[meta-ti][master/kirkstone][PATCH 1/4] trusted-firmware-a: Use ti-k3-secdev if TI_SECURE_DEV_PKG_K3 is not defined

[meta-ti][master/kirkstone][PATCH 1/4] trusted-firmware-a: Use ti-k3-secdev if TI_SECURE_DEV_PKG_K3 is not defined

[Andrew Davis]

Use the new ti-k3-secdev package to pull in the signing tools if they are
not provided by the environment. This allows us to use these tools
unconditionally. Remove the checks for the script and do the signing
for all K3 machines. The signature is automatically stripped from
the binaries on non-HS devices at boot time as needed so this change
is harmless for GP devices.

Signed-off-by: Andrew Davis <afd@ti.com>
---
 .../trusted-firmware-a_%.bbappend             | 43 ++++++-------------
 1 file changed, 12 insertions(+), 31 deletions(-)

diff --git a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend
index 5acc5c2e..95f1d2d9 100644
--- a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend
+++ b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend
@@ -6,39 +6,20 @@ TFA_BUILD_TARGET:k3 = "all"
 TFA_INSTALL_TARGET:k3 = "bl31"
 TFA_SPD:k3 = "opteed"
 
+# Use default package TI SECDEV is one is not provided
+DEPENDS:append:k3 = "${@ '' if d.getVar('TI_SECURE_DEV_PKG_K3') else ' ti-k3-secdev-native' }"
+
+# Set a default value for TI_K3_SECDEV_INSTALL_DIR
+export TI_K3_SECDEV_INSTALL_DIR = "${STAGING_DIR_NATIVE}${datadir}/ti/ti-k3-secdev"
+include recipes-ti/includes/ti-paths.inc
+TI_SECURE_DEV_PKG:k3 = "${@ d.getVar('TI_SECURE_DEV_PKG_K3') or d.getVar('TI_K3_SECDEV_INSTALL_DIR') }"
+
 EXTRA_OEMAKE:append:k3 = "${@ ' K3_USART=' + d.getVar('TFA_K3_USART') if d.getVar('TFA_K3_USART') else ''}"
 EXTRA_OEMAKE:append:k3 = "${@ ' K3_PM_SYSTEM_SUSPEND=' + d.getVar('TFA_K3_SYSTEM_SUSPEND') if d.getVar('TFA_K3_SYSTEM_SUSPEND') else ''}"
 
-# Signing procedure for K3 HS devices
-tfa_sign_k3hs() {
+# Signing procedure for K3 devices
+do_compile:append:k3() {
 	export TI_SECURE_DEV_PKG=${TI_SECURE_DEV_PKG}
-	( cd ${BUILD_DIR}; \
-		mv bl31.bin bl31.bin.unsigned; \
-		if [ -f ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ]; then \
-			${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh bl31.bin.unsigned bl31.bin; \
-		else \
-			echo "Warning: TI_SECURE_DEV_PKG not set, TF-A not signed."; \
-			cp bl31.bin.unsigned bl31.bin; \
-		fi; \
-	)
-}
-
-do_compile:append:am65xx-hs-evm() {
-	tfa_sign_k3hs
-}
-
-do_compile:append:am64xx-evm() {
-	tfa_sign_k3hs
-}
-
-do_compile:append:j721e-hs-evm() {
-	tfa_sign_k3hs
-}
-
-do_compile:append:j7200-hs-evm() {
-	tfa_sign_k3hs
-}
-
-do_compile:append:j721s2-hs-evm() {
-	tfa_sign_k3hs
+	mv ${BUILD_DIR}/bl31.bin ${BUILD_DIR}/bl31.bin.unsigned
+	${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ${BUILD_DIR}/bl31.bin.unsigned ${BUILD_DIR}/bl31.bin
 }
-- 
2.39.1

[meta-ti][master/kirkstone][PATCH 2/4] optee-os: Use ti-k3-secdev if TI_SECURE_DEV_PKG_K3 is not defined

[Andrew Davis]

Use the new ti-k3-secdev package to pull in the signing tools if they are
not provided by the environment. This allows us to use these tools
unconditionally. Remove the checks for the script and do the signing
for all K3 machines. The signature is automatically stripped from
the binaries on non-HS devices at boot time as needed so this change
is harmless for GP devices.

Signed-off-by: Andrew Davis <afd@ti.com>
---
 .../optee/optee-os_3.16%.bbappend             | 44 +++++--------------
 1 file changed, 12 insertions(+), 32 deletions(-)

diff --git a/meta-ti-bsp/recipes-security/optee/optee-os_3.16%.bbappend b/meta-ti-bsp/recipes-security/optee/optee-os_3.16%.bbappend
index 6913851b..5a693247 100644
--- a/meta-ti-bsp/recipes-security/optee/optee-os_3.16%.bbappend
+++ b/meta-ti-bsp/recipes-security/optee/optee-os_3.16%.bbappend
@@ -1,6 +1,14 @@
 PV:ti-soc = "3.19.0+git${SRCPV}"
 SRCREV:ti-soc = "afacf356f9593a7f83cae9f96026824ec242ff52"
 
+# Use default package TI SECDEV is one is not provided
+DEPENDS:append:k3 = "${@ '' if d.getVar('TI_SECURE_DEV_PKG_K3') else ' ti-k3-secdev-native' }"
+
+# set a default value for TI_K3_SECDEV_INSTALL_DIR
+export TI_K3_SECDEV_INSTALL_DIR = "${STAGING_DIR_NATIVE}${datadir}/ti/ti-k3-secdev"
+include recipes-ti/includes/ti-paths.inc
+TI_SECURE_DEV_PKG:k3 = "${@ d.getVar('TI_SECURE_DEV_PKG_K3') or d.getVar('TI_K3_SECDEV_INSTALL_DIR') }"
+
 EXTRA_OEMAKE:append:k3 = "${@ ' CFG_CONSOLE_UART='+ d.getVar('OPTEE_K3_USART') if d.getVar('OPTEE_K3_USART') else ''}"
 
 EXTRA_OEMAKE:append:am62xx = " CFG_WITH_SOFTWARE_PRNG=y CFG_TEE_CORE_LOG_LEVEL=1"
@@ -35,20 +43,6 @@ optee_sign_legacyhs() {
     fi
 }
 
-# Signing procedure for K3 HS devices
-optee_sign_k3hs() {
-    ( cd ${B}/core/; \
-        if [ -f ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ]; then \
-            ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh tee-pager_v2.bin tee-pager.bin.signed; \
-        else \
-            echo "Warning: TI_SECURE_DEV_PKG not set, OP-TEE not signed."; \
-            cp tee-pager_v2.bin tee-pager.bin.signed; \
-        fi; \
-        mv tee-pager.bin.signed ${B}/bl32.bin; \
-        cp tee.elf ${B}/bl32.elf; \
-    )
-}
-
 do_compile:append:ti43x() {
     optee_sign_legacyhs
 }
@@ -57,24 +51,10 @@ do_compile:append:dra7xx() {
     optee_sign_legacyhs
 }
 
-do_compile:append:am65xx-hs-evm() {
-    optee_sign_k3hs
-}
-
-do_compile:append:am64xx-evm() {
-    optee_sign_k3hs
-}
-
-do_compile:append:j721e-hs-evm() {
-    optee_sign_k3hs
-}
-
-do_compile:append:j7200-hs-evm() {
-    optee_sign_k3hs
-}
-
-do_compile:append:j721s2-hs-evm() {
-    optee_sign_k3hs
+# Signing procedure for K3 devices
+do_compile:append:k3() {
+    ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ${B}/core/tee-pager_v2.bin ${B}/bl32.bin
+    cp ${B}/core/tee.elf ${B}/bl32.elf
 }
 
 do_install:append:ti-soc() {
-- 
2.39.1

[meta-ti][master/kirkstone][PATCH 3/4] u-boot-ti: Use ti-k3-secdev if TI_SECURE_DEV_PKG_K3 is not defined

[Andrew Davis]

Use the new ti-k3-secdev package to pull in the signing tools if they are
not provided by the environment. This allows us to use these tools
unconditionally. Remove the checks for the script and do the signing
for all K3 machines. The signature is automatically stripped from
the binaries on non-HS devices at boot time as needed so this change
is harmless for GP devices.

Signed-off-by: Andrew Davis <afd@ti.com>
---
 meta-ti-bsp/recipes-bsp/u-boot/u-boot-ti.inc | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/meta-ti-bsp/recipes-bsp/u-boot/u-boot-ti.inc b/meta-ti-bsp/recipes-bsp/u-boot/u-boot-ti.inc
index 6f5b6313..ae87ec6a 100644
--- a/meta-ti-bsp/recipes-bsp/u-boot/u-boot-ti.inc
+++ b/meta-ti-bsp/recipes-bsp/u-boot/u-boot-ti.inc
@@ -24,6 +24,7 @@ PV:append = "+git${SRCPV}"
 
 # u-boot needs devtree compiler to parse dts files
 DEPENDS += "dtc-native bc-native lzop-native flex-native bison-native python3-setuptools-native"
+DEPENDS:append:k3 = "${@ '' if d.getVar('TI_SECURE_DEV_PKG_K3') else ' ti-k3-secdev-native' }"
 
 DM_FIRMWARE = "ipc_echo_testb_mcu1_0_release_strip.xer5f"
 
@@ -49,8 +50,13 @@ PKG:${PN}-dbg = "u-boot-dbg"
 
 S = "${WORKDIR}/git"
 
+# set a default value for TI_K3_SECDEV_INSTALL_DIR
+export TI_K3_SECDEV_INSTALL_DIR = "${STAGING_DIR_NATIVE}${datadir}/ti/ti-k3-secdev"
+include recipes-ti/includes/ti-paths.inc
+
 # Support for secure devices - detailed info is in doc/README.ti-secure
 TI_SECURE_DEV_PKG ?= ""
+TI_SECURE_DEV_PKG:k3 = "${@ d.getVar('TI_SECURE_DEV_PKG_K3') or d.getVar('TI_K3_SECDEV_INSTALL_DIR') }"
 export TI_SECURE_DEV_PKG
 
 SYSROOT_DIRS += "/boot"
-- 
2.39.1

[meta-ti][master/kirkstone][PATCH 4/4] conf: machine: k3: Remove unneeded TI_SECURE_DEV_PKG_K3 assignments

[Andrew Davis]

For K3 machines the SECDEV selection happens in the recipes that use it.
This assignment is therefor no longer needed. Remove it.

Suggested-by: Ryan Eatmon <reatmon@ti.com>
Signed-off-by: Andrew Davis <afd@ti.com>
---
 meta-ti-bsp/conf/machine/include/k3.inc   | 2 --
 meta-ti-bsp/conf/machine/include/k3r5.inc | 2 --
 2 files changed, 4 deletions(-)

diff --git a/meta-ti-bsp/conf/machine/include/k3.inc b/meta-ti-bsp/conf/machine/include/k3.inc
index a34b67ff..3b59645b 100644
--- a/meta-ti-bsp/conf/machine/include/k3.inc
+++ b/meta-ti-bsp/conf/machine/include/k3.inc
@@ -48,5 +48,3 @@ MACHINE_FEATURES += "efi"
 WKS_FILE ?= "sdimage-2part-efi.wks"
 do_image_wic[depends] += "virtual/bootloader:do_deploy"
 do_image_wic[mcdepends] += "mc::k3r5:ti-sci-fw:do_deploy"
-
-TI_SECURE_DEV_PKG = "${TI_SECURE_DEV_PKG_K3}"
diff --git a/meta-ti-bsp/conf/machine/include/k3r5.inc b/meta-ti-bsp/conf/machine/include/k3r5.inc
index 31646f5a..d000404e 100644
--- a/meta-ti-bsp/conf/machine/include/k3r5.inc
+++ b/meta-ti-bsp/conf/machine/include/k3r5.inc
@@ -22,5 +22,3 @@ UBOOT_SYMLINK = "u-boot-r5spl.${UBOOT_SUFFIX}"
 
 PACKAGECONFIG:pn-u-boot-ti-staging = ""
 PACKAGECONFIG:pn-u-boot-ti-mainline = ""
-
-TI_SECURE_DEV_PKG = "${TI_SECURE_DEV_PKG_K3}"
-- 
2.39.1

Re: [meta-ti][master/kirkstone][PATCH 2/4] optee-os: Use ti-k3-secdev if TI_SECURE_DEV_PKG_K3 is not defined

[Ryan Eatmon]

I had to hand apply the patch to master since the file names for 
optee_os differ between the two branches due to this kirkstone patch:

https://lists.yoctoproject.org/g/meta-ti/message/15331


On 2/8/2023 17:10, Andrew Davis wrote:
> Use the new ti-k3-secdev package to pull in the signing tools if they are
> not provided by the environment. This allows us to use these tools
> unconditionally. Remove the checks for the script and do the signing
> for all K3 machines. The signature is automatically stripped from
> the binaries on non-HS devices at boot time as needed so this change
> is harmless for GP devices.
> 
> Signed-off-by: Andrew Davis <afd@ti.com>
> ---
>   .../optee/optee-os_3.16%.bbappend             | 44 +++++--------------
>   1 file changed, 12 insertions(+), 32 deletions(-)
> 
> diff --git a/meta-ti-bsp/recipes-security/optee/optee-os_3.16%.bbappend b/meta-ti-bsp/recipes-security/optee/optee-os_3.16%.bbappend
> index 6913851b..5a693247 100644
> --- a/meta-ti-bsp/recipes-security/optee/optee-os_3.16%.bbappend
> +++ b/meta-ti-bsp/recipes-security/optee/optee-os_3.16%.bbappend
> @@ -1,6 +1,14 @@
>   PV:ti-soc = "3.19.0+git${SRCPV}"
>   SRCREV:ti-soc = "afacf356f9593a7f83cae9f96026824ec242ff52"
>   
> +# Use default package TI SECDEV is one is not provided
> +DEPENDS:append:k3 = "${@ '' if d.getVar('TI_SECURE_DEV_PKG_K3') else ' ti-k3-secdev-native' }"
> +
> +# set a default value for TI_K3_SECDEV_INSTALL_DIR
> +export TI_K3_SECDEV_INSTALL_DIR = "${STAGING_DIR_NATIVE}${datadir}/ti/ti-k3-secdev"
> +include recipes-ti/includes/ti-paths.inc
> +TI_SECURE_DEV_PKG:k3 = "${@ d.getVar('TI_SECURE_DEV_PKG_K3') or d.getVar('TI_K3_SECDEV_INSTALL_DIR') }"
> +
>   EXTRA_OEMAKE:append:k3 = "${@ ' CFG_CONSOLE_UART='+ d.getVar('OPTEE_K3_USART') if d.getVar('OPTEE_K3_USART') else ''}"
>   
>   EXTRA_OEMAKE:append:am62xx = " CFG_WITH_SOFTWARE_PRNG=y CFG_TEE_CORE_LOG_LEVEL=1"
> @@ -35,20 +43,6 @@ optee_sign_legacyhs() {
>       fi
>   }
>   
> -# Signing procedure for K3 HS devices
> -optee_sign_k3hs() {
> -    ( cd ${B}/core/; \
> -        if [ -f ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ]; then \
> -            ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh tee-pager_v2.bin tee-pager.bin.signed; \
> -        else \
> -            echo "Warning: TI_SECURE_DEV_PKG not set, OP-TEE not signed."; \
> -            cp tee-pager_v2.bin tee-pager.bin.signed; \
> -        fi; \
> -        mv tee-pager.bin.signed ${B}/bl32.bin; \
> -        cp tee.elf ${B}/bl32.elf; \
> -    )
> -}
> -
>   do_compile:append:ti43x() {
>       optee_sign_legacyhs
>   }
> @@ -57,24 +51,10 @@ do_compile:append:dra7xx() {
>       optee_sign_legacyhs
>   }
>   
> -do_compile:append:am65xx-hs-evm() {
> -    optee_sign_k3hs
> -}
> -
> -do_compile:append:am64xx-evm() {
> -    optee_sign_k3hs
> -}
> -
> -do_compile:append:j721e-hs-evm() {
> -    optee_sign_k3hs
> -}
> -
> -do_compile:append:j7200-hs-evm() {
> -    optee_sign_k3hs
> -}
> -
> -do_compile:append:j721s2-hs-evm() {
> -    optee_sign_k3hs
> +# Signing procedure for K3 devices
> +do_compile:append:k3() {
> +    ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ${B}/core/tee-pager_v2.bin ${B}/bl32.bin
> +    cp ${B}/core/tee.elf ${B}/bl32.elf
>   }
>   
>   do_install:append:ti-soc() {

-- 
Ryan Eatmon                reatmon@ti.com
-----------------------------------------
Texas Instruments, Inc.  -  LCPD  -  MGTS

Re: [meta-ti][master/kirkstone][PATCH 1/4] trusted-firmware-a: Use ti-k3-secdev if TI_SECURE_DEV_PKG_K3 is not defined

[Denys Dmytriyenko]

On Wed, Feb 08, 2023 at 05:10:28PM -0600, Andrew Davis via lists.yoctoproject.org wrote:
> Use the new ti-k3-secdev package to pull in the signing tools if they are
> not provided by the environment. This allows us to use these tools
> unconditionally. Remove the checks for the script and do the signing
> for all K3 machines. The signature is automatically stripped from
> the binaries on non-HS devices at boot time as needed so this change
> is harmless for GP devices.
> 
> Signed-off-by: Andrew Davis <afd@ti.com>
> ---
>  .../trusted-firmware-a_%.bbappend             | 43 ++++++-------------
>  1 file changed, 12 insertions(+), 31 deletions(-)
> 
> diff --git a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend
> index 5acc5c2e..95f1d2d9 100644
> --- a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend
> +++ b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend
> @@ -6,39 +6,20 @@ TFA_BUILD_TARGET:k3 = "all"
>  TFA_INSTALL_TARGET:k3 = "bl31"
>  TFA_SPD:k3 = "opteed"
>  
> +# Use default package TI SECDEV is one is not provided

typo - *if* one is not provided


> +DEPENDS:append:k3 = "${@ '' if d.getVar('TI_SECURE_DEV_PKG_K3') else ' ti-k3-secdev-native' }"
> +
> +# Set a default value for TI_K3_SECDEV_INSTALL_DIR
> +export TI_K3_SECDEV_INSTALL_DIR = "${STAGING_DIR_NATIVE}${datadir}/ti/ti-k3-secdev"
> +include recipes-ti/includes/ti-paths.inc

If you set TI_K3_SECDEV_INSTALL_DIR explicitly, why do you need to include 
ti-paths.inc here?


> +TI_SECURE_DEV_PKG:k3 = "${@ d.getVar('TI_SECURE_DEV_PKG_K3') or d.getVar('TI_K3_SECDEV_INSTALL_DIR') }"
> +
>  EXTRA_OEMAKE:append:k3 = "${@ ' K3_USART=' + d.getVar('TFA_K3_USART') if d.getVar('TFA_K3_USART') else ''}"
>  EXTRA_OEMAKE:append:k3 = "${@ ' K3_PM_SYSTEM_SUSPEND=' + d.getVar('TFA_K3_SYSTEM_SUSPEND') if d.getVar('TFA_K3_SYSTEM_SUSPEND') else ''}"
>  
> -# Signing procedure for K3 HS devices
> -tfa_sign_k3hs() {
> +# Signing procedure for K3 devices
> +do_compile:append:k3() {
>  	export TI_SECURE_DEV_PKG=${TI_SECURE_DEV_PKG}
> -	( cd ${BUILD_DIR}; \
> -		mv bl31.bin bl31.bin.unsigned; \
> -		if [ -f ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ]; then \
> -			${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh bl31.bin.unsigned bl31.bin; \
> -		else \
> -			echo "Warning: TI_SECURE_DEV_PKG not set, TF-A not signed."; \
> -			cp bl31.bin.unsigned bl31.bin; \
> -		fi; \
> -	)
> -}
> -
> -do_compile:append:am65xx-hs-evm() {
> -	tfa_sign_k3hs
> -}
> -
> -do_compile:append:am64xx-evm() {
> -	tfa_sign_k3hs
> -}
> -
> -do_compile:append:j721e-hs-evm() {
> -	tfa_sign_k3hs
> -}
> -
> -do_compile:append:j7200-hs-evm() {
> -	tfa_sign_k3hs
> -}
> -
> -do_compile:append:j721s2-hs-evm() {
> -	tfa_sign_k3hs
> +	mv ${BUILD_DIR}/bl31.bin ${BUILD_DIR}/bl31.bin.unsigned
> +	${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ${BUILD_DIR}/bl31.bin.unsigned ${BUILD_DIR}/bl31.bin
>  }
> -- 
> 2.39.1

Re: [meta-ti][master/kirkstone][PATCH 2/4] optee-os: Use ti-k3-secdev if TI_SECURE_DEV_PKG_K3 is not defined

[Denys Dmytriyenko]

On Wed, Feb 08, 2023 at 05:10:29PM -0600, Andrew Davis via lists.yoctoproject.org wrote:
> Use the new ti-k3-secdev package to pull in the signing tools if they are
> not provided by the environment. This allows us to use these tools
> unconditionally. Remove the checks for the script and do the signing
> for all K3 machines. The signature is automatically stripped from
> the binaries on non-HS devices at boot time as needed so this change
> is harmless for GP devices.
> 
> Signed-off-by: Andrew Davis <afd@ti.com>
> ---
>  .../optee/optee-os_3.16%.bbappend             | 44 +++++--------------
>  1 file changed, 12 insertions(+), 32 deletions(-)
> 
> diff --git a/meta-ti-bsp/recipes-security/optee/optee-os_3.16%.bbappend b/meta-ti-bsp/recipes-security/optee/optee-os_3.16%.bbappend
> index 6913851b..5a693247 100644
> --- a/meta-ti-bsp/recipes-security/optee/optee-os_3.16%.bbappend
> +++ b/meta-ti-bsp/recipes-security/optee/optee-os_3.16%.bbappend
> @@ -1,6 +1,14 @@
>  PV:ti-soc = "3.19.0+git${SRCPV}"
>  SRCREV:ti-soc = "afacf356f9593a7f83cae9f96026824ec242ff52"
>  
> +# Use default package TI SECDEV is one is not provided

Same typo


> +DEPENDS:append:k3 = "${@ '' if d.getVar('TI_SECURE_DEV_PKG_K3') else ' ti-k3-secdev-native' }"
> +
> +# set a default value for TI_K3_SECDEV_INSTALL_DIR
> +export TI_K3_SECDEV_INSTALL_DIR = "${STAGING_DIR_NATIVE}${datadir}/ti/ti-k3-secdev"
> +include recipes-ti/includes/ti-paths.inc

Same comment


> +TI_SECURE_DEV_PKG:k3 = "${@ d.getVar('TI_SECURE_DEV_PKG_K3') or d.getVar('TI_K3_SECDEV_INSTALL_DIR') }"
> +
>  EXTRA_OEMAKE:append:k3 = "${@ ' CFG_CONSOLE_UART='+ d.getVar('OPTEE_K3_USART') if d.getVar('OPTEE_K3_USART') else ''}"
>  
>  EXTRA_OEMAKE:append:am62xx = " CFG_WITH_SOFTWARE_PRNG=y CFG_TEE_CORE_LOG_LEVEL=1"
> @@ -35,20 +43,6 @@ optee_sign_legacyhs() {
>      fi
>  }
>  
> -# Signing procedure for K3 HS devices
> -optee_sign_k3hs() {
> -    ( cd ${B}/core/; \
> -        if [ -f ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ]; then \
> -            ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh tee-pager_v2.bin tee-pager.bin.signed; \
> -        else \
> -            echo "Warning: TI_SECURE_DEV_PKG not set, OP-TEE not signed."; \
> -            cp tee-pager_v2.bin tee-pager.bin.signed; \
> -        fi; \
> -        mv tee-pager.bin.signed ${B}/bl32.bin; \
> -        cp tee.elf ${B}/bl32.elf; \
> -    )
> -}
> -
>  do_compile:append:ti43x() {
>      optee_sign_legacyhs
>  }
> @@ -57,24 +51,10 @@ do_compile:append:dra7xx() {
>      optee_sign_legacyhs
>  }
>  
> -do_compile:append:am65xx-hs-evm() {
> -    optee_sign_k3hs
> -}
> -
> -do_compile:append:am64xx-evm() {
> -    optee_sign_k3hs
> -}
> -
> -do_compile:append:j721e-hs-evm() {
> -    optee_sign_k3hs
> -}
> -
> -do_compile:append:j7200-hs-evm() {
> -    optee_sign_k3hs
> -}
> -
> -do_compile:append:j721s2-hs-evm() {
> -    optee_sign_k3hs
> +# Signing procedure for K3 devices
> +do_compile:append:k3() {
> +    ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ${B}/core/tee-pager_v2.bin ${B}/bl32.bin
> +    cp ${B}/core/tee.elf ${B}/bl32.elf
>  }
>  
>  do_install:append:ti-soc() {
> -- 
> 2.39.1

Re: [meta-ti][master/kirkstone][PATCH 3/4] u-boot-ti: Use ti-k3-secdev if TI_SECURE_DEV_PKG_K3 is not defined

[Denys Dmytriyenko]

On Wed, Feb 08, 2023 at 05:10:30PM -0600, Andrew Davis via lists.yoctoproject.org wrote:
> Use the new ti-k3-secdev package to pull in the signing tools if they are
> not provided by the environment. This allows us to use these tools
> unconditionally. Remove the checks for the script and do the signing
> for all K3 machines. The signature is automatically stripped from
> the binaries on non-HS devices at boot time as needed so this change
> is harmless for GP devices.
> 
> Signed-off-by: Andrew Davis <afd@ti.com>
> ---
>  meta-ti-bsp/recipes-bsp/u-boot/u-boot-ti.inc | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/meta-ti-bsp/recipes-bsp/u-boot/u-boot-ti.inc b/meta-ti-bsp/recipes-bsp/u-boot/u-boot-ti.inc
> index 6f5b6313..ae87ec6a 100644
> --- a/meta-ti-bsp/recipes-bsp/u-boot/u-boot-ti.inc
> +++ b/meta-ti-bsp/recipes-bsp/u-boot/u-boot-ti.inc
> @@ -24,6 +24,7 @@ PV:append = "+git${SRCPV}"
>  
>  # u-boot needs devtree compiler to parse dts files
>  DEPENDS += "dtc-native bc-native lzop-native flex-native bison-native python3-setuptools-native"
> +DEPENDS:append:k3 = "${@ '' if d.getVar('TI_SECURE_DEV_PKG_K3') else ' ti-k3-secdev-native' }"
>  
>  DM_FIRMWARE = "ipc_echo_testb_mcu1_0_release_strip.xer5f"
>  
> @@ -49,8 +50,13 @@ PKG:${PN}-dbg = "u-boot-dbg"
>  
>  S = "${WORKDIR}/git"
>  
> +# set a default value for TI_K3_SECDEV_INSTALL_DIR
> +export TI_K3_SECDEV_INSTALL_DIR = "${STAGING_DIR_NATIVE}${datadir}/ti/ti-k3-secdev"
> +include recipes-ti/includes/ti-paths.inc

Here as well


> +
>  # Support for secure devices - detailed info is in doc/README.ti-secure
>  TI_SECURE_DEV_PKG ?= ""
> +TI_SECURE_DEV_PKG:k3 = "${@ d.getVar('TI_SECURE_DEV_PKG_K3') or d.getVar('TI_K3_SECDEV_INSTALL_DIR') }"
>  export TI_SECURE_DEV_PKG
>  
>  SYSROOT_DIRS += "/boot"
> -- 
> 2.39.1

Re: [meta-ti][master/kirkstone][PATCH 1/4] trusted-firmware-a: Use ti-k3-secdev if TI_SECURE_DEV_PKG_K3 is not defined

[Andrew Davis]

On 2/10/23 12:51 PM, Denys Dmytriyenko wrote:
> On Wed, Feb 08, 2023 at 05:10:28PM -0600, Andrew Davis via lists.yoctoproject.org wrote:
>> Use the new ti-k3-secdev package to pull in the signing tools if they are
>> not provided by the environment. This allows us to use these tools
>> unconditionally. Remove the checks for the script and do the signing
>> for all K3 machines. The signature is automatically stripped from
>> the binaries on non-HS devices at boot time as needed so this change
>> is harmless for GP devices.
>>
>> Signed-off-by: Andrew Davis <afd@ti.com>
>> ---
>>   .../trusted-firmware-a_%.bbappend             | 43 ++++++-------------
>>   1 file changed, 12 insertions(+), 31 deletions(-)
>>
>> diff --git a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend
>> index 5acc5c2e..95f1d2d9 100644
>> --- a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend
>> +++ b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend
>> @@ -6,39 +6,20 @@ TFA_BUILD_TARGET:k3 = "all"
>>   TFA_INSTALL_TARGET:k3 = "bl31"
>>   TFA_SPD:k3 = "opteed"
>>   
>> +# Use default package TI SECDEV is one is not provided
> 
> typo - *if* one is not provided
> 

Good catch

> 
>> +DEPENDS:append:k3 = "${@ '' if d.getVar('TI_SECURE_DEV_PKG_K3') else ' ti-k3-secdev-native' }"
>> +
>> +# Set a default value for TI_K3_SECDEV_INSTALL_DIR
>> +export TI_K3_SECDEV_INSTALL_DIR = "${STAGING_DIR_NATIVE}${datadir}/ti/ti-k3-secdev"
>> +include recipes-ti/includes/ti-paths.inc
> 
> If you set TI_K3_SECDEV_INSTALL_DIR explicitly, why do you need to include
> ti-paths.inc here?
> 

ti-paths.inc is part of meta-ti-extras which might not be included in one's layer stack.
If not, this is a sane default, but ti-paths.inc can still override that path if available.

Andrew

> 
>> +TI_SECURE_DEV_PKG:k3 = "${@ d.getVar('TI_SECURE_DEV_PKG_K3') or d.getVar('TI_K3_SECDEV_INSTALL_DIR') }"
>> +
>>   EXTRA_OEMAKE:append:k3 = "${@ ' K3_USART=' + d.getVar('TFA_K3_USART') if d.getVar('TFA_K3_USART') else ''}"
>>   EXTRA_OEMAKE:append:k3 = "${@ ' K3_PM_SYSTEM_SUSPEND=' + d.getVar('TFA_K3_SYSTEM_SUSPEND') if d.getVar('TFA_K3_SYSTEM_SUSPEND') else ''}"
>>   
>> -# Signing procedure for K3 HS devices
>> -tfa_sign_k3hs() {
>> +# Signing procedure for K3 devices
>> +do_compile:append:k3() {
>>   	export TI_SECURE_DEV_PKG=${TI_SECURE_DEV_PKG}
>> -	( cd ${BUILD_DIR}; \
>> -		mv bl31.bin bl31.bin.unsigned; \
>> -		if [ -f ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ]; then \
>> -			${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh bl31.bin.unsigned bl31.bin; \
>> -		else \
>> -			echo "Warning: TI_SECURE_DEV_PKG not set, TF-A not signed."; \
>> -			cp bl31.bin.unsigned bl31.bin; \
>> -		fi; \
>> -	)
>> -}
>> -
>> -do_compile:append:am65xx-hs-evm() {
>> -	tfa_sign_k3hs
>> -}
>> -
>> -do_compile:append:am64xx-evm() {
>> -	tfa_sign_k3hs
>> -}
>> -
>> -do_compile:append:j721e-hs-evm() {
>> -	tfa_sign_k3hs
>> -}
>> -
>> -do_compile:append:j7200-hs-evm() {
>> -	tfa_sign_k3hs
>> -}
>> -
>> -do_compile:append:j721s2-hs-evm() {
>> -	tfa_sign_k3hs
>> +	mv ${BUILD_DIR}/bl31.bin ${BUILD_DIR}/bl31.bin.unsigned
>> +	${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ${BUILD_DIR}/bl31.bin.unsigned ${BUILD_DIR}/bl31.bin
>>   }
>> -- 
>> 2.39.1

Re: [meta-ti][master/kirkstone][PATCH 1/4] trusted-firmware-a: Use ti-k3-secdev if TI_SECURE_DEV_PKG_K3 is not defined

[Denys Dmytriyenko]

On Fri, Feb 10, 2023 at 12:56:20PM -0600, Andrew Davis wrote:
> On 2/10/23 12:51 PM, Denys Dmytriyenko wrote:
> >On Wed, Feb 08, 2023 at 05:10:28PM -0600, Andrew Davis via lists.yoctoproject.org wrote:
> >>Use the new ti-k3-secdev package to pull in the signing tools if they are
> >>not provided by the environment. This allows us to use these tools
> >>unconditionally. Remove the checks for the script and do the signing
> >>for all K3 machines. The signature is automatically stripped from
> >>the binaries on non-HS devices at boot time as needed so this change
> >>is harmless for GP devices.
> >>
> >>Signed-off-by: Andrew Davis <afd@ti.com>
> >>---
> >>  .../trusted-firmware-a_%.bbappend             | 43 ++++++-------------
> >>  1 file changed, 12 insertions(+), 31 deletions(-)
> >>
> >>diff --git a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend
> >>index 5acc5c2e..95f1d2d9 100644
> >>--- a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend
> >>+++ b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend
> >>@@ -6,39 +6,20 @@ TFA_BUILD_TARGET:k3 = "all"
> >>  TFA_INSTALL_TARGET:k3 = "bl31"
> >>  TFA_SPD:k3 = "opteed"
> >>+# Use default package TI SECDEV is one is not provided
> >
> >typo - *if* one is not provided
> >
> 
> Good catch
> 
> >
> >>+DEPENDS:append:k3 = "${@ '' if d.getVar('TI_SECURE_DEV_PKG_K3') else ' ti-k3-secdev-native' }"
> >>+
> >>+# Set a default value for TI_K3_SECDEV_INSTALL_DIR
> >>+export TI_K3_SECDEV_INSTALL_DIR = "${STAGING_DIR_NATIVE}${datadir}/ti/ti-k3-secdev"
> >>+include recipes-ti/includes/ti-paths.inc
> >
> >If you set TI_K3_SECDEV_INSTALL_DIR explicitly, why do you need to include
> >ti-paths.inc here?
> >
> 
> ti-paths.inc is part of meta-ti-extras which might not be included in one's layer stack.
> If not, this is a sane default, but ti-paths.inc can still override that path if available.

No, we shouldn't be using ti-paths.inc here at all. The file was mostly used 
by RTOS components back when they were built from sources. That is now only 
used on some legacy platforms. Eventually it will be removed, no reason to 
start using the file for K3 SECDEV. Just come up with the proper default 
(something other than ${datadir}...) and be done with it, right?


> >>+TI_SECURE_DEV_PKG:k3 = "${@ d.getVar('TI_SECURE_DEV_PKG_K3') or d.getVar('TI_K3_SECDEV_INSTALL_DIR') }"
> >>+
> >>  EXTRA_OEMAKE:append:k3 = "${@ ' K3_USART=' + d.getVar('TFA_K3_USART') if d.getVar('TFA_K3_USART') else ''}"
> >>  EXTRA_OEMAKE:append:k3 = "${@ ' K3_PM_SYSTEM_SUSPEND=' + d.getVar('TFA_K3_SYSTEM_SUSPEND') if d.getVar('TFA_K3_SYSTEM_SUSPEND') else ''}"
> >>-# Signing procedure for K3 HS devices
> >>-tfa_sign_k3hs() {
> >>+# Signing procedure for K3 devices
> >>+do_compile:append:k3() {
> >>  	export TI_SECURE_DEV_PKG=${TI_SECURE_DEV_PKG}
> >>-	( cd ${BUILD_DIR}; \
> >>-		mv bl31.bin bl31.bin.unsigned; \
> >>-		if [ -f ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ]; then \
> >>-			${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh bl31.bin.unsigned bl31.bin; \
> >>-		else \
> >>-			echo "Warning: TI_SECURE_DEV_PKG not set, TF-A not signed."; \
> >>-			cp bl31.bin.unsigned bl31.bin; \
> >>-		fi; \
> >>-	)
> >>-}
> >>-
> >>-do_compile:append:am65xx-hs-evm() {
> >>-	tfa_sign_k3hs
> >>-}
> >>-
> >>-do_compile:append:am64xx-evm() {
> >>-	tfa_sign_k3hs
> >>-}
> >>-
> >>-do_compile:append:j721e-hs-evm() {
> >>-	tfa_sign_k3hs
> >>-}
> >>-
> >>-do_compile:append:j7200-hs-evm() {
> >>-	tfa_sign_k3hs
> >>-}
> >>-
> >>-do_compile:append:j721s2-hs-evm() {
> >>-	tfa_sign_k3hs
> >>+	mv ${BUILD_DIR}/bl31.bin ${BUILD_DIR}/bl31.bin.unsigned
> >>+	${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ${BUILD_DIR}/bl31.bin.unsigned ${BUILD_DIR}/bl31.bin
> >>  }
> >>-- 
> >>2.39.1

Re: [meta-ti][master/kirkstone][PATCH 1/4] trusted-firmware-a: Use ti-k3-secdev if TI_SECURE_DEV_PKG_K3 is not defined

[Andrew Davis]

On 2/10/23 1:05 PM, Denys Dmytriyenko wrote:
> On Fri, Feb 10, 2023 at 12:56:20PM -0600, Andrew Davis wrote:
>> On 2/10/23 12:51 PM, Denys Dmytriyenko wrote:
>>> On Wed, Feb 08, 2023 at 05:10:28PM -0600, Andrew Davis via lists.yoctoproject.org wrote:
>>>> Use the new ti-k3-secdev package to pull in the signing tools if they are
>>>> not provided by the environment. This allows us to use these tools
>>>> unconditionally. Remove the checks for the script and do the signing
>>>> for all K3 machines. The signature is automatically stripped from
>>>> the binaries on non-HS devices at boot time as needed so this change
>>>> is harmless for GP devices.
>>>>
>>>> Signed-off-by: Andrew Davis <afd@ti.com>
>>>> ---
>>>>   .../trusted-firmware-a_%.bbappend             | 43 ++++++-------------
>>>>   1 file changed, 12 insertions(+), 31 deletions(-)
>>>>
>>>> diff --git a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend
>>>> index 5acc5c2e..95f1d2d9 100644
>>>> --- a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend
>>>> +++ b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend
>>>> @@ -6,39 +6,20 @@ TFA_BUILD_TARGET:k3 = "all"
>>>>   TFA_INSTALL_TARGET:k3 = "bl31"
>>>>   TFA_SPD:k3 = "opteed"
>>>> +# Use default package TI SECDEV is one is not provided
>>>
>>> typo - *if* one is not provided
>>>
>>
>> Good catch
>>
>>>
>>>> +DEPENDS:append:k3 = "${@ '' if d.getVar('TI_SECURE_DEV_PKG_K3') else ' ti-k3-secdev-native' }"
>>>> +
>>>> +# Set a default value for TI_K3_SECDEV_INSTALL_DIR
>>>> +export TI_K3_SECDEV_INSTALL_DIR = "${STAGING_DIR_NATIVE}${datadir}/ti/ti-k3-secdev"
>>>> +include recipes-ti/includes/ti-paths.inc
>>>
>>> If you set TI_K3_SECDEV_INSTALL_DIR explicitly, why do you need to include
>>> ti-paths.inc here?
>>>
>>
>> ti-paths.inc is part of meta-ti-extras which might not be included in one's layer stack.
>> If not, this is a sane default, but ti-paths.inc can still override that path if available.
> 
> No, we shouldn't be using ti-paths.inc here at all. The file was mostly used
> by RTOS components back when they were built from sources. That is now only
> used on some legacy platforms. Eventually it will be removed, no reason to
> start using the file for K3 SECDEV. Just come up with the proper default
> (something other than ${datadir}...) and be done with it, right?
> 

I'm thinking ${datadir} is the right spot, do you have another spot in mind?

Once we agree on a spot, then I'll go drop out the ti-paths.inc everywhere in
a follow up patch.

Andrew

> 
>>>> +TI_SECURE_DEV_PKG:k3 = "${@ d.getVar('TI_SECURE_DEV_PKG_K3') or d.getVar('TI_K3_SECDEV_INSTALL_DIR') }"
>>>> +
>>>>   EXTRA_OEMAKE:append:k3 = "${@ ' K3_USART=' + d.getVar('TFA_K3_USART') if d.getVar('TFA_K3_USART') else ''}"
>>>>   EXTRA_OEMAKE:append:k3 = "${@ ' K3_PM_SYSTEM_SUSPEND=' + d.getVar('TFA_K3_SYSTEM_SUSPEND') if d.getVar('TFA_K3_SYSTEM_SUSPEND') else ''}"
>>>> -# Signing procedure for K3 HS devices
>>>> -tfa_sign_k3hs() {
>>>> +# Signing procedure for K3 devices
>>>> +do_compile:append:k3() {
>>>>   	export TI_SECURE_DEV_PKG=${TI_SECURE_DEV_PKG}
>>>> -	( cd ${BUILD_DIR}; \
>>>> -		mv bl31.bin bl31.bin.unsigned; \
>>>> -		if [ -f ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ]; then \
>>>> -			${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh bl31.bin.unsigned bl31.bin; \
>>>> -		else \
>>>> -			echo "Warning: TI_SECURE_DEV_PKG not set, TF-A not signed."; \
>>>> -			cp bl31.bin.unsigned bl31.bin; \
>>>> -		fi; \
>>>> -	)
>>>> -}
>>>> -
>>>> -do_compile:append:am65xx-hs-evm() {
>>>> -	tfa_sign_k3hs
>>>> -}
>>>> -
>>>> -do_compile:append:am64xx-evm() {
>>>> -	tfa_sign_k3hs
>>>> -}
>>>> -
>>>> -do_compile:append:j721e-hs-evm() {
>>>> -	tfa_sign_k3hs
>>>> -}
>>>> -
>>>> -do_compile:append:j7200-hs-evm() {
>>>> -	tfa_sign_k3hs
>>>> -}
>>>> -
>>>> -do_compile:append:j721s2-hs-evm() {
>>>> -	tfa_sign_k3hs
>>>> +	mv ${BUILD_DIR}/bl31.bin ${BUILD_DIR}/bl31.bin.unsigned
>>>> +	${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ${BUILD_DIR}/bl31.bin.unsigned ${BUILD_DIR}/bl31.bin
>>>>   }
>>>> -- 
>>>> 2.39.1

Re: [meta-ti][master/kirkstone][PATCH 1/4] trusted-firmware-a: Use ti-k3-secdev if TI_SECURE_DEV_PKG_K3 is not defined

[Denys Dmytriyenko]

On Fri, Feb 10, 2023 at 01:55:24PM -0600, Andrew Davis wrote:
> On 2/10/23 1:05 PM, Denys Dmytriyenko wrote:
> >On Fri, Feb 10, 2023 at 12:56:20PM -0600, Andrew Davis wrote:
> >>On 2/10/23 12:51 PM, Denys Dmytriyenko wrote:
> >>>On Wed, Feb 08, 2023 at 05:10:28PM -0600, Andrew Davis via lists.yoctoproject.org wrote:
> >>>>Use the new ti-k3-secdev package to pull in the signing tools if they are
> >>>>not provided by the environment. This allows us to use these tools
> >>>>unconditionally. Remove the checks for the script and do the signing
> >>>>for all K3 machines. The signature is automatically stripped from
> >>>>the binaries on non-HS devices at boot time as needed so this change
> >>>>is harmless for GP devices.
> >>>>
> >>>>Signed-off-by: Andrew Davis <afd@ti.com>
> >>>>---
> >>>>  .../trusted-firmware-a_%.bbappend             | 43 ++++++-------------
> >>>>  1 file changed, 12 insertions(+), 31 deletions(-)
> >>>>
> >>>>diff --git a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend
> >>>>index 5acc5c2e..95f1d2d9 100644
> >>>>--- a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend
> >>>>+++ b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend
> >>>>@@ -6,39 +6,20 @@ TFA_BUILD_TARGET:k3 = "all"
> >>>>  TFA_INSTALL_TARGET:k3 = "bl31"
> >>>>  TFA_SPD:k3 = "opteed"
> >>>>+# Use default package TI SECDEV is one is not provided
> >>>
> >>>typo - *if* one is not provided
> >>>
> >>
> >>Good catch
> >>
> >>>
> >>>>+DEPENDS:append:k3 = "${@ '' if d.getVar('TI_SECURE_DEV_PKG_K3') else ' ti-k3-secdev-native' }"
> >>>>+
> >>>>+# Set a default value for TI_K3_SECDEV_INSTALL_DIR
> >>>>+export TI_K3_SECDEV_INSTALL_DIR = "${STAGING_DIR_NATIVE}${datadir}/ti/ti-k3-secdev"
> >>>>+include recipes-ti/includes/ti-paths.inc
> >>>
> >>>If you set TI_K3_SECDEV_INSTALL_DIR explicitly, why do you need to include
> >>>ti-paths.inc here?
> >>>
> >>
> >>ti-paths.inc is part of meta-ti-extras which might not be included in one's layer stack.
> >>If not, this is a sane default, but ti-paths.inc can still override that path if available.
> >
> >No, we shouldn't be using ti-paths.inc here at all. The file was mostly used
> >by RTOS components back when they were built from sources. That is now only
> >used on some legacy platforms. Eventually it will be removed, no reason to
> >start using the file for K3 SECDEV. Just come up with the proper default
> >(something other than ${datadir}...) and be done with it, right?
> >
> 
> I'm thinking ${datadir} is the right spot, do you have another spot in mind?

Hmm, I don't oppose that heavily against ${datadir}... I guess if we were 
introducing SECDEV for the first time, I'd argue we should install scripts 
into ${bindir} and everything else into ${datadir} or something more FHS 
complieant? But I guess in order to keep the legacy setup of TI_SECURE_DEV_PKG 
passed through environment working as is, changing directory structure is out 
of the question now.

-- 
Denys