[U-Boot] [PATCH 1/2] rockchip: make_fit_atf.py: allow inclusion of a tee binary

[U-Boot] [PATCH 1/2] rockchip: make_fit_atf.py: allow inclusion of a tee binary

[Heiko Stuebner]

A trusted execution environment should also get loaded as loadable from
a fit image, so add the possibility to present a tee.elf to make_fit_atf.py
that then gets included as additional loadable into the generated its.

For ease of integration the additional loadable is created as atf_(x+1)
after all others to re-use core generation loops.

Tested against the combinations of 1-part-atf and multi-part-atf each
time with and without a tee binary present.

Signed-off-by: Heiko Stuebner <heiko@sntech.de>
---
 arch/arm/mach-rockchip/make_fit_atf.py | 52 +++++++++++++++++++++++---
 1 file changed, 46 insertions(+), 6 deletions(-)

diff --git a/arch/arm/mach-rockchip/make_fit_atf.py b/arch/arm/mach-rockchip/make_fit_atf.py
index 585edcf9d5..3c045a5e17 100755
--- a/arch/arm/mach-rockchip/make_fit_atf.py
+++ b/arch/arm/mach-rockchip/make_fit_atf.py
@@ -63,6 +63,21 @@ def append_bl31_node(file, atf_index, phy_addr, elf_entry):
     file.write('\t\t};\n')
     file.write('\n')
 
+def append_tee_node(file, atf_index, phy_addr, elf_entry):
+    # Append TEE DT node to input FIT dts file.
+    data = 'tee_0x%08x.bin' % phy_addr
+    file.write('\t\tatf_%d {\n' % atf_index)
+    file.write('\t\t\tdescription = \"TEE\";\n')
+    file.write('\t\t\tdata = /incbin/("%s");\n' % data)
+    file.write('\t\t\ttype = "tee";\n')
+    file.write('\t\t\tarch = "arm64";\n')
+    file.write('\t\t\tos = "tee";\n')
+    file.write('\t\t\tcompression = "none";\n')
+    file.write('\t\t\tload = <0x%08x>;\n' % phy_addr)
+    file.write('\t\t\tentry = <0x%08x>;\n' % elf_entry)
+    file.write('\t\t};\n')
+    file.write('\n')
+
 def append_fdt_node(file, dtbs):
     # Append FDT nodes.
     cnt = 1
@@ -115,15 +130,23 @@ def generate_atf_fit_dts_uboot(fit_file, uboot_file_name):
     index, entry, p_paddr, data = segments[0]
     fit_file.write(DT_UBOOT % p_paddr)
 
-def generate_atf_fit_dts_bl31(fit_file, bl31_file_name, dtbs_file_name):
+def generate_atf_fit_dts_bl31(fit_file, bl31_file_name, tee_file_name, dtbs_file_name):
     segments = unpack_elf(bl31_file_name)
     for index, entry, paddr, data in segments:
         append_bl31_node(fit_file, index + 1, paddr, entry)
+    num_segments = len(segments)
+
+    if tee_file_name:
+        tee_segments = unpack_elf(tee_file_name)
+        for index, entry, paddr, data in tee_segments:
+            append_tee_node(fit_file, num_segments + index + 1, paddr, entry)
+        num_segments = num_segments + len(tee_segments)
+
     append_fdt_node(fit_file, dtbs_file_name)
     fit_file.write(DT_IMAGES_NODE_END)
-    append_conf_node(fit_file, dtbs_file_name, len(segments))
+    append_conf_node(fit_file, dtbs_file_name, num_segments)
 
-def generate_atf_fit_dts(fit_file_name, bl31_file_name, uboot_file_name, dtbs_file_name):
+def generate_atf_fit_dts(fit_file_name, bl31_file_name, tee_file_name, uboot_file_name, dtbs_file_name):
     # Generate FIT script for ATF image.
     if fit_file_name != sys.stdout:
         fit_file = open(fit_file_name, "wb")
@@ -132,7 +155,7 @@ def generate_atf_fit_dts(fit_file_name, bl31_file_name, uboot_file_name, dtbs_fi
 
     fit_file.write(DT_HEADER)
     generate_atf_fit_dts_uboot(fit_file, uboot_file_name)
-    generate_atf_fit_dts_bl31(fit_file, bl31_file_name, dtbs_file_name)
+    generate_atf_fit_dts_bl31(fit_file, bl31_file_name, tee_file_name, dtbs_file_name)
     fit_file.write(DT_END)
 
     if fit_file_name != sys.stdout:
@@ -144,6 +167,13 @@ def generate_atf_binary(bl31_file_name):
         with open(file_name, "wb") as atf:
             atf.write(data)
 
+def generate_tee_binary(tee_file_name):
+    if tee_file_name:
+        for index, entry, paddr, data in unpack_elf(tee_file_name):
+            file_name = 'tee_0x%08x.bin' % paddr
+            with open(file_name, "wb") as atf:
+                atf.write(data)
+
 def unpack_elf(filename):
     with open(filename, 'rb') as file:
         elf = file.read()
@@ -178,7 +208,14 @@ def main():
         logging.warning(' BL31 file bl31.elf NOT found, resulting binary is non-functional')
         logging.warning(' Please read Building section in doc/README.rockchip')
 
-    opts, args = getopt.getopt(sys.argv[1:], "o:u:b:h")
+    if "TEE" in os.environ:
+        tee_elf = os.getenv("TEE")
+    elif os.path.isfile("./tee.elf"):
+        tee_elf = "./tee.elf"
+    else:
+        tee_elf = ""
+
+    opts, args = getopt.getopt(sys.argv[1:], "o:u:b:t:h")
     for opt, val in opts:
         if opt == "-o":
             fit_its = val
@@ -186,14 +223,17 @@ def main():
             uboot_elf = val
         elif opt == "-b":
             bl31_elf = val
+        elif opt == "-t":
+            tee_elf = val
         elif opt == "-h":
             print(__doc__)
             sys.exit(2)
 
     dtbs = args
 
-    generate_atf_fit_dts(fit_its, bl31_elf, uboot_elf, dtbs)
+    generate_atf_fit_dts(fit_its, bl31_elf, tee_elf, uboot_elf, dtbs)
     generate_atf_binary(bl31_elf)
+    generate_tee_binary(tee_elf)
 
 if __name__ == "__main__":
     main()
-- 
2.23.0

[U-Boot] [PATCH 2/2] common: spl: atf: support booting bl32 image

[Heiko Stuebner]

From: Joseph Chen <chenjh@rock-chips.com>

Trusted-Firmware can also initialize a secure payload to use as a trusted
execution environment. In general for the arm64 case this is provided as
separate image and uboot is supposed to also place it in a predetermined
location in memory and add the necessary parameters to the ATF boot params.

So add the possibility to get this tee payload from the provided FIT image
and setup things as necessary.

Tested on a Rockchip PX30 with mainline TF-A, mainline OP-Tee (with pending
PX30 support) and mainline 5.4-rc1 Linux kernel.

Signed-off-by: Joseph Chen <chenjh@rock-chips.com>
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
---
 common/spl/spl_atf.c | 46 ++++++++++++++++++++++++++++++--------------
 1 file changed, 32 insertions(+), 14 deletions(-)

diff --git a/common/spl/spl_atf.c b/common/spl/spl_atf.c
index 4715f9d371..41b7dbd769 100644
--- a/common/spl/spl_atf.c
+++ b/common/spl/spl_atf.c
@@ -30,8 +30,10 @@ static struct bl31_params *bl2_to_bl31_params;
  *
  * @return bl31 params structure pointer
  */
-static struct bl31_params *bl2_plat_get_bl31_params(uintptr_t bl33_entry)
+static struct bl31_params *bl2_plat_get_bl31_params(uintptr_t bl32_entry,
+						    uintptr_t bl33_entry)
 {
+	struct entry_point_info *bl32_ep_info;
 	struct entry_point_info *bl33_ep_info;
 
 	/*
@@ -49,16 +51,21 @@ static struct bl31_params *bl2_plat_get_bl31_params(uintptr_t bl33_entry)
 	SET_PARAM_HEAD(bl2_to_bl31_params->bl31_image_info,
 		       ATF_PARAM_IMAGE_BINARY, ATF_VERSION_1, 0);
 
-	/* Fill BL32 related information if it exists */
+
+	/* Fill BL32 related information */
 	bl2_to_bl31_params->bl32_ep_info = &bl31_params_mem.bl32_ep_info;
-	SET_PARAM_HEAD(bl2_to_bl31_params->bl32_ep_info, ATF_PARAM_EP,
-		       ATF_VERSION_1, 0);
+	bl32_ep_info = &bl31_params_mem.bl32_ep_info;
+	SET_PARAM_HEAD(bl32_ep_info, ATF_PARAM_EP, ATF_VERSION_1,
+		       ATF_EP_SECURE);
+
+	/* secure payload is optional, so set pc to 0 if absent */
+	bl32_ep_info->pc = bl32_entry ? bl32_entry : 0;
+	bl32_ep_info->spsr = SPSR_64(MODE_EL1, MODE_SP_ELX,
+				     DISABLE_ALL_EXECPTIONS);
+
 	bl2_to_bl31_params->bl32_image_info = &bl31_params_mem.bl32_image_info;
 	SET_PARAM_HEAD(bl2_to_bl31_params->bl32_image_info,
 		       ATF_PARAM_IMAGE_BINARY, ATF_VERSION_1, 0);
-#ifndef BL32_BASE
-	bl2_to_bl31_params->bl32_ep_info->pc = 0;
-#endif /* BL32_BASE */
 
 	/* Fill BL33 related information */
 	bl2_to_bl31_params->bl33_ep_info = &bl31_params_mem.bl33_ep_info;
@@ -86,13 +93,13 @@ static inline void raw_write_daif(unsigned int daif)
 
 typedef void (*atf_entry_t)(struct bl31_params *params, void *plat_params);
 
-static void bl31_entry(uintptr_t bl31_entry, uintptr_t bl33_entry,
-		       uintptr_t fdt_addr)
+static void bl31_entry(uintptr_t bl31_entry, uintptr_t bl32_entry,
+		       uintptr_t bl33_entry, uintptr_t fdt_addr)
 {
 	struct bl31_params *bl31_params;
 	atf_entry_t  atf_entry = (atf_entry_t)bl31_entry;
 
-	bl31_params = bl2_plat_get_bl31_params(bl33_entry);
+	bl31_params = bl2_plat_get_bl31_params(bl32_entry, bl33_entry);
 
 	raw_write_daif(SPSR_EXCEPTION_MASK);
 	dcache_disable();
@@ -100,7 +107,7 @@ static void bl31_entry(uintptr_t bl31_entry, uintptr_t bl33_entry,
 	atf_entry((void *)bl31_params, (void *)fdt_addr);
 }
 
-static int spl_fit_images_find_uboot(void *blob)
+static int spl_fit_images_find(void *blob, int os)
 {
 	int parent, node, ndepth;
 	const void *data;
@@ -122,7 +129,7 @@ static int spl_fit_images_find_uboot(void *blob)
 		if (!data)
 			continue;
 
-		if (genimg_get_os_id(data) == IH_OS_U_BOOT)
+		if (genimg_get_os_id(data) == os)
 			return node;
 	};
 
@@ -143,11 +150,21 @@ uintptr_t spl_fit_images_get_entry(void *blob, int node)
 
 void spl_invoke_atf(struct spl_image_info *spl_image)
 {
+	uintptr_t  bl32_entry = 0;
 	uintptr_t  bl33_entry = CONFIG_SYS_TEXT_BASE;
 	void *blob = spl_image->fdt_addr;
 	uintptr_t platform_param = (uintptr_t)blob;
 	int node;
 
+	/*
+	 * Find the OP-TEE binary (in /fit-images) load address or
+	 * entry point (if different) and pass it as the BL3-2 entry
+	 * point, this is optional.
+	 */
+	node = spl_fit_images_find(blob, IH_OS_TEE);
+	if (node >= 0)
+		bl32_entry = spl_fit_images_get_entry(blob, node);
+
 	/*
 	 * Find the U-Boot binary (in /fit-images) load addreess or
 	 * entry point (if different) and pass it as the BL3-3 entry
@@ -155,7 +172,7 @@ void spl_invoke_atf(struct spl_image_info *spl_image)
 	 * This will need to be extended to support Falcon mode.
 	 */
 
-	node = spl_fit_images_find_uboot(blob);
+	node = spl_fit_images_find(blob, IH_OS_U_BOOT);
 	if (node >= 0)
 		bl33_entry = spl_fit_images_get_entry(blob, node);
 
@@ -172,5 +189,6 @@ void spl_invoke_atf(struct spl_image_info *spl_image)
 	 * We don't provide a BL3-2 entry yet, but this will be possible
 	 * using similar logic.
 	 */
-	bl31_entry(spl_image->entry_point, bl33_entry, platform_param);
+	bl31_entry(spl_image->entry_point, bl32_entry,
+		   bl33_entry, platform_param);
 }
-- 
2.23.0

[U-Boot] [PATCH 1/2] rockchip: make_fit_atf.py: allow inclusion of a tee binary

[Simon Glass]

Hi Heiko,

On Tue, 1 Oct 2019 at 14:23, Heiko Stuebner <heiko@sntech.de> wrote:
>
> A trusted execution environment should also get loaded as loadable from
> a fit image, so add the possibility to present a tee.elf to make_fit_atf.py
> that then gets included as additional loadable into the generated its.
>
> For ease of integration the additional loadable is created as atf_(x+1)
> after all others to re-use core generation loops.
>
> Tested against the combinations of 1-part-atf and multi-part-atf each
> time with and without a tee binary present.
>
> Signed-off-by: Heiko Stuebner <heiko@sntech.de>
> ---
>  arch/arm/mach-rockchip/make_fit_atf.py | 52 +++++++++++++++++++++++---
>  1 file changed, 46 insertions(+), 6 deletions(-)
>

Instead of building up another tool, could we use binman for this? If
not, what is missing?

Regards,
Simon

[U-Boot] [PATCH 1/2] rockchip: make_fit_atf.py: allow inclusion of a tee binary

[Heiko Stübner]

Hi Simon,

Am Donnerstag, 10. Oktober 2019, 19:06:12 CEST schrieb Simon Glass:
> On Tue, 1 Oct 2019 at 14:23, Heiko Stuebner <heiko@sntech.de> wrote:
> > A trusted execution environment should also get loaded as loadable from
> > a fit image, so add the possibility to present a tee.elf to make_fit_atf.py
> > that then gets included as additional loadable into the generated its.
> >
> > For ease of integration the additional loadable is created as atf_(x+1)
> > after all others to re-use core generation loops.
> >
> > Tested against the combinations of 1-part-atf and multi-part-atf each
> > time with and without a tee binary present.
> >
> > Signed-off-by: Heiko Stuebner <heiko@sntech.de>
> > ---
> >  arch/arm/mach-rockchip/make_fit_atf.py | 52 +++++++++++++++++++++++---
> >  1 file changed, 46 insertions(+), 6 deletions(-)
> >
> 
> Instead of building up another tool, could we use binman for this? If
> not, what is missing?

make_fit_atf.py is the existing tool and I've no real experience with
binman so far, so I don't really know.

make_fit_atf.py is the script used to create the u-boot.its used as base
for the uboot fit image loaded from SPL, so it's the script set in the
SPL_FIT_GENERATOR Kconfig similar to sunxi and riscv.

For this it parses the ATF.elf and (now) TEE.elf to get the actual load
addresses for the loadables (the ATF.elf contains separate sections for
main DDR and often additional SRAM locations for loadables of variable
number) and creates the .its based on this data.


Looking at the binman README:
"Binman considers FIT to be one of the binaries it can place in the image.
Where possible it is best to put as much as possible in the FIT, with binman
used to deal with cases not covered by FIT."

So it looks like that should stay as it is? Or is that documentation outdated?


Heiko

[U-Boot] [PATCH 1/2] rockchip: make_fit_atf.py: allow inclusion of a tee binary

[Simon Glass]

Hi Heiko,

On Thu, 10 Oct 2019 at 12:28, Heiko Stübner <heiko@sntech.de> wrote:
>
> Hi Simon,
>
> Am Donnerstag, 10. Oktober 2019, 19:06:12 CEST schrieb Simon Glass:
> > On Tue, 1 Oct 2019 at 14:23, Heiko Stuebner <heiko@sntech.de> wrote:
> > > A trusted execution environment should also get loaded as loadable from
> > > a fit image, so add the possibility to present a tee.elf to make_fit_atf.py
> > > that then gets included as additional loadable into the generated its.
> > >
> > > For ease of integration the additional loadable is created as atf_(x+1)
> > > after all others to re-use core generation loops.
> > >
> > > Tested against the combinations of 1-part-atf and multi-part-atf each
> > > time with and without a tee binary present.
> > >
> > > Signed-off-by: Heiko Stuebner <heiko@sntech.de>
> > > ---
> > >  arch/arm/mach-rockchip/make_fit_atf.py | 52 +++++++++++++++++++++++---
> > >  1 file changed, 46 insertions(+), 6 deletions(-)
> > >
> >
> > Instead of building up another tool, could we use binman for this? If
> > not, what is missing?
>
> make_fit_atf.py is the existing tool and I've no real experience with
> binman so far, so I don't really know.
>
> make_fit_atf.py is the script used to create the u-boot.its used as base
> for the uboot fit image loaded from SPL, so it's the script set in the
> SPL_FIT_GENERATOR Kconfig similar to sunxi and riscv.
>
> For this it parses the ATF.elf and (now) TEE.elf to get the actual load
> addresses for the loadables (the ATF.elf contains separate sections for
> main DDR and often additional SRAM locations for loadables of variable
> number) and creates the .its based on this data.

binman has functionality to obtain symbol addresses (see for example

>
>
> Looking at the binman README:
> "Binman considers FIT to be one of the binaries it can place in the image.
> Where possible it is best to put as much as possible in the FIT, with binman
> used to deal with cases not covered by FIT."

Also see the slides from a recent talk [1].

>
> So it looks like that should stay as it is? Or is that documentation outdated?

It seems like we should create a FIT generator in binman. FIT support
is in the TODO but not yet done.

Do you want to have a try? It basically involves creating a new entry
type, e.g. 'rockchip-fit.py' that generates the FIT (from a template)
and then runs mkimage.

Regards,
Simon

[1] https://osfc.io/uploads/talk/paper/45/Binman_-_A_data-controlled_firmware_packer_for_U-Boot.pdf

[U-Boot] [PATCH 2/2] common: spl: atf: support booting bl32 image

[Kever Yang]

On 2019/10/2 上午5:23, Heiko Stuebner wrote:
> From: Joseph Chen <chenjh@rock-chips.com>
>
> Trusted-Firmware can also initialize a secure payload to use as a trusted
> execution environment. In general for the arm64 case this is provided as
> separate image and uboot is supposed to also place it in a predetermined
> location in memory and add the necessary parameters to the ATF boot params.
>
> So add the possibility to get this tee payload from the provided FIT image
> and setup things as necessary.
>
> Tested on a Rockchip PX30 with mainline TF-A, mainline OP-Tee (with pending
> PX30 support) and mainline 5.4-rc1 Linux kernel.
>
> Signed-off-by: Joseph Chen <chenjh@rock-chips.com>
> Signed-off-by: Heiko Stuebner <heiko@sntech.de>

Reviewed-by: Kever Yang<kever.yang@rock-chips.com>


Thanks,
- Kever
> ---
>   common/spl/spl_atf.c | 46 ++++++++++++++++++++++++++++++--------------
>   1 file changed, 32 insertions(+), 14 deletions(-)
>
> diff --git a/common/spl/spl_atf.c b/common/spl/spl_atf.c
> index 4715f9d371..41b7dbd769 100644
> --- a/common/spl/spl_atf.c
> +++ b/common/spl/spl_atf.c
> @@ -30,8 +30,10 @@ static struct bl31_params *bl2_to_bl31_params;
>    *
>    * @return bl31 params structure pointer
>    */
> -static struct bl31_params *bl2_plat_get_bl31_params(uintptr_t bl33_entry)
> +static struct bl31_params *bl2_plat_get_bl31_params(uintptr_t bl32_entry,
> +						    uintptr_t bl33_entry)
>   {
> +	struct entry_point_info *bl32_ep_info;
>   	struct entry_point_info *bl33_ep_info;
>   
>   	/*
> @@ -49,16 +51,21 @@ static struct bl31_params *bl2_plat_get_bl31_params(uintptr_t bl33_entry)
>   	SET_PARAM_HEAD(bl2_to_bl31_params->bl31_image_info,
>   		       ATF_PARAM_IMAGE_BINARY, ATF_VERSION_1, 0);
>   
> -	/* Fill BL32 related information if it exists */
> +
> +	/* Fill BL32 related information */
>   	bl2_to_bl31_params->bl32_ep_info = &bl31_params_mem.bl32_ep_info;
> -	SET_PARAM_HEAD(bl2_to_bl31_params->bl32_ep_info, ATF_PARAM_EP,
> -		       ATF_VERSION_1, 0);
> +	bl32_ep_info = &bl31_params_mem.bl32_ep_info;
> +	SET_PARAM_HEAD(bl32_ep_info, ATF_PARAM_EP, ATF_VERSION_1,
> +		       ATF_EP_SECURE);
> +
> +	/* secure payload is optional, so set pc to 0 if absent */
> +	bl32_ep_info->pc = bl32_entry ? bl32_entry : 0;
> +	bl32_ep_info->spsr = SPSR_64(MODE_EL1, MODE_SP_ELX,
> +				     DISABLE_ALL_EXECPTIONS);
> +
>   	bl2_to_bl31_params->bl32_image_info = &bl31_params_mem.bl32_image_info;
>   	SET_PARAM_HEAD(bl2_to_bl31_params->bl32_image_info,
>   		       ATF_PARAM_IMAGE_BINARY, ATF_VERSION_1, 0);
> -#ifndef BL32_BASE
> -	bl2_to_bl31_params->bl32_ep_info->pc = 0;
> -#endif /* BL32_BASE */
>   
>   	/* Fill BL33 related information */
>   	bl2_to_bl31_params->bl33_ep_info = &bl31_params_mem.bl33_ep_info;
> @@ -86,13 +93,13 @@ static inline void raw_write_daif(unsigned int daif)
>   
>   typedef void (*atf_entry_t)(struct bl31_params *params, void *plat_params);
>   
> -static void bl31_entry(uintptr_t bl31_entry, uintptr_t bl33_entry,
> -		       uintptr_t fdt_addr)
> +static void bl31_entry(uintptr_t bl31_entry, uintptr_t bl32_entry,
> +		       uintptr_t bl33_entry, uintptr_t fdt_addr)
>   {
>   	struct bl31_params *bl31_params;
>   	atf_entry_t  atf_entry = (atf_entry_t)bl31_entry;
>   
> -	bl31_params = bl2_plat_get_bl31_params(bl33_entry);
> +	bl31_params = bl2_plat_get_bl31_params(bl32_entry, bl33_entry);
>   
>   	raw_write_daif(SPSR_EXCEPTION_MASK);
>   	dcache_disable();
> @@ -100,7 +107,7 @@ static void bl31_entry(uintptr_t bl31_entry, uintptr_t bl33_entry,
>   	atf_entry((void *)bl31_params, (void *)fdt_addr);
>   }
>   
> -static int spl_fit_images_find_uboot(void *blob)
> +static int spl_fit_images_find(void *blob, int os)
>   {
>   	int parent, node, ndepth;
>   	const void *data;
> @@ -122,7 +129,7 @@ static int spl_fit_images_find_uboot(void *blob)
>   		if (!data)
>   			continue;
>   
> -		if (genimg_get_os_id(data) == IH_OS_U_BOOT)
> +		if (genimg_get_os_id(data) == os)
>   			return node;
>   	};
>   
> @@ -143,11 +150,21 @@ uintptr_t spl_fit_images_get_entry(void *blob, int node)
>   
>   void spl_invoke_atf(struct spl_image_info *spl_image)
>   {
> +	uintptr_t  bl32_entry = 0;
>   	uintptr_t  bl33_entry = CONFIG_SYS_TEXT_BASE;
>   	void *blob = spl_image->fdt_addr;
>   	uintptr_t platform_param = (uintptr_t)blob;
>   	int node;
>   
> +	/*
> +	 * Find the OP-TEE binary (in /fit-images) load address or
> +	 * entry point (if different) and pass it as the BL3-2 entry
> +	 * point, this is optional.
> +	 */
> +	node = spl_fit_images_find(blob, IH_OS_TEE);
> +	if (node >= 0)
> +		bl32_entry = spl_fit_images_get_entry(blob, node);
> +
>   	/*
>   	 * Find the U-Boot binary (in /fit-images) load addreess or
>   	 * entry point (if different) and pass it as the BL3-3 entry
> @@ -155,7 +172,7 @@ void spl_invoke_atf(struct spl_image_info *spl_image)
>   	 * This will need to be extended to support Falcon mode.
>   	 */
>   
> -	node = spl_fit_images_find_uboot(blob);
> +	node = spl_fit_images_find(blob, IH_OS_U_BOOT);
>   	if (node >= 0)
>   		bl33_entry = spl_fit_images_get_entry(blob, node);
>   
> @@ -172,5 +189,6 @@ void spl_invoke_atf(struct spl_image_info *spl_image)
>   	 * We don't provide a BL3-2 entry yet, but this will be possible
>   	 * using similar logic.
>   	 */
> -	bl31_entry(spl_image->entry_point, bl33_entry, platform_param);
> +	bl31_entry(spl_image->entry_point, bl32_entry,
> +		   bl33_entry, platform_param);
>   }

[U-Boot] [PATCH 1/2] rockchip: make_fit_atf.py: allow inclusion of a tee binary

[Kever Yang]

On 2019/10/2 上午5:23, Heiko Stuebner wrote:
> A trusted execution environment should also get loaded as loadable from
> a fit image, so add the possibility to present a tee.elf to make_fit_atf.py
> that then gets included as additional loadable into the generated its.
>
> For ease of integration the additional loadable is created as atf_(x+1)
> after all others to re-use core generation loops.
>
> Tested against the combinations of 1-part-atf and multi-part-atf each
> time with and without a tee binary present.
>
> Signed-off-by: Heiko Stuebner <heiko@sntech.de>

Reviewed-by: Kever Yang<kever.yang@rock-chips.com>


Thanks,
- Kever
> ---
>   arch/arm/mach-rockchip/make_fit_atf.py | 52 +++++++++++++++++++++++---
>   1 file changed, 46 insertions(+), 6 deletions(-)
>
> diff --git a/arch/arm/mach-rockchip/make_fit_atf.py b/arch/arm/mach-rockchip/make_fit_atf.py
> index 585edcf9d5..3c045a5e17 100755
> --- a/arch/arm/mach-rockchip/make_fit_atf.py
> +++ b/arch/arm/mach-rockchip/make_fit_atf.py
> @@ -63,6 +63,21 @@ def append_bl31_node(file, atf_index, phy_addr, elf_entry):
>       file.write('\t\t};\n')
>       file.write('\n')
>   
> +def append_tee_node(file, atf_index, phy_addr, elf_entry):
> +    # Append TEE DT node to input FIT dts file.
> +    data = 'tee_0x%08x.bin' % phy_addr
> +    file.write('\t\tatf_%d {\n' % atf_index)
> +    file.write('\t\t\tdescription = \"TEE\";\n')
> +    file.write('\t\t\tdata = /incbin/("%s");\n' % data)
> +    file.write('\t\t\ttype = "tee";\n')
> +    file.write('\t\t\tarch = "arm64";\n')
> +    file.write('\t\t\tos = "tee";\n')
> +    file.write('\t\t\tcompression = "none";\n')
> +    file.write('\t\t\tload = <0x%08x>;\n' % phy_addr)
> +    file.write('\t\t\tentry = <0x%08x>;\n' % elf_entry)
> +    file.write('\t\t};\n')
> +    file.write('\n')
> +
>   def append_fdt_node(file, dtbs):
>       # Append FDT nodes.
>       cnt = 1
> @@ -115,15 +130,23 @@ def generate_atf_fit_dts_uboot(fit_file, uboot_file_name):
>       index, entry, p_paddr, data = segments[0]
>       fit_file.write(DT_UBOOT % p_paddr)
>   
> -def generate_atf_fit_dts_bl31(fit_file, bl31_file_name, dtbs_file_name):
> +def generate_atf_fit_dts_bl31(fit_file, bl31_file_name, tee_file_name, dtbs_file_name):
>       segments = unpack_elf(bl31_file_name)
>       for index, entry, paddr, data in segments:
>           append_bl31_node(fit_file, index + 1, paddr, entry)
> +    num_segments = len(segments)
> +
> +    if tee_file_name:
> +        tee_segments = unpack_elf(tee_file_name)
> +        for index, entry, paddr, data in tee_segments:
> +            append_tee_node(fit_file, num_segments + index + 1, paddr, entry)
> +        num_segments = num_segments + len(tee_segments)
> +
>       append_fdt_node(fit_file, dtbs_file_name)
>       fit_file.write(DT_IMAGES_NODE_END)
> -    append_conf_node(fit_file, dtbs_file_name, len(segments))
> +    append_conf_node(fit_file, dtbs_file_name, num_segments)
>   
> -def generate_atf_fit_dts(fit_file_name, bl31_file_name, uboot_file_name, dtbs_file_name):
> +def generate_atf_fit_dts(fit_file_name, bl31_file_name, tee_file_name, uboot_file_name, dtbs_file_name):
>       # Generate FIT script for ATF image.
>       if fit_file_name != sys.stdout:
>           fit_file = open(fit_file_name, "wb")
> @@ -132,7 +155,7 @@ def generate_atf_fit_dts(fit_file_name, bl31_file_name, uboot_file_name, dtbs_fi
>   
>       fit_file.write(DT_HEADER)
>       generate_atf_fit_dts_uboot(fit_file, uboot_file_name)
> -    generate_atf_fit_dts_bl31(fit_file, bl31_file_name, dtbs_file_name)
> +    generate_atf_fit_dts_bl31(fit_file, bl31_file_name, tee_file_name, dtbs_file_name)
>       fit_file.write(DT_END)
>   
>       if fit_file_name != sys.stdout:
> @@ -144,6 +167,13 @@ def generate_atf_binary(bl31_file_name):
>           with open(file_name, "wb") as atf:
>               atf.write(data)
>   
> +def generate_tee_binary(tee_file_name):
> +    if tee_file_name:
> +        for index, entry, paddr, data in unpack_elf(tee_file_name):
> +            file_name = 'tee_0x%08x.bin' % paddr
> +            with open(file_name, "wb") as atf:
> +                atf.write(data)
> +
>   def unpack_elf(filename):
>       with open(filename, 'rb') as file:
>           elf = file.read()
> @@ -178,7 +208,14 @@ def main():
>           logging.warning(' BL31 file bl31.elf NOT found, resulting binary is non-functional')
>           logging.warning(' Please read Building section in doc/README.rockchip')
>   
> -    opts, args = getopt.getopt(sys.argv[1:], "o:u:b:h")
> +    if "TEE" in os.environ:
> +        tee_elf = os.getenv("TEE")
> +    elif os.path.isfile("./tee.elf"):
> +        tee_elf = "./tee.elf"
> +    else:
> +        tee_elf = ""
> +
> +    opts, args = getopt.getopt(sys.argv[1:], "o:u:b:t:h")
>       for opt, val in opts:
>           if opt == "-o":
>               fit_its = val
> @@ -186,14 +223,17 @@ def main():
>               uboot_elf = val
>           elif opt == "-b":
>               bl31_elf = val
> +        elif opt == "-t":
> +            tee_elf = val
>           elif opt == "-h":
>               print(__doc__)
>               sys.exit(2)
>   
>       dtbs = args
>   
> -    generate_atf_fit_dts(fit_its, bl31_elf, uboot_elf, dtbs)
> +    generate_atf_fit_dts(fit_its, bl31_elf, tee_elf, uboot_elf, dtbs)
>       generate_atf_binary(bl31_elf)
> +    generate_tee_binary(tee_elf)
>   
>   if __name__ == "__main__":
>       main()