From: Tom Rini <trini@konsulko.com>
To: Roger Quadros <rogerq@kernel.org>,
Alper Nebi Yasak <alpernebiyasak@gmail.com>
Cc: Andrew Davis <afd@ti.com>,
sjg@chromium.org, vigneshr@ti.com, nm@ti.com, praneeth@ti.com,
u-boot@lists.denx.de
Subject: Re: [u-boot PATCH 3/3] k3-am642-evm-u-boot: Use binman to generate u-boot.img and tispl.bin
Date: Thu, 26 May 2022 10:15:29 -0400
Message-ID: <20220526141529.GV13239@bill-the-cat>
In-Reply-To: <3d5690e0-d77b-4592-dd55-0952d849a84b@kernel.org>
On Thu, May 26, 2022 at 10:28:45AM +0300, Roger Quadros wrote:
> On 25/05/2022 18:14, Andrew Davis wrote:
> > On 5/25/22 3:30 AM, Roger Quadros wrote:
> >> Hi Andrew,
> >>
> >> On 25/05/2022 01:03, Andrew Davis wrote:
> >>> On 5/9/22 2:29 AM, Roger Quadros wrote:
> >>>> Introduce k3-am642-evm-binman.dtsi to provide binman configuration.
> >>>>
> >>>> R5 build is still not converted to use binman so restrict binman.dtsi
> >>>> to A53 builds only.
> >>>>
> >>>> This patch also takes care of building Secure (HS) images using
> >>>> binman instead of tools/k3_fit_atf.sh if CONFIG_BINMAN is set.
> >>>>
> >>>> Signed-off-by: Roger Quadros <rogerq@kernel.org>
> >>>> ---
> >>>> arch/arm/dts/k3-am642-evm-binman.dtsi | 230 ++++++++++++++++++++++++++
> >>>> arch/arm/dts/k3-am642-evm-u-boot.dtsi | 3 +
> >>>> arch/arm/mach-k3/Kconfig | 1 +
> >>>> arch/arm/mach-k3/config.mk | 7 +
> >>>> 4 files changed, 241 insertions(+)
> >>>> create mode 100644 arch/arm/dts/k3-am642-evm-binman.dtsi
> >>>>
> >>>> diff --git a/arch/arm/dts/k3-am642-evm-binman.dtsi b/arch/arm/dts/k3-am642-evm-binman.dtsi
> >>>> new file mode 100644
> >>>> index 0000000000..9e85ef41b0
> >>>> --- /dev/null
> >>>> +++ b/arch/arm/dts/k3-am642-evm-binman.dtsi
> >>>> @@ -0,0 +1,230 @@
> >>>> +// SPDX-License-Identifier: GPL-2.0
> >>>> +/*
> >>>> + * Copyright (C) 2021 Texas Instruments Incorporated - https://www.ti.com/
> >>>> + */
> >>>> +
> >>>> +/ {
> >>>> + binman: binman {
> >>>> + multiple-images;
> >>>> + };
> >>>> +};
> >>>> +
> >>>> +#ifdef CONFIG_TARGET_AM642_A53_EVM
> >>>> +
> >>>> +#ifdef CONFIG_TI_SECURE_DEVICE
> >>>> +#define TISPL "tispl.bin_HS"
> >>>> +#define UBOOT_IMG "u-boot.img_HS"
> >>>> +#else
> >>>> +#define TISPL "tispl.bin"
> >>>> +#define UBOOT_IMG "u-boot.img"
> >>>> +#endif
> >>>> +
> >>>> +#define SPL_NODTB "spl/u-boot-spl-nodtb.bin"
> >>>> +#define SPL_AM642_EVM_DTB "spl/dts/k3-am642-evm.dtb"
> >>>> +#define SPL_AM642_SK_DTB "spl/dts/k3-am642-sk.dtb"
> >>>> +
> >>>> +#define UBOOT_NODTB "u-boot-nodtb.bin"
> >>>> +#define AM642_EVM_DTB "arch/arm/dts/k3-am642-evm.dtb"
> >>>> +#define AM642_SK_DTB "arch/arm/dts/k3-am642-sk.dtb"
> >>>> +
> >>>> +&binman {
> >>>> + ti-spl {
> >>>> + filename = TISPL;
> >>>> + pad-byte = <0xff>;
> >>>> +
> >>>> + fit {
> >>>> + description = "Configuration to load ATF and SPL";
> >>>> + #address-cells = <1>;
> >>>> +
> >>>> + images {
> >>>> +
> >>>> + atf {
> >>>> + description = "ARM Trusted Firmware";
> >>>> + type = "firmware";
> >>>> + arch = "arm64";
> >>>> + compression = "none";
> >>>> + os = "arm-trusted-firmware";
> >>>> + load = <CONFIG_K3_ATF_LOAD_ADDR>;
> >>>> + entry = <CONFIG_K3_ATF_LOAD_ADDR>;
> >>>> + atf-bl31 {
> >>>> + filename = "bl31.bin";
> >>>> + };
> >>>
> >>>
> >>> On HS, bl31.bin and the below TEE and DM images must also be signed
> >>> before being packaged into tispl.bin.
> >>> Can we add signing here?
> >>
> >> I'm wondering how this is working as is on HS boards.
> >>
> >
> >
> > Today we manually sign those two before we feed them to U-Boot build.
> > I'd like to fix that and have them signed along with all the other
> > parts here when packaging them together.
> >
>
> OK. Then this is a new feature. Do you mind if I make a separate patch for it?
> But first I need to figure out what to do ;)
>
> >
> >> Another thing to note is that the atf and tee entries take into consideration
> >> the below environment variables
> >> -a atf-bl31-path=${BL31} \
> >> -a tee-os-path=${TEE} \
> >>
> >> How do we continue to support that while adding the signing bits?
> >>
> >
> >
> > That's my question also, I'm not sure how we would make the type 'ti-secure'
> > while also changing their path names, seems like a limitation currently
> > of using etypes to do the signing, since we can do path renames from
> > command line.
>
> Simon,
>
> Any thoughts on how to get the new ti-secure etype to work with atf-bl31 and
> tee-os etypes so that it can take the data output of those entries and create
> a signed binary with filenames from those entries or atf-bl31-path and
> tee-os-path?
>
> Can something like this work?
>
> ti-secure {
> 	atf-bl31 {
> 		filename = "bl31.bin";
> 	};
> };
>
> We could probably get rid of filename property from ti-secure etype and use
> blob for regular files.
>
> ti-secure {
> 	blob {
> 		filename = "somefile.ext";
> 	};
> };
Adding in Alper as well..
>
> cheers,
> -roger
>
> >
> > Andrew
> >
> >
> >> cheers,
> >> -roger
> >>
> >>>
> >>> Andrew
> >>>
> >>>
> >>>> + };
> >>>> +
> >>>> + tee {
> >>>> + description = "OPTEE";
> >>>> + type = "tee";
> >>>> + arch = "arm64";
> >>>> + compression = "none";
> >>>> + os = "tee";
> >>>> + load = <0x9e800000>;
> >>>> + entry = <0x9e800000>;
> >>>> + tee-os {
> >>>> + filename = "tee-pager_v2.bin";
> >>>> + };
> >>>> + };
> >>>> +
> >>>> + dm {
> >>>> + description = "DM binary";
> >>>> + type = "firmware";
> >>>> + arch = "arm32";
> >>>> + compression = "none";
> >>>> + os = "DM";
> >>>> + load = <0x89000000>;
> >>>> + entry = <0x89000000>;
> >>>> + blob-ext {
> >>>> + filename = "/dev/null";
> >>>> + };
> >>>> + };
> >>>> +
> >>>> + spl {
> >>>> + description = "SPL (64-bit)";
> >>>> + type = "standalone";
> >>>> + os = "U-Boot";
> >>>> + arch = "arm64";
> >>>> + compression = "none";
> >>>> + load = <0x80080000>;
> >>>> + entry = <0x80080000>;
> >>>> +#ifdef CONFIG_TI_SECURE_DEVICE
> >>>> + ti-secure {
> >>>> +#else
> >>>> + blob {
> >>>> +#endif
> >>>> + filename = SPL_NODTB;
> >>>> + };
> >>>> + };
> >>>> +
> >>>> + fdt-1 {
> >>>> + description = "k3-am642-evm";
> >>>> + type = "flat_dt";
> >>>> + arch = "arm";
> >>>> + compression = "none";
> >>>> +#ifdef CONFIG_TI_SECURE_DEVICE
> >>>> + ti-secure {
> >>>> +#else
> >>>> + blob {
> >>>> +#endif
> >>>> + filename = SPL_AM642_EVM_DTB;
> >>>> + };
> >>>> + };
> >>>> +
> >>>> + fdt-2 {
> >>>> + description = "k3-am642-sk";
> >>>> + type = "flat_dt";
> >>>> + arch = "arm";
> >>>> + compression = "none";
> >>>> +#ifdef CONFIG_TI_SECURE_DEVICE
> >>>> + ti-secure {
> >>>> +#else
> >>>> + blob {
> >>>> +#endif
> >>>> + filename = SPL_AM642_SK_DTB;
> >>>> + };
> >>>> + };
> >>>> + };
> >>>> +
> >>>> + configurations {
> >>>> + default = "conf-1";
> >>>> +
> >>>> + conf-1 {
> >>>> + description = "k3-am642-evm";
> >>>> + firmware = "atf";
> >>>> + loadables = "tee", "dm", "spl";
> >>>> + fdt = "fdt-1";
> >>>> + };
> >>>> +
> >>>> + conf-2 {
> >>>> + description = "k3-am642-sk";
> >>>> + firmware = "atf";
> >>>> + loadables = "tee", "dm", "spl";
> >>>> + fdt = "fdt-2";
> >>>> + };
> >>>> + };
> >>>> + };
> >>>> + };
> >>>> +};
> >>>> +
> >>>> +&binman {
> >>>> + u-boot {
> >>>> + filename = UBOOT_IMG;
> >>>> + pad-byte = <0xff>;
> >>>> +
> >>>> + fit {
> >>>> + description = "FIT image with multiple configurations";
> >>>> +
> >>>> + images {
> >>>> + uboot {
> >>>> + description = "U-Boot for am64x board";
> >>>> + type = "firmware";
> >>>> + os = "u-boot";
> >>>> + arch = "arm";
> >>>> + compression = "none";
> >>>> + load = <CONFIG_SYS_TEXT_BASE>;
> >>>> +#ifdef CONFIG_TI_SECURE_DEVICE
> >>>> + ti-secure {
> >>>> +#else
> >>>> + blob {
> >>>> +#endif
> >>>> + filename = UBOOT_NODTB;
> >>>> + };
> >>>> + hash {
> >>>> + algo = "crc32";
> >>>> + };
> >>>> + };
> >>>> +
> >>>> + fdt-1 {
> >>>> + description = "k3-am642-evm";
> >>>> + type = "flat_dt";
> >>>> + arch = "arm";
> >>>> + compression = "none";
> >>>> +#ifdef CONFIG_TI_SECURE_DEVICE
> >>>> + ti-secure {
> >>>> +#else
> >>>> + blob {
> >>>> +#endif
> >>>> + filename = AM642_EVM_DTB;
> >>>> + };
> >>>> + hash {
> >>>> + algo = "crc32";
> >>>> + };
> >>>> + };
> >>>> +
> >>>> + fdt-2 {
> >>>> + description = "k3-am642-sk";
> >>>> + type = "flat_dt";
> >>>> + arch = "arm";
> >>>> + compression = "none";
> >>>> +#ifdef CONFIG_TI_SECURE_DEVICE
> >>>> + ti-secure {
> >>>> +#else
> >>>> + blob {
> >>>> +#endif
> >>>> + filename = AM642_SK_DTB;
> >>>> + };
> >>>> + hash {
> >>>> + algo = "crc32";
> >>>> + };
> >>>> + };
> >>>> + };
> >>>> +
> >>>> + configurations {
> >>>> + default = "conf-1";
> >>>> +
> >>>> + conf-1 {
> >>>> + description = "k3-am642-evm";
> >>>> + firmware = "uboot";
> >>>> + loadables = "uboot";
> >>>> + fdt = "fdt-1";
> >>>> + };
> >>>> +
> >>>> + conf-2 {
> >>>> + description = "k3-am642-sk";
> >>>> + firmware = "uboot";
> >>>> + loadables = "uboot";
> >>>> + fdt = "fdt-2";
> >>>> + };
> >>>> + };
> >>>> + };
> >>>> + };
> >>>> +};
> >>>> +#endif
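Review bot: in the ti-spl FIT the atf, tee and dm nodes take their payloads through atf-bl31, tee-os and blob-ext with no CONFIG_TI_SECURE_DEVICE switch, while spl, fdt-1 and fdt-2 change to ti-secure, so tispl.bin_HS is assembled from three images this description never signs and is only usable on HS when bl31.bin and tee-pager_v2.bin arrive already signed. Until the etype question is settled, state that requirement in a comment next to those nodes and in the commit message. The dm node packs `filename = "/dev/null";` with load and entry 0x89000000 and is listed in the loadables of both configurations; a comment explaining the empty placeholder would help. None of the ti-spl image nodes has a hash node, unlike the u-boot FIT where every image has `algo = "crc32";`, so either add them or say why they are left out. The `#ifdef CONFIG_TI_SECURE_DEVICE` / `ti-secure {` / `blob {` sequence is repeated six times and could be a single macro defined next to TISPL and UBOOT_IMG.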
> >>>> diff --git a/arch/arm/dts/k3-am642-evm-u-boot.dtsi b/arch/arm/dts/k3-am642-evm-u-boot.dtsi
> >>>> index 03688a51a3..db0a529f0f 100644
> >>>> --- a/arch/arm/dts/k3-am642-evm-u-boot.dtsi
> >>>> +++ b/arch/arm/dts/k3-am642-evm-u-boot.dtsi
> >>>> @@ -2,6 +2,9 @@
> >>>> /*
> >>>> * Copyright (C) 2020-2021 Texas Instruments Incorporated - https://www.ti.com/
> >>>> */
> >>>> +#include <config.h>
> >>>> +
> >>>> +#include "k3-am642-evm-binman.dtsi"
> >>>> / {
> >>>> chosen {
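Review bot: `#include <config.h>` is added in this file, but the CONFIG_ symbols it provides (CONFIG_TARGET_AM642_A53_EVM, CONFIG_TI_SECURE_DEVICE, CONFIG_K3_ATF_LOAD_ADDR, CONFIG_SYS_TEXT_BASE) are consumed in k3-am642-evm-binman.dtsi, which then silently depends on its includer; move the include into the binman dtsi. The `#include "k3-am642-evm-binman.dtsi"` line is also unconditional, and in that file the `binman: binman { multiple-images; };` node sits outside the CONFIG_TARGET_AM642_A53_EVM guard, so other builds of this board get an empty binman node, which does not match the commit message's "restrict binman.dtsi to A53 builds only".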
> >>>> diff --git a/arch/arm/mach-k3/Kconfig b/arch/arm/mach-k3/Kconfig
> >>>> index a01bf23514..a4c561254d 100644
> >>>> --- a/arch/arm/mach-k3/Kconfig
> >>>> +++ b/arch/arm/mach-k3/Kconfig
> >>>> @@ -15,6 +15,7 @@ config SOC_K3_J721S2
> >>>> config SOC_K3_AM642
> >>>> bool "TI's K3 based AM642 SoC Family Support"
> >>>> + select BINMAN if TARGET_AM642_A53_EVM
> >>>> endchoice
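Review bot: `select BINMAN if TARGET_AM642_A53_EVM` puts a board-target condition on the SoC choice entry; placing a plain `select BINMAN` under the TARGET_AM642_A53_EVM entry would keep SOC_K3_AM642 free of board conditions and make the dependency visible where the target is defined.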
> >>>> diff --git a/arch/arm/mach-k3/config.mk b/arch/arm/mach-k3/config.mk
> >>>> index da458bcfb2..d2c490818a 100644
> >>>> --- a/arch/arm/mach-k3/config.mk
> >>>> +++ b/arch/arm/mach-k3/config.mk
> >>>> @@ -47,6 +47,7 @@ tiboot3.bin: image_check FORCE
> >>>> INPUTS-y += tiboot3.bin
> >>>> endif
> >>>> +ifndef CONFIG_BINMAN
> >>>> ifdef CONFIG_ARM64
> >>>> ifeq ($(CONFIG_SOC_K3_J721E),)
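Review bot: the `ifndef CONFIG_BINMAN` added ahead of `ifdef CONFIG_ARM64` is keyed on the global symbol, while the Kconfig hunk selects BINMAN only for TARGET_AM642_A53_EVM; any other K3 ARM64 configuration with CONFIG_BINMAN set would lose the SPL_ITS / k3_mkits rules guarded here without having a binman description to replace them. Add a comment that a board enabling BINMAN must supply its own binman dtsi, or guard on something narrower.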
> >>>> @@ -77,9 +78,11 @@ cmd_k3_mkits = \
> >>>> $(SPL_ITS): FORCE
> >>>> $(call cmd,k3_mkits)
> >>>> endif
> >>>> +endif
> >>>> else
> >>>> +ifndef CONFIG_BINMAN
> >>>> ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
> >>>> INPUTS-y += u-boot.img_HS
> >>>> else
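Review bot: the bare `+endif` after `$(call cmd,k3_mkits)` and the second `+ifndef CONFIG_BINMAN` after `else` add two more levels to conditionals that are already nested, and nothing says which block each one closes. Annotate the new lines, for example `endif # !CONFIG_BINMAN`, so the pairing can be checked without counting.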
> >>>> @@ -87,4 +90,8 @@ INPUTS-y += u-boot.img
> >>>> endif
> >>>> endif
> >>>> +endif
> >>>> +
> >>>> +ifndef CONFIG_BINMAN
> >>>> include $(srctree)/arch/arm/mach-k3/config_secure.mk
> >>>> +endif
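Review bot: wrapping `include $(srctree)/arch/arm/mach-k3/config_secure.mk` in `ifndef CONFIG_BINMAN` drops that whole file for binman builds, while the commit message only talks about replacing tools/k3_fit_atf.sh. State in the commit message or in a comment here that nothing else from config_secure.mk is needed when CONFIG_BINMAN is set, in particular for CONFIG_TI_SECURE_DEVICE builds.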
--
Tom