From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 14CA1C05027 for ; Thu, 2 Feb 2023 08:15:12 +0000 (UTC) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 2235B85ED8; Thu, 2 Feb 2023 09:11:55 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=siemens.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (1024-bit key; secure) header.d=siemens.com header.i=jan.kiszka@siemens.com header.b="SqBN6ic3"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id E2ED385E40; Thu, 2 Feb 2023 09:09:47 +0100 (CET) Received: from mta-64-227.siemens.flowmailer.net (mta-64-227.siemens.flowmailer.net [185.136.64.227]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 4E85985EB5 for ; Thu, 2 Feb 2023 09:08:16 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=siemens.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=jan.kiszka@siemens.com Received: by mta-64-227.siemens.flowmailer.net with ESMTPSA id 202302020808023feac3c301ffb40e94 for ; Thu, 02 Feb 2023 09:08:02 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=jan.kiszka@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=qrZOEKe+DGMEq3NxERjl5FCXWa73jB0T4Kg96J/tBDg=; b=SqBN6ic3wADCk2Ry2wINsPp0+rKsUm/CbYEfhDrlhBqzVpy4df6T+vVLhY2b8i8azwok8n jcdsE+FMGhKiso5ra7Hrq8JEagWYSEFY8q77+dujraB5Vj5dhp8sHaKXiGKgl5zV6lnLujjA V2AgBCUBVzGU5pfAuAujdU7sPKDrE=; From: Jan Kiszka To: U-Boot Mailing List Subject: [PATCH V4 11/14] arm: dts: iot2050: Optionally embed OTP programming data into image Date: Thu, 2 Feb 2023 09:07:56 +0100 Message-Id: In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-294854:519-21489:flowmailer X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.6 at phobos.denx.de X-Virus-Status: Clean From: Jan Kiszka Use external blob otpcmd.bin to replace the 0xff filled OTP programming command block to create a firmware image that provisions the OTP on first boot. This otpcmd.bin is generated from the customer keys using steps described in the meta-iot2050 integration layer for the device. Based on original patch by Baocheng Su. Signed-off-by: Jan Kiszka --- arch/arm/dts/k3-am65-iot2050-boot-image.dtsi | 8 ++++++++ board/siemens/iot2050/Kconfig | 7 +++++++ doc/board/siemens/iot2050.rst | 8 ++++++++ tools/binman/missing-blob-help | 8 ++++++++ 4 files changed, 31 insertions(+) diff --git a/arch/arm/dts/k3-am65-iot2050-boot-image.dtsi b/arch/arm/dts/k3-am65-iot2050-boot-image.dtsi index 9082a79a034..25a22a7b7b8 100644 --- a/arch/arm/dts/k3-am65-iot2050-boot-image.dtsi +++ b/arch/arm/dts/k3-am65-iot2050-boot-image.dtsi @@ -111,10 +111,18 @@ }; /* OTP update command block */ +#if CONFIG_IOT2050_EMBED_OTPCMD + blob-ext@0x6c0000 { + offset = <0x6c0000>; + size = <0x010000>; + filename = "otpcmd.bin"; + missing-msg = "iot2050-otpcmd"; +#else fill@0x6c0000 { offset = <0x6c0000>; size = <0x010000>; fill-byte = [ff]; +#endif }; }; }; diff --git a/board/siemens/iot2050/Kconfig b/board/siemens/iot2050/Kconfig index a2b40881d11..e66b2427d95 100644 --- a/board/siemens/iot2050/Kconfig +++ b/board/siemens/iot2050/Kconfig @@ -49,4 +49,11 @@ config IOT2050_BOOT_SWITCH bool "Disable eMMC boot via USER button (Advanced version only)" default y +config IOT2050_EMBED_OTPCMD + bool "Embed OTP programming data" + help + Embed signed OTP programming data 'otpcmd.bin' into the firmware + image. This data will be evaluated and executed on first boot of the + device. + endif diff --git a/doc/board/siemens/iot2050.rst b/doc/board/siemens/iot2050.rst index 4e0925c72c9..cb49a0e36bf 100644 --- a/doc/board/siemens/iot2050.rst +++ b/doc/board/siemens/iot2050.rst @@ -27,6 +27,14 @@ The following binaries from that source need to be present in the build folder: - seboot_pg1.bin - seboot_pg2.bin +For building an image containing the OTP key provisioning data, below binary +needs to be present in the build folder: + + - otpcmd.bin + +Regarding how to generating this otpcmd.bin, please refer to: +https://github.com/siemens/meta-iot2050/tree/master/recipes-bsp/secure-boot-otp-provisioning/files/make-otpcmd.sh + Building -------- diff --git a/tools/binman/missing-blob-help b/tools/binman/missing-blob-help index 5bb8961ce03..7e88cd03954 100644 --- a/tools/binman/missing-blob-help +++ b/tools/binman/missing-blob-help @@ -23,6 +23,14 @@ See the documentation for IOT2050 board. Your image is missing SEBoot which is mandatory for board startup. Prebuilt SEBoot located at meta-iot2050/tree/master/recipes-bsp/u-boot/files/prebuild/seboot_pg*.bin. +iot2050-otpcmd: +See the documentation for IOT2050 board. Your image is missing OTP command data +block which is used for provisioning the customer keys to the board. +Please refer to +meta-iot2050/tree/master/recipes-bsp/secure-boot-otp-provisioning/files/make-otpcmd.sh +for how to generate this binary. If you are not using secure boot or do not +intend to provision the keys, disable CONFIG_IOT2050_EMBED_OTPCMD. + k3-rti-wdt-firmware: If CONFIG_WDT_K3_RTI_LOAD_FW is enabled, a firmware image is needed for the R5F core(s) to trigger the system reset. One possible source is -- 2.35.3