From: Roger Quadros
To: sjg@chromium.org, vigneshr@ti.com, nm@ti.com
Cc: trini@konsulko.com, praneeth@ti.com, u-boot@lists.denx.de, Roger Quadros
Subject: [u-boot PATCH 1/3] tools: binman: add ti-secure entry type
Date: Mon, 9 May 2022 10:29:34 +0300
Message-Id: <20220509072936.12899-2-rogerq@kernel.org>
In-Reply-To: <20220509072936.12899-1-rogerq@kernel.org>
References: <20220509072936.12899-1-rogerq@kernel.org>
List-Id: U-Boot discussion

This entry type is used to create a secured binary for use with K3 High Security (HS) devices.

This allows us to no longer depend on k3_fit_atf.sh for A53 SPL and u-boot image generation for HS devices.

We still depend on the availability of an external tool provided by the TI_SECURE_DEV_PKG environment variable to secure the binaries.

Signed-off-by: Roger Quadros
---
 Makefile                            |  1 +
 tools/binman/entries.rst            | 15 ++++++++
 tools/binman/etype/ti_secure.py     | 59 +++++++++++++++++++++++++++++
 tools/binman/ftest.py               |  7 ++++
 tools/binman/test/225_ti_secure.dts | 14 +++++++
 5 files changed, 96 insertions(+)
 create mode 100644 tools/binman/etype/ti_secure.py
 create mode 100644 tools/binman/test/225_ti_secure.dts

diff --git a/Makefile b/Makefile
index ad83d60dc3..d9aac41d60 100644
--- a/Makefile +++ b/Makefile @@ -1328,6 +1328,7 @@ cmd_binman = $(srctree)/tools/binman/binman $(if $(BINMAN_DEBUG),-D) \ $(foreach f,$(BINMAN_INDIRS),-I $(f)) \ -a atf-bl31-path=${BL31} \ -a tee-os-path=${TEE} \ + -a ti-secure-dev-pkg-path=${TI_SECURE_DEV_PKG} \ -a opensbi-path=${OPENSBI} \ -a default-dt=$(default_dt) \ -a scp-path=$(SCP) \ diff --git a/tools/binman/entries.rst b/tools/binman/entries.rst index 484cde5c80..c9faad51b6 100644 --- a/tools/binman/entries.rst +++ b/tools/binman/entries.rst @@ -1788,3 +1788,18 @@ may be used instead. +Entry: ti-secure: Entry containing a Secured binary blob +-------------------------------------------------------- + +Properties / Entry arguments: + - filename: Filename of file to sign and read into entry + +Texas Instruments High-Security (HS) devices need secure binaries to be +provided. This entry uses an external tool to append a x509 certificate +to the file provided in the filename property and places it in the entry. + +The path for the external tool is fetched from TI_SECURE_DEV_PKG +environment variable. + + + diff --git a/tools/binman/etype/ti_secure.py b/tools/binman/etype/ti_secure.py new file mode 100644 index 0000000000..86772994bc --- /dev/null +++ b/tools/binman/etype/ti_secure.py 
@@ -0,0 +1,59 @@ +# SPDX-License-Identifier: GPL-2.0+ +# Copyright (c) 2022 Texas Instruments Incorporated - https://www.ti.com/ +# + +# Support for secure binaries for TI K3 platform + +from collections import OrderedDict +import os + +from binman.entry import Entry, EntryArg + +from dtoc import fdt_util +from patman import tools + +class Entry_ti_secure(Entry): + """An entry which contains a secure binary for High-Security (HS) device use. + + Properties / Entry arguments: + - filename: filename of binary file to be secured + + Output files: + - filename_HS - output file generated by secure uility (which is + used as the entry contents) + + """ + def __init__(self, section, etype, node): + super().__init__(section, etype, node) + self.filename = fdt_util.GetString(self._node, 'filename') + self.toolpresent = False + if not self.filename: + self.Raise("ti_secure must have a 'filename' property") + self.toolspath, = self.GetEntryArgsOrProps( + [EntryArg('ti-secure-dev-pkg-path', str)]) + if not self.toolspath: + print("WARNING: TI_SECURE_DEV_PKG environment " \ + "variable must be defined for TI secure devices. " + + self.filename + " was NOT secured!") + return + + self.tool = self.toolspath + "/scripts/secure-binary-image.sh" + self.toolpresent = os.path.exists(self.tool) + if not self.toolpresent: + print(self.tool + " not found. " + + self.filename + " was NOT secured!") + + def ObtainContents(self): + input_fname = self.filename + output_fname = input_fname + "_HS" + args = [ + input_fname, output_fname, + ] + if self.toolpresent: + stdout = tools.Run(self.tool, *args) + else: + stdout = tools.Run('cp', *args) + print(output_fname + ' not secured!') + + self.SetContents(tools.ReadFile(output_fname)) + return True diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py index 8f00db6945..996e4d9aa6 100644 --- a/tools/binman/ftest.py +++ b/tools/binman/ftest.py 
@@ -91,6 +91,7 @@ SCP_DATA = b'scp' TEST_FDT1_DATA = b'fdt1' TEST_FDT2_DATA = b'test-fdt2' ENV_DATA = b'var1=1\nvar2="2"' +TI_UNSECURE_DATA = b'this is some unsecure data' # Subdirectory of the input dir to use to put test FDTs TEST_FDT_SUBDIR = 'fdts' @@ -201,6 +202,7 @@ class TestFunctional(unittest.TestCase): TEST_FDT2_DATA) TestFunctional._MakeInputFile('env.txt', ENV_DATA) + TestFunctional._MakeInputFile('ti_unsecure.bin', TI_UNSECURE_DATA) cls.have_lz4 = comp_util.HAVE_LZ4 @@ -5321,6 +5323,11 @@ fdt fdtmap Extract the devicetree blob from the fdtmap self.assertIn("Node '/binman/fit': Unknown operation 'unknown'", str(exc.exception)) + def testPackTisecure(self): + """Test that an image with a TI secured binary can be created""" + data = self._DoReadFile('225_ti_secure.dts') + securedata = tools.ReadFile('ti_unsecure.bin_HS') + self.assertGreater(len(securedata), len(data)) if __name__ == "__main__": unittest.main() diff --git a/tools/binman/test/225_ti_secure.dts b/tools/binman/test/225_ti_secure.dts new file mode 100644 index 0000000000..1a9f4374f9 --- /dev/null +++ b/tools/binman/test/225_ti_secure.dts @@ -0,0 +1,14 @@ +// SPDX-License-Identifier: GPL-2.0+ + +/dts-v1/; + +/ { + #address-cells = <1>; + #size-cells = <1>; + + binman { + ti-secure { + filename = "ti_unsecure.bin"; + }; + }; +}; -- 2.17.1
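Review bot: the entries.rst text in the tools/binman/entries.rst hunk does not match the docstring added to tools/binman/etype/ti_secure.py in this same patch (the rst says "Entry containing a Secured binary blob" and "Filename of file to sign and read into entry", while the docstring says "An entry which contains a secure binary for High-Security (HS) device use.", "filename of binary file to be secured" and has an extra "Output files" section); binman generates entries.rst from the etype docstrings, so regenerate the rst from the docstring instead of hand-writing a different text, otherwise the two drift apart. In the same hunk, "append a x509 certificate" should read "an x509 certificate", the description should name the entry argument that actually carries the tool path (`ti-secure-dev-pkg-path`, which the Makefile hunk fills from TI_SECURE_DEV_PKG) rather than only the environment variable, and the hunk adds two trailing blank lines at the end of the file.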
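Review bot: ObtainContents() in the tools/binman/etype/ti_secure.py hunk fails open: when TI_SECURE_DEV_PKG is unset or scripts/secure-binary-image.sh is not found, the entry runs `cp` instead of the signing tool, names the unsigned copy `<filename>_HS` and only print()s a warning, so a build for an HS device silently produces an image that carries no certificate and will not boot on the target, while the `_HS` suffix suggests it was secured. Binman entries report problems through self.Raise(); failing the build here (or at least routing the warning through binman's normal logging so it shows up in the build output and can be made fatal) is safer than quietly shipping an unsigned file. Further points in the same hunk: `input_fname` and `output_fname` are used as given, not resolved through the input/output filename helpers of the `tools` module this code already calls (tools.GetInputFilename()/tools.GetOutputFilename() in the naming used here), so both the tool and the `cp` fallback run relative to the current directory and the output lands next to the source file rather than in binman's output directory; `self.toolspath + "/scripts/secure-binary-image.sh"` should use os.path.join(); `stdout` is assigned in both branches but never used; `OrderedDict` is imported but never used; and "secure uility" in the docstring is a typo for "utility".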
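Review bot: the assertion in testPackTisecure cannot hold: `data` is the whole image read back by _DoReadFile(), which contains the entry's contents, so len(data) is never smaller than the length of the secured file and assertGreater(len(securedata), len(data)) fails even when signing works; in the test environment TI_SECURE_DEV_PKG is not set, so the etype's `cp` fallback makes both `data` and `securedata` equal to TI_UNSECURE_DATA. Assert on what the test actually exercises (assertEqual(data, TI_UNSECURE_DATA) for the unsecured fallback), and add a case that passes a `ti-secure-dev-pkg-path` entry arg pointing at a stand-in scripts/secure-binary-image.sh in the test input directory so the real tool invocation path is covered, plus a case for the missing-`filename` self.Raise(). The test also reads 'ti_unsecure.bin_HS' by a bare relative path, so it depends on the current working directory and leaves that file behind after the run.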