[U-Boot] [PATCH 5/7] arm: mach-k3: Add secure device build support

From: Lokesh Vutla <lokeshvutla@ti.com>
To: u-boot@lists.denx.de
Subject: [U-Boot] [PATCH 5/7] arm: mach-k3: Add secure device build support
Date: Thu, 14 Feb 2019 09:16:55 +0530	[thread overview]
Message-ID: <e8208ea1-1d3f-ed66-ca56-822db3e84ec3@ti.com> (raw)
In-Reply-To: <20190213183712.7087-6-afd@ti.com>

On 14/02/19 12:07 AM, Andrew F. Davis wrote:
> K3 HS devices require signed binaries for boot, use the SECDEV tools
> to sign the boot artifacts during build.
> 
> Signed-off-by: Andrew F. Davis <afd@ti.com>
> ---
>  MAINTAINERS                       |  1 +
>  arch/arm/mach-k3/config.mk        | 25 ++++++++++++++++++
>  arch/arm/mach-k3/config_secure.mk | 44 +++++++++++++++++++++++++++++++
>  tools/k3_fit_atf.sh               |  8 ++++--
>  4 files changed, 76 insertions(+), 2 deletions(-)
>  create mode 100644 arch/arm/mach-k3/config_secure.mk
> 
> diff --git a/MAINTAINERS b/MAINTAINERS
> index 18cdca9447..ac6bd8cfca 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -717,6 +717,7 @@ F:	arch/arm/mach-omap2/omap5/sec_entry_cpu1.S
>  F:	arch/arm/mach-omap2/sec-common.c
>  F:	arch/arm/mach-omap2/config_secure.mk
>  F:	arch/arm/mach-k3/security.c
> +F:	arch/arm/mach-k3/config_secure.mk
>  F:	configs/am335x_hs_evm_defconfig
>  F:	configs/am335x_hs_evm_uart_defconfig
>  F:	configs/am43xx_hs_evm_defconfig
> diff --git a/arch/arm/mach-k3/config.mk b/arch/arm/mach-k3/config.mk
> index be00d79fb0..2d8f61f9db 100644
> --- a/arch/arm/mach-k3/config.mk
> +++ b/arch/arm/mach-k3/config.mk
> @@ -36,6 +36,14 @@ cmd_gencert = cat $(srctree)/tools/k3_x509template.txt | sed $(SED_OPTS) > u-boo
>  # If external key is not provided, generate key using openssl.
>  ifeq ($(CONFIG_SYS_K3_KEY), "")
>  KEY=u-boot-spl-eckey.pem
> +# On HS use real key or warn if not available
> +ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
> +ifneq ($(wildcard $(TI_SECURE_DEV_PKG)/keys/custMpk.pem),)
> +KEY=$(TI_SECURE_DEV_PKG)/keys/custMpk.pem
> +else
> +$(warning "WARNING: signing key not found. Random key will NOT work on HS hardware!")
> +endif
> +endif
>  else
>  KEY=$(patsubst "%",$(srctree)/%,$(CONFIG_SYS_K3_KEY))
>  endif
> @@ -65,6 +73,15 @@ ALL-y	+= tiboot3.bin
>  endif
>  
>  ifdef CONFIG_ARM64
> +ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
> +SPL_ITS := u-boot-spl-k3_HS.its
> +$(SPL_ITS): FORCE
> +	IS_HS=1 \
> +	$(srctree)/tools/k3_fit_atf.sh \
> +	$(patsubst %,$(obj)/dts/%.dtb,$(subst ",,$(CONFIG_SPL_OF_LIST))) > $@
> +
> +ALL-y	+= tispl.bin_HS
> +else
>  SPL_ITS := u-boot-spl-k3.its
>  $(SPL_ITS): FORCE
>  	$(srctree)/tools/k3_fit_atf.sh \
> @@ -72,7 +89,15 @@ $(SPL_ITS): FORCE
>  
>  ALL-y	+= tispl.bin
>  endif
> +endif
> +
> +else
>  
> +ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
> +ALL-y	+= u-boot.img_HS
>  else
>  ALL-y	+= u-boot.img
>  endif
> +endif
> +
> +include $(srctree)/arch/arm/mach-k3/config_secure.mk
> diff --git a/arch/arm/mach-k3/config_secure.mk b/arch/arm/mach-k3/config_secure.mk
> new file mode 100644
> index 0000000000..6d63c57665
> --- /dev/null
> +++ b/arch/arm/mach-k3/config_secure.mk
> @@ -0,0 +1,44 @@
> +# SPDX-License-Identifier: GPL-2.0
> +#
> +# Copyright (C) 2018 Texas Instruments, Incorporated - http://www.ti.com/
> +#	Andrew F. Davis <afd@ti.com>
> +
> +quiet_cmd_k3secureimg = SECURE  $@
> +ifneq ($(TI_SECURE_DEV_PKG),)
> +ifneq ($(wildcard $(TI_SECURE_DEV_PKG)/scripts/secure-binary-image.sh),)
> +cmd_k3secureimg = $(TI_SECURE_DEV_PKG)/scripts/secure-binary-image.sh \
> +	$< $@ \
> +	$(if $(KBUILD_VERBOSE:1=), >/dev/null)
> +else
> +cmd_k3secureimg = echo "WARNING:" \
> +	"$(TI_SECURE_DEV_PKG)/scripts/secure-binary-image.sh not found." \
> +	"$@ was NOT secured!"; cp $< $@
> +endif
> +else
> +cmd_k3secureimg = echo "WARNING: TI_SECURE_DEV_PKG environment" \
> +	"variable must be defined for TI secure devices." \
> +	"$@ was NOT secured!"; cp $< $@
> +endif
> +
> +%.dtb_HS: %.dtb FORCE
> +	$(call if_changed,k3secureimg)
> +
> +$(obj)/u-boot-spl-nodtb.bin_HS: $(obj)/u-boot-spl-nodtb.bin FORCE
> +	$(call if_changed,k3secureimg)
> +
> +tispl.bin_HS: $(obj)/u-boot-spl-nodtb.bin_HS $(patsubst %,$(obj)/dts/%.dtb_HS,$(subst ",,$(CONFIG_SPL_OF_LIST))) $(SPL_ITS) FORCE
> +	$(call if_changed,mkfitimage)
> +
> +MKIMAGEFLAGS_u-boot.img_HS = -f auto -A $(ARCH) -T firmware -C none -O u-boot \
> +	-a $(CONFIG_SYS_TEXT_BASE) -e $(CONFIG_SYS_UBOOT_START) \
> +	-n "U-Boot $(UBOOTRELEASE) for $(BOARD) board" -E \
> +	$(patsubst %,-b arch/$(ARCH)/dts/%.dtb_HS,$(subst ",,$(CONFIG_OF_LIST)))

I guess these HS postfixed dtbs will never get cleaned. I see the same issue
with other TI secure devices as well. Can you update the clean rules as well?

Thanks and regards,
Lokesh

> +
> +OF_LIST_TARGETS = $(patsubst %,arch/$(ARCH)/dts/%.dtb,$(subst ",,$(CONFIG_OF_LIST)))
> +$(OF_LIST_TARGETS): dtbs
> +
> +u-boot-nodtb.bin_HS: u-boot-nodtb.bin FORCE
> +	$(call if_changed,k3secureimg)
> +
> +u-boot.img_HS: u-boot-nodtb.bin_HS u-boot.img $(patsubst %.dtb,%.dtb_HS,$(OF_LIST_TARGETS)) FORCE
> +	$(call if_changed,mkimage)
> diff --git a/tools/k3_fit_atf.sh b/tools/k3_fit_atf.sh
> index 430b5ca616..4e9f69c087 100755
> --- a/tools/k3_fit_atf.sh
> +++ b/tools/k3_fit_atf.sh
> @@ -21,6 +21,10 @@ if [ ! -f $TEE ]; then
>  	TEE=/dev/null
>  fi
>  
> +if [ ! -z "$IS_HS" ]; then
> +	HS_APPEND=_HS
> +fi
> +
>  cat << __HEADER_EOF
>  /dts-v1/;
>  
> @@ -51,7 +55,7 @@ cat << __HEADER_EOF
>  		};
>  		spl {
>  			description = "SPL (64-bit)";
> -			data = /incbin/("spl/u-boot-spl-nodtb.bin");
> +			data = /incbin/("spl/u-boot-spl-nodtb.bin$HS_APPEND");
>  			type = "standalone";
>  			os = "U-Boot";
>  			arch = "arm64";
> @@ -66,7 +70,7 @@ do
>  	cat << __FDT_IMAGE_EOF
>  		$(basename $dtname) {
>  			description = "$(basename $dtname .dtb)";
> -			data = /incbin/("$dtname");
> +			data = /incbin/("$dtname$HS_APPEND");
>  			type = "flat_dt";
>  			arch = "arm";
>  			compression = "none";
> 