                                processor_id: 0
+                                proc_access_master: 0
+                                proc_access_secondary: [0, 0, 0]
+                        - #14
+                                processor_id: 0
+                                proc_access_master: 0
+                                proc_access_secondary: [0, 0, 0]
+                        - #15
+                                processor_id: 0
+                                proc_access_master: 0
+                                proc_access_secondary: [0, 0, 0]
+                        - #16
+                                processor_id: 0
+                                proc_access_master: 0
+                                proc_access_secondary: [0, 0, 0]
+                        - #17
+                                processor_id: 0
+                                proc_access_master: 0
+                                proc_access_secondary: [0, 0, 0]
+                        - #18
+                                processor_id: 0
+                                proc_access_master: 0
+                                proc_access_secondary: [0, 0, 0]
+                        - #19
+                                processor_id: 0
+                                proc_access_master: 0
+                                proc_access_secondary: [0, 0, 0]
+                        - #20
+                                processor_id: 0
+                                proc_access_master: 0
+                                proc_access_secondary: [0, 0, 0]
+                        - #21
+                                processor_id: 0
+                                proc_access_master: 0
+                                proc_access_secondary: [0, 0, 0]
+                        - #22
+                                processor_id: 0
+                                proc_access_master: 0
+                                proc_access_secondary: [0, 0, 0]
+                        - #23
+                                processor_id: 0
+                                proc_access_master: 0
+                                proc_access_secondary: [0, 0, 0]
+                        - #24
+                                processor_id: 0
+                                proc_access_master: 0
+                                proc_access_secondary: [0, 0, 0]
+                        - #25
+                                processor_id: 0
+                                proc_access_master: 0
+                                proc_access_secondary: [0, 0, 0]
+                        - #26
+                                processor_id: 0
+                                proc_access_master: 0
+                                proc_access_secondary: [0, 0, 0]
+                        - #27
+                                processor_id: 0
+                                proc_access_master: 0
+                                proc_access_secondary: [0, 0, 0]
+                        - #28
+                                processor_id: 0
+                                proc_access_master: 0
+                                proc_access_secondary: [0, 0, 0]
+                        - #29
+                                processor_id: 0
+                                proc_access_master: 0
+                                proc_access_secondary: [0, 0, 0]
+                        - #30
+                                processor_id: 0
+                                proc_access_master: 0
+                                proc_access_secondary: [0, 0, 0]
+                        - #31
+                                processor_id: 0
+                                proc_access_master: 0
+                                proc_access_secondary: [0, 0, 0]
+                        - #32
+                                processor_id: 0
+                                proc_access_master: 0
+                                proc_access_secondary: [0, 0, 0]
+
+        host_hierarchy:
+                subhdr:
+                        magic: 0x8D27
+                        size: 68
+                host_hierarchy_entries:
+                        - #1
+                                host_id: 0
+                                supervisor_host_id: 0
+                        - #2
+                                host_id: 0
+                                supervisor_host_id: 0
+                        - #3
+                                host_id: 0
+                                supervisor_host_id: 0
+                        - #4
+                                host_id: 0
+                                supervisor_host_id: 0
+                        - #5
+                                host_id: 0
+                                supervisor_host_id: 0
+                        - #6
+                                host_id: 0
+                                supervisor_host_id: 0
+                        - #7
+                                host_id: 0
+                                supervisor_host_id: 0
+                        - #8
+                                host_id: 0
+                                supervisor_host_id: 0
+                        - #9
+                                host_id: 0
+                                supervisor_host_id: 0
+                        - #10
+                                host_id: 0
+                                supervisor_host_id: 0
+                        - #11
+                                host_id: 0
+                                supervisor_host_id: 0
+                        - #12
+                                host_id: 0
+                                supervisor_host_id: 0
+                        - #13
+                                host_id: 0
+                                supervisor_host_id: 0
+                        - #14
+                                host_id: 0
+                                supervisor_host_id: 0
+                        - #15
+                                host_id: 0
+                                supervisor_host_id: 0
+                        - #16
+                                host_id: 0
+                                supervisor_host_id: 0
+                        - #17
+                                host_id: 0
+                                supervisor_host_id: 0
+                        - #18
+                                host_id: 0
+                                supervisor_host_id: 0
+                        - #19
+                                host_id: 0
+                                supervisor_host_id: 0
+                        - #20
+                                host_id: 0
+                                supervisor_host_id: 0
+                        - #21
+                                host_id: 0
+                                supervisor_host_id: 0
+                        - #22
+                                host_id: 0
+                                supervisor_host_id: 0
+                        - #23
+                                host_id: 0
+                                supervisor_host_id: 0
+                        - #24
+                                host_id: 0
+                                supervisor_host_id: 0
+                        - #25
+                                host_id: 0
+                                supervisor_host_id: 0
+                        - #26
+                                host_id: 0
+                                supervisor_host_id: 0
+                        - #27
+                                host_id: 0
+                                supervisor_host_id: 0
+                        - #28
+                                host_id: 0
+                                supervisor_host_id: 0
+                        - #29
+                                host_id: 0
+                                supervisor_host_id: 0
+                        - #30
+                                host_id: 0
+                                supervisor_host_id: 0
+                        - #31
+                                host_id: 0
+                                supervisor_host_id: 0
+                        - #32
+                                host_id: 0
+                                supervisor_host_id: 0
+        otp_config:
+                subhdr:
+                        magic: 0x4081
+                        size: 69
+                otp_entry:
+                        - #1
+                                host_id: 0
+                                host_perms: 0
+                        - #2
+                                host_id: 0
+                                host_perms: 0
+                        - #3
+                                host_id: 0
+                                host_perms: 0
+                        - #4
+                                host_id: 0
+                                host_perms: 0
+                        - #5
+                                host_id: 0
+                                host_perms: 0
+                        - #6
+                                host_id: 0
+                                host_perms: 0
+                        - #7
+                                host_id: 0
+                                host_perms: 0
+                        - #8
+                                host_id: 0
+                                host_perms: 0
+                        - #9
+                                host_id: 0
+                                host_perms: 0
+                        - #10
+                                host_id: 0
+                                host_perms: 0
+                        - #11
+                                host_id: 0
+                                host_perms: 0
+                        - #12
+                                host_id: 0
+                                host_perms: 0
+                        - #13
+                                host_id: 0
+                                host_perms: 0
+                        - #14
+                                host_id: 0
+                                host_perms: 0
+                        - #15
+                                host_id: 0
+                                host_perms: 0
+                        - #16
+                                host_id: 0
+                                host_perms: 0
+                        - #17
+                                host_id: 0
+                                host_perms: 0
+                        - #18
+                                host_id: 0
+                                host_perms: 0
+                        - #19
+                                host_id: 0
+                                host_perms: 0
+                        - #20
+                                host_id: 0
+                                host_perms: 0
+                        - #21
+                                host_id: 0
+                                host_perms: 0
+                        - #22
+                                host_id: 0
+                                host_perms: 0
+                        - #23
+                                host_id: 0
+                                host_perms: 0
+                        - #24
+                                host_id: 0
+                                host_perms: 0
+                        - #25
+                                host_id: 0
+                                host_perms: 0
+                        - #26
+                                host_id: 0
+                                host_perms: 0
+                        - #27
+                                host_id: 0
+                                host_perms: 0
+                        - #28
+                                host_id: 0
+                                host_perms: 0
+                        - #29
+                                host_id: 0
+                                host_perms: 0
+                        - #30
+                                host_id: 0
+                                host_perms: 0
+                        - #31
+                                host_id: 0
+                                host_perms: 0
+                        - #32
+                                host_id: 0
+                                host_perms: 0
+                write_host_id: 0
+        dkek_config:
+                subhdr:
+                        magic: 0x5170
+                        size: 12
+                allowed_hosts: [128, 0, 0, 0]
+                allow_dkek_export_tisci: 0x5A
+                rsvd: [0, 0, 0]
+        sa2ul_cfg:
+                subhdr:
+                        magic: 0x23BE
+                        size: 0
+                rsvd: [0, 0, 0, 0]
+        sec_dbg_config:
+                subhdr:
+                        magic: 0x42AF
+                        size: 16
+                allow_jtag_unlock: 0x5A
+                allow_wildcard_unlock: 0x5A
+                allowed_debug_level_rsvd: 0
+                rsvd: 0
+                min_cert_rev: 0x0
+                jtag_unlock_hosts: [0, 0, 0, 0]
+        sec_handover_cfg:
+                subhdr:
+                        magic: 0x608F
+                        size: 10
+                handover_msg_sender: 0
+                handover_to_host_id: 0
+                rsvd: [0, 0, 0, 0]
+
+rm-cfg:
+        rm_boardcfg:
+                rev:
+                        boardcfg_abi_maj: 0x0
+                        boardcfg_abi_min: 0x1
+                host_cfg:
+                        subhdr:
+                                magic: 0x4C41
+                                size: 356
+                        host_cfg_entries:
+                                - #1
+                                        host_id: 3
+                                        allowed_atype: 0x2A
+                                        allowed_qos: 0xAAAA
+                                        allowed_orderid: 0xAAAAAAAA
+                                        allowed_priority: 0xAAAA
+                                        allowed_sched_priority: 0xAA
+                                - #2
+                                        host_id: 5
+                                        allowed_atype: 0x2A
+                                        allowed_qos: 0xAAAA
+                                        allowed_orderid: 0xAAAAAAAA
+                                        allowed_priority: 0xAAAA
+                                        allowed_sched_priority: 0xAA
+                                - #3
+                                        host_id: 12
+                                        allowed_atype: 0x2A
+                                        allowed_qos: 0xAAAA
+                                        allowed_orderid: 0xAAAAAAAA
+                                        allowed_priority: 0xAAAA
+                                        allowed_sched_priority: 0xAA
+                                - #4
+                                        host_id: 13
+                                        allowed_atype: 0x2A
+                                        allowed_qos: 0xAAAA
+                                        allowed_orderid: 0xAAAAAAAA
+                                        allowed_priority: 0xAAAA
+                                        allowed_sched_priority: 0xAA
+                                - #5
+                                        host_id: 21
+                                        allowed_atype: 0x2A
+                                        allowed_qos: 0xAAAA
+                                        allowed_orderid: 0xAAAAAAAA
+                                        allowed_priority: 0xAAAA
+                                        allowed_sched_priority: 0xAA
+                                - #6
+                                        host_id: 26
+                                        allowed_atype: 0x2A
+                                        allowed_qos: 0xAAAA
+                                        allowed_orderid: 0xAAAAAAAA
+                                        allowed_priority: 0xAAAA
+                                        allowed_sched_priority: 0xAA
+                                - #7
+                                        host_id: 28
+                                        allowed_atype: 0x2A
+                                        allowed_qos: 0xAAAA
+                                        allowed_orderid: 0xAAAAAAAA
+                                        allowed_priority: 0xAAAA
+                                        allowed_sched_priority: 0xAA
+                                - #8
+                                        host_id: 35
+                                        allowed_atype: 0x2A
+                                        allowed_qos: 0xAAAA
+                                        allowed_orderid: 0xAAAAAAAA
+                                        allowed_priority: 0xAAAA
+                                        allowed_sched_priority: 0xAA
+                                - #9
+                                        host_id: 37
+                                        allowed_atype: 0x2A
+                                        allowed_qos: 0xAAAA
+                                        allowed_orderid: 0xAAAAAAAA
+                                        allowed_priority: 0xAAAA
+                                        allowed_sched_priority: 0xAA
+                                - #10
+                                        host_id: 40
+                                        allowed_atype: 0x2A
+                                        allowed_qos: 0xAAAA
+                                        allowed_orderid: 0xAAAAAAAA
+                                        allowed_priority: 0xAAAA
+                                        allowed_sched_priority: 0xAA
+                                - #11
+                                        host_id: 42
+                                        allowed_atype: 0x2A
+                                        allowed_qos: 0xAAAA
+                                        allowed_orderid: 0xAAAAAAAA
+                                        allowed_priority: 0xAAAA
+                                        allowed_sched_priority: 0xAA
+                                - #12
+                                        host_id: 0
+                                        allowed_atype: 0
+                                        allowed_qos: 0
+                                        allowed_orderid: 0
+                                        allowed_priority: 0
+                                        allowed_sched_priority: 0
+                                - #13
+                                        host_id: 0
+                                        allowed_atype: 0
+                                        allowed_qos: 0
+                                        allowed_orderid: 0
+                                        allowed_priority: 0
+                                        allowed_sched_priority: 0
+                                - #14
+                                        host_id: 0
+                                        allowed_atype: 0
+                                        allowed_qos: 0
+                                        allowed_orderid: 0
+                                        allowed_priority: 0
+                                        allowed_sched_priority: 0
+                                - #15
+                                        host_id: 0
+                                        allowed_atype: 0
+                                        allowed_qos: 0
+                                        allowed_orderid: 0
+                                        allowed_priority: 0
+                                        allowed_sched_priority: 0
+                                - #16
+                                        host_id: 0
+                                        allowed_atype: 0
+                                        allowed_qos: 0
+                                        allowed_orderid: 0
+                                        allowed_priority: 0
+                                        allowed_sched_priority: 0
+                                - #17
+                                        host_id: 0
+                                        allowed_atype: 0
+                                        allowed_qos: 0
+                                        allowed_orderid: 0
+                                        allowed_priority: 0
+                                        allowed_sched_priority: 0
+                                - #18
+                                        host_id: 0
+                                        allowed_atype: 0
+                                        allowed_qos: 0
+                                        allowed_orderid: 0
+                                        allowed_priority: 0
+                                        allowed_sched_priority: 0
+                                - #19
+                                        host_id: 0
+                                        allowed_atype: 0
+                                        allowed_qos: 0
+                                        allowed_orderid: 0
+                                        allowed_priority: 0
+                                        allowed_sched_priority: 0
+                                - #20
+                                        host_id: 0
+                                        allowed_atype: 0
+                                        allowed_qos: 0
+                                        allowed_orderid: 0
+                                        allowed_priority: 0
+                                        allowed_sched_priority: 0
+                                - #21
+                                        host_id: 0
+                                        allowed_atype: 0
+                                        allowed_qos: 0
+                                        allowed_orderid: 0
+                                        allowed_priority: 0
+                                        allowed_sched_priority: 0
+                                - #22
+                                        host_id: 0
+                                        allowed_atype: 0
+                                        allowed_qos: 0
+                                        allowed_orderid: 0
+                                        allowed_priority: 0
+                                        allowed_sched_priority: 0
+                                - #23
+                                        host_id: 0
+                                        allowed_atype: 0
+                                        allowed_qos: 0
+                                        allowed_orderid: 0
+                                        allowed_priority: 0
+                                        allowed_sched_priority: 0
+                                - #24
+                                        host_id: 0
+                                        allowed_atype: 0
+                                        allowed_qos: 0
+                                        allowed_orderid: 0
+                                        allowed_priority: 0
+                                        allowed_sched_priority: 0
+                                - #25
+                                        host_id: 0
+                                        allowed_atype: 0
+                                        allowed_qos: 0
+                                        allowed_orderid: 0
+                                        allowed_priority: 0
+                                        allowed_sched_priority: 0
+                                - #26
+                                        host_id: 0
+                                        allowed_atype: 0
+                                        allowed_qos: 0
+                                        allowed_orderid: 0
+                                        allowed_priority: 0
+                                        allowed_sched_priority: 0
+                                - #27
+                                        host_id: 0
+                                        allowed_atype: 0
+                                        allowed_qos: 0
+                                        allowed_orderid: 0
+                                        allowed_priority: 0
+                                        allowed_sched_priority: 0
+                                - #28
+                                        host_id: 0
+                                        allowed_atype: 0
+                                        allowed_qos: 0
+                                        allowed_orderid: 0
+                                        allowed_priority: 0
+                                        allowed_sched_priority: 0
+                                - #29
+                                        host_id: 0
+                                        allowed_atype: 0
+                                        allowed_qos: 0
+                                        allowed_orderid: 0
+                                        allowed_priority: 0
+                                        allowed_sched_priority: 0
+                                - #30
+                                        host_id: 0
+                                        allowed_atype: 0
+                                        allowed_qos: 0
+                                        allowed_orderid: 0
+                                        allowed_priority: 0
+                                        allowed_sched_priority: 0
+                                - #31
+                                        host_id: 0
+                                        allowed_atype: 0
+                                        allowed_qos: 0
+                                        allowed_orderid: 0
+                                        allowed_priority: 0
+                                        allowed_sched_priority: 0
+                                - #32
+                                        host_id: 0
+                                        allowed_atype: 0
+                                        allowed_qos: 0
+                                        allowed_orderid: 0
+                                        allowed_priority: 0
+                                        allowed_sched_priority: 0
+                resasg:
+                        subhdr:
+                                magic: 0x7B25
+                                size: 8
+                        resasg_entries_size: 3344
+                        reserved: 0
+        resasg_entries:
+                -
+                        start_resource: 4
+                        num_resource: 93
+                        type: 7744
+                        host_id: 26
+                        reserved: 0
+                -
+                        start_resource: 4
+                        num_resource: 93
+                        type: 7808
+                        host_id: 28
+                        reserved: 0
+                -
+                        start_resource: 0
+                        num_resource: 32
+                        type: 7872
+                        host_id: 128
+                        reserved: 0
+                -
+                        start_resource: 0
+                        num_resource: 32
+                        type: 8192
+                        host_id: 3
+                        reserved: 0
+                -
+                        start_resource: 32
+                        num_resource: 32
+                        type: 8192
+                        host_id: 5
+                        reserved: 0
+                -
+                        start_resource: 0
+                        num_resource: 24
+                        type: 8320
+                        host_id: 3
+                        reserved: 0
+                -
+                        start_resource: 24
+                        num_resource: 24
+                        type: 8320
+                        host_id: 5
+                        reserved: 0
+                -
+                        start_resource: 0
+                        num_resource: 8
+                        type: 8384
+                        host_id: 3
+                        reserved: 0
+                -
+                        start_resource: 8
+                        num_resource: 8
+                        type: 8384
+                        host_id: 5
+                        reserved: 0
+                -
+                        start_resource: 16
+                        num_resource: 4
+                        type: 8384
+                        host_id: 40
+                        reserved: 0
+                -
+                        start_resource: 20
+                        num_resource: 4
+                        type: 8384
+                        host_id: 42
+                        reserved: 0
+                -
+                        start_resource: 24
+                        num_resource: 4
+                        type: 8384
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 28
+                        num_resource: 4
+                        type: 8384
+                        host_id: 37
+                        reserved: 0
+                -
+                        start_resource: 32
+                        num_resource: 4
+                        type: 8384
+                        host_id: 26
+                        reserved: 0
+                -
+                        start_resource: 36
+                        num_resource: 4
+                        type: 8384
+                        host_id: 28
+                        reserved: 0
+                -
+                        start_resource: 40
+                        num_resource: 12
+                        type: 8384
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 52
+                        num_resource: 12
+                        type: 8384
+                        host_id: 13
+                        reserved: 0
+                -
+                        start_resource: 0
+                        num_resource: 128
+                        type: 8576
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 128
+                        num_resource: 128
+                        type: 8576
+                        host_id: 37
+                        reserved: 0
+                -
+                        start_resource: 0
+                        num_resource: 128
+                        type: 8640
+                        host_id: 40
+                        reserved: 0
+                -
+                        start_resource: 128
+                        num_resource: 128
+                        type: 8640
+                        host_id: 42
+                        reserved: 0
+                -
+                        start_resource: 0
+                        num_resource: 48
+                        type: 8704
+                        host_id: 128
+                        reserved: 0
+                -
+                        start_resource: 0
+                        num_resource: 8
+                        type: 8768
+                        host_id: 3
+                        reserved: 0
+                -
+                        start_resource: 8
+                        num_resource: 8
+                        type: 8768
+                        host_id: 5
+                        reserved: 0
+                -
+                        start_resource: 16
+                        num_resource: 6
+                        type: 8768
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 22
+                        num_resource: 6
+                        type: 8768
+                        host_id: 13
+                        reserved: 0
+                -
+                        start_resource: 28
+                        num_resource: 2
+                        type: 8768
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 30
+                        num_resource: 2
+                        type: 8768
+                        host_id: 37
+                        reserved: 0
+                -
+                        start_resource: 0
+                        num_resource: 64
+                        type: 13258
+                        host_id: 128
+                        reserved: 0
+                -
+                        start_resource: 20480
+                        num_resource: 1024
+                        type: 13261
+                        host_id: 128
+                        reserved: 0
+                -
+                        start_resource: 0
+                        num_resource: 64
+                        type: 13322
+                        host_id: 128
+                        reserved: 0
+                -
+                        start_resource: 22528
+                        num_resource: 1024
+                        type: 13325
+                        host_id: 128
+                        reserved: 0
+                -
+                        start_resource: 38
+                        num_resource: 86
+                        type: 13386
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 124
+                        num_resource: 32
+                        type: 13386
+                        host_id: 13
+                        reserved: 0
+                -
+                        start_resource: 156
+                        num_resource: 12
+                        type: 13386
+                        host_id: 40
+                        reserved: 0
+                -
+                        start_resource: 168
+                        num_resource: 12
+                        type: 13386
+                        host_id: 42
+                        reserved: 0
+                -
+                        start_resource: 180
+                        num_resource: 12
+                        type: 13386
+                        host_id: 21
+                        reserved: 0
+                -
+                        start_resource: 192
+                        num_resource: 12
+                        type: 13386
+                        host_id: 26
+                        reserved: 0
+                -
+                        start_resource: 204
+                        num_resource: 12
+                        type: 13386
+                        host_id: 28
+                        reserved: 0
+                -
+                        start_resource: 216
+                        num_resource: 28
+                        type: 13386
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 244
+                        num_resource: 8
+                        type: 13386
+                        host_id: 37
+                        reserved: 0
+                -
+                        start_resource: 252
+                        num_resource: 4
+                        type: 13386
+                        host_id: 128
+                        reserved: 0
+                -
+                        start_resource: 38
+                        num_resource: 1024
+                        type: 13389
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 1062
+                        num_resource: 512
+                        type: 13389
+                        host_id: 13
+                        reserved: 0
+                -
+                        start_resource: 1574
+                        num_resource: 32
+                        type: 13389
+                        host_id: 3
+                        reserved: 0
+                -
+                        start_resource: 1606
+                        num_resource: 32
+                        type: 13389
+                        host_id: 5
+                        reserved: 0
+                -
+                        start_resource: 1638
+                        num_resource: 256
+                        type: 13389
+                        host_id: 40
+                        reserved: 0
+                -
+                        start_resource: 1894
+                        num_resource: 256
+                        type: 13389
+                        host_id: 42
+                        reserved: 0
+                -
+                        start_resource: 2150
+                        num_resource: 256
+                        type: 13389
+                        host_id: 21
+                        reserved: 0
+                -
+                        start_resource: 2406
+                        num_resource: 256
+                        type: 13389
+                        host_id: 26
+                        reserved: 0
+                -
+                        start_resource: 2662
+                        num_resource: 256
+                        type: 13389
+                        host_id: 28
+                        reserved: 0
+                -
+                        start_resource: 2918
+                        num_resource: 512
+                        type: 13389
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 3430
+                        num_resource: 256
+                        type: 13389
+                        host_id: 37
+                        reserved: 0
+                -
+                        start_resource: 3686
+                        num_resource: 922
+                        type: 13389
+                        host_id: 128
+                        reserved: 0
+                -
+                        start_resource: 0
+                        num_resource: 4
+                        type: 13440
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 4
+                        num_resource: 4
+                        type: 13440
+                        host_id: 13
+                        reserved: 0
+                -
+                        start_resource: 8
+                        num_resource: 4
+                        type: 13440
+                        host_id: 3
+                        reserved: 0
+                -
+                        start_resource: 12
+                        num_resource: 4
+                        type: 13440
+                        host_id: 5
+                        reserved: 0
+                -
+                        start_resource: 16
+                        num_resource: 4
+                        type: 13440
+                        host_id: 40
+                        reserved: 0
+                -
+                        start_resource: 20
+                        num_resource: 4
+                        type: 13440
+                        host_id: 42
+                        reserved: 0
+                -
+                        start_resource: 24
+                        num_resource: 4
+                        type: 13440
+                        host_id: 21
+                        reserved: 0
+                -
+                        start_resource: 28
+                        num_resource: 4
+                        type: 13440
+                        host_id: 26
+                        reserved: 0
+                -
+                        start_resource: 32
+                        num_resource: 4
+                        type: 13440
+                        host_id: 28
+                        reserved: 0
+                -
+                        start_resource: 36
+                        num_resource: 12
+                        type: 13440
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 48
+                        num_resource: 4
+                        type: 13440
+                        host_id: 37
+                        reserved: 0
+                -
+                        start_resource: 52
+                        num_resource: 12
+                        type: 13440
+                        host_id: 128
+                        reserved: 0
+                -
+                        start_resource: 0
+                        num_resource: 1
+                        type: 13504
+                        host_id: 128
+                        reserved: 0
+                -
+                        start_resource: 440
+                        num_resource: 150
+                        type: 13505
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 590
+                        num_resource: 40
+                        type: 13505
+                        host_id: 13
+                        reserved: 0
+                -
+                        start_resource: 630
+                        num_resource: 6
+                        type: 13505
+                        host_id: 3
+                        reserved: 0
+                -
+                        start_resource: 636
+                        num_resource: 6
+                        type: 13505
+                        host_id: 5
+                        reserved: 0
+                -
+                        start_resource: 642
+                        num_resource: 10
+                        type: 13505
+                        host_id: 40
+                        reserved: 0
+                -
+                        start_resource: 652
+                        num_resource: 10
+                        type: 13505
+                        host_id: 42
+                        reserved: 0
+                -
+                        start_resource: 662
+                        num_resource: 32
+                        type: 13505
+                        host_id: 21
+                        reserved: 0
+                -
+                        start_resource: 694
+                        num_resource: 38
+                        type: 13505
+                        host_id: 26
+                        reserved: 0
+                -
+                        start_resource: 732
+                        num_resource: 12
+                        type: 13505
+                        host_id: 28
+                        reserved: 0
+                -
+                        start_resource: 744
+                        num_resource: 182
+                        type: 13505
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 926
+                        num_resource: 40
+                        type: 13505
+                        host_id: 37
+                        reserved: 0
+                -
+                        start_resource: 966
+                        num_resource: 8
+                        type: 13505
+                        host_id: 128
+                        reserved: 0
+                -
+                        start_resource: 316
+                        num_resource: 8
+                        type: 13506
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 324
+                        num_resource: 2
+                        type: 13506
+                        host_id: 3
+                        reserved: 0
+                -
+                        start_resource: 324
+                        num_resource: 0
+                        type: 13506
+                        host_id: 13
+                        reserved: 0
+                -
+                        start_resource: 326
+                        num_resource: 2
+                        type: 13506
+                        host_id: 5
+                        reserved: 0
+                -
+                        start_resource: 328
+                        num_resource: 2
+                        type: 13506
+                        host_id: 40
+                        reserved: 0
+                -
+                        start_resource: 330
+                        num_resource: 2
+                        type: 13506
+                        host_id: 42
+                        reserved: 0
+                -
+                        start_resource: 332
+                        num_resource: 2
+                        type: 13506
+                        host_id: 21
+                        reserved: 0
+                -
+                        start_resource: 334
+                        num_resource: 8
+                        type: 13506
+                        host_id: 26
+                        reserved: 0
+                -
+                        start_resource: 342
+                        num_resource: 2
+                        type: 13506
+                        host_id: 28
+                        reserved: 0
+                -
+                        start_resource: 344
+                        num_resource: 4
+                        type: 13506
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 348
+                        num_resource: 1
+                        type: 13506
+                        host_id: 37
+                        reserved: 0
+                -
+                        start_resource: 349
+                        num_resource: 28
+                        type: 13506
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 377
+                        num_resource: 20
+                        type: 13506
+                        host_id: 13
+                        reserved: 0
+                -
+                        start_resource: 397
+                        num_resource: 4
+                        type: 13506
+                        host_id: 40
+                        reserved: 0
+                -
+                        start_resource: 401
+                        num_resource: 4
+                        type: 13506
+                        host_id: 42
+                        reserved: 0
+                -
+                        start_resource: 405
+                        num_resource: 4
+                        type: 13506
+                        host_id: 21
+                        reserved: 0
+                -
+                        start_resource: 409
+                        num_resource: 8
+                        type: 13506
+                        host_id: 26
+                        reserved: 0
+                -
+                        start_resource: 417
+                        num_resource: 6
+                        type: 13506
+                        host_id: 28
+                        reserved: 0
+                -
+                        start_resource: 423
+                        num_resource: 16
+                        type: 13506
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 439
+                        num_resource: 1
+                        type: 13506
+                        host_id: 37
+                        reserved: 0
+                -
+                        start_resource: 16
+                        num_resource: 8
+                        type: 13507
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 24
+                        num_resource: 2
+                        type: 13507
+                        host_id: 3
+                        reserved: 0
+                -
+                        start_resource: 24
+                        num_resource: 0
+                        type: 13507
+                        host_id: 13
+                        reserved: 0
+                -
+                        start_resource: 26
+                        num_resource: 2
+                        type: 13507
+                        host_id: 5
+                        reserved: 0
+                -
+                        start_resource: 28
+                        num_resource: 2
+                        type: 13507
+                        host_id: 40
+                        reserved: 0
+                -
+                        start_resource: 30
+                        num_resource: 2
+                        type: 13507
+                        host_id: 42
+                        reserved: 0
+                -
+                        start_resource: 32
+                        num_resource: 2
+                        type: 13507
+                        host_id: 21
+                        reserved: 0
+                -
+                        start_resource: 34
+                        num_resource: 8
+                        type: 13507
+                        host_id: 26
+                        reserved: 0
+                -
+                        start_resource: 42
+                        num_resource: 2
+                        type: 13507
+                        host_id: 28
+                        reserved: 0
+                -
+                        start_resource: 44
+                        num_resource: 4
+                        type: 13507
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 48
+                        num_resource: 1
+                        type: 13507
+                        host_id: 37
+                        reserved: 0
+                -
+                        start_resource: 49
+                        num_resource: 28
+                        type: 13507
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 77
+                        num_resource: 20
+                        type: 13507
+                        host_id: 13
+                        reserved: 0
+                -
+                        start_resource: 97
+                        num_resource: 4
+                        type: 13507
+                        host_id: 40
+                        reserved: 0
+                -
+                        start_resource: 101
+                        num_resource: 4
+                        type: 13507
+                        host_id: 42
+                        reserved: 0
+                -
+                        start_resource: 105
+                        num_resource: 4
+                        type: 13507
+                        host_id: 21
+                        reserved: 0
+                -
+                        start_resource: 109
+                        num_resource: 8
+                        type: 13507
+                        host_id: 26
+                        reserved: 0
+                -
+                        start_resource: 117
+                        num_resource: 6
+                        type: 13507
+                        host_id: 28
+                        reserved: 0
+                -
+                        start_resource: 123
+                        num_resource: 10
+                        type: 13507
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 133
+                        num_resource: 6
+                        type: 13507
+                        host_id: 37
+                        reserved: 0
+                -
+                        start_resource: 139
+                        num_resource: 1
+                        type: 13507
+                        host_id: 128
+                        reserved: 0
+                -
+                        start_resource: 140
+                        num_resource: 16
+                        type: 13508
+                        host_id: 21
+                        reserved: 0
+                -
+                        start_resource: 156
+                        num_resource: 6
+                        type: 13508
+                        host_id: 26
+                        reserved: 0
+                -
+                        start_resource: 162
+                        num_resource: 6
+                        type: 13508
+                        host_id: 28
+                        reserved: 0
+                -
+                        start_resource: 168
+                        num_resource: 2
+                        type: 13508
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 170
+                        num_resource: 2
+                        type: 13508
+                        host_id: 37
+                        reserved: 0
+                -
+                        start_resource: 172
+                        num_resource: 96
+                        type: 13508
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 268
+                        num_resource: 32
+                        type: 13508
+                        host_id: 37
+                        reserved: 0
+                -
+                        start_resource: 304
+                        num_resource: 0
+                        type: 13509
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 304
+                        num_resource: 4
+                        type: 13509
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 304
+                        num_resource: 0
+                        type: 13509
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 308
+                        num_resource: 6
+                        type: 13509
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 314
+                        num_resource: 2
+                        type: 13509
+                        host_id: 128
+                        reserved: 0
+                -
+                        start_resource: 300
+                        num_resource: 0
+                        type: 13510
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 300
+                        num_resource: 2
+                        type: 13510
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 300
+                        num_resource: 0
+                        type: 13510
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 302
+                        num_resource: 2
+                        type: 13510
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 4
+                        num_resource: 0
+                        type: 13511
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 4
+                        num_resource: 4
+                        type: 13511
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 4
+                        num_resource: 0
+                        type: 13511
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 8
+                        num_resource: 6
+                        type: 13511
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 14
+                        num_resource: 2
+                        type: 13511
+                        host_id: 128
+                        reserved: 0
+                -
+                        start_resource: 0
+                        num_resource: 0
+                        type: 13512
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 0
+                        num_resource: 2
+                        type: 13512
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 0
+                        num_resource: 0
+                        type: 13512
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 2
+                        num_resource: 2
+                        type: 13512
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 2
+                        num_resource: 5
+                        type: 13514
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 7
+                        num_resource: 1
+                        type: 13514
+                        host_id: 13
+                        reserved: 0
+                -
+                        start_resource: 0
+                        num_resource: 3
+                        type: 13515
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 3
+                        num_resource: 2
+                        type: 13515
+                        host_id: 13
+                        reserved: 0
+                -
+                        start_resource: 5
+                        num_resource: 1
+                        type: 13515
+                        host_id: 3
+                        reserved: 0
+                -
+                        start_resource: 6
+                        num_resource: 1
+                        type: 13515
+                        host_id: 5
+                        reserved: 0
+                -
+                        start_resource: 7
+                        num_resource: 3
+                        type: 13515
+                        host_id: 40
+                        reserved: 0
+                -
+                        start_resource: 10
+                        num_resource: 3
+                        type: 13515
+                        host_id: 42
+                        reserved: 0
+                -
+                        start_resource: 13
+                        num_resource: 3
+                        type: 13515
+                        host_id: 21
+                        reserved: 0
+                -
+                        start_resource: 16
+                        num_resource: 3
+                        type: 13515
+                        host_id: 26
+                        reserved: 0
+                -
+                        start_resource: 19
+                        num_resource: 3
+                        type: 13515
+                        host_id: 28
+                        reserved: 0
+                -
+                        start_resource: 22
+                        num_resource: 6
+                        type: 13515
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 28
+                        num_resource: 3
+                        type: 13515
+                        host_id: 37
+                        reserved: 0
+                -
+                        start_resource: 31
+                        num_resource: 1
+                        type: 13515
+                        host_id: 128
+                        reserved: 0
+                -
+                        start_resource: 140
+                        num_resource: 16
+                        type: 13568
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 156
+                        num_resource: 16
+                        type: 13568
+                        host_id: 13
+                        reserved: 0
+                -
+                        start_resource: 172
+                        num_resource: 128
+                        type: 13568
+                        host_id: 128
+                        reserved: 0
+                -
+                        start_resource: 0
+                        num_resource: 1
+                        type: 13569
+                        host_id: 128
+                        reserved: 0
+                -
+                        start_resource: 49152
+                        num_resource: 1024
+                        type: 13570
+                        host_id: 128
+                        reserved: 0
+                -
+                        start_resource: 0
+                        num_resource: 1
+                        type: 13571
+                        host_id: 128
+                        reserved: 0
+                -
+                        start_resource: 16
+                        num_resource: 8
+                        type: 13578
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 24
+                        num_resource: 2
+                        type: 13578
+                        host_id: 3
+                        reserved: 0
+                -
+                        start_resource: 24
+                        num_resource: 0
+                        type: 13578
+                        host_id: 13
+                        reserved: 0
+                -
+                        start_resource: 26
+                        num_resource: 2
+                        type: 13578
+                        host_id: 5
+                        reserved: 0
+                -
+                        start_resource: 28
+                        num_resource: 2
+                        type: 13578
+                        host_id: 40
+                        reserved: 0
+                -
+                        start_resource: 30
+                        num_resource: 2
+                        type: 13578
+                        host_id: 42
+                        reserved: 0
+                -
+                        start_resource: 32
+                        num_resource: 2
+                        type: 13578
+                        host_id: 21
+                        reserved: 0
+                -
+                        start_resource: 34
+                        num_resource: 8
+                        type: 13578
+                        host_id: 26
+                        reserved: 0
+                -
+                        start_resource: 42
+                        num_resource: 2
+                        type: 13578
+                        host_id: 28
+                        reserved: 0
+                -
+                        start_resource: 44
+                        num_resource: 4
+                        type: 13578
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 48
+                        num_resource: 1
+                        type: 13578
+                        host_id: 37
+                        reserved: 0
+                -
+                        start_resource: 49
+                        num_resource: 28
+                        type: 13578
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 77
+                        num_resource: 20
+                        type: 13578
+                        host_id: 13
+                        reserved: 0
+                -
+                        start_resource: 97
+                        num_resource: 4
+                        type: 13578
+                        host_id: 40
+                        reserved: 0
+                -
+                        start_resource: 101
+                        num_resource: 4
+                        type: 13578
+                        host_id: 42
+                        reserved: 0
+                -
+                        start_resource: 105
+                        num_resource: 4
+                        type: 13578
+                        host_id: 21
+                        reserved: 0
+                -
+                        start_resource: 109
+                        num_resource: 8
+                        type: 13578
+                        host_id: 26
+                        reserved: 0
+                -
+                        start_resource: 117
+                        num_resource: 6
+                        type: 13578
+                        host_id: 28
+                        reserved: 0
+                -
+                        start_resource: 123
+                        num_resource: 16
+                        type: 13578
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 139
+                        num_resource: 1
+                        type: 13578
+                        host_id: 37
+                        reserved: 0
+                -
+                        start_resource: 4
+                        num_resource: 0
+                        type: 13579
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 4
+                        num_resource: 4
+                        type: 13579
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 4
+                        num_resource: 0
+                        type: 13579
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 8
+                        num_resource: 6
+                        type: 13579
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 14
+                        num_resource: 2
+                        type: 13579
+                        host_id: 128
+                        reserved: 0
+                -
+                        start_resource: 0
+                        num_resource: 0
+                        type: 13580
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 0
+                        num_resource: 2
+                        type: 13580
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 0
+                        num_resource: 0
+                        type: 13580
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 2
+                        num_resource: 2
+                        type: 13580
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 16
+                        num_resource: 8
+                        type: 13581
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 24
+                        num_resource: 2
+                        type: 13581
+                        host_id: 3
+                        reserved: 0
+                -
+                        start_resource: 24
+                        num_resource: 0
+                        type: 13581
+                        host_id: 13
+                        reserved: 0
+                -
+                        start_resource: 26
+                        num_resource: 2
+                        type: 13581
+                        host_id: 5
+                        reserved: 0
+                -
+                        start_resource: 28
+                        num_resource: 2
+                        type: 13581
+                        host_id: 40
+                        reserved: 0
+                -
+                        start_resource: 30
+                        num_resource: 2
+                        type: 13581
+                        host_id: 42
+                        reserved: 0
+                -
+                        start_resource: 32
+                        num_resource: 2
+                        type: 13581
+                        host_id: 21
+                        reserved: 0
+                -
+                        start_resource: 34
+                        num_resource: 8
+                        type: 13581
+                        host_id: 26
+                        reserved: 0
+                -
+                        start_resource: 42
+                        num_resource: 2
+                        type: 13581
+                        host_id: 28
+                        reserved: 0
+                -
+                        start_resource: 44
+                        num_resource: 4
+                        type: 13581
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 48
+                        num_resource: 1
+                        type: 13581
+                        host_id: 37
+                        reserved: 0
+                -
+                        start_resource: 49
+                        num_resource: 28
+                        type: 13581
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 77
+                        num_resource: 20
+                        type: 13581
+                        host_id: 13
+                        reserved: 0
+                -
+                        start_resource: 97
+                        num_resource: 4
+                        type: 13581
+                        host_id: 40
+                        reserved: 0
+                -
+                        start_resource: 101
+                        num_resource: 4
+                        type: 13581
+                        host_id: 42
+                        reserved: 0
+                -
+                        start_resource: 105
+                        num_resource: 4
+                        type: 13581
+                        host_id: 21
+                        reserved: 0
+                -
+                        start_resource: 109
+                        num_resource: 8
+                        type: 13581
+                        host_id: 26
+                        reserved: 0
+                -
+                        start_resource: 117
+                        num_resource: 6
+                        type: 13581
+                        host_id: 28
+                        reserved: 0
+                -
+                        start_resource: 123
+                        num_resource: 10
+                        type: 13581
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 133
+                        num_resource: 6
+                        type: 13581
+                        host_id: 37
+                        reserved: 0
+                -
+                        start_resource: 139
+                        num_resource: 1
+                        type: 13581
+                        host_id: 128
+                        reserved: 0
+                -
+                        start_resource: 140
+                        num_resource: 16
+                        type: 13582
+                        host_id: 21
+                        reserved: 0
+                -
+                        start_resource: 156
+                        num_resource: 6
+                        type: 13582
+                        host_id: 26
+                        reserved: 0
+                -
+                        start_resource: 162
+                        num_resource: 6
+                        type: 13582
+                        host_id: 28
+                        reserved: 0
+                -
+                        start_resource: 168
+                        num_resource: 2
+                        type: 13582
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 170
+                        num_resource: 2
+                        type: 13582
+                        host_id: 37
+                        reserved: 0
+                -
+                        start_resource: 172
+                        num_resource: 96
+                        type: 13582
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 268
+                        num_resource: 32
+                        type: 13582
+                        host_id: 37
+                        reserved: 0
+                -
+                        start_resource: 4
+                        num_resource: 0
+                        type: 13583
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 4
+                        num_resource: 4
+                        type: 13583
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 4
+                        num_resource: 0
+                        type: 13583
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 8
+                        num_resource: 6
+                        type: 13583
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 14
+                        num_resource: 2
+                        type: 13583
+                        host_id: 128
+                        reserved: 0
+                -
+                        start_resource: 0
+                        num_resource: 0
+                        type: 13584
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 0
+                        num_resource: 2
+                        type: 13584
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 0
+                        num_resource: 0
+                        type: 13584
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 2
+                        num_resource: 2
+                        type: 13584
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 10
+                        num_resource: 100
+                        type: 13632
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 110
+                        num_resource: 32
+                        type: 13632
+                        host_id: 13
+                        reserved: 0
+                -
+                        start_resource: 142
+                        num_resource: 46
+                        type: 13632
+                        host_id: 21
+                        reserved: 0
+                -
+                        start_resource: 196
+                        num_resource: 28
+                        type: 13632
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 228
+                        num_resource: 28
+                        type: 13632
+                        host_id: 37
+                        reserved: 0
+                -
+                        start_resource: 260
+                        num_resource: 28
+                        type: 13632
+                        host_id: 40
+                        reserved: 0
+                -
+                        start_resource: 292
+                        num_resource: 28
+                        type: 13632
+                        host_id: 42
+                        reserved: 0
+                -
+                        start_resource: 320
+                        num_resource: 24
+                        type: 13632
+                        host_id: 26
+                        reserved: 0
+                -
+                        start_resource: 352
+                        num_resource: 24
+                        type: 13632
+                        host_id: 28
+                        reserved: 0
+                -
+                        start_resource: 400
+                        num_resource: 4
+                        type: 13632
+                        host_id: 3
+                        reserved: 0
+                -
+                        start_resource: 404
+                        num_resource: 4
+                        type: 13632
+                        host_id: 5
+                        reserved: 0
+                -
+                        start_resource: 16
+                        num_resource: 32
+                        type: 14922
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 48
+                        num_resource: 16
+                        type: 14922
+                        host_id: 13
+                        reserved: 0
+                -
+                        start_resource: 64
+                        num_resource: 64
+                        type: 14922
+                        host_id: 3
+                        reserved: 0
+                -
+                        start_resource: 128
+                        num_resource: 4
+                        type: 14922
+                        host_id: 5
+                        reserved: 0
+                -
+                        start_resource: 132
+                        num_resource: 16
+                        type: 14922
+                        host_id: 40
+                        reserved: 0
+                -
+                        start_resource: 148
+                        num_resource: 16
+                        type: 14922
+                        host_id: 42
+                        reserved: 0
+                -
+                        start_resource: 164
+                        num_resource: 8
+                        type: 14922
+                        host_id: 21
+                        reserved: 0
+                -
+                        start_resource: 172
+                        num_resource: 8
+                        type: 14922
+                        host_id: 26
+                        reserved: 0
+                -
+                        start_resource: 180
+                        num_resource: 8
+                        type: 14922
+                        host_id: 28
+                        reserved: 0
+                -
+                        start_resource: 188
+                        num_resource: 24
+                        type: 14922
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 212
+                        num_resource: 8
+                        type: 14922
+                        host_id: 37
+                        reserved: 0
+                -
+                        start_resource: 220
+                        num_resource: 36
+                        type: 14922
+                        host_id: 128
+                        reserved: 0
+                -
+                        start_resource: 16400
+                        num_resource: 128
+                        type: 14925
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 16528
+                        num_resource: 128
+                        type: 14925
+                        host_id: 13
+                        reserved: 0
+                -
+                        start_resource: 16656
+                        num_resource: 256
+                        type: 14925
+                        host_id: 3
+                        reserved: 0
+                -
+                        start_resource: 16912
+                        num_resource: 64
+                        type: 14925
+                        host_id: 5
+                        reserved: 0
+                -
+                        start_resource: 16976
+                        num_resource: 128
+                        type: 14925
+                        host_id: 40
+                        reserved: 0
+                -
+                        start_resource: 17104
+                        num_resource: 128
+                        type: 14925
+                        host_id: 42
+                        reserved: 0
+                -
+                        start_resource: 17232
+                        num_resource: 64
+                        type: 14925
+                        host_id: 21
+                        reserved: 0
+                -
+                        start_resource: 17296
+                        num_resource: 64
+                        type: 14925
+                        host_id: 26
+                        reserved: 0
+                -
+                        start_resource: 17360
+                        num_resource: 64
+                        type: 14925
+                        host_id: 28
+                        reserved: 0
+                -
+                        start_resource: 17424
+                        num_resource: 128
+                        type: 14925
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 17552
+                        num_resource: 128
+                        type: 14925
+                        host_id: 37
+                        reserved: 0
+                -
+                        start_resource: 17680
+                        num_resource: 240
+                        type: 14925
+                        host_id: 128
+                        reserved: 0
+                -
+                        start_resource: 1
+                        num_resource: 4
+                        type: 14976
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 5
+                        num_resource: 4
+                        type: 14976
+                        host_id: 13
+                        reserved: 0
+                -
+                        start_resource: 9
+                        num_resource: 4
+                        type: 14976
+                        host_id: 3
+                        reserved: 0
+                -
+                        start_resource: 13
+                        num_resource: 4
+                        type: 14976
+                        host_id: 5
+                        reserved: 0
+                -
+                        start_resource: 17
+                        num_resource: 4
+                        type: 14976
+                        host_id: 40
+                        reserved: 0
+                -
+                        start_resource: 21
+                        num_resource: 4
+                        type: 14976
+                        host_id: 42
+                        reserved: 0
+                -
+                        start_resource: 25
+                        num_resource: 4
+                        type: 14976
+                        host_id: 21
+                        reserved: 0
+                -
+                        start_resource: 29
+                        num_resource: 4
+                        type: 14976
+                        host_id: 26
+                        reserved: 0
+                -
+                        start_resource: 33
+                        num_resource: 4
+                        type: 14976
+                        host_id: 28
+                        reserved: 0
+                -
+                        start_resource: 37
+                        num_resource: 16
+                        type: 14976
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 53
+                        num_resource: 4
+                        type: 14976
+                        host_id: 37
+                        reserved: 0
+                -
+                        start_resource: 57
+                        num_resource: 7
+                        type: 14976
+                        host_id: 128
+                        reserved: 0
+                -
+                        start_resource: 0
+                        num_resource: 1
+                        type: 15040
+                        host_id: 128
+                        reserved: 0
+                -
+                        start_resource: 96
+                        num_resource: 20
+                        type: 15041
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 116
+                        num_resource: 8
+                        type: 15041
+                        host_id: 13
+                        reserved: 0
+                -
+                        start_resource: 124
+                        num_resource: 32
+                        type: 15041
+                        host_id: 3
+                        reserved: 0
+                -
+                        start_resource: 156
+                        num_resource: 12
+                        type: 15041
+                        host_id: 5
+                        reserved: 0
+                -
+                        start_resource: 168
+                        num_resource: 8
+                        type: 15041
+                        host_id: 40
+                        reserved: 0
+                -
+                        start_resource: 176
+                        num_resource: 8
+                        type: 15041
+                        host_id: 42
+                        reserved: 0
+                -
+                        start_resource: 184
+                        num_resource: 8
+                        type: 15041
+                        host_id: 21
+                        reserved: 0
+                -
+                        start_resource: 192
+                        num_resource: 8
+                        type: 15041
+                        host_id: 26
+                        reserved: 0
+                -
+                        start_resource: 200
+                        num_resource: 8
+                        type: 15041
+                        host_id: 28
+                        reserved: 0
+                -
+                        start_resource: 208
+                        num_resource: 16
+                        type: 15041
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 224
+                        num_resource: 8
+                        type: 15041
+                        host_id: 37
+                        reserved: 0
+                -
+                        start_resource: 232
+                        num_resource: 20
+                        type: 15041
+                        host_id: 128
+                        reserved: 0
+                -
+                        start_resource: 50
+                        num_resource: 4
+                        type: 15042
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 54
+                        num_resource: 2
+                        type: 15042
+                        host_id: 3
+                        reserved: 0
+                -
+                        start_resource: 54
+                        num_resource: 0
+                        type: 15042
+                        host_id: 13
+                        reserved: 0
+                -
+                        start_resource: 56
+                        num_resource: 0
+                        type: 15042
+                        host_id: 5
+                        reserved: 0
+                -
+                        start_resource: 56
+                        num_resource: 1
+                        type: 15042
+                        host_id: 40
+                        reserved: 0
+                -
+                        start_resource: 57
+                        num_resource: 1
+                        type: 15042
+                        host_id: 42
+                        reserved: 0
+                -
+                        start_resource: 58
+                        num_resource: 1
+                        type: 15042
+                        host_id: 21
+                        reserved: 0
+                -
+                        start_resource: 59
+                        num_resource: 1
+                        type: 15042
+                        host_id: 26
+                        reserved: 0
+                -
+                        start_resource: 60
+                        num_resource: 1
+                        type: 15042
+                        host_id: 28
+                        reserved: 0
+                -
+                        start_resource: 61
+                        num_resource: 1
+                        type: 15042
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 62
+                        num_resource: 1
+                        type: 15042
+                        host_id: 37
+                        reserved: 0
+                -
+                        start_resource: 63
+                        num_resource: 9
+                        type: 15042
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 72
+                        num_resource: 6
+                        type: 15042
+                        host_id: 13
+                        reserved: 0
+                -
+                        start_resource: 78
+                        num_resource: 3
+                        type: 15042
+                        host_id: 3
+                        reserved: 0
+                -
+                        start_resource: 81
+                        num_resource: 2
+                        type: 15042
+                        host_id: 5
+                        reserved: 0
+                -
+                        start_resource: 83
+                        num_resource: 1
+                        type: 15042
+                        host_id: 40
+                        reserved: 0
+                -
+                        start_resource: 84
+                        num_resource: 1
+                        type: 15042
+                        host_id: 42
+                        reserved: 0
+                -
+                        start_resource: 85
+                        num_resource: 1
+                        type: 15042
+                        host_id: 21
+                        reserved: 0
+                -
+                        start_resource: 86
+                        num_resource: 1
+                        type: 15042
+                        host_id: 26
+                        reserved: 0
+                -
+                        start_resource: 87
+                        num_resource: 1
+                        type: 15042
+                        host_id: 28
+                        reserved: 0
+                -
+                        start_resource: 88
+                        num_resource: 2
+                        type: 15042
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 90
+                        num_resource: 1
+                        type: 15042
+                        host_id: 37
+                        reserved: 0
+                -
+                        start_resource: 91
+                        num_resource: 2
+                        type: 15042
+                        host_id: 128
+                        reserved: 0
+                -
+                        start_resource: 2
+                        num_resource: 4
+                        type: 15043
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 6
+                        num_resource: 2
+                        type: 15043
+                        host_id: 3
+                        reserved: 0
+                -
+                        start_resource: 6
+                        num_resource: 0
+                        type: 15043
+                        host_id: 13
+                        reserved: 0
+                -
+                        start_resource: 8
+                        num_resource: 0
+                        type: 15043
+                        host_id: 5
+                        reserved: 0
+                -
+                        start_resource: 8
+                        num_resource: 1
+                        type: 15043
+                        host_id: 40
+                        reserved: 0
+                -
+                        start_resource: 9
+                        num_resource: 1
+                        type: 15043
+                        host_id: 42
+                        reserved: 0
+                -
+                        start_resource: 10
+                        num_resource: 1
+                        type: 15043
+                        host_id: 21
+                        reserved: 0
+                -
+                        start_resource: 11
+                        num_resource: 1
+                        type: 15043
+                        host_id: 26
+                        reserved: 0
+                -
+                        start_resource: 12
+                        num_resource: 1
+                        type: 15043
+                        host_id: 28
+                        reserved: 0
+                -
+                        start_resource: 13
+                        num_resource: 1
+                        type: 15043
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 14
+                        num_resource: 1
+                        type: 15043
+                        host_id: 37
+                        reserved: 0
+                -
+                        start_resource: 15
+                        num_resource: 9
+                        type: 15043
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 24
+                        num_resource: 6
+                        type: 15043
+                        host_id: 13
+                        reserved: 0
+                -
+                        start_resource: 30
+                        num_resource: 3
+                        type: 15043
+                        host_id: 3
+                        reserved: 0
+                -
+                        start_resource: 33
+                        num_resource: 2
+                        type: 15043
+                        host_id: 5
+                        reserved: 0
+                -
+                        start_resource: 35
+                        num_resource: 1
+                        type: 15043
+                        host_id: 40
+                        reserved: 0
+                -
+                        start_resource: 36
+                        num_resource: 1
+                        type: 15043
+                        host_id: 42
+                        reserved: 0
+                -
+                        start_resource: 37
+                        num_resource: 1
+                        type: 15043
+                        host_id: 21
+                        reserved: 0
+                -
+                        start_resource: 38
+                        num_resource: 1
+                        type: 15043
+                        host_id: 26
+                        reserved: 0
+                -
+                        start_resource: 39
+                        num_resource: 1
+                        type: 15043
+                        host_id: 28
+                        reserved: 0
+                -
+                        start_resource: 40
+                        num_resource: 2
+                        type: 15043
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 42
+                        num_resource: 1
+                        type: 15043
+                        host_id: 37
+                        reserved: 0
+                -
+                        start_resource: 43
+                        num_resource: 3
+                        type: 15043
+                        host_id: 128
+                        reserved: 0
+                -
+                        start_resource: 48
+                        num_resource: 0
+                        type: 15045
+                        host_id: 3
+                        reserved: 0
+                -
+                        start_resource: 48
+                        num_resource: 2
+                        type: 15045
+                        host_id: 3
+                        reserved: 0
+                -
+                        start_resource: 0
+                        num_resource: 0
+                        type: 15047
+                        host_id: 3
+                        reserved: 0
+                -
+                        start_resource: 0
+                        num_resource: 2
+                        type: 15047
+                        host_id: 3
+                        reserved: 0
+                -
+                        start_resource: 2
+                        num_resource: 5
+                        type: 15050
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 7
+                        num_resource: 1
+                        type: 15050
+                        host_id: 13
+                        reserved: 0
+                -
+                        start_resource: 0
+                        num_resource: 3
+                        type: 15051
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 3
+                        num_resource: 2
+                        type: 15051
+                        host_id: 13
+                        reserved: 0
+                -
+                        start_resource: 5
+                        num_resource: 3
+                        type: 15051
+                        host_id: 3
+                        reserved: 0
+                -
+                        start_resource: 8
+                        num_resource: 3
+                        type: 15051
+                        host_id: 5
+                        reserved: 0
+                -
+                        start_resource: 11
+                        num_resource: 3
+                        type: 15051
+                        host_id: 40
+                        reserved: 0
+                -
+                        start_resource: 14
+                        num_resource: 3
+                        type: 15051
+                        host_id: 42
+                        reserved: 0
+                -
+                        start_resource: 17
+                        num_resource: 3
+                        type: 15051
+                        host_id: 21
+                        reserved: 0
+                -
+                        start_resource: 20
+                        num_resource: 3
+                        type: 15051
+                        host_id: 26
+                        reserved: 0
+                -
+                        start_resource: 23
+                        num_resource: 3
+                        type: 15051
+                        host_id: 28
+                        reserved: 0
+                -
+                        start_resource: 26
+                        num_resource: 3
+                        type: 15051
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 29
+                        num_resource: 3
+                        type: 15051
+                        host_id: 37
+                        reserved: 0
+                -
+                        start_resource: 48
+                        num_resource: 8
+                        type: 15104
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 56
+                        num_resource: 4
+                        type: 15104
+                        host_id: 13
+                        reserved: 0
+                -
+                        start_resource: 60
+                        num_resource: 8
+                        type: 15104
+                        host_id: 3
+                        reserved: 0
+                -
+                        start_resource: 68
+                        num_resource: 4
+                        type: 15104
+                        host_id: 5
+                        reserved: 0
+                -
+                        start_resource: 72
+                        num_resource: 4
+                        type: 15104
+                        host_id: 40
+                        reserved: 0
+                -
+                        start_resource: 76
+                        num_resource: 4
+                        type: 15104
+                        host_id: 42
+                        reserved: 0
+                -
+                        start_resource: 80
+                        num_resource: 8
+                        type: 15104
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 88
+                        num_resource: 4
+                        type: 15104
+                        host_id: 37
+                        reserved: 0
+                -
+                        start_resource: 92
+                        num_resource: 4
+                        type: 15104
+                        host_id: 128
+                        reserved: 0
+                -
+                        start_resource: 0
+                        num_resource: 1
+                        type: 15105
+                        host_id: 128
+                        reserved: 0
+                -
+                        start_resource: 56320
+                        num_resource: 256
+                        type: 15106
+                        host_id: 128
+                        reserved: 0
+                -
+                        start_resource: 0
+                        num_resource: 1
+                        type: 15107
+                        host_id: 128
+                        reserved: 0
+                -
+                        start_resource: 2
+                        num_resource: 4
+                        type: 15114
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 6
+                        num_resource: 2
+                        type: 15114
+                        host_id: 3
+                        reserved: 0
+                -
+                        start_resource: 6
+                        num_resource: 0
+                        type: 15114
+                        host_id: 13
+                        reserved: 0
+                -
+                        start_resource: 8
+                        num_resource: 0
+                        type: 15114
+                        host_id: 5
+                        reserved: 0
+                -
+                        start_resource: 8
+                        num_resource: 1
+                        type: 15114
+                        host_id: 40
+                        reserved: 0
+                -
+                        start_resource: 9
+                        num_resource: 1
+                        type: 15114
+                        host_id: 42
+                        reserved: 0
+                -
+                        start_resource: 10
+                        num_resource: 1
+                        type: 15114
+                        host_id: 21
+                        reserved: 0
+                -
+                        start_resource: 11
+                        num_resource: 1
+                        type: 15114
+                        host_id: 26
+                        reserved: 0
+                -
+                        start_resource: 12
+                        num_resource: 1
+                        type: 15114
+                        host_id: 28
+                        reserved: 0
+                -
+                        start_resource: 13
+                        num_resource: 1
+                        type: 15114
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 14
+                        num_resource: 1
+                        type: 15114
+                        host_id: 37
+                        reserved: 0
+                -
+                        start_resource: 15
+                        num_resource: 9
+                        type: 15114
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 24
+                        num_resource: 6
+                        type: 15114
+                        host_id: 13
+                        reserved: 0
+                -
+                        start_resource: 30
+                        num_resource: 3
+                        type: 15114
+                        host_id: 3
+                        reserved: 0
+                -
+                        start_resource: 33
+                        num_resource: 2
+                        type: 15114
+                        host_id: 5
+                        reserved: 0
+                -
+                        start_resource: 35
+                        num_resource: 1
+                        type: 15114
+                        host_id: 40
+                        reserved: 0
+                -
+                        start_resource: 36
+                        num_resource: 1
+                        type: 15114
+                        host_id: 42
+                        reserved: 0
+                -
+                        start_resource: 37
+                        num_resource: 1
+                        type: 15114
+                        host_id: 21
+                        reserved: 0
+                -
+                        start_resource: 38
+                        num_resource: 1
+                        type: 15114
+                        host_id: 26
+                        reserved: 0
+                -
+                        start_resource: 39
+                        num_resource: 1
+                        type: 15114
+                        host_id: 28
+                        reserved: 0
+                -
+                        start_resource: 40
+                        num_resource: 2
+                        type: 15114
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 42
+                        num_resource: 1
+                        type: 15114
+                        host_id: 37
+                        reserved: 0
+                -
+                        start_resource: 43
+                        num_resource: 2
+                        type: 15114
+                        host_id: 128
+                        reserved: 0
+                -
+                        start_resource: 0
+                        num_resource: 0
+                        type: 15115
+                        host_id: 3
+                        reserved: 0
+                -
+                        start_resource: 0
+                        num_resource: 2
+                        type: 15115
+                        host_id: 3
+                        reserved: 0
+                -
+                        start_resource: 2
+                        num_resource: 4
+                        type: 15117
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 6
+                        num_resource: 2
+                        type: 15117
+                        host_id: 3
+                        reserved: 0
+                -
+                        start_resource: 6
+                        num_resource: 0
+                        type: 15117
+                        host_id: 13
+                        reserved: 0
+                -
+                        start_resource: 8
+                        num_resource: 0
+                        type: 15117
+                        host_id: 5
+                        reserved: 0
+                -
+                        start_resource: 8
+                        num_resource: 1
+                        type: 15117
+                        host_id: 40
+                        reserved: 0
+                -
+                        start_resource: 9
+                        num_resource: 1
+                        type: 15117
+                        host_id: 42
+                        reserved: 0
+                -
+                        start_resource: 10
+                        num_resource: 1
+                        type: 15117
+                        host_id: 21
+                        reserved: 0
+                -
+                        start_resource: 11
+                        num_resource: 1
+                        type: 15117
+                        host_id: 26
+                        reserved: 0
+                -
+                        start_resource: 12
+                        num_resource: 1
+                        type: 15117
+                        host_id: 28
+                        reserved: 0
+                -
+                        start_resource: 13
+                        num_resource: 1
+                        type: 15117
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 14
+                        num_resource: 1
+                        type: 15117
+                        host_id: 37
+                        reserved: 0
+                -
+                        start_resource: 15
+                        num_resource: 9
+                        type: 15117
+                        host_id: 12
+                        reserved: 0
+                -
+                        start_resource: 24
+                        num_resource: 6
+                        type: 15117
+                        host_id: 13
+                        reserved: 0
+                -
+                        start_resource: 30
+                        num_resource: 3
+                        type: 15117
+                        host_id: 3
+                        reserved: 0
+                -
+                        start_resource: 33
+                        num_resource: 2
+                        type: 15117
+                        host_id: 5
+                        reserved: 0
+                -
+                        start_resource: 35
+                        num_resource: 1
+                        type: 15117
+                        host_id: 40
+                        reserved: 0
+                -
+                        start_resource: 36
+                        num_resource: 1
+                        type: 15117
+                        host_id: 42
+                        reserved: 0
+                -
+                        start_resource: 37
+                        num_resource: 1
+                        type: 15117
+                        host_id: 21
+                        reserved: 0
+                -
+                        start_resource: 38
+                        num_resource: 1
+                        type: 15117
+                        host_id: 26
+                        reserved: 0
+                -
+                        start_resource: 39
+                        num_resource: 1
+                        type: 15117
+                        host_id: 28
+                        reserved: 0
+                -
+                        start_resource: 40
+                        num_resource: 2
+                        type: 15117
+                        host_id: 35
+                        reserved: 0
+                -
+                        start_resource: 42
+                        num_resource: 1
+                        type: 15117
+                        host_id: 37
+                        reserved: 0
+                -
+                        start_resource: 43
+                        num_resource: 3
+                        type: 15117
+                        host_id: 128
+                        reserved: 0
+                -
+                        start_resource: 0
+                        num_resource: 0
+                        type: 15119
+                        host_id: 3
+                        reserved: 0
+                -
+                        start_resource: 0
+                        num_resource: 2
+                        type: 15119
+                        host_id: 3
+                        reserved: 0
+                -
+                        start_resource: 12
+                        num_resource: 20
+                        type: 15168
+                        host_id: 3
+                        reserved: 0
+                -
+                        start_resource: 36
+                        num_resource: 28
+                        type: 15168
+                        host_id: 5
+                        reserved: 0
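Review bot: The "type" values in these entries (15051, 15104, 15114, 15117, ...) are bare encoded integers, so a reviewer cannot tell which resource each range hands to which host_id without an external table. Please add a YAML comment per group naming the resource, and one explaining the zero-length entries (for example start_resource: 6 with num_resource: 0 for host_id: 13). It is also worth confirming that the repeated ranges are intentional: types 15115 and 15119 each list start_resource: 0 twice for host_id: 3, once with num_resource: 0 and once with num_resource: 2.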
-- 
2.17.1



* [PATCH RFC v2 02/11] ti: tools: config: Add board config class to generate config binaries
  2022-05-06  4:37 [PATCH RFC v2 00/11] Integration of sysfw, tispl and tiboot3 Neha Malcom Francis
  2022-05-06  4:37 ` [PATCH RFC v2 01/11] j721e_evm: schema: yaml: Add general schema and J721E board config files Neha Malcom Francis
@ 2022-05-06  4:37 ` Neha Malcom Francis
  2022-05-06  4:37 ` [PATCH RFC v2 03/11] ti: etype: sysfw: Add entry type for sysfw Neha Malcom Francis
                   ` (10 subsequent siblings)
  12 siblings, 0 replies; 36+ messages in thread
From: Neha Malcom Francis @ 2022-05-06  4:37 UTC (permalink / raw)
  To: u-boot; +Cc: n-francis

For validating config files and generating binary config artifacts, a
board-specific config class is added here.

Add function cfgBinaryGen() in tibcfg_gen.py. It uses the TIBoardConfig
class to load the given schema and config files in YAML, validate them and
generate binaries.

Signed-off-by: Tarun Sahu <t-sahu@ti.com>
[n-francis@ti.com: prepared patch for upstreaming]
Signed-off-by: Neha Malcom Francis <n-francis@ti.com>
---
 test/py/requirements.txt |   1 +
 tools/tibcfg_gen.py      | 114 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 115 insertions(+)
 create mode 100644 tools/tibcfg_gen.py

diff --git a/test/py/requirements.txt b/test/py/requirements.txt
index 33c5c0bbc4..a91ba64563 100644
--- a/test/py/requirements.txt
+++ b/test/py/requirements.txt
@@ -4,6 +4,7 @@ coverage==4.5.4
 extras==1.0.0
 fixtures==3.0.0
 importlib-metadata==0.23
+jsonschema==4.0.0
 linecache2==1.0.0
 more-itertools==7.2.0
 packaging==19.2
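Review bot: jsonschema is pinned here in the test requirements, but its consumer in this patch is tools/tibcfg_gen.py, whose docstring says it is invoked from the Makefile, so the build itself now depends on it (and on yaml, which the tool also imports). Please document the new build-time dependency where people building U-Boot will see it, not only in test/py/requirements.txt.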
diff --git a/tools/tibcfg_gen.py b/tools/tibcfg_gen.py
new file mode 100644
index 0000000000..e5fa2690c8
--- /dev/null
+++ b/tools/tibcfg_gen.py
@@ -0,0 +1,114 @@
+# SPDX-License-Identifier: GPL-2.0+
+# Copyright (C) 2022 Texas Instruments Incorporated - https://www.ti.com/
+#
+# TI Board Configuration Class for Schema Validation and Binary Generation
+#
+
+import os
+import getopt
+import sys
+
+import yaml
+
+from jsonschema import validate
+
+
+class TIBoardConfig:
+
+    """ Texas Instruments Board Configuration File"""
+
+    def __init__(self, file, schema, data_rules=""):
+        """Load a YAML configuration file and YAML schema
+
+        Validation of the config file against the schema is also done."""
+        with open(file, 'r') as f:
+            self.file_yaml = yaml.safe_load(f)
+        with open(schema, 'r') as sch:
+            self.schema_yaml = yaml.safe_load(sch)
+        self.data_rules = data_rules
+        try:
+            validate(self.file_yaml, self.schema_yaml)
+        except Exception as e:
+            print(e)
+
+    def _convert_to_byte_chunk(self, val, data_type):
+        """Convert value into byte array"""
+        size = 0
+        if(data_type == "#/definitions/u8"):
+            size = 1
+        elif(data_type == "#/definitions/u16"):
+            size = 2
+        elif(data_type == "#/definitions/u32"):
+            size = 4
+        else:
+            raise Exception("Data type not present in definitions")
+        if type(val) == int:
+            br = val.to_bytes(size, byteorder="little")
+        return br
+
+    def _compile_yaml(self, schema_yaml, file_yaml):
+        """Convert YAML file into byte array based on YAML schema"""
+        br = bytearray()
+        for key in file_yaml.keys():
+            node = file_yaml[key]
+            node_schema = schema_yaml['properties'][key]
+            node_type = node_schema.get('type')
+            if not 'type' in node_schema:
+                br += self._convert_to_byte_chunk(node,
+                                                  node_schema.get('$ref'))
+            elif node_type == 'object':
+                br += self._compile_yaml(node_schema, node)
+            elif node_type == 'array':
+                for item in node:
+                    if not isinstance(item, dict):
+                        br += self._convert_to_byte_chunk(
+                            item, schema_yaml['properties'][key]['items']["$ref"])
+                    else:
+                        br += self._compile_yaml(node_schema.get('items'), item)
+        return br
+
+    def generate_binaries(self, out_path=""):
+        """Generate config binary artifacts from the loaded YAML configuration file"""
+        if not os.path.isdir(out_path):
+            os.mkdir(out_path)
+        for key in self.file_yaml.keys():
+            node = self.file_yaml[key]
+            node_schema = self.schema_yaml['properties'][key]
+            br = self._compile_yaml(node_schema, node)
+            path = os.path.join(out_path, key + ".bin")
+            with open(path, 'wb') as cfg:
+                cfg.write(br)
+
+    def delete_binaries(self, out_path=""):
+        """Delete generated binaries"""
+        if os.path.isdir(out_path):
+            for key in self.file_yaml.keys():
+                path = os.path.join(out_path, key + ".bin")
+                if os.path.isfile(path):
+                    os.remove(path)
+
+
+def cfgBinaryGen():
+    """Generate config binaries from YAML config file and YAML schema
+        Arguments:
+            - config_yaml: board config file in YAML
+            - schema_yaml: schema file in YAML to validate config_yaml against
+            - output_dir: output directory where generated binaries can be populated
+    Pass the arguments along with the filename in the Makefile.
+    """
+    opts, args = getopt.getopt(sys.argv[1:], "c:s:o")
+    for opt, val in opts:
+        if opt == "-c":
+            config_yaml = val
+        elif opt == "-s":
+            schema_yaml = val
+        elif opt == "-o":
+            output_dir = os.path.abspath(val)
+    try:
+        tibcfg = TIBoardConfig(config_yaml, schema_yaml)
+        tibcfg.generate_binaries(output_dir)
+    except:
+        raise ValueError("Could not find config files!")
+
+
+cfgBinaryGen()
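Review bot: In TIBoardConfig.__init__ the schema check is defeated by "except Exception as e: print(e)": a config that fails validate() is only printed, and generate_binaries() still emits the blobs. Since these board configs carry the security and resource-management settings, a validation failure should stop the build; let the exception propagate or re-raise it. Further points in the same file: the getopt string "c:s:o" lacks the colon after "o", so -o takes no value and output_dir resolves to the current directory; _convert_to_byte_chunk() leaves br unassigned when val is not an int, and to_bytes() will raise on a value that does not fit the u8/u16/u32 size without saying which key was at fault; the bare "except:" in cfgBinaryGen() relabels every failure as "Could not find config files!"; the data_rules argument is stored but never used; and the module-level cfgBinaryGen() call should sit under if __name__ == "__main__": so the class can be imported.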
-- 
2.17.1



* [PATCH RFC v2 03/11] ti: etype: sysfw: Add entry type for sysfw
  2022-05-06  4:37 [PATCH RFC v2 00/11] Integration of sysfw, tispl and tiboot3 Neha Malcom Francis
  2022-05-06  4:37 ` [PATCH RFC v2 01/11] j721e_evm: schema: yaml: Add general schema and J721E board config files Neha Malcom Francis
  2022-05-06  4:37 ` [PATCH RFC v2 02/11] ti: tools: config: Add board config class to generate config binaries Neha Malcom Francis
@ 2022-05-06  4:37 ` Neha Malcom Francis
  2022-05-31  8:44   ` Roger Quadros
  2022-05-06  4:37 ` [PATCH RFC v2 04/11] ti: etype: dm: Add entry type for TI DM Neha Malcom Francis
                   ` (9 subsequent siblings)
  12 siblings, 1 reply; 36+ messages in thread
From: Neha Malcom Francis @ 2022-05-06  4:37 UTC (permalink / raw)
  To: u-boot; +Cc: n-francis

For K3 devices that require a sysfw image, add an entry for SYSFW. It can
contain a system firmware image that can be packaged into sysfw.itb by
binman.

Signed-off-by: Tarun Sahu <t-sahu@ti.com>
[n-francis@ti.com: added tests for addition of etype]
Signed-off-by: Neha Malcom Francis <n-francis@ti.com>
---
 Makefile                           |  1 +
 tools/binman/entries.rst           | 11 +++++++++++
 tools/binman/etype/ti_sysfw.py     | 28 ++++++++++++++++++++++++++++
 tools/binman/ftest.py              |  7 +++++++
 tools/binman/test/232_ti_sysfw.dts | 13 +++++++++++++
 5 files changed, 60 insertions(+)
 create mode 100644 tools/binman/etype/ti_sysfw.py
 create mode 100644 tools/binman/test/232_ti_sysfw.dts

diff --git a/Makefile b/Makefile
index 4b347d3603..581fbba4c3 100644
--- a/Makefile
+++ b/Makefile
@@ -1338,6 +1338,7 @@ cmd_binman = $(srctree)/tools/binman/binman $(if $(BINMAN_DEBUG),-D) \
 		-a opensbi-path=${OPENSBI} \
 		-a default-dt=$(default_dt) \
 		-a scp-path=$(SCP) \
+		-a ti-sysfw-path=$(SYSFW) \
 		-a spl-bss-pad=$(if $(CONFIG_SPL_SEPARATE_BSS),,1) \
 		-a tpl-bss-pad=$(if $(CONFIG_TPL_SEPARATE_BSS),,1) \
 		-a spl-dtb=$(CONFIG_SPL_OF_REAL) \
diff --git a/tools/binman/entries.rst b/tools/binman/entries.rst
index ae4305c99e..6c0f03b34f 100644
--- a/tools/binman/entries.rst
+++ b/tools/binman/entries.rst
@@ -1203,6 +1203,17 @@ This entry holds firmware for an external platform-specific coprocessor.
 
 
 
+Entry: sysfw: Texas Instruments System Firmware (SYSFW) blob
+------------------------------------------------------------
+
+Properties / Entry arguments:
+    - ti-sysfw-path: Filename of file to read into the entry, typically sysfw.bin
+
+This entry contains system firmware necessary for booting of K3 architecture
+devices.
+
+
+
 Entry: section: Entry that contains other entries
 -------------------------------------------------
 
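Review bot: The heading reads "Entry: sysfw:" but the etype this patch adds is ti-sysfw (class Entry_ti_sysfw, node ti-sysfw in the test .dts, entry argument ti-sysfw-path), so the documented name is not the one a user has to write. Please rename the heading to "Entry: ti-sysfw:" and adjust the underline to match.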
diff --git a/tools/binman/etype/ti_sysfw.py b/tools/binman/etype/ti_sysfw.py
new file mode 100644
index 0000000000..5b5b307030
--- /dev/null
+++ b/tools/binman/etype/ti_sysfw.py
@@ -0,0 +1,28 @@
+# SPDX-License-Identifier: GPL-2.0+
+# Copyright (C) 2022 Texas Instruments Incorporated - https://www.ti.com/
+#
+# Entry type module for TI SYSFW binary blob
+#
+
+import os
+import struct
+import sys
+import zlib
+
+from binman.etype.blob_named_by_arg import Entry_blob_named_by_arg
+from dtoc import fdt_util
+from patman import tools
+
+
+class Entry_ti_sysfw(Entry_blob_named_by_arg):
+    """Entry containing Texas Instruments System Firmware (SYSFW) blob
+
+    Properties / Entry arguments:
+        - ti-sysfw-path: Filename of file to read into the entry, typically sysfw.bin
+
+    This entry contains system firmware necessary for booting of K3 architecture devices.
+    """
+
+    def __init__(self, section, etype, node):
+        super().__init__(section, etype, node, 'ti-sysfw')
+        self.external = True
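Review bot: os, struct, sys, zlib, fdt_util and tools are imported at the top of ti_sysfw.py but nothing in the class uses them; only Entry_blob_named_by_arg is needed. Please drop the unused imports.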
diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py
index 4ce181a066..ec408de334 100644
--- a/tools/binman/ftest.py
+++ b/tools/binman/ftest.py
@@ -87,6 +87,7 @@ ATF_BL31_DATA         = b'bl31'
 TEE_OS_DATA           = b'this is some tee OS data'
 ATF_BL2U_DATA         = b'bl2u'
 OPENSBI_DATA          = b'opensbi'
+TI_SYSFW_DATA         = b'sysfw'
 SCP_DATA              = b'scp'
 TEST_FDT1_DATA        = b'fdt1'
 TEST_FDT2_DATA        = b'test-fdt2'
@@ -195,6 +196,7 @@ class TestFunctional(unittest.TestCase):
         TestFunctional._MakeInputFile('tee-pager.bin', TEE_OS_DATA)
         TestFunctional._MakeInputFile('bl2u.bin', ATF_BL2U_DATA)
         TestFunctional._MakeInputFile('fw_dynamic.bin', OPENSBI_DATA)
+        TestFunctional._MakeInputFile('sysfw.bin', TI_SYSFW_DATA)
         TestFunctional._MakeInputFile('scp.bin', SCP_DATA)
 
         # Add a few .dtb files for testing
@@ -5522,6 +5524,11 @@ fdt         fdtmap                Extract the devicetree blob from the fdtmap
         """Test an image with a pre-load header with an invalid key"""
         with self.assertRaises(ValueError) as e:
             data = self._DoReadFile('231_pre_load_invalid_key.dts')
+    
+    def testPackTiSysfw(self):
+        """Test that an image with a SYSFW binary can be created"""
+        data = self._DoReadFile('232_ti_sysfw.dts')
+        self.assertEqual(TI_SYSFW_DATA, data[:len(TI_SYSFW_DATA)])
 
 if __name__ == "__main__":
     unittest.main()
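Review bot: The first added line of this hunk, just before "def testPackTiSysfw", consists only of indentation ("+    "), which is trailing whitespace. Please make it an empty line.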
diff --git a/tools/binman/test/232_ti_sysfw.dts b/tools/binman/test/232_ti_sysfw.dts
new file mode 100644
index 0000000000..9e66cbe77b
--- /dev/null
+++ b/tools/binman/test/232_ti_sysfw.dts
@@ -0,0 +1,13 @@
+// SPDX-License-Identifier: GPL-2.0+
+
+/dts-v1/;
+
+/ {
+	#address-cells = <1>;
+	#size-cells = <1>;
+	binman {
+		ti-sysfw {
+			filename = "sysfw.bin";
+		};
+	};
+};
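Review bot: The test number 232 is used twice in this series: this patch creates 232_ti_sysfw.dts and patch 05 creates tools/binman/test/232_x509_cert.dts, while patch 04 goes back to 225_ti_dm.dts. Please give each new binman test the next free number so the files do not share a prefix.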
-- 
2.17.1



* [PATCH RFC v2 04/11] ti: etype: dm: Add entry type for TI DM
  2022-05-06  4:37 [PATCH RFC v2 00/11] Integration of sysfw, tispl and tiboot3 Neha Malcom Francis
                   ` (2 preceding siblings ...)
  2022-05-06  4:37 ` [PATCH RFC v2 03/11] ti: etype: sysfw: Add entry type for sysfw Neha Malcom Francis
@ 2022-05-06  4:37 ` Neha Malcom Francis
  2022-05-06  4:37 ` [PATCH RFC v2 05/11] ti: etype: x509: Add etype for x509 certificate for K3 devices Neha Malcom Francis
                   ` (8 subsequent siblings)
  12 siblings, 0 replies; 36+ messages in thread
From: Neha Malcom Francis @ 2022-05-06  4:37 UTC (permalink / raw)
  To: u-boot; +Cc: n-francis

K3 devices introduce the concept of centralized power, resource and
security management to System Firmware. This is to overcome challenges
by the traditional approach that implements system control functions on
each of the processing units.

The software interface for System Firmware is split into TIFS and DM. DM
(Device Manager) is responsible for resource and power management from
secure and non-secure hosts. This additional binary is necessary for
specific platforms' ROM boot images and is to be packaged into tispl.bin.

Add an entry for DM. The entry can be used for the packaging of
tispl.bin by binman along with ATF and TEE.

Signed-off-by: Neha Malcom Francis <n-francis@ti.com>
---
 Makefile                        |  1 +
 tools/binman/entries.rst        | 10 ++++++++++
 tools/binman/etype/ti_dm.py     | 23 +++++++++++++++++++++++
 tools/binman/ftest.py           |  7 +++++++
 tools/binman/test/225_ti_dm.dts | 13 +++++++++++++
 5 files changed, 54 insertions(+)
 create mode 100644 tools/binman/etype/ti_dm.py
 create mode 100644 tools/binman/test/225_ti_dm.dts

diff --git a/Makefile b/Makefile
index 581fbba4c3..7e9c8272c3 100644
--- a/Makefile
+++ b/Makefile
@@ -1335,6 +1335,7 @@ cmd_binman = $(srctree)/tools/binman/binman $(if $(BINMAN_DEBUG),-D) \
 		$(foreach f,$(BINMAN_INDIRS),-I $(f)) \
 		-a atf-bl31-path=${BL31} \
 		-a tee-os-path=${TEE} \
+		-a ti-dm-path=${DM} \
 		-a opensbi-path=${OPENSBI} \
 		-a default-dt=$(default_dt) \
 		-a scp-path=$(SCP) \
diff --git a/tools/binman/entries.rst b/tools/binman/entries.rst
index 6c0f03b34f..0c6d82fce8 100644
--- a/tools/binman/entries.rst
+++ b/tools/binman/entries.rst
@@ -1214,6 +1214,16 @@ devices.
 
 
 
+Entry: ti-dm: Texas Instruments Device Manager (DM) blob
+-----------------------------------------------------------------
+
+Properties / Entry arguments:
+    - ti-dm-path: Filename of file to read into the entry, typically dm.bin
+
+This entry holds the device manager responsible for resource and power management in K3 devices.
+
+
+
 Entry: section: Entry that contains other entries
 -------------------------------------------------
 
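Review bot: The new ti-dm section does not follow the layout of the section just above it: the underline is longer than the title, and the description is a single line well past 80 columns where the sysfw text is wrapped. The title also says "(DM) blob" while the class docstring in ti_dm.py says "Entry containing a Texas Instruments Device Manager (DM)". Please make the docstring and this text agree and wrap the description.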
diff --git a/tools/binman/etype/ti_dm.py b/tools/binman/etype/ti_dm.py
new file mode 100644
index 0000000000..4203fff36e
--- /dev/null
+++ b/tools/binman/etype/ti_dm.py
@@ -0,0 +1,23 @@
+# SPDX-License-Identifier: GPL-2.0+
+# Copyright (C) 2022 Texas Instruments Incorporated - https://www.ti.com/
+#
+# Entry type for TI Device Manager
+
+import os
+
+from binman.etype.blob_named_by_arg import Entry_blob_named_by_arg
+
+
+class Entry_ti_dm(Entry_blob_named_by_arg):
+    """Entry containing a Texas Instruments Device Manager (DM)
+
+    Properties / Entry arguments:
+        - ti-dm-path: Filename of file to read into the entry, typically dm.bin
+
+    This entry holds the device manager responsible for resource and power management
+    in K3 devices.
+    """
+
+    def __init__(self, section, etype, node):
+        super().__init__(section, etype, node, 'ti-dm')
+        self.external = True
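Review bot: "import os" at the top of ti_dm.py is unused; the class only needs Entry_blob_named_by_arg. Please remove it.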
diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py
index ec408de334..5ff294a386 100644
--- a/tools/binman/ftest.py
+++ b/tools/binman/ftest.py
@@ -85,6 +85,7 @@ FSP_S_DATA            = b'fsp_s'
 FSP_T_DATA            = b'fsp_t'
 ATF_BL31_DATA         = b'bl31'
 TEE_OS_DATA           = b'this is some tee OS data'
+TI_DM_DATA            = b'tidmtidm'
 ATF_BL2U_DATA         = b'bl2u'
 OPENSBI_DATA          = b'opensbi'
 TI_SYSFW_DATA         = b'sysfw'
@@ -194,6 +195,7 @@ class TestFunctional(unittest.TestCase):
         TestFunctional._MakeInputFile('compress_big', COMPRESS_DATA_BIG)
         TestFunctional._MakeInputFile('bl31.bin', ATF_BL31_DATA)
         TestFunctional._MakeInputFile('tee-pager.bin', TEE_OS_DATA)
+        TestFunctional._MakeInputFile('dm.bin', TI_DM_DATA)
         TestFunctional._MakeInputFile('bl2u.bin', ATF_BL2U_DATA)
         TestFunctional._MakeInputFile('fw_dynamic.bin', OPENSBI_DATA)
         TestFunctional._MakeInputFile('sysfw.bin', TI_SYSFW_DATA)
@@ -5300,6 +5302,11 @@ fdt         fdtmap                Extract the devicetree blob from the fdtmap
         data = self._DoReadFile('222_tee_os.dts')
         self.assertEqual(TEE_OS_DATA, data[:len(TEE_OS_DATA)])
 
+    def testPackTiDm(self):
+        """Test that an image with a TI DM binary can be created"""
+        data = self._DoReadFile('225_ti_dm.dts')
+        self.assertEqual(TI_DM_DATA, data[:len(TI_DM_DATA)])
+
     def testFitFdtOper(self):
         """Check handling of a specified FIT operation"""
         entry_args = {
diff --git a/tools/binman/test/225_ti_dm.dts b/tools/binman/test/225_ti_dm.dts
new file mode 100644
index 0000000000..3ab754131e
--- /dev/null
+++ b/tools/binman/test/225_ti_dm.dts
@@ -0,0 +1,13 @@
+// SPDX-License-Identifier: GPL-2.0+
+
+/dts-v1/;
+
+/ {
+	#address-cells = <1>;
+	#size-cells = <1>;
+	binman {
+		ti-dm {
+			filename = "dm.bin";
+		};
+	};
+};
-- 
2.17.1



* [PATCH RFC v2 05/11] ti: etype: x509: Add etype for x509 certificate for K3 devices
  2022-05-06  4:37 [PATCH RFC v2 00/11] Integration of sysfw, tispl and tiboot3 Neha Malcom Francis
                   ` (3 preceding siblings ...)
  2022-05-06  4:37 ` [PATCH RFC v2 04/11] ti: etype: dm: Add entry type for TI DM Neha Malcom Francis
@ 2022-05-06  4:37 ` Neha Malcom Francis
  2022-05-31  9:20   ` Roger Quadros
  2022-05-06  4:37 ` [PATCH RFC v2 06/11] ti: sysfw: Add support for packaging sysfw.itb Neha Malcom Francis
                   ` (7 subsequent siblings)
  12 siblings, 1 reply; 36+ messages in thread
From: Neha Malcom Francis @ 2022-05-06  4:37 UTC (permalink / raw)
  To: u-boot; +Cc: n-francis

For K3 devices, an x509 certificate is added to certain binaries, which
allows ROM to validate the integrity of the image. An etype that generates
an x509 certificate depending on the boot flow is added.

Signed-off-by: Neha Malcom Francis <n-francis@ti.com>
---
 tools/binman/entries.rst            |  15 ++
 tools/binman/etype/x509_cert.py     | 248 ++++++++++++++++++++++++++++
 tools/binman/ftest.py               |   7 +
 tools/binman/test/232_x509_cert.dts |  18 ++
 tools/k3_gen_x509_cert.sh           |  10 +-
 5 files changed, 293 insertions(+), 5 deletions(-)
 create mode 100644 tools/binman/etype/x509_cert.py
 create mode 100644 tools/binman/test/232_x509_cert.dts

diff --git a/tools/binman/entries.rst b/tools/binman/entries.rst
index 0c6d82fce8..dfa281e49f 100644
--- a/tools/binman/entries.rst
+++ b/tools/binman/entries.rst
@@ -1890,6 +1890,21 @@ and kernel are genuine.
 
 
 
+Entry: x509cert: x509 certificate for K3 devices
+------------------------------------------------
+
+Properties / Entry arguments:
+        - content: Phandle of binary to sign
+        - output: Name of the final output file
+        - key_file: File with key inside it. If not provided, script generates RSA degenerate key
+        - core: Target core ID on which image would be running
+        - load: Target load address of the binary in hex
+
+    Output files:
+        - certificate.bin: Signed certificate binary
+
+
+
 Entry: x86-reset16: x86 16-bit reset code for U-Boot
 ----------------------------------------------------
 
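
Review bot: The documented names in this entries.rst section do not match what the etype reads. The heading calls the entry x509cert while the class is Entry_x509_cert and the test node is x509-cert; the list gives key_file where __init__() reads 'key-file'; and an output property is documented that the Python code never reads and that the class docstring does not list. Please align the names with the code and drop output unless it is implemented. The "Output files:" line is also indented differently from "Properties / Entry arguments:" above it.
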
diff --git a/tools/binman/etype/x509_cert.py b/tools/binman/etype/x509_cert.py
new file mode 100644
index 0000000000..0009973155
--- /dev/null
+++ b/tools/binman/etype/x509_cert.py
@@ -0,0 +1,248 @@
+# SPDX-License-Identifier: GPL-2.0+
+# Copyright (c) 2018 Google, Inc
+# Written by Simon Glass <sjg@chromium.org>
+#
+
+# Support for a x509 certificate for signing K3 devices
+
+import os
+from collections import OrderedDict
+from subprocess import Popen, PIPE
+from sys import stderr, stdout
+
+import asn1
+from Crypto.PublicKey import RSA
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import serialization
+
+from binman.etype.collection import Entry_collection
+from dtoc import fdt_util
+from patman import tools
+
+temp_x509 = "x509-temp.cert"
+cert = "certificate.bin"
+rand_key = "eckey.pem"
+bootcore_opts = 0
+bootcore = 0
+debug_type = 0
+
+
+class Entry_x509_cert(Entry_collection):
+    """ An entry which contains a x509 certificate
+
+    Properties / Entry arguments:
+        - content: Phandle of binary to sign
+        - key_file: File with key inside it. If not provided, script generates RSA degenerate key
+        - core: Target core ID on which image would be running
+        - load: Target load address of the binary in hex
+
+    Output files:
+        - certificate.bin: Signed certificate binary"""
+
+    def __init__(self, section, etype, node):
+        super().__init__(section, etype, node)
+        self.key_file = fdt_util.GetString(self._node, 'key-file', "")
+        self.core = fdt_util.GetInt(self._node, 'core', 0)
+        self.load_addr = fdt_util.GetInt(self._node, 'load', 0x41c00000)
+
+    def ReadNode(self):
+        super().ReadNode()
+        if self.key_file == "":
+            self.degen_key = True
+        else:
+            self.degen_key = False
+
+    def _CreateCertificate(self):
+        """Create certificate for legacy boot flow"""
+        if self.degen_key == True:
+            gen_degen_key()
+            self.key_file = rand_key
+
+        sha_val = get_sha_val("intermediate-sysfw.bin")
+        bin_size = get_file_size("intermediate-sysfw.bin")
+        addr = "%08x" % self.load_addr
+        if self.core == 0:
+            cert_type = 2
+        elif self.core == 16:
+            cert_type = 1
+        else:
+            cert_type = 2
+        debug_type = 0
+
+        gen_template()
+        gen_cert(bin_size, sha_val, cert_type, bootcore_opts,
+                 self.core, addr, debug_type, self.key_file)
+
+        return tools.read_file("certificate.bin")
+
+    def ObtainContents(self):
+        self.image = self.GetContents(False)
+        if self.image is None:
+            return False
+        f = open("intermediate-sysfw.bin", "wb")
+        f.write(self.image)
+        f.close()
+        self.SetContents(self._CreateCertificate())
+        return True
+
+    def ProcessContents(self):
+        data = self._CreateCertificate()
+        return self.ProcessContentsUpdate(data)
+
+
+def get_sha_val(binary_file):
+    process = Popen(['openssl', 'dgst', '-sha512', '-hex',
+                    binary_file], stdout=PIPE, stderr=PIPE)
+    stdout, stderr = process.communicate()
+    sha_val = stdout.split()[1]
+    return sha_val
+
+
+def get_file_size(binary_file):
+    return os.path.getsize(binary_file)
+
+
+def gen_degen_template():
+    with open("degen-template.txt", 'w+', encoding='utf-8') as f:
+        degen_temp = """
+asn1=SEQUENCE:rsa_key
+
+[rsa_key]
+version=INTEGER:0
+modulus=INTEGER:0xDEGEN_MODULUS
+pubExp=INTEGER:1
+privExp=INTEGER:1
+p=INTEGER:0xDEGEN_P
+q=INTEGER:0xDEGEN_Q
+e1=INTEGER:1
+e2=INTEGER:1
+coeff=INTEGER:0xDEGEN_COEFF"""
+        f.write(degen_temp)
+
+
+def gen_template():
+    """Generate x509 Template"""
+    with open("x509-template.txt", "w+", encoding='utf-8') as f:
+        x509template = """
+[ req ]
+distinguished_name     = req_distinguished_name
+x509_extensions        = v3_ca
+prompt                 = no
+dirstring_type         = nobmp
+
+[ req_distinguished_name ]
+C                      = US
+ST                     = TX
+L                      = Dallas
+O                      = Texas Instruments Incorporated
+OU                     = Processors
+CN                     = TI support
+emailAddress           = support@ti.com
+
+[ v3_ca ]
+basicConstraints = CA:true
+1.3.6.1.4.1.294.1.1 = ASN1:SEQUENCE:boot_seq
+1.3.6.1.4.1.294.1.2 = ASN1:SEQUENCE:image_integrity
+1.3.6.1.4.1.294.1.3 = ASN1:SEQUENCE:swrv
+# 1.3.6.1.4.1.294.1.4 = ASN1:SEQUENCE:encryption
+1.3.6.1.4.1.294.1.8 = ASN1:SEQUENCE:debug
+
+[ boot_seq ]
+certType = INTEGER:TEST_CERT_TYPE
+bootCore = INTEGER:TEST_BOOT_CORE
+bootCoreOpts = INTEGER:TEST_BOOT_CORE_OPTS
+destAddr = FORMAT:HEX,OCT:TEST_BOOT_ADDR
+imageSize = INTEGER:TEST_IMAGE_LENGTH
+
+[ image_integrity ]
+shaType = OID:2.16.840.1.101.3.4.2.3
+shaValue = FORMAT:HEX,OCT:TEST_IMAGE_SHA_VAL
+
+[ swrv ]
+swrv = INTEGER:0
+
+# [ encryption ]
+# initalVector = FORMAT:HEX,OCT:TEST_IMAGE_ENC_IV
+# randomString = FORMAT:HEX,OCT:TEST_IMAGE_ENC_RS
+# iterationCnt = INTEGER:TEST_IMAGE_KEY_DERIVE_INDEX
+# salt = FORMAT:HEX,OCT:TEST_IMAGE_KEY_DERIVE_SALT
+
+[ debug ]
+debugUID = FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000
+debugType = INTEGER:TEST_DEBUG_TYPE
+coreDbgEn = INTEGER:0
+coreDbgSecEn = INTEGER:0"""
+        f.write(x509template)
+
+
+def parse_key(inp_key, section):
+    parsed_key = ""
+    section_true = False
+    with open(inp_key, 'r') as file:
+        for line in file:
+            if section in line:
+                section_true = True
+            elif section_true:
+                if "    " not in line:
+                    break
+                else:
+                    parsed_key += line.replace(":", "").replace("    ", "")
+    return parsed_key.replace("\n", "")
+
+
+def gen_degen_key():
+    """Generate a 4096 bit RSA key"""
+    try:
+        # generates 1024 bit PEM encoded RSA key in PKCS#1 format
+        private_key = RSA.generate(1024)
+        f = open('key.pem', 'wb')
+        f.write(private_key.exportKey('PEM'))
+        f.close()
+    except:
+        raise(Exception)
+
+    try:
+        process = Popen(['openssl', 'rsa', '-in', 'key.pem',
+                        '-text', '-out', 'key.txt'], stdout=PIPE, stderr=PIPE)
+        stdout, stderr = process.communicate()
+    except:
+        raise(stderr)
+
+    DEGEN_MODULUS = parse_key("key.txt", "modulus")
+    DEGEN_P = parse_key("key.txt", "prime1")
+    DEGEN_Q = parse_key("key.txt", "prime2")
+    DEGEN_COEFF = parse_key("key.txt", "coefficient")
+
+    gen_degen_template()
+
+    with open("degen-template.txt", 'r') as file_input:
+        with open("degenerateKey.txt", 'w') as file_output:
+            for line in file_input:
+                s = line.replace("DEGEN_MODULUS", DEGEN_MODULUS).replace(
+                    "DEGEN_P", DEGEN_P).replace("DEGEN_Q", DEGEN_Q).replace("DEGEN_COEFF", DEGEN_COEFF)
+                file_output.write(s)
+
+    try:
+        process = Popen(['openssl', 'asn1parse', '-genconf', 'degenerateKey.txt',
+                        '-out', 'degenerateKey.der'], stdout=PIPE, stderr=PIPE)
+        stdout, stderr = process.communicate()
+    except:
+        raise(stderr)
+
+    try:
+        process = Popen(['openssl', 'rsa', '-in', 'degenerateKey.der',
+                        '-inform', 'DER', '-outform', 'PEM', '-out', rand_key])
+        stdout, stderr = process.communicate()
+    except:
+        raise(stderr)
+
+
+def gen_cert(bin_size, sha_val, cert_type, bootcore_opts, bootcore, addr, debug_type, key):
+    with open(temp_x509, "w") as output_file:
+        with open("x509-template.txt", "r") as input_file:
+            for line in input_file:
+                output_file.write(line.replace("TEST_IMAGE_LENGTH", str(bin_size)).replace("TEST_IMAGE_SHA_VAL", sha_val.decode("utf-8")).replace("TEST_CERT_TYPE", str(cert_type)).replace(
+                    "TEST_BOOT_CORE_OPTS", str(bootcore_opts)).replace("TEST_BOOT_CORE", str(bootcore)).replace("TEST_BOOT_ADDR", str(addr)).replace("TEST_DEBUG_TYPE", str(debug_type)))
+    process = Popen(['openssl', 'req', '-new', '-x509', '-key', key, '-nodes', '-outform',
+                    'DER', '-out', cert, '-config', temp_x509, '-sha512'], stdout=PIPE, stderr=PIPE)
+    stdout, stderr = process.communicate()
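
Review bot: Nothing in x509_cert.py checks whether openssl succeeded, so a failed signing step can go unnoticed. Popen() does not raise on a non-zero exit status, so the try/except blocks in gen_degen_key() never fire for an openssl error, and get_sha_val() and gen_cert() ignore the return code altogether; _CreateCertificate() then reads whatever certificate.bin happens to be in the working directory, possibly one left from an earlier run over a different binary. Please check returncode (or use subprocess.run() with check=True) and fail the entry with the captured stderr. The handlers are also wrong as written: raise(stderr) raises a bytes object, or an unbound local if Popen() itself threw, and raise(Exception) discards the original error.

Related points in the same file: every intermediate (intermediate-sysfw.bin, key.pem, key.txt, degenerateKey.der, eckey.pem, x509-temp.cert, certificate.bin) has a fixed name in the current directory and is never removed, so two x509-cert entries in one build overwrite each other's files and private key material is left behind; tools.get_output_filename() would keep them in binman's output directory. The gen_degen_key() docstring says 4096 bit while RSA.generate(1024) is called. asn1, OrderedDict, default_backend and serialization are imported but unused. The copyright header credits Google and Simon Glass for a new file.
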
diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py
index 5ff294a386..d8ee592250 100644
--- a/tools/binman/ftest.py
+++ b/tools/binman/ftest.py
@@ -96,6 +96,7 @@ ENV_DATA              = b'var1=1\nvar2="2"'
 PRE_LOAD_MAGIC        = b'UBSH'
 PRE_LOAD_VERSION      = 0x11223344.to_bytes(4, 'big')
 PRE_LOAD_HDR_SIZE     = 0x00001000.to_bytes(4, 'big')
+X509_DATA             = b'filetobesigned'
 
 # Subdirectory of the input dir to use to put test FDTs
 TEST_FDT_SUBDIR       = 'fdts'
@@ -200,6 +201,7 @@ class TestFunctional(unittest.TestCase):
         TestFunctional._MakeInputFile('fw_dynamic.bin', OPENSBI_DATA)
         TestFunctional._MakeInputFile('sysfw.bin', TI_SYSFW_DATA)
         TestFunctional._MakeInputFile('scp.bin', SCP_DATA)
+        TestFunctional._MakeInputFile('tosign.bin', X509_DATA)
 
         # Add a few .dtb files for testing
         TestFunctional._MakeInputFile('%s/test-fdt1.dtb' % TEST_FDT_SUBDIR,
@@ -5537,5 +5539,10 @@ fdt         fdtmap                Extract the devicetree blob from the fdtmap
         data = self._DoReadFile('232_ti_sysfw.dts')
         self.assertEqual(TI_SYSFW_DATA, data[:len(TI_SYSFW_DATA)])
 
+    def testX509Cert(self):
+        """Test an image with the default x509 certificate header"""
+        data = self._DoReadFile('232_x509_cert.dts')
+        self.assertEqual(X509_DATA, data[938:938 + len(X509_DATA)])
+
 if __name__ == "__main__":
     unittest.main()
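
Review bot: The assertion in testX509Cert relies on a bare offset, data[938:938 + len(X509_DATA)], which encodes the DER length of one particular generated certificate and breaks as soon as the template or key size changes. Please derive the position (for example compare the tail of data with X509_DATA) and assert something about the certificate bytes as well, since the test currently only shows that the payload follows 938 bytes of something. The test file is numbered 232, the same number as 232_ti_sysfw.dts in the test directly above; it needs its own number.
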
diff --git a/tools/binman/test/232_x509_cert.dts b/tools/binman/test/232_x509_cert.dts
new file mode 100644
index 0000000000..f768568ca7
--- /dev/null
+++ b/tools/binman/test/232_x509_cert.dts
@@ -0,0 +1,18 @@
+// SPDX-License-Identifier: GPL-2.0+
+
+/dts-v1/;
+
+/ {
+	#address-cells = <1>;
+	#size-cells = <1>;
+
+	binman {
+		x509-cert {
+			content = <&image>;
+		};
+
+		image: blob-ext {
+			filename = "tosign.bin";
+		};
+	};
+};
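
Review bot: The x509-cert node in this test sets only content, so just the default path of the etype runs: generated degenerate key, core 0 and the default load address. The key-file branch and the core = 16 case in _CreateCertificate() are never exercised. A second test node with key-file, core and load set would cover them.
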
diff --git a/tools/k3_gen_x509_cert.sh b/tools/k3_gen_x509_cert.sh
index 298cec1313..b6ef5a2de3 100755
--- a/tools/k3_gen_x509_cert.sh
+++ b/tools/k3_gen_x509_cert.sh
@@ -109,7 +109,7 @@ gen_degen_key() {
 	openssl asn1parse -genconf degenerateKey.txt -out degenerateKey.der >>/dev/null 2>&1
 	openssl rsa -in degenerateKey.der -inform DER -outform PEM -out $RAND_KEY >>/dev/null 2>&1
 	KEY=$RAND_KEY
-	rm key.pem key.txt degen-template.txt degenerateKey.txt degenerateKey.der
+	#rm key.pem key.txt degen-template.txt degenerateKey.txt degenerateKey.der
 }
 
 declare -A options_help
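
Review bot: Commenting out the rm at the end of gen_degen_key() leaves key.pem and key.txt, which hold the generated private key in PEM and text form, plus the degenerate key files, in the build directory after every run. The commit message does not mention this script at all. If the cleanup was disabled for debugging, please drop the change; if something now depends on these files, say so in the log.
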
@@ -246,7 +246,7 @@ gen_cert
 cat $CERT $BIN > $OUTPUT
 
 # Remove all intermediate files
-rm $TEMP_X509 $CERT x509-template.txt
-if [ "$KEY" == "$RAND_KEY" ]; then
-	rm $RAND_KEY
-fi
+#rm $TEMP_X509 $CERT x509-template.txt
+#if [ "$KEY" == "$RAND_KEY" ]; then
+#	rm $RAND_KEY
+#fi
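
Review bot: With the final cleanup block commented out, $TEMP_X509, $CERT, x509-template.txt and the generated $RAND_KEY stay behind after the script exits. Code that is no longer wanted should be deleted rather than commented out, and since 09/11 removes k3_gen_x509_cert.sh entirely, this hunk looks like churn that can be dropped from the series.
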
-- 
2.17.1



* [PATCH RFC v2 06/11] ti: sysfw: Add support for packaging sysfw.itb
  2022-05-06  4:37 [PATCH RFC v2 00/11] Integration of sysfw, tispl and tiboot3 Neha Malcom Francis
                   ` (4 preceding siblings ...)
  2022-05-06  4:37 ` [PATCH RFC v2 05/11] ti: etype: x509: Add etype for x509 certificate for K3 devices Neha Malcom Francis
@ 2022-05-06  4:37 ` Neha Malcom Francis
  2022-05-06  4:37 ` [PATCH RFC v2 07/11] ti: tiboot3.bin: Remove tiboot3.bin target from makefile Neha Malcom Francis
                   ` (6 subsequent siblings)
  12 siblings, 0 replies; 36+ messages in thread
From: Neha Malcom Francis @ 2022-05-06  4:37 UTC (permalink / raw)
  To: u-boot; +Cc: n-francis

For devices that require sysfw.itb, board config binary artifacts must
be populated in the R5 output directory. These can be used by binman to
package sysfw.itb.

config.mk for mach-k3 is updated to generate the required binaries using
tibcfg_gen.py.

Signed-off-by: Neha Malcom Francis <n-francis@ti.com>
---
 arch/arm/mach-k3/config.mk | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/arch/arm/mach-k3/config.mk b/arch/arm/mach-k3/config.mk
index da458bcfb2..e6c13c1800 100644
--- a/arch/arm/mach-k3/config.mk
+++ b/arch/arm/mach-k3/config.mk
@@ -28,6 +28,24 @@ else
 KEY=$(patsubst "%",$(srctree)/%,$(CONFIG_SYS_K3_KEY))
 endif
 
+# Board config binary artifacts necessary for packaging of tiboot3.bin
+# and sysfw.itb by binman, currently for general purpose devices and
+# devices that require sysfw.itb in ROM boot image. Currently set up
+# for J721E
+ifneq ($(CONFIG_SOC_K3_J721E), )
+ifneq ($(CONFIG_TI_SECURE_DEVICE), y)
+
+CONFIG_YAML = $(srctree)/board/ti/$(BOARD)/config.yaml
+SCHEMA_YAML = $(srctree)/board/ti/common/schema.yaml
+board-cfg.bin pm-cfg.bin rm-cfg.bin sec-cfg.bin:
+	$(PYTHON3) $(srctree)/tools/tibcfg_gen.py -c $(CONFIG_YAML) -s $(SCHEMA_YAML) -o $(O)
+INPUTS-y	+= board-cfg.bin
+INPUTS-y	+= pm-cfg.bin
+INPUTS-y	+= rm-cfg.bin
+INPUTS-y	+= sec-cfg.bin
+endif
+endif
+
 # tiboot3.bin is mandated by ROM and ROM only supports R5 boot.
 # So restrict tiboot3.bin creation for CPU_V7R.
 ifdef CONFIG_CPU_V7R
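
Review bot: The rule for board-cfg.bin pm-cfg.bin rm-cfg.bin sec-cfg.bin lists no prerequisites, so editing $(CONFIG_YAML), $(SCHEMA_YAML) or tools/tibcfg_gen.py does not regenerate the binaries and a stale sec-cfg.bin can end up packaged. Please add those three files as prerequisites. Because the four outputs are independent targets sharing one recipe, a parallel build may also run tibcfg_gen.py more than once; a grouped rule or a single stamp target avoids that. What is passed to -o when O is not set? The comment block uses "currently" twice and could be tightened.
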
-- 
2.17.1



* [PATCH RFC v2 07/11] ti: tiboot3.bin: Remove tiboot3.bin target from makefile
  2022-05-06  4:37 [PATCH RFC v2 00/11] Integration of sysfw, tispl and tiboot3 Neha Malcom Francis
                   ` (5 preceding siblings ...)
  2022-05-06  4:37 ` [PATCH RFC v2 06/11] ti: sysfw: Add support for packaging sysfw.itb Neha Malcom Francis
@ 2022-05-06  4:37 ` Neha Malcom Francis
  2022-05-31 10:51   ` Roger Quadros
  2022-05-06  4:37 ` [PATCH RFC v2 08/11] ti: tispl.bin: Removed script that packages tispl.bin Neha Malcom Francis
                   ` (5 subsequent siblings)
  12 siblings, 1 reply; 36+ messages in thread
From: Neha Malcom Francis @ 2022-05-06  4:37 UTC (permalink / raw)
  To: u-boot; +Cc: n-francis

Intention of patch is to move the signing and packaging of tiboot3.bin
image to binman, thus removing target from makefile.

Also deleting k3_gen_x509_cert.sh which was earlier used to sign a
binary associated with K3 devices with x509 certificate. This
functionality has been replicated in binman with the etype x509_cert.

Signed-off-by: Neha Malcom Francis <n-francis@ti.com>
---
 arch/arm/mach-k3/config.mk | 19 -------------------
 1 file changed, 19 deletions(-)

diff --git a/arch/arm/mach-k3/config.mk b/arch/arm/mach-k3/config.mk
index e6c13c1800..49f80ae79b 100644
--- a/arch/arm/mach-k3/config.mk
+++ b/arch/arm/mach-k3/config.mk
@@ -46,25 +46,6 @@ INPUTS-y	+= sec-cfg.bin
 endif
 endif
 
-# tiboot3.bin is mandated by ROM and ROM only supports R5 boot.
-# So restrict tiboot3.bin creation for CPU_V7R.
-ifdef CONFIG_CPU_V7R
-image_check: $(obj)/u-boot-spl.bin FORCE
-	@if [ $(IMAGE_SIZE) -gt $(MAX_SIZE) ]; then			    \
-		echo "===============================================" >&2; \
-		echo "ERROR: Final Image too big. " >&2;		    \
-		echo "$< size = $(IMAGE_SIZE), max size = $(MAX_SIZE)" >&2; \
-		echo "===============================================" >&2; \
-		exit 1;							    \
-	fi
-
-tiboot3.bin: image_check FORCE
-	$(srctree)/tools/k3_gen_x509_cert.sh -c 16 -b $(obj)/u-boot-spl.bin \
-				-o $@ -l $(CONFIG_SPL_TEXT_BASE) -k $(KEY)
-
-INPUTS-y	+= tiboot3.bin
-endif
-
 ifdef CONFIG_ARM64
 
 ifeq ($(CONFIG_SOC_K3_J721E),)
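
Review bot: Removing image_check drops the guard that failed the build when u-boot-spl.bin exceeded $(MAX_SIZE), and nothing in this patch replaces it. Please state in the log where the size limit is enforced once binman produces tiboot3.bin, or keep the check. The log also says k3_gen_x509_cert.sh is deleted here, but the diffstat touches only config.mk and the deletion is in 09/11, so that paragraph belongs there.
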
-- 
2.17.1



* [PATCH RFC v2 08/11] ti: tispl.bin: Removed script that packages tispl.bin
  2022-05-06  4:37 [PATCH RFC v2 00/11] Integration of sysfw, tispl and tiboot3 Neha Malcom Francis
                   ` (6 preceding siblings ...)
  2022-05-06  4:37 ` [PATCH RFC v2 07/11] ti: tiboot3.bin: Remove tiboot3.bin target from makefile Neha Malcom Francis
@ 2022-05-06  4:37 ` Neha Malcom Francis
  2022-05-31 10:53   ` Roger Quadros
  2022-05-06  4:37 ` [PATCH RFC v2 09/11] ti: x509: Remove shell script used for signing Neha Malcom Francis
                   ` (4 subsequent siblings)
  12 siblings, 1 reply; 36+ messages in thread
From: Neha Malcom Francis @ 2022-05-06  4:37 UTC (permalink / raw)
  To: u-boot; +Cc: n-francis

As tispl.bin is to be packaged (with ATF, OPTEE, DM and A72 SPL) using
binman, the shell script k3_fit_atf.sh is no longer needed. Removing
this file.

Signed-off-by: Neha Malcom Francis <n-francis@ti.com>
---
 tools/k3_fit_atf.sh | 123 --------------------------------------------
 1 file changed, 123 deletions(-)
 delete mode 100755 tools/k3_fit_atf.sh

diff --git a/tools/k3_fit_atf.sh b/tools/k3_fit_atf.sh
deleted file mode 100755
index 7bc07ad074..0000000000
--- a/tools/k3_fit_atf.sh
+++ /dev/null
@@ -1,123 +0,0 @@
-#!/bin/sh
-# SPDX-License-Identifier: GPL-2.0+
-#
-# script to generate FIT image source for K3 Family boards with
-# ATF, OPTEE, SPL and multiple device trees (given on the command line).
-# Inspired from board/sunxi/mksunxi_fit_atf.sh
-#
-# usage: $0 <atf_load_addr> <dt_name> [<dt_name> [<dt_name] ...]
-
-[ -z "$ATF" ] && ATF="bl31.bin"
-
-if [ ! -f $ATF ]; then
-	echo "WARNING ATF file $ATF NOT found, resulting binary is non-functional" >&2
-	ATF=/dev/null
-fi
-
-[ -z "$TEE" ] && TEE="bl32.bin"
-
-if [ ! -f $TEE ]; then
-	echo "WARNING OPTEE file $TEE NOT found, resulting might be non-functional" >&2
-	TEE=/dev/null
-fi
-
-[ -z "$DM" ] && DM="dm.bin"
-
-if [ ! -e $DM ]; then
-	echo "WARNING DM file $DM NOT found, resulting might be non-functional" >&2
-	DM=/dev/null
-fi
-
-if [ ! -z "$IS_HS" ]; then
-	HS_APPEND=_HS
-fi
-
-cat << __HEADER_EOF
-/dts-v1/;
-
-/ {
-	description = "Configuration to load ATF and SPL";
-	#address-cells = <1>;
-
-	images {
-		atf {
-			description = "ARM Trusted Firmware";
-			data = /incbin/("$ATF");
-			type = "firmware";
-			arch = "arm64";
-			compression = "none";
-			os = "arm-trusted-firmware";
-			load = <$1>;
-			entry = <$1>;
-		};
-		tee {
-			description = "OPTEE";
-			data = /incbin/("$TEE");
-			type = "tee";
-			arch = "arm64";
-			compression = "none";
-			os = "tee";
-			load = <0x9e800000>;
-			entry = <0x9e800000>;
-		};
-		dm {
-			description = "DM binary";
-			data = /incbin/("$DM");
-			type = "firmware";
-			arch = "arm32";
-			compression = "none";
-			os = "DM";
-			load = <0x89000000>;
-			entry = <0x89000000>;
-		};
-		spl {
-			description = "SPL (64-bit)";
-			data = /incbin/("spl/u-boot-spl-nodtb.bin$HS_APPEND");
-			type = "standalone";
-			os = "U-Boot";
-			arch = "arm64";
-			compression = "none";
-			load = <0x80080000>;
-			entry = <0x80080000>;
-		};
-__HEADER_EOF
-
-# shift through ATF load address in the command line arguments
-shift
-
-for dtname in $*
-do
-	cat << __FDT_IMAGE_EOF
-		$(basename $dtname) {
-			description = "$(basename $dtname .dtb)";
-			data = /incbin/("$dtname$HS_APPEND");
-			type = "flat_dt";
-			arch = "arm";
-			compression = "none";
-		};
-__FDT_IMAGE_EOF
-done
-
-cat << __CONF_HEADER_EOF
-	};
-	configurations {
-		default = "$(basename $1)";
-
-__CONF_HEADER_EOF
-
-for dtname in $*
-do
-	cat << __CONF_SECTION_EOF
-		$(basename $dtname) {
-			description = "$(basename $dtname .dtb)";
-			firmware = "atf";
-			loadables = "tee", "dm", "spl";
-			fdt = "$(basename $dtname)";
-		};
-__CONF_SECTION_EOF
-done
-
-cat << __ITS_EOF
-	};
-};
-__ITS_EOF
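
Review bot: k3_fit_atf.sh is deleted here, three patches before 11/11 switches tispl.bin to binman and removes the make commands that generated it, so the commits in between may be unable to build tispl.bin. Please reorder or squash so that every commit in the series builds. The script also substituted /dev/null with a warning when bl31.bin, bl32.bin or dm.bin was missing and appended _HS to inputs when IS_HS was set; the log should say whether the binman description keeps or intentionally drops those behaviours.
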
-- 
2.17.1



* [PATCH RFC v2 09/11] ti: x509: Remove shell script used for signing
  2022-05-06  4:37 [PATCH RFC v2 00/11] Integration of sysfw, tispl and tiboot3 Neha Malcom Francis
                   ` (7 preceding siblings ...)
  2022-05-06  4:37 ` [PATCH RFC v2 08/11] ti: tispl.bin: Removed script that packages tispl.bin Neha Malcom Francis
@ 2022-05-06  4:37 ` Neha Malcom Francis
  2022-05-31 10:54   ` Roger Quadros
  2022-05-06  4:37 ` [PATCH RFC v2 10/11] ti: dtsi: j721e: Use binman to package sysfw.itb and tiboot3.bin Neha Malcom Francis
                   ` (3 subsequent siblings)
  12 siblings, 1 reply; 36+ messages in thread
From: Neha Malcom Francis @ 2022-05-06  4:37 UTC (permalink / raw)
  To: u-boot; +Cc: n-francis

Earlier the k3_gen_x509_cert.sh was used for signing binaries with the
x509 certificate for Texas Instruments K3 architecture devices. Since
the signing process is handled by x509 etype now, there is no more
requirement for this script, hence removing it.

Signed-off-by: Neha Malcom Francis <n-francis@ti.com>
---
 tools/k3_gen_x509_cert.sh | 252 --------------------------------------
 1 file changed, 252 deletions(-)
 delete mode 100755 tools/k3_gen_x509_cert.sh

diff --git a/tools/k3_gen_x509_cert.sh b/tools/k3_gen_x509_cert.sh
deleted file mode 100755
index b6ef5a2de3..0000000000
--- a/tools/k3_gen_x509_cert.sh
+++ /dev/null
@@ -1,252 +0,0 @@
-#!/bin/bash
-# SPDX-License-Identifier: GPL-2.0+ OR BSD-3-Clause
-#
-# Script to add K3 specific x509 cetificate to a binary.
-#
-
-# Variables
-OUTPUT=tiboot3.bin
-TEMP_X509=x509-temp.cert
-CERT=certificate.bin
-RAND_KEY=eckey.pem
-LOADADDR=0x41c00000
-BOOTCORE_OPTS=0
-BOOTCORE=16
-DEBUG_TYPE=0
-
-gen_degen_template() {
-cat << 'EOF' > degen-template.txt
-
-asn1=SEQUENCE:rsa_key
-
-[rsa_key]
-version=INTEGER:0
-modulus=INTEGER:0xDEGEN_MODULUS
-pubExp=INTEGER:1
-privExp=INTEGER:1
-p=INTEGER:0xDEGEN_P
-q=INTEGER:0xDEGEN_Q
-e1=INTEGER:1
-e2=INTEGER:1
-coeff=INTEGER:0xDEGEN_COEFF
-EOF
-}
-
-# Generate x509 Template
-gen_template() {
-cat << 'EOF' > x509-template.txt
- [ req ]
- distinguished_name     = req_distinguished_name
- x509_extensions        = v3_ca
- prompt                 = no
- dirstring_type         = nobmp
-
- [ req_distinguished_name ]
- C                      = US
- ST                     = TX
- L                      = Dallas
- O                      = Texas Instruments Incorporated
- OU                     = Processors
- CN                     = TI support
- emailAddress           = support@ti.com
-
- [ v3_ca ]
- basicConstraints = CA:true
- 1.3.6.1.4.1.294.1.1 = ASN1:SEQUENCE:boot_seq
- 1.3.6.1.4.1.294.1.2 = ASN1:SEQUENCE:image_integrity
- 1.3.6.1.4.1.294.1.3 = ASN1:SEQUENCE:swrv
-# 1.3.6.1.4.1.294.1.4 = ASN1:SEQUENCE:encryption
- 1.3.6.1.4.1.294.1.8 = ASN1:SEQUENCE:debug
-
- [ boot_seq ]
- certType = INTEGER:TEST_CERT_TYPE
- bootCore = INTEGER:TEST_BOOT_CORE
- bootCoreOpts = INTEGER:TEST_BOOT_CORE_OPTS
- destAddr = FORMAT:HEX,OCT:TEST_BOOT_ADDR
- imageSize = INTEGER:TEST_IMAGE_LENGTH
-
- [ image_integrity ]
- shaType = OID:2.16.840.1.101.3.4.2.3
- shaValue = FORMAT:HEX,OCT:TEST_IMAGE_SHA_VAL
-
- [ swrv ]
- swrv = INTEGER:0
-
-# [ encryption ]
-# initalVector = FORMAT:HEX,OCT:TEST_IMAGE_ENC_IV
-# randomString = FORMAT:HEX,OCT:TEST_IMAGE_ENC_RS
-# iterationCnt = INTEGER:TEST_IMAGE_KEY_DERIVE_INDEX
-# salt = FORMAT:HEX,OCT:TEST_IMAGE_KEY_DERIVE_SALT
-
- [ debug ]
- debugUID = FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000
- debugType = INTEGER:TEST_DEBUG_TYPE
- coreDbgEn = INTEGER:0
- coreDbgSecEn = INTEGER:0
-EOF
-}
-
-parse_key() {
-	sed '/\ \ \ \ /s/://g' key.txt | awk  '!/\ \ \ \ / {printf("\n%s\n", $0)}; /\ \ \ \ / {printf("%s", $0)}' | sed 's/\ \ \ \ //g' | awk "/$1:/{getline; print}"
-}
-
-gen_degen_key() {
-# Generate a 4096 bit RSA Key
-	openssl genrsa -out key.pem 1024 >>/dev/null 2>&1
-	openssl rsa -in key.pem -text -out key.txt >>/dev/null 2>&1
-	DEGEN_MODULUS=$( parse_key 'modulus' )
-	DEGEN_P=$( parse_key 'prime1' )
-	DEGEN_Q=$( parse_key 'prime2' )
-	DEGEN_COEFF=$( parse_key 'coefficient' )
-	gen_degen_template
-
-	sed -e "s/DEGEN_MODULUS/$DEGEN_MODULUS/"\
-		-e "s/DEGEN_P/$DEGEN_P/" \
-		-e "s/DEGEN_Q/$DEGEN_Q/" \
-		-e "s/DEGEN_COEFF/$DEGEN_COEFF/" \
-		 degen-template.txt > degenerateKey.txt
-
-	openssl asn1parse -genconf degenerateKey.txt -out degenerateKey.der >>/dev/null 2>&1
-	openssl rsa -in degenerateKey.der -inform DER -outform PEM -out $RAND_KEY >>/dev/null 2>&1
-	KEY=$RAND_KEY
-	#rm key.pem key.txt degen-template.txt degenerateKey.txt degenerateKey.der
-}
-
-declare -A options_help
-usage() {
-	if [ -n "$*" ]; then
-		echo "ERROR: $*"
-	fi
-	echo -n "Usage: $0 "
-	for option in "${!options_help[@]}"
-	do
-		arg=`echo ${options_help[$option]}|cut -d ':' -f1`
-		if [ -n "$arg" ]; then
-			arg=" $arg"
-		fi
-		echo -n "[-$option$arg] "
-	done
-	echo
-	echo -e "\nWhere:"
-	for option in "${!options_help[@]}"
-	do
-		arg=`echo ${options_help[$option]}|cut -d ':' -f1`
-		txt=`echo ${options_help[$option]}|cut -d ':' -f2`
-		tb="\t\t\t"
-		if [ -n "$arg" ]; then
-			arg=" $arg"
-			tb="\t"
-		fi
-		echo -e "   -$option$arg:$tb$txt"
-	done
-	echo
-	echo "Examples of usage:-"
-	echo "# Example of signing the SYSFW binary with rsa degenerate key"
-	echo "    $0 -c 0 -b ti-sci-firmware-am6x.bin -o sysfw.bin -l 0x40000"
-	echo "# Example of signing the SPL binary with rsa degenerate key"
-	echo "    $0 -c 16 -b spl/u-boot-spl.bin -o tiboot3.bin -l 0x41c00000"
-}
-
-options_help[b]="bin_file:Bin file that needs to be signed"
-options_help[k]="key_file:file with key inside it. If not provided script generates a rsa degenerate key."
-options_help[o]="output_file:Name of the final output file. default to $OUTPUT"
-options_help[c]="core_id:target core id on which the image would be running. Default to $BOOTCORE"
-options_help[l]="loadaddr: Target load address of the binary in hex. Default to $LOADADDR"
-options_help[d]="debug_type: Debug type, set to 4 to enable early JTAG. Default to $DEBUG_TYPE"
-
-while getopts "b:k:o:c:l:d:h" opt
-do
-	case $opt in
-	b)
-		BIN=$OPTARG
-	;;
-	k)
-		KEY=$OPTARG
-	;;
-	o)
-		OUTPUT=$OPTARG
-	;;
-	l)
-		LOADADDR=$OPTARG
-	;;
-	c)
-		BOOTCORE=$OPTARG
-	;;
-	d)
-		DEBUG_TYPE=$OPTARG
-	;;
-	h)
-		usage
-		exit 0
-	;;
-	\?)
-		usage "Invalid Option '-$OPTARG'"
-		exit 1
-	;;
-	:)
-		usage "Option '-$OPTARG' Needs an argument."
-		exit 1
-	;;
-	esac
-done
-
-if [ "$#" -eq 0 ]; then
-	usage "Arguments missing"
-	exit 1
-fi
-
-if [ -z "$BIN" ]; then
-	usage "Bin file missing in arguments"
-	exit 1
-fi
-
-# Generate rsa degenerate key if user doesn't provide a key
-if [ -z "$KEY" ]; then
-	gen_degen_key
-fi
-
-if [ $BOOTCORE == 0 ]; then	# BOOTCORE M3, loaded by ROM
-	CERTTYPE=2
-elif [ $BOOTCORE == 16 ]; then	# BOOTCORE R5, loaded by ROM
-	CERTTYPE=1
-else				# Non BOOTCORE, loaded by SYSFW
-	BOOTCORE_OPTS_VER=$(printf "%01x" 1)
-	# Add input args option for SET and CLR flags.
-	BOOTCORE_OPTS_SETFLAG=$(printf "%08x" 0)
-	BOOTCORE_OPTS_CLRFLAG=$(printf "%08x" 0x100) # Clear FLAG_ARMV8_AARCH32
-	BOOTCORE_OPTS="0x$BOOTCORE_OPTS_VER$BOOTCORE_OPTS_SETFLAG$BOOTCORE_OPTS_CLRFLAG"
-	# Set the cert type to zero.
-	# We are not using public/private key store now
-	CERTTYPE=$(printf "0x%08x" 0)
-fi
-
-SHA_VAL=`openssl dgst -sha512 -hex $BIN | sed -e "s/^.*= //g"`
-BIN_SIZE=`cat $BIN | wc -c`
-ADDR=`printf "%08x" $LOADADDR`
-
-gen_cert() {
-	#echo "Certificate being generated :"
-	#echo "	LOADADDR = 0x$ADDR"
-	#echo "	IMAGE_SIZE = $BIN_SIZE"
-	#echo "	CERT_TYPE = $CERTTYPE"
-	#echo "	DEBUG_TYPE = $DEBUG_TYPE"
-	sed -e "s/TEST_IMAGE_LENGTH/$BIN_SIZE/"	\
-		-e "s/TEST_IMAGE_SHA_VAL/$SHA_VAL/" \
-		-e "s/TEST_CERT_TYPE/$CERTTYPE/" \
-		-e "s/TEST_BOOT_CORE_OPTS/$BOOTCORE_OPTS/" \
-		-e "s/TEST_BOOT_CORE/$BOOTCORE/" \
-		-e "s/TEST_BOOT_ADDR/$ADDR/" \
-		-e "s/TEST_DEBUG_TYPE/$DEBUG_TYPE/" \
-		x509-template.txt > $TEMP_X509
-	openssl req -new -x509 -key $KEY -nodes -outform DER -out $CERT -config $TEMP_X509 -sha512
-}
-
-gen_template
-gen_cert
-cat $CERT $BIN > $OUTPUT
-
-# Remove all intermediate files
-#rm $TEMP_X509 $CERT x509-template.txt
-#if [ "$KEY" == "$RAND_KEY" ]; then
-#	rm $RAND_KEY
-#fi
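
Review bot: Two behaviours of the deleted script have no counterpart in the x509_cert etype from 05/11. For a core other than 0 or 16 the script set CERTTYPE to 0 and built BOOTCORE_OPTS from the version and the SET/CLR flags, whereas the etype falls back to cert_type = 2 with bootcore_opts fixed at 0. The -d debug_type option (4 enables early JTAG) is also gone, because the etype hard-codes debug_type = 0. Please either port these or state in the log that they are dropped on purpose.
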
-- 
2.17.1



* [PATCH RFC v2 10/11] ti: dtsi: j721e: Use binman to package sysfw.itb and tiboot3.bin
  2022-05-06  4:37 [PATCH RFC v2 00/11] Integration of sysfw, tispl and tiboot3 Neha Malcom Francis
                   ` (8 preceding siblings ...)
  2022-05-06  4:37 ` [PATCH RFC v2 09/11] ti: x509: Remove shell script used for signing Neha Malcom Francis
@ 2022-05-06  4:37 ` Neha Malcom Francis
  2022-05-06  4:37 ` [PATCH RFC v2 11/11] ti: dtsi: j721e: Use binman to package tispl.bin Neha Malcom Francis
                   ` (2 subsequent siblings)
  12 siblings, 0 replies; 36+ messages in thread
From: Neha Malcom Francis @ 2022-05-06  4:37 UTC (permalink / raw)
  To: u-boot; +Cc: n-francis

By providing entries in the binman node of the device tree, binman will
be able to find and package board config binary artifacts generated by
TIBoardConfig with sysfw.bin and generate the final image sysfw.itb.

k3-j721e-r5-binman.dtsi has been introduced for R5 specific binman node.
It can then be included by files that require it like
k3-j721e-r5-common-proc-board-u-boot.dtsi.

Signed-off-by: Tarun Sahu <t-sahu@ti.com>
[n-francis@ti.com: prepared patch for upstreaming]
Signed-off-by: Neha Malcom Francis <n-francis@ti.com>
---
 arch/arm/dts/k3-j721e-r5-binman.dtsi          | 88 +++++++++++++++++++
 .../k3-j721e-r5-common-proc-board-u-boot.dtsi |  1 +
 board/ti/j721e/Kconfig                        |  1 +
 3 files changed, 90 insertions(+)
 create mode 100644 arch/arm/dts/k3-j721e-r5-binman.dtsi

diff --git a/arch/arm/dts/k3-j721e-r5-binman.dtsi b/arch/arm/dts/k3-j721e-r5-binman.dtsi
new file mode 100644
index 0000000000..cf5b5bfdf6
--- /dev/null
+++ b/arch/arm/dts/k3-j721e-r5-binman.dtsi
@@ -0,0 +1,88 @@
+// SPDX-License-Identifier: GPL-2.0+
+// Copyright (C) 2022 Texas Instruments Incorporated - https://www.ti.com/
+
+#include <config.h>
+
+/ {
+	binman: binman {
+		multiple-images;
+	};
+};
+
+&binman {
+	tiboot3 {
+		filename = "tiboot3.bin";
+		x509-cert {
+			content = <&image1>;
+			core = <16>;
+			load = <CONFIG_SPL_TEXT_BASE>;
+		};
+		image1: u-boot-spl {
+			no-expanded;
+		};
+	};
+	binary {
+		filename = "sysfw.bin";
+		x509-cert {
+			content = <&image2>;
+			core = <0>;
+			load = <0x0040000>;
+		};
+		image2: ti-sysfw {
+		};
+	};
+	itb {
+		filename = "sysfw.itb";
+		fit {
+			description = "SYSFW and Config Fragments";
+			#address-cells = <1>;
+			images {
+				sysfw.bin {
+					description = "sysfw";
+					type = "firmware";
+					arch = "arm";
+					compression = "none";
+					blob {
+						filename = "sysfw.bin";
+					};
+				};
+				board-cfg.bin {
+					description = "board-cfg";
+					type = "firmware";
+					arch = "arm";
+					compression = "none";
+					blob-ext {
+						filename = "board-cfg.bin";
+					};
+				};
+				pm-cfg.bin {
+					description = "pm-cfg";
+					type = "firmware";
+					arch = "arm";
+					compression = "none";
+					blob-ext {
+						filename = "pm-cfg.bin";
+					};
+				};
+				rm-cfg.bin {
+					description = "rm-cfg";
+					type = "firmware";
+					arch = "arm";
+					compression = "none";
+					blob-ext {
+						filename = "rm-cfg.bin";
+					};
+				};
+				sec-cfg.bin {
+					description = "sec-cfg";
+					type = "firmware";
+					arch = "arm";
+					compression = "none";
+					blob-ext {
+						filename = "sec-cfg.bin";
+					};
+				};
+			};
+		};
+	};
+};
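
Review bot: Neither x509-cert node in k3-j721e-r5-binman.dtsi sets key-file, so tiboot3.bin and sysfw.bin are always signed with the generated degenerate key, and the KEY that config.mk derives from CONFIG_SYS_K3_KEY, which the old tiboot3.bin rule passed with -k $(KEY), is no longer used. If that is intended because only GP devices are targeted, please say so in the log; otherwise wire the key through. The itb image also takes sysfw.bin through a plain blob whose file is produced by the binary image earlier in the same node, so the result depends on the order in which the images are built; a comment or an explicit dependency would help. Minor: load = <0x0040000> has seven hex digits and reads like a typo for 0x40000 or 0x00040000.
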
diff --git a/arch/arm/dts/k3-j721e-r5-common-proc-board-u-boot.dtsi b/arch/arm/dts/k3-j721e-r5-common-proc-board-u-boot.dtsi
index 48c6ddf672..75ec722e89 100644
--- a/arch/arm/dts/k3-j721e-r5-common-proc-board-u-boot.dtsi
+++ b/arch/arm/dts/k3-j721e-r5-common-proc-board-u-boot.dtsi
@@ -4,6 +4,7 @@
  */
 
 #include "k3-j721e-common-proc-board-u-boot.dtsi"
+#include "k3-j721e-r5-binman.dtsi"
 
 / {
 	chosen {
diff --git a/board/ti/j721e/Kconfig b/board/ti/j721e/Kconfig
index c28752a658..a3a9d504ae 100644
--- a/board/ti/j721e/Kconfig
+++ b/board/ti/j721e/Kconfig
@@ -24,6 +24,7 @@ config TARGET_J721E_R5_EVM
 	select RAM
 	select SPL_RAM
 	select K3_DDRSS
+	select BINMAN
 	imply SYS_K3_SPL_ATF
 	imply TI_I2C_BOARD_DETECT
 
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 36+ messages in thread

* [PATCH RFC v2 11/11] ti: dtsi: j721e: Use binman to package tispl.bin
  2022-05-06  4:37 [PATCH RFC v2 00/11] Integration of sysfw, tispl and tiboot3 Neha Malcom Francis
                   ` (9 preceding siblings ...)
  2022-05-06  4:37 ` [PATCH RFC v2 10/11] ti: dtsi: j721e: Use binman to package sysfw.itb and tiboot3.bin Neha Malcom Francis
@ 2022-05-06  4:37 ` Neha Malcom Francis
  2022-05-31 11:02   ` Roger Quadros
  2022-05-10 20:05 ` [PATCH RFC v2 00/11] Integration of sysfw, tispl and tiboot3 Tom Rini
  2022-05-31  8:21 ` Roger Quadros
  12 siblings, 1 reply; 36+ messages in thread
From: Neha Malcom Francis @ 2022-05-06  4:37 UTC (permalink / raw)
  To: u-boot; +Cc: n-francis

Explicit make commands were earlier used to generate tispl.bin image,
now it is replaced using binman.

Binman picks up and packages entries according to the description of
entries given in the binman node in the device tree. The make commands
that were earlier responsible for generating tispl.bin have been removed.

k3-j721e-a72-binman.dtsi has been introduced for A72 specific binman node.
It can be included in files that require it like
k3-j721e-common-proc-board-u-boot.dtsi.

Note that make commands for secure devices have also been removed as
focus is on general purpose devices at present time.

Signed-off-by: Tarun Sahu <t-sahu@ti.com>
[n-francis@ti.com: prepared patch for upstreaming]
Signed-off-by: Neha Malcom Francis <n-francis@ti.com>
---
 arch/arm/dts/k3-j721e-a72-binman.dtsi         | 86 +++++++++++++++++++
 .../k3-j721e-common-proc-board-u-boot.dtsi    |  1 +
 arch/arm/mach-k3/config.mk                    | 33 -------
 board/ti/j721e/Kconfig                        |  1 +
 scripts/Makefile.spl                          |  4 -
 5 files changed, 88 insertions(+), 37 deletions(-)
 create mode 100644 arch/arm/dts/k3-j721e-a72-binman.dtsi

diff --git a/arch/arm/dts/k3-j721e-a72-binman.dtsi b/arch/arm/dts/k3-j721e-a72-binman.dtsi
new file mode 100644
index 0000000000..beb3424bb9
--- /dev/null
+++ b/arch/arm/dts/k3-j721e-a72-binman.dtsi
@@ -0,0 +1,86 @@
+// SPDX-License-Identifier: GPL-2.0+
+// Copyright (C) 2022 Texas Instruments Incorporated - https://www.ti.com/
+
+#include <config.h>
+
+#ifdef CONFIG_ARM64
+/ {
+	binman: binman {
+		multiple-images;
+	};
+};
+
+&binman {
+	tispl {
+		filename = "tispl.bin";
+		fit {
+			description = "FIT IMAGE";
+			#address-cells = <1>;
+			images {
+				atf {
+					description = "ARM Trusted Firmware";
+					type = "firmware";
+					arch = "arm64";
+					compression = "none";
+					os = "arm-trusted-firmware";
+					load = <CONFIG_K3_ATF_LOAD_ADDR>;
+					entry = <CONFIG_K3_ATF_LOAD_ADDR>;
+					atf-bl31 {
+					};
+				};
+				tee {
+					description = "OPTEE";
+					type = "tee";
+					arch = "arm64";
+					compression = "none";
+					os = "tee";
+					load = <0x9e800000>;
+					entry = <0x9e800000>;
+					tee-os {
+					};
+				};
+				dm {
+					description = "DM binary";
+					type = "firmware";
+					arch = "arm32";
+					compression = "none";
+					os = "DM";
+					load = <0x89000000>;
+					entry = <0x89000000>;
+					ti-dm {
+					};
+				};
+				spl {
+					description = "SPL (64-bit)";
+					type = "standalone";
+					os = "U-Boot";
+					arch = "arm64";
+					compression = "none";
+					load = <CONFIG_SPL_TEXT_BASE>;
+					entry = <CONFIG_SPL_TEXT_BASE>;
+					u-boot-spl-nodtb {
+					};
+				};
+				k3-j721e-common-proc-board.dtb {
+					description = "k3-j721e-common-proc-board";
+					type = "flat_dt";
+					arch = "arm";
+					compression = "none";
+					blob-ext {
+					filename = "spl/dts/k3-j721e-common-proc-board.dtb";
+					};
+				};
+			};
+			configurations {
+				default = "conf";
+				conf {
+					description = "k3-j721e-common-proc-board";
+					firmware = "atf";
+					loadables = "tee", "dm", "spl";
+					fdt = "k3-j721e-common-proc-board.dtb";
+				};
+			};
+		};
+	};
+};
+#endif
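Review bot: The tee and dm images hard-code load and entry as 0x9e800000 and 0x89000000 while atf and spl take theirs from CONFIG_K3_ATF_LOAD_ADDR and CONFIG_SPL_TEXT_BASE; these two should come from Kconfig symbols or named defines as well, so they cannot drift from the memory map used elsewhere. The arch strings are inconsistent too ("arm32" for dm, "arm" for the dtb inside an otherwise arm64 FIT), the filename line inside the dtb's blob-ext is one tab short, and none of the image nodes has a hash subnode, so the FIT carries no digest for its payloads.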
diff --git a/arch/arm/dts/k3-j721e-common-proc-board-u-boot.dtsi b/arch/arm/dts/k3-j721e-common-proc-board-u-boot.dtsi
index 677a72d2a2..6490d71f7e 100644
--- a/arch/arm/dts/k3-j721e-common-proc-board-u-boot.dtsi
+++ b/arch/arm/dts/k3-j721e-common-proc-board-u-boot.dtsi
@@ -4,6 +4,7 @@
  */
 
 #include <dt-bindings/net/ti-dp83867.h>
+#include "k3-j721e-a72-binman.dtsi"
 
 / {
 	chosen {
diff --git a/arch/arm/mach-k3/config.mk b/arch/arm/mach-k3/config.mk
index 49f80ae79b..e0d9ea97c9 100644
--- a/arch/arm/mach-k3/config.mk
+++ b/arch/arm/mach-k3/config.mk
@@ -52,38 +52,5 @@ ifeq ($(CONFIG_SOC_K3_J721E),)
 export DM := /dev/null
 endif
 
-ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
-SPL_ITS := u-boot-spl-k3_HS.its
-$(SPL_ITS): export IS_HS=1
-INPUTS-y	+= tispl.bin_HS
-else
-SPL_ITS := u-boot-spl-k3.its
-INPUTS-y	+= tispl.bin
-endif
-
-ifeq ($(CONFIG_SPL_OF_LIST),)
-LIST_OF_DTB := $(CONFIG_DEFAULT_DEVICE_TREE)
-else
-LIST_OF_DTB := $(CONFIG_SPL_OF_LIST)
 endif
-
-quiet_cmd_k3_mkits = MKITS   $@
-cmd_k3_mkits = \
-	$(srctree)/tools/k3_fit_atf.sh \
-	$(CONFIG_K3_ATF_LOAD_ADDR) \
-	$(patsubst %,$(obj)/dts/%.dtb,$(subst ",,$(LIST_OF_DTB))) > $@
-
-$(SPL_ITS): FORCE
-	$(call cmd,k3_mkits)
 endif
-
-else
-
-ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
-INPUTS-y	+= u-boot.img_HS
-else
-INPUTS-y	+= u-boot.img
-endif
-endif
-
-include $(srctree)/arch/arm/mach-k3/config_secure.mk
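Review bot: The removed CONFIG_TI_SECURE_DEVICE branches and the include of config_secure.mk sit in the shared arch/arm/mach-k3/config.mk, so this drops tispl.bin_HS, u-boot.img_HS and the plain tispl.bin and u-boot.img inputs for every K3 board, while the series only selects BINMAN and adds binman nodes for the two J721E targets. Keep the make path for boards that have no binman node yet, or restrict the removal to J721E, and keep the HS handling until binman can produce the _HS images.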
diff --git a/board/ti/j721e/Kconfig b/board/ti/j721e/Kconfig
index a3a9d504ae..3cf05f0d3b 100644
--- a/board/ti/j721e/Kconfig
+++ b/board/ti/j721e/Kconfig
@@ -14,6 +14,7 @@ config TARGET_J721E_A72_EVM
 	select BOARD_LATE_INIT
 	imply TI_I2C_BOARD_DETECT
 	select SYS_DISABLE_DCACHE_OPS
+	select BINMAN
 
 config TARGET_J721E_R5_EVM
 	bool "TI K3 based J721E EVM running on R5"
diff --git a/scripts/Makefile.spl b/scripts/Makefile.spl
index 6ad82cecfb..5f8a8487c5 100644
--- a/scripts/Makefile.spl
+++ b/scripts/Makefile.spl
@@ -577,7 +577,3 @@ $(obj)/$(SPL_BIN).multidtb.fit.gz: $(obj)/$(SPL_BIN).multidtb.fit
 $(obj)/$(SPL_BIN).multidtb.fit.lzo: $(obj)/$(SPL_BIN).multidtb.fit
 	@lzop -f9 $< > $@
 
-ifdef CONFIG_ARCH_K3
-tispl.bin: $(obj)/u-boot-spl-nodtb.bin $(SHRUNK_ARCH_DTB) $(SPL_ITS) FORCE
-	$(call if_changed,mkfitimage)
-endif
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 36+ messages in thread

* Re: [PATCH RFC v2 00/11] Integration of sysfw, tispl and tiboot3
  2022-05-06  4:37 [PATCH RFC v2 00/11] Integration of sysfw, tispl and tiboot3 Neha Malcom Francis
                   ` (10 preceding siblings ...)
  2022-05-06  4:37 ` [PATCH RFC v2 11/11] ti: dtsi: j721e: Use binman to package tispl.bin Neha Malcom Francis
@ 2022-05-10 20:05 ` Tom Rini
  2022-05-11 18:56   ` Alper Nebi Yasak
  2022-05-31  8:21 ` Roger Quadros
  12 siblings, 1 reply; 36+ messages in thread
From: Tom Rini @ 2022-05-10 20:05 UTC (permalink / raw)
  To: Neha Malcom Francis, Alper Nebi Yasak; +Cc: u-boot

On Fri, May 06, 2022 at 10:07:48AM +0530, Neha Malcom Francis wrote:

> Devices that belong to the K3 architecture require SYSFW which is a FIT
> image consisting of a signed system firmware image and board config
> binaries.
> 
> Board config binaries are needed to bring up SYSFW during U-Boot SPL
> startup. The board config data is given in YAML as input. These board
> configs contain board-specific information such as resource management,
> power management and security.
> 
> The following series intends to plumb the system firmware generation
> into U-Boot using binman for packaging. Thus it will eliminate the need
> for additional custom repositories for SYSFW generation and also moves
> towards the community standard build flow. We use binman to package
> tiboot3.bin and sysfw.itb images.
> 
> These images also require x509 certificates which are created using the
> etype x509-cert.
> 
> The series also plumbs the generation of tispl.bin into the build flow.
> This image is required for loading u-boot in K3 devices. The image is
> packaged using ATF, OPTEE and DM (Device Manager).
> 
> Please note that the following series has implemented the above for
> J721E general purpose board. The board configs and device trees added
> are specific to J721E GP devices.
> 
> Also note the introduction of three new etypes: ti-sysfw, ti-dm and
> x509-cert.
> 
> On running CI tests on Github, errors were produced during world builds
> of keystone2_keystone3 and siemens (IOT2050 which is based on AM65x).
> This patch series is intended for only J721E and future work is to expand
> to the remaining K3 devices as well. The errors that come are mainly due
> to the boards other than J721E trying to generate tispl.bin.
> 
> v2:
> - Added etype x509-cert for creating x509 Texas Instruments certificate
>   binary
> - Added packaging of tiboot3.bin
> - Packaging of tiboot3.bin and sysfw.itb using new etype x509
> - sysfw --> ti-sysfw
> - Reformatted and re-arranged patches
> - Removed k3_fit_atf.sh and k3_gen_x509_cert.sh as their functionality
>   is provided by binman now
> 
> Neha Malcom Francis (11):
>   j721e_evm: schema: yaml: Add general schema and J721E board config
>     files
>   ti: tools: config: Add board config class to generate config binaries
>   ti: etype: sysfw: Add entry type for sysfw
>   ti: etype: dm: Add entry type for TI DM
>   ti: etype: x509: Add etype for x509 certificate for K3 devices
>   ti: sysfw: Add support for packaging sysfw.itb
>   ti: tiboot3.bin: Remove tiboot3.bin target from makefile
>   ti: tispl.bin: Removed script that packages tispl.bin
>   ti: x509: Remove shell script used for signing
>   ti: dtsi: j721e: Use binman to package sysfw.itb and tiboot3.bin
>   ti: dtsi: j721e: Use binman to package tispl.bin
> 
>  Makefile                                      |    2 +
>  arch/arm/dts/k3-j721e-a72-binman.dtsi         |   86 +
>  .../k3-j721e-common-proc-board-u-boot.dtsi    |    1 +
>  arch/arm/dts/k3-j721e-r5-binman.dtsi          |   88 +
>  .../k3-j721e-r5-common-proc-board-u-boot.dtsi |    1 +
>  arch/arm/mach-k3/config.mk                    |   64 +-
>  board/ti/common/schema.yaml                   |  355 ++
>  board/ti/j721e/Kconfig                        |    2 +
>  board/ti/j721e/config.yaml                    | 3162 +++++++++++++++++
>  scripts/Makefile.spl                          |    4 -
>  test/py/requirements.txt                      |    1 +
>  tools/binman/entries.rst                      |   36 +
>  tools/binman/etype/ti_dm.py                   |   23 +
>  tools/binman/etype/ti_sysfw.py                |   28 +
>  tools/binman/etype/x509_cert.py               |  248 ++
>  tools/binman/ftest.py                         |   21 +
>  tools/binman/test/225_ti_dm.dts               |   13 +
>  tools/binman/test/232_ti_sysfw.dts            |   13 +
>  tools/binman/test/232_x509_cert.dts           |   18 +
>  tools/k3_fit_atf.sh                           |  123 -
>  tools/k3_gen_x509_cert.sh                     |  252 --
>  tools/tibcfg_gen.py                           |  114 +
>  22 files changed, 4227 insertions(+), 428 deletions(-)
>  create mode 100644 arch/arm/dts/k3-j721e-a72-binman.dtsi
>  create mode 100644 arch/arm/dts/k3-j721e-r5-binman.dtsi
>  create mode 100644 board/ti/common/schema.yaml
>  create mode 100644 board/ti/j721e/config.yaml
>  create mode 100644 tools/binman/etype/ti_dm.py
>  create mode 100644 tools/binman/etype/ti_sysfw.py
>  create mode 100644 tools/binman/etype/x509_cert.py
>  create mode 100644 tools/binman/test/225_ti_dm.dts
>  create mode 100644 tools/binman/test/232_ti_sysfw.dts
>  create mode 100644 tools/binman/test/232_x509_cert.dts
>  delete mode 100755 tools/k3_fit_atf.sh
>  delete mode 100755 tools/k3_gen_x509_cert.sh
>  create mode 100644 tools/tibcfg_gen.py

Adding the other binman maintainer..

-- 
Tom

^ permalink raw reply	[flat|nested] 36+ messages in thread

* Re: [PATCH RFC v2 00/11] Integration of sysfw, tispl and tiboot3
  2022-05-10 20:05 ` [PATCH RFC v2 00/11] Integration of sysfw, tispl and tiboot3 Tom Rini
@ 2022-05-11 18:56   ` Alper Nebi Yasak
  0 siblings, 0 replies; 36+ messages in thread
From: Alper Nebi Yasak @ 2022-05-11 18:56 UTC (permalink / raw)
  To: Tom Rini; +Cc: u-boot, Neha Malcom Francis

On 10/05/2022 23:05, Tom Rini wrote:
> Adding the other binman maintainer..

Thanks. I haven't been able to focus on anything for a while. I'll try
to review the few series that have accumulated, maybe can manage this
week or so if things go well. Just wanted to send an update.

^ permalink raw reply	[flat|nested] 36+ messages in thread

* Re: [PATCH RFC v2 00/11] Integration of sysfw, tispl and tiboot3
  2022-05-06  4:37 [PATCH RFC v2 00/11] Integration of sysfw, tispl and tiboot3 Neha Malcom Francis
                   ` (11 preceding siblings ...)
  2022-05-10 20:05 ` [PATCH RFC v2 00/11] Integration of sysfw, tispl and tiboot3 Tom Rini
@ 2022-05-31  8:21 ` Roger Quadros
  2022-06-01  5:54   ` Neha Malcom Francis
  12 siblings, 1 reply; 36+ messages in thread
From: Roger Quadros @ 2022-05-31  8:21 UTC (permalink / raw)
  To: Neha Malcom Francis, u-boot

Hi,

On 06/05/2022 07:37, Neha Malcom Francis wrote:
> Devices that belong to the K3 architecture require SYSFW which is a FIT
> image consisting of a signed system firmware image and board config
> binaries.
> 
> Board config binaries are needed to bring up SYSFW during U-Boot SPL
> startup. The board config data is given in YAML as input. These board
> configs contain board-specific information such as resource management,
> power management and security.
> 
> The following series intends to plumb the system firmware generation
> into U-Boot using binman for packaging. Thus it will eliminate the need
> for additional custom repositories for SYSFW generation and also moves
> towards the community standard build flow. We use binman to package
> tiboot3.bin and sysfw.itb images.
> 
> These images also require x509 certificates which are created using the
> etype x509-cert.
> 
> The series also plumbs the generation of tispl.bin into the build flow.
> This image is required for loading u-boot in K3 devices. The image is
> packaged using ATF, OPTEE and DM (Device Manager).
> 
> Please note that the following series has implemented the above for
> J721E general purpose board. The board configs and device trees added
> are specific to J721E GP devices.
> 
> Also note the introduction of three new etypes: ti-sysfw, ti-dm and
> x509-cert.
> 
> On running CI tests on Github, errors were produced during world builds
> of keystone2_keystone3 and siemens (IOT2050 which is based on AM65x).
> This patch series is intended for only J721E and future work is to expand
> to the remaining K3 devices as well. The errors that come are mainly due
> to the boards other than J721E trying to generate tispl.bin.

You will have to implement it such that none of the existing board build/functionality
breaks. Otherwise it will be impossible to get this merged.

Is this series tested for High-Security (HS) J721E as well?

cheers,
-roger

> 
> v2:
> - Added etype x509-cert for creating x509 Texas Instruments certificate
>   binary
> - Added packaging of tiboot3.bin
> - Packaging of tiboot3.bin and sysfw.itb using new etype x509
> - sysfw --> ti-sysfw
> - Reformatted and re-arranged patches
> - Removed k3_fit_atf.sh and k3_gen_x509_cert.sh as their functionality
>   is provided by binman now
> 
> Neha Malcom Francis (11):
>   j721e_evm: schema: yaml: Add general schema and J721E board config
>     files
>   ti: tools: config: Add board config class to generate config binaries
>   ti: etype: sysfw: Add entry type for sysfw
>   ti: etype: dm: Add entry type for TI DM
>   ti: etype: x509: Add etype for x509 certificate for K3 devices
>   ti: sysfw: Add support for packaging sysfw.itb
>   ti: tiboot3.bin: Remove tiboot3.bin target from makefile
>   ti: tispl.bin: Removed script that packages tispl.bin
>   ti: x509: Remove shell script used for signing
>   ti: dtsi: j721e: Use binman to package sysfw.itb and tiboot3.bin
>   ti: dtsi: j721e: Use binman to package tispl.bin
> 
>  Makefile                                      |    2 +
>  arch/arm/dts/k3-j721e-a72-binman.dtsi         |   86 +
>  .../k3-j721e-common-proc-board-u-boot.dtsi    |    1 +
>  arch/arm/dts/k3-j721e-r5-binman.dtsi          |   88 +
>  .../k3-j721e-r5-common-proc-board-u-boot.dtsi |    1 +
>  arch/arm/mach-k3/config.mk                    |   64 +-
>  board/ti/common/schema.yaml                   |  355 ++
>  board/ti/j721e/Kconfig                        |    2 +
>  board/ti/j721e/config.yaml                    | 3162 +++++++++++++++++
>  scripts/Makefile.spl                          |    4 -
>  test/py/requirements.txt                      |    1 +
>  tools/binman/entries.rst                      |   36 +
>  tools/binman/etype/ti_dm.py                   |   23 +
>  tools/binman/etype/ti_sysfw.py                |   28 +
>  tools/binman/etype/x509_cert.py               |  248 ++
>  tools/binman/ftest.py                         |   21 +
>  tools/binman/test/225_ti_dm.dts               |   13 +
>  tools/binman/test/232_ti_sysfw.dts            |   13 +
>  tools/binman/test/232_x509_cert.dts           |   18 +
>  tools/k3_fit_atf.sh                           |  123 -
>  tools/k3_gen_x509_cert.sh                     |  252 --
>  tools/tibcfg_gen.py                           |  114 +
>  22 files changed, 4227 insertions(+), 428 deletions(-)
>  create mode 100644 arch/arm/dts/k3-j721e-a72-binman.dtsi
>  create mode 100644 arch/arm/dts/k3-j721e-r5-binman.dtsi
>  create mode 100644 board/ti/common/schema.yaml
>  create mode 100644 board/ti/j721e/config.yaml
>  create mode 100644 tools/binman/etype/ti_dm.py
>  create mode 100644 tools/binman/etype/ti_sysfw.py
>  create mode 100644 tools/binman/etype/x509_cert.py
>  create mode 100644 tools/binman/test/225_ti_dm.dts
>  create mode 100644 tools/binman/test/232_ti_sysfw.dts
>  create mode 100644 tools/binman/test/232_x509_cert.dts
>  delete mode 100755 tools/k3_fit_atf.sh
>  delete mode 100755 tools/k3_gen_x509_cert.sh
>  create mode 100644 tools/tibcfg_gen.py
> 

^ permalink raw reply	[flat|nested] 36+ messages in thread

* Re: [PATCH RFC v2 03/11] ti: etype: sysfw: Add entry type for sysfw
  2022-05-06  4:37 ` [PATCH RFC v2 03/11] ti: etype: sysfw: Add entry type for sysfw Neha Malcom Francis
@ 2022-05-31  8:44   ` Roger Quadros
  2022-06-01  5:58     ` Neha Malcom Francis
  0 siblings, 1 reply; 36+ messages in thread
From: Roger Quadros @ 2022-05-31  8:44 UTC (permalink / raw)
  To: Neha Malcom Francis, u-boot



On 06/05/2022 07:37, Neha Malcom Francis wrote:
> For K3 devices that require a sysfw image, add entry for SYSFW. It can

'can' or 'should'?

For binman, 'sysfw' and 'dm' (added in patch 4) are just binary blobs, correct?
Why can't you just use blob entry type?

> contain system firmware image that can be packaged into sysfw.itb by
> binman.
> 
> Signed-off-by: Tarun Sahu <t-sahu@ti.com>
> [n-francis@ti.com: added tests for addition of etype]
> Signed-off-by: Neha Malcom Francis <n-francis@ti.com>

cheers,
-roger

> ---
>  Makefile                           |  1 +
>  tools/binman/entries.rst           | 11 +++++++++++
>  tools/binman/etype/ti_sysfw.py     | 28 ++++++++++++++++++++++++++++
>  tools/binman/ftest.py              |  7 +++++++
>  tools/binman/test/232_ti_sysfw.dts | 13 +++++++++++++
>  5 files changed, 60 insertions(+)
>  create mode 100644 tools/binman/etype/ti_sysfw.py
>  create mode 100644 tools/binman/test/232_ti_sysfw.dts
> 
> diff --git a/Makefile b/Makefile
> index 4b347d3603..581fbba4c3 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -1338,6 +1338,7 @@ cmd_binman = $(srctree)/tools/binman/binman $(if $(BINMAN_DEBUG),-D) \
>  		-a opensbi-path=${OPENSBI} \
>  		-a default-dt=$(default_dt) \
>  		-a scp-path=$(SCP) \
> +		-a ti-sysfw-path=$(SYSFW) \
>  		-a spl-bss-pad=$(if $(CONFIG_SPL_SEPARATE_BSS),,1) \
>  		-a tpl-bss-pad=$(if $(CONFIG_TPL_SEPARATE_BSS),,1) \
>  		-a spl-dtb=$(CONFIG_SPL_OF_REAL) \
> diff --git a/tools/binman/entries.rst b/tools/binman/entries.rst
> index ae4305c99e..6c0f03b34f 100644
> --- a/tools/binman/entries.rst
> +++ b/tools/binman/entries.rst
> @@ -1203,6 +1203,17 @@ This entry holds firmware for an external platform-specific coprocessor.
>  
>  
>  
> +Entry: sysfw: Texas Instruments System Firmware (SYSFW) blob
> +------------------------------------------------------------
> +
> +Properties / Entry arguments:
> +    - ti-sysfw-path: Filename of file to read into the entry, typically sysfw.bin
> +
> +This entry contains system firmware necessary for booting of K3 architecture
> +devices.
> +
> +
> +
>  Entry: section: Entry that contains other entries
>  -------------------------------------------------
>  
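Review bot: The heading reads "Entry: sysfw:" but the etype this patch adds is ti-sysfw (class Entry_ti_sysfw, argument ti-sysfw-path), so a reader searching the documentation for the node name used in the test .dts will not find it. Rename the heading to "Entry: ti-sysfw: ..." and lengthen the underline to match.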
> diff --git a/tools/binman/etype/ti_sysfw.py b/tools/binman/etype/ti_sysfw.py
> new file mode 100644
> index 0000000000..5b5b307030
> --- /dev/null
> +++ b/tools/binman/etype/ti_sysfw.py
> @@ -0,0 +1,28 @@
> +# SPDX-License-Identifier: GPL-2.0+
> +# Copyright (C) 2022 Texas Instruments Incorporated - https://www.ti.com/
> +#
> +# Entry type module for TI SYSFW binary blob
> +#
> +
> +import os
> +import struct
> +import sys
> +import zlib
> +
> +from binman.etype.blob_named_by_arg import Entry_blob_named_by_arg
> +from dtoc import fdt_util
> +from patman import tools
> +
> +
> +class Entry_ti_sysfw(Entry_blob_named_by_arg):
> +    """Entry containing Texas Instruments System Firmware (SYSFW) blob
> +
> +    Properties / Entry arguments:
> +        - ti-sysfw-path: Filename of file to read into the entry, typically sysfw.bin
> +
> +    This entry contains system firmware necessary for booting of K3 architecture devices.
> +    """
> +
> +    def __init__(self, section, etype, node):
> +        super().__init__(section, etype, node, 'ti-sysfw')
> +        self.external = True
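Review bot: The imports of os, struct, sys, zlib, fdt_util and tools are unused; the class body only calls super().__init__() and sets self.external, so the Entry_blob_named_by_arg import is the only one needed. Please drop the rest.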
> diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py
> index 4ce181a066..ec408de334 100644
> --- a/tools/binman/ftest.py
> +++ b/tools/binman/ftest.py
> @@ -87,6 +87,7 @@ ATF_BL31_DATA         = b'bl31'
>  TEE_OS_DATA           = b'this is some tee OS data'
>  ATF_BL2U_DATA         = b'bl2u'
>  OPENSBI_DATA          = b'opensbi'
> +TI_SYSFW_DATA         = b'sysfw'
>  SCP_DATA              = b'scp'
>  TEST_FDT1_DATA        = b'fdt1'
>  TEST_FDT2_DATA        = b'test-fdt2'
> @@ -195,6 +196,7 @@ class TestFunctional(unittest.TestCase):
>          TestFunctional._MakeInputFile('tee-pager.bin', TEE_OS_DATA)
>          TestFunctional._MakeInputFile('bl2u.bin', ATF_BL2U_DATA)
>          TestFunctional._MakeInputFile('fw_dynamic.bin', OPENSBI_DATA)
> +        TestFunctional._MakeInputFile('sysfw.bin', TI_SYSFW_DATA)
>          TestFunctional._MakeInputFile('scp.bin', SCP_DATA)
>  
>          # Add a few .dtb files for testing
> @@ -5522,6 +5524,11 @@ fdt         fdtmap                Extract the devicetree blob from the fdtmap
>          """Test an image with a pre-load header with an invalid key"""
>          with self.assertRaises(ValueError) as e:
>              data = self._DoReadFile('231_pre_load_invalid_key.dts')
> +    
> +    def testPackTiSysfw(self):
> +        """Test that an image with a SYSFW binary can be created"""
> +        data = self._DoReadFile('232_ti_sysfw.dts')
> +        self.assertEqual(TI_SYSFW_DATA, data[:len(TI_SYSFW_DATA)])
>  
>  if __name__ == "__main__":
>      unittest.main()
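Review bot: The separator line added before testPackTiSysfw is "+    " with trailing whitespace, which should be an empty line. The assertion also only compares the first len(TI_SYSFW_DATA) bytes of the image; since 232_ti_sysfw.dts holds a single ti-sysfw entry, assertEqual(TI_SYSFW_DATA, data) would also catch unexpected trailing content.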
> diff --git a/tools/binman/test/232_ti_sysfw.dts b/tools/binman/test/232_ti_sysfw.dts
> new file mode 100644
> index 0000000000..9e66cbe77b
> --- /dev/null
> +++ b/tools/binman/test/232_ti_sysfw.dts
> @@ -0,0 +1,13 @@
> +// SPDX-License-Identifier: GPL-2.0+
> +
> +/dts-v1/;
> +
> +/ {
> +	#address-cells = <1>;
> +	#size-cells = <1>;
> +	binman {
> +		ti-sysfw {
> +			filename = "sysfw.bin";
> +		};
> +	};
> +};
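Review bot: This test file takes number 232, which the series' diffstat also gives to 232_x509_cert.dts, while the ti-dm test is numbered 225. Give each new test its own number, following on from the last existing one (231_pre_load_invalid_key.dts in the ftest.py context), so the files sort and map to tests unambiguously.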

^ permalink raw reply	[flat|nested] 36+ messages in thread

* Re: [PATCH RFC v2 05/11] ti: etype: x509: Add etype for x509 certificate for K3 devices
  2022-05-06  4:37 ` [PATCH RFC v2 05/11] ti: etype: x509: Add etype for x509 certificate for K3 devices Neha Malcom Francis
@ 2022-05-31  9:20   ` Roger Quadros
  2022-06-01  6:02     ` Neha Malcom Francis
  0 siblings, 1 reply; 36+ messages in thread
From: Roger Quadros @ 2022-05-31  9:20 UTC (permalink / raw)
  To: Neha Malcom Francis, u-boot



On 06/05/2022 07:37, Neha Malcom Francis wrote:
> K3 devices x509 certificate added to certain binaries that allows ROM to

what binaries?

> validate the integrity of the image. Etype that generates an x509
> certificate depending on boot flow added.

Could you please explain in more detail as to what exactly is happening here.

What do you mean by "depending on boot flow"?

> 
> Signed-off-by: Neha Malcom Francis <n-francis@ti.com>
> ---
>  tools/binman/entries.rst            |  15 ++
>  tools/binman/etype/x509_cert.py     | 248 ++++++++++++++++++++++++++++
>  tools/binman/ftest.py               |   7 +
>  tools/binman/test/232_x509_cert.dts |  18 ++
>  tools/k3_gen_x509_cert.sh           |  10 +-
>  5 files changed, 293 insertions(+), 5 deletions(-)
>  create mode 100644 tools/binman/etype/x509_cert.py
>  create mode 100644 tools/binman/test/232_x509_cert.dts
> 
> diff --git a/tools/binman/entries.rst b/tools/binman/entries.rst
> index 0c6d82fce8..dfa281e49f 100644
> --- a/tools/binman/entries.rst
> +++ b/tools/binman/entries.rst
> @@ -1890,6 +1890,21 @@ and kernel are genuine.
>  
>  
>  
> +Entry: x509cert: x509 certificate for K3 devices
> +------------------------------------------------
> +

x509 is a generic standard. Can this be made usable by other vendors as well or
is it very specific to TI?
If this is TI specific then I'd suggest a "ti-" prefix to the entry name.

> +Properties / Entry arguments:
> +        - content: Phandle of binary to sign
> +        - output: Name of the final output file

why do you need output property?

> +        - key_file: File with key inside it. If not provided, script generates RSA degenerate key
> +        - core: Target core ID on which image would be running
> +        - load: Target load address of the binary in hex
> +
> +    Output files:
> +        - certificate.bin: Signed certificate binary
> +
> +
> +
>  Entry: x86-reset16: x86 16-bit reset code for U-Boot
>  ----------------------------------------------------
>  
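Review bot: The property list documents key_file, but the etype reads 'key-file' in fdt_util.GetString(), so a node written from this documentation would have its key ignored and fall back to the generated degenerate key without any error. The list also names an output property that __init__ never reads, and the heading says x509cert where the etype is x509-cert; please bring the documentation in line with the properties the code actually parses.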
> diff --git a/tools/binman/etype/x509_cert.py b/tools/binman/etype/x509_cert.py
> new file mode 100644
> index 0000000000..0009973155
> --- /dev/null
> +++ b/tools/binman/etype/x509_cert.py
> @@ -0,0 +1,248 @@
> +# SPDX-License-Identifier: GPL-2.0+
> +# Copyright (c) 2018 Google, Inc
> +# Written by Simon Glass <sjg@chromium.org>
> +#
> +
> +# Support for a x509 certificate for signing K3 devices
> +
> +import os
> +from collections import OrderedDict
> +from subprocess import Popen, PIPE
> +from sys import stderr, stdout
> +
> +import asn1
> +from Crypto.PublicKey import RSA
> +from cryptography.hazmat.backends import default_backend
> +from cryptography.hazmat.primitives import serialization
> +
> +from binman.etype.collection import Entry_collection
> +from dtoc import fdt_util
> +from patman import tools
> +
> +temp_x509 = "x509-temp.cert"
> +cert = "certificate.bin"
> +rand_key = "eckey.pem"
> +bootcore_opts = 0
> +bootcore = 0
> +debug_type = 0
> +
> +
> +class Entry_x509_cert(Entry_collection):
> +    """ An entry which contains a x509 certificate
> +
> +    Properties / Entry arguments:
> +        - content: Phandle of binary to sign
> +        - key_file: File with key inside it. If not provided, script generates RSA degenerate key
> +        - core: Target core ID on which image would be running
> +        - load: Target load address of the binary in hex
> +
> +    Output files:
> +        - certificate.bin: Signed certificate binary"""
> +
> +    def __init__(self, section, etype, node):
> +        super().__init__(section, etype, node)
> +        self.key_file = fdt_util.GetString(self._node, 'key-file', "")
> +        self.core = fdt_util.GetInt(self._node, 'core', 0)
> +        self.load_addr = fdt_util.GetInt(self._node, 'load', 0x41c00000)
> +
> +    def ReadNode(self):
> +        super().ReadNode()
> +        if self.key_file == "":
> +            self.degen_key = True
> +        else:
> +            self.degen_key = False
> +
> +    def _CreateCertificate(self):
> +        """Create certificate for legacy boot flow"""
> +        if self.degen_key == True:
> +            gen_degen_key()
> +            self.key_file = rand_key
> +
> +        sha_val = get_sha_val("intermediate-sysfw.bin")
> +        bin_size = get_file_size("intermediate-sysfw.bin")
> +        addr = "%08x" % self.load_addr
> +        if self.core == 0:
> +            cert_type = 2
> +        elif self.core == 16:
> +            cert_type = 1
> +        else:
> +            cert_type = 2
> +        debug_type = 0
> +
> +        gen_template()
> +        gen_cert(bin_size, sha_val, cert_type, bootcore_opts,
> +                 self.core, addr, debug_type, self.key_file)
> +
> +        return tools.read_file("certificate.bin")
> +
> +    def ObtainContents(self):
> +        self.image = self.GetContents(False)
> +        if self.image is None:
> +            return False
> +        f = open("intermediate-sysfw.bin", "wb")
> +        f.write(self.image)
> +        f.close()
> +        self.SetContents(self._CreateCertificate())
> +        return True
> +
> +    def ProcessContents(self):
> +        data = self._CreateCertificate()
> +        return self.ProcessContentsUpdate(data)

Why do you need _CreateCertificate() and ProcessContents()?
Just have one ObtainContents() and try to get rid of all the intermediate files.

> +
> +
> +def get_sha_val(binary_file):
> +    process = Popen(['openssl', 'dgst', '-sha512', '-hex',
> +                    binary_file], stdout=PIPE, stderr=PIPE)
> +    stdout, stderr = process.communicate()
> +    sha_val = stdout.split()[1]
> +    return sha_val
> +
> +
> +def get_file_size(binary_file):
> +    return os.path.getsize(binary_file)
> +
> +
> +def gen_degen_template():
> +    with open("degen-template.txt", 'w+', encoding='utf-8') as f:
> +        degen_temp = """
> +asn1=SEQUENCE:rsa_key
> +
> +[rsa_key]
> +version=INTEGER:0
> +modulus=INTEGER:0xDEGEN_MODULUS
> +pubExp=INTEGER:1
> +privExp=INTEGER:1
> +p=INTEGER:0xDEGEN_P
> +q=INTEGER:0xDEGEN_Q
> +e1=INTEGER:1
> +e2=INTEGER:1
> +coeff=INTEGER:0xDEGEN_COEFF"""
> +        f.write(degen_temp)
> +
> +
> +def gen_template():
> +    """Generate x509 Template"""
> +    with open("x509-template.txt", "w+", encoding='utf-8') as f:
> +        x509template = """
> +[ req ]
> +distinguished_name     = req_distinguished_name
> +x509_extensions        = v3_ca
> +prompt                 = no
> +dirstring_type         = nobmp
> +
> +[ req_distinguished_name ]
> +C                      = US
> +ST                     = TX
> +L                      = Dallas
> +O                      = Texas Instruments Incorporated
> +OU                     = Processors
> +CN                     = TI support
> +emailAddress           = support@ti.com
> +
> +[ v3_ca ]
> +basicConstraints = CA:true
> +1.3.6.1.4.1.294.1.1 = ASN1:SEQUENCE:boot_seq
> +1.3.6.1.4.1.294.1.2 = ASN1:SEQUENCE:image_integrity
> +1.3.6.1.4.1.294.1.3 = ASN1:SEQUENCE:swrv
> +# 1.3.6.1.4.1.294.1.4 = ASN1:SEQUENCE:encryption
> +1.3.6.1.4.1.294.1.8 = ASN1:SEQUENCE:debug
> +
> +[ boot_seq ]
> +certType = INTEGER:TEST_CERT_TYPE
> +bootCore = INTEGER:TEST_BOOT_CORE
> +bootCoreOpts = INTEGER:TEST_BOOT_CORE_OPTS
> +destAddr = FORMAT:HEX,OCT:TEST_BOOT_ADDR
> +imageSize = INTEGER:TEST_IMAGE_LENGTH
> +
> +[ image_integrity ]
> +shaType = OID:2.16.840.1.101.3.4.2.3
> +shaValue = FORMAT:HEX,OCT:TEST_IMAGE_SHA_VAL
> +
> +[ swrv ]
> +swrv = INTEGER:0
> +
> +# [ encryption ]
> +# initalVector = FORMAT:HEX,OCT:TEST_IMAGE_ENC_IV
> +# randomString = FORMAT:HEX,OCT:TEST_IMAGE_ENC_RS
> +# iterationCnt = INTEGER:TEST_IMAGE_KEY_DERIVE_INDEX
> +# salt = FORMAT:HEX,OCT:TEST_IMAGE_KEY_DERIVE_SALT
> +
> +[ debug ]
> +debugUID = FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000
> +debugType = INTEGER:TEST_DEBUG_TYPE
> +coreDbgEn = INTEGER:0
> +coreDbgSecEn = INTEGER:0"""
> +        f.write(x509template)
> +
> +
> +def parse_key(inp_key, section):
> +    parsed_key = ""
> +    section_true = False
> +    with open(inp_key, 'r') as file:
> +        for line in file:
> +            if section in line:
> +                section_true = True
> +            elif section_true:
> +                if "    " not in line:
> +                    break
> +                else:
> +                    parsed_key += line.replace(":", "").replace("    ", "")
> +    return parsed_key.replace("\n", "")
> +
> +
> +def gen_degen_key():
> +    """Generate a 4096 bit RSA key"""
> +    try:
> +        # generates 1024 bit PEM encoded RSA key in PKCS#1 format
> +        private_key = RSA.generate(1024)
> +        f = open('key.pem', 'wb')
> +        f.write(private_key.exportKey('PEM'))
> +        f.close()
> +    except:
> +        raise(Exception)
> +
> +    try:
> +        process = Popen(['openssl', 'rsa', '-in', 'key.pem',
> +                        '-text', '-out', 'key.txt'], stdout=PIPE, stderr=PIPE)
> +        stdout, stderr = process.communicate()
> +    except:
> +        raise(stderr)
> +
> +    DEGEN_MODULUS = parse_key("key.txt", "modulus")
> +    DEGEN_P = parse_key("key.txt", "prime1")
> +    DEGEN_Q = parse_key("key.txt", "prime2")
> +    DEGEN_COEFF = parse_key("key.txt", "coefficient")
> +
> +    gen_degen_template()
> +
> +    with open("degen-template.txt", 'r') as file_input:
> +        with open("degenerateKey.txt", 'w') as file_output:
> +            for line in file_input:
> +                s = line.replace("DEGEN_MODULUS", DEGEN_MODULUS).replace(
> +                    "DEGEN_P", DEGEN_P).replace("DEGEN_Q", DEGEN_Q).replace("DEGEN_COEFF", DEGEN_COEFF)
> +                file_output.write(s)
> +
> +    try:
> +        process = Popen(['openssl', 'asn1parse', '-genconf', 'degenerateKey.txt',
> +                        '-out', 'degenerateKey.der'], stdout=PIPE, stderr=PIPE)
> +        stdout, stderr = process.communicate()
> +    except:
> +        raise(stderr)
> +
> +    try:
> +        process = Popen(['openssl', 'rsa', '-in', 'degenerateKey.der',
> +                        '-inform', 'DER', '-outform', 'PEM', '-out', rand_key])
> +        stdout, stderr = process.communicate()
> +    except:
> +        raise(stderr)
> +
> +
> +def gen_cert(bin_size, sha_val, cert_type, bootcore_opts, bootcore, addr, debug_type, key):
> +    with open(temp_x509, "w") as output_file:
> +        with open("x509-template.txt", "r") as input_file:
> +            for line in input_file:
> +                output_file.write(line.replace("TEST_IMAGE_LENGTH", str(bin_size)).replace("TEST_IMAGE_SHA_VAL", sha_val.decode("utf-8")).replace("TEST_CERT_TYPE", str(cert_type)).replace(
> +                    "TEST_BOOT_CORE_OPTS", str(bootcore_opts)).replace("TEST_BOOT_CORE", str(bootcore)).replace("TEST_BOOT_ADDR", str(addr)).replace("TEST_DEBUG_TYPE", str(debug_type)))
> +    process = Popen(['openssl', 'req', '-new', '-x509', '-key', key, '-nodes', '-outform',
> +                    'DER', '-out', cert, '-config', temp_x509, '-sha512'], stdout=PIPE, stderr=PIPE)
> +    stdout, stderr = process.communicate()
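
Review bot: None of the openssl calls in get_sha_val(), gen_degen_key() and gen_cert() check the exit status, so a failed openssl run goes unreported. Popen() only raises when the executable cannot be started, and in that case the `except: raise(stderr)` handlers raise a name that is either unassigned or a bytes object, not an exception. Check `process.returncode` (or use subprocess.run() with check=True) and raise an error that carries the stderr text. get_sha_val() can use hashlib.sha512() directly instead of parsing `stdout.split()[1]`. The gen_degen_key() docstring says 4096 bit while the code calls RSA.generate(1024). The keys and templates are written under fixed names in the current directory (key.pem, degenerateKey.txt, x509-template.txt), which can collide when more than one x509-cert entry is processed; write them to a per-entry temporary location.
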
> diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py
> index 5ff294a386..d8ee592250 100644
> --- a/tools/binman/ftest.py
> +++ b/tools/binman/ftest.py
> @@ -96,6 +96,7 @@ ENV_DATA              = b'var1=1\nvar2="2"'
>  PRE_LOAD_MAGIC        = b'UBSH'
>  PRE_LOAD_VERSION      = 0x11223344.to_bytes(4, 'big')
>  PRE_LOAD_HDR_SIZE     = 0x00001000.to_bytes(4, 'big')
> +X509_DATA             = b'filetobesigned'
>  
>  # Subdirectory of the input dir to use to put test FDTs
>  TEST_FDT_SUBDIR       = 'fdts'
> @@ -200,6 +201,7 @@ class TestFunctional(unittest.TestCase):
>          TestFunctional._MakeInputFile('fw_dynamic.bin', OPENSBI_DATA)
>          TestFunctional._MakeInputFile('sysfw.bin', TI_SYSFW_DATA)
>          TestFunctional._MakeInputFile('scp.bin', SCP_DATA)
> +        TestFunctional._MakeInputFile('tosign.bin', X509_DATA)
>  
>          # Add a few .dtb files for testing
>          TestFunctional._MakeInputFile('%s/test-fdt1.dtb' % TEST_FDT_SUBDIR,
> @@ -5537,5 +5539,10 @@ fdt         fdtmap                Extract the devicetree blob from the fdtmap
>          data = self._DoReadFile('232_ti_sysfw.dts')
>          self.assertEqual(TI_SYSFW_DATA, data[:len(TI_SYSFW_DATA)])
>  
> +    def testX509Cert(self):
> +        """Test an image with the default x509 certificate header"""
> +        data = self._DoReadFile('232_x509_cert.dts')
> +        self.assertEqual(X509_DATA, data[938:938 + len(X509_DATA)])

What is 938?

Isn't it easier to just assert that _DoReadFile('232_x509_cert.dts') is greater than len(X509_DATA)?

> +
>  if __name__ == "__main__":
>      unittest.main()
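
Review bot: The slice `data[938:938 + len(X509_DATA)]` in testX509Cert() hard-codes what appears to be the length of the generated certificate, which depends on the template contents and on the openssl output, so the test breaks on any change to either. Derive the offset instead (for example check that the data ends with X509_DATA, or read the DER length of the leading SEQUENCE) and add an assertion on the certificate itself, such as the SHA-512 of X509_DATA appearing in it. The new file is numbered 232_x509_cert.dts while 232_ti_sysfw.dts is already used by the test just above; give it its own number.
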
> diff --git a/tools/binman/test/232_x509_cert.dts b/tools/binman/test/232_x509_cert.dts
> new file mode 100644
> index 0000000000..f768568ca7
> --- /dev/null
> +++ b/tools/binman/test/232_x509_cert.dts
> @@ -0,0 +1,18 @@
> +// SPDX-License-Identifier: GPL-2.0+
> +
> +/dts-v1/;
> +
> +/ {
> +	#address-cells = <1>;
> +	#size-cells = <1>;
> +
> +	binman {
> +		x509-cert {
> +			content = <&image>;
> +		};
> +
> +		image: blob-ext {
> +			filename = "tosign.bin";
> +		};
> +	};
> +};
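
Review bot: The x509-cert node sets only `content`, so the test exercises just the defaults; none of the values gen_cert() takes (cert type, boot core, load address, debug type, key) is covered. Assuming the etype exposes them as properties, add a second .dts that sets them and one that omits `content` to cover the error path.
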
> diff --git a/tools/k3_gen_x509_cert.sh b/tools/k3_gen_x509_cert.sh
> index 298cec1313..b6ef5a2de3 100755
> --- a/tools/k3_gen_x509_cert.sh
> +++ b/tools/k3_gen_x509_cert.sh
> @@ -109,7 +109,7 @@ gen_degen_key() {
>  	openssl asn1parse -genconf degenerateKey.txt -out degenerateKey.der >>/dev/null 2>&1
>  	openssl rsa -in degenerateKey.der -inform DER -outform PEM -out $RAND_KEY >>/dev/null 2>&1
>  	KEY=$RAND_KEY
> -	rm key.pem key.txt degen-template.txt degenerateKey.txt degenerateKey.der
> +	#rm key.pem key.txt degen-template.txt degenerateKey.txt degenerateKey.der
>  }
>  
>  declare -A options_help
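
Review bot: Commenting out the `rm` at the end of gen_degen_key() leaves key.pem, key.txt and the degenerateKey.* files in the directory the script runs from on every build. If the new etype needs such files it should create its own; otherwise keep the cleanup. Either way, commented-out code should not be committed: delete the line or leave it active.
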
> @@ -246,7 +246,7 @@ gen_cert
>  cat $CERT $BIN > $OUTPUT
>  
>  # Remove all intermediate files
> -rm $TEMP_X509 $CERT x509-template.txt
> -if [ "$KEY" == "$RAND_KEY" ]; then
> -	rm $RAND_KEY
> -fi
> +#rm $TEMP_X509 $CERT x509-template.txt
> +#if [ "$KEY" == "$RAND_KEY" ]; then
> +#	rm $RAND_KEY
> +#fi
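
Review bot: The disabled cleanup after `cat $CERT $BIN > $OUTPUT` leaves $TEMP_X509, $CERT, x509-template.txt and the generated $RAND_KEY behind, and patch 09/11 of this series deletes tools/k3_gen_x509_cert.sh outright, so the edit only lives for the commits in between. Drop this change to the script, or state in the commit message which later step needs those files.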

Why these changes?
Maybe you should include them within
"ifndef CONFIG_BINMAN ... endif" to avoid breaking platforms not using BINMAN.

cheers,
-roger
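
On the `938` offset questioned above, an added example (not part of the thread or of the patch): assuming the x509-cert output is the DER certificate followed by the payload, as `cat $CERT $BIN > $OUTPUT` produces in the shell script, the split point can be read from the DER header and the payload checked against the SHA-512 carried in the certificate. All function names are hypothetical and the sample "certificate" is constructed for the example; it is not a real X.509 certificate.

```python
import hashlib


def der_total_length(buf):
    """Return header + content length of the DER SEQUENCE starting at buf[0]."""
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("image does not start with a DER SEQUENCE")
    first = buf[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    num = first & 0x7F                     # long form: `num` length bytes follow
    if num == 0 or num > 4 or len(buf) < 2 + num:
        raise ValueError("unsupported or truncated DER length")
    return 2 + num + int.from_bytes(buf[2:2 + num], "big")


def split_signed_image(image):
    """Split `certificate || payload` without a hard-coded offset."""
    cert_len = der_total_length(image)
    if cert_len > len(image):
        raise ValueError("certificate length exceeds image size")
    return image[:cert_len], image[cert_len:]


def payload_matches_cert(image):
    """True if the SHA-512 of the payload appears inside the certificate.

    The template's shaValue is an OCTET STRING holding the raw digest, so a
    byte search is enough for a test; it is not a signature verification.
    """
    cert, payload = split_signed_image(image)
    return hashlib.sha512(payload).digest() in cert


def der(tag, content):
    """Encode one DER TLV (helper for the constructed sample only)."""
    n = len(content)
    if n < 0x80:
        head = bytes([tag, n])
    else:
        ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
        head = bytes([tag, 0x80 | len(ln)]) + ln
    return head + content


def make_sample_image(payload, filler=200):
    """Constructed stand-in for certificate.bin + binary (not a real cert)."""
    digest = hashlib.sha512(payload).digest()
    body = der(0x04, b"\x00" * filler) + der(0x04, digest)
    return der(0x30, body) + payload


if __name__ == "__main__":
    img = make_sample_image(b"filetobesigned")
    cert, payload = split_signed_image(img)
    print(len(cert), payload, payload_matches_cert(img))
```

In a binman functional test the same split would replace the literal offset, and the digest check gives the test something to say about the certificate rather than only about the appended payload.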


* Re: [PATCH RFC v2 07/11] ti: tiboot3.bin: Remove tiboot3.bin target from makefile
  2022-05-06  4:37 ` [PATCH RFC v2 07/11] ti: tiboot3.bin: Remove tiboot3.bin target from makefile Neha Malcom Francis
@ 2022-05-31 10:51   ` Roger Quadros
  0 siblings, 0 replies; 36+ messages in thread
From: Roger Quadros @ 2022-05-31 10:51 UTC (permalink / raw)
  To: Neha Malcom Francis, u-boot



On 06/05/2022 07:37, Neha Malcom Francis wrote:
> Intention of patch is to move the signing and packaging of tiboot3.bin
> image to binman, thus removing target from makefile.
> 
> Also deleting k3_gen_x509_cert.sh which was earlier used to sign a
> binary associated with K3 devices with x509 certificate. This
> functionality has been replicated in binman with the etype x509_cert.
> 
> Signed-off-by: Neha Malcom Francis <n-francis@ti.com>
> ---
>  arch/arm/mach-k3/config.mk | 19 -------------------
>  1 file changed, 19 deletions(-)
> 
> diff --git a/arch/arm/mach-k3/config.mk b/arch/arm/mach-k3/config.mk
> index e6c13c1800..49f80ae79b 100644
> --- a/arch/arm/mach-k3/config.mk
> +++ b/arch/arm/mach-k3/config.mk
> @@ -46,25 +46,6 @@ INPUTS-y	+= sec-cfg.bin
>  endif
>  endif
>  
> -# tiboot3.bin is mandated by ROM and ROM only supports R5 boot.
> -# So restrict tiboot3.bin creation for CPU_V7R.
> -ifdef CONFIG_CPU_V7R
> -image_check: $(obj)/u-boot-spl.bin FORCE
> -	@if [ $(IMAGE_SIZE) -gt $(MAX_SIZE) ]; then			    \
> -		echo "===============================================" >&2; \
> -		echo "ERROR: Final Image too big. " >&2;		    \
> -		echo "$< size = $(IMAGE_SIZE), max size = $(MAX_SIZE)" >&2; \
> -		echo "===============================================" >&2; \
> -		exit 1;							    \
> -	fi
> -
> -tiboot3.bin: image_check FORCE
> -	$(srctree)/tools/k3_gen_x509_cert.sh -c 16 -b $(obj)/u-boot-spl.bin \
> -				-o $@ -l $(CONFIG_SPL_TEXT_BASE) -k $(KEY)
> -
> -INPUTS-y	+= tiboot3.bin
> -endif
> -

Instead of removing it unconditionally and breaking the build for all, this must
be placed under

#ifndef CONFIG_BINMAN ... #endif

>  ifdef CONFIG_ARM64
>  
>  ifeq ($(CONFIG_SOC_K3_J721E),)
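
Review bot: Removing the `image_check` rule together with `tiboot3.bin` drops the build-time check that fails when $(IMAGE_SIZE) exceeds $(MAX_SIZE). Nothing in this hunk replaces it, so make sure the binman description of tiboot3.bin enforces the same limit (or keep `image_check` as a prerequisite), so that an oversized u-boot-spl.bin is still rejected at build time rather than at boot.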

cheers,
-roger


* Re: [PATCH RFC v2 08/11] ti: tispl.bin: Removed script that packages tispl.bin
  2022-05-06  4:37 ` [PATCH RFC v2 08/11] ti: tispl.bin: Removed script that packages tispl.bin Neha Malcom Francis
@ 2022-05-31 10:53   ` Roger Quadros
  0 siblings, 0 replies; 36+ messages in thread
From: Roger Quadros @ 2022-05-31 10:53 UTC (permalink / raw)
  To: Neha Malcom Francis, u-boot



On 06/05/2022 07:37, Neha Malcom Francis wrote:
> As tispl.bin is to be packaged (with ATF, OPTEE, DM and A72 SPL) using
> binman, the shell script k3_fit_atf.sh is no longer needed. Removing

This is not true until you have migrated all K3 platforms to use binman.
So let's leave this script here for now.

> this file.
> 
> Signed-off-by: Neha Malcom Francis <n-francis@ti.com>

cheers,
-roger

> ---
>  tools/k3_fit_atf.sh | 123 --------------------------------------------
>  1 file changed, 123 deletions(-)
>  delete mode 100755 tools/k3_fit_atf.sh
> 
> diff --git a/tools/k3_fit_atf.sh b/tools/k3_fit_atf.sh
> deleted file mode 100755
> index 7bc07ad074..0000000000
> --- a/tools/k3_fit_atf.sh
> +++ /dev/null
> @@ -1,123 +0,0 @@
> -#!/bin/sh
> -# SPDX-License-Identifier: GPL-2.0+
> -#
> -# script to generate FIT image source for K3 Family boards with
> -# ATF, OPTEE, SPL and multiple device trees (given on the command line).
> -# Inspired from board/sunxi/mksunxi_fit_atf.sh
> -#
> -# usage: $0 <atf_load_addr> <dt_name> [<dt_name> [<dt_name] ...]
> -
> -[ -z "$ATF" ] && ATF="bl31.bin"
> -
> -if [ ! -f $ATF ]; then
> -	echo "WARNING ATF file $ATF NOT found, resulting binary is non-functional" >&2
> -	ATF=/dev/null
> -fi
> -
> -[ -z "$TEE" ] && TEE="bl32.bin"
> -
> -if [ ! -f $TEE ]; then
> -	echo "WARNING OPTEE file $TEE NOT found, resulting might be non-functional" >&2
> -	TEE=/dev/null
> -fi
> -
> -[ -z "$DM" ] && DM="dm.bin"
> -
> -if [ ! -e $DM ]; then
> -	echo "WARNING DM file $DM NOT found, resulting might be non-functional" >&2
> -	DM=/dev/null
> -fi
> -
> -if [ ! -z "$IS_HS" ]; then
> -	HS_APPEND=_HS
> -fi
> -
> -cat << __HEADER_EOF
> -/dts-v1/;
> -
> -/ {
> -	description = "Configuration to load ATF and SPL";
> -	#address-cells = <1>;
> -
> -	images {
> -		atf {
> -			description = "ARM Trusted Firmware";
> -			data = /incbin/("$ATF");
> -			type = "firmware";
> -			arch = "arm64";
> -			compression = "none";
> -			os = "arm-trusted-firmware";
> -			load = <$1>;
> -			entry = <$1>;
> -		};
> -		tee {
> -			description = "OPTEE";
> -			data = /incbin/("$TEE");
> -			type = "tee";
> -			arch = "arm64";
> -			compression = "none";
> -			os = "tee";
> -			load = <0x9e800000>;
> -			entry = <0x9e800000>;
> -		};
> -		dm {
> -			description = "DM binary";
> -			data = /incbin/("$DM");
> -			type = "firmware";
> -			arch = "arm32";
> -			compression = "none";
> -			os = "DM";
> -			load = <0x89000000>;
> -			entry = <0x89000000>;
> -		};
> -		spl {
> -			description = "SPL (64-bit)";
> -			data = /incbin/("spl/u-boot-spl-nodtb.bin$HS_APPEND");
> -			type = "standalone";
> -			os = "U-Boot";
> -			arch = "arm64";
> -			compression = "none";
> -			load = <0x80080000>;
> -			entry = <0x80080000>;
> -		};
> -__HEADER_EOF
> -
> -# shift through ATF load address in the command line arguments
> -shift
> -
> -for dtname in $*
> -do
> -	cat << __FDT_IMAGE_EOF
> -		$(basename $dtname) {
> -			description = "$(basename $dtname .dtb)";
> -			data = /incbin/("$dtname$HS_APPEND");
> -			type = "flat_dt";
> -			arch = "arm";
> -			compression = "none";
> -		};
> -__FDT_IMAGE_EOF
> -done
> -
> -cat << __CONF_HEADER_EOF
> -	};
> -	configurations {
> -		default = "$(basename $1)";
> -
> -__CONF_HEADER_EOF
> -
> -for dtname in $*
> -do
> -	cat << __CONF_SECTION_EOF
> -		$(basename $dtname) {
> -			description = "$(basename $dtname .dtb)";
> -			firmware = "atf";
> -			loadables = "tee", "dm", "spl";
> -			fdt = "$(basename $dtname)";
> -		};
> -__CONF_SECTION_EOF
> -done
> -
> -cat << __ITS_EOF
> -	};
> -};
> -__ITS_EOF
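
Review bot: This patch deletes tools/k3_fit_atf.sh, but the `cmd_k3_mkits` rule in arch/arm/mach-k3/config.mk that invokes it is only removed in patch 11/11, so for the commits in between the rule points at a missing file and bisection breaks. Remove the script in the same patch as its last caller, or after it. The script also warns when $ATF, $TEE or $DM is missing and substitutes /dev/null; check that the binman description gives an equally visible diagnostic.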


* Re: [PATCH RFC v2 09/11] ti: x509: Remove shell script used for signing
  2022-05-06  4:37 ` [PATCH RFC v2 09/11] ti: x509: Remove shell script used for signing Neha Malcom Francis
@ 2022-05-31 10:54   ` Roger Quadros
  0 siblings, 0 replies; 36+ messages in thread
From: Roger Quadros @ 2022-05-31 10:54 UTC (permalink / raw)
  To: Neha Malcom Francis, u-boot



On 06/05/2022 07:37, Neha Malcom Francis wrote:
> Earlier the k3_gen_x509_cert.sh was used for signing binaries with the
> x509 certificate for Texas Instruments K3 architecture devices. Since
> the signing process is handled by x509 etype now, there is no more
> requirement for this script, hence removing it.

Are you sure this script is not required for any Keystone platforms?
If not, let's just leave it there.

cheers,
-roger

> 
> Signed-off-by: Neha Malcom Francis <n-francis@ti.com>
> ---
>  tools/k3_gen_x509_cert.sh | 252 --------------------------------------
>  1 file changed, 252 deletions(-)
>  delete mode 100755 tools/k3_gen_x509_cert.sh
> 
> diff --git a/tools/k3_gen_x509_cert.sh b/tools/k3_gen_x509_cert.sh
> deleted file mode 100755
> index b6ef5a2de3..0000000000
> --- a/tools/k3_gen_x509_cert.sh
> +++ /dev/null
> @@ -1,252 +0,0 @@
> -#!/bin/bash
> -# SPDX-License-Identifier: GPL-2.0+ OR BSD-3-Clause
> -#
> -# Script to add K3 specific x509 cetificate to a binary.
> -#
> -
> -# Variables
> -OUTPUT=tiboot3.bin
> -TEMP_X509=x509-temp.cert
> -CERT=certificate.bin
> -RAND_KEY=eckey.pem
> -LOADADDR=0x41c00000
> -BOOTCORE_OPTS=0
> -BOOTCORE=16
> -DEBUG_TYPE=0
> -
> -gen_degen_template() {
> -cat << 'EOF' > degen-template.txt
> -
> -asn1=SEQUENCE:rsa_key
> -
> -[rsa_key]
> -version=INTEGER:0
> -modulus=INTEGER:0xDEGEN_MODULUS
> -pubExp=INTEGER:1
> -privExp=INTEGER:1
> -p=INTEGER:0xDEGEN_P
> -q=INTEGER:0xDEGEN_Q
> -e1=INTEGER:1
> -e2=INTEGER:1
> -coeff=INTEGER:0xDEGEN_COEFF
> -EOF
> -}
> -
> -# Generate x509 Template
> -gen_template() {
> -cat << 'EOF' > x509-template.txt
> - [ req ]
> - distinguished_name     = req_distinguished_name
> - x509_extensions        = v3_ca
> - prompt                 = no
> - dirstring_type         = nobmp
> -
> - [ req_distinguished_name ]
> - C                      = US
> - ST                     = TX
> - L                      = Dallas
> - O                      = Texas Instruments Incorporated
> - OU                     = Processors
> - CN                     = TI support
> - emailAddress           = support@ti.com
> -
> - [ v3_ca ]
> - basicConstraints = CA:true
> - 1.3.6.1.4.1.294.1.1 = ASN1:SEQUENCE:boot_seq
> - 1.3.6.1.4.1.294.1.2 = ASN1:SEQUENCE:image_integrity
> - 1.3.6.1.4.1.294.1.3 = ASN1:SEQUENCE:swrv
> -# 1.3.6.1.4.1.294.1.4 = ASN1:SEQUENCE:encryption
> - 1.3.6.1.4.1.294.1.8 = ASN1:SEQUENCE:debug
> -
> - [ boot_seq ]
> - certType = INTEGER:TEST_CERT_TYPE
> - bootCore = INTEGER:TEST_BOOT_CORE
> - bootCoreOpts = INTEGER:TEST_BOOT_CORE_OPTS
> - destAddr = FORMAT:HEX,OCT:TEST_BOOT_ADDR
> - imageSize = INTEGER:TEST_IMAGE_LENGTH
> -
> - [ image_integrity ]
> - shaType = OID:2.16.840.1.101.3.4.2.3
> - shaValue = FORMAT:HEX,OCT:TEST_IMAGE_SHA_VAL
> -
> - [ swrv ]
> - swrv = INTEGER:0
> -
> -# [ encryption ]
> -# initalVector = FORMAT:HEX,OCT:TEST_IMAGE_ENC_IV
> -# randomString = FORMAT:HEX,OCT:TEST_IMAGE_ENC_RS
> -# iterationCnt = INTEGER:TEST_IMAGE_KEY_DERIVE_INDEX
> -# salt = FORMAT:HEX,OCT:TEST_IMAGE_KEY_DERIVE_SALT
> -
> - [ debug ]
> - debugUID = FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000
> - debugType = INTEGER:TEST_DEBUG_TYPE
> - coreDbgEn = INTEGER:0
> - coreDbgSecEn = INTEGER:0
> -EOF
> -}
> -
> -parse_key() {
> -	sed '/\ \ \ \ /s/://g' key.txt | awk  '!/\ \ \ \ / {printf("\n%s\n", $0)}; /\ \ \ \ / {printf("%s", $0)}' | sed 's/\ \ \ \ //g' | awk "/$1:/{getline; print}"
> -}
> -
> -gen_degen_key() {
> -# Generate a 4096 bit RSA Key
> -	openssl genrsa -out key.pem 1024 >>/dev/null 2>&1
> -	openssl rsa -in key.pem -text -out key.txt >>/dev/null 2>&1
> -	DEGEN_MODULUS=$( parse_key 'modulus' )
> -	DEGEN_P=$( parse_key 'prime1' )
> -	DEGEN_Q=$( parse_key 'prime2' )
> -	DEGEN_COEFF=$( parse_key 'coefficient' )
> -	gen_degen_template
> -
> -	sed -e "s/DEGEN_MODULUS/$DEGEN_MODULUS/"\
> -		-e "s/DEGEN_P/$DEGEN_P/" \
> -		-e "s/DEGEN_Q/$DEGEN_Q/" \
> -		-e "s/DEGEN_COEFF/$DEGEN_COEFF/" \
> -		 degen-template.txt > degenerateKey.txt
> -
> -	openssl asn1parse -genconf degenerateKey.txt -out degenerateKey.der >>/dev/null 2>&1
> -	openssl rsa -in degenerateKey.der -inform DER -outform PEM -out $RAND_KEY >>/dev/null 2>&1
> -	KEY=$RAND_KEY
> -	#rm key.pem key.txt degen-template.txt degenerateKey.txt degenerateKey.der
> -}
> -
> -declare -A options_help
> -usage() {
> -	if [ -n "$*" ]; then
> -		echo "ERROR: $*"
> -	fi
> -	echo -n "Usage: $0 "
> -	for option in "${!options_help[@]}"
> -	do
> -		arg=`echo ${options_help[$option]}|cut -d ':' -f1`
> -		if [ -n "$arg" ]; then
> -			arg=" $arg"
> -		fi
> -		echo -n "[-$option$arg] "
> -	done
> -	echo
> -	echo -e "\nWhere:"
> -	for option in "${!options_help[@]}"
> -	do
> -		arg=`echo ${options_help[$option]}|cut -d ':' -f1`
> -		txt=`echo ${options_help[$option]}|cut -d ':' -f2`
> -		tb="\t\t\t"
> -		if [ -n "$arg" ]; then
> -			arg=" $arg"
> -			tb="\t"
> -		fi
> -		echo -e "   -$option$arg:$tb$txt"
> -	done
> -	echo
> -	echo "Examples of usage:-"
> -	echo "# Example of signing the SYSFW binary with rsa degenerate key"
> -	echo "    $0 -c 0 -b ti-sci-firmware-am6x.bin -o sysfw.bin -l 0x40000"
> -	echo "# Example of signing the SPL binary with rsa degenerate key"
> -	echo "    $0 -c 16 -b spl/u-boot-spl.bin -o tiboot3.bin -l 0x41c00000"
> -}
> -
> -options_help[b]="bin_file:Bin file that needs to be signed"
> -options_help[k]="key_file:file with key inside it. If not provided script generates a rsa degenerate key."
> -options_help[o]="output_file:Name of the final output file. default to $OUTPUT"
> -options_help[c]="core_id:target core id on which the image would be running. Default to $BOOTCORE"
> -options_help[l]="loadaddr: Target load address of the binary in hex. Default to $LOADADDR"
> -options_help[d]="debug_type: Debug type, set to 4 to enable early JTAG. Default to $DEBUG_TYPE"
> -
> -while getopts "b:k:o:c:l:d:h" opt
> -do
> -	case $opt in
> -	b)
> -		BIN=$OPTARG
> -	;;
> -	k)
> -		KEY=$OPTARG
> -	;;
> -	o)
> -		OUTPUT=$OPTARG
> -	;;
> -	l)
> -		LOADADDR=$OPTARG
> -	;;
> -	c)
> -		BOOTCORE=$OPTARG
> -	;;
> -	d)
> -		DEBUG_TYPE=$OPTARG
> -	;;
> -	h)
> -		usage
> -		exit 0
> -	;;
> -	\?)
> -		usage "Invalid Option '-$OPTARG'"
> -		exit 1
> -	;;
> -	:)
> -		usage "Option '-$OPTARG' Needs an argument."
> -		exit 1
> -	;;
> -	esac
> -done
> -
> -if [ "$#" -eq 0 ]; then
> -	usage "Arguments missing"
> -	exit 1
> -fi
> -
> -if [ -z "$BIN" ]; then
> -	usage "Bin file missing in arguments"
> -	exit 1
> -fi
> -
> -# Generate rsa degenerate key if user doesn't provide a key
> -if [ -z "$KEY" ]; then
> -	gen_degen_key
> -fi
> -
> -if [ $BOOTCORE == 0 ]; then	# BOOTCORE M3, loaded by ROM
> -	CERTTYPE=2
> -elif [ $BOOTCORE == 16 ]; then	# BOOTCORE R5, loaded by ROM
> -	CERTTYPE=1
> -else				# Non BOOTCORE, loaded by SYSFW
> -	BOOTCORE_OPTS_VER=$(printf "%01x" 1)
> -	# Add input args option for SET and CLR flags.
> -	BOOTCORE_OPTS_SETFLAG=$(printf "%08x" 0)
> -	BOOTCORE_OPTS_CLRFLAG=$(printf "%08x" 0x100) # Clear FLAG_ARMV8_AARCH32
> -	BOOTCORE_OPTS="0x$BOOTCORE_OPTS_VER$BOOTCORE_OPTS_SETFLAG$BOOTCORE_OPTS_CLRFLAG"
> -	# Set the cert type to zero.
> -	# We are not using public/private key store now
> -	CERTTYPE=$(printf "0x%08x" 0)
> -fi
> -
> -SHA_VAL=`openssl dgst -sha512 -hex $BIN | sed -e "s/^.*= //g"`
> -BIN_SIZE=`cat $BIN | wc -c`
> -ADDR=`printf "%08x" $LOADADDR`
> -
> -gen_cert() {
> -	#echo "Certificate being generated :"
> -	#echo "	LOADADDR = 0x$ADDR"
> -	#echo "	IMAGE_SIZE = $BIN_SIZE"
> -	#echo "	CERT_TYPE = $CERTTYPE"
> -	#echo "	DEBUG_TYPE = $DEBUG_TYPE"
> -	sed -e "s/TEST_IMAGE_LENGTH/$BIN_SIZE/"	\
> -		-e "s/TEST_IMAGE_SHA_VAL/$SHA_VAL/" \
> -		-e "s/TEST_CERT_TYPE/$CERTTYPE/" \
> -		-e "s/TEST_BOOT_CORE_OPTS/$BOOTCORE_OPTS/" \
> -		-e "s/TEST_BOOT_CORE/$BOOTCORE/" \
> -		-e "s/TEST_BOOT_ADDR/$ADDR/" \
> -		-e "s/TEST_DEBUG_TYPE/$DEBUG_TYPE/" \
> -		x509-template.txt > $TEMP_X509
> -	openssl req -new -x509 -key $KEY -nodes -outform DER -out $CERT -config $TEMP_X509 -sha512
> -}
> -
> -gen_template
> -gen_cert
> -cat $CERT $BIN > $OUTPUT
> -
> -# Remove all intermediate files
> -#rm $TEMP_X509 $CERT x509-template.txt
> -#if [ "$KEY" == "$RAND_KEY" ]; then
> -#	rm $RAND_KEY
> -#fi
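
Review bot: The block starting at `if [ $BOOTCORE == 0 ]` carries the comments that say which certificate type goes with which boot core (M3 loaded by ROM, R5 loaded by ROM, other cores loaded by SYSFW) and how BOOTCORE_OPTS is assembled, and the usage text documents the `-d` value that enables early JTAG. With the script gone, that information should be carried into the documentation of the x509-cert entry so it is not lost.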


* Re: [PATCH RFC v2 11/11] ti: dtsi: j721e: Use binman to package tispl.bin
  2022-05-06  4:37 ` [PATCH RFC v2 11/11] ti: dtsi: j721e: Use binman to package tispl.bin Neha Malcom Francis
@ 2022-05-31 11:02   ` Roger Quadros
  2022-06-01  6:08     ` Neha Malcom Francis
  0 siblings, 1 reply; 36+ messages in thread
From: Roger Quadros @ 2022-05-31 11:02 UTC (permalink / raw)
  To: Neha Malcom Francis, u-boot



On 06/05/2022 07:37, Neha Malcom Francis wrote:
> Explicit make commands were earlier used to generate tispl.bin image,
> now it is replaced using binman.
> 
> Binman picks up and packages entries according to the description of
> entries given in the binman node in the device tree. The make commands
> that were earlier responsible for generating tispl.bin have been removed.
> 
> k3-j721e-a72-binman.dtsi has been introduced for A72 specific binman node.
> It can be included in files that require it like
> k3-j721e-common-proc-board-u-boot.dtsi.
> 
> Note that make commands for secure devices have also been removed as
> focus is on general purpose devices at present time.
> 
> Signed-off-by: Tarun Sahu <t-sahu@ti.com>
> [n-francis@ti.com: prepared patch for upstreaming]
> Signed-off-by: Neha Malcom Francis <n-francis@ti.com>
> ---
>  arch/arm/dts/k3-j721e-a72-binman.dtsi         | 86 +++++++++++++++++++
>  .../k3-j721e-common-proc-board-u-boot.dtsi    |  1 +
>  arch/arm/mach-k3/config.mk                    | 33 -------
>  board/ti/j721e/Kconfig                        |  1 +
>  scripts/Makefile.spl                          |  4 -
>  5 files changed, 88 insertions(+), 37 deletions(-)
>  create mode 100644 arch/arm/dts/k3-j721e-a72-binman.dtsi
> 
> diff --git a/arch/arm/dts/k3-j721e-a72-binman.dtsi b/arch/arm/dts/k3-j721e-a72-binman.dtsi
> new file mode 100644
> index 0000000000..beb3424bb9
> --- /dev/null
> +++ b/arch/arm/dts/k3-j721e-a72-binman.dtsi
> @@ -0,0 +1,86 @@
> +// SPDX-License-Identifier: GPL-2.0+
> +// Copyright (C) 2022 Texas Instruments Incorporated - https://www.ti.com/
> +
> +#include <config.h>
> +
> +#ifdef CONFIG_ARM64
> +/ {
> +	binman: binman {
> +		multiple-images;
> +	};
> +};
> +
> +&binman {
> +	tispl {
> +		filename = "tispl.bin";
> +		fit {
> +			description = "FIT IMAGE";
> +			#address-cells = <1>;
> +			images {
> +				atf {
> +					description = "ARM Trusted Firmware";
> +					type = "firmware";
> +					arch = "arm64";
> +					compression = "none";
> +					os = "arm-trusted-firmware";
> +					load = <CONFIG_K3_ATF_LOAD_ADDR>;
> +					entry = <CONFIG_K3_ATF_LOAD_ADDR>;
> +					atf-bl31 {
> +					};
> +				};
> +				tee {
> +					description = "OPTEE";
> +					type = "tee";
> +					arch = "arm64";
> +					compression = "none";
> +					os = "tee";
> +					load = <0x9e800000>;
> +					entry = <0x9e800000>;
> +					tee-os {
> +					};
> +				};
> +				dm {
> +					description = "DM binary";
> +					type = "firmware";
> +					arch = "arm32";
> +					compression = "none";
> +					os = "DM";
> +					load = <0x89000000>;
> +					entry = <0x89000000>;
> +					ti-dm {
> +					};
> +				};
> +				spl {
> +					description = "SPL (64-bit)";
> +					type = "standalone";
> +					os = "U-Boot";
> +					arch = "arm64";
> +					compression = "none";
> +					load = <CONFIG_SPL_TEXT_BASE>;
> +					entry = <CONFIG_SPL_TEXT_BASE>;
> +					u-boot-spl-nodtb {
> +					};
> +				};
> +				k3-j721e-common-proc-board.dtb {
> +					description = "k3-j721e-common-proc-board";
> +					type = "flat_dt";
> +					arch = "arm";
> +					compression = "none";
> +					blob-ext {
> +					filename = "spl/dts/k3-j721e-common-proc-board.dtb";
> +					};
> +				};
> +			};
> +			configurations {
> +				default = "conf";
> +				conf {
> +					description = "k3-j721e-common-proc-board";
> +					firmware = "atf";
> +					loadables = "tee", "dm", "spl";
> +					fdt = "k3-j721e-common-proc-board.dtb";
> +				};
> +			};
> +		};
> +	};
> +};
> +#endif
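
Review bot: The FIT now contains exactly one device tree, `k3-j721e-common-proc-board.dtb`, and one configuration, whereas the flow removed later in this patch generated an image and a configuration for every entry in CONFIG_SPL_OF_LIST. State in the commit message that a multi-DTB tispl.bin is dropped, or generate the nodes from the list. The `tee` and `dm` load and entry addresses are literals (0x9e800000, 0x89000000) while `atf` and `spl` use CONFIG_ symbols; a comment on where these values come from would help. The `filename` line inside `blob-ext` is missing one level of indentation.
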
> diff --git a/arch/arm/dts/k3-j721e-common-proc-board-u-boot.dtsi b/arch/arm/dts/k3-j721e-common-proc-board-u-boot.dtsi
> index 677a72d2a2..6490d71f7e 100644
> --- a/arch/arm/dts/k3-j721e-common-proc-board-u-boot.dtsi
> +++ b/arch/arm/dts/k3-j721e-common-proc-board-u-boot.dtsi
> @@ -4,6 +4,7 @@
>   */
>  
>  #include <dt-bindings/net/ti-dp83867.h>
> +#include "k3-j721e-a72-binman.dtsi"
>  
>  / {
>  	chosen {
> diff --git a/arch/arm/mach-k3/config.mk b/arch/arm/mach-k3/config.mk
> index 49f80ae79b..e0d9ea97c9 100644
> --- a/arch/arm/mach-k3/config.mk
> +++ b/arch/arm/mach-k3/config.mk
> @@ -52,38 +52,5 @@ ifeq ($(CONFIG_SOC_K3_J721E),)
>  export DM := /dev/null
>  endif
>  
> -ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
> -SPL_ITS := u-boot-spl-k3_HS.its
> -$(SPL_ITS): export IS_HS=1
> -INPUTS-y	+= tispl.bin_HS
> -else
> -SPL_ITS := u-boot-spl-k3.its
> -INPUTS-y	+= tispl.bin
> -endif
> -
> -ifeq ($(CONFIG_SPL_OF_LIST),)
> -LIST_OF_DTB := $(CONFIG_DEFAULT_DEVICE_TREE)
> -else
> -LIST_OF_DTB := $(CONFIG_SPL_OF_LIST)
>  endif
> -
> -quiet_cmd_k3_mkits = MKITS   $@
> -cmd_k3_mkits = \
> -	$(srctree)/tools/k3_fit_atf.sh \
> -	$(CONFIG_K3_ATF_LOAD_ADDR) \
> -	$(patsubst %,$(obj)/dts/%.dtb,$(subst ",,$(LIST_OF_DTB))) > $@
> -
> -$(SPL_ITS): FORCE
> -	$(call cmd,k3_mkits)
>  endif
> -
> -else
> -
> -ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
> -INPUTS-y	+= u-boot.img_HS
> -else
> -INPUTS-y	+= u-boot.img
> -endif
> -endif
> -
> -include $(srctree)/arch/arm/mach-k3/config_secure.mk
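
Review bot: Besides the tispl.bin rules, this hunk removes `include $(srctree)/arch/arm/mach-k3/config_secure.mk` and the `INPUTS-y += u-boot.img` / `u-boot.img_HS` lines, none of which is specific to J721E or to tispl.bin. Nothing visible here adds the _HS outputs back, so a CONFIG_TI_SECURE_DEVICE=y build would lose them without any error. Keep the secure path and the u-boot.img inputs, or make the build fail explicitly when CONFIG_TI_SECURE_DEVICE is set together with binman packaging.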

You can't yet remove these as all K3 platforms are not converted to use binman.
Please include them under #ifndef CONFIG_BINMAN...#endif

One more question I have is: how are _HS binaries being created with binman?

> diff --git a/board/ti/j721e/Kconfig b/board/ti/j721e/Kconfig
> index a3a9d504ae..3cf05f0d3b 100644
> --- a/board/ti/j721e/Kconfig
> +++ b/board/ti/j721e/Kconfig
> @@ -14,6 +14,7 @@ config TARGET_J721E_A72_EVM
>  	select BOARD_LATE_INIT
>  	imply TI_I2C_BOARD_DETECT
>  	select SYS_DISABLE_DCACHE_OPS
> +	select BINMAN
>  
>  config TARGET_J721E_R5_EVM
>  	bool "TI K3 based J721E EVM running on R5"
> diff --git a/scripts/Makefile.spl b/scripts/Makefile.spl
> index 6ad82cecfb..5f8a8487c5 100644
> --- a/scripts/Makefile.spl
> +++ b/scripts/Makefile.spl
> @@ -577,7 +577,3 @@ $(obj)/$(SPL_BIN).multidtb.fit.gz: $(obj)/$(SPL_BIN).multidtb.fit
>  $(obj)/$(SPL_BIN).multidtb.fit.lzo: $(obj)/$(SPL_BIN).multidtb.fit
>  	@lzop -f9 $< > $@
>  
> -ifdef CONFIG_ARCH_K3
> -tispl.bin: $(obj)/u-boot-spl-nodtb.bin $(SHRUNK_ARCH_DTB) $(SPL_ITS) FORCE
> -	$(call if_changed,mkfitimage)
> -endif

Please don't remove this but include it under #ifndef CONFIG_BINMAN...#endif

cheers,
-roger


* Re: [PATCH RFC v2 00/11] Integration of sysfw, tispl and tiboot3
  2022-05-31  8:21 ` Roger Quadros
@ 2022-06-01  5:54   ` Neha Malcom Francis
  0 siblings, 0 replies; 36+ messages in thread
From: Neha Malcom Francis @ 2022-06-01  5:54 UTC (permalink / raw)
  To: Roger Quadros, u-boot

Hi Roger,

On 31/05/22 13:51, Roger Quadros wrote:
> Hi,
> 
> On 06/05/2022 07:37, Neha Malcom Francis wrote:
>> Devices that belong to the K3 architecture require SYSFW which is a FIT
>> image consisting of a signed system firmware image and board config
>> binaries.
>>
>> Board config binaries are needed to bring up SYSFW during U-Boot SPL
>> startup. The board config data is given in YAML as input. These board
>> configs contain board-specific information such as resource management,
>> power management and security.
>>
>> The following series intends to plumb the system firmware generation
>> into U-Boot using binman for packaging. Thus it will eliminate the need
>> for additional custom repositories for SYSFW generation and also moves
>> towards the community standard build flow. We use binman to package
>> tiboot3.bin and sysfw.itb images.
>>
>> These images also require x509 certificates which are created using the
>> etype x509-cert.
>>
>> The series also plumbs the generation of tispl.bin into the build flow.
>> This image is required for loading u-boot in K3 devices. The image is
>> packaged using ATF, OPTEE and DM (Device Manager).
>>
>> Please note that the following series has implemented the above for
>> J721E general purpose board. The board configs and device trees added
>> are specific to J721E GP devices.
>>
>> Also note the introduction of three new etypes: ti-sysfw, ti-dm and
>> x509-cert.
>>
>> On running CI tests on Github, errors were produced during world builds
>> of keystone2_keystone3 and siemens (IOT2050 which is based on AM65x).
>> This patch series is intended for only J721E and future work is to expand
>> to the remaining K3 devices as well. The errors that come are mainly due
>> to the boards other than J721E trying to generate tispl.bin.
> 
> You will have to implement it such that none of the existing board build/functionality
> breaks. Otherwise it will be impossible to get this merged.
> 
> Is this series tested for High-Security (HS) J721E as well?
> 
> cheers,
> -roger
> 

I've noted this and the other comments you've mentioned in the rest of 
the series regarding not breaking any of the existing board 
functionalities. I'll make the necessary changes and send across a new 
patch for the same.

No, this series is intended for only General Purpose J721E devices.

>>
>> v2:
>> - Added etype x509-cert for creating x509 Texas Instruments certificate
>>    binary
>> - Added packaging of tiboot3.bin
>> - Packaging of tiboot3.bin and sysfw.itb using new etype x509
>> - sysfw --> ti-sysfw
>> - Reformatted and re-arranged patches
>> - Removed k3_fit_atf.sh and k3_gen_x509_cert.sh as their functionality
>>    is provided by binman now
>>
>> Neha Malcom Francis (11):
>>    j721e_evm: schema: yaml: Add general schema and J721E board config
>>      files
>>    ti: tools: config: Add board config class to generate config binaries
>>    ti: etype: sysfw: Add entry type for sysfw
>>    ti: etype: dm: Add entry type for TI DM
>>    ti: etype: x509: Add etype for x509 certificate for K3 devices
>>    ti: sysfw: Add support for packaging sysfw.itb
>>    ti: tiboot3.bin: Remove tiboot3.bin target from makefile
>>    ti: tispl.bin: Removed script that packages tispl.bin
>>    ti: x509: Remove shell script used for signing
>>    ti: dtsi: j721e: Use binman to package sysfw.itb and tiboot3.bin
>>    ti: dtsi: j721e: Use binman to package tispl.bin
>>
>>   Makefile                                      |    2 +
>>   arch/arm/dts/k3-j721e-a72-binman.dtsi         |   86 +
>>   .../k3-j721e-common-proc-board-u-boot.dtsi    |    1 +
>>   arch/arm/dts/k3-j721e-r5-binman.dtsi          |   88 +
>>   .../k3-j721e-r5-common-proc-board-u-boot.dtsi |    1 +
>>   arch/arm/mach-k3/config.mk                    |   64 +-
>>   board/ti/common/schema.yaml                   |  355 ++
>>   board/ti/j721e/Kconfig                        |    2 +
>>   board/ti/j721e/config.yaml                    | 3162 +++++++++++++++++
>>   scripts/Makefile.spl                          |    4 -
>>   test/py/requirements.txt                      |    1 +
>>   tools/binman/entries.rst                      |   36 +
>>   tools/binman/etype/ti_dm.py                   |   23 +
>>   tools/binman/etype/ti_sysfw.py                |   28 +
>>   tools/binman/etype/x509_cert.py               |  248 ++
>>   tools/binman/ftest.py                         |   21 +
>>   tools/binman/test/225_ti_dm.dts               |   13 +
>>   tools/binman/test/232_ti_sysfw.dts            |   13 +
>>   tools/binman/test/232_x509_cert.dts           |   18 +
>>   tools/k3_fit_atf.sh                           |  123 -
>>   tools/k3_gen_x509_cert.sh                     |  252 --
>>   tools/tibcfg_gen.py                           |  114 +
>>   22 files changed, 4227 insertions(+), 428 deletions(-)
>>   create mode 100644 arch/arm/dts/k3-j721e-a72-binman.dtsi
>>   create mode 100644 arch/arm/dts/k3-j721e-r5-binman.dtsi
>>   create mode 100644 board/ti/common/schema.yaml
>>   create mode 100644 board/ti/j721e/config.yaml
>>   create mode 100644 tools/binman/etype/ti_dm.py
>>   create mode 100644 tools/binman/etype/ti_sysfw.py
>>   create mode 100644 tools/binman/etype/x509_cert.py
>>   create mode 100644 tools/binman/test/225_ti_dm.dts
>>   create mode 100644 tools/binman/test/232_ti_sysfw.dts
>>   create mode 100644 tools/binman/test/232_x509_cert.dts
>>   delete mode 100755 tools/k3_fit_atf.sh
>>   delete mode 100755 tools/k3_gen_x509_cert.sh
>>   create mode 100644 tools/tibcfg_gen.py
>>

-- 
Thanking You
Neha Malcom Francis


* Re: [PATCH RFC v2 03/11] ti: etype: sysfw: Add entry type for sysfw
  2022-05-31  8:44   ` Roger Quadros
@ 2022-06-01  5:58     ` Neha Malcom Francis
  2022-06-01  7:29       ` Neha Malcom Francis
  2022-06-01  9:26       ` Roger Quadros
  0 siblings, 2 replies; 36+ messages in thread
From: Neha Malcom Francis @ 2022-06-01  5:58 UTC (permalink / raw)
  To: Roger Quadros, u-boot

Hi Roger,

On 31/05/22 14:14, Roger Quadros wrote:
> 
> 
> On 06/05/2022 07:37, Neha Malcom Francis wrote:
>> For K3 devices that require a sysfw image, add entry for SYSFW. It can
> 
> 'can' or 'should'?
> 
> For binman, 'sysfw' and 'dm' (added in patch 4) are just binary blobs. correct?
> Why can't you just use blob entry type?
> 
This was suggested so that there is space for changes that will be 
required when scaling to High Security devices as well.

>> contain system firmware image that can be packaged into sysfw.itb by
>> binman.
>>
>> Signed-off-by: Tarun Sahu <t-sahu@ti.com>
>> [n-francis@ti.com: added tests for addition of etype]
>> Signed-off-by: Neha Malcom Francis <n-francis@ti.com>
> 
> cheers,
> -roger
> 
>> ---
>>   Makefile                           |  1 +
>>   tools/binman/entries.rst           | 11 +++++++++++
>>   tools/binman/etype/ti_sysfw.py     | 28 ++++++++++++++++++++++++++++
>>   tools/binman/ftest.py              |  7 +++++++
>>   tools/binman/test/232_ti_sysfw.dts | 13 +++++++++++++
>>   5 files changed, 60 insertions(+)
>>   create mode 100644 tools/binman/etype/ti_sysfw.py
>>   create mode 100644 tools/binman/test/232_ti_sysfw.dts
>>
>> diff --git a/Makefile b/Makefile
>> index 4b347d3603..581fbba4c3 100644
>> --- a/Makefile
>> +++ b/Makefile
>> @@ -1338,6 +1338,7 @@ cmd_binman = $(srctree)/tools/binman/binman $(if $(BINMAN_DEBUG),-D) \
>>   		-a opensbi-path=${OPENSBI} \
>>   		-a default-dt=$(default_dt) \
>>   		-a scp-path=$(SCP) \
>> +		-a ti-sysfw-path=$(SYSFW) \
>>   		-a spl-bss-pad=$(if $(CONFIG_SPL_SEPARATE_BSS),,1) \
>>   		-a tpl-bss-pad=$(if $(CONFIG_TPL_SEPARATE_BSS),,1) \
>>   		-a spl-dtb=$(CONFIG_SPL_OF_REAL) \
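
Review bot: "-a ti-sysfw-path=$(SYSFW)" is now passed to binman for every
board, but nothing in this patch sets or documents the SYSFW make
variable. Please document where SYSFW is expected to come from and what
binman does when it expands to an empty string, since boards without a
ti-sysfw entry will pass an empty path.
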
>> diff --git a/tools/binman/entries.rst b/tools/binman/entries.rst
>> index ae4305c99e..6c0f03b34f 100644
>> --- a/tools/binman/entries.rst
>> +++ b/tools/binman/entries.rst
>> @@ -1203,6 +1203,17 @@ This entry holds firmware for an external platform-specific coprocessor.
>>   
>>   
>>   
>> +Entry: sysfw: Texas Instruments System Firmware (SYSFW) blob
>> +------------------------------------------------------------
>> +
>> +Properties / Entry arguments:
>> +    - ti-sysfw-path: Filename of file to read into the entry, typically sysfw.bin
>> +
>> +This entry contains system firmware necessary for booting of K3 architecture
>> +devices.
>> +
>> +
>> +
>>   Entry: section: Entry that contains other entries
>>   -------------------------------------------------
>>   
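
Review bot: the new heading reads "Entry: sysfw:" while the etype added
by this patch is ti-sysfw (class Entry_ti_sysfw, argument
ti-sysfw-path). The heading should be "Entry: ti-sysfw: ..." with the
underline lengthened to match, otherwise the documentation names an
entry type that does not exist.
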
>> diff --git a/tools/binman/etype/ti_sysfw.py b/tools/binman/etype/ti_sysfw.py
>> new file mode 100644
>> index 0000000000..5b5b307030
>> --- /dev/null
>> +++ b/tools/binman/etype/ti_sysfw.py
>> @@ -0,0 +1,28 @@
>> +# SPDX-License-Identifier: GPL-2.0+
>> +# Copyright (C) 2022 Texas Instruments Incorporated - https://www.ti.com/
>> +#
>> +# Entry type module for TI SYSFW binary blob
>> +#
>> +
>> +import os
>> +import struct
>> +import sys
>> +import zlib
>> +
>> +from binman.etype.blob_named_by_arg import Entry_blob_named_by_arg
>> +from dtoc import fdt_util
>> +from patman import tools
>> +
>> +
>> +class Entry_ti_sysfw(Entry_blob_named_by_arg):
>> +    """Entry containing Texas Instruments System Firmware (SYSFW) blob
>> +
>> +    Properties / Entry arguments:
>> +        - ti-sysfw-path: Filename of file to read into the entry, typically sysfw.bin
>> +
>> +    This entry contains system firmware necessary for booting of K3 architecture devices.
>> +    """
>> +
>> +    def __init__(self, section, etype, node):
>> +        super().__init__(section, etype, node, 'ti-sysfw')
>> +        self.external = True
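
Review bot: the imports at the top of ti_sysfw.py (os, struct, sys, zlib,
fdt_util and tools) are not used anywhere in the 28 lines that follow;
the class only needs Entry_blob_named_by_arg. Please drop the unused
ones so the module does not suggest the blob is parsed or compressed
here.
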
>> diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py
>> index 4ce181a066..ec408de334 100644
>> --- a/tools/binman/ftest.py
>> +++ b/tools/binman/ftest.py
>> @@ -87,6 +87,7 @@ ATF_BL31_DATA         = b'bl31'
>>   TEE_OS_DATA           = b'this is some tee OS data'
>>   ATF_BL2U_DATA         = b'bl2u'
>>   OPENSBI_DATA          = b'opensbi'
>> +TI_SYSFW_DATA         = b'sysfw'
>>   SCP_DATA              = b'scp'
>>   TEST_FDT1_DATA        = b'fdt1'
>>   TEST_FDT2_DATA        = b'test-fdt2'
>> @@ -195,6 +196,7 @@ class TestFunctional(unittest.TestCase):
>>           TestFunctional._MakeInputFile('tee-pager.bin', TEE_OS_DATA)
>>           TestFunctional._MakeInputFile('bl2u.bin', ATF_BL2U_DATA)
>>           TestFunctional._MakeInputFile('fw_dynamic.bin', OPENSBI_DATA)
>> +        TestFunctional._MakeInputFile('sysfw.bin', TI_SYSFW_DATA)
>>           TestFunctional._MakeInputFile('scp.bin', SCP_DATA)
>>   
>>           # Add a few .dtb files for testing
>> @@ -5522,6 +5524,11 @@ fdt         fdtmap                Extract the devicetree blob from the fdtmap
>>           """Test an image with a pre-load header with an invalid key"""
>>           with self.assertRaises(ValueError) as e:
>>               data = self._DoReadFile('231_pre_load_invalid_key.dts')
>> +
>> +    def testPackTiSysfw(self):
>> +        """Test that an image with a SYSFW binary can be created"""
>> +        data = self._DoReadFile('232_ti_sysfw.dts')
>> +        self.assertEqual(TI_SYSFW_DATA, data[:len(TI_SYSFW_DATA)])
>>   
>>   if __name__ == "__main__":
>>       unittest.main()
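
Review bot: testPackTiSysfw only compares the first len(TI_SYSFW_DATA)
bytes of the image, so unexpected trailing data would still pass.
232_ti_sysfw.dts contains a single ti-sysfw entry, so
"self.assertEqual(TI_SYSFW_DATA, data)" is the tighter check.
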
>> diff --git a/tools/binman/test/232_ti_sysfw.dts b/tools/binman/test/232_ti_sysfw.dts
>> new file mode 100644
>> index 0000000000..9e66cbe77b
>> --- /dev/null
>> +++ b/tools/binman/test/232_ti_sysfw.dts
>> @@ -0,0 +1,13 @@
>> +// SPDX-License-Identifier: GPL-2.0+
>> +
>> +/dts-v1/;
>> +
>> +/ {
>> +	#address-cells = <1>;
>> +	#size-cells = <1>;
>> +	binman {
>> +		ti-sysfw {
>> +			filename = "sysfw.bin";
>> +		};
>> +	};
>> +};

-- 
Thanking You
Neha Malcom Francis


* Re: [PATCH RFC v2 05/11] ti: etype: x509: Add etype for x509 certificate for K3 devices
  2022-05-31  9:20   ` Roger Quadros
@ 2022-06-01  6:02     ` Neha Malcom Francis
  2022-06-01  9:24       ` Roger Quadros
  0 siblings, 1 reply; 36+ messages in thread
From: Neha Malcom Francis @ 2022-06-01  6:02 UTC (permalink / raw)
  To: Roger Quadros, u-boot

Hi Roger,

On 31/05/22 14:50, Roger Quadros wrote:
> 
> 
> On 06/05/2022 07:37, Neha Malcom Francis wrote:
>> K3 devices x509 certificate added to certain binaries that allows ROM to
> 
> what binaries?
> 
>> validate the integrity of the image. Etype that generates an x509
>> certificate depending on boot flow added.
> 
> Could you please explain in more detail as to what exactly is happening here.
> 
> What do you mean by "depending on boot flow"?
> 

I will reformat the commit messages accordingly.
>>
>> Signed-off-by: Neha Malcom Francis <n-francis@ti.com>
>> ---
>>   tools/binman/entries.rst            |  15 ++
>>   tools/binman/etype/x509_cert.py     | 248 ++++++++++++++++++++++++++++
>>   tools/binman/ftest.py               |   7 +
>>   tools/binman/test/232_x509_cert.dts |  18 ++
>>   tools/k3_gen_x509_cert.sh           |  10 +-
>>   5 files changed, 293 insertions(+), 5 deletions(-)
>>   create mode 100644 tools/binman/etype/x509_cert.py
>>   create mode 100644 tools/binman/test/232_x509_cert.dts
>>
>> diff --git a/tools/binman/entries.rst b/tools/binman/entries.rst
>> index 0c6d82fce8..dfa281e49f 100644
>> --- a/tools/binman/entries.rst
>> +++ b/tools/binman/entries.rst
>> @@ -1890,6 +1890,21 @@ and kernel are genuine.
>>   
>>   
>>   
>> +Entry: x509cert: x509 certificate for K3 devices
>> +------------------------------------------------
>> +
> 
> x509 is a generic standard. Can this be made usable by other vendors as well or
> is it very specific to TI?
> If this is TI specific then I'd suggest a "ti-" prefix to the entry name.
> 
>> +Properties / Entry arguments:
>> +        - content: Phandle of binary to sign
>> +        - output: Name of the final output file
> 
> why do you need output property?
> 

That is not required; I had later changed it to always use
certificate.bin. Will make the necessary changes.

>> +        - key_file: File with key inside it. If not provided, script generates RSA degenerate key
>> +        - core: Target core ID on which image would be running
>> +        - load: Target load address of the binary in hex
>> +
>> +    Output files:
>> +        - certificate.bin: Signed certificate binary
>> +
>> +
>> +
>>   Entry: x86-reset16: x86 16-bit reset code for U-Boot
>>   ----------------------------------------------------
>>   
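
Review bot: the names documented in this entry do not match the code in
x509_cert.py: the heading says "x509cert" but the etype is x509-cert,
and the property is listed as "key_file" while __init__ reads
'key-file'. A node written from this text would not set the key and
would silently fall back to the generated degenerate key. Please align
the names and state the defaults for core (0) and load (0x41c00000).
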
>> diff --git a/tools/binman/etype/x509_cert.py b/tools/binman/etype/x509_cert.py
>> new file mode 100644
>> index 0000000000..0009973155
>> --- /dev/null
>> +++ b/tools/binman/etype/x509_cert.py
>> @@ -0,0 +1,248 @@
>> +# SPDX-License-Identifier: GPL-2.0+
>> +# Copyright (c) 2018 Google, Inc
>> +# Written by Simon Glass <sjg@chromium.org>
>> +#
>> +
>> +# Support for a x509 certificate for signing K3 devices
>> +
>> +import os
>> +from collections import OrderedDict
>> +from subprocess import Popen, PIPE
>> +from sys import stderr, stdout
>> +
>> +import asn1
>> +from Crypto.PublicKey import RSA
>> +from cryptography.hazmat.backends import default_backend
>> +from cryptography.hazmat.primitives import serialization
>> +
>> +from binman.etype.collection import Entry_collection
>> +from dtoc import fdt_util
>> +from patman import tools
>> +
>> +temp_x509 = "x509-temp.cert"
>> +cert = "certificate.bin"
>> +rand_key = "eckey.pem"
>> +bootcore_opts = 0
>> +bootcore = 0
>> +debug_type = 0
>> +
>> +
>> +class Entry_x509_cert(Entry_collection):
>> +    """ An entry which contains a x509 certificate
>> +
>> +    Properties / Entry arguments:
>> +        - content: Phandle of binary to sign
>> +        - key_file: File with key inside it. If not provided, script generates RSA degenerate key
>> +        - core: Target core ID on which image would be running
>> +        - load: Target load address of the binary in hex
>> +
>> +    Output files:
>> +        - certificate.bin: Signed certificate binary"""
>> +
>> +    def __init__(self, section, etype, node):
>> +        super().__init__(section, etype, node)
>> +        self.key_file = fdt_util.GetString(self._node, 'key-file', "")
>> +        self.core = fdt_util.GetInt(self._node, 'core', 0)
>> +        self.load_addr = fdt_util.GetInt(self._node, 'load', 0x41c00000)
>> +
>> +    def ReadNode(self):
>> +        super().ReadNode()
>> +        if self.key_file == "":
>> +            self.degen_key = True
>> +        else:
>> +            self.degen_key = False
>> +
>> +    def _CreateCertificate(self):
>> +        """Create certificate for legacy boot flow"""
>> +        if self.degen_key == True:
>> +            gen_degen_key()
>> +            self.key_file = rand_key
>> +
>> +        sha_val = get_sha_val("intermediate-sysfw.bin")
>> +        bin_size = get_file_size("intermediate-sysfw.bin")
>> +        addr = "%08x" % self.load_addr
>> +        if self.core == 0:
>> +            cert_type = 2
>> +        elif self.core == 16:
>> +            cert_type = 1
>> +        else:
>> +            cert_type = 2
>> +        debug_type = 0
>> +
>> +        gen_template()
>> +        gen_cert(bin_size, sha_val, cert_type, bootcore_opts,
>> +                 self.core, addr, debug_type, self.key_file)
>> +
>> +        return tools.read_file("certificate.bin")
>> +
>> +    def ObtainContents(self):
>> +        self.image = self.GetContents(False)
>> +        if self.image is None:
>> +            return False
>> +        f = open("intermediate-sysfw.bin", "wb")
>> +        f.write(self.image)
>> +        f.close()
>> +        self.SetContents(self._CreateCertificate())
>> +        return True
>> +
>> +    def ProcessContents(self):
>> +        data = self._CreateCertificate()
>> +        return self.ProcessContentsUpdate(data)
> 
> Why do you need _CreateCertificate() and ProcessContents()?
> Just have one ObtainContents() and try to get rid of all the intermediate files.
> 

I used etype/vblock.py as a reference. I will clean up this etype further.

>> +
>> +
>> +def get_sha_val(binary_file):
>> +    process = Popen(['openssl', 'dgst', '-sha512', '-hex',
>> +                    binary_file], stdout=PIPE, stderr=PIPE)
>> +    stdout, stderr = process.communicate()
>> +    sha_val = stdout.split()[1]
>> +    return sha_val
>> +
>> +
>> +def get_file_size(binary_file):
>> +    return os.path.getsize(binary_file)
>> +
>> +
>> +def gen_degen_template():
>> +    with open("degen-template.txt", 'w+', encoding='utf-8') as f:
>> +        degen_temp = """
>> +asn1=SEQUENCE:rsa_key
>> +
>> +[rsa_key]
>> +version=INTEGER:0
>> +modulus=INTEGER:0xDEGEN_MODULUS
>> +pubExp=INTEGER:1
>> +privExp=INTEGER:1
>> +p=INTEGER:0xDEGEN_P
>> +q=INTEGER:0xDEGEN_Q
>> +e1=INTEGER:1
>> +e2=INTEGER:1
>> +coeff=INTEGER:0xDEGEN_COEFF"""
>> +        f.write(degen_temp)
>> +
>> +
>> +def gen_template():
>> +    """Generate x509 Template"""
>> +    with open("x509-template.txt", "w+", encoding='utf-8') as f:
>> +        x509template = """
>> +[ req ]
>> +distinguished_name     = req_distinguished_name
>> +x509_extensions        = v3_ca
>> +prompt                 = no
>> +dirstring_type         = nobmp
>> +
>> +[ req_distinguished_name ]
>> +C                      = US
>> +ST                     = TX
>> +L                      = Dallas
>> +O                      = Texas Instruments Incorporated
>> +OU                     = Processors
>> +CN                     = TI support
>> +emailAddress           = support@ti.com
>> +
>> +[ v3_ca ]
>> +basicConstraints = CA:true
>> +1.3.6.1.4.1.294.1.1 = ASN1:SEQUENCE:boot_seq
>> +1.3.6.1.4.1.294.1.2 = ASN1:SEQUENCE:image_integrity
>> +1.3.6.1.4.1.294.1.3 = ASN1:SEQUENCE:swrv
>> +# 1.3.6.1.4.1.294.1.4 = ASN1:SEQUENCE:encryption
>> +1.3.6.1.4.1.294.1.8 = ASN1:SEQUENCE:debug
>> +
>> +[ boot_seq ]
>> +certType = INTEGER:TEST_CERT_TYPE
>> +bootCore = INTEGER:TEST_BOOT_CORE
>> +bootCoreOpts = INTEGER:TEST_BOOT_CORE_OPTS
>> +destAddr = FORMAT:HEX,OCT:TEST_BOOT_ADDR
>> +imageSize = INTEGER:TEST_IMAGE_LENGTH
>> +
>> +[ image_integrity ]
>> +shaType = OID:2.16.840.1.101.3.4.2.3
>> +shaValue = FORMAT:HEX,OCT:TEST_IMAGE_SHA_VAL
>> +
>> +[ swrv ]
>> +swrv = INTEGER:0
>> +
>> +# [ encryption ]
>> +# initalVector = FORMAT:HEX,OCT:TEST_IMAGE_ENC_IV
>> +# randomString = FORMAT:HEX,OCT:TEST_IMAGE_ENC_RS
>> +# iterationCnt = INTEGER:TEST_IMAGE_KEY_DERIVE_INDEX
>> +# salt = FORMAT:HEX,OCT:TEST_IMAGE_KEY_DERIVE_SALT
>> +
>> +[ debug ]
>> +debugUID = FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000
>> +debugType = INTEGER:TEST_DEBUG_TYPE
>> +coreDbgEn = INTEGER:0
>> +coreDbgSecEn = INTEGER:0"""
>> +        f.write(x509template)
>> +
>> +
>> +def parse_key(inp_key, section):
>> +    parsed_key = ""
>> +    section_true = False
>> +    with open(inp_key, 'r') as file:
>> +        for line in file:
>> +            if section in line:
>> +                section_true = True
>> +            elif section_true:
>> +                if "    " not in line:
>> +                    break
>> +                else:
>> +                    parsed_key += line.replace(":", "").replace("    ", "")
>> +    return parsed_key.replace("\n", "")
>> +
>> +
>> +def gen_degen_key():
>> +    """Generate a 4096 bit RSA key"""
>> +    try:
>> +        # generates 1024 bit PEM encoded RSA key in PKCS#1 format
>> +        private_key = RSA.generate(1024)
>> +        f = open('key.pem', 'wb')
>> +        f.write(private_key.exportKey('PEM'))
>> +        f.close()
>> +    except:
>> +        raise(Exception)
>> +
>> +    try:
>> +        process = Popen(['openssl', 'rsa', '-in', 'key.pem',
>> +                        '-text', '-out', 'key.txt'], stdout=PIPE, stderr=PIPE)
>> +        stdout, stderr = process.communicate()
>> +    except:
>> +        raise(stderr)
>> +
>> +    DEGEN_MODULUS = parse_key("key.txt", "modulus")
>> +    DEGEN_P = parse_key("key.txt", "prime1")
>> +    DEGEN_Q = parse_key("key.txt", "prime2")
>> +    DEGEN_COEFF = parse_key("key.txt", "coefficient")
>> +
>> +    gen_degen_template()
>> +
>> +    with open("degen-template.txt", 'r') as file_input:
>> +        with open("degenerateKey.txt", 'w') as file_output:
>> +            for line in file_input:
>> +                s = line.replace("DEGEN_MODULUS", DEGEN_MODULUS).replace(
>> +                    "DEGEN_P", DEGEN_P).replace("DEGEN_Q", DEGEN_Q).replace("DEGEN_COEFF", DEGEN_COEFF)
>> +                file_output.write(s)
>> +
>> +    try:
>> +        process = Popen(['openssl', 'asn1parse', '-genconf', 'degenerateKey.txt',
>> +                        '-out', 'degenerateKey.der'], stdout=PIPE, stderr=PIPE)
>> +        stdout, stderr = process.communicate()
>> +    except:
>> +        raise(stderr)
>> +
>> +    try:
>> +        process = Popen(['openssl', 'rsa', '-in', 'degenerateKey.der',
>> +                        '-inform', 'DER', '-outform', 'PEM', '-out', rand_key])
>> +        stdout, stderr = process.communicate()
>> +    except:
>> +        raise(stderr)
>> +
>> +
>> +def gen_cert(bin_size, sha_val, cert_type, bootcore_opts, bootcore, addr, debug_type, key):
>> +    with open(temp_x509, "w") as output_file:
>> +        with open("x509-template.txt", "r") as input_file:
>> +            for line in input_file:
>> +                output_file.write(line.replace("TEST_IMAGE_LENGTH", str(bin_size)).replace("TEST_IMAGE_SHA_VAL", sha_val.decode("utf-8")).replace("TEST_CERT_TYPE", str(cert_type)).replace(
>> +                    "TEST_BOOT_CORE_OPTS", str(bootcore_opts)).replace("TEST_BOOT_CORE", str(bootcore)).replace("TEST_BOOT_ADDR", str(addr)).replace("TEST_DEBUG_TYPE", str(debug_type)))
>> +    process = Popen(['openssl', 'req', '-new', '-x509', '-key', key, '-nodes', '-outform',
>> +                    'DER', '-out', cert, '-config', temp_x509, '-sha512'], stdout=PIPE, stderr=PIPE)
>> +    stdout, stderr = process.communicate()
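
Review bot: none of the openssl invocations in get_sha_val(),
gen_degen_key() and gen_cert() check the exit status, and every
intermediate file (intermediate-sysfw.bin, key.pem, key.txt,
certificate.bin) has a fixed name in the current directory. If
"openssl req" fails, _CreateCertificate() still goes on to
tools.read_file("certificate.bin") and can return a certificate left
behind by an earlier run or by another x509-cert entry, and the
generated private key stays on disk. Suggest subprocess.run(...,
check=True), files created under binman's output directory, and removal
of the key material once the certificate is written. The
"except: raise(stderr)" blocks also cannot work as written: stderr is
not an exception, and it is unbound if Popen itself throws. Smaller
points: the gen_degen_key() docstring says "4096 bit" but the code calls
RSA.generate(1024); asn1, OrderedDict, default_backend and serialization
are imported but unused; the "core == 0" and "else" branches both set
cert_type = 2.
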
>> diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py
>> index 5ff294a386..d8ee592250 100644
>> --- a/tools/binman/ftest.py
>> +++ b/tools/binman/ftest.py
>> @@ -96,6 +96,7 @@ ENV_DATA              = b'var1=1\nvar2="2"'
>>   PRE_LOAD_MAGIC        = b'UBSH'
>>   PRE_LOAD_VERSION      = 0x11223344.to_bytes(4, 'big')
>>   PRE_LOAD_HDR_SIZE     = 0x00001000.to_bytes(4, 'big')
>> +X509_DATA             = b'filetobesigned'
>>   
>>   # Subdirectory of the input dir to use to put test FDTs
>>   TEST_FDT_SUBDIR       = 'fdts'
>> @@ -200,6 +201,7 @@ class TestFunctional(unittest.TestCase):
>>           TestFunctional._MakeInputFile('fw_dynamic.bin', OPENSBI_DATA)
>>           TestFunctional._MakeInputFile('sysfw.bin', TI_SYSFW_DATA)
>>           TestFunctional._MakeInputFile('scp.bin', SCP_DATA)
>> +        TestFunctional._MakeInputFile('tosign.bin', X509_DATA)
>>   
>>           # Add a few .dtb files for testing
>>           TestFunctional._MakeInputFile('%s/test-fdt1.dtb' % TEST_FDT_SUBDIR,
>> @@ -5537,5 +5539,10 @@ fdt         fdtmap                Extract the devicetree blob from the fdtmap
>>           data = self._DoReadFile('232_ti_sysfw.dts')
>>           self.assertEqual(TI_SYSFW_DATA, data[:len(TI_SYSFW_DATA)])
>>   
>> +    def testX509Cert(self):
>> +        """Test an image with the default x509 certificate header"""
>> +        data = self._DoReadFile('232_x509_cert.dts')
>> +        self.assertEqual(X509_DATA, data[938:938 + len(X509_DATA)])
> 
> what is 938?
> 
> Isn't it easier to just assert that _DoReadFile('232_x509_cert.dts') is greater than len(X509_DATA)?
> 
>> +
>>   if __name__ == "__main__":
>>       unittest.main()
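
Review bot: "data[938:938 + len(X509_DATA)]" hard-codes the certificate
length, and the test never looks at the certificate itself. No key-file
is given, so the key is regenerated on every run and a fixed offset is
brittle. Consider asserting on the tail instead
("data[-len(X509_DATA):]") and additionally checking that the SHA-512
digest of X509_DATA appears in the bytes before it, so the test covers
the integrity value the certificate is supposed to carry.
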
>> diff --git a/tools/binman/test/232_x509_cert.dts b/tools/binman/test/232_x509_cert.dts
>> new file mode 100644
>> index 0000000000..f768568ca7
>> --- /dev/null
>> +++ b/tools/binman/test/232_x509_cert.dts
>> @@ -0,0 +1,18 @@
>> +// SPDX-License-Identifier: GPL-2.0+
>> +
>> +/dts-v1/;
>> +
>> +/ {
>> +	#address-cells = <1>;
>> +	#size-cells = <1>;
>> +
>> +	binman {
>> +		x509-cert {
>> +			content = <&image>;
>> +		};
>> +
>> +		image: blob-ext {
>> +			filename = "tosign.bin";
>> +		};
>> +	};
>> +};
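
Review bot: the test file number 232 is already taken by
232_ti_sysfw.dts, which the ftest.py context lines above still
reference; please use the next free number. The node also sets only
"content", so key-file, core and load are exercised with their defaults
only; a second test with an explicit key-file would cover the
non-degenerate path.
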
>> diff --git a/tools/k3_gen_x509_cert.sh b/tools/k3_gen_x509_cert.sh
>> index 298cec1313..b6ef5a2de3 100755
>> --- a/tools/k3_gen_x509_cert.sh
>> +++ b/tools/k3_gen_x509_cert.sh
>> @@ -109,7 +109,7 @@ gen_degen_key() {
>>   	openssl asn1parse -genconf degenerateKey.txt -out degenerateKey.der >>/dev/null 2>&1
>>   	openssl rsa -in degenerateKey.der -inform DER -outform PEM -out $RAND_KEY >>/dev/null 2>&1
>>   	KEY=$RAND_KEY
>> -	rm key.pem key.txt degen-template.txt degenerateKey.txt degenerateKey.der
>> +	#rm key.pem key.txt degen-template.txt degenerateKey.txt degenerateKey.der
>>   }
>>   
>>   declare -A options_help
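
Review bot: commenting out the rm in gen_degen_key() leaves key.pem,
key.txt and degenerateKey.der, i.e. the private key material, in the
working directory after every run of the script. If the Python etype
needs these files it should create its own; please restore the cleanup
here rather than committing commented-out code.
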
>> @@ -246,7 +246,7 @@ gen_cert
>>   cat $CERT $BIN > $OUTPUT
>>   
>>   # Remove all intermediate files
>> -rm $TEMP_X509 $CERT x509-template.txt
>> -if [ "$KEY" == "$RAND_KEY" ]; then
>> -	rm $RAND_KEY
>> -fi
>> +#rm $TEMP_X509 $CERT x509-template.txt
>> +#if [ "$KEY" == "$RAND_KEY" ]; then
>> +#	rm $RAND_KEY
>> +#fi
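
Review bot: with the final cleanup commented out, $TEMP_X509, $CERT and
$RAND_KEY persist between runs, so a later build can pick up a stale
certificate or key. The commit message does not mention this change and
the cover letter says the script is removed later in the series, so
this hunk looks like leftover debugging and should be dropped from the
patch.
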
> 
> Why these changes?
> Maybe you should include them within
> "ifndef CONFIG_BINMAN ... endif" to avoid breaking platforms not using BINMAN.
> 
> cheers,
> -roger

-- 
Thanking You
Neha Malcom Francis


* Re: [PATCH RFC v2 11/11] ti: dtsi: j721e: Use binman to package tispl.bin
  2022-05-31 11:02   ` Roger Quadros
@ 2022-06-01  6:08     ` Neha Malcom Francis
  2022-06-01  9:23       ` Roger Quadros
  0 siblings, 1 reply; 36+ messages in thread
From: Neha Malcom Francis @ 2022-06-01  6:08 UTC (permalink / raw)
  To: Roger Quadros, u-boot

Hi Roger,

On 31/05/22 16:32, Roger Quadros wrote:
> 
> 
> On 06/05/2022 07:37, Neha Malcom Francis wrote:
>> Explicit make commands were earlier used to generate tispl.bin image,
>> now it is replaced using binman.
>>
>> Binman picks up and packages entries according to the description of
>> entries given in the binman node in the device tree. The make commands
>> that were earlier responsible for generating tispl.bin has been removed.
>>
>> k3-j721e-a72-binman.dtsi has been introduced for A72 specific binman node.
>> It can be included in files that require it like
>> k3-j721e-common-proc-board-u-boot.dtsi.
>>
>> Note that make commands for secure devices has also been removed as
>> focus is on general purpose devices at present time.
>>
>> Signed-off-by: Tarun Sahu <t-sahu@ti.com>
>> [n-francis@ti.com: prepared patch for upstreaming]
>> Signed-off-by: Neha Malcom Francis <n-francis@ti.com>
>> ---
>>   arch/arm/dts/k3-j721e-a72-binman.dtsi         | 86 +++++++++++++++++++
>>   .../k3-j721e-common-proc-board-u-boot.dtsi    |  1 +
>>   arch/arm/mach-k3/config.mk                    | 33 -------
>>   board/ti/j721e/Kconfig                        |  1 +
>>   scripts/Makefile.spl                          |  4 -
>>   5 files changed, 88 insertions(+), 37 deletions(-)
>>   create mode 100644 arch/arm/dts/k3-j721e-a72-binman.dtsi
>>
>> diff --git a/arch/arm/dts/k3-j721e-a72-binman.dtsi b/arch/arm/dts/k3-j721e-a72-binman.dtsi
>> new file mode 100644
>> index 0000000000..beb3424bb9
>> --- /dev/null
>> +++ b/arch/arm/dts/k3-j721e-a72-binman.dtsi
>> @@ -0,0 +1,86 @@
>> +// SPDX-License-Identifier: GPL-2.0+
>> +// Copyright (C) 2022 Texas Instruments Incorporated - https://www.ti.com/
>> +
>> +#include <config.h>
>> +
>> +#ifdef CONFIG_ARM64
>> +/ {
>> +	binman: binman {
>> +		multiple-images;
>> +	};
>> +};
>> +
>> +&binman {
>> +	tispl {
>> +		filename = "tispl.bin";
>> +		fit {
>> +			description = "FIT IMAGE";
>> +			#address-cells = <1>;
>> +			images {
>> +				atf {
>> +					description = "ARM Trusted Firmware";
>> +					type = "firmware";
>> +					arch = "arm64";
>> +					compression = "none";
>> +					os = "arm-trusted-firmware";
>> +					load = <CONFIG_K3_ATF_LOAD_ADDR>;
>> +					entry = <CONFIG_K3_ATF_LOAD_ADDR>;
>> +					atf-bl31 {
>> +					};
>> +				};
>> +				tee {
>> +					description = "OPTEE";
>> +					type = "tee";
>> +					arch = "arm64";
>> +					compression = "none";
>> +					os = "tee";
>> +					load = <0x9e800000>;
>> +					entry = <0x9e800000>;
>> +					tee-os {
>> +					};
>> +				};
>> +				dm {
>> +					description = "DM binary";
>> +					type = "firmware";
>> +					arch = "arm32";
>> +					compression = "none";
>> +					os = "DM";
>> +					load = <0x89000000>;
>> +					entry = <0x89000000>;
>> +					ti-dm {
>> +					};
>> +				};
>> +				spl {
>> +					description = "SPL (64-bit)";
>> +					type = "standalone";
>> +					os = "U-Boot";
>> +					arch = "arm64";
>> +					compression = "none";
>> +					load = <CONFIG_SPL_TEXT_BASE>;
>> +					entry = <CONFIG_SPL_TEXT_BASE>;
>> +					u-boot-spl-nodtb {
>> +					};
>> +				};
>> +				k3-j721e-common-proc-board.dtb {
>> +					description = "k3-j721e-common-proc-board";
>> +					type = "flat_dt";
>> +					arch = "arm";
>> +					compression = "none";
>> +					blob-ext {
>> +					filename = "spl/dts/k3-j721e-common-proc-board.dtb";
>> +					};
>> +				};
>> +			};
>> +			configurations {
>> +				default = "conf";
>> +				conf {
>> +					description = "k3-j721e-common-proc-board";
>> +					firmware = "atf";
>> +					loadables = "tee", "dm", "spl";
>> +					fdt = "k3-j721e-common-proc-board.dtb";
>> +				};
>> +			};
>> +		};
>> +	};
>> +};
>> +#endif
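
Review bot: the tee and dm nodes hard-code load/entry as 0x9e800000 and
0x89000000, while atf and spl take theirs from CONFIG_K3_ATF_LOAD_ADDR
and CONFIG_SPL_TEXT_BASE. Please source these from config symbols too
(or add a comment saying where the values come from) so the FIT cannot
drift from what the firmware expects. The filename property inside the
blob-ext node of k3-j721e-common-proc-board.dtb is also missing one
level of indentation. Lastly, no image node carries a hash subnode; if
that is intentional for GP devices, please say so in the commit message.
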
>> diff --git a/arch/arm/dts/k3-j721e-common-proc-board-u-boot.dtsi b/arch/arm/dts/k3-j721e-common-proc-board-u-boot.dtsi
>> index 677a72d2a2..6490d71f7e 100644
>> --- a/arch/arm/dts/k3-j721e-common-proc-board-u-boot.dtsi
>> +++ b/arch/arm/dts/k3-j721e-common-proc-board-u-boot.dtsi
>> @@ -4,6 +4,7 @@
>>    */
>>   
>>   #include <dt-bindings/net/ti-dp83867.h>
>> +#include "k3-j721e-a72-binman.dtsi"
>>   
>>   / {
>>   	chosen {
>> diff --git a/arch/arm/mach-k3/config.mk b/arch/arm/mach-k3/config.mk
>> index 49f80ae79b..e0d9ea97c9 100644
>> --- a/arch/arm/mach-k3/config.mk
>> +++ b/arch/arm/mach-k3/config.mk
>> @@ -52,38 +52,5 @@ ifeq ($(CONFIG_SOC_K3_J721E),)
>>   export DM := /dev/null
>>   endif
>>   
>> -ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
>> -SPL_ITS := u-boot-spl-k3_HS.its
>> -$(SPL_ITS): export IS_HS=1
>> -INPUTS-y	+= tispl.bin_HS
>> -else
>> -SPL_ITS := u-boot-spl-k3.its
>> -INPUTS-y	+= tispl.bin
>> -endif
>> -
>> -ifeq ($(CONFIG_SPL_OF_LIST),)
>> -LIST_OF_DTB := $(CONFIG_DEFAULT_DEVICE_TREE)
>> -else
>> -LIST_OF_DTB := $(CONFIG_SPL_OF_LIST)
>>   endif
>> -
>> -quiet_cmd_k3_mkits = MKITS   $@
>> -cmd_k3_mkits = \
>> -	$(srctree)/tools/k3_fit_atf.sh \
>> -	$(CONFIG_K3_ATF_LOAD_ADDR) \
>> -	$(patsubst %,$(obj)/dts/%.dtb,$(subst ",,$(LIST_OF_DTB))) > $@
>> -
>> -$(SPL_ITS): FORCE
>> -	$(call cmd,k3_mkits)
>>   endif
>> -
>> -else
>> -
>> -ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
>> -INPUTS-y	+= u-boot.img_HS
>> -else
>> -INPUTS-y	+= u-boot.img
>> -endif
>> -endif
>> -
>> -include $(srctree)/arch/arm/mach-k3/config_secure.mk
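
Review bot: this hunk removes more than the tispl.bin rules the commit
message describes: the trailing else branch that adds u-boot.img or
u-boot.img_HS to INPUTS-y and the "include
$(srctree)/arch/arm/mach-k3/config_secure.mk" line are dropped for every
board that uses this config.mk. That takes the secure-device signing
rules out of the build for platforms this series does not convert.
Please keep those lines and skip only the tispl.bin parts when binman
produces the image.
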
> 
> You can't yet remove these as all K3 platforms are not converted to use binman.
> Please include them under #ifndef CONFIG_BINMAN...#endif
> 
> One more question I have is that how are _HS binaries being created with binman?
> 

I will make the changes accordingly that do not affect any of the other 
builds. _HS binaries are not being created with binman in this series.

But there is a patch series that does create HS images (tispl.bin and 
u-boot.img) using binman for AM64x: 
https://patchwork.ozlabs.org/project/uboot/patch/20220509072936.12899-4-rogerq@kernel.org/

>> diff --git a/board/ti/j721e/Kconfig b/board/ti/j721e/Kconfig
>> index a3a9d504ae..3cf05f0d3b 100644
>> --- a/board/ti/j721e/Kconfig
>> +++ b/board/ti/j721e/Kconfig
>> @@ -14,6 +14,7 @@ config TARGET_J721E_A72_EVM
>>   	select BOARD_LATE_INIT
>>   	imply TI_I2C_BOARD_DETECT
>>   	select SYS_DISABLE_DCACHE_OPS
>> +	select BINMAN
>>   
>>   config TARGET_J721E_R5_EVM
>>   	bool "TI K3 based J721E EVM running on R5"
>> diff --git a/scripts/Makefile.spl b/scripts/Makefile.spl
>> index 6ad82cecfb..5f8a8487c5 100644
>> --- a/scripts/Makefile.spl
>> +++ b/scripts/Makefile.spl
>> @@ -577,7 +577,3 @@ $(obj)/$(SPL_BIN).multidtb.fit.gz: $(obj)/$(SPL_BIN).multidtb.fit
>>   $(obj)/$(SPL_BIN).multidtb.fit.lzo: $(obj)/$(SPL_BIN).multidtb.fit
>>   	@lzop -f9 $< > $@
>>   
>> -ifdef CONFIG_ARCH_K3
>> -tispl.bin: $(obj)/u-boot-spl-nodtb.bin $(SHRUNK_ARCH_DTB) $(SPL_ITS) FORCE
>> -	$(call if_changed,mkfitimage)
>> -endif
> 
> Please don't remove this but include it under #ifndef CONFIG_BINMAN...#endif
> 
> cheers,
> -roger

-- 
Thanking You
Neha Malcom Francis


* Re: [PATCH RFC v2 03/11] ti: etype: sysfw: Add entry type for sysfw
  2022-06-01  5:58     ` Neha Malcom Francis
@ 2022-06-01  7:29       ` Neha Malcom Francis
  2022-06-01  9:26       ` Roger Quadros
  1 sibling, 0 replies; 36+ messages in thread
From: Neha Malcom Francis @ 2022-06-01  7:29 UTC (permalink / raw)
  To: Roger Quadros, u-boot

Hi Roger,

On 01/06/22 11:28, Neha Malcom Francis wrote:
> Hi Roger,
> 
> On 31/05/22 14:14, Roger Quadros wrote:
>>
>>
>> On 06/05/2022 07:37, Neha Malcom Francis wrote:
>>> For K3 devices that require a sysfw image, add entry for SYSFW. It can
>>
>> 'can' or 'should'?
>>
>> For binman, 'sysfw' and 'dm' (added in patch 4) are just binary blobs. 
>> correct?
>> Why can't you just use blob entry type?
>>
> This was suggested so that there is space for changes that will be 
> required when scaling to High Security devices as well.
> 

Also to add, this also enables us to take files given in "SYSFW" and 
"DM" arguments since it is an Entry_blob_named_by_arg. Similar to the 
use of etype/scp.py

>>> contain system firmware image that can be packaged into sysfw.itb by
>>> binman.
>>>
>>> Signed-off-by: Tarun Sahu <t-sahu@ti.com>
>>> [n-francis@ti.com: added tests for addition of etype]
>>> Signed-off-by: Neha Malcom Francis <n-francis@ti.com>
>>
>> cheers,
>> -roger
>>
>>> ---
>>>   Makefile                           |  1 +
>>>   tools/binman/entries.rst           | 11 +++++++++++
>>>   tools/binman/etype/ti_sysfw.py     | 28 ++++++++++++++++++++++++++++
>>>   tools/binman/ftest.py              |  7 +++++++
>>>   tools/binman/test/232_ti_sysfw.dts | 13 +++++++++++++
>>>   5 files changed, 60 insertions(+)
>>>   create mode 100644 tools/binman/etype/ti_sysfw.py
>>>   create mode 100644 tools/binman/test/232_ti_sysfw.dts
>>>
>>> diff --git a/Makefile b/Makefile
>>> index 4b347d3603..581fbba4c3 100644
>>> --- a/Makefile
>>> +++ b/Makefile
>>> @@ -1338,6 +1338,7 @@ cmd_binman = $(srctree)/tools/binman/binman 
>>> $(if $(BINMAN_DEBUG),-D) \
>>>           -a opensbi-path=${OPENSBI} \
>>>           -a default-dt=$(default_dt) \
>>>           -a scp-path=$(SCP) \
>>> +        -a ti-sysfw-path=$(SYSFW) \
>>>           -a spl-bss-pad=$(if $(CONFIG_SPL_SEPARATE_BSS),,1) \
>>>           -a tpl-bss-pad=$(if $(CONFIG_TPL_SEPARATE_BSS),,1) \
>>>           -a spl-dtb=$(CONFIG_SPL_OF_REAL) \
>>> diff --git a/tools/binman/entries.rst b/tools/binman/entries.rst
>>> index ae4305c99e..6c0f03b34f 100644
>>> --- a/tools/binman/entries.rst
>>> +++ b/tools/binman/entries.rst
>>> @@ -1203,6 +1203,17 @@ This entry holds firmware for an external 
>>> platform-specific coprocessor.
>>> +Entry: sysfw: Texas Instruments System Firmware (SYSFW) blob
>>> +------------------------------------------------------------
>>> +
>>> +Properties / Entry arguments:
>>> +    - ti-sysfw-path: Filename of file to read into the entry, 
>>> typically sysfw.bin
>>> +
>>> +This entry contains system firmware necessary for booting of K3 
>>> architecture
>>> +devices.
>>> +
>>> +
>>> +
>>>   Entry: section: Entry that contains other entries
>>>   -------------------------------------------------
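
Review bot: The new heading in entries.rst reads "Entry: sysfw:", but the entry type added by this patch is ti-sysfw (class Entry_ti_sysfw, node ti-sysfw in 232_ti_sysfw.dts), so the documented name is not the one a user has to write in the binman node. Rename the heading to "Entry: ti-sysfw: ..." with a matching underline, and keep the text identical to the class docstring so the two do not drift.
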
>>> diff --git a/tools/binman/etype/ti_sysfw.py 
>>> b/tools/binman/etype/ti_sysfw.py
>>> new file mode 100644
>>> index 0000000000..5b5b307030
>>> --- /dev/null
>>> +++ b/tools/binman/etype/ti_sysfw.py
>>> @@ -0,0 +1,28 @@
>>> +# SPDX-License-Identifier: GPL-2.0+
>>> +# Copyright (C) 2022 Texas Instruments Incorporated - 
>>> https://www.ti.com/
>>> +#
>>> +# Entry type module for TI SYSFW binary blob
>>> +#
>>> +
>>> +import os
>>> +import struct
>>> +import sys
>>> +import zlib
>>> +
>>> +from binman.etype.blob_named_by_arg import Entry_blob_named_by_arg
>>> +from dtoc import fdt_util
>>> +from patman import tools
>>> +
>>> +
>>> +class Entry_ti_sysfw(Entry_blob_named_by_arg):
>>> +    """Entry containing Texas Instruments System Firmware (SYSFW) blob
>>> +
>>> +    Properties / Entry arguments:
>>> +        - ti-sysfw-path: Filename of file to read into the entry, 
>>> typically sysfw.bin
>>> +
>>> +    This entry contains system firmware necessary for booting of K3 
>>> architecture devices.
>>> +    """
>>> +
>>> +    def __init__(self, section, etype, node):
>>> +        super().__init__(section, etype, node, 'ti-sysfw')
>>> +        self.external = True
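
Review bot: The imports of os, struct, sys, zlib, fdt_util and tools at the top of ti_sysfw.py are unused, since the class only calls super().__init__() and sets self.external. Drop them and keep only the Entry_blob_named_by_arg import. The docstring would also benefit from one sentence on why this is a dedicated etype rather than a plain blob, which is the question raised in review.
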
>>> diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py
>>> index 4ce181a066..ec408de334 100644
>>> --- a/tools/binman/ftest.py
>>> +++ b/tools/binman/ftest.py
>>> @@ -87,6 +87,7 @@ ATF_BL31_DATA         = b'bl31'
>>>   TEE_OS_DATA           = b'this is some tee OS data'
>>>   ATF_BL2U_DATA         = b'bl2u'
>>>   OPENSBI_DATA          = b'opensbi'
>>> +TI_SYSFW_DATA         = b'sysfw'
>>>   SCP_DATA              = b'scp'
>>>   TEST_FDT1_DATA        = b'fdt1'
>>>   TEST_FDT2_DATA        = b'test-fdt2'
>>> @@ -195,6 +196,7 @@ class TestFunctional(unittest.TestCase):
>>>           TestFunctional._MakeInputFile('tee-pager.bin', TEE_OS_DATA)
>>>           TestFunctional._MakeInputFile('bl2u.bin', ATF_BL2U_DATA)
>>>           TestFunctional._MakeInputFile('fw_dynamic.bin', OPENSBI_DATA)
>>> +        TestFunctional._MakeInputFile('sysfw.bin', TI_SYSFW_DATA)
>>>           TestFunctional._MakeInputFile('scp.bin', SCP_DATA)
>>>           # Add a few .dtb files for testing
>>> @@ -5522,6 +5524,11 @@ fdt         fdtmap                Extract the 
>>> devicetree blob from the fdtmap
>>>           """Test an image with a pre-load header with an invalid key"""
>>>           with self.assertRaises(ValueError) as e:
>>>               data = self._DoReadFile('231_pre_load_invalid_key.dts')
>>> +
>>> +    def testPackTiSysfw(self):
>>> +        """Test that an image with a SYSFW binary can be created"""
>>> +        data = self._DoReadFile('232_ti_sysfw.dts')
>>> +        self.assertEqual(TI_SYSFW_DATA, data[:len(TI_SYSFW_DATA)])
>>>   if __name__ == "__main__":
>>>       unittest.main()
>>> diff --git a/tools/binman/test/232_ti_sysfw.dts 
>>> b/tools/binman/test/232_ti_sysfw.dts
>>> new file mode 100644
>>> index 0000000000..9e66cbe77b
>>> --- /dev/null
>>> +++ b/tools/binman/test/232_ti_sysfw.dts
>>> @@ -0,0 +1,13 @@
>>> +// SPDX-License-Identifier: GPL-2.0+
>>> +
>>> +/dts-v1/;
>>> +
>>> +/ {
>>> +    #address-cells = <1>;
>>> +    #size-cells = <1>;
>>> +    binman {
>>> +        ti-sysfw {
>>> +            filename = "sysfw.bin";
>>> +        };
>>> +    };
>>> +};
> 

-- 
Thanking You
Neha Malcom Francis


* Re: [PATCH RFC v2 11/11] ti: dtsi: j721e: Use binman to package tispl.bin
  2022-06-01  6:08     ` Neha Malcom Francis
@ 2022-06-01  9:23       ` Roger Quadros
  2022-06-01 10:42         ` Neha Malcom Francis
  0 siblings, 1 reply; 36+ messages in thread
From: Roger Quadros @ 2022-06-01  9:23 UTC (permalink / raw)
  To: Neha Malcom Francis, u-boot; +Cc: Alper Nebi Yasak, Andrew F. Davis

Hi,

On 01/06/2022 09:08, Neha Malcom Francis wrote:
> Hi Roger,
> 
> On 31/05/22 16:32, Roger Quadros wrote:
>>
>>
>> On 06/05/2022 07:37, Neha Malcom Francis wrote:
>>> Explicit make commands were earlier used to generate tispl.bin image,
>>> now it is replaced using binman.
>>>
>>> Binman picks up and packages entries according to the description of
>>> entries given in the binman node in the device tree. The make commands
>>> that were earlier responsible for generating tispl.bin has been removed.
>>>
>>> k3-j721e-a72-binman.dtsi has been introduced for A72 specific binman node.
>>> It can be included in files that require it like
>>> k3-j721e-common-proc-board-u-boot.dtsi.
>>>
>>> Note that make commands for secure devices has also been removed as
>>> focus is on general purpose devices at present time.
>>>
>>> Signed-off-by: Tarun Sahu <t-sahu@ti.com>
>>> [n-francis@ti.com: prepared patch for upstreaming]
>>> Signed-off-by: Neha Malcom Francis <n-francis@ti.com>
>>> ---
>>>   arch/arm/dts/k3-j721e-a72-binman.dtsi         | 86 +++++++++++++++++++
>>>   .../k3-j721e-common-proc-board-u-boot.dtsi    |  1 +
>>>   arch/arm/mach-k3/config.mk                    | 33 -------
>>>   board/ti/j721e/Kconfig                        |  1 +
>>>   scripts/Makefile.spl                          |  4 -
>>>   5 files changed, 88 insertions(+), 37 deletions(-)
>>>   create mode 100644 arch/arm/dts/k3-j721e-a72-binman.dtsi
>>>
>>> diff --git a/arch/arm/dts/k3-j721e-a72-binman.dtsi b/arch/arm/dts/k3-j721e-a72-binman.dtsi
>>> new file mode 100644
>>> index 0000000000..beb3424bb9
>>> --- /dev/null
>>> +++ b/arch/arm/dts/k3-j721e-a72-binman.dtsi
>>> @@ -0,0 +1,86 @@
>>> +// SPDX-License-Identifier: GPL-2.0+
>>> +// Copyright (C) 2022 Texas Instruments Incorporated - https://www.ti.com/
>>> +
>>> +#include <config.h>
>>> +
>>> +#ifdef CONFIG_ARM64
>>> +/ {
>>> +    binman: binman {
>>> +        multiple-images;
>>> +    };
>>> +};
>>> +
>>> +&binman {
>>> +    tispl {
>>> +        filename = "tispl.bin";
>>> +        fit {
>>> +            description = "FIT IMAGE";
>>> +            #address-cells = <1>;
>>> +            images {
>>> +                atf {
>>> +                    description = "ARM Trusted Firmware";
>>> +                    type = "firmware";
>>> +                    arch = "arm64";
>>> +                    compression = "none";
>>> +                    os = "arm-trusted-firmware";
>>> +                    load = <CONFIG_K3_ATF_LOAD_ADDR>;
>>> +                    entry = <CONFIG_K3_ATF_LOAD_ADDR>;
>>> +                    atf-bl31 {
>>> +                    };
>>> +                };
>>> +                tee {
>>> +                    description = "OPTEE";
>>> +                    type = "tee";
>>> +                    arch = "arm64";
>>> +                    compression = "none";
>>> +                    os = "tee";
>>> +                    load = <0x9e800000>;
>>> +                    entry = <0x9e800000>;
>>> +                    tee-os {
>>> +                    };
>>> +                };
>>> +                dm {
>>> +                    description = "DM binary";
>>> +                    type = "firmware";
>>> +                    arch = "arm32";
>>> +                    compression = "none";
>>> +                    os = "DM";
>>> +                    load = <0x89000000>;
>>> +                    entry = <0x89000000>;
>>> +                    ti-dm {
>>> +                    };
>>> +                };
>>> +                spl {
>>> +                    description = "SPL (64-bit)";
>>> +                    type = "standalone";
>>> +                    os = "U-Boot";
>>> +                    arch = "arm64";
>>> +                    compression = "none";
>>> +                    load = <CONFIG_SPL_TEXT_BASE>;
>>> +                    entry = <CONFIG_SPL_TEXT_BASE>;
>>> +                    u-boot-spl-nodtb {
>>> +                    };
>>> +                };
>>> +                k3-j721e-common-proc-board.dtb {
>>> +                    description = "k3-j721e-common-proc-board";
>>> +                    type = "flat_dt";
>>> +                    arch = "arm";
>>> +                    compression = "none";
>>> +                    blob-ext {
>>> +                    filename = "spl/dts/k3-j721e-common-proc-board.dtb";
>>> +                    };
>>> +                };
>>> +            };
>>> +            configurations {
>>> +                default = "conf";
>>> +                conf {
>>> +                    description = "k3-j721e-common-proc-board";
>>> +                    firmware = "atf";
>>> +                    loadables = "tee", "dm", "spl";
>>> +                    fdt = "k3-j721e-common-proc-board.dtb";
>>> +                };
>>> +            };
>>> +        };
>>> +    };
>>> +};
>>> +#endif
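
Review bot: The FIT description hard-codes a single device tree (blob-ext filename "spl/dts/k3-j721e-common-proc-board.dtb" and fdt = "k3-j721e-common-proc-board.dtb"), whereas the k3_mkits rule removed from config.mk in this same patch built the image from LIST_OF_DTB, that is CONFIG_SPL_OF_LIST or CONFIG_DEFAULT_DEVICE_TREE. A configuration that lists more than one DTB would lose the extra FIT configurations, so either derive the fdt nodes from the same list or state the single-DTB limitation in the commit message. The tee and dm load/entry addresses are also bare literals (0x9e800000, 0x89000000) while atf and spl use CONFIG_ symbols; a comment on where they come from, or a matching symbol, would make them reviewable.
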
>>> diff --git a/arch/arm/dts/k3-j721e-common-proc-board-u-boot.dtsi b/arch/arm/dts/k3-j721e-common-proc-board-u-boot.dtsi
>>> index 677a72d2a2..6490d71f7e 100644
>>> --- a/arch/arm/dts/k3-j721e-common-proc-board-u-boot.dtsi
>>> +++ b/arch/arm/dts/k3-j721e-common-proc-board-u-boot.dtsi
>>> @@ -4,6 +4,7 @@
>>>    */
>>>     #include <dt-bindings/net/ti-dp83867.h>
>>> +#include "k3-j721e-a72-binman.dtsi"
>>>     / {
>>>       chosen {
>>> diff --git a/arch/arm/mach-k3/config.mk b/arch/arm/mach-k3/config.mk
>>> index 49f80ae79b..e0d9ea97c9 100644
>>> --- a/arch/arm/mach-k3/config.mk
>>> +++ b/arch/arm/mach-k3/config.mk
>>> @@ -52,38 +52,5 @@ ifeq ($(CONFIG_SOC_K3_J721E),)
>>>   export DM := /dev/null
>>>   endif
>>>   -ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
>>> -SPL_ITS := u-boot-spl-k3_HS.its
>>> -$(SPL_ITS): export IS_HS=1
>>> -INPUTS-y    += tispl.bin_HS
>>> -else
>>> -SPL_ITS := u-boot-spl-k3.its
>>> -INPUTS-y    += tispl.bin
>>> -endif
>>> -
>>> -ifeq ($(CONFIG_SPL_OF_LIST),)
>>> -LIST_OF_DTB := $(CONFIG_DEFAULT_DEVICE_TREE)
>>> -else
>>> -LIST_OF_DTB := $(CONFIG_SPL_OF_LIST)
>>>   endif
>>> -
>>> -quiet_cmd_k3_mkits = MKITS   $@
>>> -cmd_k3_mkits = \
>>> -    $(srctree)/tools/k3_fit_atf.sh \
>>> -    $(CONFIG_K3_ATF_LOAD_ADDR) \
>>> -    $(patsubst %,$(obj)/dts/%.dtb,$(subst ",,$(LIST_OF_DTB))) > $@
>>> -
>>> -$(SPL_ITS): FORCE
>>> -    $(call cmd,k3_mkits)
>>>   endif
>>> -
>>> -else
>>> -
>>> -ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
>>> -INPUTS-y    += u-boot.img_HS
>>> -else
>>> -INPUTS-y    += u-boot.img
>>> -endif
>>> -endif
>>> -
>>> -include $(srctree)/arch/arm/mach-k3/config_secure.mk
>>
>> You can't yet remove these as all K3 platforms are not converted to use binman.
>> Please include them under #ifndef CONFIG_BINMAN...#endif
>>
>> One more question I have is that how are _HS binaries being created with binman?
>>
> 
> I will make the changes accordingly that do not affect any of the other builds. _HS binaries are not being created with binman in this series.
> 
> But there is a patch series that does create HS images (tispl.bin and u-boot.img) using binman for AM64x: https://patchwork.ozlabs.org/project/uboot/patch/20220509072936.12899-4-rogerq@kernel.org/

That series still depends on "TI_SECURE_DEV_PKG//scripts/secure-binary-image.sh"
to sign the image.

Funny thing is that I'm no longer able to download the above package from ti.com
to see what it is doing. Any pointers on how to get it?

cheers,
-roger

> 
>>> diff --git a/board/ti/j721e/Kconfig b/board/ti/j721e/Kconfig
>>> index a3a9d504ae..3cf05f0d3b 100644
>>> --- a/board/ti/j721e/Kconfig
>>> +++ b/board/ti/j721e/Kconfig
>>> @@ -14,6 +14,7 @@ config TARGET_J721E_A72_EVM
>>>       select BOARD_LATE_INIT
>>>       imply TI_I2C_BOARD_DETECT
>>>       select SYS_DISABLE_DCACHE_OPS
>>> +    select BINMAN
>>>     config TARGET_J721E_R5_EVM
>>>       bool "TI K3 based J721E EVM running on R5"
>>> diff --git a/scripts/Makefile.spl b/scripts/Makefile.spl
>>> index 6ad82cecfb..5f8a8487c5 100644
>>> --- a/scripts/Makefile.spl
>>> +++ b/scripts/Makefile.spl
>>> @@ -577,7 +577,3 @@ $(obj)/$(SPL_BIN).multidtb.fit.gz: $(obj)/$(SPL_BIN).multidtb.fit
>>>   $(obj)/$(SPL_BIN).multidtb.fit.lzo: $(obj)/$(SPL_BIN).multidtb.fit
>>>       @lzop -f9 $< > $@
>>>   -ifdef CONFIG_ARCH_K3
>>> -tispl.bin: $(obj)/u-boot-spl-nodtb.bin $(SHRUNK_ARCH_DTB) $(SPL_ITS) FORCE
>>> -    $(call if_changed,mkfitimage)
>>> -endif
>>
>> Please don't remove this but include it under #ifndef CONFIG_BINMAN...#endif
>>
>> cheers,
>> -roger
> 


* Re: [PATCH RFC v2 05/11] ti: etype: x509: Add etype for x509 certificate for K3 devices
  2022-06-01  6:02     ` Neha Malcom Francis
@ 2022-06-01  9:24       ` Roger Quadros
  2022-06-01  9:48         ` Neha Malcom Francis
  0 siblings, 1 reply; 36+ messages in thread
From: Roger Quadros @ 2022-06-01  9:24 UTC (permalink / raw)
  To: Neha Malcom Francis, u-boot



On 01/06/2022 09:02, Neha Malcom Francis wrote:
> Hi Roger,
> 
> On 31/05/22 14:50, Roger Quadros wrote:
>>
>>
>> On 06/05/2022 07:37, Neha Malcom Francis wrote:
>>> K3 devices x509 certificate added to certain binaries that allows ROM to
>>
>> what binaries?
>>
>>> validate the integrity of the image. Etype that generates an x509
>>> certificate depending on boot flow added.
>>
>> Could you please explain in more detail as to what exactly is happening here.
>>
>> What do you mean by "depending on boot flow"?
>>
> 
> I will reformat the commit messages accordingly.
>>>
>>> Signed-off-by: Neha Malcom Francis <n-francis@ti.com>
>>> ---
>>>   tools/binman/entries.rst            |  15 ++
>>>   tools/binman/etype/x509_cert.py     | 248 ++++++++++++++++++++++++++++
>>>   tools/binman/ftest.py               |   7 +
>>>   tools/binman/test/232_x509_cert.dts |  18 ++
>>>   tools/k3_gen_x509_cert.sh           |  10 +-
>>>   5 files changed, 293 insertions(+), 5 deletions(-)
>>>   create mode 100644 tools/binman/etype/x509_cert.py
>>>   create mode 100644 tools/binman/test/232_x509_cert.dts
>>>
>>> diff --git a/tools/binman/entries.rst b/tools/binman/entries.rst
>>> index 0c6d82fce8..dfa281e49f 100644
>>> --- a/tools/binman/entries.rst
>>> +++ b/tools/binman/entries.rst
>>> @@ -1890,6 +1890,21 @@ and kernel are genuine.
>>>       +Entry: x509cert: x509 certificate for K3 devices
>>> +------------------------------------------------
>>> +
>>
>> x509 is a generic standard. Can this be made usable by other vendors as well or
>> is it very specific to TI?
>> If this is TI specific then I'd suggest a "ti-" prefix to the entry name.
>>
>>> +Properties / Entry arguments:
>>> +        - content: Phandle of binary to sign
>>> +        - output: Name of the final output file
>>
>> why do you need output property?
>>
> 
> That is not required, I had later changed it to always using certificate.bin. Will make the necessary changes.
> 
>>> +        - key_file: File with key inside it. If not provided, script generates RSA degenerate key
>>> +        - core: Target core ID on which image would be running
>>> +        - load: Target load address of the binary in hex
>>> +
>>> +    Output files:
>>> +        - certificate.bin: Signed certificate binary
>>> +
>>> +
>>> +
>>>   Entry: x86-reset16: x86 16-bit reset code for U-Boot
>>>   ----------------------------------------------------
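
Review bot: The property is documented here as key_file, but Entry_x509_cert.__init__ reads it with fdt_util.GetString(self._node, 'key-file', ""), so a node written from this documentation leaves self.key_file empty and ReadNode() silently selects the generated degenerate key instead of the intended one. Use key-file in the rst and in the class docstring. The heading "x509cert" likewise does not match the node name x509-cert used in 232_x509_cert.dts, and the output property is listed but never read by the class.
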
>>>   diff --git a/tools/binman/etype/x509_cert.py b/tools/binman/etype/x509_cert.py
>>> new file mode 100644
>>> index 0000000000..0009973155
>>> --- /dev/null
>>> +++ b/tools/binman/etype/x509_cert.py
>>> @@ -0,0 +1,248 @@
>>> +# SPDX-License-Identifier: GPL-2.0+
>>> +# Copyright (c) 2018 Google, Inc
>>> +# Written by Simon Glass <sjg@chromium.org>
>>> +#
>>> +
>>> +# Support for a x509 certificate for signing K3 devices
>>> +
>>> +import os
>>> +from collections import OrderedDict
>>> +from subprocess import Popen, PIPE
>>> +from sys import stderr, stdout
>>> +
>>> +import asn1
>>> +from Crypto.PublicKey import RSA
>>> +from cryptography.hazmat.backends import default_backend
>>> +from cryptography.hazmat.primitives import serialization
>>> +
>>> +from binman.etype.collection import Entry_collection
>>> +from dtoc import fdt_util
>>> +from patman import tools
>>> +
>>> +temp_x509 = "x509-temp.cert"
>>> +cert = "certificate.bin"
>>> +rand_key = "eckey.pem"
>>> +bootcore_opts = 0
>>> +bootcore = 0
>>> +debug_type = 0
>>> +
>>> +
>>> +class Entry_x509_cert(Entry_collection):
>>> +    """ An entry which contains a x509 certificate
>>> +
>>> +    Properties / Entry arguments:
>>> +        - content: Phandle of binary to sign
>>> +        - key_file: File with key inside it. If not provided, script generates RSA degenerate key
>>> +        - core: Target core ID on which image would be running
>>> +        - load: Target load address of the binary in hex
>>> +
>>> +    Output files:
>>> +        - certificate.bin: Signed certificate binary"""
>>> +
>>> +    def __init__(self, section, etype, node):
>>> +        super().__init__(section, etype, node)
>>> +        self.key_file = fdt_util.GetString(self._node, 'key-file', "")
>>> +        self.core = fdt_util.GetInt(self._node, 'core', 0)
>>> +        self.load_addr = fdt_util.GetInt(self._node, 'load', 0x41c00000)
>>> +
>>> +    def ReadNode(self):
>>> +        super().ReadNode()
>>> +        if self.key_file == "":
>>> +            self.degen_key = True
>>> +        else:
>>> +            self.degen_key = False
>>> +
>>> +    def _CreateCertificate(self):
>>> +        """Create certificate for legacy boot flow"""
>>> +        if self.degen_key == True:
>>> +            gen_degen_key()
>>> +            self.key_file = rand_key
>>> +
>>> +        sha_val = get_sha_val("intermediate-sysfw.bin")
>>> +        bin_size = get_file_size("intermediate-sysfw.bin")
>>> +        addr = "%08x" % self.load_addr
>>> +        if self.core == 0:
>>> +            cert_type = 2
>>> +        elif self.core == 16:
>>> +            cert_type = 1
>>> +        else:
>>> +            cert_type = 2
>>> +        debug_type = 0
>>> +
>>> +        gen_template()
>>> +        gen_cert(bin_size, sha_val, cert_type, bootcore_opts,
>>> +                 self.core, addr, debug_type, self.key_file)
>>> +
>>> +        return tools.read_file("certificate.bin")
>>> +
>>> +    def ObtainContents(self):
>>> +        self.image = self.GetContents(False)
>>> +        if self.image is None:
>>> +            return False
>>> +        f = open("intermediate-sysfw.bin", "wb")
>>> +        f.write(self.image)
>>> +        f.close()
>>> +        self.SetContents(self._CreateCertificate())
>>> +        return True
>>> +
>>> +    def ProcessContents(self):
>>> +        data = self._CreateCertificate()
>>> +        return self.ProcessContentsUpdate(data)
>>
>> Why do you need _CreateCertificate() and ProcessContents()?
>> Just have one ObtainContents() and try to get rid of all the intermediate files.
>>
> 
> I used etype/vblock.py as a reference. I will clean up this etype further.
> 

There were some more comments below, in case you missed them.

>>> +
>>> +
>>> +def get_sha_val(binary_file):
>>> +    process = Popen(['openssl', 'dgst', '-sha512', '-hex',
>>> +                    binary_file], stdout=PIPE, stderr=PIPE)
>>> +    stdout, stderr = process.communicate()
>>> +    sha_val = stdout.split()[1]
>>> +    return sha_val
>>> +
>>> +
>>> +def get_file_size(binary_file):
>>> +    return os.path.getsize(binary_file)
>>> +
>>> +
>>> +def gen_degen_template():
>>> +    with open("degen-template.txt", 'w+', encoding='utf-8') as f:
>>> +        degen_temp = """
>>> +asn1=SEQUENCE:rsa_key
>>> +
>>> +[rsa_key]
>>> +version=INTEGER:0
>>> +modulus=INTEGER:0xDEGEN_MODULUS
>>> +pubExp=INTEGER:1
>>> +privExp=INTEGER:1
>>> +p=INTEGER:0xDEGEN_P
>>> +q=INTEGER:0xDEGEN_Q
>>> +e1=INTEGER:1
>>> +e2=INTEGER:1
>>> +coeff=INTEGER:0xDEGEN_COEFF"""
>>> +        f.write(degen_temp)
>>> +
>>> +
>>> +def gen_template():
>>> +    """Generate x509 Template"""
>>> +    with open("x509-template.txt", "w+", encoding='utf-8') as f:
>>> +        x509template = """
>>> +[ req ]
>>> +distinguished_name     = req_distinguished_name
>>> +x509_extensions        = v3_ca
>>> +prompt                 = no
>>> +dirstring_type         = nobmp
>>> +
>>> +[ req_distinguished_name ]
>>> +C                      = US
>>> +ST                     = TX
>>> +L                      = Dallas
>>> +O                      = Texas Instruments Incorporated
>>> +OU                     = Processors
>>> +CN                     = TI support
>>> +emailAddress           = support@ti.com
>>> +
>>> +[ v3_ca ]
>>> +basicConstraints = CA:true
>>> +1.3.6.1.4.1.294.1.1 = ASN1:SEQUENCE:boot_seq
>>> +1.3.6.1.4.1.294.1.2 = ASN1:SEQUENCE:image_integrity
>>> +1.3.6.1.4.1.294.1.3 = ASN1:SEQUENCE:swrv
>>> +# 1.3.6.1.4.1.294.1.4 = ASN1:SEQUENCE:encryption
>>> +1.3.6.1.4.1.294.1.8 = ASN1:SEQUENCE:debug
>>> +
>>> +[ boot_seq ]
>>> +certType = INTEGER:TEST_CERT_TYPE
>>> +bootCore = INTEGER:TEST_BOOT_CORE
>>> +bootCoreOpts = INTEGER:TEST_BOOT_CORE_OPTS
>>> +destAddr = FORMAT:HEX,OCT:TEST_BOOT_ADDR
>>> +imageSize = INTEGER:TEST_IMAGE_LENGTH
>>> +
>>> +[ image_integrity ]
>>> +shaType = OID:2.16.840.1.101.3.4.2.3
>>> +shaValue = FORMAT:HEX,OCT:TEST_IMAGE_SHA_VAL
>>> +
>>> +[ swrv ]
>>> +swrv = INTEGER:0
>>> +
>>> +# [ encryption ]
>>> +# initalVector = FORMAT:HEX,OCT:TEST_IMAGE_ENC_IV
>>> +# randomString = FORMAT:HEX,OCT:TEST_IMAGE_ENC_RS
>>> +# iterationCnt = INTEGER:TEST_IMAGE_KEY_DERIVE_INDEX
>>> +# salt = FORMAT:HEX,OCT:TEST_IMAGE_KEY_DERIVE_SALT
>>> +
>>> +[ debug ]
>>> +debugUID = FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000
>>> +debugType = INTEGER:TEST_DEBUG_TYPE
>>> +coreDbgEn = INTEGER:0
>>> +coreDbgSecEn = INTEGER:0"""
>>> +        f.write(x509template)
>>> +
>>> +
>>> +def parse_key(inp_key, section):
>>> +    parsed_key = ""
>>> +    section_true = False
>>> +    with open(inp_key, 'r') as file:
>>> +        for line in file:
>>> +            if section in line:
>>> +                section_true = True
>>> +            elif section_true:
>>> +                if "    " not in line:
>>> +                    break
>>> +                else:
>>> +                    parsed_key += line.replace(":", "").replace("    ", "")
>>> +    return parsed_key.replace("\n", "")
>>> +
>>> +
>>> +def gen_degen_key():
>>> +    """Generate a 4096 bit RSA key"""
>>> +    try:
>>> +        # generates 1024 bit PEM encoded RSA key in PKCS#1 format
>>> +        private_key = RSA.generate(1024)
>>> +        f = open('key.pem', 'wb')
>>> +        f.write(private_key.exportKey('PEM'))
>>> +        f.close()
>>> +    except:
>>> +        raise(Exception)
>>> +
>>> +    try:
>>> +        process = Popen(['openssl', 'rsa', '-in', 'key.pem',
>>> +                        '-text', '-out', 'key.txt'], stdout=PIPE, stderr=PIPE)
>>> +        stdout, stderr = process.communicate()
>>> +    except:
>>> +        raise(stderr)
>>> +
>>> +    DEGEN_MODULUS = parse_key("key.txt", "modulus")
>>> +    DEGEN_P = parse_key("key.txt", "prime1")
>>> +    DEGEN_Q = parse_key("key.txt", "prime2")
>>> +    DEGEN_COEFF = parse_key("key.txt", "coefficient")
>>> +
>>> +    gen_degen_template()
>>> +
>>> +    with open("degen-template.txt", 'r') as file_input:
>>> +        with open("degenerateKey.txt", 'w') as file_output:
>>> +            for line in file_input:
>>> +                s = line.replace("DEGEN_MODULUS", DEGEN_MODULUS).replace(
>>> +                    "DEGEN_P", DEGEN_P).replace("DEGEN_Q", DEGEN_Q).replace("DEGEN_COEFF", DEGEN_COEFF)
>>> +                file_output.write(s)
>>> +
>>> +    try:
>>> +        process = Popen(['openssl', 'asn1parse', '-genconf', 'degenerateKey.txt',
>>> +                        '-out', 'degenerateKey.der'], stdout=PIPE, stderr=PIPE)
>>> +        stdout, stderr = process.communicate()
>>> +    except:
>>> +        raise(stderr)
>>> +
>>> +    try:
>>> +        process = Popen(['openssl', 'rsa', '-in', 'degenerateKey.der',
>>> +                        '-inform', 'DER', '-outform', 'PEM', '-out', rand_key])
>>> +        stdout, stderr = process.communicate()
>>> +    except:
>>> +        raise(stderr)
>>> +
>>> +
>>> +def gen_cert(bin_size, sha_val, cert_type, bootcore_opts, bootcore, addr, debug_type, key):
>>> +    with open(temp_x509, "w") as output_file:
>>> +        with open("x509-template.txt", "r") as input_file:
>>> +            for line in input_file:
>>> +                output_file.write(line.replace("TEST_IMAGE_LENGTH", str(bin_size)).replace("TEST_IMAGE_SHA_VAL", sha_val.decode("utf-8")).replace("TEST_CERT_TYPE", str(cert_type)).replace(
>>> +                    "TEST_BOOT_CORE_OPTS", str(bootcore_opts)).replace("TEST_BOOT_CORE", str(bootcore)).replace("TEST_BOOT_ADDR", str(addr)).replace("TEST_DEBUG_TYPE", str(debug_type)))
>>> +    process = Popen(['openssl', 'req', '-new', '-x509', '-key', key, '-nodes', '-outform',
>>> +                    'DER', '-out', cert, '-config', temp_x509, '-sha512'], stdout=PIPE, stderr=PIPE)
>>> +    stdout, stderr = process.communicate()
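
Review bot: None of the openssl calls in get_sha_val(), gen_degen_key() and gen_cert() check process.returncode, and gen_cert() discards stdout and stderr, so a failing or missing openssl goes unreported and _CreateCertificate() reads whatever certificate.bin happens to be in the working directory. The "except: raise(stderr)" blocks do not cover this: stderr at that point is either unassigned or the bytes from an earlier communicate(), not an exception, so the raise itself fails. Check the return code after each call (or use subprocess.run(..., check=True)) and raise ValueError carrying the decoded stderr. Smaller points in the same file: the gen_degen_key() docstring says 4096 bit while the code calls RSA.generate(1024); key.pem, key.txt and the degenerate key files are written to the current directory and never removed; the asn1, OrderedDict, default_backend and serialization imports are unused; and the copyright header still names Google and Simon Glass.
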
>>> diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py
>>> index 5ff294a386..d8ee592250 100644
>>> --- a/tools/binman/ftest.py
>>> +++ b/tools/binman/ftest.py
>>> @@ -96,6 +96,7 @@ ENV_DATA              = b'var1=1\nvar2="2"'
>>>   PRE_LOAD_MAGIC        = b'UBSH'
>>>   PRE_LOAD_VERSION      = 0x11223344.to_bytes(4, 'big')
>>>   PRE_LOAD_HDR_SIZE     = 0x00001000.to_bytes(4, 'big')
>>> +X509_DATA             = b'filetobesigned'
>>>     # Subdirectory of the input dir to use to put test FDTs
>>>   TEST_FDT_SUBDIR       = 'fdts'
>>> @@ -200,6 +201,7 @@ class TestFunctional(unittest.TestCase):
>>>           TestFunctional._MakeInputFile('fw_dynamic.bin', OPENSBI_DATA)
>>>           TestFunctional._MakeInputFile('sysfw.bin', TI_SYSFW_DATA)
>>>           TestFunctional._MakeInputFile('scp.bin', SCP_DATA)
>>> +        TestFunctional._MakeInputFile('tosign.bin', X509_DATA)
>>>             # Add a few .dtb files for testing
>>>           TestFunctional._MakeInputFile('%s/test-fdt1.dtb' % TEST_FDT_SUBDIR,
>>> @@ -5537,5 +5539,10 @@ fdt         fdtmap                Extract the devicetree blob from the fdtmap
>>>           data = self._DoReadFile('232_ti_sysfw.dts')
>>>           self.assertEqual(TI_SYSFW_DATA, data[:len(TI_SYSFW_DATA)])
>>>   +    def testX509Cert(self):
>>> +        """Test an image with the default x509 certificate header"""
>>> +        data = self._DoReadFile('232_x509_cert.dts')
>>> +        self.assertEqual(X509_DATA, data[938:938 + len(X509_DATA)])
>>
>> what is 938?
>>
>> Isn't it easier to just assert that _DoReadFile('232_x509_cert.dts') is greater than len(X509_DATA)?
>>
>>> +
>>>   if __name__ == "__main__":
>>>       unittest.main()
>>> diff --git a/tools/binman/test/232_x509_cert.dts b/tools/binman/test/232_x509_cert.dts
>>> new file mode 100644
>>> index 0000000000..f768568ca7
>>> --- /dev/null
>>> +++ b/tools/binman/test/232_x509_cert.dts
>>> @@ -0,0 +1,18 @@
>>> +// SPDX-License-Identifier: GPL-2.0+
>>> +
>>> +/dts-v1/;
>>> +
>>> +/ {
>>> +    #address-cells = <1>;
>>> +    #size-cells = <1>;
>>> +
>>> +    binman {
>>> +        x509-cert {
>>> +            content = <&image>;
>>> +        };
>>> +
>>> +        image: blob-ext {
>>> +            filename = "tosign.bin";
>>> +        };
>>> +    };
>>> +};
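
Review bot: The new test file is named 232_x509_cert.dts, but number 232 is already taken by 232_ti_sysfw.dts earlier in this series (see the testPackTiSysfw context lines in the ftest.py hunk above). Give this test the next free number and update the _DoReadFile() call in testX509Cert to match. The node also sets none of key-file, core or load, so only the default path with the generated degenerate key is exercised; a second test with an explicit key-file would cover the other branch of ReadNode().
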
>>> diff --git a/tools/k3_gen_x509_cert.sh b/tools/k3_gen_x509_cert.sh
>>> index 298cec1313..b6ef5a2de3 100755
>>> --- a/tools/k3_gen_x509_cert.sh
>>> +++ b/tools/k3_gen_x509_cert.sh
>>> @@ -109,7 +109,7 @@ gen_degen_key() {
>>>       openssl asn1parse -genconf degenerateKey.txt -out degenerateKey.der >>/dev/null 2>&1
>>>       openssl rsa -in degenerateKey.der -inform DER -outform PEM -out $RAND_KEY >>/dev/null 2>&1
>>>       KEY=$RAND_KEY
>>> -    rm key.pem key.txt degen-template.txt degenerateKey.txt degenerateKey.der
>>> +    #rm key.pem key.txt degen-template.txt degenerateKey.txt degenerateKey.der
>>>   }
>>>     declare -A options_help
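
Review bot: Commenting out the rm at the end of gen_degen_key() leaves key.pem, key.txt and the degenerate key files in the working directory after every run of the script, and leaves dead code behind. Since x509_cert.py in this patch reimplements these steps in Python rather than calling the script, the change does not look necessary; drop it, or if some caller does need the intermediates, gate the cleanup on an explicit option and say so in the commit message.
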
>>> @@ -246,7 +246,7 @@ gen_cert
>>>   cat $CERT $BIN > $OUTPUT
>>>     # Remove all intermediate files
>>> -rm $TEMP_X509 $CERT x509-template.txt
>>> -if [ "$KEY" == "$RAND_KEY" ]; then
>>> -    rm $RAND_KEY
>>> -fi
>>> +#rm $TEMP_X509 $CERT x509-template.txt
>>> +#if [ "$KEY" == "$RAND_KEY" ]; then
>>> +#    rm $RAND_KEY
>>> +#fi
>>
>> Why these changes?
>> Maybe you should include them within
>> "ifndef CONFIG_BINMAN ... endif" to avoid breaking platforms not using BINMAN.
>>
>> cheers,
>> -roger
> 

cheers,
-roger


* Re: [PATCH RFC v2 03/11] ti: etype: sysfw: Add entry type for sysfw
  2022-06-01  5:58     ` Neha Malcom Francis
  2022-06-01  7:29       ` Neha Malcom Francis
@ 2022-06-01  9:26       ` Roger Quadros
  1 sibling, 0 replies; 36+ messages in thread
From: Roger Quadros @ 2022-06-01  9:26 UTC (permalink / raw)
  To: Neha Malcom Francis, u-boot; +Cc: Andrew F. Davis, Alper Nebi Yasak



On 01/06/2022 08:58, Neha Malcom Francis wrote:
> Hi Roger,
> 
> On 31/05/22 14:14, Roger Quadros wrote:
>>
>>
>> On 06/05/2022 07:37, Neha Malcom Francis wrote:
>>> For K3 devices that require a sysfw image, add entry for SYSFW. It can
>>
>> 'can' or 'should'?
>>
>> For binman, 'sysfw' and 'dm' (added in patch 4) are just binary blobs. correct?
>> Why can't you just use blob entry type?
>>
> This was suggested so that there is space for changes that will be required when scaling to High Security devices as well.

How will these change for High Security devices?

cheers,
-roger


> 
>>> contain system firmware image that can be packaged into sysfw.itb by
>>> binman.
>>>
>>> Signed-off-by: Tarun Sahu <t-sahu@ti.com>
>>> [n-francis@ti.com: added tests for addition of etype]
>>> Signed-off-by: Neha Malcom Francis <n-francis@ti.com>
>>
>> cheers,
>> -roger
>>
>>> ---
>>>   Makefile                           |  1 +
>>>   tools/binman/entries.rst           | 11 +++++++++++
>>>   tools/binman/etype/ti_sysfw.py     | 28 ++++++++++++++++++++++++++++
>>>   tools/binman/ftest.py              |  7 +++++++
>>>   tools/binman/test/232_ti_sysfw.dts | 13 +++++++++++++
>>>   5 files changed, 60 insertions(+)
>>>   create mode 100644 tools/binman/etype/ti_sysfw.py
>>>   create mode 100644 tools/binman/test/232_ti_sysfw.dts
>>>
>>> diff --git a/Makefile b/Makefile
>>> index 4b347d3603..581fbba4c3 100644
>>> --- a/Makefile
>>> +++ b/Makefile
>>> @@ -1338,6 +1338,7 @@ cmd_binman = $(srctree)/tools/binman/binman $(if $(BINMAN_DEBUG),-D) \
>>>           -a opensbi-path=${OPENSBI} \
>>>           -a default-dt=$(default_dt) \
>>>           -a scp-path=$(SCP) \
>>> +        -a ti-sysfw-path=$(SYSFW) \
>>>           -a spl-bss-pad=$(if $(CONFIG_SPL_SEPARATE_BSS),,1) \
>>>           -a tpl-bss-pad=$(if $(CONFIG_TPL_SEPARATE_BSS),,1) \
>>>           -a spl-dtb=$(CONFIG_SPL_OF_REAL) \
>>> diff --git a/tools/binman/entries.rst b/tools/binman/entries.rst
>>> index ae4305c99e..6c0f03b34f 100644
>>> --- a/tools/binman/entries.rst
>>> +++ b/tools/binman/entries.rst
>>> @@ -1203,6 +1203,17 @@ This entry holds firmware for an external platform-specific coprocessor.
>>>       +Entry: sysfw: Texas Instruments System Firmware (SYSFW) blob
>>> +------------------------------------------------------------
>>> +
>>> +Properties / Entry arguments:
>>> +    - ti-sysfw-path: Filename of file to read into the entry, typically sysfw.bin
>>> +
>>> +This entry contains system firmware necessary for booting of K3 architecture
>>> +devices.
>>> +
>>> +
>>> +
>>>   Entry: section: Entry that contains other entries
>>>   -------------------------------------------------
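Review bot: The new heading reads "Entry: sysfw:", but the entry type
this series adds is ti-sysfw (class Entry_ti_sysfw, node "ti-sysfw" in
232_ti_sysfw.dts), so a reader searching entries.rst for the node name
will not find it. Rename the heading to "Entry: ti-sysfw: ..." and keep
the title and body identical to the class docstring in ti_sysfw.py,
which currently words the title differently.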
>>>   diff --git a/tools/binman/etype/ti_sysfw.py b/tools/binman/etype/ti_sysfw.py
>>> new file mode 100644
>>> index 0000000000..5b5b307030
>>> --- /dev/null
>>> +++ b/tools/binman/etype/ti_sysfw.py
>>> @@ -0,0 +1,28 @@
>>> +# SPDX-License-Identifier: GPL-2.0+
>>> +# Copyright (C) 2022 Texas Instruments Incorporated - https://www.ti.com/
>>> +#
>>> +# Entry type module for TI SYSFW binary blob
>>> +#
>>> +
>>> +import os
>>> +import struct
>>> +import sys
>>> +import zlib
>>> +
>>> +from binman.etype.blob_named_by_arg import Entry_blob_named_by_arg
>>> +from dtoc import fdt_util
>>> +from patman import tools
>>> +
>>> +
>>> +class Entry_ti_sysfw(Entry_blob_named_by_arg):
>>> +    """Entry containing Texas Instruments System Firmware (SYSFW) blob
>>> +
>>> +    Properties / Entry arguments:
>>> +        - ti-sysfw-path: Filename of file to read into the entry, typically sysfw.bin
>>> +
>>> +    This entry contains system firmware necessary for booting of K3 architecture devices.
>>> +    """
>>> +
>>> +    def __init__(self, section, etype, node):
>>> +        super().__init__(section, etype, node, 'ti-sysfw')
>>> +        self.external = True
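Review bot: The import block at the top of ti_sysfw.py pulls in os,
struct, sys, zlib, fdt_util and tools, none of which the class uses;
the only name needed is Entry_blob_named_by_arg. Drop the unused
imports, and add a one-line comment on "self.external = True" saying
why the blob is treated as external.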
>>> diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py
>>> index 4ce181a066..ec408de334 100644
>>> --- a/tools/binman/ftest.py
>>> +++ b/tools/binman/ftest.py
>>> @@ -87,6 +87,7 @@ ATF_BL31_DATA         = b'bl31'
>>>   TEE_OS_DATA           = b'this is some tee OS data'
>>>   ATF_BL2U_DATA         = b'bl2u'
>>>   OPENSBI_DATA          = b'opensbi'
>>> +TI_SYSFW_DATA         = b'sysfw'
>>>   SCP_DATA              = b'scp'
>>>   TEST_FDT1_DATA        = b'fdt1'
>>>   TEST_FDT2_DATA        = b'test-fdt2'
>>> @@ -195,6 +196,7 @@ class TestFunctional(unittest.TestCase):
>>>           TestFunctional._MakeInputFile('tee-pager.bin', TEE_OS_DATA)
>>>           TestFunctional._MakeInputFile('bl2u.bin', ATF_BL2U_DATA)
>>>           TestFunctional._MakeInputFile('fw_dynamic.bin', OPENSBI_DATA)
>>> +        TestFunctional._MakeInputFile('sysfw.bin', TI_SYSFW_DATA)
>>>           TestFunctional._MakeInputFile('scp.bin', SCP_DATA)
>>>             # Add a few .dtb files for testing
>>> @@ -5522,6 +5524,11 @@ fdt         fdtmap                Extract the devicetree blob from the fdtmap
>>>           """Test an image with a pre-load header with an invalid key"""
>>>           with self.assertRaises(ValueError) as e:
>>>               data = self._DoReadFile('231_pre_load_invalid_key.dts')
>>> +
>>> +    def testPackTiSysfw(self):
>>> +        """Test that an image with a SYSFW binary can be created"""
>>> +        data = self._DoReadFile('232_ti_sysfw.dts')
>>> +        self.assertEqual(TI_SYSFW_DATA, data[:len(TI_SYSFW_DATA)])
>>>     if __name__ == "__main__":
>>>       unittest.main()
>>> diff --git a/tools/binman/test/232_ti_sysfw.dts b/tools/binman/test/232_ti_sysfw.dts
>>> new file mode 100644
>>> index 0000000000..9e66cbe77b
>>> --- /dev/null
>>> +++ b/tools/binman/test/232_ti_sysfw.dts
>>> @@ -0,0 +1,13 @@
>>> +// SPDX-License-Identifier: GPL-2.0+
>>> +
>>> +/dts-v1/;
>>> +
>>> +/ {
>>> +    #address-cells = <1>;
>>> +    #size-cells = <1>;
>>> +    binman {
>>> +        ti-sysfw {
>>> +            filename = "sysfw.bin";
>>> +        };
>>> +    };
>>> +};
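Review bot: The test node names its input through
filename = "sysfw.bin", and testPackTiSysfw calls _DoReadFile() without
entry arguments, so the ti-sysfw-path argument that the Makefile hunk
passes and entries.rst documents is never exercised. Add a second case
that supplies ti-sysfw-path as an entry argument and leaves filename
out of the node.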
> 

^ permalink raw reply	[flat|nested] 36+ messages in thread

* Re: [PATCH RFC v2 05/11] ti: etype: x509: Add etype for x509 certificate for K3 devices
  2022-06-01  9:24       ` Roger Quadros
@ 2022-06-01  9:48         ` Neha Malcom Francis
  2022-06-01 10:48           ` Roger Quadros
  0 siblings, 1 reply; 36+ messages in thread
From: Neha Malcom Francis @ 2022-06-01  9:48 UTC (permalink / raw)
  To: Roger Quadros, u-boot

Hi Roger,

On 01/06/22 14:54, Roger Quadros wrote:
> 
> 
> On 01/06/2022 09:02, Neha Malcom Francis wrote:
>> Hi Roger,
>>
>> On 31/05/22 14:50, Roger Quadros wrote:
>>>
>>>
>>> On 06/05/2022 07:37, Neha Malcom Francis wrote:
>>>> K3 devices x509 certificate added to certain binaries that allows ROM to
>>>
>>> what binaries?
>>>
>>>> validate the integrity of the image. Etype that generates an x509
>>>> certificate depending on boot flow added.
>>>
>>> Could you please explain in more detail as to what exactly is happening here.
>>>
>>> What do you mean by "depending on boot flow"?
>>>
>>
>> I will reformat the commit messages accordingly.
>>>>
>>>> Signed-off-by: Neha Malcom Francis <n-francis@ti.com>
>>>> ---
>>>>    tools/binman/entries.rst            |  15 ++
>>>>    tools/binman/etype/x509_cert.py     | 248 ++++++++++++++++++++++++++++
>>>>    tools/binman/ftest.py               |   7 +
>>>>    tools/binman/test/232_x509_cert.dts |  18 ++
>>>>    tools/k3_gen_x509_cert.sh           |  10 +-
>>>>    5 files changed, 293 insertions(+), 5 deletions(-)
>>>>    create mode 100644 tools/binman/etype/x509_cert.py
>>>>    create mode 100644 tools/binman/test/232_x509_cert.dts
>>>>
>>>> diff --git a/tools/binman/entries.rst b/tools/binman/entries.rst
>>>> index 0c6d82fce8..dfa281e49f 100644
>>>> --- a/tools/binman/entries.rst
>>>> +++ b/tools/binman/entries.rst
>>>> @@ -1890,6 +1890,21 @@ and kernel are genuine.
>>>>        +Entry: x509cert: x509 certificate for K3 devices
>>>> +------------------------------------------------
>>>> +
>>>
>>> x509 is a generic standard. Can this be made usable by other vendors as well or
>>> is it very specific to TI?
>>> If this is TI specific then I'd suggest a "ti-" prefix to the entry name.
>>>
>>>> +Properties / Entry arguments:
>>>> +        - content: Phandle of binary to sign
>>>> +        - output: Name of the final output file
>>>
>>> why do you need output property?
>>>
>>
>> That is not required, I had later changed it to always using certificate.bin. Will make the necessary changes.
>>
>>>> +        - key_file: File with key inside it. If not provided, script generates RSA degenerate key
>>>> +        - core: Target core ID on which image would be running
>>>> +        - load: Target load address of the binary in hex
>>>> +
>>>> +    Output files:
>>>> +        - certificate.bin: Signed certificate binary
>>>> +
>>>> +
>>>> +
>>>>    Entry: x86-reset16: x86 16-bit reset code for U-Boot
>>>>    ----------------------------------------------------
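Review bot: The property list documents "key_file", but __init__ in
x509_cert.py reads the property as 'key-file'; a node written from this
documentation leaves self.key_file empty, and ReadNode() then selects
the degenerate key without any message. Document the property under the
name the code reads, and make the fallback to the degenerate key
visible in the build output. The heading also says "x509cert" while the
node in 232_x509_cert.dts is "x509-cert".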
>>>>    diff --git a/tools/binman/etype/x509_cert.py b/tools/binman/etype/x509_cert.py
>>>> new file mode 100644
>>>> index 0000000000..0009973155
>>>> --- /dev/null
>>>> +++ b/tools/binman/etype/x509_cert.py
>>>> @@ -0,0 +1,248 @@
>>>> +# SPDX-License-Identifier: GPL-2.0+
>>>> +# Copyright (c) 2018 Google, Inc
>>>> +# Written by Simon Glass <sjg@chromium.org>
>>>> +#
>>>> +
>>>> +# Support for a x509 certificate for signing K3 devices
>>>> +
>>>> +import os
>>>> +from collections import OrderedDict
>>>> +from subprocess import Popen, PIPE
>>>> +from sys import stderr, stdout
>>>> +
>>>> +import asn1
>>>> +from Crypto.PublicKey import RSA
>>>> +from cryptography.hazmat.backends import default_backend
>>>> +from cryptography.hazmat.primitives import serialization
>>>> +
>>>> +from binman.etype.collection import Entry_collection
>>>> +from dtoc import fdt_util
>>>> +from patman import tools
>>>> +
>>>> +temp_x509 = "x509-temp.cert"
>>>> +cert = "certificate.bin"
>>>> +rand_key = "eckey.pem"
>>>> +bootcore_opts = 0
>>>> +bootcore = 0
>>>> +debug_type = 0
>>>> +
>>>> +
>>>> +class Entry_x509_cert(Entry_collection):
>>>> +    """ An entry which contains a x509 certificate
>>>> +
>>>> +    Properties / Entry arguments:
>>>> +        - content: Phandle of binary to sign
>>>> +        - key_file: File with key inside it. If not provided, script generates RSA degenerate key
>>>> +        - core: Target core ID on which image would be running
>>>> +        - load: Target load address of the binary in hex
>>>> +
>>>> +    Output files:
>>>> +        - certificate.bin: Signed certificate binary"""
>>>> +
>>>> +    def __init__(self, section, etype, node):
>>>> +        super().__init__(section, etype, node)
>>>> +        self.key_file = fdt_util.GetString(self._node, 'key-file', "")
>>>> +        self.core = fdt_util.GetInt(self._node, 'core', 0)
>>>> +        self.load_addr = fdt_util.GetInt(self._node, 'load', 0x41c00000)
>>>> +
>>>> +    def ReadNode(self):
>>>> +        super().ReadNode()
>>>> +        if self.key_file == "":
>>>> +            self.degen_key = True
>>>> +        else:
>>>> +            self.degen_key = False
>>>> +
>>>> +    def _CreateCertificate(self):
>>>> +        """Create certificate for legacy boot flow"""
>>>> +        if self.degen_key == True:
>>>> +            gen_degen_key()
>>>> +            self.key_file = rand_key
>>>> +
>>>> +        sha_val = get_sha_val("intermediate-sysfw.bin")
>>>> +        bin_size = get_file_size("intermediate-sysfw.bin")
>>>> +        addr = "%08x" % self.load_addr
>>>> +        if self.core == 0:
>>>> +            cert_type = 2
>>>> +        elif self.core == 16:
>>>> +            cert_type = 1
>>>> +        else:
>>>> +            cert_type = 2
>>>> +        debug_type = 0
>>>> +
>>>> +        gen_template()
>>>> +        gen_cert(bin_size, sha_val, cert_type, bootcore_opts,
>>>> +                 self.core, addr, debug_type, self.key_file)
>>>> +
>>>> +        return tools.read_file("certificate.bin")
>>>> +
>>>> +    def ObtainContents(self):
>>>> +        self.image = self.GetContents(False)
>>>> +        if self.image is None:
>>>> +            return False
>>>> +        f = open("intermediate-sysfw.bin", "wb")
>>>> +        f.write(self.image)
>>>> +        f.close()
>>>> +        self.SetContents(self._CreateCertificate())
>>>> +        return True
>>>> +
>>>> +    def ProcessContents(self):
>>>> +        data = self._CreateCertificate()
>>>> +        return self.ProcessContentsUpdate(data)
>>>
>>> Why do you need _CreateCertificate() and ProcessContents()?
>>> Just have one ObtainContents() and try to get rid of all the intermediate files.
>>>
>>
>> I used etype/vblock.py as a reference. I will clean up this etype further.
>>
> 
> There were some more comments below, in case you missed them.
Thanks!

> 
>>>> +
>>>> +
>>>> +def get_sha_val(binary_file):
>>>> +    process = Popen(['openssl', 'dgst', '-sha512', '-hex',
>>>> +                    binary_file], stdout=PIPE, stderr=PIPE)
>>>> +    stdout, stderr = process.communicate()
>>>> +    sha_val = stdout.split()[1]
>>>> +    return sha_val
>>>> +
>>>> +
>>>> +def get_file_size(binary_file):
>>>> +    return os.path.getsize(binary_file)
>>>> +
>>>> +
>>>> +def gen_degen_template():
>>>> +    with open("degen-template.txt", 'w+', encoding='utf-8') as f:
>>>> +        degen_temp = """
>>>> +asn1=SEQUENCE:rsa_key
>>>> +
>>>> +[rsa_key]
>>>> +version=INTEGER:0
>>>> +modulus=INTEGER:0xDEGEN_MODULUS
>>>> +pubExp=INTEGER:1
>>>> +privExp=INTEGER:1
>>>> +p=INTEGER:0xDEGEN_P
>>>> +q=INTEGER:0xDEGEN_Q
>>>> +e1=INTEGER:1
>>>> +e2=INTEGER:1
>>>> +coeff=INTEGER:0xDEGEN_COEFF"""
>>>> +        f.write(degen_temp)
>>>> +
>>>> +
>>>> +def gen_template():
>>>> +    """Generate x509 Template"""
>>>> +    with open("x509-template.txt", "w+", encoding='utf-8') as f:
>>>> +        x509template = """
>>>> +[ req ]
>>>> +distinguished_name     = req_distinguished_name
>>>> +x509_extensions        = v3_ca
>>>> +prompt                 = no
>>>> +dirstring_type         = nobmp
>>>> +
>>>> +[ req_distinguished_name ]
>>>> +C                      = US
>>>> +ST                     = TX
>>>> +L                      = Dallas
>>>> +O                      = Texas Instruments Incorporated
>>>> +OU                     = Processors
>>>> +CN                     = TI support
>>>> +emailAddress           = support@ti.com
>>>> +
>>>> +[ v3_ca ]
>>>> +basicConstraints = CA:true
>>>> +1.3.6.1.4.1.294.1.1 = ASN1:SEQUENCE:boot_seq
>>>> +1.3.6.1.4.1.294.1.2 = ASN1:SEQUENCE:image_integrity
>>>> +1.3.6.1.4.1.294.1.3 = ASN1:SEQUENCE:swrv
>>>> +# 1.3.6.1.4.1.294.1.4 = ASN1:SEQUENCE:encryption
>>>> +1.3.6.1.4.1.294.1.8 = ASN1:SEQUENCE:debug
>>>> +
>>>> +[ boot_seq ]
>>>> +certType = INTEGER:TEST_CERT_TYPE
>>>> +bootCore = INTEGER:TEST_BOOT_CORE
>>>> +bootCoreOpts = INTEGER:TEST_BOOT_CORE_OPTS
>>>> +destAddr = FORMAT:HEX,OCT:TEST_BOOT_ADDR
>>>> +imageSize = INTEGER:TEST_IMAGE_LENGTH
>>>> +
>>>> +[ image_integrity ]
>>>> +shaType = OID:2.16.840.1.101.3.4.2.3
>>>> +shaValue = FORMAT:HEX,OCT:TEST_IMAGE_SHA_VAL
>>>> +
>>>> +[ swrv ]
>>>> +swrv = INTEGER:0
>>>> +
>>>> +# [ encryption ]
>>>> +# initalVector = FORMAT:HEX,OCT:TEST_IMAGE_ENC_IV
>>>> +# randomString = FORMAT:HEX,OCT:TEST_IMAGE_ENC_RS
>>>> +# iterationCnt = INTEGER:TEST_IMAGE_KEY_DERIVE_INDEX
>>>> +# salt = FORMAT:HEX,OCT:TEST_IMAGE_KEY_DERIVE_SALT
>>>> +
>>>> +[ debug ]
>>>> +debugUID = FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000
>>>> +debugType = INTEGER:TEST_DEBUG_TYPE
>>>> +coreDbgEn = INTEGER:0
>>>> +coreDbgSecEn = INTEGER:0"""
>>>> +        f.write(x509template)
>>>> +
>>>> +
>>>> +def parse_key(inp_key, section):
>>>> +    parsed_key = ""
>>>> +    section_true = False
>>>> +    with open(inp_key, 'r') as file:
>>>> +        for line in file:
>>>> +            if section in line:
>>>> +                section_true = True
>>>> +            elif section_true:
>>>> +                if "    " not in line:
>>>> +                    break
>>>> +                else:
>>>> +                    parsed_key += line.replace(":", "").replace("    ", "")
>>>> +    return parsed_key.replace("\n", "")
>>>> +
>>>> +
>>>> +def gen_degen_key():
>>>> +    """Generate a 4096 bit RSA key"""
>>>> +    try:
>>>> +        # generates 1024 bit PEM encoded RSA key in PKCS#1 format
>>>> +        private_key = RSA.generate(1024)
>>>> +        f = open('key.pem', 'wb')
>>>> +        f.write(private_key.exportKey('PEM'))
>>>> +        f.close()
>>>> +    except:
>>>> +        raise(Exception)
>>>> +
>>>> +    try:
>>>> +        process = Popen(['openssl', 'rsa', '-in', 'key.pem',
>>>> +                        '-text', '-out', 'key.txt'], stdout=PIPE, stderr=PIPE)
>>>> +        stdout, stderr = process.communicate()
>>>> +    except:
>>>> +        raise(stderr)
>>>> +
>>>> +    DEGEN_MODULUS = parse_key("key.txt", "modulus")
>>>> +    DEGEN_P = parse_key("key.txt", "prime1")
>>>> +    DEGEN_Q = parse_key("key.txt", "prime2")
>>>> +    DEGEN_COEFF = parse_key("key.txt", "coefficient")
>>>> +
>>>> +    gen_degen_template()
>>>> +
>>>> +    with open("degen-template.txt", 'r') as file_input:
>>>> +        with open("degenerateKey.txt", 'w') as file_output:
>>>> +            for line in file_input:
>>>> +                s = line.replace("DEGEN_MODULUS", DEGEN_MODULUS).replace(
>>>> +                    "DEGEN_P", DEGEN_P).replace("DEGEN_Q", DEGEN_Q).replace("DEGEN_COEFF", DEGEN_COEFF)
>>>> +                file_output.write(s)
>>>> +
>>>> +    try:
>>>> +        process = Popen(['openssl', 'asn1parse', '-genconf', 'degenerateKey.txt',
>>>> +                        '-out', 'degenerateKey.der'], stdout=PIPE, stderr=PIPE)
>>>> +        stdout, stderr = process.communicate()
>>>> +    except:
>>>> +        raise(stderr)
>>>> +
>>>> +    try:
>>>> +        process = Popen(['openssl', 'rsa', '-in', 'degenerateKey.der',
>>>> +                        '-inform', 'DER', '-outform', 'PEM', '-out', rand_key])
>>>> +        stdout, stderr = process.communicate()
>>>> +    except:
>>>> +        raise(stderr)
>>>> +
>>>> +
>>>> +def gen_cert(bin_size, sha_val, cert_type, bootcore_opts, bootcore, addr, debug_type, key):
>>>> +    with open(temp_x509, "w") as output_file:
>>>> +        with open("x509-template.txt", "r") as input_file:
>>>> +            for line in input_file:
>>>> +                output_file.write(line.replace("TEST_IMAGE_LENGTH", str(bin_size)).replace("TEST_IMAGE_SHA_VAL", sha_val.decode("utf-8")).replace("TEST_CERT_TYPE", str(cert_type)).replace(
>>>> +                    "TEST_BOOT_CORE_OPTS", str(bootcore_opts)).replace("TEST_BOOT_CORE", str(bootcore)).replace("TEST_BOOT_ADDR", str(addr)).replace("TEST_DEBUG_TYPE", str(debug_type)))
>>>> +    process = Popen(['openssl', 'req', '-new', '-x509', '-key', key, '-nodes', '-outform',
>>>> +                    'DER', '-out', cert, '-config', temp_x509, '-sha512'], stdout=PIPE, stderr=PIPE)
>>>> +    stdout, stderr = process.communicate()
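Review bot: None of the openssl calls in get_sha_val(), gen_degen_key()
and gen_cert() check the exit status: the result of
process.communicate() is discarded and returncode is never read, and
the "except: raise(stderr)" blocks do not raise an exception object.
If "openssl req" fails, _CreateCertificate() still goes on to
tools.read_file("certificate.bin") and can return a file left over from
an earlier run. Use subprocess.run(..., check=True) or an equivalent
helper and let the failure stop the build. Separately, the
gen_degen_key() docstring says 4096 bit while the code calls
RSA.generate(1024), and every intermediate file (key.pem, key.txt,
eckey.pem, intermediate-sysfw.bin) is written under a fixed name in the
current directory and never removed.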
>>>> diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py
>>>> index 5ff294a386..d8ee592250 100644
>>>> --- a/tools/binman/ftest.py
>>>> +++ b/tools/binman/ftest.py
>>>> @@ -96,6 +96,7 @@ ENV_DATA              = b'var1=1\nvar2="2"'
>>>>    PRE_LOAD_MAGIC        = b'UBSH'
>>>>    PRE_LOAD_VERSION      = 0x11223344.to_bytes(4, 'big')
>>>>    PRE_LOAD_HDR_SIZE     = 0x00001000.to_bytes(4, 'big')
>>>> +X509_DATA             = b'filetobesigned'
>>>>      # Subdirectory of the input dir to use to put test FDTs
>>>>    TEST_FDT_SUBDIR       = 'fdts'
>>>> @@ -200,6 +201,7 @@ class TestFunctional(unittest.TestCase):
>>>>            TestFunctional._MakeInputFile('fw_dynamic.bin', OPENSBI_DATA)
>>>>            TestFunctional._MakeInputFile('sysfw.bin', TI_SYSFW_DATA)
>>>>            TestFunctional._MakeInputFile('scp.bin', SCP_DATA)
>>>> +        TestFunctional._MakeInputFile('tosign.bin', X509_DATA)
>>>>              # Add a few .dtb files for testing
>>>>            TestFunctional._MakeInputFile('%s/test-fdt1.dtb' % TEST_FDT_SUBDIR,
>>>> @@ -5537,5 +5539,10 @@ fdt         fdtmap                Extract the devicetree blob from the fdtmap
>>>>            data = self._DoReadFile('232_ti_sysfw.dts')
>>>>            self.assertEqual(TI_SYSFW_DATA, data[:len(TI_SYSFW_DATA)])
>>>>    +    def testX509Cert(self):
>>>> +        """Test an image with the default x509 certificate header"""
>>>> +        data = self._DoReadFile('232_x509_cert.dts')
>>>> +        self.assertEqual(X509_DATA, data[938:938 + len(X509_DATA)])
>>>
>>> what is 938?

938 was the size of the expected x509 certificate to which the data is 
appended.

>>>
>>> Isn't it easier to just assert that _DoReadFile('232_x509_cert.dts') is greater than len(X509_DATA)?
Would that test ensure the proper creation of certificate.bin?

>>>
>>>> +
>>>>    if __name__ == "__main__":
>>>>        unittest.main()
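Review bot: The slice data[938:938 + len(X509_DATA)] in testX509Cert
hard-codes the certificate length and then checks only the payload that
follows it, so the test asserts nothing about the certificate itself
and fails for unrelated reasons if the DER size changes. Derive the
payload offset from the DER length field at the start of data, and
assert on certificate contents, for example that the SHA-512 digest of
X509_DATA (the shaValue field of the template) appears inside the
certificate bytes.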
>>>> diff --git a/tools/binman/test/232_x509_cert.dts b/tools/binman/test/232_x509_cert.dts
>>>> new file mode 100644
>>>> index 0000000000..f768568ca7
>>>> --- /dev/null
>>>> +++ b/tools/binman/test/232_x509_cert.dts
>>>> @@ -0,0 +1,18 @@
>>>> +// SPDX-License-Identifier: GPL-2.0+
>>>> +
>>>> +/dts-v1/;
>>>> +
>>>> +/ {
>>>> +    #address-cells = <1>;
>>>> +    #size-cells = <1>;
>>>> +
>>>> +    binman {
>>>> +        x509-cert {
>>>> +            content = <&image>;
>>>> +        };
>>>> +
>>>> +        image: blob-ext {
>>>> +            filename = "tosign.bin";
>>>> +        };
>>>> +    };
>>>> +};
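Review bot: This test file is numbered 232, the same number as
232_ti_sysfw.dts added in patch 03 of this series; give it the next
free number. The node also sets only "content", so the key-file, core
and load properties are never tested; add a node that sets them.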
>>>> diff --git a/tools/k3_gen_x509_cert.sh b/tools/k3_gen_x509_cert.sh
>>>> index 298cec1313..b6ef5a2de3 100755
>>>> --- a/tools/k3_gen_x509_cert.sh
>>>> +++ b/tools/k3_gen_x509_cert.sh
>>>> @@ -109,7 +109,7 @@ gen_degen_key() {
>>>>        openssl asn1parse -genconf degenerateKey.txt -out degenerateKey.der >>/dev/null 2>&1
>>>>        openssl rsa -in degenerateKey.der -inform DER -outform PEM -out $RAND_KEY >>/dev/null 2>&1
>>>>        KEY=$RAND_KEY
>>>> -    rm key.pem key.txt degen-template.txt degenerateKey.txt degenerateKey.der
>>>> +    #rm key.pem key.txt degen-template.txt degenerateKey.txt degenerateKey.der
>>>>    }
>>>>      declare -A options_help
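Review bot: Commenting out the rm at the end of gen_degen_key() leaves
key.pem, key.txt and the degenerate-key intermediates in the working
directory after every run, for every existing user of
k3_gen_x509_cert.sh. The commit message does not mention a change to
this script; drop the hunk from the patch.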
>>>> @@ -246,7 +246,7 @@ gen_cert
>>>>    cat $CERT $BIN > $OUTPUT
>>>>      # Remove all intermediate files
>>>> -rm $TEMP_X509 $CERT x509-template.txt
>>>> -if [ "$KEY" == "$RAND_KEY" ]; then
>>>> -    rm $RAND_KEY
>>>> -fi
>>>> +#rm $TEMP_X509 $CERT x509-template.txt
>>>> +#if [ "$KEY" == "$RAND_KEY" ]; then
>>>> +#    rm $RAND_KEY
>>>> +#fi
>>>
>>> Why these changes?
>>> Maybe you should include them within
>>> "ifndef CONFIG_BINMAN ... endif" to avoid breaking platforms not using BINMAN.

These file changes (k3_gen_x509_cert.sh) were not intended to be present 
in the patch series, sorry for that.

>>>
>>> cheers,
>>> -roger
>>
> 
> cheers,
> -roger

-- 
Thanking You
Neha Malcom Francis

^ permalink raw reply	[flat|nested] 36+ messages in thread

* Re: [PATCH RFC v2 11/11] ti: dtsi: j721e: Use binman to package tispl.bin
  2022-06-01  9:23       ` Roger Quadros
@ 2022-06-01 10:42         ` Neha Malcom Francis
  2022-06-01 10:55           ` Roger Quadros
  0 siblings, 1 reply; 36+ messages in thread
From: Neha Malcom Francis @ 2022-06-01 10:42 UTC (permalink / raw)
  To: Roger Quadros, u-boot; +Cc: Alper Nebi Yasak, Andrew F. Davis

Hi Roger,

On 01/06/22 14:53, Roger Quadros wrote:
> Hi,
> 
> On 01/06/2022 09:08, Neha Malcom Francis wrote:
>> Hi Roger,
>>
>> On 31/05/22 16:32, Roger Quadros wrote:
>>>
>>>
>>> On 06/05/2022 07:37, Neha Malcom Francis wrote:
>>>> Explicit make commands were earlier used to generate tispl.bin image,
>>>> now it is replaced using binman.
>>>>
>>>> Binman picks up and packages entries according to the description of
>>>> entries given in the binman node in the device tree. The make commands
>>>> that were earlier responsible for generating tispl.bin have been removed.
>>>>
>>>> k3-j721e-a72-binman.dtsi has been introduced for A72 specific binman node.
>>>> It can be included in files that require it like
>>>> k3-j721e-common-proc-board-u-boot.dtsi.
>>>>
>>>> Note that make commands for secure devices have also been removed as
>>>> focus is on general purpose devices at present time.
>>>>
>>>> Signed-off-by: Tarun Sahu <t-sahu@ti.com>
>>>> [n-francis@ti.com: prepared patch for upstreaming]
>>>> Signed-off-by: Neha Malcom Francis <n-francis@ti.com>
>>>> ---
>>>>    arch/arm/dts/k3-j721e-a72-binman.dtsi         | 86 +++++++++++++++++++
>>>>    .../k3-j721e-common-proc-board-u-boot.dtsi    |  1 +
>>>>    arch/arm/mach-k3/config.mk                    | 33 -------
>>>>    board/ti/j721e/Kconfig                        |  1 +
>>>>    scripts/Makefile.spl                          |  4 -
>>>>    5 files changed, 88 insertions(+), 37 deletions(-)
>>>>    create mode 100644 arch/arm/dts/k3-j721e-a72-binman.dtsi
>>>>
>>>> diff --git a/arch/arm/dts/k3-j721e-a72-binman.dtsi b/arch/arm/dts/k3-j721e-a72-binman.dtsi
>>>> new file mode 100644
>>>> index 0000000000..beb3424bb9
>>>> --- /dev/null
>>>> +++ b/arch/arm/dts/k3-j721e-a72-binman.dtsi
>>>> @@ -0,0 +1,86 @@
>>>> +// SPDX-License-Identifier: GPL-2.0+
>>>> +// Copyright (C) 2022 Texas Instruments Incorporated - https://www.ti.com/
>>>> +
>>>> +#include <config.h>
>>>> +
>>>> +#ifdef CONFIG_ARM64
>>>> +/ {
>>>> +    binman: binman {
>>>> +        multiple-images;
>>>> +    };
>>>> +};
>>>> +
>>>> +&binman {
>>>> +    tispl {
>>>> +        filename = "tispl.bin";
>>>> +        fit {
>>>> +            description = "FIT IMAGE";
>>>> +            #address-cells = <1>;
>>>> +            images {
>>>> +                atf {
>>>> +                    description = "ARM Trusted Firmware";
>>>> +                    type = "firmware";
>>>> +                    arch = "arm64";
>>>> +                    compression = "none";
>>>> +                    os = "arm-trusted-firmware";
>>>> +                    load = <CONFIG_K3_ATF_LOAD_ADDR>;
>>>> +                    entry = <CONFIG_K3_ATF_LOAD_ADDR>;
>>>> +                    atf-bl31 {
>>>> +                    };
>>>> +                };
>>>> +                tee {
>>>> +                    description = "OPTEE";
>>>> +                    type = "tee";
>>>> +                    arch = "arm64";
>>>> +                    compression = "none";
>>>> +                    os = "tee";
>>>> +                    load = <0x9e800000>;
>>>> +                    entry = <0x9e800000>;
>>>> +                    tee-os {
>>>> +                    };
>>>> +                };
>>>> +                dm {
>>>> +                    description = "DM binary";
>>>> +                    type = "firmware";
>>>> +                    arch = "arm32";
>>>> +                    compression = "none";
>>>> +                    os = "DM";
>>>> +                    load = <0x89000000>;
>>>> +                    entry = <0x89000000>;
>>>> +                    ti-dm {
>>>> +                    };
>>>> +                };
>>>> +                spl {
>>>> +                    description = "SPL (64-bit)";
>>>> +                    type = "standalone";
>>>> +                    os = "U-Boot";
>>>> +                    arch = "arm64";
>>>> +                    compression = "none";
>>>> +                    load = <CONFIG_SPL_TEXT_BASE>;
>>>> +                    entry = <CONFIG_SPL_TEXT_BASE>;
>>>> +                    u-boot-spl-nodtb {
>>>> +                    };
>>>> +                };
>>>> +                k3-j721e-common-proc-board.dtb {
>>>> +                    description = "k3-j721e-common-proc-board";
>>>> +                    type = "flat_dt";
>>>> +                    arch = "arm";
>>>> +                    compression = "none";
>>>> +                    blob-ext {
>>>> +                    filename = "spl/dts/k3-j721e-common-proc-board.dtb";
>>>> +                    };
>>>> +                };
>>>> +            };
>>>> +            configurations {
>>>> +                default = "conf";
>>>> +                conf {
>>>> +                    description = "k3-j721e-common-proc-board";
>>>> +                    firmware = "atf";
>>>> +                    loadables = "tee", "dm", "spl";
>>>> +                    fdt = "k3-j721e-common-proc-board.dtb";
>>>> +                };
>>>> +            };
>>>> +        };
>>>> +    };
>>>> +};
>>>> +#endif
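Review bot: The tee and dm nodes use literal load and entry addresses
(0x9e800000 and 0x89000000), while atf and spl in the same FIT take
theirs from CONFIG_K3_ATF_LOAD_ADDR and CONFIG_SPL_TEXT_BASE. Either
add config symbols for the two addresses or add a comment saying where
the values come from, so that they are not silently out of step with
the firmware builds. The filename line inside blob-ext is also missing
one level of indentation.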
>>>> diff --git a/arch/arm/dts/k3-j721e-common-proc-board-u-boot.dtsi b/arch/arm/dts/k3-j721e-common-proc-board-u-boot.dtsi
>>>> index 677a72d2a2..6490d71f7e 100644
>>>> --- a/arch/arm/dts/k3-j721e-common-proc-board-u-boot.dtsi
>>>> +++ b/arch/arm/dts/k3-j721e-common-proc-board-u-boot.dtsi
>>>> @@ -4,6 +4,7 @@
>>>>     */
>>>>      #include <dt-bindings/net/ti-dp83867.h>
>>>> +#include "k3-j721e-a72-binman.dtsi"
>>>>      / {
>>>>        chosen {
>>>> diff --git a/arch/arm/mach-k3/config.mk b/arch/arm/mach-k3/config.mk
>>>> index 49f80ae79b..e0d9ea97c9 100644
>>>> --- a/arch/arm/mach-k3/config.mk
>>>> +++ b/arch/arm/mach-k3/config.mk
>>>> @@ -52,38 +52,5 @@ ifeq ($(CONFIG_SOC_K3_J721E),)
>>>>    export DM := /dev/null
>>>>    endif
>>>>    -ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
>>>> -SPL_ITS := u-boot-spl-k3_HS.its
>>>> -$(SPL_ITS): export IS_HS=1
>>>> -INPUTS-y    += tispl.bin_HS
>>>> -else
>>>> -SPL_ITS := u-boot-spl-k3.its
>>>> -INPUTS-y    += tispl.bin
>>>> -endif
>>>> -
>>>> -ifeq ($(CONFIG_SPL_OF_LIST),)
>>>> -LIST_OF_DTB := $(CONFIG_DEFAULT_DEVICE_TREE)
>>>> -else
>>>> -LIST_OF_DTB := $(CONFIG_SPL_OF_LIST)
>>>>    endif
>>>> -
>>>> -quiet_cmd_k3_mkits = MKITS   $@
>>>> -cmd_k3_mkits = \
>>>> -    $(srctree)/tools/k3_fit_atf.sh \
>>>> -    $(CONFIG_K3_ATF_LOAD_ADDR) \
>>>> -    $(patsubst %,$(obj)/dts/%.dtb,$(subst ",,$(LIST_OF_DTB))) > $@
>>>> -
>>>> -$(SPL_ITS): FORCE
>>>> -    $(call cmd,k3_mkits)
>>>>    endif
>>>> -
>>>> -else
>>>> -
>>>> -ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
>>>> -INPUTS-y    += u-boot.img_HS
>>>> -else
>>>> -INPUTS-y    += u-boot.img
>>>> -endif
>>>> -endif
>>>> -
>>>> -include $(srctree)/arch/arm/mach-k3/config_secure.mk
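Review bot: Removing both CONFIG_TI_SECURE_DEVICE branches and the
config_secure.mk include means nothing in this patch handles a build
with CONFIG_TI_SECURE_DEVICE=y: tispl.bin_HS and u-boot.img_HS are no
longer build inputs, and the binman node added in
k3-j721e-a72-binman.dtsi describes only tispl.bin. Keep these rules for
boards that do not use binman, and make the secure-device plus binman
combination fail explicitly until HS packaging is implemented.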
>>>
>>> You can't yet remove these as all K3 platforms are not converted to use binman.
>>> Please include them under #ifndef CONFIG_BINMAN...#endif
>>>
>>> One more question I have is that how are _HS binaries being created with binman?
>>>
>>
>> I will make the changes accordingly that do not affect any of the other builds. _HS binaries are not being created with binman in this series.
>>
>> But there is a patch series that does create HS images (tispl.bin and u-boot.img) using binman for AM64x: https://patchwork.ozlabs.org/project/uboot/patch/20220509072936.12899-4-rogerq@kernel.org/
> 
> That series still depends on "TI_SECURE_DEV_PKG//scripts/secure-binary-image.sh"
> to sign the image.
> 
> Funny thing is that I'm no longer able to download the above package from ti.com
> to see what it is doing. Any pointers on how to get it?
> 
> cheers,
> -roger
> 

Did you try accessing it from the browser using the https link?

I am able to access the script by cloning 
git://git.ti.com/security-development-tools/core-secdev-k3.git

>>
>>>> diff --git a/board/ti/j721e/Kconfig b/board/ti/j721e/Kconfig
>>>> index a3a9d504ae..3cf05f0d3b 100644
>>>> --- a/board/ti/j721e/Kconfig
>>>> +++ b/board/ti/j721e/Kconfig
>>>> @@ -14,6 +14,7 @@ config TARGET_J721E_A72_EVM
>>>>        select BOARD_LATE_INIT
>>>>        imply TI_I2C_BOARD_DETECT
>>>>        select SYS_DISABLE_DCACHE_OPS
>>>> +    select BINMAN
>>>>      config TARGET_J721E_R5_EVM
>>>>        bool "TI K3 based J721E EVM running on R5"
>>>> diff --git a/scripts/Makefile.spl b/scripts/Makefile.spl
>>>> index 6ad82cecfb..5f8a8487c5 100644
>>>> --- a/scripts/Makefile.spl
>>>> +++ b/scripts/Makefile.spl
>>>> @@ -577,7 +577,3 @@ $(obj)/$(SPL_BIN).multidtb.fit.gz: $(obj)/$(SPL_BIN).multidtb.fit
>>>>    $(obj)/$(SPL_BIN).multidtb.fit.lzo: $(obj)/$(SPL_BIN).multidtb.fit
>>>>        @lzop -f9 $< > $@
>>>>    -ifdef CONFIG_ARCH_K3
>>>> -tispl.bin: $(obj)/u-boot-spl-nodtb.bin $(SHRUNK_ARCH_DTB) $(SPL_ITS) FORCE
>>>> -    $(call if_changed,mkfitimage)
>>>> -endif
>>>
>>> Please don't remove this but include it under #ifndef CONFIG_BINMAN...#endif
>>>
>>> cheers,
>>> -roger
>>

-- 
Thanking You
Neha Malcom Francis

^ permalink raw reply	[flat|nested] 36+ messages in thread

* Re: [PATCH RFC v2 05/11] ti: etype: x509: Add etype for x509 certificate for K3 devices
  2022-06-01  9:48         ` Neha Malcom Francis
@ 2022-06-01 10:48           ` Roger Quadros
  2022-06-02  4:09             ` Neha Malcom Francis
  0 siblings, 1 reply; 36+ messages in thread
From: Roger Quadros @ 2022-06-01 10:48 UTC (permalink / raw)
  To: Neha Malcom Francis, u-boot

Neha,

On 01/06/2022 12:48, Neha Malcom Francis wrote:
> Hi Roger,
> 
> On 01/06/22 14:54, Roger Quadros wrote:
>>
>>
>> On 01/06/2022 09:02, Neha Malcom Francis wrote:
>>> Hi Roger,
>>>
>>> On 31/05/22 14:50, Roger Quadros wrote:
>>>>
>>>>
>>>> On 06/05/2022 07:37, Neha Malcom Francis wrote:
>>>>> K3 devices x509 certificate added to certain binaries that allows ROM to
>>>>
>>>> what binaries?
>>>>
>>>>> validate the integrity of the image. Etype that generates an x509
>>>>> certificate depending on boot flow added.
>>>>
>>>> Could you please explain in more detail as to what exactly is happening here.
>>>>
>>>> What do you mean by "depending on boot flow"?
>>>>
>>>
>>> I will reformat the commit messages accordingly.
>>>>>
>>>>> Signed-off-by: Neha Malcom Francis <n-francis@ti.com>
>>>>> ---
>>>>>    tools/binman/entries.rst            |  15 ++
>>>>>    tools/binman/etype/x509_cert.py     | 248 ++++++++++++++++++++++++++++
>>>>>    tools/binman/ftest.py               |   7 +
>>>>>    tools/binman/test/232_x509_cert.dts |  18 ++
>>>>>    tools/k3_gen_x509_cert.sh           |  10 +-
>>>>>    5 files changed, 293 insertions(+), 5 deletions(-)
>>>>>    create mode 100644 tools/binman/etype/x509_cert.py
>>>>>    create mode 100644 tools/binman/test/232_x509_cert.dts
>>>>>
>>>>> diff --git a/tools/binman/entries.rst b/tools/binman/entries.rst
>>>>> index 0c6d82fce8..dfa281e49f 100644
>>>>> --- a/tools/binman/entries.rst
>>>>> +++ b/tools/binman/entries.rst
>>>>> @@ -1890,6 +1890,21 @@ and kernel are genuine.
>>>>>        +Entry: x509cert: x509 certificate for K3 devices
>>>>> +------------------------------------------------
>>>>> +
>>>>
>>>> x509 is a generic standard. Can this be made usable by other vendors as well or
>>>> is it very specific to TI?
>>>> If this is TI specific then I'd suggest a "ti-" prefix to the entry name.
>>>>
>>>>> +Properties / Entry arguments:
>>>>> +        - content: Phandle of binary to sign
>>>>> +        - output: Name of the final output file
>>>>
>>>> why do you need output property?
>>>>
>>>
>>> That is not required, I had later changed it to always using certificate.bin. Will make the necessary changes.
>>>
>>>>> +        - key_file: File with key inside it. If not provided, script generates RSA degenerate key
>>>>> +        - core: Target core ID on which image would be running
>>>>> +        - load: Target load address of the binary in hex
>>>>> +
>>>>> +    Output files:
>>>>> +        - certificate.bin: Signed certificate binary
>>>>> +
>>>>> +
>>>>> +
>>>>>    Entry: x86-reset16: x86 16-bit reset code for U-Boot
>>>>>    ----------------------------------------------------
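Review bot: the property list documents `key_file`, but `Entry_x509_cert.__init__` in this patch reads `'key-file'`, and the heading spells the entry `x509cert` while the test node is `x509-cert`. Because a missing key silently selects the degenerate key (`pubExp=INTEGER:1`, `privExp=INTEGER:1`), a board file that follows this text and writes `key_file` would be packaged with the degenerate key and no diagnostic. Document the hyphenated names the code parses, drop `output` (the code never reads it), and state plainly that the degenerate key is used when `key-file` is absent.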
>>>>>    diff --git a/tools/binman/etype/x509_cert.py b/tools/binman/etype/x509_cert.py
>>>>> new file mode 100644
>>>>> index 0000000000..0009973155
>>>>> --- /dev/null
>>>>> +++ b/tools/binman/etype/x509_cert.py
>>>>> @@ -0,0 +1,248 @@
>>>>> +# SPDX-License-Identifier: GPL-2.0+
>>>>> +# Copyright (c) 2018 Google, Inc
>>>>> +# Written by Simon Glass <sjg@chromium.org>
>>>>> +#
>>>>> +
>>>>> +# Support for a x509 certificate for signing K3 devices
>>>>> +
>>>>> +import os
>>>>> +from collections import OrderedDict
>>>>> +from subprocess import Popen, PIPE
>>>>> +from sys import stderr, stdout
>>>>> +
>>>>> +import asn1
>>>>> +from Crypto.PublicKey import RSA
>>>>> +from cryptography.hazmat.backends import default_backend
>>>>> +from cryptography.hazmat.primitives import serialization
>>>>> +
>>>>> +from binman.etype.collection import Entry_collection
>>>>> +from dtoc import fdt_util
>>>>> +from patman import tools
>>>>> +
>>>>> +temp_x509 = "x509-temp.cert"
>>>>> +cert = "certificate.bin"
>>>>> +rand_key = "eckey.pem"
>>>>> +bootcore_opts = 0
>>>>> +bootcore = 0
>>>>> +debug_type = 0
>>>>> +
>>>>> +
>>>>> +class Entry_x509_cert(Entry_collection):
>>>>> +    """ An entry which contains a x509 certificate
>>>>> +
>>>>> +    Properties / Entry arguments:
>>>>> +        - content: Phandle of binary to sign
>>>>> +        - key_file: File with key inside it. If not provided, script generates RSA degenerate key
>>>>> +        - core: Target core ID on which image would be running
>>>>> +        - load: Target load address of the binary in hex
>>>>> +
>>>>> +    Output files:
>>>>> +        - certificate.bin: Signed certificate binary"""
>>>>> +
>>>>> +    def __init__(self, section, etype, node):
>>>>> +        super().__init__(section, etype, node)
>>>>> +        self.key_file = fdt_util.GetString(self._node, 'key-file', "")
>>>>> +        self.core = fdt_util.GetInt(self._node, 'core', 0)
>>>>> +        self.load_addr = fdt_util.GetInt(self._node, 'load', 0x41c00000)
>>>>> +
>>>>> +    def ReadNode(self):
>>>>> +        super().ReadNode()
>>>>> +        if self.key_file == "":
>>>>> +            self.degen_key = True
>>>>> +        else:
>>>>> +            self.degen_key = False
>>>>> +
>>>>> +    def _CreateCertificate(self):
>>>>> +        """Create certificate for legacy boot flow"""
>>>>> +        if self.degen_key == True:
>>>>> +            gen_degen_key()
>>>>> +            self.key_file = rand_key
>>>>> +
>>>>> +        sha_val = get_sha_val("intermediate-sysfw.bin")
>>>>> +        bin_size = get_file_size("intermediate-sysfw.bin")
>>>>> +        addr = "%08x" % self.load_addr
>>>>> +        if self.core == 0:
>>>>> +            cert_type = 2
>>>>> +        elif self.core == 16:
>>>>> +            cert_type = 1
>>>>> +        else:
>>>>> +            cert_type = 2
>>>>> +        debug_type = 0
>>>>> +
>>>>> +        gen_template()
>>>>> +        gen_cert(bin_size, sha_val, cert_type, bootcore_opts,
>>>>> +                 self.core, addr, debug_type, self.key_file)
>>>>> +
>>>>> +        return tools.read_file("certificate.bin")
>>>>> +
>>>>> +    def ObtainContents(self):
>>>>> +        self.image = self.GetContents(False)
>>>>> +        if self.image is None:
>>>>> +            return False
>>>>> +        f = open("intermediate-sysfw.bin", "wb")
>>>>> +        f.write(self.image)
>>>>> +        f.close()
>>>>> +        self.SetContents(self._CreateCertificate())
>>>>> +        return True
>>>>> +
>>>>> +    def ProcessContents(self):
>>>>> +        data = self._CreateCertificate()
>>>>> +        return self.ProcessContentsUpdate(data)
>>>>
>>>> Why do you need _CreateCertificate() and ProcessContents()?
>>>> Just have one ObtainContents() and try to get rid of all the intermediate files.
>>>>
>>>
>>> I used etype/vblock.py as a reference. I will clean up this etype further.
>>>
>>
>> There were some more comments below, in case you missed them.
> Thanks!
> 
>>
>>>>> +
>>>>> +
>>>>> +def get_sha_val(binary_file):
>>>>> +    process = Popen(['openssl', 'dgst', '-sha512', '-hex',
>>>>> +                    binary_file], stdout=PIPE, stderr=PIPE)
>>>>> +    stdout, stderr = process.communicate()
>>>>> +    sha_val = stdout.split()[1]
>>>>> +    return sha_val
>>>>> +
>>>>> +
>>>>> +def get_file_size(binary_file):
>>>>> +    return os.path.getsize(binary_file)
>>>>> +
>>>>> +
>>>>> +def gen_degen_template():
>>>>> +    with open("degen-template.txt", 'w+', encoding='utf-8') as f:
>>>>> +        degen_temp = """
>>>>> +asn1=SEQUENCE:rsa_key
>>>>> +
>>>>> +[rsa_key]
>>>>> +version=INTEGER:0
>>>>> +modulus=INTEGER:0xDEGEN_MODULUS
>>>>> +pubExp=INTEGER:1
>>>>> +privExp=INTEGER:1
>>>>> +p=INTEGER:0xDEGEN_P
>>>>> +q=INTEGER:0xDEGEN_Q
>>>>> +e1=INTEGER:1
>>>>> +e2=INTEGER:1
>>>>> +coeff=INTEGER:0xDEGEN_COEFF"""
>>>>> +        f.write(degen_temp)
>>>>> +
>>>>> +
>>>>> +def gen_template():
>>>>> +    """Generate x509 Template"""
>>>>> +    with open("x509-template.txt", "w+", encoding='utf-8') as f:
>>>>> +        x509template = """
>>>>> +[ req ]
>>>>> +distinguished_name     = req_distinguished_name
>>>>> +x509_extensions        = v3_ca
>>>>> +prompt                 = no
>>>>> +dirstring_type         = nobmp
>>>>> +
>>>>> +[ req_distinguished_name ]
>>>>> +C                      = US
>>>>> +ST                     = TX
>>>>> +L                      = Dallas
>>>>> +O                      = Texas Instruments Incorporated
>>>>> +OU                     = Processors
>>>>> +CN                     = TI support
>>>>> +emailAddress           = support@ti.com
>>>>> +
>>>>> +[ v3_ca ]
>>>>> +basicConstraints = CA:true
>>>>> +1.3.6.1.4.1.294.1.1 = ASN1:SEQUENCE:boot_seq
>>>>> +1.3.6.1.4.1.294.1.2 = ASN1:SEQUENCE:image_integrity
>>>>> +1.3.6.1.4.1.294.1.3 = ASN1:SEQUENCE:swrv
>>>>> +# 1.3.6.1.4.1.294.1.4 = ASN1:SEQUENCE:encryption
>>>>> +1.3.6.1.4.1.294.1.8 = ASN1:SEQUENCE:debug
>>>>> +
>>>>> +[ boot_seq ]
>>>>> +certType = INTEGER:TEST_CERT_TYPE
>>>>> +bootCore = INTEGER:TEST_BOOT_CORE
>>>>> +bootCoreOpts = INTEGER:TEST_BOOT_CORE_OPTS
>>>>> +destAddr = FORMAT:HEX,OCT:TEST_BOOT_ADDR
>>>>> +imageSize = INTEGER:TEST_IMAGE_LENGTH
>>>>> +
>>>>> +[ image_integrity ]
>>>>> +shaType = OID:2.16.840.1.101.3.4.2.3
>>>>> +shaValue = FORMAT:HEX,OCT:TEST_IMAGE_SHA_VAL
>>>>> +
>>>>> +[ swrv ]
>>>>> +swrv = INTEGER:0
>>>>> +
>>>>> +# [ encryption ]
>>>>> +# initalVector = FORMAT:HEX,OCT:TEST_IMAGE_ENC_IV
>>>>> +# randomString = FORMAT:HEX,OCT:TEST_IMAGE_ENC_RS
>>>>> +# iterationCnt = INTEGER:TEST_IMAGE_KEY_DERIVE_INDEX
>>>>> +# salt = FORMAT:HEX,OCT:TEST_IMAGE_KEY_DERIVE_SALT
>>>>> +
>>>>> +[ debug ]
>>>>> +debugUID = FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000
>>>>> +debugType = INTEGER:TEST_DEBUG_TYPE
>>>>> +coreDbgEn = INTEGER:0
>>>>> +coreDbgSecEn = INTEGER:0"""
>>>>> +        f.write(x509template)
>>>>> +
>>>>> +
>>>>> +def parse_key(inp_key, section):
>>>>> +    parsed_key = ""
>>>>> +    section_true = False
>>>>> +    with open(inp_key, 'r') as file:
>>>>> +        for line in file:
>>>>> +            if section in line:
>>>>> +                section_true = True
>>>>> +            elif section_true:
>>>>> +                if "    " not in line:
>>>>> +                    break
>>>>> +                else:
>>>>> +                    parsed_key += line.replace(":", "").replace("    ", "")
>>>>> +    return parsed_key.replace("\n", "")
>>>>> +
>>>>> +
>>>>> +def gen_degen_key():
>>>>> +    """Generate a 4096 bit RSA key"""
>>>>> +    try:
>>>>> +        # generates 1024 bit PEM encoded RSA key in PKCS#1 format
>>>>> +        private_key = RSA.generate(1024)
>>>>> +        f = open('key.pem', 'wb')
>>>>> +        f.write(private_key.exportKey('PEM'))
>>>>> +        f.close()
>>>>> +    except:
>>>>> +        raise(Exception)
>>>>> +
>>>>> +    try:
>>>>> +        process = Popen(['openssl', 'rsa', '-in', 'key.pem',
>>>>> +                        '-text', '-out', 'key.txt'], stdout=PIPE, stderr=PIPE)
>>>>> +        stdout, stderr = process.communicate()
>>>>> +    except:
>>>>> +        raise(stderr)
>>>>> +
>>>>> +    DEGEN_MODULUS = parse_key("key.txt", "modulus")
>>>>> +    DEGEN_P = parse_key("key.txt", "prime1")
>>>>> +    DEGEN_Q = parse_key("key.txt", "prime2")
>>>>> +    DEGEN_COEFF = parse_key("key.txt", "coefficient")
>>>>> +
>>>>> +    gen_degen_template()
>>>>> +
>>>>> +    with open("degen-template.txt", 'r') as file_input:
>>>>> +        with open("degenerateKey.txt", 'w') as file_output:
>>>>> +            for line in file_input:
>>>>> +                s = line.replace("DEGEN_MODULUS", DEGEN_MODULUS).replace(
>>>>> +                    "DEGEN_P", DEGEN_P).replace("DEGEN_Q", DEGEN_Q).replace("DEGEN_COEFF", DEGEN_COEFF)
>>>>> +                file_output.write(s)
>>>>> +
>>>>> +    try:
>>>>> +        process = Popen(['openssl', 'asn1parse', '-genconf', 'degenerateKey.txt',
>>>>> +                        '-out', 'degenerateKey.der'], stdout=PIPE, stderr=PIPE)
>>>>> +        stdout, stderr = process.communicate()
>>>>> +    except:
>>>>> +        raise(stderr)
>>>>> +
>>>>> +    try:
>>>>> +        process = Popen(['openssl', 'rsa', '-in', 'degenerateKey.der',
>>>>> +                        '-inform', 'DER', '-outform', 'PEM', '-out', rand_key])
>>>>> +        stdout, stderr = process.communicate()
>>>>> +    except:
>>>>> +        raise(stderr)
>>>>> +
>>>>> +
>>>>> +def gen_cert(bin_size, sha_val, cert_type, bootcore_opts, bootcore, addr, debug_type, key):
>>>>> +    with open(temp_x509, "w") as output_file:
>>>>> +        with open("x509-template.txt", "r") as input_file:
>>>>> +            for line in input_file:
>>>>> +                output_file.write(line.replace("TEST_IMAGE_LENGTH", str(bin_size)).replace("TEST_IMAGE_SHA_VAL", sha_val.decode("utf-8")).replace("TEST_CERT_TYPE", str(cert_type)).replace(
>>>>> +                    "TEST_BOOT_CORE_OPTS", str(bootcore_opts)).replace("TEST_BOOT_CORE", str(bootcore)).replace("TEST_BOOT_ADDR", str(addr)).replace("TEST_DEBUG_TYPE", str(debug_type)))
>>>>> +    process = Popen(['openssl', 'req', '-new', '-x509', '-key', key, '-nodes', '-outform',
>>>>> +                    'DER', '-out', cert, '-config', temp_x509, '-sha512'], stdout=PIPE, stderr=PIPE)
>>>>> +    stdout, stderr = process.communicate()
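Review bot: none of the `openssl` invocations has its exit status checked: `gen_cert()` discards the result of `process.communicate()` and `_CreateCertificate()` then reads `certificate.bin` from the current directory, so a failed `openssl req` either surfaces as an unrelated file error or picks up a stale certificate from an earlier run whose hash no longer matches the image. Check `process.returncode` (or use `subprocess.run(..., check=True)`) and write the intermediates into binman's output directory instead of fixed names in the working directory. In `gen_degen_key()` the `except: raise(stderr)` blocks cannot work as intended, because `Popen` does not raise on a non-zero exit and `stderr` is still unbound if `Popen` itself raises; the docstring also says 4096 bit while the code calls `RSA.generate(1024)`. The generated `key.pem`, `key.txt` and `eckey.pem` are left on disk after the run, and the SHA-512 could come from `hashlib` rather than from parsing `openssl dgst` output.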
>>>>> diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py
>>>>> index 5ff294a386..d8ee592250 100644
>>>>> --- a/tools/binman/ftest.py
>>>>> +++ b/tools/binman/ftest.py
>>>>> @@ -96,6 +96,7 @@ ENV_DATA              = b'var1=1\nvar2="2"'
>>>>>    PRE_LOAD_MAGIC        = b'UBSH'
>>>>>    PRE_LOAD_VERSION      = 0x11223344.to_bytes(4, 'big')
>>>>>    PRE_LOAD_HDR_SIZE     = 0x00001000.to_bytes(4, 'big')
>>>>> +X509_DATA             = b'filetobesigned'
>>>>>      # Subdirectory of the input dir to use to put test FDTs
>>>>>    TEST_FDT_SUBDIR       = 'fdts'
>>>>> @@ -200,6 +201,7 @@ class TestFunctional(unittest.TestCase):
>>>>>            TestFunctional._MakeInputFile('fw_dynamic.bin', OPENSBI_DATA)
>>>>>            TestFunctional._MakeInputFile('sysfw.bin', TI_SYSFW_DATA)
>>>>>            TestFunctional._MakeInputFile('scp.bin', SCP_DATA)
>>>>> +        TestFunctional._MakeInputFile('tosign.bin', X509_DATA)
>>>>>              # Add a few .dtb files for testing
>>>>>            TestFunctional._MakeInputFile('%s/test-fdt1.dtb' % TEST_FDT_SUBDIR,
>>>>> @@ -5537,5 +5539,10 @@ fdt         fdtmap                Extract the devicetree blob from the fdtmap
>>>>>            data = self._DoReadFile('232_ti_sysfw.dts')
>>>>>            self.assertEqual(TI_SYSFW_DATA, data[:len(TI_SYSFW_DATA)])
>>>>>    +    def testX509Cert(self):
>>>>> +        """Test an image with the default x509 certificate header"""
>>>>> +        data = self._DoReadFile('232_x509_cert.dts')
>>>>> +        self.assertEqual(X509_DATA, data[938:938 + len(X509_DATA)])
>>>>
>>>> what is 938?
> 
> 938 was the size of the expected x509 certificate to which the data is appended.

And that is not expected to change anytime in future?
If not, then you can use a macro define for that.
If yes, then this solution is not good.

> 
>>>>
>>>> Isn't it easier to just assert that _DoReadFile('232_x509_cert.dts') is greater than len(X509_DATA)?
> Would that test ensure the proper creation of certificate.bin?
> 
No but it would just tell you that something was appended or not and
will not break if certificate size changes.

Your above check was not checking certificate contents either.

>>>>
>>>>> +
>>>>>    if __name__ == "__main__":
>>>>>        unittest.main()
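Review bot: `data[938:938 + len(X509_DATA)]` in `testX509Cert` ties the test to one certificate size, which changes whenever the template's subject fields or extensions, or the key size, change. The certificate is written with `-outform DER`, so the test can read the length of the leading SEQUENCE from the image itself and slice the payload from there, and it should additionally assert that the SHA-512 of `X509_DATA` appears in the certificate so that the `image_integrity` extension is actually covered.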
>>>>> diff --git a/tools/binman/test/232_x509_cert.dts b/tools/binman/test/232_x509_cert.dts
>>>>> new file mode 100644
>>>>> index 0000000000..f768568ca7
>>>>> --- /dev/null
>>>>> +++ b/tools/binman/test/232_x509_cert.dts
>>>>> @@ -0,0 +1,18 @@
>>>>> +// SPDX-License-Identifier: GPL-2.0+
>>>>> +
>>>>> +/dts-v1/;
>>>>> +
>>>>> +/ {
>>>>> +    #address-cells = <1>;
>>>>> +    #size-cells = <1>;
>>>>> +
>>>>> +    binman {
>>>>> +        x509-cert {
>>>>> +            content = <&image>;
>>>>> +        };
>>>>> +
>>>>> +        image: blob-ext {
>>>>> +            filename = "tosign.bin";
>>>>> +        };
>>>>> +    };
>>>>> +};
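Review bot: the new file is numbered 232, but the `ftest.py` context lines in this patch already read `232_ti_sysfw.dts`, so two test inputs share a number; give this one the next free number. The node also exercises only the defaults (no `key-file`, `core` or `load`), so the path that signs with a supplied key and the `core == 16` certificate type are never run by the test.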
>>>>> diff --git a/tools/k3_gen_x509_cert.sh b/tools/k3_gen_x509_cert.sh
>>>>> index 298cec1313..b6ef5a2de3 100755
>>>>> --- a/tools/k3_gen_x509_cert.sh
>>>>> +++ b/tools/k3_gen_x509_cert.sh
>>>>> @@ -109,7 +109,7 @@ gen_degen_key() {
>>>>>        openssl asn1parse -genconf degenerateKey.txt -out degenerateKey.der >>/dev/null 2>&1
>>>>>        openssl rsa -in degenerateKey.der -inform DER -outform PEM -out $RAND_KEY >>/dev/null 2>&1
>>>>>        KEY=$RAND_KEY
>>>>> -    rm key.pem key.txt degen-template.txt degenerateKey.txt degenerateKey.der
>>>>> +    #rm key.pem key.txt degen-template.txt degenerateKey.txt degenerateKey.der
>>>>>    }
>>>>>      declare -A options_help
>>>>> @@ -246,7 +246,7 @@ gen_cert
>>>>>    cat $CERT $BIN > $OUTPUT
>>>>>      # Remove all intermediate files
>>>>> -rm $TEMP_X509 $CERT x509-template.txt
>>>>> -if [ "$KEY" == "$RAND_KEY" ]; then
>>>>> -    rm $RAND_KEY
>>>>> -fi
>>>>> +#rm $TEMP_X509 $CERT x509-template.txt
>>>>> +#if [ "$KEY" == "$RAND_KEY" ]; then
>>>>> +#    rm $RAND_KEY
>>>>> +#fi
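Review bot: with both `rm` blocks commented out, every run of `k3_gen_x509_cert.sh` leaves `key.pem`, `key.txt`, the degenerate-key files and `$RAND_KEY` (private key material) plus `$TEMP_X509`, `$CERT` and `x509-template.txt` behind in the working directory. The Python etype in this patch does not call the script, so nothing here needs those files kept; drop both hunks from the series rather than guarding them.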
>>>>
>>>> Why these changes?
>>>> Maybe you should include them within
>>>> "ifndef CONFIG_BINMAN ... endif" to avoid breaking platforms not using BINMAN.
> 
> These file changes (k3_gen_x509_cert.sh) were not intended to be present in the patch series, sorry for that.
> 


cheers,
-roger
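
The exchange above turns on the hard-coded offset 938. As an added example (not code from the patch or from binman), one way for a test to find the payload without that constant is to read the length of the leading DER SEQUENCE and then check that the payload's SHA-512 appears in the certificate. It assumes the image is the DER certificate followed directly by the payload and that `shaValue` is stored as raw bytes; `make_sample_image` builds a constructed stand-in, not a real X.509 structure.

```python
import hashlib

SEQUENCE = 0x30
OCTET_STRING = 0x04


def der_total_length(data):
    """Return header + content length of the DER SEQUENCE that starts data."""
    if len(data) < 2 or data[0] != SEQUENCE:
        raise ValueError("image does not start with a DER SEQUENCE")
    first = data[1]
    if first < 0x80:                      # short form: length fits in one byte
        header, length = 2, first
    else:                                 # long form: next n bytes hold length
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            raise ValueError("bad or truncated DER length")
        length = int.from_bytes(data[2:2 + n], "big")
        if length < 0x80 or data[2] == 0:
            raise ValueError("non-minimal DER length")
        header = 2 + n
    if header + length > len(data):
        raise ValueError("certificate runs past the end of the image")
    return header + length


def split_signed_image(data):
    """Split certificate || payload without knowing the certificate size."""
    end = der_total_length(data)
    return data[:end], data[end:]


def check_signed_image(data, expected_payload):
    """True if the payload is intact and its SHA-512 is inside the cert."""
    cert, payload = split_signed_image(data)
    if payload != expected_payload:
        return False
    return hashlib.sha512(payload).digest() in cert


def der_encode(tag, content):
    """Minimal DER TLV encoder, used only to build the constructed sample."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + content


def make_sample_image(payload, padding=0):
    """Constructed stand-in for certificate.bin followed by the payload.

    The 'certificate' is a SEQUENCE holding the payload's SHA-512 and
    `padding` filler bytes, so its size can be varied at will.
    """
    digest = hashlib.sha512(payload).digest()
    body = der_encode(OCTET_STRING, digest)
    body += der_encode(OCTET_STRING, bytes(padding))
    return der_encode(SEQUENCE, body) + payload


if __name__ == "__main__":
    X509_DATA = b"filetobesigned"        # same test payload as in the patch
    for pad in (0, 900):
        image = make_sample_image(X509_DATA, pad)
        cert, payload = split_signed_image(image)
        print(len(cert), payload, check_signed_image(image, X509_DATA))
```

The same assertion keeps passing when the certificate grows or shrinks, and it fails when the payload after the certificate does not match the digest inside it.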


* Re: [PATCH RFC v2 11/11] ti: dtsi: j721e: Use binman to package tispl.bin
  2022-06-01 10:42         ` Neha Malcom Francis
@ 2022-06-01 10:55           ` Roger Quadros
  2022-06-01 12:47             ` Andrew Davis
  0 siblings, 1 reply; 36+ messages in thread
From: Roger Quadros @ 2022-06-01 10:55 UTC (permalink / raw)
  To: Neha Malcom Francis, u-boot; +Cc: Alper Nebi Yasak, Andrew F. Davis



On 01/06/2022 13:42, Neha Malcom Francis wrote:
> Hi Roger,
> 
> On 01/06/22 14:53, Roger Quadros wrote:
>> Hi,
>>
>> On 01/06/2022 09:08, Neha Malcom Francis wrote:
>>> Hi Roger,
>>>
>>> On 31/05/22 16:32, Roger Quadros wrote:
>>>>
>>>>
>>>> On 06/05/2022 07:37, Neha Malcom Francis wrote:
>>>>> Explicit make commands were earlier used to generate tispl.bin image,
>>>>> now it is replaced using binman.
>>>>>
>>>>> Binman picks up and packages entries according to the description of
>>>>> entries given in the binman node in the device tree. The make commands
>>>>> that were earlier responsible for generating tispl.bin have been removed.
>>>>>
>>>>> k3-j721e-a72-binman.dtsi has been introduced for A72 specific binman node.
>>>>> It can be included in files that require it like
>>>>> k3-j721e-common-proc-board-u-boot.dtsi.
>>>>>
>>>>> Note that make commands for secure devices have also been removed as
>>>>> focus is on general purpose devices at present time.
>>>>>
>>>>> Signed-off-by: Tarun Sahu <t-sahu@ti.com>
>>>>> [n-francis@ti.com: prepared patch for upstreaming]
>>>>> Signed-off-by: Neha Malcom Francis <n-francis@ti.com>
>>>>> ---
>>>>>    arch/arm/dts/k3-j721e-a72-binman.dtsi         | 86 +++++++++++++++++++
>>>>>    .../k3-j721e-common-proc-board-u-boot.dtsi    |  1 +
>>>>>    arch/arm/mach-k3/config.mk                    | 33 -------
>>>>>    board/ti/j721e/Kconfig                        |  1 +
>>>>>    scripts/Makefile.spl                          |  4 -
>>>>>    5 files changed, 88 insertions(+), 37 deletions(-)
>>>>>    create mode 100644 arch/arm/dts/k3-j721e-a72-binman.dtsi
>>>>>
>>>>> diff --git a/arch/arm/dts/k3-j721e-a72-binman.dtsi b/arch/arm/dts/k3-j721e-a72-binman.dtsi
>>>>> new file mode 100644
>>>>> index 0000000000..beb3424bb9
>>>>> --- /dev/null
>>>>> +++ b/arch/arm/dts/k3-j721e-a72-binman.dtsi
>>>>> @@ -0,0 +1,86 @@
>>>>> +// SPDX-License-Identifier: GPL-2.0+
>>>>> +// Copyright (C) 2022 Texas Instruments Incorporated - https://www.ti.com/
>>>>> +
>>>>> +#include <config.h>
>>>>> +
>>>>> +#ifdef CONFIG_ARM64
>>>>> +/ {
>>>>> +    binman: binman {
>>>>> +        multiple-images;
>>>>> +    };
>>>>> +};
>>>>> +
>>>>> +&binman {
>>>>> +    tispl {
>>>>> +        filename = "tispl.bin";
>>>>> +        fit {
>>>>> +            description = "FIT IMAGE";
>>>>> +            #address-cells = <1>;
>>>>> +            images {
>>>>> +                atf {
>>>>> +                    description = "ARM Trusted Firmware";
>>>>> +                    type = "firmware";
>>>>> +                    arch = "arm64";
>>>>> +                    compression = "none";
>>>>> +                    os = "arm-trusted-firmware";
>>>>> +                    load = <CONFIG_K3_ATF_LOAD_ADDR>;
>>>>> +                    entry = <CONFIG_K3_ATF_LOAD_ADDR>;
>>>>> +                    atf-bl31 {
>>>>> +                    };
>>>>> +                };
>>>>> +                tee {
>>>>> +                    description = "OPTEE";
>>>>> +                    type = "tee";
>>>>> +                    arch = "arm64";
>>>>> +                    compression = "none";
>>>>> +                    os = "tee";
>>>>> +                    load = <0x9e800000>;
>>>>> +                    entry = <0x9e800000>;
>>>>> +                    tee-os {
>>>>> +                    };
>>>>> +                };
>>>>> +                dm {
>>>>> +                    description = "DM binary";
>>>>> +                    type = "firmware";
>>>>> +                    arch = "arm32";
>>>>> +                    compression = "none";
>>>>> +                    os = "DM";
>>>>> +                    load = <0x89000000>;
>>>>> +                    entry = <0x89000000>;
>>>>> +                    ti-dm {
>>>>> +                    };
>>>>> +                };
>>>>> +                spl {
>>>>> +                    description = "SPL (64-bit)";
>>>>> +                    type = "standalone";
>>>>> +                    os = "U-Boot";
>>>>> +                    arch = "arm64";
>>>>> +                    compression = "none";
>>>>> +                    load = <CONFIG_SPL_TEXT_BASE>;
>>>>> +                    entry = <CONFIG_SPL_TEXT_BASE>;
>>>>> +                    u-boot-spl-nodtb {
>>>>> +                    };
>>>>> +                };
>>>>> +                k3-j721e-common-proc-board.dtb {
>>>>> +                    description = "k3-j721e-common-proc-board";
>>>>> +                    type = "flat_dt";
>>>>> +                    arch = "arm";
>>>>> +                    compression = "none";
>>>>> +                    blob-ext {
>>>>> +                    filename = "spl/dts/k3-j721e-common-proc-board.dtb";
>>>>> +                    };
>>>>> +                };
>>>>> +            };
>>>>> +            configurations {
>>>>> +                default = "conf";
>>>>> +                conf {
>>>>> +                    description = "k3-j721e-common-proc-board";
>>>>> +                    firmware = "atf";
>>>>> +                    loadables = "tee", "dm", "spl";
>>>>> +                    fdt = "k3-j721e-common-proc-board.dtb";
>>>>> +                };
>>>>> +            };
>>>>> +        };
>>>>> +    };
>>>>> +};
>>>>> +#endif
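Review bot: the FIT describes exactly one device tree, `spl/dts/k3-j721e-common-proc-board.dtb`, and one configuration, whereas the `cmd_k3_mkits` rule removed from `config.mk` in this patch passed every entry of `CONFIG_SPL_OF_LIST` (falling back to `CONFIG_DEFAULT_DEVICE_TREE`) to `k3_fit_atf.sh`. A configuration with more than one DTB in `CONFIG_SPL_OF_LIST` would get a `tispl.bin` without the additional trees. Either generate the `fdt` nodes from that list or say in the commit message that a multi-DTB `tispl.bin` is not supported yet. The `filename` line inside `blob-ext` is also missing one level of indentation.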
>>>>> diff --git a/arch/arm/dts/k3-j721e-common-proc-board-u-boot.dtsi b/arch/arm/dts/k3-j721e-common-proc-board-u-boot.dtsi
>>>>> index 677a72d2a2..6490d71f7e 100644
>>>>> --- a/arch/arm/dts/k3-j721e-common-proc-board-u-boot.dtsi
>>>>> +++ b/arch/arm/dts/k3-j721e-common-proc-board-u-boot.dtsi
>>>>> @@ -4,6 +4,7 @@
>>>>>     */
>>>>>      #include <dt-bindings/net/ti-dp83867.h>
>>>>> +#include "k3-j721e-a72-binman.dtsi"
>>>>>      / {
>>>>>        chosen {
>>>>> diff --git a/arch/arm/mach-k3/config.mk b/arch/arm/mach-k3/config.mk
>>>>> index 49f80ae79b..e0d9ea97c9 100644
>>>>> --- a/arch/arm/mach-k3/config.mk
>>>>> +++ b/arch/arm/mach-k3/config.mk
>>>>> @@ -52,38 +52,5 @@ ifeq ($(CONFIG_SOC_K3_J721E),)
>>>>>    export DM := /dev/null
>>>>>    endif
>>>>>    -ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
>>>>> -SPL_ITS := u-boot-spl-k3_HS.its
>>>>> -$(SPL_ITS): export IS_HS=1
>>>>> -INPUTS-y    += tispl.bin_HS
>>>>> -else
>>>>> -SPL_ITS := u-boot-spl-k3.its
>>>>> -INPUTS-y    += tispl.bin
>>>>> -endif
>>>>> -
>>>>> -ifeq ($(CONFIG_SPL_OF_LIST),)
>>>>> -LIST_OF_DTB := $(CONFIG_DEFAULT_DEVICE_TREE)
>>>>> -else
>>>>> -LIST_OF_DTB := $(CONFIG_SPL_OF_LIST)
>>>>>    endif
>>>>> -
>>>>> -quiet_cmd_k3_mkits = MKITS   $@
>>>>> -cmd_k3_mkits = \
>>>>> -    $(srctree)/tools/k3_fit_atf.sh \
>>>>> -    $(CONFIG_K3_ATF_LOAD_ADDR) \
>>>>> -    $(patsubst %,$(obj)/dts/%.dtb,$(subst ",,$(LIST_OF_DTB))) > $@
>>>>> -
>>>>> -$(SPL_ITS): FORCE
>>>>> -    $(call cmd,k3_mkits)
>>>>>    endif
>>>>> -
>>>>> -else
>>>>> -
>>>>> -ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
>>>>> -INPUTS-y    += u-boot.img_HS
>>>>> -else
>>>>> -INPUTS-y    += u-boot.img
>>>>> -endif
>>>>> -endif
>>>>> -
>>>>> -include $(srctree)/arch/arm/mach-k3/config_secure.mk
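Review bot: this removes the `CONFIG_TI_SECURE_DEVICE` branches and the `include` of `config_secure.mk` for all K3 builds, so a configuration with `CONFIG_TI_SECURE_DEVICE=y` no longer lists `tispl.bin_HS` or `u-boot.img_HS` in `INPUTS-y`, and nothing visible here makes that build fail. A secure-device build that completes without producing signed images is harder to catch than one that errors out. Keep the block under `ifndef CONFIG_BINMAN`, or make the binman path refuse `CONFIG_TI_SECURE_DEVICE` until HS signing is wired into it.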
>>>>
>>>> You can't yet remove these as all K3 platforms are not converted to use binman.
>>>> Please include them under #ifndef CONFIG_BINMAN...#endif
>>>>
>>>> One more question I have is that how are _HS binaries being created with binman?
>>>>
>>>
>>> I will make the changes accordingly that do not affect any of the other builds. _HS binaries are not being created with binman in this series.
>>>
>>> But there is a patch series that does create HS images (tispl.bin and u-boot.img) using binman for AM64x: https://patchwork.ozlabs.org/project/uboot/patch/20220509072936.12899-4-rogerq@kernel.org/
>>
>> That series still depends on "TI_SECURE_DEV_PKG//scripts/secure-binary-image.sh"
>> to sign the image.
>>
>> Funny thing is that I'm no longer able to download the above package from ti.com
>> to see what it is doing. Any pointers on how to get it?
>>
>> cheers,
>> -roger
>>
> 
> Did you try to access using the browser using https link?
> 
> I am able to access the script by cloning git://git.ti.com/security-development-tools/core-secdev-k3.git
> 

Aha! sure I can access that.
But according to doc/README.ti-secure I should be getting it from
http://www.ti.com/mysecuresoftware
And I couldn't get anything there.

Looks like we need to update the doc to point to the git repo instead?

>>>
>>>>> diff --git a/board/ti/j721e/Kconfig b/board/ti/j721e/Kconfig
>>>>> index a3a9d504ae..3cf05f0d3b 100644
>>>>> --- a/board/ti/j721e/Kconfig
>>>>> +++ b/board/ti/j721e/Kconfig
>>>>> @@ -14,6 +14,7 @@ config TARGET_J721E_A72_EVM
>>>>>        select BOARD_LATE_INIT
>>>>>        imply TI_I2C_BOARD_DETECT
>>>>>        select SYS_DISABLE_DCACHE_OPS
>>>>> +    select BINMAN
>>>>>      config TARGET_J721E_R5_EVM
>>>>>        bool "TI K3 based J721E EVM running on R5"
>>>>> diff --git a/scripts/Makefile.spl b/scripts/Makefile.spl
>>>>> index 6ad82cecfb..5f8a8487c5 100644
>>>>> --- a/scripts/Makefile.spl
>>>>> +++ b/scripts/Makefile.spl
>>>>> @@ -577,7 +577,3 @@ $(obj)/$(SPL_BIN).multidtb.fit.gz: $(obj)/$(SPL_BIN).multidtb.fit
>>>>>    $(obj)/$(SPL_BIN).multidtb.fit.lzo: $(obj)/$(SPL_BIN).multidtb.fit
>>>>>        @lzop -f9 $< > $@
>>>>>    -ifdef CONFIG_ARCH_K3
>>>>> -tispl.bin: $(obj)/u-boot-spl-nodtb.bin $(SHRUNK_ARCH_DTB) $(SPL_ITS) FORCE
>>>>> -    $(call if_changed,mkfitimage)
>>>>> -endif
>>>>
>>>> Please don't remove this but include it under #ifndef CONFIG_BINMAN...#endif
>>>>
>>>> cheers,
>>>> -roger
>>>
> 

cheers,
-roger


* Re: [PATCH RFC v2 11/11] ti: dtsi: j721e: Use binman to package tispl.bin
  2022-06-01 10:55           ` Roger Quadros
@ 2022-06-01 12:47             ` Andrew Davis
  2022-06-03  8:49               ` Roger Quadros
  0 siblings, 1 reply; 36+ messages in thread
From: Andrew Davis @ 2022-06-01 12:47 UTC (permalink / raw)
  To: Roger Quadros, Neha Malcom Francis, u-boot; +Cc: Alper Nebi Yasak

On 6/1/22 5:55 AM, Roger Quadros wrote:
> 
> 
> On 01/06/2022 13:42, Neha Malcom Francis wrote:
>> Hi Roger,
>>
>> On 01/06/22 14:53, Roger Quadros wrote:
>>> Hi,
>>>
>>> On 01/06/2022 09:08, Neha Malcom Francis wrote:
>>>> Hi Roger,
>>>>
>>>> On 31/05/22 16:32, Roger Quadros wrote:
>>>>>
>>>>>
>>>>> On 06/05/2022 07:37, Neha Malcom Francis wrote:
>>>>>> Explicit make commands were earlier used to generate tispl.bin image,
>>>>>> now it is replaced using binman.
>>>>>>
>>>>>> Binman picks up and packages entries according to the description of
>>>>>> entries given in the binman node in the device tree. The make commands
>>>>>> that were earlier responsible for generating tispl.bin have been removed.
>>>>>>
>>>>>> k3-j721e-a72-binman.dtsi has been introduced for A72 specific binman node.
>>>>>> It can be included in files that require it like
>>>>>> k3-j721e-common-proc-board-u-boot.dtsi.
>>>>>>
>>>>>> Note that make commands for secure devices have also been removed as
>>>>>> focus is on general purpose devices at present time.
>>>>>>
>>>>>> Signed-off-by: Tarun Sahu <t-sahu@ti.com>
>>>>>> [n-francis@ti.com: prepared patch for upstreaming]
>>>>>> Signed-off-by: Neha Malcom Francis <n-francis@ti.com>
>>>>>> ---
>>>>>>     arch/arm/dts/k3-j721e-a72-binman.dtsi         | 86 +++++++++++++++++++
>>>>>>     .../k3-j721e-common-proc-board-u-boot.dtsi    |  1 +
>>>>>>     arch/arm/mach-k3/config.mk                    | 33 -------
>>>>>>     board/ti/j721e/Kconfig                        |  1 +
>>>>>>     scripts/Makefile.spl                          |  4 -
>>>>>>     5 files changed, 88 insertions(+), 37 deletions(-)
>>>>>>     create mode 100644 arch/arm/dts/k3-j721e-a72-binman.dtsi
>>>>>>
>>>>>> diff --git a/arch/arm/dts/k3-j721e-a72-binman.dtsi b/arch/arm/dts/k3-j721e-a72-binman.dtsi
>>>>>> new file mode 100644
>>>>>> index 0000000000..beb3424bb9
>>>>>> --- /dev/null
>>>>>> +++ b/arch/arm/dts/k3-j721e-a72-binman.dtsi
>>>>>> @@ -0,0 +1,86 @@
>>>>>> +// SPDX-License-Identifier: GPL-2.0+
>>>>>> +// Copyright (C) 2022 Texas Instruments Incorporated - https://www.ti.com/
>>>>>> +
>>>>>> +#include <config.h>
>>>>>> +
>>>>>> +#ifdef CONFIG_ARM64
>>>>>> +/ {
>>>>>> +    binman: binman {
>>>>>> +        multiple-images;
>>>>>> +    };
>>>>>> +};
>>>>>> +
>>>>>> +&binman {
>>>>>> +    tispl {
>>>>>> +        filename = "tispl.bin";
>>>>>> +        fit {
>>>>>> +            description = "FIT IMAGE";
>>>>>> +            #address-cells = <1>;
>>>>>> +            images {
>>>>>> +                atf {
>>>>>> +                    description = "ARM Trusted Firmware";
>>>>>> +                    type = "firmware";
>>>>>> +                    arch = "arm64";
>>>>>> +                    compression = "none";
>>>>>> +                    os = "arm-trusted-firmware";
>>>>>> +                    load = <CONFIG_K3_ATF_LOAD_ADDR>;
>>>>>> +                    entry = <CONFIG_K3_ATF_LOAD_ADDR>;
>>>>>> +                    atf-bl31 {
>>>>>> +                    };
>>>>>> +                };
>>>>>> +                tee {
>>>>>> +                    description = "OPTEE";
>>>>>> +                    type = "tee";
>>>>>> +                    arch = "arm64";
>>>>>> +                    compression = "none";
>>>>>> +                    os = "tee";
>>>>>> +                    load = <0x9e800000>;
>>>>>> +                    entry = <0x9e800000>;
>>>>>> +                    tee-os {
>>>>>> +                    };
>>>>>> +                };
>>>>>> +                dm {
>>>>>> +                    description = "DM binary";
>>>>>> +                    type = "firmware";
>>>>>> +                    arch = "arm32";
>>>>>> +                    compression = "none";
>>>>>> +                    os = "DM";
>>>>>> +                    load = <0x89000000>;
>>>>>> +                    entry = <0x89000000>;
>>>>>> +                    ti-dm {
>>>>>> +                    };
>>>>>> +                };
>>>>>> +                spl {
>>>>>> +                    description = "SPL (64-bit)";
>>>>>> +                    type = "standalone";
>>>>>> +                    os = "U-Boot";
>>>>>> +                    arch = "arm64";
>>>>>> +                    compression = "none";
>>>>>> +                    load = <CONFIG_SPL_TEXT_BASE>;
>>>>>> +                    entry = <CONFIG_SPL_TEXT_BASE>;
>>>>>> +                    u-boot-spl-nodtb {
>>>>>> +                    };
>>>>>> +                };
>>>>>> +                k3-j721e-common-proc-board.dtb {
>>>>>> +                    description = "k3-j721e-common-proc-board";
>>>>>> +                    type = "flat_dt";
>>>>>> +                    arch = "arm";
>>>>>> +                    compression = "none";
>>>>>> +                    blob-ext {
>>>>>> +                    filename = "spl/dts/k3-j721e-common-proc-board.dtb";
>>>>>> +                    };
>>>>>> +                };
>>>>>> +            };
>>>>>> +            configurations {
>>>>>> +                default = "conf";
>>>>>> +                conf {
>>>>>> +                    description = "k3-j721e-common-proc-board";
>>>>>> +                    firmware = "atf";
>>>>>> +                    loadables = "tee", "dm", "spl";
>>>>>> +                    fdt = "k3-j721e-common-proc-board.dtb";
>>>>>> +                };
>>>>>> +            };
>>>>>> +        };
>>>>>> +    };
>>>>>> +};
>>>>>> +#endif
>>>>>> diff --git a/arch/arm/dts/k3-j721e-common-proc-board-u-boot.dtsi b/arch/arm/dts/k3-j721e-common-proc-board-u-boot.dtsi
>>>>>> index 677a72d2a2..6490d71f7e 100644
>>>>>> --- a/arch/arm/dts/k3-j721e-common-proc-board-u-boot.dtsi
>>>>>> +++ b/arch/arm/dts/k3-j721e-common-proc-board-u-boot.dtsi
>>>>>> @@ -4,6 +4,7 @@
>>>>>>      */
>>>>>>       #include <dt-bindings/net/ti-dp83867.h>
>>>>>> +#include "k3-j721e-a72-binman.dtsi"
>>>>>>       / {
>>>>>>         chosen {
>>>>>> diff --git a/arch/arm/mach-k3/config.mk b/arch/arm/mach-k3/config.mk
>>>>>> index 49f80ae79b..e0d9ea97c9 100644
>>>>>> --- a/arch/arm/mach-k3/config.mk
>>>>>> +++ b/arch/arm/mach-k3/config.mk
>>>>>> @@ -52,38 +52,5 @@ ifeq ($(CONFIG_SOC_K3_J721E),)
>>>>>>     export DM := /dev/null
>>>>>>     endif
>>>>>>     -ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
>>>>>> -SPL_ITS := u-boot-spl-k3_HS.its
>>>>>> -$(SPL_ITS): export IS_HS=1
>>>>>> -INPUTS-y    += tispl.bin_HS
>>>>>> -else
>>>>>> -SPL_ITS := u-boot-spl-k3.its
>>>>>> -INPUTS-y    += tispl.bin
>>>>>> -endif
>>>>>> -
>>>>>> -ifeq ($(CONFIG_SPL_OF_LIST),)
>>>>>> -LIST_OF_DTB := $(CONFIG_DEFAULT_DEVICE_TREE)
>>>>>> -else
>>>>>> -LIST_OF_DTB := $(CONFIG_SPL_OF_LIST)
>>>>>>     endif
>>>>>> -
>>>>>> -quiet_cmd_k3_mkits = MKITS   $@
>>>>>> -cmd_k3_mkits = \
>>>>>> -    $(srctree)/tools/k3_fit_atf.sh \
>>>>>> -    $(CONFIG_K3_ATF_LOAD_ADDR) \
>>>>>> -    $(patsubst %,$(obj)/dts/%.dtb,$(subst ",,$(LIST_OF_DTB))) > $@
>>>>>> -
>>>>>> -$(SPL_ITS): FORCE
>>>>>> -    $(call cmd,k3_mkits)
>>>>>>     endif
>>>>>> -
>>>>>> -else
>>>>>> -
>>>>>> -ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
>>>>>> -INPUTS-y    += u-boot.img_HS
>>>>>> -else
>>>>>> -INPUTS-y    += u-boot.img
>>>>>> -endif
>>>>>> -endif
>>>>>> -
>>>>>> -include $(srctree)/arch/arm/mach-k3/config_secure.mk
>>>>>
>>>>> You can't yet remove these as all K3 platforms are not converted to use binman.
>>>>> Please include them under #ifndef CONFIG_BINMAN...#endif
>>>>>
>>>>> One more question I have is that how are _HS binaries being created with binman?
>>>>>
>>>>
>>>> I will make the changes accordingly that do not affect any of the other builds. _HS binaries are not being created with binman in this series.
>>>>
>>>> But there is a patch series that does create HS images (tispl.bin and u-boot.img) using binman for AM64x: https://patchwork.ozlabs.org/project/uboot/patch/20220509072936.12899-4-rogerq@kernel.org/
>>>
>>> That series still depends on "TI_SECURE_DEV_PKG//scripts/secure-binary-image.sh"
>>> to sign the image.
>>>
>>> Funny thing is that I'm no longer able to download the above package from ti.com
>>> to see what it is doing. Any pointers on how to get it?
>>>
>>> cheers,
>>> -roger
>>>
>>
>> Did you try to access using the browser using https link?
>>
>> I am able to access the script by cloning git://git.ti.com/security-development-tools/core-secdev-k3.git
>>
> 
> Aha! sure I can access that.
> But according to doc/README.ti-secure I should be getting it from
> http://www.ti.com/mysecuresoftware
> And I couldn't get anything there.
> 
> Looks like we need to update the doc to point to the git repo instead?
> 


The mysecuresoftware is for the AM335x-AM57x class devices, that is still
the place to get the tools for those. For K3 forward the git.ti.com is
the right spot. We can add a new doc for K3 devices.

Andrew


>>>>
>>>>>> diff --git a/board/ti/j721e/Kconfig b/board/ti/j721e/Kconfig
>>>>>> index a3a9d504ae..3cf05f0d3b 100644
>>>>>> --- a/board/ti/j721e/Kconfig
>>>>>> +++ b/board/ti/j721e/Kconfig
>>>>>> @@ -14,6 +14,7 @@ config TARGET_J721E_A72_EVM
>>>>>>         select BOARD_LATE_INIT
>>>>>>         imply TI_I2C_BOARD_DETECT
>>>>>>         select SYS_DISABLE_DCACHE_OPS
>>>>>> +    select BINMAN
>>>>>>       config TARGET_J721E_R5_EVM
>>>>>>         bool "TI K3 based J721E EVM running on R5"
>>>>>> diff --git a/scripts/Makefile.spl b/scripts/Makefile.spl
>>>>>> index 6ad82cecfb..5f8a8487c5 100644
>>>>>> --- a/scripts/Makefile.spl
>>>>>> +++ b/scripts/Makefile.spl
>>>>>> @@ -577,7 +577,3 @@ $(obj)/$(SPL_BIN).multidtb.fit.gz: $(obj)/$(SPL_BIN).multidtb.fit
>>>>>>     $(obj)/$(SPL_BIN).multidtb.fit.lzo: $(obj)/$(SPL_BIN).multidtb.fit
>>>>>>         @lzop -f9 $< > $@
>>>>>>     -ifdef CONFIG_ARCH_K3
>>>>>> -tispl.bin: $(obj)/u-boot-spl-nodtb.bin $(SHRUNK_ARCH_DTB) $(SPL_ITS) FORCE
>>>>>> -    $(call if_changed,mkfitimage)
>>>>>> -endif
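
Review bot: the deleted tispl.bin rule is guarded by `ifdef CONFIG_ARCH_K3`, not by the J721E target, so removing it takes the target away from every K3 board, while the Kconfig hunk above adds `select BINMAN` only to TARGET_J721E_A72_EVM. Keep the rule and nest it in `ifndef CONFIG_BINMAN` ... `endif` inside the existing CONFIG_ARCH_K3 block, so boards without a binman node still get tispl.bin from mkfitimage.
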
>>>>>
>>>>> Please don't remove this but include it under #ifndef CONFIG_BINMAN...#endif
>>>>>
>>>>> cheers,
>>>>> -roger
>>>>
>>
> 
> cheers,
> -roger


* Re: [PATCH RFC v2 05/11] ti: etype: x509: Add etype for x509 certificate for K3 devices
  2022-06-01 10:48           ` Roger Quadros
@ 2022-06-02  4:09             ` Neha Malcom Francis
  0 siblings, 0 replies; 36+ messages in thread
From: Neha Malcom Francis @ 2022-06-02  4:09 UTC (permalink / raw)
  To: Roger Quadros, u-boot

Hi Roger,

On 01/06/22 16:18, Roger Quadros wrote:
> Neha,
> 
> On 01/06/2022 12:48, Neha Malcom Francis wrote:
>> Hi Roger,
>>
>> On 01/06/22 14:54, Roger Quadros wrote:
>>>
>>>
>>> On 01/06/2022 09:02, Neha Malcom Francis wrote:
>>>> Hi Roger,
>>>>
>>>> On 31/05/22 14:50, Roger Quadros wrote:
>>>>>
>>>>>
>>>>> On 06/05/2022 07:37, Neha Malcom Francis wrote:
>>>>>> K3 devices x509 certificate added to certain binaries that allows ROM to
>>>>>
>>>>> what binaries?
>>>>>
>>>>>> validate the integrity of the image. Etype that generates an x509
>>>>>> certificate depending on boot flow added.
>>>>>
>>>>> Could you please explain in more detail as to what exactly is happening here.
>>>>>
>>>>> What do you mean by "depending on boot flow"?
>>>>>
>>>>
>>>> I will reformat the commit messages accordingly.
>>>>>>
>>>>>> Signed-off-by: Neha Malcom Francis <n-francis@ti.com>
>>>>>> ---
>>>>>>     tools/binman/entries.rst            |  15 ++
>>>>>>     tools/binman/etype/x509_cert.py     | 248 ++++++++++++++++++++++++++++
>>>>>>     tools/binman/ftest.py               |   7 +
>>>>>>     tools/binman/test/232_x509_cert.dts |  18 ++
>>>>>>     tools/k3_gen_x509_cert.sh           |  10 +-
>>>>>>     5 files changed, 293 insertions(+), 5 deletions(-)
>>>>>>     create mode 100644 tools/binman/etype/x509_cert.py
>>>>>>     create mode 100644 tools/binman/test/232_x509_cert.dts
>>>>>>
>>>>>> diff --git a/tools/binman/entries.rst b/tools/binman/entries.rst
>>>>>> index 0c6d82fce8..dfa281e49f 100644
>>>>>> --- a/tools/binman/entries.rst
>>>>>> +++ b/tools/binman/entries.rst
>>>>>> @@ -1890,6 +1890,21 @@ and kernel are genuine.
>>>>>>         +Entry: x509cert: x509 certificate for K3 devices
>>>>>> +------------------------------------------------
>>>>>> +
>>>>>
>>>>> x509 is a generic standard. Can this be made usable by other vendors as well or
>>>>> is it very specific to TI?
>>>>> If this is TI specific then I'd suggest a "ti-" prefix to the entry name.
>>>>>
>>>>>> +Properties / Entry arguments:
>>>>>> +        - content: Phandle of binary to sign
>>>>>> +        - output: Name of the final output file
>>>>>
>>>>> why do you need output property?
>>>>>
>>>>
>>>> That is not required, I had later changed it to always using certificate.bin. Will make the necessary changes.
>>>>
>>>>>> +        - key_file: File with key inside it. If not provided, script generates RSA degenerate key
>>>>>> +        - core: Target core ID on which image would be running
>>>>>> +        - load: Target load address of the binary in hex
>>>>>> +
>>>>>> +    Output files:
>>>>>> +        - certificate.bin: Signed certificate binary
>>>>>> +
>>>>>> +
>>>>>> +
>>>>>>     Entry: x86-reset16: x86 16-bit reset code for U-Boot
>>>>>>     ----------------------------------------------------
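
Review bot: the property list in this entry does not match what the etype reads. It documents `key_file` and `output`, while x509_cert.py looks up 'key-file' and never reads an output property, and the heading says x509cert where the node in the test file is x509-cert. The text should also state what the fallback means: the degenerate-key template sets pubExp and privExp to 1, so a certificate signed with it carries the image hash but does not authenticate it. "RSA degenerate key" alone does not tell the reader that.
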
>>>>>>     diff --git a/tools/binman/etype/x509_cert.py b/tools/binman/etype/x509_cert.py
>>>>>> new file mode 100644
>>>>>> index 0000000000..0009973155
>>>>>> --- /dev/null
>>>>>> +++ b/tools/binman/etype/x509_cert.py
>>>>>> @@ -0,0 +1,248 @@
>>>>>> +# SPDX-License-Identifier: GPL-2.0+
>>>>>> +# Copyright (c) 2018 Google, Inc
>>>>>> +# Written by Simon Glass <sjg@chromium.org>
>>>>>> +#
>>>>>> +
>>>>>> +# Support for a x509 certificate for signing K3 devices
>>>>>> +
>>>>>> +import os
>>>>>> +from collections import OrderedDict
>>>>>> +from subprocess import Popen, PIPE
>>>>>> +from sys import stderr, stdout
>>>>>> +
>>>>>> +import asn1
>>>>>> +from Crypto.PublicKey import RSA
>>>>>> +from cryptography.hazmat.backends import default_backend
>>>>>> +from cryptography.hazmat.primitives import serialization
>>>>>> +
>>>>>> +from binman.etype.collection import Entry_collection
>>>>>> +from dtoc import fdt_util
>>>>>> +from patman import tools
>>>>>> +
>>>>>> +temp_x509 = "x509-temp.cert"
>>>>>> +cert = "certificate.bin"
>>>>>> +rand_key = "eckey.pem"
>>>>>> +bootcore_opts = 0
>>>>>> +bootcore = 0
>>>>>> +debug_type = 0
>>>>>> +
>>>>>> +
>>>>>> +class Entry_x509_cert(Entry_collection):
>>>>>> +    """ An entry which contains a x509 certificate
>>>>>> +
>>>>>> +    Properties / Entry arguments:
>>>>>> +        - content: Phandle of binary to sign
>>>>>> +        - key_file: File with key inside it. If not provided, script generates RSA degenerate key
>>>>>> +        - core: Target core ID on which image would be running
>>>>>> +        - load: Target load address of the binary in hex
>>>>>> +
>>>>>> +    Output files:
>>>>>> +        - certificate.bin: Signed certificate binary"""
>>>>>> +
>>>>>> +    def __init__(self, section, etype, node):
>>>>>> +        super().__init__(section, etype, node)
>>>>>> +        self.key_file = fdt_util.GetString(self._node, 'key-file', "")
>>>>>> +        self.core = fdt_util.GetInt(self._node, 'core', 0)
>>>>>> +        self.load_addr = fdt_util.GetInt(self._node, 'load', 0x41c00000)
>>>>>> +
>>>>>> +    def ReadNode(self):
>>>>>> +        super().ReadNode()
>>>>>> +        if self.key_file == "":
>>>>>> +            self.degen_key = True
>>>>>> +        else:
>>>>>> +            self.degen_key = False
>>>>>> +
>>>>>> +    def _CreateCertificate(self):
>>>>>> +        """Create certificate for legacy boot flow"""
>>>>>> +        if self.degen_key == True:
>>>>>> +            gen_degen_key()
>>>>>> +            self.key_file = rand_key
>>>>>> +
>>>>>> +        sha_val = get_sha_val("intermediate-sysfw.bin")
>>>>>> +        bin_size = get_file_size("intermediate-sysfw.bin")
>>>>>> +        addr = "%08x" % self.load_addr
>>>>>> +        if self.core == 0:
>>>>>> +            cert_type = 2
>>>>>> +        elif self.core == 16:
>>>>>> +            cert_type = 1
>>>>>> +        else:
>>>>>> +            cert_type = 2
>>>>>> +        debug_type = 0
>>>>>> +
>>>>>> +        gen_template()
>>>>>> +        gen_cert(bin_size, sha_val, cert_type, bootcore_opts,
>>>>>> +                 self.core, addr, debug_type, self.key_file)
>>>>>> +
>>>>>> +        return tools.read_file("certificate.bin")
>>>>>> +
>>>>>> +    def ObtainContents(self):
>>>>>> +        self.image = self.GetContents(False)
>>>>>> +        if self.image is None:
>>>>>> +            return False
>>>>>> +        f = open("intermediate-sysfw.bin", "wb")
>>>>>> +        f.write(self.image)
>>>>>> +        f.close()
>>>>>> +        self.SetContents(self._CreateCertificate())
>>>>>> +        return True
>>>>>> +
>>>>>> +    def ProcessContents(self):
>>>>>> +        data = self._CreateCertificate()
>>>>>> +        return self.ProcessContentsUpdate(data)
>>>>>
>>>>> Why do you need _CreateCertificate() and ProcessContents()?
>>>>> Just have one ObtainContents() and try to get rid of all the intermediate files.
>>>>>
>>>>
>>>> I used etype/vblock.py as a reference. I will clean up this etype further.
>>>>
>>>
>>> There were some more comments below, in case you missed them.
>> Thanks!
>>
>>>
>>>>>> +
>>>>>> +
>>>>>> +def get_sha_val(binary_file):
>>>>>> +    process = Popen(['openssl', 'dgst', '-sha512', '-hex',
>>>>>> +                    binary_file], stdout=PIPE, stderr=PIPE)
>>>>>> +    stdout, stderr = process.communicate()
>>>>>> +    sha_val = stdout.split()[1]
>>>>>> +    return sha_val
>>>>>> +
>>>>>> +
>>>>>> +def get_file_size(binary_file):
>>>>>> +    return os.path.getsize(binary_file)
>>>>>> +
>>>>>> +
>>>>>> +def gen_degen_template():
>>>>>> +    with open("degen-template.txt", 'w+', encoding='utf-8') as f:
>>>>>> +        degen_temp = """
>>>>>> +asn1=SEQUENCE:rsa_key
>>>>>> +
>>>>>> +[rsa_key]
>>>>>> +version=INTEGER:0
>>>>>> +modulus=INTEGER:0xDEGEN_MODULUS
>>>>>> +pubExp=INTEGER:1
>>>>>> +privExp=INTEGER:1
>>>>>> +p=INTEGER:0xDEGEN_P
>>>>>> +q=INTEGER:0xDEGEN_Q
>>>>>> +e1=INTEGER:1
>>>>>> +e2=INTEGER:1
>>>>>> +coeff=INTEGER:0xDEGEN_COEFF"""
>>>>>> +        f.write(degen_temp)
>>>>>> +
>>>>>> +
>>>>>> +def gen_template():
>>>>>> +    """Generate x509 Template"""
>>>>>> +    with open("x509-template.txt", "w+", encoding='utf-8') as f:
>>>>>> +        x509template = """
>>>>>> +[ req ]
>>>>>> +distinguished_name     = req_distinguished_name
>>>>>> +x509_extensions        = v3_ca
>>>>>> +prompt                 = no
>>>>>> +dirstring_type         = nobmp
>>>>>> +
>>>>>> +[ req_distinguished_name ]
>>>>>> +C                      = US
>>>>>> +ST                     = TX
>>>>>> +L                      = Dallas
>>>>>> +O                      = Texas Instruments Incorporated
>>>>>> +OU                     = Processors
>>>>>> +CN                     = TI support
>>>>>> +emailAddress           = support@ti.com
>>>>>> +
>>>>>> +[ v3_ca ]
>>>>>> +basicConstraints = CA:true
>>>>>> +1.3.6.1.4.1.294.1.1 = ASN1:SEQUENCE:boot_seq
>>>>>> +1.3.6.1.4.1.294.1.2 = ASN1:SEQUENCE:image_integrity
>>>>>> +1.3.6.1.4.1.294.1.3 = ASN1:SEQUENCE:swrv
>>>>>> +# 1.3.6.1.4.1.294.1.4 = ASN1:SEQUENCE:encryption
>>>>>> +1.3.6.1.4.1.294.1.8 = ASN1:SEQUENCE:debug
>>>>>> +
>>>>>> +[ boot_seq ]
>>>>>> +certType = INTEGER:TEST_CERT_TYPE
>>>>>> +bootCore = INTEGER:TEST_BOOT_CORE
>>>>>> +bootCoreOpts = INTEGER:TEST_BOOT_CORE_OPTS
>>>>>> +destAddr = FORMAT:HEX,OCT:TEST_BOOT_ADDR
>>>>>> +imageSize = INTEGER:TEST_IMAGE_LENGTH
>>>>>> +
>>>>>> +[ image_integrity ]
>>>>>> +shaType = OID:2.16.840.1.101.3.4.2.3
>>>>>> +shaValue = FORMAT:HEX,OCT:TEST_IMAGE_SHA_VAL
>>>>>> +
>>>>>> +[ swrv ]
>>>>>> +swrv = INTEGER:0
>>>>>> +
>>>>>> +# [ encryption ]
>>>>>> +# initalVector = FORMAT:HEX,OCT:TEST_IMAGE_ENC_IV
>>>>>> +# randomString = FORMAT:HEX,OCT:TEST_IMAGE_ENC_RS
>>>>>> +# iterationCnt = INTEGER:TEST_IMAGE_KEY_DERIVE_INDEX
>>>>>> +# salt = FORMAT:HEX,OCT:TEST_IMAGE_KEY_DERIVE_SALT
>>>>>> +
>>>>>> +[ debug ]
>>>>>> +debugUID = FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000
>>>>>> +debugType = INTEGER:TEST_DEBUG_TYPE
>>>>>> +coreDbgEn = INTEGER:0
>>>>>> +coreDbgSecEn = INTEGER:0"""
>>>>>> +        f.write(x509template)
>>>>>> +
>>>>>> +
>>>>>> +def parse_key(inp_key, section):
>>>>>> +    parsed_key = ""
>>>>>> +    section_true = False
>>>>>> +    with open(inp_key, 'r') as file:
>>>>>> +        for line in file:
>>>>>> +            if section in line:
>>>>>> +                section_true = True
>>>>>> +            elif section_true:
>>>>>> +                if "    " not in line:
>>>>>> +                    break
>>>>>> +                else:
>>>>>> +                    parsed_key += line.replace(":", "").replace("    ", "")
>>>>>> +    return parsed_key.replace("\n", "")
>>>>>> +
>>>>>> +
>>>>>> +def gen_degen_key():
>>>>>> +    """Generate a 4096 bit RSA key"""
>>>>>> +    try:
>>>>>> +        # generates 1024 bit PEM encoded RSA key in PKCS#1 format
>>>>>> +        private_key = RSA.generate(1024)
>>>>>> +        f = open('key.pem', 'wb')
>>>>>> +        f.write(private_key.exportKey('PEM'))
>>>>>> +        f.close()
>>>>>> +    except:
>>>>>> +        raise(Exception)
>>>>>> +
>>>>>> +    try:
>>>>>> +        process = Popen(['openssl', 'rsa', '-in', 'key.pem',
>>>>>> +                        '-text', '-out', 'key.txt'], stdout=PIPE, stderr=PIPE)
>>>>>> +        stdout, stderr = process.communicate()
>>>>>> +    except:
>>>>>> +        raise(stderr)
>>>>>> +
>>>>>> +    DEGEN_MODULUS = parse_key("key.txt", "modulus")
>>>>>> +    DEGEN_P = parse_key("key.txt", "prime1")
>>>>>> +    DEGEN_Q = parse_key("key.txt", "prime2")
>>>>>> +    DEGEN_COEFF = parse_key("key.txt", "coefficient")
>>>>>> +
>>>>>> +    gen_degen_template()
>>>>>> +
>>>>>> +    with open("degen-template.txt", 'r') as file_input:
>>>>>> +        with open("degenerateKey.txt", 'w') as file_output:
>>>>>> +            for line in file_input:
>>>>>> +                s = line.replace("DEGEN_MODULUS", DEGEN_MODULUS).replace(
>>>>>> +                    "DEGEN_P", DEGEN_P).replace("DEGEN_Q", DEGEN_Q).replace("DEGEN_COEFF", DEGEN_COEFF)
>>>>>> +                file_output.write(s)
>>>>>> +
>>>>>> +    try:
>>>>>> +        process = Popen(['openssl', 'asn1parse', '-genconf', 'degenerateKey.txt',
>>>>>> +                        '-out', 'degenerateKey.der'], stdout=PIPE, stderr=PIPE)
>>>>>> +        stdout, stderr = process.communicate()
>>>>>> +    except:
>>>>>> +        raise(stderr)
>>>>>> +
>>>>>> +    try:
>>>>>> +        process = Popen(['openssl', 'rsa', '-in', 'degenerateKey.der',
>>>>>> +                        '-inform', 'DER', '-outform', 'PEM', '-out', rand_key])
>>>>>> +        stdout, stderr = process.communicate()
>>>>>> +    except:
>>>>>> +        raise(stderr)
>>>>>> +
>>>>>> +
>>>>>> +def gen_cert(bin_size, sha_val, cert_type, bootcore_opts, bootcore, addr, debug_type, key):
>>>>>> +    with open(temp_x509, "w") as output_file:
>>>>>> +        with open("x509-template.txt", "r") as input_file:
>>>>>> +            for line in input_file:
>>>>>> +                output_file.write(line.replace("TEST_IMAGE_LENGTH", str(bin_size)).replace("TEST_IMAGE_SHA_VAL", sha_val.decode("utf-8")).replace("TEST_CERT_TYPE", str(cert_type)).replace(
>>>>>> +                    "TEST_BOOT_CORE_OPTS", str(bootcore_opts)).replace("TEST_BOOT_CORE", str(bootcore)).replace("TEST_BOOT_ADDR", str(addr)).replace("TEST_DEBUG_TYPE", str(debug_type)))
>>>>>> +    process = Popen(['openssl', 'req', '-new', '-x509', '-key', key, '-nodes', '-outform',
>>>>>> +                    'DER', '-out', cert, '-config', temp_x509, '-sha512'], stdout=PIPE, stderr=PIPE)
>>>>>> +    stdout, stderr = process.communicate()
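
Review bot: none of the openssl calls in get_sha_val(), gen_degen_key() and gen_cert() checks process.returncode, so when openssl fails, _CreateCertificate() still goes on to tools.read_file("certificate.bin") and packages whatever file is there, or get_sha_val() dies on stdout.split()[1] with an IndexError. The `except: raise(stderr)` blocks do not cover this: Popen raises only when the binary cannot be started, and at that point the local stderr is either unassigned or a bytes object, neither of which can be raised. Check the return code and raise an exception that includes the captured stderr. Other points in this file: ProcessContents() re-runs _CreateCertificate() against intermediate-sysfw.bin, which by then holds the data of whichever x509-cert entry wrote it last; key.pem, key.txt and eckey.pem are written with fixed names into the current directory and never removed, which leaves private key material behind; gen_degen_key()'s docstring says 4096 bit while RSA.generate(1024) is called; the `self.core == 0` branch and the else branch both set cert_type = 2; asn1, OrderedDict and the cryptography imports are unused; and the copyright header looks carried over from the reference etype.
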
>>>>>> diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py
>>>>>> index 5ff294a386..d8ee592250 100644
>>>>>> --- a/tools/binman/ftest.py
>>>>>> +++ b/tools/binman/ftest.py
>>>>>> @@ -96,6 +96,7 @@ ENV_DATA              = b'var1=1\nvar2="2"'
>>>>>>     PRE_LOAD_MAGIC        = b'UBSH'
>>>>>>     PRE_LOAD_VERSION      = 0x11223344.to_bytes(4, 'big')
>>>>>>     PRE_LOAD_HDR_SIZE     = 0x00001000.to_bytes(4, 'big')
>>>>>> +X509_DATA             = b'filetobesigned'
>>>>>>       # Subdirectory of the input dir to use to put test FDTs
>>>>>>     TEST_FDT_SUBDIR       = 'fdts'
>>>>>> @@ -200,6 +201,7 @@ class TestFunctional(unittest.TestCase):
>>>>>>             TestFunctional._MakeInputFile('fw_dynamic.bin', OPENSBI_DATA)
>>>>>>             TestFunctional._MakeInputFile('sysfw.bin', TI_SYSFW_DATA)
>>>>>>             TestFunctional._MakeInputFile('scp.bin', SCP_DATA)
>>>>>> +        TestFunctional._MakeInputFile('tosign.bin', X509_DATA)
>>>>>>               # Add a few .dtb files for testing
>>>>>>             TestFunctional._MakeInputFile('%s/test-fdt1.dtb' % TEST_FDT_SUBDIR,
>>>>>> @@ -5537,5 +5539,10 @@ fdt         fdtmap                Extract the devicetree blob from the fdtmap
>>>>>>             data = self._DoReadFile('232_ti_sysfw.dts')
>>>>>>             self.assertEqual(TI_SYSFW_DATA, data[:len(TI_SYSFW_DATA)])
>>>>>>     +    def testX509Cert(self):
>>>>>> +        """Test an image with the default x509 certificate header"""
>>>>>> +        data = self._DoReadFile('232_x509_cert.dts')
>>>>>> +        self.assertEqual(X509_DATA, data[938:938 + len(X509_DATA)])
>>>>>
>>>>> what is 938?
>>
>> 938 was the size of the expected x509 certificate to which the data is appended.
> 
> And that is not expected to change anytime in future?
> If not, then you can use a macro define for that.
> If yes, then this solution is not good.
> 

Right, I'll make changes to the testing.

>>
>>>>>
>>>>> Isn't it easier to just assert that _DoReadFile('232_x509_cert.dts') is greater than len(X509_DATA)?
>> Would that test ensure the proper creation of certificate.bin?
>>
> No but it would just tell you that something was appended or not and
> will not break if certificate size changes.
> 
> Your above check was not checking certificate contents either.
> 

I'm not sure about where to draw the line to test the contents of the 
certificate, I'll ask around about that. If you have any suggestions 
please let me know. I will definitely add that test to check whether 
anything was appended or not for now.

>>>>>
>>>>>> +
>>>>>>     if __name__ == "__main__":
>>>>>>         unittest.main()
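
Review bot: the assertion in testX509Cert() depends on the certificate being exactly 938 bytes and says nothing about its contents. The certificate is a DER SEQUENCE, so the test can read its length from the header instead of hard-coding it, and can then compare the shaValue and imageSize fields with the SHA-512 digest and length of X509_DATA. Separately, 232_x509_cert.dts reuses the number of 232_ti_sysfw.dts visible in the context line above; take the next free number.
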
>>>>>> diff --git a/tools/binman/test/232_x509_cert.dts b/tools/binman/test/232_x509_cert.dts
>>>>>> new file mode 100644
>>>>>> index 0000000000..f768568ca7
>>>>>> --- /dev/null
>>>>>> +++ b/tools/binman/test/232_x509_cert.dts
>>>>>> @@ -0,0 +1,18 @@
>>>>>> +// SPDX-License-Identifier: GPL-2.0+
>>>>>> +
>>>>>> +/dts-v1/;
>>>>>> +
>>>>>> +/ {
>>>>>> +    #address-cells = <1>;
>>>>>> +    #size-cells = <1>;
>>>>>> +
>>>>>> +    binman {
>>>>>> +        x509-cert {
>>>>>> +            content = <&image>;
>>>>>> +        };
>>>>>> +
>>>>>> +        image: blob-ext {
>>>>>> +            filename = "tosign.bin";
>>>>>> +        };
>>>>>> +    };
>>>>>> +};
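
Review bot: the x509-cert node sets only `content`, so the test covers just the defaults (degenerate key, core 0, load 0x41c00000) and never exercises key-file, core or load. Add a second node or test file that passes a key-file and core = <16>, since 16 is the only value that selects cert_type 1 in _CreateCertificate().
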
>>>>>> diff --git a/tools/k3_gen_x509_cert.sh b/tools/k3_gen_x509_cert.sh
>>>>>> index 298cec1313..b6ef5a2de3 100755
>>>>>> --- a/tools/k3_gen_x509_cert.sh
>>>>>> +++ b/tools/k3_gen_x509_cert.sh
>>>>>> @@ -109,7 +109,7 @@ gen_degen_key() {
>>>>>>         openssl asn1parse -genconf degenerateKey.txt -out degenerateKey.der >>/dev/null 2>&1
>>>>>>         openssl rsa -in degenerateKey.der -inform DER -outform PEM -out $RAND_KEY >>/dev/null 2>&1
>>>>>>         KEY=$RAND_KEY
>>>>>> -    rm key.pem key.txt degen-template.txt degenerateKey.txt degenerateKey.der
>>>>>> +    #rm key.pem key.txt degen-template.txt degenerateKey.txt degenerateKey.der
>>>>>>     }
>>>>>>       declare -A options_help
>>>>>> @@ -246,7 +246,7 @@ gen_cert
>>>>>>     cat $CERT $BIN > $OUTPUT
>>>>>>       # Remove all intermediate files
>>>>>> -rm $TEMP_X509 $CERT x509-template.txt
>>>>>> -if [ "$KEY" == "$RAND_KEY" ]; then
>>>>>> -    rm $RAND_KEY
>>>>>> -fi
>>>>>> +#rm $TEMP_X509 $CERT x509-template.txt
>>>>>> +#if [ "$KEY" == "$RAND_KEY" ]; then
>>>>>> +#    rm $RAND_KEY
>>>>>> +#fi
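
Review bot: commenting out the cleanup at the end of the script leaves $TEMP_X509, $CERT, x509-template.txt and, when the generated key is used, $RAND_KEY in the working directory after every run, for every caller of the script and not only binman. The same applies to the `rm` commented out in gen_degen_key() above, which leaves key.pem behind. The Python etype writes its own copies of these files, so drop both hunks; if the change is really wanted, delete the lines rather than leaving them as `#` comments.
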
>>>>>
>>>>> Why these changes?
>>>>> Maybe you should include them within
>>>>> "ifndef CONFIG_BINMAN ... endif" to avoid breaking platforms not using BINMAN.
>>
>> These file changes (k3_gen_x509_cert.sh) were not intended to be present in the patch series, sorry for that.
>>
> 
> 
> cheers,
> -roger

-- 
Thanking You
Neha Malcom Francis
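
The question left open above, how far a test should go in checking the certificate, can be answered without hard-coding 938. The following is an added example, not code from the patch or from binman: it assumes the cert || payload layout implied by the test's `data[938:]` slice, takes the extension OIDs and field order from the patch's x509 template, and uses hypothetical helper names plus a constructed stand-in for the certificate.

```python
import hashlib

# DER content octets of the OIDs used by the x509 template in the quoted patch.
OID_BOOT_SEQ = bytes.fromhex("2b0601040182260101")         # 1.3.6.1.4.1.294.1.1
OID_IMAGE_INTEGRITY = bytes.fromhex("2b0601040182260102")  # 1.3.6.1.4.1.294.1.2
OID_SHA512 = bytes.fromhex("608648016503040203")           # 2.16.840.1.101.3.4.2.3
SEQUENCE, OCTET_STRING, OID, INTEGER = 0x30, 0x04, 0x06, 0x02


def read_tlv(buf, pos):
    """Decode the DER element at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length


def children(buf):
    """Return [(tag, value_bytes), ...] for the elements packed in buf."""
    out, pos = [], 0
    while pos < len(buf):
        tag, start, end = read_tlv(buf, pos)
        out.append((tag, buf[start:end]))
        pos = end
    return out


def find_extension(buf, oid):
    """Search for SEQUENCE { OID oid, ..., OCTET STRING } and return the octets."""
    for tag, body in children(buf):
        if not tag & 0x20:  # primitive element, nothing nested inside
            continue
        kids = children(body)
        if (tag == SEQUENCE and len(kids) >= 2 and kids[0] == (OID, oid)
                and kids[-1][0] == OCTET_STRING):
            return kids[-1][1]
        found = find_extension(body, oid)
        if found is not None:
            return found
    return None


def split_signed_image(data):
    """Split cert || payload using the certificate's own outer DER length."""
    tag, _, end = read_tlv(data, 0)
    if tag != SEQUENCE:
        raise ValueError("image does not start with a DER SEQUENCE")
    return data[:end], data[end:]


def check_signed_image(data):
    """Return the payload if the certificate's digest and size fields match it."""
    cert, payload = split_signed_image(data)
    integrity = find_extension(cert, OID_IMAGE_INTEGRITY)
    boot_seq = find_extension(cert, OID_BOOT_SEQ)
    if integrity is None or boot_seq is None:
        raise ValueError("TI extension missing from certificate")
    fields = children(children(integrity)[0][1])            # shaType, shaValue
    image_size = children(children(boot_seq)[0][1])[-1][1]  # last field: imageSize
    if [v for _, v in fields] != [OID_SHA512, hashlib.sha512(payload).digest()]:
        raise ValueError("image_integrity does not match payload")
    if int.from_bytes(image_size, "big") != len(payload):
        raise ValueError("imageSize does not match payload length")
    return payload


def der(tag, body):
    """Minimal DER encoder, used only to build the constructed sample."""
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body


def make_sample(payload):
    """Constructed stand-in with a certificate's nesting; not a real signed certificate."""
    integrity = der(SEQUENCE, der(OID, OID_SHA512)
                    + der(OCTET_STRING, hashlib.sha512(payload).digest()))
    boot_seq = der(SEQUENCE, der(INTEGER, b"\x02") + der(INTEGER, b"\x00") * 2
                   + der(OCTET_STRING, bytes.fromhex("41c00000"))
                   + der(INTEGER, bytes([len(payload)])))  # sample payload < 128 bytes
    exts = der(SEQUENCE, b"".join(
        der(SEQUENCE, der(OID, oid) + der(OCTET_STRING, value))
        for oid, value in ((OID_BOOT_SEQ, boot_seq), (OID_IMAGE_INTEGRITY, integrity))))
    return der(SEQUENCE, der(SEQUENCE, der(0xA3, exts))) + payload
```

This checks that the certificate describes the payload that follows it; it does not verify the certificate's signature, which needs the public key and is a separate test.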


* Re: [PATCH RFC v2 11/11] ti: dtsi: j721e: Use binman to package tispl.bin
  2022-06-01 12:47             ` Andrew Davis
@ 2022-06-03  8:49               ` Roger Quadros
  0 siblings, 0 replies; 36+ messages in thread
From: Roger Quadros @ 2022-06-03  8:49 UTC (permalink / raw)
  To: Andrew Davis, Neha Malcom Francis, u-boot; +Cc: Alper Nebi Yasak



On 01/06/2022 15:47, Andrew Davis wrote:
> On 6/1/22 5:55 AM, Roger Quadros wrote:
>>
>>
>> On 01/06/2022 13:42, Neha Malcom Francis wrote:
>>> Hi Roger,
>>>
>>> On 01/06/22 14:53, Roger Quadros wrote:
>>>> Hi,
>>>>
>>>> On 01/06/2022 09:08, Neha Malcom Francis wrote:
>>>>> Hi Roger,
>>>>>
>>>>> On 31/05/22 16:32, Roger Quadros wrote:
>>>>>>
>>>>>>
>>>>>> On 06/05/2022 07:37, Neha Malcom Francis wrote:
>>>>>>> Explicit make commands were earlier used to generate tispl.bin image,
>>>>>>> now it is replaced using binman.
>>>>>>>
>>>>>>> Binman picks up and packages entries according to the description of
>>>>>>> entries given in the binman node in the device tree. The make commands
>>>>>>> that were earlier responsible for generating tispl.bin has been removed.
>>>>>>>
>>>>>>> k3-j721e-a72-binman.dtsi has been introduced for A72 specific binman node.
>>>>>>> It can be included in files that require it like
>>>>>>> k3-j721e-common-proc-board-u-boot.dtsi.
>>>>>>>
>>>>>>> Note that make commands for secure devices has also been removed as
>>>>>>> focus is on general purpose devices at present time.
>>>>>>>
>>>>>>> Signed-off-by: Tarun Sahu <t-sahu@ti.com>
>>>>>>> [n-francis@ti.com: prepared patch for upstreaming]
>>>>>>> Signed-off-by: Neha Malcom Francis <n-francis@ti.com>
>>>>>>> ---
>>>>>>>     arch/arm/dts/k3-j721e-a72-binman.dtsi         | 86 +++++++++++++++++++
>>>>>>>     .../k3-j721e-common-proc-board-u-boot.dtsi    |  1 +
>>>>>>>     arch/arm/mach-k3/config.mk                    | 33 -------
>>>>>>>     board/ti/j721e/Kconfig                        |  1 +
>>>>>>>     scripts/Makefile.spl                          |  4 -
>>>>>>>     5 files changed, 88 insertions(+), 37 deletions(-)
>>>>>>>     create mode 100644 arch/arm/dts/k3-j721e-a72-binman.dtsi
>>>>>>>
>>>>>>> diff --git a/arch/arm/dts/k3-j721e-a72-binman.dtsi b/arch/arm/dts/k3-j721e-a72-binman.dtsi
>>>>>>> new file mode 100644
>>>>>>> index 0000000000..beb3424bb9
>>>>>>> --- /dev/null
>>>>>>> +++ b/arch/arm/dts/k3-j721e-a72-binman.dtsi
>>>>>>> @@ -0,0 +1,86 @@
>>>>>>> +// SPDX-License-Identifier: GPL-2.0+
>>>>>>> +// Copyright (C) 2022 Texas Instruments Incorporated - https://www.ti.com/
>>>>>>> +
>>>>>>> +#include <config.h>
>>>>>>> +
>>>>>>> +#ifdef CONFIG_ARM64
>>>>>>> +/ {
>>>>>>> +    binman: binman {
>>>>>>> +        multiple-images;
>>>>>>> +    };
>>>>>>> +};
>>>>>>> +
>>>>>>> +&binman {
>>>>>>> +    tispl {
>>>>>>> +        filename = "tispl.bin";
>>>>>>> +        fit {
>>>>>>> +            description = "FIT IMAGE";
>>>>>>> +            #address-cells = <1>;
>>>>>>> +            images {
>>>>>>> +                atf {
>>>>>>> +                    description = "ARM Trusted Firmware";
>>>>>>> +                    type = "firmware";
>>>>>>> +                    arch = "arm64";
>>>>>>> +                    compression = "none";
>>>>>>> +                    os = "arm-trusted-firmware";
>>>>>>> +                    load = <CONFIG_K3_ATF_LOAD_ADDR>;
>>>>>>> +                    entry = <CONFIG_K3_ATF_LOAD_ADDR>;
>>>>>>> +                    atf-bl31 {
>>>>>>> +                    };
>>>>>>> +                };
>>>>>>> +                tee {
>>>>>>> +                    description = "OPTEE";
>>>>>>> +                    type = "tee";
>>>>>>> +                    arch = "arm64";
>>>>>>> +                    compression = "none";
>>>>>>> +                    os = "tee";
>>>>>>> +                    load = <0x9e800000>;
>>>>>>> +                    entry = <0x9e800000>;
>>>>>>> +                    tee-os {
>>>>>>> +                    };
>>>>>>> +                };
>>>>>>> +                dm {
>>>>>>> +                    description = "DM binary";
>>>>>>> +                    type = "firmware";
>>>>>>> +                    arch = "arm32";
>>>>>>> +                    compression = "none";
>>>>>>> +                    os = "DM";
>>>>>>> +                    load = <0x89000000>;
>>>>>>> +                    entry = <0x89000000>;
>>>>>>> +                    ti-dm {
>>>>>>> +                    };
>>>>>>> +                };
>>>>>>> +                spl {
>>>>>>> +                    description = "SPL (64-bit)";
>>>>>>> +                    type = "standalone";
>>>>>>> +                    os = "U-Boot";
>>>>>>> +                    arch = "arm64";
>>>>>>> +                    compression = "none";
>>>>>>> +                    load = <CONFIG_SPL_TEXT_BASE>;
>>>>>>> +                    entry = <CONFIG_SPL_TEXT_BASE>;
>>>>>>> +                    u-boot-spl-nodtb {
>>>>>>> +                    };
>>>>>>> +                };
>>>>>>> +                k3-j721e-common-proc-board.dtb {
>>>>>>> +                    description = "k3-j721e-common-proc-board";
>>>>>>> +                    type = "flat_dt";
>>>>>>> +                    arch = "arm";
>>>>>>> +                    compression = "none";
>>>>>>> +                    blob-ext {
>>>>>>> +                    filename = "spl/dts/k3-j721e-common-proc-board.dtb";
>>>>>>> +                    };
>>>>>>> +                };
>>>>>>> +            };
>>>>>>> +            configurations {
>>>>>>> +                default = "conf";
>>>>>>> +                conf {
>>>>>>> +                    description = "k3-j721e-common-proc-board";
>>>>>>> +                    firmware = "atf";
>>>>>>> +                    loadables = "tee", "dm", "spl";
>>>>>>> +                    fdt = "k3-j721e-common-proc-board.dtb";
>>>>>>> +                };
>>>>>>> +            };
>>>>>>> +        };
>>>>>>> +    };
>>>>>>> +};
>>>>>>> +#endif
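
Review bot: the fdt image node and the configuration hard-code k3-j721e-common-proc-board.dtb, whereas the k3_mkits rule this patch removes from config.mk built the ITS from CONFIG_SPL_OF_LIST (falling back to CONFIG_DEFAULT_DEVICE_TREE), so a build that lists more than one DTB now gets only this one in tispl.bin. binman's FIT entry can generate the per-DTB nodes and configurations from the of-list (`fit,fdt-list` with an `@fdt-SEQ` template), which would keep the old behaviour. Two smaller points: the tee and dm load/entry addresses are literals (0x9e800000, 0x89000000) while atf and spl take theirs from CONFIG_K3_ATF_LOAD_ADDR and CONFIG_SPL_TEXT_BASE, and the `filename` line under blob-ext is not indented relative to its node.
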
>>>>>>> diff --git a/arch/arm/dts/k3-j721e-common-proc-board-u-boot.dtsi b/arch/arm/dts/k3-j721e-common-proc-board-u-boot.dtsi
>>>>>>> index 677a72d2a2..6490d71f7e 100644
>>>>>>> --- a/arch/arm/dts/k3-j721e-common-proc-board-u-boot.dtsi
>>>>>>> +++ b/arch/arm/dts/k3-j721e-common-proc-board-u-boot.dtsi
>>>>>>> @@ -4,6 +4,7 @@
>>>>>>>      */
>>>>>>>       #include <dt-bindings/net/ti-dp83867.h>
>>>>>>> +#include "k3-j721e-a72-binman.dtsi"
>>>>>>>       / {
>>>>>>>         chosen {
>>>>>>> diff --git a/arch/arm/mach-k3/config.mk b/arch/arm/mach-k3/config.mk
>>>>>>> index 49f80ae79b..e0d9ea97c9 100644
>>>>>>> --- a/arch/arm/mach-k3/config.mk
>>>>>>> +++ b/arch/arm/mach-k3/config.mk
>>>>>>> @@ -52,38 +52,5 @@ ifeq ($(CONFIG_SOC_K3_J721E),)
>>>>>>>     export DM := /dev/null
>>>>>>>     endif
>>>>>>>     -ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
>>>>>>> -SPL_ITS := u-boot-spl-k3_HS.its
>>>>>>> -$(SPL_ITS): export IS_HS=1
>>>>>>> -INPUTS-y    += tispl.bin_HS
>>>>>>> -else
>>>>>>> -SPL_ITS := u-boot-spl-k3.its
>>>>>>> -INPUTS-y    += tispl.bin
>>>>>>> -endif
>>>>>>> -
>>>>>>> -ifeq ($(CONFIG_SPL_OF_LIST),)
>>>>>>> -LIST_OF_DTB := $(CONFIG_DEFAULT_DEVICE_TREE)
>>>>>>> -else
>>>>>>> -LIST_OF_DTB := $(CONFIG_SPL_OF_LIST)
>>>>>>>     endif
>>>>>>> -
>>>>>>> -quiet_cmd_k3_mkits = MKITS   $@
>>>>>>> -cmd_k3_mkits = \
>>>>>>> -    $(srctree)/tools/k3_fit_atf.sh \
>>>>>>> -    $(CONFIG_K3_ATF_LOAD_ADDR) \
>>>>>>> -    $(patsubst %,$(obj)/dts/%.dtb,$(subst ",,$(LIST_OF_DTB))) > $@
>>>>>>> -
>>>>>>> -$(SPL_ITS): FORCE
>>>>>>> -    $(call cmd,k3_mkits)
>>>>>>>     endif
>>>>>>> -
>>>>>>> -else
>>>>>>> -
>>>>>>> -ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
>>>>>>> -INPUTS-y    += u-boot.img_HS
>>>>>>> -else
>>>>>>> -INPUTS-y    += u-boot.img
>>>>>>> -endif
>>>>>>> -endif
>>>>>>> -
>>>>>>> -include $(srctree)/arch/arm/mach-k3/config_secure.mk
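
Review bot: besides the mkits rule, this hunk deletes both CONFIG_TI_SECURE_DEVICE branches and the include of config_secure.mk, so with CONFIG_TI_SECURE_DEVICE=y nothing adds tispl.bin_HS or u-boot.img_HS to INPUTS-y any more, and the binman node added in this patch has no signed counterpart. The commit message says secure devices are out of scope for now, which is a reason to leave their build path alone: keep these blocks and skip them only when CONFIG_BINMAN is set.
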
>>>>>>
>>>>>> You can't yet remove these as all K3 platforms are not converted to use binman.
>>>>>> Please include them under #ifndef CONFIG_BINMAN...#endif
>>>>>>
>>>>>> One more question I have is that how are _HS binaries being created with binman?
>>>>>>
>>>>>
>>>>> I will make the changes accordingly that do not affect any of the other builds. _HS binaries are not being created with binman in this series.
>>>>>
>>>>> But there is a patch series that does create HS images (tispl.bin and u-boot.img) using binman for AM64x: https://patchwork.ozlabs.org/project/uboot/patch/20220509072936.12899-4-rogerq@kernel.org/
>>>>
>>>> That series still depends on "TI_SECURE_DEV_PKG//scripts/secure-binary-image.sh"
>>>> to sign the image.
>>>>
>>>> Funny thing is that I'm no longer able to download the above package from ti.com
>>>> to see what it is doing. Any pointers on how to get it?
>>>>
>>>> cheers,
>>>> -roger
>>>>
>>>
>>> Did you try to access using the browser using https link?
>>>
>>> I am able to access the script by cloning git://git.ti.com/security-development-tools/core-secdev-k3.git
>>>
>>
>> Aha! sure I can access that.
>> But according to doc/README.ti-secure I should be getting it from
>> http://www.ti.com/mysecuresoftware
>> And I couldn't get anything there.
>>
>> Looks like we need to update the doc to point to the git repo instead?
>>
> 
> 
> The mysecuresoftware is for the AM335x-AM57x class devices, that is still
> the place to get the tools for those. For K3 forward the git.ti.com is
> the right spot. We can add a new doc for K3 devices.
> 

Understood now. Thanks for the clarification.

cheers,
-roger


Thread overview: 36+ messages
2022-05-06  4:37 [PATCH RFC v2 00/11] Integration of sysfw, tispl and tiboot3 Neha Malcom Francis
2022-05-06  4:37 ` [PATCH RFC v2 01/11] j721e_evm: schema: yaml: Add general schema and J721E board config files Neha Malcom Francis
2022-05-06  4:37 ` [PATCH RFC v2 02/11] ti: tools: config: Add board config class to generate config binaries Neha Malcom Francis
2022-05-06  4:37 ` [PATCH RFC v2 03/11] ti: etype: sysfw: Add entry type for sysfw Neha Malcom Francis
2022-05-31  8:44   ` Roger Quadros
2022-06-01  5:58     ` Neha Malcom Francis
2022-06-01  7:29       ` Neha Malcom Francis
2022-06-01  9:26       ` Roger Quadros
2022-05-06  4:37 ` [PATCH RFC v2 04/11] ti: etype: dm: Add entry type for TI DM Neha Malcom Francis
2022-05-06  4:37 ` [PATCH RFC v2 05/11] ti: etype: x509: Add etype for x509 certificate for K3 devices Neha Malcom Francis
2022-05-31  9:20   ` Roger Quadros
2022-06-01  6:02     ` Neha Malcom Francis
2022-06-01  9:24       ` Roger Quadros
2022-06-01  9:48         ` Neha Malcom Francis
2022-06-01 10:48           ` Roger Quadros
2022-06-02  4:09             ` Neha Malcom Francis
2022-05-06  4:37 ` [PATCH RFC v2 06/11] ti: sysfw: Add support for packaging sysfw.itb Neha Malcom Francis
2022-05-06  4:37 ` [PATCH RFC v2 07/11] ti: tiboot3.bin: Remove tiboot3.bin target from makefile Neha Malcom Francis
2022-05-31 10:51   ` Roger Quadros
2022-05-06  4:37 ` [PATCH RFC v2 08/11] ti: tispl.bin: Removed script that packages tispl.bin Neha Malcom Francis
2022-05-31 10:53   ` Roger Quadros
2022-05-06  4:37 ` [PATCH RFC v2 09/11] ti: x509: Remove shell script used for signing Neha Malcom Francis
2022-05-31 10:54   ` Roger Quadros
2022-05-06  4:37 ` [PATCH RFC v2 10/11] ti: dtsi: j721e: Use binman to package sysfw.itb and tiboot3.bin Neha Malcom Francis
2022-05-06  4:37 ` [PATCH RFC v2 11/11] ti: dtsi: j721e: Use binman to package tispl.bin Neha Malcom Francis
2022-05-31 11:02   ` Roger Quadros
2022-06-01  6:08     ` Neha Malcom Francis
2022-06-01  9:23       ` Roger Quadros
2022-06-01 10:42         ` Neha Malcom Francis
2022-06-01 10:55           ` Roger Quadros
2022-06-01 12:47             ` Andrew Davis
2022-06-03  8:49               ` Roger Quadros
2022-05-10 20:05 ` [PATCH RFC v2 00/11] Integration of sysfw, tispl and tiboot3 Tom Rini
2022-05-11 18:56   ` Alper Nebi Yasak
2022-05-31  8:21 ` Roger Quadros
2022-06-01  5:54   ` Neha Malcom Francis
