* [PATCH v2 1/4] uboot-sign: set load address and entrypoint
@ 2024-01-19 6:19 Jamin Lin
2024-01-19 6:19 ` [PATCH v2 2/4] uboot-sign: Fix to install nonexistent dtb file Jamin Lin
` (2 more replies)
0 siblings, 3 replies; 10+ messages in thread
From: Jamin Lin @ 2024-01-19 6:19 UTC (permalink / raw)
To: openembedded-core
According to the design of uboot-sign.bbclass and kernel-fitimage.bbclass,
both of them use an UBOOT_LOADADDRESS variable to set the load address of
kernel and u-boot image and use an UBOOT_ENTRYPOINT variable to set the entry address of
kernel and u-boot image.
However, users may want to set different load addresses for the u-boot
and kernel images. Therefore, add UBOOT_FIT_UBOOT_LOADADDRESS
and UBOOT_FIT_UBOOT_ENTRYPOINT variables to set the
load address and entry point of the u-boot image, respectively.
The value of UBOOT_FIT_UBOOT_ENTRYPOINT is UBOOT_LOADADDRESS by default.
The value of UBOOT_FIT_UBOOT_ENTRYPOINT is UBOOT_ENTRYPOINT by default.
Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
---
meta/classes-recipe/uboot-sign.bbclass | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass
index ad04c82378..abde0bc61c 100644
--- a/meta/classes-recipe/uboot-sign.bbclass
+++ b/meta/classes-recipe/uboot-sign.bbclass
@@ -88,6 +88,9 @@ UBOOT_FIT_ADDRESS_CELLS ?= "1"
# This is only necessary for determining the signing configuration
KERNEL_PN = "${PREFERRED_PROVIDER_virtual/kernel}"
+UBOOT_FIT_UBOOT_LOADADDRESS ?= "${UBOOT_LOADADDRESS}"
+UBOOT_FIT_UBOOT_ENTRYPOINT ?= "${UBOOT_ENTRYPOINT}"
+
python() {
# We need u-boot-tools-native if we're creating a U-Boot fitImage
sign = d.getVar('UBOOT_SIGN_ENABLE') == '1'
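Review bot: The two new defaults at the top of this hunk carry no comment, while the KERNEL_PN assignment just above them does; add a line saying they set load and entry for the u-boot image node of the U-Boot FIT only, so they are not confused with UBOOT_LOADADDRESS and UBOOT_ENTRYPOINT. The commit message also names UBOOT_FIT_UBOOT_ENTRYPOINT in both of its "by default" sentences; the first should name UBOOT_FIT_UBOOT_LOADADDRESS to match the assignment here.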
@@ -248,8 +251,8 @@ uboot_fitimage_assemble() {
os = "u-boot";
arch = "${UBOOT_ARCH}";
compression = "none";
- load = <${UBOOT_LOADADDRESS}>;
- entry = <${UBOOT_ENTRYPOINT}>;
+ load = <${UBOOT_FIT_UBOOT_LOADADDRESS}>;
+ entry = <${UBOOT_FIT_UBOOT_ENTRYPOINT}>;
EOF
if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
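Review bot: The `load` and `entry` lines of the u-boot node are written into the ITS without checking that the new variables expand to a value; if UBOOT_LOADADDRESS is unset and UBOOT_FIT_UBOOT_LOADADDRESS is not overridden, the heredoc emits `load = <>;`. A guard before the heredoc that fails with a message naming the empty variable would turn this into a clear build error.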
--
2.25.1
* [PATCH v2 2/4] uboot-sign: Fix to install nonexistent dtb file
2024-01-19 6:19 [PATCH v2 1/4] uboot-sign: set load address and entrypoint Jamin Lin
@ 2024-01-19 6:19 ` Jamin Lin
2024-01-19 6:19 ` [PATCH v2 3/4] u-boot-sign:uboot-config: support to verify signed FIT image Jamin Lin
2024-01-19 6:19 ` [PATCH v2 4/4] uboot-sign: support to load optee-os and TFA images Jamin Lin
2 siblings, 0 replies; 10+ messages in thread
From: Jamin Lin @ 2024-01-19 6:19 UTC (permalink / raw)
To: openembedded-core
Add a check that the dtb file exists before installing it.
Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
---
meta/classes-recipe/uboot-sign.bbclass | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass
index abde0bc61c..4b462698f9 100644
--- a/meta/classes-recipe/uboot-sign.bbclass
+++ b/meta/classes-recipe/uboot-sign.bbclass
@@ -318,7 +318,9 @@ EOF
${SPL_MKIMAGE_SIGN_ARGS}
fi
- cp ${SPL_DIR}/${SPL_DTB_BINARY} ${SPL_DIR}/${SPL_DTB_SIGNED}
+ if [ -e "${SPL_DIR}/${SPL_DTB_BINARY}" ]; then
+ cp ${SPL_DIR}/${SPL_DTB_BINARY} ${SPL_DIR}/${SPL_DTB_SIGNED}
+ fi
}
uboot_assemble_fitimage_helper() {
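Review bot: The new `-e` test makes a missing ${SPL_DIR}/${SPL_DTB_BINARY} silent: the copy is skipped and nothing is logged, so a build that expected ${SPL_DTB_SIGNED} to be produced carries on without it. Consider an else branch that warns, or fails when signing is enabled, and quote both arguments of the cp the same way the test quotes its path.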
--
2.25.1
* [PATCH v2 3/4] u-boot-sign:uboot-config: support to verify signed FIT image
2024-01-19 6:19 [PATCH v2 1/4] uboot-sign: set load address and entrypoint Jamin Lin
2024-01-19 6:19 ` [PATCH v2 2/4] uboot-sign: Fix to install nonexistent dtb file Jamin Lin
@ 2024-01-19 6:19 ` Jamin Lin
2024-01-19 6:19 ` [PATCH v2 4/4] uboot-sign: support to load optee-os and TFA images Jamin Lin
2 siblings, 0 replies; 10+ messages in thread
From: Jamin Lin @ 2024-01-19 6:19 UTC (permalink / raw)
To: openembedded-core
It does not verify the signed FIT image of kernel and uboot.
To catch the unexpected errors as far as possible at the build time,
add uboot-fit-check-sign tool which is provided by u-boot to
verify the signed FIT image.
Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
---
meta/classes-recipe/uboot-config.bbclass | 3 +++
meta/classes-recipe/uboot-sign.bbclass | 10 ++++++++++
2 files changed, 13 insertions(+)
diff --git a/meta/classes-recipe/uboot-config.bbclass b/meta/classes-recipe/uboot-config.bbclass
index 9be1d64d3e..0c579e8861 100644
--- a/meta/classes-recipe/uboot-config.bbclass
+++ b/meta/classes-recipe/uboot-config.bbclass
@@ -94,6 +94,9 @@ SPL_MKIMAGE_SIGN_ARGS ?= ""
UBOOT_DTB ?= ""
UBOOT_DTB_BINARY ??= ""
+# uboot-fit_check_sign command
+UBOOT_FIT_CHECK_SIGN ?= "uboot-fit_check_sign"
+
python () {
ubootmachine = d.getVar("UBOOT_MACHINE")
ubootconfigflags = d.getVarFlags('UBOOT_CONFIG')
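Review bot: The comment above UBOOT_FIT_CHECK_SIGN only repeats the command name; say what the tool does and where it comes from (the commit message says it is provided by u-boot). The commit message spells it uboot-fit-check-sign while the default here is uboot-fit_check_sign, so one of the two needs correcting.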
diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass
index 4b462698f9..7a0b8047e4 100644
--- a/meta/classes-recipe/uboot-sign.bbclass
+++ b/meta/classes-recipe/uboot-sign.bbclass
@@ -112,6 +112,10 @@ concat_dtb() {
-K "${UBOOT_DTB_BINARY}" \
-r ${B}/fitImage-linux \
${UBOOT_MKIMAGE_SIGN_ARGS}
+ # Verify the kernel image and u-boot dtb
+ ${UBOOT_FIT_CHECK_SIGN} \
+ -k "${UBOOT_DTB_BINARY}" \
+ -f ${B}/fitImage-linux
cp ${UBOOT_DTB_BINARY} ${UBOOT_DTB_SIGNED}
fi
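Review bot: The check passes `-k "${UBOOT_DTB_BINARY}"`, the same file the preceding mkimage call wrote the key into with `-K`, so it confirms that the signing step is self-consistent rather than that the image verifies against a key kept elsewhere. State that in the comment, and consider appending `|| bbfatal` with a message so a verification failure is reported explicitly. The `-f ${B}/fitImage-linux` argument should also be quoted like the `-k` argument.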
@@ -316,6 +320,12 @@ EOF
-K "${SPL_DIR}/${SPL_DTB_BINARY}" \
-r ${UBOOT_FITIMAGE_BINARY} \
${SPL_MKIMAGE_SIGN_ARGS}
+ #
+ # Verify the U-boot FIT image and SPL dtb
+ #
+ ${UBOOT_FIT_CHECK_SIGN} \
+ -k "${SPL_DIR}/${SPL_DTB_BINARY}" \
+ -f ${UBOOT_FITIMAGE_BINARY}
fi
if [ -e "${SPL_DIR}/${SPL_DTB_BINARY}" ]; then
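Review bot: The verification reads ${SPL_DIR}/${SPL_DTB_BINARY} unconditionally, yet the trailing context line guards the same path with `[ -e ... ]` because the file may not exist. If the dtb can be absent inside this branch, the check needs the same guard or an explicit failure; if it cannot, say so in the comment. The three-line `#` comment block also differs from the single-line comment used for the kernel check in the previous hunk.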
--
2.25.1
* [PATCH v2 4/4] uboot-sign: support to load optee-os and TFA images
2024-01-19 6:19 [PATCH v2 1/4] uboot-sign: set load address and entrypoint Jamin Lin
2024-01-19 6:19 ` [PATCH v2 2/4] uboot-sign: Fix to install nonexistent dtb file Jamin Lin
2024-01-19 6:19 ` [PATCH v2 3/4] u-boot-sign:uboot-config: support to verify signed FIT image Jamin Lin
@ 2024-01-19 6:19 ` Jamin Lin
2024-01-26 17:05 ` [OE-core] " Richard Purdie
2 siblings, 1 reply; 10+ messages in thread
From: Jamin Lin @ 2024-01-19 6:19 UTC (permalink / raw)
To: openembedded-core
Currently, the u-boot FIT image only supports loading the u-boot image.
To support optee-os and trusted-firmware-a, update the ITS file generation
scripts, so users are able to use the u-boot FIT image to load
u-boot, optee-os and trusted-firmware-a images.
Add a variable "UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A" to
enable the trusted-firmware-a image; it is disabled by default.
Add a variable "UBOOT_FIT_OPTEE_OS" to enable the optee-os image;
it is disabled by default.
The generated ITS file looks like the following.
1. Both optee-os and trusted-firmware-a are disabled.
'''
/dts-v1/;

/ {
    images {
        uboot {
        };
        fdt {
        };
    };

    configurations {
        default = "conf";
        conf {
            loadables = "uboot";
            fdt = "fdt";
        };
    };
};
'''

2. Only enable optee-os
'''
/dts-v1/;

/ {
    images {
        uboot {
        };
        fdt {
        };
        optee {
        };
    };

    configurations {
        default = "conf";
        conf {
            firmware = "optee";
            loadables = "uboot";
            fdt = "fdt";
        };
    };
};
'''

3. Both optee-os and trusted-firmware-a are enabled
'''
/dts-v1/;

/ {
    images {
        uboot {
        };
        fdt {
        };
        atf {
        };
        optee {
        };
    };

    configurations {
        default = "conf";
        conf {
            firmware = "atf";
            loadables = "uboot", "optee";
            fdt = "fdt";
        };
    };
};
'''
Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
---
meta/classes-recipe/uboot-sign.bbclass | 91 +++++++++++++++++++++++++-
1 file changed, 90 insertions(+), 1 deletion(-)
diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass
index 7a0b8047e4..d2b1013b93 100644
--- a/meta/classes-recipe/uboot-sign.bbclass
+++ b/meta/classes-recipe/uboot-sign.bbclass
@@ -91,6 +91,18 @@ KERNEL_PN = "${PREFERRED_PROVIDER_virtual/kernel}"
UBOOT_FIT_UBOOT_LOADADDRESS ?= "${UBOOT_LOADADDRESS}"
UBOOT_FIT_UBOOT_ENTRYPOINT ?= "${UBOOT_ENTRYPOINT}"
+# Trusted Firmware-A (TF-A) provides a reference implementation of
+# secure world software for Armv7-A and Armv8-A,
+# including a Secure Monitor executing at Exception Level 3 (EL3)
+# ATF is used as the initial start code on ARMv8-A cores for all K3 platforms
+UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A ?= "0"
+UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_IMAGE ?= "bl31.bin"
+
+# OP-TEE is a Trusted Execution Environment (TEE) designed as
+# companion to a non-secure Linux kernel running on Arm
+UBOOT_FIT_OPTEE_OS ?= "0"
+UBOOT_FIT_OPTEE_OS_IMAGE ?= "tee-raw.bin"
+
python() {
# We need u-boot-tools-native if we're creating a U-Boot fitImage
sign = d.getVar('UBOOT_SIGN_ENABLE') == '1'
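Review bot: Only the enable flags and image file names get defaults in this hunk, but the ITS nodes added later in this patch also expand UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_LOADADDRESS, UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_ENTRYPOINT, UBOOT_FIT_OPTEE_OS_LOADADDRESS and UBOOT_FIT_OPTEE_OS_ENTRYPOINT. Declare them next to these assignments with a comment that they must be set when the corresponding flag is "1". The sentence about K3 platforms in the TF-A comment is platform-specific and reads oddly in a generic class.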
@@ -237,6 +249,20 @@ addtask uboot_generate_rsa_keys before do_uboot_assemble_fitimage after do_compi
# Create a ITS file for the U-boot FIT, for use when
# we want to sign it so that the SPL can verify it
uboot_fitimage_assemble() {
+ conf_loadables="\"uboot\""
+ conf_firmware=""
+
+ if [ "${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A}" = "1" ]; then
+ conf_firmware="\"atf\""
+ if [ "${UBOOT_FIT_OPTEE_OS}" = "1" ]; then
+ conf_loadables="\"uboot\", \"optee\""
+ fi
+ else
+ if [ "${UBOOT_FIT_OPTEE_OS}" = "1" ]; then
+ conf_firmware="\"optee\""
+ fi
+ fi
+
rm -f ${UBOOT_ITS} ${UBOOT_FITIMAGE_BINARY}
# First we create the ITS script
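Review bot: The role assignment at the top of uboot_fitimage_assemble() is undocumented: OP-TEE becomes `firmware` when TF-A is off but moves into `loadables` when TF-A is on. Add a comment stating that rule, since the three resulting layouts are only spelled out in the commit message. The nested if/else could also be flattened with elif.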
@@ -289,13 +315,76 @@ EOF
cat << EOF >> ${UBOOT_ITS}
};
+EOF
+ if [ "${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A}" = "1" ] ; then
+ cat << EOF >> ${UBOOT_ITS}
+ atf {
+ description = "ARM Trusted Firmware-A";
+ data = /incbin/("${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_IMAGE}");
+ type = "firmware";
+ arch = "${UBOOT_ARCH}";
+ os = "arm-trusted-firmware";
+ load = <${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_LOADADDRESS}>;
+ entry = <${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_ENTRYPOINT}>;
+ compression = "none";
+EOF
+
+ if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
+ cat << EOF >> ${UBOOT_ITS}
+ signature {
+ algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}";
+ key-name-hint = "${SPL_SIGN_KEYNAME}";
+ };
+EOF
+ fi
+
+ cat << EOF >> ${UBOOT_ITS}
+ };
+EOF
+ fi
+
+ if [ "${UBOOT_FIT_OPTEE_OS}" = "1" ] ; then
+ cat << EOF >> ${UBOOT_ITS}
+ optee {
+ description = "OPTEE OS Image";
+ data = /incbin/("${UBOOT_FIT_OPTEE_OS_IMAGE}");
+ type = "tee";
+ arch = "${UBOOT_ARCH}";
+ os = "tee";
+ load = <${UBOOT_FIT_OPTEE_OS_LOADADDRESS}>;
+ entry = <${UBOOT_FIT_OPTEE_OS_ENTRYPOINT}>;
+ compression = "none";
+EOF
+
+ if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
+ cat << EOF >> ${UBOOT_ITS}
+ signature {
+ algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}";
+ key-name-hint = "${SPL_SIGN_KEYNAME}";
+ };
+EOF
+ fi
+
+ cat << EOF >> ${UBOOT_ITS}
+ };
+EOF
+ fi
+
+ cat << EOF >> ${UBOOT_ITS}
};
configurations {
default = "conf";
conf {
description = "Boot with signed U-Boot FIT";
- loadables = "uboot";
+EOF
+ if [ -n "${conf_firmware}" ]; then
+ cat << EOF >> ${UBOOT_ITS}
+ firmware = ${conf_firmware};
+EOF
+ fi
+ cat << EOF >> ${UBOOT_ITS}
+ loadables = ${conf_loadables};
fdt = "fdt";
};
};
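Review bot: Neither the atf nor the optee node checks that the file named in `data = /incbin/(...)` exists, and the defaults bl31.bin and tee-raw.bin are bare file names, so a missing or misplaced image surfaces only as a later tool error. Test for both files when the flags are "1" and fail with the variable name in the message. The signature stanza is now repeated verbatim in both nodes; a small helper that appends it would keep the copies from drifting apart.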
--
2.25.1
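One way to give the three ITS layouts from this commit message regression coverage, as an added example that is not part of the patch series or of oe-selftest's fitimage.py. Node and property names come from the listings above; the sample ITS text (including signed `fdt` and `uboot` nodes), the signature values and all function names are constructed for illustration.

```python
import re

# Constructed sample: layout 3 from the commit message (TF-A and OP-TEE enabled)
# with signature nodes added. File names, algo and key hint are made-up values.
SIG = 'signature { algo = "sha256,rsa2048"; key-name-hint = "spl-key"; };'
SAMPLE_ITS = '''
/dts-v1/;
/ {
    images {
        uboot { data = /incbin/("u-boot-nodtb.bin"); @SIG@ };
        fdt   { data = /incbin/("u-boot.dtb"); @SIG@ };
        atf   { data = /incbin/("bl31.bin"); @SIG@ };
        optee { data = /incbin/("tee-raw.bin"); @SIG@ };
    };
    configurations {
        default = "conf";
        conf {
            firmware = "atf";
            loadables = "uboot", "optee";
            fdt = "fdt";
        };
    };
};
'''.replace("@SIG@", SIG)


def block(text, name):
    """Body of the first `name { ... }` node in text, or None if absent."""
    m = re.search(r'(?<![\w-])' + re.escape(name) + r'\s*\{', text)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(text) and depth:
        depth += {'{': 1, '}': -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1] if depth == 0 else None


def children(body):
    """Map each direct child node name to its body."""
    out, depth, name, start = {}, 0, None, 0
    for m in re.finditer(r'([\w-]+)\s*\{|\}', body):
        if m.group(1):
            if depth == 0:
                name, start = m.group(1), m.end()
            depth += 1
        else:
            depth -= 1
            if depth == 0:
                out[name] = body[start:m.start()]
    return out


def prop_strings(body, key):
    """String values of `key = "a", "b";`, or [] when the property is absent."""
    m = re.search(r'(?<![\w-])' + re.escape(key) + r'\s*=\s*([^;]*);', body)
    return re.findall(r'"([^"]*)"', m.group(1)) if m else []


def expected_conf(tfa, optee):
    """Mirror of the selection logic in the patch's uboot_fitimage_assemble()."""
    loadables, firmware = ["uboot"], []
    if tfa:
        firmware = ["atf"]
        if optee:
            loadables = ["uboot", "optee"]
    elif optee:
        firmware = ["optee"]
    return {"firmware": firmware, "loadables": loadables, "fdt": ["fdt"]}


def check_its(text, tfa, optee, signed):
    """Return a list of problems found in an ITS for the given flag settings."""
    problems = []
    images = children(block(text, "images") or "")
    conf = block(block(text, "configurations") or "", "conf") or ""
    want = {"uboot", "fdt"} | ({"atf"} if tfa else set()) | ({"optee"} if optee else set())
    if set(images) != want:
        problems.append(f"images: expected {sorted(want)}, found {sorted(images)}")
    for key, exp in expected_conf(tfa, optee).items():
        got = prop_strings(conf, key)
        if got != exp:
            problems.append(f"conf {key}: expected {exp}, found {got}")
        for ref in got:
            if ref not in images:
                problems.append(f"conf {key} references missing image {ref}")
    if signed:
        # Every image the SPL will load must carry its own signature node.
        for name, body in images.items():
            if "signature" not in children(body):
                problems.append(f"image {name} has no signature node")
    return problems


if __name__ == "__main__":
    print(check_its(SAMPLE_ITS, tfa=True, optee=True, signed=True))
```

The same check applies to the other two layouts by changing the `tfa` and `optee` arguments; it inspects the ITS text only and does not replace running the signature verification tool on the built image.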
* Re: [OE-core] [PATCH v2 4/4] uboot-sign: support to load optee-os and TFA images
2024-01-19 6:19 ` [PATCH v2 4/4] uboot-sign: support to load optee-os and TFA images Jamin Lin
@ 2024-01-26 17:05 ` Richard Purdie
2024-01-31 8:54 ` Jamin Lin
0 siblings, 1 reply; 10+ messages in thread
From: Richard Purdie @ 2024-01-26 17:05 UTC (permalink / raw)
To: jamin_lin, openembedded-core
On Fri, 2024-01-19 at 14:19 +0800, Jamin Lin via lists.openembedded.org
wrote:
> Currently, u-boot FIT image only support to load u-boot image.
> To support optee-os and trusted-firmware-a, update ITS file generation
> scripts, so users are able to use u-boot FIT image to load
> u-boot, optee-os and trusted-firmware-a images
>
> Add a variable "UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A" to
> enable trusted-firmware-a image and it is disable by default.
>
> Add a variable "UBOOT_FIT_OPTEE_OS" to enable optee-os image
> and it is disable by default.
>
> The ITS file creation looks like as following.
> 1. Both optee-os and trusted-firmware-a are disabled.
> '''
> /dts-v1/;
>
> / {
> images {
> uboot {
> };
> fdt {
> };
> };
>
> configurations {
> default = "conf";
> conf {
> loadables = "uboot";
> fdt = "fdt";
> };
> };
> };
> '''
>
> 2. Only enable optee-os
> '''
> /dts-v1/;
>
> / {
> images {
> uboot {
> };
> fdt {
> };
> optee {
> };
> };
>
> configurations {
> default = "conf";
> conf {
> firmware = "optee";
> loadables = "uboot";
> fdt = "fdt";
> };
> };
> };
> '''
>
> 3. Both optee-os and trusted-firmware-a are enabled
> '''
> /dts-v1/;
>
> / {
> images {
> uboot {
> };
> fdt {
> };
> atf {
> };
> optee {
> };
> };
>
> configurations {
> default = "conf";
> conf {
> firmware = "atf";
> loadables = "uboot", "optee";
> fdt = "fdt";
> };
> };
> };
> '''
>
> Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
> ---
> meta/classes-recipe/uboot-sign.bbclass | 91 +++++++++++++++++++++++++-
> 1 file changed, 90 insertions(+), 1 deletion(-)
>
> diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass
> index 7a0b8047e4..d2b1013b93 100644
> --- a/meta/classes-recipe/uboot-sign.bbclass
> +++ b/meta/classes-recipe/uboot-sign.bbclass
> @@ -91,6 +91,18 @@ KERNEL_PN = "${PREFERRED_PROVIDER_virtual/kernel}"
> UBOOT_FIT_UBOOT_LOADADDRESS ?= "${UBOOT_LOADADDRESS}"
> UBOOT_FIT_UBOOT_ENTRYPOINT ?= "${UBOOT_ENTRYPOINT}"
>
> +# Trusted Firmware-A (TF-A) provides a reference implementation of
> +# secure world software for Armv7-A and Armv8-A,
> +# including a Secure Monitor executing at Exception Level 3 (EL3)
> +# ATF is used as the initial start code on ARMv8-A cores for all K3 platforms
> +UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A ?= "0"
> +UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_IMAGE ?= "bl31.bin"
> +
> +# OP-TEE is a Trusted Execution Environment (TEE) designed as
> +# companion to a non-secure Linux kernel running on Arm
> +UBOOT_FIT_OPTEE_OS ?= "0"
> +UBOOT_FIT_OPTEE_OS_IMAGE ?= "tee-raw.bin"
> +
> python() {
> # We need u-boot-tools-native if we're creating a U-Boot fitImage
> sign = d.getVar('UBOOT_SIGN_ENABLE') == '1'
> @@ -237,6 +249,20 @@ addtask uboot_generate_rsa_keys before do_uboot_assemble_fitimage after do_compi
> # Create a ITS file for the U-boot FIT, for use when
> # we want to sign it so that the SPL can verify it
> uboot_fitimage_assemble() {
> + conf_loadables="\"uboot\""
> + conf_firmware=""
> +
> + if [ "${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A}" = "1" ]; then
> + conf_firmware="\"atf\""
> + if [ "${UBOOT_FIT_OPTEE_OS}" = "1" ]; then
> + conf_loadables="\"uboot\", \"optee\""
> + fi
> + else
> + if [ "${UBOOT_FIT_OPTEE_OS}" = "1" ]; then
> + conf_firmware="\"optee\""
> + fi
> + fi
> +
> rm -f ${UBOOT_ITS} ${UBOOT_FITIMAGE_BINARY}
>
> # First we create the ITS script
> @@ -289,13 +315,76 @@ EOF
>
> cat << EOF >> ${UBOOT_ITS}
> };
> +EOF
> + if [ "${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A}" = "1" ] ; then
> + cat << EOF >> ${UBOOT_ITS}
> + atf {
> + description = "ARM Trusted Firmware-A";
> + data = /incbin/("${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_IMAGE}");
> + type = "firmware";
> + arch = "${UBOOT_ARCH}";
> + os = "arm-trusted-firmware";
> + load = <${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_LOADADDRESS}>;
> + entry = <${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_ENTRYPOINT}>;
> + compression = "none";
> +EOF
> +
> + if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
> + cat << EOF >> ${UBOOT_ITS}
> + signature {
> + algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}";
> + key-name-hint = "${SPL_SIGN_KEYNAME}";
> + };
> +EOF
> + fi
> +
> + cat << EOF >> ${UBOOT_ITS}
> + };
> +EOF
> + fi
> +
> + if [ "${UBOOT_FIT_OPTEE_OS}" = "1" ] ; then
> + cat << EOF >> ${UBOOT_ITS}
> + optee {
> + description = "OPTEE OS Image";
> + data = /incbin/("${UBOOT_FIT_OPTEE_OS_IMAGE}");
> + type = "tee";
> + arch = "${UBOOT_ARCH}";
> + os = "tee";
> + load = <${UBOOT_FIT_OPTEE_OS_LOADADDRESS}>;
> + entry = <${UBOOT_FIT_OPTEE_OS_ENTRYPOINT}>;
> + compression = "none";
> +EOF
> +
> + if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
> + cat << EOF >> ${UBOOT_ITS}
> + signature {
> + algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}";
> + key-name-hint = "${SPL_SIGN_KEYNAME}";
> + };
> +EOF
> + fi
> +
> + cat << EOF >> ${UBOOT_ITS}
> + };
> +EOF
> + fi
> +
> + cat << EOF >> ${UBOOT_ITS}
> };
>
> configurations {
> default = "conf";
> conf {
> description = "Boot with signed U-Boot FIT";
> - loadables = "uboot";
> +EOF
> + if [ -n "${conf_firmware}" ]; then
> + cat << EOF >> ${UBOOT_ITS}
> + firmware = ${conf_firmware};
> +EOF
> + fi
> + cat << EOF >> ${UBOOT_ITS}
> + loadables = ${conf_loadables};
> fdt = "fdt";
> };
> };
These changes look good thanks. I'm just a bit worried they don't have
any test coverage so they're easily going to regress?
There are also no documentation patches?
Cheers,
Richard
* RE: [OE-core] [PATCH v2 4/4] uboot-sign: support to load optee-os and TFA images
2024-01-26 17:05 ` [OE-core] " Richard Purdie
@ 2024-01-31 8:54 ` Jamin Lin
2024-01-31 13:26 ` Richard Purdie
0 siblings, 1 reply; 10+ messages in thread
From: Jamin Lin @ 2024-01-31 8:54 UTC (permalink / raw)
To: Richard Purdie, openembedded-core
> -----Original Message-----
> From: Richard Purdie <richard.purdie@linuxfoundation.org>
> Sent: Saturday, January 27, 2024 1:05 AM
> To: Jamin Lin <jamin_lin@aspeedtech.com>;
> openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core] [PATCH v2 4/4] uboot-sign: support to load optee-os and
> TFA images
>
> On Fri, 2024-01-19 at 14:19 +0800, Jamin Lin via lists.openembedded.org
> wrote:
> > Currently, u-boot FIT image only support to load u-boot image.
> > To support optee-os and trusted-firmware-a, update ITS file generation
> > scripts, so users are able to use u-boot FIT image to load u-boot,
> > optee-os and trusted-firmware-a images
> >
> > Add a variable "UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A" to enable
> > trusted-firmware-a image and it is disable by default.
> >
> > Add a variable "UBOOT_FIT_OPTEE_OS" to enable optee-os image and it is
> > disable by default.
> >
> > The ITS file creation looks like as following.
> > 1. Both optee-os and trusted-firmware-a are disabled.
> > '''
> > /dts-v1/;
> >
> > / {
> > images {
> > uboot {
> > };
> > fdt {
> > };
> > };
> >
> > configurations {
> > default = "conf";
> > conf {
> > loadables = "uboot";
> > fdt = "fdt";
> > };
> > };
> > };
> > '''
> >
> > 2. Only enable optee-os
> > '''
> > /dts-v1/;
> >
> > / {
> > images {
> > uboot {
> > };
> > fdt {
> > };
> > optee {
> > };
> > };
> >
> > configurations {
> > default = "conf";
> > conf {
> > firmware = "optee";
> > loadables = "uboot";
> > fdt = "fdt";
> > };
> > };
> > };
> > '''
> >
> > 3. Both optee-os and trusted-firmware-a are enabled '''
> > /dts-v1/;
> >
> > / {
> > images {
> > uboot {
> > };
> > fdt {
> > };
> > atf {
> > };
> > optee {
> > };
> > };
> >
> > configurations {
> > default = "conf";
> > conf {
> > firmware = "atf";
> > loadables = "uboot", "optee";
> > fdt = "fdt";
> > };
> > };
> > };
> > '''
> >
> > Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
> > ---
> > meta/classes-recipe/uboot-sign.bbclass | 91
> > +++++++++++++++++++++++++-
> > 1 file changed, 90 insertions(+), 1 deletion(-)
> >
> > diff --git a/meta/classes-recipe/uboot-sign.bbclass
> > b/meta/classes-recipe/uboot-sign.bbclass
> > index 7a0b8047e4..d2b1013b93 100644
> > --- a/meta/classes-recipe/uboot-sign.bbclass
> > +++ b/meta/classes-recipe/uboot-sign.bbclass
> > @@ -91,6 +91,18 @@ KERNEL_PN =
> "${PREFERRED_PROVIDER_virtual/kernel}"
> > UBOOT_FIT_UBOOT_LOADADDRESS ?= "${UBOOT_LOADADDRESS}"
> > UBOOT_FIT_UBOOT_ENTRYPOINT ?= "${UBOOT_ENTRYPOINT}"
> >
> > +# Trusted Firmware-A (TF-A) provides a reference implementation of #
> > +secure world software for Armv7-A and Armv8-A, # including a Secure
> > +Monitor executing at Exception Level 3 (EL3) # ATF is used as the
> > +initial start code on ARMv8-A cores for all K3 platforms
> > +UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A ?= "0"
> > +UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_IMAGE ?= "bl31.bin"
> > +
> > +# OP-TEE is a Trusted Execution Environment (TEE) designed as #
> > +companion to a non-secure Linux kernel running on Arm
> > +UBOOT_FIT_OPTEE_OS ?= "0"
> > +UBOOT_FIT_OPTEE_OS_IMAGE ?= "tee-raw.bin"
> > +
> > python() {
> > # We need u-boot-tools-native if we're creating a U-Boot fitImage
> > sign = d.getVar('UBOOT_SIGN_ENABLE') == '1'
> > @@ -237,6 +249,20 @@ addtask uboot_generate_rsa_keys before
> > do_uboot_assemble_fitimage after do_compi # Create a ITS file for the
> > U-boot FIT, for use when # we want to sign it so that the SPL can
> > verify it
> > uboot_fitimage_assemble() {
> > + conf_loadables="\"uboot\""
> > + conf_firmware=""
> > +
> > + if [ "${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A}" = "1" ]; then
> > + conf_firmware="\"atf\""
> > + if [ "${UBOOT_FIT_OPTEE_OS}" = "1" ]; then
> > + conf_loadables="\"uboot\", \"optee\""
> > + fi
> > + else
> > + if [ "${UBOOT_FIT_OPTEE_OS}" = "1" ]; then
> > + conf_firmware="\"optee\""
> > + fi
> > + fi
> > +
> > rm -f ${UBOOT_ITS} ${UBOOT_FITIMAGE_BINARY}
> >
> > # First we create the ITS script
> > @@ -289,13 +315,76 @@ EOF
> >
> > cat << EOF >> ${UBOOT_ITS}
> > };
> > +EOF
> > + if [ "${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A}" = "1" ] ; then
> > + cat << EOF >> ${UBOOT_ITS}
> > + atf {
> > + description = "ARM Trusted Firmware-A";
> > + data =
> /incbin/("${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_IMAGE}");
> > + type = "firmware";
> > + arch = "${UBOOT_ARCH}";
> > + os = "arm-trusted-firmware";
> > + load =
> <${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_LOADADDRESS}>;
> > + entry =
> <${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_ENTRYPOINT}>;
> > + compression = "none";
> > +EOF
> > +
> > + if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
> > + cat << EOF >> ${UBOOT_ITS}
> > + signature {
> > + algo =
> "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}";
> > + key-name-hint = "${SPL_SIGN_KEYNAME}";
> > + };
> > +EOF
> > + fi
> > +
> > + cat << EOF >> ${UBOOT_ITS}
> > + };
> > +EOF
> > + fi
> > +
> > + if [ "${UBOOT_FIT_OPTEE_OS}" = "1" ] ; then
> > + cat << EOF >> ${UBOOT_ITS}
> > + optee {
> > + description = "OPTEE OS Image";
> > + data = /incbin/("${UBOOT_FIT_OPTEE_OS_IMAGE}");
> > + type = "tee";
> > + arch = "${UBOOT_ARCH}";
> > + os = "tee";
> > + load = <${UBOOT_FIT_OPTEE_OS_LOADADDRESS}>;
> > + entry = <${UBOOT_FIT_OPTEE_OS_ENTRYPOINT}>;
> > + compression = "none";
> > +EOF
> > +
> > + if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
> > + cat << EOF >> ${UBOOT_ITS}
> > + signature {
> > + algo =
> "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}";
> > + key-name-hint = "${SPL_SIGN_KEYNAME}";
> > + };
> > +EOF
> > + fi
> > +
> > + cat << EOF >> ${UBOOT_ITS}
> > + };
> > +EOF
> > + fi
> > +
> > + cat << EOF >> ${UBOOT_ITS}
> > };
> >
> > configurations {
> > default = "conf";
> > conf {
> > description = "Boot with signed U-Boot FIT";
> > - loadables = "uboot";
> > +EOF
> > + if [ -n "${conf_firmware}" ]; then
> > + cat << EOF >> ${UBOOT_ITS}
> > + firmware = ${conf_firmware}; EOF
> > + fi
> > + cat << EOF >> ${UBOOT_ITS}
> > + loadables = ${conf_loadables};
> > fdt = "fdt";
> > };
> > };
>
> These changes look good thanks. I'm just a bit worried they don't have any test
> coverage so they're easily going to regress?
>
> There are also no documentation patches?
>
> Cheers,
>
> Richard
Hi Richard,
Thanks for your review and sorry for the late reply.
Did you mean I should create a new patch to add a test case for fitimage to oe-selftest in this patch series?
After I read this document https://docs.yoctoproject.org/test-manual/index.html, it seems
oe-selftest supports testing the generated u-boot FIT image and the generated u-boot.its here,
meta/lib/oeqa/selftest/cases/fitimage.py
Do I need to add more test cases to test u-boot.its and the u-boot FIT image for my modifications, such as the FIT image with optee-os and trusted-firmware-a support?
According to the design of optee-os and trusted-firmware-a, both recipes were placed in the meta-arm layer, https://git.yoctoproject.org/meta-arm/tree
Can I add dependencies in both meta/classes-recipe/uboot-sign.bbclass and meta/lib/oeqa/selftest/cases/fitimage.py?
One more question: regarding "There are also no documentation patches?", did you mean to update the Yocto documentation?
If yes, could you please tell me which document I need to update?
Thanks-Jamin
* Re: [OE-core] [PATCH v2 4/4] uboot-sign: support to load optee-os and TFA images
2024-01-31 8:54 ` Jamin Lin
@ 2024-01-31 13:26 ` Richard Purdie
2024-02-01 2:00 ` Jamin Lin
0 siblings, 1 reply; 10+ messages in thread
From: Richard Purdie @ 2024-01-31 13:26 UTC (permalink / raw)
To: Jamin Lin, openembedded-core; +Cc: Ross Burton, Jon Mason
On Wed, 2024-01-31 at 08:54 +0000, Jamin Lin wrote:
>
> Thanks for your review and sorry for the late reply.
>
> Did you mean I should create a new patch to add test case for fitimage of oe-selftest in this series patch?
Ideally, yes please, we should really have test coverage for new things
we're adding.
> After I read this document https://docs.yoctoproject.org/test-manual/index.html, it seems
> oe-selftest support to test the generated u-boot FIT image and the generated u-boot.its here,
> meta/lib/oeqa/selftest/cases/fitimage.py
>
> Do I need to add more test case to test u-boot.its and u-boot FIT image for my modifications such as optee-os and trusted-firmware-a supported FIT image?
> According to the design of optee-os and trusted-firmware-a, both recipes were placed in meta-arm meta layer, https://git.yoctoproject.org/meta-arm/tree
> Can I add dependencies in both meta/classes-recipe/uboot-sign.bbclass and meta/lib/oeqa/selftest/cases/fitimage.py.
For this I'm wondering if meta-arm would accept the test case and be
able to run it there? I've copied Ross/Jon who might be able to help
with ideas on that.
>
> One more question, " There are also no documentation patches?", Did you mean to update Yocto document?
> If yes, could you please tell me which document I need to update?
>
Where you add new variables we need to define them in the manual:
https://git.yoctoproject.org/yocto-docs/tree/documentation/ref-manual/variables.rst
Also, the classes are documented:
https://git.yoctoproject.org/yocto-docs/tree/documentation/ref-manual/classes.rst
so if the variables are class specific, they should probably be
referenced from the class documentation itself.
Cheers,
Richard
* RE: [OE-core] [PATCH v2 4/4] uboot-sign: support to load optee-os and TFA images
2024-01-31 13:26 ` Richard Purdie
@ 2024-02-01 2:00 ` Jamin Lin
2024-02-08 18:02 ` Ross Burton
0 siblings, 1 reply; 10+ messages in thread
From: Jamin Lin @ 2024-02-01 2:00 UTC (permalink / raw)
To: Richard Purdie, openembedded-core; +Cc: Ross Burton, Jon Mason
> On Wed, 2024-01-31 at 08:54 +0000, Jamin Lin wrote:
> >
> > Thanks for your review and sorry for the late reply.
> >
> > Did you mean I should create a new patch to add test case for fitimage of
> oe-selftest in this series patch?
>
> Ideally, yes please, we should really have test coverage for new things we're
> adding.
>
> > After I read this document
> > https://docs.yoctoproject.org/test-manual/index.html, it seems
> > oe-selftest support to test the generated u-boot FIT image and the
> > generated u-boot.its here, meta/lib/oeqa/selftest/cases/fitimage.py
> >
> > Do I need to add more test case to test u-boot.its and u-boot FIT image for
> my modifications such as optee-os and trusted-firmware-a supported FIT
> image?
> > According to the design of optee-os and trusted-firmware-a, both
> > recipes were placed in meta-arm meta layer,
> > https://git.yoctoproject.org/meta-arm/tree
> > Can I add dependencies in both meta/classes-recipe/uboot-sign.bbclass and
> meta/lib/oeqa/selftest/cases/fitimage.py.
>
> For this I'm wondering if meta-arm would accept the test case and be able to
> run it there? I've copied Ross/Jon who might be able to help with ideas on that.
>
Richard, Ross and Jon,
It seems that I can refer to/modify openembedded-core/meta/lib/oeqa/selftest/cases/fitimage.py (only adding test cases to test the u-boot fit image for optee-os and trusted-firmware-a) and
copy this file into the meta-arm layer in this directory, https://git.yoctoproject.org/meta-arm/tree/meta-arm/lib/oeqa/selftest/cases/tests.
Regarding the u-boot fit image generation dependency, can I add the optee-os and trusted-firmware-a dependencies in meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend, with the contents of u-boot_%.bbappend as follows?
do_compile[depends] += " \
${@bb.utils.contains('UBOOT_FIT_OPTEE_OS', '1', 'optee-os:do_deploy', '', d)} \
${@bb.utils.contains('UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A', '1', 'trusted-firmware-a:do_deploy', '', d)} \
"
Any suggestion will be appreciated.
> >
> > One more question, " There are also no documentation patches?", Did you
> mean to update Yocto document?
> > If yes, could you please tell me which document I need to update?
> >
>
> Where you add new variables we need to define them in the manual:
>
> https://git.yoctoproject.org/yocto-docs/tree/documentation/ref-manual/variabl
> es.rst
>
> Also, the classes are documented:
>
> https://git.yoctoproject.org/yocto-docs/tree/documentation/ref-manual/classes
> .rst
>
> so if the variables are class specific, they should probably be referenced from
> the class documentation itself.
>
Will update Yocto ref-manual.
Thanks-Jamin
> Cheers,
>
> Richard
* Re: [OE-core] [PATCH v2 4/4] uboot-sign: support to load optee-os and TFA images
2024-02-01 2:00 ` Jamin Lin
@ 2024-02-08 18:02 ` Ross Burton
2024-02-15 2:31 ` Jamin Lin
0 siblings, 1 reply; 10+ messages in thread
From: Ross Burton @ 2024-02-08 18:02 UTC (permalink / raw)
To: Jamin Lin; +Cc: Richard Purdie, openembedded-core, Jon Mason
On 1 Feb 2024, at 02:00, Jamin Lin <jamin_lin@aspeedtech.com> wrote:
> It seems that I can refer/modify openembedded-core/meta/lib/oeqa/selftest/cases/fitimage.py(only add test case to test u-boot fit image for optee-os and trusted-firmware-a) and
> Copy this file into meta-arm layer in this directory, https://git.yoctoproject.org/meta-arm/tree/meta-arm/lib/oeqa/selftest/cases/tests.
>
> Regarding the u-boot fit image generation dependency, can I add optee-os and trusted-firmware-a dependency in meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend and the contents of u-boot_%.bbappend as following.
>
> do_compile[depends] += " \
> ${@bb.utils.contains('UBOOT_FIT_OPTEE_OS', '1', 'optee-os:do_deploy', '', d)} \
> ${@bb.utils.contains('UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A', '1', 'trusted-firmware-a:do_deploy', '', d)} \
> "
It feels to me that we’re slowly creating two parallel generalised fit image classes, one called “uboot_sign” and the other called “kernel-fitimage”... Surely there should be just _one_ fit image creation class that can do everything in a generalised way?
Ross
* RE: [OE-core] [PATCH v2 4/4] uboot-sign: support to load optee-os and TFA images
2024-02-08 18:02 ` Ross Burton
@ 2024-02-15 2:31 ` Jamin Lin
0 siblings, 0 replies; 10+ messages in thread
From: Jamin Lin @ 2024-02-15 2:31 UTC (permalink / raw)
To: Ross Burton; +Cc: Richard Purdie, openembedded-core, Jon Mason
> -----Original Message-----
> From: Ross Burton <Ross.Burton@arm.com>
> Sent: Friday, February 9, 2024 2:03 AM
> To: Jamin Lin <jamin_lin@aspeedtech.com>
> Cc: Richard Purdie <richard.purdie@linuxfoundation.org>;
> openembedded-core@lists.openembedded.org; Jon Mason
> <Jon.Mason@arm.com>
> Subject: Re: [OE-core] [PATCH v2 4/4] uboot-sign: support to load optee-os and
> TFA images
>
> On 1 Feb 2024, at 02:00, Jamin Lin <jamin_lin@aspeedtech.com> wrote:
> > It seems that I can refer/modify
> > openembedded-core/meta/lib/oeqa/selftest/cases/fitimage.py(only add test
> case to test u-boot fit image for optee-os and trusted-firmware-a) and Copy
> this file into meta-arm layer in this directory,
> https://git.yoctoproject.org/meta-arm/tree/meta-arm/lib/oeqa/selftest/cases/
> tests.
> >
> > Regarding the u-boot fit image generation dependency, can I add optee-os
> and trusted-firmware-a dependency in
> meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend and the contents of
> u-boot_%.bbappend as following.
> >
> > do_compile[depends] += " \
> > ${@bb.utils.contains('UBOOT_FIT_OPTEE_OS', '1', 'optee-os:do_deploy',
> '', d)} \
> > ${@bb.utils.contains('UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A', '1',
> 'trusted-firmware-a:do_deploy', '', d)} \
> > "
>
> It feels to me that we’re slowly creating two parallel generalised fit image
> classes, one called “uboot_sign” and the other called “kernel-fitimage”...
> Surely there should be just _one_ fit image creation class that can do
> everything in a generalised way?
>
Hi Ross,
I am not the maintainer of uboot-sign.bbclass and kernel-fitimage.bbclass.
I don't know whether a single .bbclass for both u-boot and kernel fit image generation is a good solution or not.
It seems that a single .bbclass to create the two fit images is too complicated.
1. only the u-boot fit image has TFA
2. only the kernel fit image has ramdisk
Thanks-Jamin
> Ross