From mboxrd@z Thu Jan 1 00:00:00 1970 From: Lokesh Vutla Date: Thu, 14 Feb 2019 09:16:55 +0530 Subject: [U-Boot] [PATCH 5/7] arm: mach-k3: Add secure device build support In-Reply-To: <20190213183712.7087-6-afd@ti.com> References: <20190213183712.7087-1-afd@ti.com> <20190213183712.7087-6-afd@ti.com> Message-ID: List-Id: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: u-boot@lists.denx.de On 14/02/19 12:07 AM, Andrew F. Davis wrote: > K3 HS devices require signed binaries for boot, use the SECDEV tools > to sign the boot artifacts during build. > > Signed-off-by: Andrew F. Davis > --- > MAINTAINERS | 1 + > arch/arm/mach-k3/config.mk | 25 ++++++++++++++++++ > arch/arm/mach-k3/config_secure.mk | 44 +++++++++++++++++++++++++++++++ > tools/k3_fit_atf.sh | 8 ++++-- > 4 files changed, 76 insertions(+), 2 deletions(-) > create mode 100644 arch/arm/mach-k3/config_secure.mk > > diff --git a/MAINTAINERS b/MAINTAINERS > index 18cdca9447..ac6bd8cfca 100644 > --- a/MAINTAINERS > +++ b/MAINTAINERS > @@ -717,6 +717,7 @@ F: arch/arm/mach-omap2/omap5/sec_entry_cpu1.S > F: arch/arm/mach-omap2/sec-common.c > F: arch/arm/mach-omap2/config_secure.mk > F: arch/arm/mach-k3/security.c > +F: arch/arm/mach-k3/config_secure.mk > F: configs/am335x_hs_evm_defconfig > F: configs/am335x_hs_evm_uart_defconfig > F: configs/am43xx_hs_evm_defconfig > diff --git a/arch/arm/mach-k3/config.mk b/arch/arm/mach-k3/config.mk > index be00d79fb0..2d8f61f9db 100644 > --- a/arch/arm/mach-k3/config.mk > +++ b/arch/arm/mach-k3/config.mk > @@ -36,6 +36,14 @@ cmd_gencert = cat $(srctree)/tools/k3_x509template.txt | sed $(SED_OPTS) > u-boo > # If external key is not provided, generate key using openssl. > ifeq ($(CONFIG_SYS_K3_KEY), "") > KEY=u-boot-spl-eckey.pem > +# On HS use real key or warn if not available > +ifeq ($(CONFIG_TI_SECURE_DEVICE),y) > +ifneq ($(wildcard $(TI_SECURE_DEV_PKG)/keys/custMpk.pem),) > +KEY=$(TI_SECURE_DEV_PKG)/keys/custMpk.pem > +else > +$(warning "WARNING: signing key not found. Random key will NOT work on HS hardware!") > +endif > +endif > else > KEY=$(patsubst "%",$(srctree)/%,$(CONFIG_SYS_K3_KEY)) > endif > @@ -65,6 +73,15 @@ ALL-y += tiboot3.bin > endif > > ifdef CONFIG_ARM64 > +ifeq ($(CONFIG_TI_SECURE_DEVICE),y) > +SPL_ITS := u-boot-spl-k3_HS.its > +$(SPL_ITS): FORCE > + IS_HS=1 \ > + $(srctree)/tools/k3_fit_atf.sh \ > + $(patsubst %,$(obj)/dts/%.dtb,$(subst ",,$(CONFIG_SPL_OF_LIST))) > $@ > + > +ALL-y += tispl.bin_HS > +else > SPL_ITS := u-boot-spl-k3.its > $(SPL_ITS): FORCE > $(srctree)/tools/k3_fit_atf.sh \ > @@ -72,7 +89,15 @@ $(SPL_ITS): FORCE > > ALL-y += tispl.bin > endif > +endif > + > +else > > +ifeq ($(CONFIG_TI_SECURE_DEVICE),y) > +ALL-y += u-boot.img_HS > else > ALL-y += u-boot.img > endif > +endif > + > +include $(srctree)/arch/arm/mach-k3/config_secure.mk > diff --git a/arch/arm/mach-k3/config_secure.mk b/arch/arm/mach-k3/config_secure.mk > new file mode 100644 > index 0000000000..6d63c57665 > --- /dev/null > +++ b/arch/arm/mach-k3/config_secure.mk > @@ -0,0 +1,44 @@ > +# SPDX-License-Identifier: GPL-2.0 > +# > +# Copyright (C) 2018 Texas Instruments, Incorporated - http://www.ti.com/ > +# Andrew F. Davis > + > +quiet_cmd_k3secureimg = SECURE $@ > +ifneq ($(TI_SECURE_DEV_PKG),) > +ifneq ($(wildcard $(TI_SECURE_DEV_PKG)/scripts/secure-binary-image.sh),) > +cmd_k3secureimg = $(TI_SECURE_DEV_PKG)/scripts/secure-binary-image.sh \ > + $< $@ \ > + $(if $(KBUILD_VERBOSE:1=), >/dev/null) > +else > +cmd_k3secureimg = echo "WARNING:" \ > + "$(TI_SECURE_DEV_PKG)/scripts/secure-binary-image.sh not found." \ > + "$@ was NOT secured!"; cp $< $@ > +endif > +else > +cmd_k3secureimg = echo "WARNING: TI_SECURE_DEV_PKG environment" \ > + "variable must be defined for TI secure devices." \ > + "$@ was NOT secured!"; cp $< $@ > +endif > + > +%.dtb_HS: %.dtb FORCE > + $(call if_changed,k3secureimg) > + > +$(obj)/u-boot-spl-nodtb.bin_HS: $(obj)/u-boot-spl-nodtb.bin FORCE > + $(call if_changed,k3secureimg) > + > +tispl.bin_HS: $(obj)/u-boot-spl-nodtb.bin_HS $(patsubst %,$(obj)/dts/%.dtb_HS,$(subst ",,$(CONFIG_SPL_OF_LIST))) $(SPL_ITS) FORCE > + $(call if_changed,mkfitimage) > + > +MKIMAGEFLAGS_u-boot.img_HS = -f auto -A $(ARCH) -T firmware -C none -O u-boot \ > + -a $(CONFIG_SYS_TEXT_BASE) -e $(CONFIG_SYS_UBOOT_START) \ > + -n "U-Boot $(UBOOTRELEASE) for $(BOARD) board" -E \ > + $(patsubst %,-b arch/$(ARCH)/dts/%.dtb_HS,$(subst ",,$(CONFIG_OF_LIST))) I guess these HS postfixed dtbs will never get cleaned. I see the same issue with other TI secure devices as well. Can you update the clean rules as well? Thanks and regards, Lokesh > + > +OF_LIST_TARGETS = $(patsubst %,arch/$(ARCH)/dts/%.dtb,$(subst ",,$(CONFIG_OF_LIST))) > +$(OF_LIST_TARGETS): dtbs > + > +u-boot-nodtb.bin_HS: u-boot-nodtb.bin FORCE > + $(call if_changed,k3secureimg) > + > +u-boot.img_HS: u-boot-nodtb.bin_HS u-boot.img $(patsubst %.dtb,%.dtb_HS,$(OF_LIST_TARGETS)) FORCE > + $(call if_changed,mkimage) > diff --git a/tools/k3_fit_atf.sh b/tools/k3_fit_atf.sh > index 430b5ca616..4e9f69c087 100755 > --- a/tools/k3_fit_atf.sh > +++ b/tools/k3_fit_atf.sh > @@ -21,6 +21,10 @@ if [ ! -f $TEE ]; then > TEE=/dev/null > fi > > +if [ ! -z "$IS_HS" ]; then > + HS_APPEND=_HS > +fi > + > cat << __HEADER_EOF > /dts-v1/; > > @@ -51,7 +55,7 @@ cat << __HEADER_EOF > }; > spl { > description = "SPL (64-bit)"; > - data = /incbin/("spl/u-boot-spl-nodtb.bin"); > + data = /incbin/("spl/u-boot-spl-nodtb.bin$HS_APPEND"); > type = "standalone"; > os = "U-Boot"; > arch = "arm64"; > @@ -66,7 +70,7 @@ do > cat << __FDT_IMAGE_EOF > $(basename $dtname) { > description = "$(basename $dtname .dtb)"; > - data = /incbin/("$dtname"); > + data = /incbin/("$dtname$HS_APPEND"); > type = "flat_dt"; > arch = "arm"; > compression = "none"; >