[PATCH -next 0/5] add a few entries into missing-blob-help

[PATCH -next 0/5] add a few entries into missing-blob-help

[Bryan Brattlof]

Hello everyone,

Now that TIFS and DM firmwares are marked as mandatory items for a 
successful build[0] we should provide some more descriptive help text on 
where to get the firmware in the event they are not found and add links 
to more information about them.

We do need to expand the regex to allow the '.' dot in 'ti-fs-enc.bin' 
so we can add it to the list which was the lesser number of lines 
changed than renaming all these entries to 'tifs' or 'ti-fs' which the 
current regex will match.

Happy Hacking
~Bryan

[0] https://lore.kernel.org/u-boot/20250506-non-optional-v2-1-f58b12aab913@ti.com

Signed-off-by: Bryan Brattlof <bb@ti.com>
---
Bryan Brattlof (5):
      binman: alphabetize missing-blob entries
      binman: add ti-dm entry to missing-blob-help
      binman: add sysfw-inner-cert to missing-blob-help
      binman: allow '.' to be included in the missing blob tags
      binmain: include ti-fs-enc.bin into missing-blob-help

 tools/binman/control.py        |  2 +-
 tools/binman/missing-blob-help | 67 ++++++++++++++++++++++++++++++------------
 2 files changed, 50 insertions(+), 19 deletions(-)
---
base-commit: 59d00e20fced23e6463aa09db889dd548baee677
change-id: 20250611-missing-blob-help-entries-2b8f00ab8077

Best regards,
-- 
Bryan Brattlof <bb@ti.com>

[PATCH -next 1/5] binman: alphabetize missing-blob entries

[Bryan Brattlof]

As the list of entries grows let's alphabetize the list to make
searching a little easier. No functional changes intended

Signed-off-by: Bryan Brattlof <bb@ti.com>
---
 tools/binman/missing-blob-help | 36 ++++++++++++++++++------------------
 1 file changed, 18 insertions(+), 18 deletions(-)

diff --git a/tools/binman/missing-blob-help b/tools/binman/missing-blob-help
index ab0023eb9fb59fb84757770bcec4993d8351e9fb..b73b16f18491c2b45300ee4734d0f57eebb5635b 100644
--- a/tools/binman/missing-blob-help
+++ b/tools/binman/missing-blob-help
@@ -14,15 +14,6 @@ atf-bl31-sunxi:
 Please read the section on ARM Trusted Firmware (ATF) in
 board/sunxi/README.sunxi64
 
-scp-sunxi:
-SCP firmware is required for system suspend, but is otherwise optional.
-Please read the section on SCP firmware in board/sunxi/README.sunxi64
-
-iot2050-seboot:
-See the documentation for IOT2050 board. Your image is missing SEBoot
-which is mandatory for board startup. Prebuilt SEBoot located at
-meta-iot2050/tree/master/recipes-bsp/u-boot/files/prebuild/seboot_pg*.bin.
-
 iot2050-otpcmd:
 See the documentation for IOT2050 board. Your image is missing OTP command data
 block which is used for provisioning the customer keys to the board.
@@ -31,22 +22,31 @@ meta-iot2050/tree/master/recipes-bsp/secure-boot-otp-provisioning/files/make-otp
 for how to generate this binary. If you are not using secure boot or do not
 intend to provision the keys, disable CONFIG_IOT2050_EMBED_OTPCMD.
 
+iot2050-seboot:
+See the documentation for IOT2050 board. Your image is missing SEBoot
+which is mandatory for board startup. Prebuilt SEBoot located at
+meta-iot2050/tree/master/recipes-bsp/u-boot/files/prebuild/seboot_pg*.bin.
+
 k3-rti-wdt-firmware:
 If CONFIG_WDT_K3_RTI_LOAD_FW is enabled, a firmware image is needed for
 the R5F core(s) to trigger the system reset. One possible source is
 https://github.com/siemens/k3-rti-wdt.
 
-rockchip-tpl:
-An external TPL is required to initialize DRAM. Get the external TPL
-binary and build with ROCKCHIP_TPL=/path/to/ddr.bin. One possible source
-for the external TPL binary is https://github.com/rockchip-linux/rkbin.
-
-tee-os:
-See the documentation for your board. You may need to build Open Portable
-Trusted Execution Environment (OP-TEE) and build with TEE=/path/to/tee.bin
-
 opensbi:
 See the documentation for your board. The OpenSBI git repo is at
 https://github.com/riscv/opensbi.git
 You may need to build fw_dynamic.bin first and re-build u-boot with
 OPENSBI=/path/to/fw_dynamic.bin
+
+rockchip-tpl:
+An external TPL is required to initialize DRAM. Get the external TPL
+binary and build with ROCKCHIP_TPL=/path/to/ddr.bin. One possible source
+for the external TPL binary is https://github.com/rockchip-linux/rkbin.
+
+scp-sunxi:
+SCP firmware is required for system suspend, but is otherwise optional.
+Please read the section on SCP firmware in board/sunxi/README.sunxi64
+
+tee-os:
+See the documentation for your board. You may need to build Open Portable
+Trusted Execution Environment (OP-TEE) and build with TEE=/path/to/tee.bin

-- 
2.49.0

Re: [PATCH -next 1/5] binman: alphabetize missing-blob entries

[Anshul Dalal]

On Wed Jun 11, 2025 at 11:47 PM IST, Bryan Brattlof wrote:
> As the list of entries grows let's alphabetize the list to make
> searching a little easier. No functional changes intended
>
> Signed-off-by: Bryan Brattlof <bb@ti.com>

Reviewed-by: Anshul Dalal <anshuld@ti.com>

[PATCH -next 2/5] binman: add ti-dm entry to missing-blob-help

[Bryan Brattlof]

Now that ti-dm is marked as a mandatory component for a successful
build, adding some helping text about how to resolve a failed build will
be needed. Add some text around what ti-dm is and links to more
documentation on how to obtain the firmware binaries

Signed-off-by: Bryan Brattlof <bb@ti.com>
---
 tools/binman/missing-blob-help | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/tools/binman/missing-blob-help b/tools/binman/missing-blob-help
index b73b16f18491c2b45300ee4734d0f57eebb5635b..e28eaa2015443f256a469df4ead87793e23ba219 100644
--- a/tools/binman/missing-blob-help
+++ b/tools/binman/missing-blob-help
@@ -50,3 +50,13 @@ Please read the section on SCP firmware in board/sunxi/README.sunxi64
 tee-os:
 See the documentation for your board. You may need to build Open Portable
 Trusted Execution Environment (OP-TEE) and build with TEE=/path/to/tee.bin
+
+ti-dm:
+You are missing TI's Device Management (DM) firmware which is critical to
+provide resource and power management services for your board. Your board
+will not boot without this firmware.
+
+Have a look at your board's documentation to find the latest version of
+the DM firmware binary and how to include it in the build.
+
+    https://docs.u-boot.org/en/latest/board/ti/k3.html

-- 
2.49.0

Re: [PATCH -next 2/5] binman: add ti-dm entry to missing-blob-help

[Anshul Dalal]

On Wed Jun 11, 2025 at 11:47 PM IST, Bryan Brattlof wrote:
> Now that ti-dm is marked as a mandatory component for a successful
> build, adding some helping text about how to resolve a failed build will
> be needed. Add some text around what ti-dm is and links to more
> documentation on how to obtain the firmware binaries
>
> Signed-off-by: Bryan Brattlof <bb@ti.com>

Reviewed-by: Anshul Dalal <anshuld@ti.com>

[PATCH -next 3/5] binman: add sysfw-inner-cert to missing-blob-help

[Bryan Brattlof]

Now that the inner certificate for TI' Foundation Security TIFS firmware
is mandatory to a successful build, provide some guidance on what it is
and links to the documentation on how to obtain the firmware blobs.

Signed-off-by: Bryan Brattlof <bb@ti.com>
---
 tools/binman/missing-blob-help | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/tools/binman/missing-blob-help b/tools/binman/missing-blob-help
index e28eaa2015443f256a469df4ead87793e23ba219..fcc989ed757e0d0a8d5bc8238c3d013da98aa390 100644
--- a/tools/binman/missing-blob-help
+++ b/tools/binman/missing-blob-help
@@ -60,3 +60,13 @@ Have a look at your board's documentation to find the latest version of
 the DM firmware binary and how to include it in the build.
 
     https://docs.u-boot.org/en/latest/board/ti/k3.html
+
+sysfw-inner-cert:
+You are missing the inner certificate for TI's Foundational Security (TIFS)
+firmware which is critical to authenticating the TIFS firmware during boot.
+HS-FS and HS-SE parts will not boot without this certificate.
+
+Have a look at your board's documentation to find and include the latest
+TIFS certificate blobs and how to include them in the build.
+
+    https://docs.u-boot.org/en/latest/board/ti/k3.html

-- 
2.49.0

Re: [PATCH -next 3/5] binman: add sysfw-inner-cert to missing-blob-help

[Anshul Dalal]

On Wed Jun 11, 2025 at 11:47 PM IST, Bryan Brattlof wrote:
> Now that the inner certificate for TI' Foundation Security TIFS firmware
> is mandatory to a successful build, provide some guidance on what it is
> and links to the documentation on how to obtain the firmware blobs.
>
> Signed-off-by: Bryan Brattlof <bb@ti.com>
> ---
>  tools/binman/missing-blob-help | 10 ++++++++++
>  1 file changed, 10 insertions(+)
>
> diff --git a/tools/binman/missing-blob-help b/tools/binman/missing-blob-help
> index e28eaa2015443f256a469df4ead87793e23ba219..fcc989ed757e0d0a8d5bc8238c3d013da98aa390 100644
> --- a/tools/binman/missing-blob-help
> +++ b/tools/binman/missing-blob-help
> @@ -60,3 +60,13 @@ Have a look at your board's documentation to find the latest version of
>  the DM firmware binary and how to include it in the build.
>  
>      https://docs.u-boot.org/en/latest/board/ti/k3.html
> +
> +sysfw-inner-cert:
> +You are missing the inner certificate for TI's Foundational Security (TIFS)
> +firmware which is critical to authenticating the TIFS firmware during boot.
> +HS-FS and HS-SE parts will not boot without this certificate.
> +
> +Have a look at your board's documentation to find and include the latest
> +TIFS certificate blobs and how to include them in the build.
> +
> +    https://docs.u-boot.org/en/latest/board/ti/k3.html

Nit: With the entries ordered alphabetically in the 1st patch, the entry
`sysfw-inner-cert` should go after `scp-sunxi` instead.

Reviewed-by: Anshul Dalal <anshuld@ti.com>

Re: [PATCH -next 3/5] binman: add sysfw-inner-cert to missing-blob-help

[Bryan Brattlof]

On June 12, 2025 thus sayeth Anshul Dalal:
> On Wed Jun 11, 2025 at 11:47 PM IST, Bryan Brattlof wrote:
> > Now that the inner certificate for TI' Foundation Security TIFS firmware
> > is mandatory to a successful build, provide some guidance on what it is
> > and links to the documentation on how to obtain the firmware blobs.
> >
> > Signed-off-by: Bryan Brattlof <bb@ti.com>
> > ---
> >  tools/binman/missing-blob-help | 10 ++++++++++
> >  1 file changed, 10 insertions(+)
> >
> > diff --git a/tools/binman/missing-blob-help b/tools/binman/missing-blob-help
> > index e28eaa2015443f256a469df4ead87793e23ba219..fcc989ed757e0d0a8d5bc8238c3d013da98aa390 100644
> > --- a/tools/binman/missing-blob-help
> > +++ b/tools/binman/missing-blob-help
> > @@ -60,3 +60,13 @@ Have a look at your board's documentation to find the latest version of
> >  the DM firmware binary and how to include it in the build.
> >  
> >      https://docs.u-boot.org/en/latest/board/ti/k3.html
> > +
> > +sysfw-inner-cert:
> > +You are missing the inner certificate for TI's Foundational Security (TIFS)
> > +firmware which is critical to authenticating the TIFS firmware during boot.
> > +HS-FS and HS-SE parts will not boot without this certificate.
> > +
> > +Have a look at your board's documentation to find and include the latest
> > +TIFS certificate blobs and how to include them in the build.
> > +
> > +    https://docs.u-boot.org/en/latest/board/ti/k3.html
> 
> Nit: With the entries ordered alphabetically in the 1st patch, the entry
> `sysfw-inner-cert` should go after `scp-sunxi` instead.
> 

Oops you're right. Thanks for the review

~Bryan

[PATCH -next 4/5] binman: allow '.' to be included in the missing blob tags

[Bryan Brattlof]

Extend the regex to add periods '.' in the tag so entries like
ti-fs-enc.bin can be represented in the missing-blob-help file.

Signed-off-by: Bryan Brattlof <bb@ti.com>
---
 tools/binman/control.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/binman/control.py b/tools/binman/control.py
index 1946656f7d368209df3299a0e7c833b93edf2120..e5bd78898069205498c13c443d76000791fd7fa3 100644
--- a/tools/binman/control.py
+++ b/tools/binman/control.py
@@ -97,7 +97,7 @@ def _ReadMissingBlobHelp():
         return tag, msg
 
     my_data = pkg_resources.resource_string(__name__, 'missing-blob-help')
-    re_tag = re.compile('^([-a-z0-9]+):$')
+    re_tag = re.compile(r"^([-\.a-z0-9]+):$")
     result = {}
     tag = None
     msg = ''

-- 
2.49.0

[PATCH -next 5/5] binmain: include ti-fs-enc.bin into missing-blob-help

[Bryan Brattlof]

Now that the TIFS firmware is marked as a mandatory component to a
successful build, provide some helpful descriptions to what it is and
links to more information about how to get this needed firmware.

Signed-off-by: Bryan Brattlof <bb@ti.com>
---
 tools/binman/missing-blob-help | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/tools/binman/missing-blob-help b/tools/binman/missing-blob-help
index fcc989ed757e0d0a8d5bc8238c3d013da98aa390..d6f2de23735f987f9f5e2529b33df111440cc01b 100644
--- a/tools/binman/missing-blob-help
+++ b/tools/binman/missing-blob-help
@@ -61,6 +61,17 @@ the DM firmware binary and how to include it in the build.
 
     https://docs.u-boot.org/en/latest/board/ti/k3.html
 
+ti-fs-enc.bin:
+You are missing TI's Foundational Security (TIFS) firmware which is
+critical to provide foundational security services like authenticated boot,
+and firewall management for the SoC. Your board will not boot without
+this firmware.
+
+Have a look at your board's documentation to find the latest version of the
+TIFS firmware binary and how to include them in the build.
+
+    https://docs.u-boot.org/en/latest/board/ti/k3.html
+
 sysfw-inner-cert:
 You are missing the inner certificate for TI's Foundational Security (TIFS)
 firmware which is critical to authenticating the TIFS firmware during boot.

-- 
2.49.0