From: Alexandre Belloni <alexandre.belloni@bootlin.com>
To: jamin_lin@aspeedtech.com
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [PATCH v1] uboot-sign: support to load optee-os and TFA images
Date: Thu, 18 Jan 2024 14:52:42 +0100
Message-ID: <20240118135242eb1e86c8@mail.local>
In-Reply-To: <20240117021051.2102450-1-jamin_lin@aspeedtech.com>
Hello,
This doesn't apply on top of your previous patches. Can you send a
proper series with what you want to be tested/applied?
Thanks!
On 17/01/2024 10:10:51+0800, Jamin Lin via lists.openembedded.org wrote:
> Currently, u-boot FIT image only supports loading the u-boot image.
> To support optee-os and trusted-firmware-a, update ITS file generation
> scripts, so users are able to use u-boot FIT image to load
> u-boot, optee-os and trusted-firmware-a images.
>
> Add a variable "UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A" to
> enable trusted-firmware-a image and it is disabled by default.
>
> Add a variable "UBOOT_FIT_OPTEE_OS" to enable optee-os image
> and it is disabled by default.
>
> The ITS file creation looks like the following.
> 1. Both optee-os and trusted-firmware-a are disabled.
> '''
> /dts-v1/;
>
> / {
> images {
> uboot {
>
> };
> fdt {
> };
> };
>
> configurations {
> default = "conf";
> conf {
> loadables = "uboot";
> fdt = "fdt";
> };
> };
> };
> '''
>
> 2. Only enable optee-os
> '''
> /dts-v1/;
>
> / {
> images {
> uboot {
> };
> fdt {
> };
> optee {
> };
> };
>
> configurations {
> default = "conf";
> conf {
> firmware = "optee";
> loadables = "uboot";
> fdt = "fdt";
> };
> };
> };
> '''
>
> 3. Both optee-os and trusted-firmware-a are enabled
> '''
> /dts-v1/;
>
> / {
> images {
> uboot {
> };
> fdt {
> };
> atf {
> };
> optee {
> };
> };
>
> configurations {
> default = "conf";
> conf {
> firmware = "atf";
> loadables = "uboot", "optee";
> fdt = "fdt";
> };
> };
> };
> '''
>
> Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
> ---
> meta/classes-recipe/uboot-sign.bbclass | 91 +++++++++++++++++++++++++-
> 1 file changed, 90 insertions(+), 1 deletion(-)
>
> diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass
> index ad04c82378..b874eb84db 100644
> --- a/meta/classes-recipe/uboot-sign.bbclass
> +++ b/meta/classes-recipe/uboot-sign.bbclass
> @@ -88,6 +88,18 @@ UBOOT_FIT_ADDRESS_CELLS ?= "1"
> # This is only necessary for determining the signing configuration
> KERNEL_PN = "${PREFERRED_PROVIDER_virtual/kernel}"
>
> +# Trusted Firmware-A (TF-A) provides a reference implementation of
> +# secure world software for Armv7-A and Armv8-A,
> +# including a Secure Monitor executing at Exception Level 3 (EL3)
> +# ATF is used as the initial start code on ARMv8-A cores for all K3 platforms
> +UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A ?= "0"
> +UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_IMAGE ?= "bl31.bin"
> +
> +# OP-TEE is a Trusted Execution Environment (TEE) designed as
> +# companion to a non-secure Linux kernel running on Arm
> +UBOOT_FIT_OPTEE_OS ?= "0"
> +UBOOT_FIT_OPTEE_OS_IMAGE ?= "tee-raw.bin"
> +
> python() {
> # We need u-boot-tools-native if we're creating a U-Boot fitImage
> sign = d.getVar('UBOOT_SIGN_ENABLE') == '1'
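
Review bot: UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_LOADADDRESS, UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_ENTRYPOINT, UBOOT_FIT_OPTEE_OS_LOADADDRESS and UBOOT_FIT_OPTEE_OS_ENTRYPOINT are used later in this patch but get neither a default nor a comment in this block, next to the two ?= pairs added here. Add documented defaults here, or state in the comments that they must be set whenever the corresponding feature is "1". The comment line "ATF is used as the initial start code on ARMv8-A cores for all K3 platforms" is platform-specific and reads oddly in a generic class, and the comments mix "TF-A" and "ATF" for the same component.
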
> @@ -230,6 +242,20 @@ addtask uboot_generate_rsa_keys before do_uboot_assemble_fitimage after do_compi
> # Create a ITS file for the U-boot FIT, for use when
> # we want to sign it so that the SPL can verify it
> uboot_fitimage_assemble() {
> + conf_loadables="\"uboot\""
> + conf_firmware=""
> +
> + if [ "${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A}" = "1" ]; then
> + conf_firmware="\"atf\""
> + if [ "${UBOOT_FIT_OPTEE_OS}" = "1" ]; then
> + conf_loadables="\"uboot\", \"optee\""
> + fi
> + else
> + if [ "${UBOOT_FIT_OPTEE_OS}" = "1" ]; then
> + conf_firmware="\"optee\""
> + fi
> + fi
> +
> rm -f ${UBOOT_ITS} ${UBOOT_FITIMAGE_BINARY}
>
> # First we create the ITS script
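
Review bot: the nested if at the top of uboot_fitimage_assemble() produces four combinations, but the commit message documents only three; with UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A = "1" and UBOOT_FIT_OPTEE_OS = "0" the result is firmware = "atf" with loadables = "uboot", and that case is not described anywhere. Please add a short comment above the block listing the firmware/loadables value for each combination, since optee changes role (named in firmware when enabled alone, moved to loadables when TF-A is also enabled) and that is easy to miss when reading the shell.
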
> @@ -282,13 +308,76 @@ EOF
>
> cat << EOF >> ${UBOOT_ITS}
> };
> +EOF
> + if [ "${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A}" = "1" ] ; then
> + cat << EOF >> ${UBOOT_ITS}
> + atf {
> + description = "ARM Trusted Firmware-A";
> + data = /incbin/("${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_IMAGE}");
> + type = "firmware";
> + arch = "${UBOOT_ARCH}";
> + os = "arm-trusted-firmware";
> + load = <${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_LOADADDRESS}>;
> + entry = <${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_ENTRYPOINT}>;
> + compression = "none";
> +EOF
> +
> + if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
> + cat << EOF >> ${UBOOT_ITS}
> + signature {
> + algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}";
> + key-name-hint = "${SPL_SIGN_KEYNAME}";
> + };
> +EOF
> + fi
> +
> + cat << EOF >> ${UBOOT_ITS}
> + };
> +EOF
> + fi
> +
> + if [ "${UBOOT_FIT_OPTEE_OS}" = "1" ] ; then
> + cat << EOF >> ${UBOOT_ITS}
> + optee {
> + description = "OPTEE OS Image";
> + data = /incbin/("${UBOOT_FIT_OPTEE_OS_IMAGE}");
> + type = "tee";
> + arch = "${UBOOT_ARCH}";
> + os = "tee";
> + load = <${UBOOT_FIT_OPTEE_OS_LOADADDRESS}>;
> + entry = <${UBOOT_FIT_OPTEE_OS_ENTRYPOINT}>;
> + compression = "none";
> +EOF
> +
> + if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
> + cat << EOF >> ${UBOOT_ITS}
> + signature {
> + algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}";
> + key-name-hint = "${SPL_SIGN_KEYNAME}";
> + };
> +EOF
> + fi
> +
> + cat << EOF >> ${UBOOT_ITS}
> + };
> +EOF
> + fi
> +
> + cat << EOF >> ${UBOOT_ITS}
> };
>
> configurations {
> default = "conf";
> conf {
> description = "Boot with signed U-Boot FIT";
> - loadables = "uboot";
> +EOF
> + if [ -n "${conf_firmware}" ]; then
> + cat << EOF >> ${UBOOT_ITS}
> + firmware = ${conf_firmware};
> +EOF
> + fi
> + cat << EOF >> ${UBOOT_ITS}
> + loadables = ${conf_loadables};
> fdt = "fdt";
> };
> };
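
Review bot: in the new atf and optee heredocs, load = <...> and entry = <...> expand the *_LOADADDRESS and *_ENTRYPOINT variables without checking that they are set, and data = /incbin/(...) takes a bare file name (bl31.bin and tee-raw.bin by default) with no check that the file is present. Fail early with a clear error when a feature is "1" and an address is empty or the image is missing, rather than leaving it to the ITS compile. The signature { ... } block is also written out identically for both nodes and is emitted only under SPL_SIGN_ENABLE = "1"; a small shared helper would keep algo and key-name-hint from drifting between the two secure-world images.
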
> --
> 2.25.1
--
Alexandre Belloni, co-owner and COO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com