public inbox for openembedded-core@lists.openembedded.org
From: Jamin Lin <jamin_lin@aspeedtech.com>
To: <openembedded-core@lists.openembedded.org>
Subject: [PATCH v2 4/4] uboot-sign: support to load optee-os and TFA images
Date: Fri, 19 Jan 2024 14:19:37 +0800	[thread overview]
Message-ID: <20240119061937.1368163-4-jamin_lin@aspeedtech.com> (raw)
In-Reply-To: <20240119061937.1368163-1-jamin_lin@aspeedtech.com>

Currently, the u-boot FIT image only supports loading the u-boot image.
To support optee-os and trusted-firmware-a, update the ITS file generation
scripts, so users are able to use the u-boot FIT image to load
u-boot, optee-os and trusted-firmware-a images.

Add a variable "UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A" to
enable the trusted-firmware-a image; it is disabled by default.

Add a variable "UBOOT_FIT_OPTEE_OS" to enable the optee-os image;
it is disabled by default.

The generated ITS file looks like the following.
1. Both optee-os and trusted-firmware-a are disabled.
'''
/dts-v1/;

/ {
    images {
        uboot {
        };
        fdt {
        };
    };

    configurations {
        default = "conf";
        conf {
            loadables = "uboot";
            fdt = "fdt";
        };
    };
};
'''

2. Only optee-os is enabled.
'''
/dts-v1/;

/ {
    images {
        uboot {
        };
        fdt {
        };
        optee {
        };
    };

    configurations {
        default = "conf";
        conf {
            firmware = "optee";
            loadables = "uboot";
            fdt = "fdt";
        };
    };
};
'''

3. Both optee-os and trusted-firmware-a are enabled.
'''
/dts-v1/;

/ {
    images {
        uboot {
        };
        fdt {
        };
        atf {
        };
        optee {
        };
    };

    configurations {
        default = "conf";
        conf {
            firmware = "atf";
            loadables = "uboot", "optee";
            fdt = "fdt";
        };
    };
};
'''

Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
---
 meta/classes-recipe/uboot-sign.bbclass | 91 +++++++++++++++++++++++++-
 1 file changed, 90 insertions(+), 1 deletion(-)

diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass
index 7a0b8047e4..d2b1013b93 100644
--- a/meta/classes-recipe/uboot-sign.bbclass
+++ b/meta/classes-recipe/uboot-sign.bbclass
@@ -91,6 +91,18 @@ KERNEL_PN = "${PREFERRED_PROVIDER_virtual/kernel}"
 UBOOT_FIT_UBOOT_LOADADDRESS ?= "${UBOOT_LOADADDRESS}"
 UBOOT_FIT_UBOOT_ENTRYPOINT ?= "${UBOOT_ENTRYPOINT}"
 
+# Trusted Firmware-A (TF-A) provides a reference implementation of
+# secure world software for Armv7-A and Armv8-A,
+# including a Secure Monitor executing at Exception Level 3 (EL3)
+# ATF is used as the initial start code on ARMv8-A cores for all K3 platforms
+UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A ?= "0"
+UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_IMAGE ?= "bl31.bin"
+
+# OP-TEE is a Trusted Execution Environment (TEE) designed as
+# companion to a non-secure Linux kernel running on Arm
+UBOOT_FIT_OPTEE_OS ?= "0"
+UBOOT_FIT_OPTEE_OS_IMAGE ?= "tee-raw.bin"
+
 python() {
     # We need u-boot-tools-native if we're creating a U-Boot fitImage
     sign = d.getVar('UBOOT_SIGN_ENABLE') == '1'
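Review bot: the comment at "ATF is used as the initial start code on ARMv8-A cores for all K3 platforms" is TI K3 specific and does not belong in a generic class; either drop it or reword it to describe what the variable does (e.g. "Set to 1 to include the TF-A BL31 image in the U-Boot FIT"). Also, this hunk defines defaults for UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_IMAGE and UBOOT_FIT_OPTEE_OS_IMAGE but none for UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_LOADADDRESS, UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_ENTRYPOINT, UBOOT_FIT_OPTEE_OS_LOADADDRESS or UBOOT_FIT_OPTEE_OS_ENTRYPOINT, which the ITS generation later in this patch expands into "load = <...>;" and "entry = <...>;"; an unset variable produces "load = <>;" and an ITS that does not compile, so add "?=" defaults next to UBOOT_FIT_UBOOT_LOADADDRESS or document that the image recipe must set them. Note as well that the image paths default to bare filenames ("bl31.bin", "tee-raw.bin") that are later /incbin/'d relative to the working directory, and nothing in this patch adds a dependency on, or copies from, the recipes that produce them; please document where those files are expected to come from.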
@@ -237,6 +249,20 @@ addtask uboot_generate_rsa_keys before do_uboot_assemble_fitimage after do_compi
 # Create a ITS file for the U-boot FIT, for use when
 # we want to sign it so that the SPL can verify it
 uboot_fitimage_assemble() {
+	conf_loadables="\"uboot\""
+	conf_firmware=""
+
+	if [ "${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A}" = "1" ]; then
+		conf_firmware="\"atf\""
+		if [ "${UBOOT_FIT_OPTEE_OS}" = "1" ]; then
+			conf_loadables="\"uboot\", \"optee\""
+		fi
+	else
+		if [ "${UBOOT_FIT_OPTEE_OS}" = "1" ]; then
+			conf_firmware="\"optee\""
+		fi
+	fi
+
 	rm -f ${UBOOT_ITS} ${UBOOT_FITIMAGE_BINARY}
 
 	# First we create the ITS script
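Review bot: the else branch contains only a single nested if, so the selection logic can be flattened and its intent made visible at a glance, for example:
	if [ "${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A}" = "1" ]; then
		conf_firmware="\"atf\""
		[ "${UBOOT_FIT_OPTEE_OS}" = "1" ] && conf_loadables="\"uboot\", \"optee\""
	elif [ "${UBOOT_FIT_OPTEE_OS}" = "1" ]; then
		conf_firmware="\"optee\""
	fi
A short comment above the block explaining the policy it encodes (TF-A, when present, is the "firmware" entry and OP-TEE becomes a loadable; without TF-A, OP-TEE itself is the "firmware" entry and U-Boot the loadable) would also help future readers, since that ordering determines which image the SPL jumps to first.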
@@ -289,13 +315,76 @@ EOF
 
 	cat << EOF >> ${UBOOT_ITS}
         };
+EOF
+	if [ "${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A}" = "1" ] ; then
+		cat << EOF >> ${UBOOT_ITS}
+        atf {
+            description = "ARM Trusted Firmware-A";
+            data = /incbin/("${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_IMAGE}");
+            type = "firmware";
+            arch = "${UBOOT_ARCH}";
+            os = "arm-trusted-firmware";
+            load = <${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_LOADADDRESS}>;
+            entry = <${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_ENTRYPOINT}>;
+            compression = "none";
+EOF
+
+		if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
+			cat << EOF >> ${UBOOT_ITS}
+            signature {
+                algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}";
+                key-name-hint = "${SPL_SIGN_KEYNAME}";
+            };
+EOF
+		fi
+
+	cat << EOF >> ${UBOOT_ITS}
+        };
+EOF
+	fi
+
+	if [ "${UBOOT_FIT_OPTEE_OS}" = "1" ] ; then
+		cat << EOF >> ${UBOOT_ITS}
+        optee {
+            description = "OPTEE OS Image";
+            data = /incbin/("${UBOOT_FIT_OPTEE_OS_IMAGE}");
+            type = "tee";
+            arch = "${UBOOT_ARCH}";
+            os = "tee";
+            load = <${UBOOT_FIT_OPTEE_OS_LOADADDRESS}>;
+            entry = <${UBOOT_FIT_OPTEE_OS_ENTRYPOINT}>;
+            compression = "none";
+EOF
+
+		if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
+			cat << EOF >> ${UBOOT_ITS}
+            signature {
+                algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}";
+                key-name-hint = "${SPL_SIGN_KEYNAME}";
+            };
+EOF
+		fi
+
+	cat << EOF >> ${UBOOT_ITS}
+        };
+EOF
+	fi
+
+	cat << EOF >> ${UBOOT_ITS}
     };
 
     configurations {
         default = "conf";
         conf {
             description = "Boot with signed U-Boot FIT";
-            loadables = "uboot";
+EOF
+	if [ -n "${conf_firmware}" ]; then
+	cat << EOF >> ${UBOOT_ITS}
+            firmware = ${conf_firmware};
+EOF
+	fi
+	cat << EOF >> ${UBOOT_ITS}
+            loadables = ${conf_loadables};
             fdt = "fdt";
         };
     };
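Review bot: indentation is inconsistent inside the new if blocks: the "cat << EOF >> ${UBOOT_ITS}" that closes the atf and optee nodes, and the one emitting "firmware = ${conf_firmware};", sit at one tab while the surrounding body of the if is at two tabs; please align them with the enclosing block. The two new image nodes also duplicate the same eleven-line heredoc plus signature stanza verbatim; a small helper taking node name, description, type, os, image path, load and entry would keep the atf and optee nodes from drifting apart later. Finally, the signature nodes on the new images only cover the images themselves; if the intent is that the SPL verifies the whole boot chain, the configuration node's signature must list the new "firmware" and "loadables" entries as well (that part of uboot_fitimage_assemble is not visible in this hunk, so please confirm the conf signature is updated accordingly).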
-- 
2.25.1



2024-01-19  6:19 [PATCH v2 1/4] uboot-sign: set load address and entrypoint Jamin Lin
2024-01-19  6:19 ` [PATCH v2 2/4] uboot-sign: Fix to install nonexistent dtb file Jamin Lin
2024-01-19  6:19 ` [PATCH v2 3/4] u-boot-sign:uboot-config: support to verify signed FIT image Jamin Lin
2024-01-19  6:19 ` Jamin Lin [this message]
2024-01-26 17:05   ` [OE-core] [PATCH v2 4/4] uboot-sign: support to load optee-os and TFA images Richard Purdie
2024-01-31  8:54     ` Jamin Lin
2024-01-31 13:26       ` Richard Purdie
2024-02-01  2:00         ` Jamin Lin
2024-02-08 18:02           ` Ross Burton
2024-02-15  2:31             ` Jamin Lin
