From: Richard Purdie <richard.purdie@linuxfoundation.org>
To: jamin_lin@aspeedtech.com, openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [PATCH v2 4/4] uboot-sign: support to load optee-os and TFA images
Date: Fri, 26 Jan 2024 17:05:11 +0000 [thread overview]
Message-ID: <12ffb6f38cba0eacf365bb36806a1bd2f69771d2.camel@linuxfoundation.org> (raw)
In-Reply-To: <20240119061937.1368163-4-jamin_lin@aspeedtech.com>
On Fri, 2024-01-19 at 14:19 +0800, Jamin Lin via lists.openembedded.org
wrote:
> Currently, u-boot FIT image only support to load u-boot image.
> To support optee-os and trusted-firmware-a, update ITS file generation
> scripts, so users are able to use u-boot FIT image to load
> u-boot, optee-os and treustred-firmware-a images
>
> Add a variable "UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A" to
> enable trusted-firmware-a image and it is disable by default.
>
> Add a variable "UBOOT_FIT_OPTEE_OS" to enable optee-os image
> and it is disable by default.
>
> The ITS file creation looks like as following.
> 1. Both optee-os and trusted-firmware-a are disabled.
> '''
> /dts-v1/;
>
> / {
> images {
> uboot {
> };
> fdt {
> };
> };
>
> configurations {
> default = "conf";
> conf {
> loadables = "uboot";
> fdt = "fdt";
> };
> };
> };
> '''
>
> 2. Only enable optee-os
> '''
> /dts-v1/;
>
> / {
> images {
> uboot {
> };
> fdt {
> };
> optee {
> };
> };
>
> configurations {
> default = "conf";
> conf {
> firmware = "optee";
> loadables = "uboot";
> fdt = "fdt";
> };
> };
> };
> '''
>
> 3. Both optee-os and trusted-firmware-a are enabled
> '''
> /dts-v1/;
>
> / {
> images {
> uboot {
> };
> fdt {
> };
> atf {
> };
> optee {
> };
> };
>
> configurations {
> default = "conf";
> conf {
> firmware = "atf";
> loadables = "uboot", "optee";
> fdt = "fdt";
> };
> };
> };
> '''
>
> Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
> ---
> meta/classes-recipe/uboot-sign.bbclass | 91 +++++++++++++++++++++++++-
> 1 file changed, 90 insertions(+), 1 deletion(-)
>
> diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass
> index 7a0b8047e4..d2b1013b93 100644
> --- a/meta/classes-recipe/uboot-sign.bbclass
> +++ b/meta/classes-recipe/uboot-sign.bbclass
> @@ -91,6 +91,18 @@ KERNEL_PN = "${PREFERRED_PROVIDER_virtual/kernel}"
> UBOOT_FIT_UBOOT_LOADADDRESS ?= "${UBOOT_LOADADDRESS}"
> UBOOT_FIT_UBOOT_ENTRYPOINT ?= "${UBOOT_ENTRYPOINT}"
>
> +# Trusted Firmware-A (TF-A) provides a reference implementation of
> +# secure world software for Armv7-A and Armv8-A,
> +# including a Secure Monitor executing at Exception Level 3 (EL3)
> +# ATF is used as the initial start code on ARMv8-A cores for all K3 platforms
> +UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A ?= "0"
> +UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_IMAGE ?= "bl31.bin"
> +
> +# OP-TEE is a Trusted Execution Environment (TEE) designed as
> +# companion to a non-secure Linux kernel running on Arm
> +UBOOT_FIT_OPTEE_OS ?= "0"
> +UBOOT_FIT_OPTEE_OS_IMAGE ?= "tee-raw.bin"
> +
> python() {
> # We need u-boot-tools-native if we're creating a U-Boot fitImage
> sign = d.getVar('UBOOT_SIGN_ENABLE') == '1'
> @@ -237,6 +249,20 @@ addtask uboot_generate_rsa_keys before do_uboot_assemble_fitimage after do_compi
> # Create a ITS file for the U-boot FIT, for use when
> # we want to sign it so that the SPL can verify it
> uboot_fitimage_assemble() {
> + conf_loadables="\"uboot\""
> + conf_firmware=""
> +
> + if [ "${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A}" = "1" ]; then
> + conf_firmware="\"atf\""
> + if [ "${UBOOT_FIT_OPTEE_OS}" = "1" ]; then
> + conf_loadables="\"uboot\", \"optee\""
> + fi
> + else
> + if [ "${UBOOT_FIT_OPTEE_OS}" = "1" ]; then
> + conf_firmware="\"optee\""
> + fi
> + fi
> +
> rm -f ${UBOOT_ITS} ${UBOOT_FITIMAGE_BINARY}
>
> # First we create the ITS script
> @@ -289,13 +315,76 @@ EOF
>
> cat << EOF >> ${UBOOT_ITS}
> };
> +EOF
> + if [ "${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A}" = "1" ] ; then
> + cat << EOF >> ${UBOOT_ITS}
> + atf {
> + description = "ARM Trusted Firmware-A";
> + data = /incbin/("${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_IMAGE}");
> + type = "firmware";
> + arch = "${UBOOT_ARCH}";
> + os = "arm-trusted-firmware";
> + load = <${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_LOADADDRESS}>;
> + entry = <${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_ENTRYPOINT}>;
> + compression = "none";
> +EOF
> +
> + if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
> + cat << EOF >> ${UBOOT_ITS}
> + signature {
> + algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}";
> + key-name-hint = "${SPL_SIGN_KEYNAME}";
> + };
> +EOF
> + fi
> +
> + cat << EOF >> ${UBOOT_ITS}
> + };
> +EOF
> + fi
> +
> + if [ "${UBOOT_FIT_OPTEE_OS}" = "1" ] ; then
> + cat << EOF >> ${UBOOT_ITS}
> + optee {
> + description = "OPTEE OS Image";
> + data = /incbin/("${UBOOT_FIT_OPTEE_OS_IMAGE}");
> + type = "tee";
> + arch = "${UBOOT_ARCH}";
> + os = "tee";
> + load = <${UBOOT_FIT_OPTEE_OS_LOADADDRESS}>;
> + entry = <${UBOOT_FIT_OPTEE_OS_ENTRYPOINT}>;
> + compression = "none";
> +EOF
> +
> + if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
> + cat << EOF >> ${UBOOT_ITS}
> + signature {
> + algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}";
> + key-name-hint = "${SPL_SIGN_KEYNAME}";
> + };
> +EOF
> + fi
> +
> + cat << EOF >> ${UBOOT_ITS}
> + };
> +EOF
> + fi
> +
> + cat << EOF >> ${UBOOT_ITS}
> };
>
> configurations {
> default = "conf";
> conf {
> description = "Boot with signed U-Boot FIT";
> - loadables = "uboot";
> +EOF
> + if [ -n "${conf_firmware}" ]; then
> + cat << EOF >> ${UBOOT_ITS}
> + firmware = ${conf_firmware};
> +EOF
> + fi
> + cat << EOF >> ${UBOOT_ITS}
> + loadables = ${conf_loadables};
> fdt = "fdt";
> };
> };
These changes look good thanks. I'm just a bit worried they don't have
any test coverage so they're easily going to regress?
There are also no documentation patches?
Cheers,
Richard
next prev parent reply other threads:[~2024-01-26 17:05 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-19 6:19 [PATCH v2 1/4] uboot-sign: set load address and entrypoint Jamin Lin
2024-01-19 6:19 ` [PATCH v2 2/4] uboot-sign: Fix to install nonexistent dtb file Jamin Lin
2024-01-19 6:19 ` [PATCH v2 3/4] u-boot-sign:uboot-config: support to verify signed FIT image Jamin Lin
2024-01-19 6:19 ` [PATCH v2 4/4] uboot-sign: support to load optee-os and TFA images Jamin Lin
2024-01-26 17:05 ` Richard Purdie [this message]
2024-01-31 8:54 ` [OE-core] " Jamin Lin
2024-01-31 13:26 ` Richard Purdie
2024-02-01 2:00 ` Jamin Lin
2024-02-08 18:02 ` Ross Burton
2024-02-15 2:31 ` Jamin Lin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=12ffb6f38cba0eacf365bb36806a1bd2f69771d2.camel@linuxfoundation.org \
--to=richard.purdie@linuxfoundation.org \
--cc=jamin_lin@aspeedtech.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox