[PATCH 0/7] binman: ti: create binman nodes for EFI capsules

[PATCH 0/7] binman: ti: create binman nodes for EFI capsules

[Jonathan Humphreys]

Add binman nodes for EFI capsules of firmware components.

This is enabled for several TI SoC based platforms: AM64, AM62, AM62p,
BeaglePlay, J7, and BeagleboneAI.

Jonathan Humphreys (7):
  dts: ti: binman: Add base K3 firmware capsule nodes
  dts: am64x: binman: Include base K3 firmware capsule binman nodes
  dts: j721e: binman: Include firmware capsules binman nodes
  dts: beagleplay: binman: Include firmware capsules binman nodes
  dts: am62px: binman: Include base K3 firmware capsule binman nodes
  dts: am62x: binman: Include base K3 firmware capsule binman nodes
  dts: beagleboneai64: binman: Include firmware capsules binman nodes

 arch/arm/dts/k3-am625-beagleplay-u-boot.dtsi  |  9 ++++
 arch/arm/dts/k3-am625-r5-beagleplay.dts       |  5 +++
 arch/arm/dts/k3-am625-sk-binman.dtsi          |  5 +++
 arch/arm/dts/k3-am62p-sk-binman.dtsi          |  4 ++
 arch/arm/dts/k3-am64x-binman.dtsi             |  5 +++
 arch/arm/dts/k3-binman-capsule-r5.dtsi        | 24 +++++++++++
 arch/arm/dts/k3-binman-capsule.dtsi           | 42 +++++++++++++++++++
 .../dts/k3-j721e-beagleboneai64-u-boot.dtsi   |  9 ++++
 arch/arm/dts/k3-j721e-binman.dtsi             | 32 ++++++++++++++
 arch/arm/dts/k3-j721e-r5-beagleboneai64.dts   | 22 ++++++++++
 10 files changed, 157 insertions(+)
 create mode 100644 arch/arm/dts/k3-binman-capsule-r5.dtsi
 create mode 100644 arch/arm/dts/k3-binman-capsule.dtsi

-- 
2.34.1

[PATCH 1/7] dts: ti: binman: Add base K3 firmware capsule nodes

[Jonathan Humphreys]

Create capsule files for tiboot3.bin, tispl.bin, and u-boot.img.

Signed-off-by: Jonathan Humphreys <j-humphreys@ti.com>
---
 arch/arm/dts/k3-binman-capsule-r5.dtsi | 24 +++++++++++++++
 arch/arm/dts/k3-binman-capsule.dtsi    | 42 ++++++++++++++++++++++++++
 2 files changed, 66 insertions(+)
 create mode 100644 arch/arm/dts/k3-binman-capsule-r5.dtsi
 create mode 100644 arch/arm/dts/k3-binman-capsule.dtsi

diff --git a/arch/arm/dts/k3-binman-capsule-r5.dtsi b/arch/arm/dts/k3-binman-capsule-r5.dtsi
new file mode 100644
index 00000000000..7a20afa46aa
--- /dev/null
+++ b/arch/arm/dts/k3-binman-capsule-r5.dtsi
@@ -0,0 +1,24 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) 2024 Texas Instruments Incorporated - https://www.ti.com/
+ */
+
+// Capsue update GUIDs.  See ti_armv7_common.h.
+#define K3_TIBOOT3_IMAGE_UUID_STR "e672b518-7cd7-4014-bd8d-40724d0ad4dc"
+
+&binman {
+	capsule-tiboot3 {
+		filename = "tiboot3-capsule.bin";
+		efi-capsule {
+			image-index = <0x1>;
+			image-guid = K3_TIBOOT3_IMAGE_UUID_STR;
+			private-key = "arch/arm/mach-k3/keys/custMpk.pem";
+			public-key-cert = "arch/arm/mach-k3/keys/custMpk.crt";
+			monotonic-count = <0x1>;
+
+			tiboot3_name: blob {
+				filename = "tiboot3.bin";
+			};
+		};
+	};
+};
diff --git a/arch/arm/dts/k3-binman-capsule.dtsi b/arch/arm/dts/k3-binman-capsule.dtsi
new file mode 100644
index 00000000000..4f11ca6f0ef
--- /dev/null
+++ b/arch/arm/dts/k3-binman-capsule.dtsi
@@ -0,0 +1,42 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) 2024 Texas Instruments Incorporated - https://www.ti.com/
+ */
+
+// Capsue update GUIDs.  See ti_armv7_common.h.
+#define K3_SPL_IMAGE_UUID_STR "86f710ad-10cf-46ea-ac67-856ae06efad2"
+#define K3_UBOOT_IMAGE_UUID_STR "81b58fb0-3b00-4add-a20a-c185bbaca1ed"
+
+&binman {
+	capsule-tispl {
+		filename = "tispl-capsule.bin";
+		efi-capsule {
+			image-index = <0x2>;
+			image-guid = K3_SPL_IMAGE_UUID_STR;
+			private-key = "arch/arm/mach-k3/keys/custMpk.pem";
+			public-key-cert = "arch/arm/mach-k3/keys/custMpk.crt";
+			monotonic-count = <0x1>;
+
+			tispl_name: blob {
+				filename = "tispl.bin";
+			};
+		};
+	};
+};
+
+&binman {
+	capsule-uboot {
+		filename = "uboot-capsule.bin";
+		efi-capsule {
+			image-index = <0x3>;
+			image-guid = K3_UBOOT_IMAGE_UUID_STR;
+			private-key = "arch/arm/mach-k3/keys/custMpk.pem";
+			public-key-cert = "arch/arm/mach-k3/keys/custMpk.crt";
+			monotonic-count = <0x1>;
+
+			uboot_name: blob {
+				filename = "u-boot.img";
+			};
+		};
+	};
+};
-- 
2.34.1

[PATCH 2/7] dts: am64x: binman: Include base K3 firmware capsule binman nodes

[Jonathan Humphreys]

Signed-off-by: Jonathan Humphreys <j-humphreys@ti.com>
---
 arch/arm/dts/k3-am64x-binman.dtsi | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/arch/arm/dts/k3-am64x-binman.dtsi b/arch/arm/dts/k3-am64x-binman.dtsi
index 37817ba60d2..89cf048db1f 100644
--- a/arch/arm/dts/k3-am64x-binman.dtsi
+++ b/arch/arm/dts/k3-am64x-binman.dtsi
@@ -114,6 +114,8 @@
 	};
 };
 
+#include "k3-binman-capsule-r5.dtsi"
+
 #endif
 
 #ifdef CONFIG_TARGET_AM642_A53_EVM
@@ -373,4 +375,7 @@
 		};
 	};
 };
+
+#include "k3-binman-capsule.dtsi"
+
 #endif
-- 
2.34.1

[PATCH 3/7] dts: j721e: binman: Include firmware capsules binman nodes

[Jonathan Humphreys]

Signed-off-by: Jonathan Humphreys <j-humphreys@ti.com>
---
 arch/arm/dts/k3-j721e-binman.dtsi | 32 +++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/arch/arm/dts/k3-j721e-binman.dtsi b/arch/arm/dts/k3-j721e-binman.dtsi
index 75a6e9599b9..9169551c422 100644
--- a/arch/arm/dts/k3-j721e-binman.dtsi
+++ b/arch/arm/dts/k3-j721e-binman.dtsi
@@ -207,6 +207,29 @@
 		};
 	};
 };
+
+#include "k3-binman-capsule-r5.dtsi"
+
+// Capsue update GUIDs.  See ti_armv7_common.h.
+#define K3_SYSFW_IMAGE_UUID_STR "6fd10680-361b-431f-80aa-899455819e11"
+
+&binman {
+	capsule-sysfw {
+		filename = "sysfw-capsule.bin";
+		efi-capsule {
+			image-index = <0x4>;
+			image-guid = K3_SYSFW_IMAGE_UUID_STR;
+			private-key = "arch/arm/mach-k3/keys/custMpk.pem";
+			public-key-cert = "arch/arm/mach-k3/keys/custMpk.crt";
+			monotonic-count = <0x1>;
+
+			blob {
+				filename = "sysfw.itb";
+			};
+		};
+	};
+};
+
 #endif
 
 #ifdef CONFIG_TARGET_J721E_A72_EVM
@@ -585,4 +608,13 @@
 		};
 	};
 };
+
+#include "k3-binman-capsule.dtsi"
+&tispl_name {
+	filename = "tispl.bin_unsigned";
+};
+&uboot_name {
+	filename = "u-boot.img_unsigned";
+};
+
 #endif
-- 
2.34.1

[PATCH 4/7] dts: beagleplay: binman: Include firmware capsules binman nodes

[Jonathan Humphreys]

Signed-off-by: Jonathan Humphreys <j-humphreys@ti.com>
---
 arch/arm/dts/k3-am625-beagleplay-u-boot.dtsi | 9 +++++++++
 arch/arm/dts/k3-am625-r5-beagleplay.dts      | 5 +++++
 2 files changed, 14 insertions(+)

diff --git a/arch/arm/dts/k3-am625-beagleplay-u-boot.dtsi b/arch/arm/dts/k3-am625-beagleplay-u-boot.dtsi
index cca0f44b7d8..315f42e7464 100644
--- a/arch/arm/dts/k3-am625-beagleplay-u-boot.dtsi
+++ b/arch/arm/dts/k3-am625-beagleplay-u-boot.dtsi
@@ -212,4 +212,13 @@
 		};
 	};
 };
+
+#include "k3-binman-capsule.dtsi"
+&tispl_name {
+	filename = "tispl.bin_unsigned";
+};
+&uboot_name {
+	filename = "u-boot.img_unsigned";
+};
+
 #endif
diff --git a/arch/arm/dts/k3-am625-r5-beagleplay.dts b/arch/arm/dts/k3-am625-r5-beagleplay.dts
index 9db58f093c8..5ee0c2bd56d 100644
--- a/arch/arm/dts/k3-am625-r5-beagleplay.dts
+++ b/arch/arm/dts/k3-am625-r5-beagleplay.dts
@@ -114,3 +114,8 @@
 
 	};
 };
+
+#include "k3-binman-capsule-r5.dtsi"
+&tiboot3_name {
+	filename = "tiboot3-am62x-gp-evm.bin";
+};
-- 
2.34.1

[PATCH 5/7] dts: am62px: binman: Include base K3 firmware capsule binman nodes

[Jonathan Humphreys]

Signed-off-by: Jonathan Humphreys <j-humphreys@ti.com>
---
 arch/arm/dts/k3-am62p-sk-binman.dtsi | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/arch/arm/dts/k3-am62p-sk-binman.dtsi b/arch/arm/dts/k3-am62p-sk-binman.dtsi
index dea14945bf5..9b27c879f79 100644
--- a/arch/arm/dts/k3-am62p-sk-binman.dtsi
+++ b/arch/arm/dts/k3-am62p-sk-binman.dtsi
@@ -59,6 +59,8 @@
 	};
 };
 
+#include "k3-binman-capsule-r5.dtsi"
+
 #endif /* CONFIG_TARGET_AM62P5_R5_EVM */
 
 #if IS_ENABLED(CONFIG_TARGET_AM62P5_A53_EVM)
@@ -170,4 +172,6 @@
 	};
 };
 
+#include "k3-binman-capsule.dtsi"
+
 #endif /* CONFIG_TARGET_AM62P5_A53_EVM */
-- 
2.34.1

[PATCH 6/7] dts: am62x: binman: Include base K3 firmware capsule binman nodes

[Jonathan Humphreys]

Signed-off-by: Jonathan Humphreys <j-humphreys@ti.com>
---
 arch/arm/dts/k3-am625-sk-binman.dtsi | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/arch/arm/dts/k3-am625-sk-binman.dtsi b/arch/arm/dts/k3-am625-sk-binman.dtsi
index 5b058bd03a0..921c2bdcc5e 100644
--- a/arch/arm/dts/k3-am625-sk-binman.dtsi
+++ b/arch/arm/dts/k3-am625-sk-binman.dtsi
@@ -137,6 +137,8 @@
 	};
 };
 
+#include "k3-binman-capsule-r5.dtsi"
+
 #endif
 
 #ifdef CONFIG_TARGET_AM625_A53_EVM
@@ -315,4 +317,7 @@
 		};
 	};
 };
+
+#include "k3-binman-capsule.dtsi"
+
 #endif
-- 
2.34.1

[PATCH 7/7] dts: beagleboneai64: binman: Include firmware capsules binman nodes

[Jonathan Humphreys]

Signed-off-by: Jonathan Humphreys <j-humphreys@ti.com>
---
 .../dts/k3-j721e-beagleboneai64-u-boot.dtsi   |  9 ++++++++
 arch/arm/dts/k3-j721e-r5-beagleboneai64.dts   | 22 +++++++++++++++++++
 2 files changed, 31 insertions(+)

diff --git a/arch/arm/dts/k3-j721e-beagleboneai64-u-boot.dtsi b/arch/arm/dts/k3-j721e-beagleboneai64-u-boot.dtsi
index 116ee373118..a3c5fa1f0b5 100644
--- a/arch/arm/dts/k3-j721e-beagleboneai64-u-boot.dtsi
+++ b/arch/arm/dts/k3-j721e-beagleboneai64-u-boot.dtsi
@@ -355,4 +355,13 @@
 		};
 	};
 };
+
+#include "k3-binman-capsule.dtsi"
+&tispl_name {
+	filename = "tispl.bin_unsigned";
+};
+&uboot_name {
+	filename = "u-boot.img_unsigned";
+};
+
 #endif
diff --git a/arch/arm/dts/k3-j721e-r5-beagleboneai64.dts b/arch/arm/dts/k3-j721e-r5-beagleboneai64.dts
index 43da4dafba8..1a98ad9e34f 100644
--- a/arch/arm/dts/k3-j721e-r5-beagleboneai64.dts
+++ b/arch/arm/dts/k3-j721e-r5-beagleboneai64.dts
@@ -183,3 +183,25 @@
 		};
 	};
 };
+
+#include "k3-binman-capsule-r5.dtsi"
+
+// Capsue update GUIDs.  See ti_armv7_common.h.
+#define K3_SYSFW_IMAGE_UUID_STR "6fd10680-361b-431f-80aa-899455819e11"
+
+&binman {
+	capsule-sysfw {
+		filename = "sysfw-capsule.bin";
+		efi-capsule {
+			image-index = <0x4>;
+			image-guid = K3_SYSFW_IMAGE_UUID_STR;
+			private-key = "arch/arm/mach-k3/keys/custMpk.pem";
+			public-key-cert = "arch/arm/mach-k3/keys/custMpk.crt";
+			monotonic-count = <0x1>;
+
+			blob {
+				filename = "sysfw.itb";
+			};
+		};
+	};
+};
-- 
2.34.1

Re: [PATCH 3/7] dts: j721e: binman: Include firmware capsules binman nodes

[Andrew Davis]

On 4/8/24 5:17 PM, Jonathan Humphreys wrote:
> Signed-off-by: Jonathan Humphreys <j-humphreys@ti.com>
> ---
>   arch/arm/dts/k3-j721e-binman.dtsi | 32 +++++++++++++++++++++++++++++++
>   1 file changed, 32 insertions(+)
> 
> diff --git a/arch/arm/dts/k3-j721e-binman.dtsi b/arch/arm/dts/k3-j721e-binman.dtsi
> index 75a6e9599b9..9169551c422 100644
> --- a/arch/arm/dts/k3-j721e-binman.dtsi
> +++ b/arch/arm/dts/k3-j721e-binman.dtsi
> @@ -207,6 +207,29 @@
>   		};
>   	};
>   };
> +
> +#include "k3-binman-capsule-r5.dtsi"
> +
> +// Capsue update GUIDs.  See ti_armv7_common.h.
> +#define K3_SYSFW_IMAGE_UUID_STR "6fd10680-361b-431f-80aa-899455819e11"
> +
> +&binman {
> +	capsule-sysfw {
> +		filename = "sysfw-capsule.bin";
> +		efi-capsule {
> +			image-index = <0x4>;
> +			image-guid = K3_SYSFW_IMAGE_UUID_STR;
> +			private-key = "arch/arm/mach-k3/keys/custMpk.pem";
> +			public-key-cert = "arch/arm/mach-k3/keys/custMpk.crt";
> +			monotonic-count = <0x1>;
> +
> +			blob {
> +				filename = "sysfw.itb";
> +			};
> +		};
> +	};
> +};
> +
>   #endif
>   
>   #ifdef CONFIG_TARGET_J721E_A72_EVM
> @@ -585,4 +608,13 @@
>   		};
>   	};
>   };
> +
> +#include "k3-binman-capsule.dtsi"
> +&tispl_name {
> +	filename = "tispl.bin_unsigned";

Why use the _unsigned images here? HS devices cannot boot unsigned GP images,
but both GP and HS devices *can* boot the normal signed images (GP just strips
the signatures off). So no need to use the _unsigned images anymore (I'm
planning to just remove them at some point to prevent this confusion).

Andrew

> +};
> +&uboot_name {
> +	filename = "u-boot.img_unsigned";
> +};
> +
>   #endif

Re: [PATCH 3/7] dts: j721e: binman: Include firmware capsules binman nodes

[Jon Humphreys]

Andrew Davis <afd@ti.com> writes:

> On 4/8/24 5:17 PM, Jonathan Humphreys wrote:
>> Signed-off-by: Jonathan Humphreys <j-humphreys@ti.com>
>> ---
>>   arch/arm/dts/k3-j721e-binman.dtsi | 32 +++++++++++++++++++++++++++++++
>>   1 file changed, 32 insertions(+)
>> 
>> diff --git a/arch/arm/dts/k3-j721e-binman.dtsi b/arch/arm/dts/k3-j721e-binman.dtsi
>> index 75a6e9599b9..9169551c422 100644
>> --- a/arch/arm/dts/k3-j721e-binman.dtsi
>> +++ b/arch/arm/dts/k3-j721e-binman.dtsi
>> @@ -207,6 +207,29 @@
>>   		};
>>   	};
>>   };
>> +
>> +#include "k3-binman-capsule-r5.dtsi"
>> +
>> +// Capsue update GUIDs.  See ti_armv7_common.h.
>> +#define K3_SYSFW_IMAGE_UUID_STR "6fd10680-361b-431f-80aa-899455819e11"
>> +
>> +&binman {
>> +	capsule-sysfw {
>> +		filename = "sysfw-capsule.bin";
>> +		efi-capsule {
>> +			image-index = <0x4>;
>> +			image-guid = K3_SYSFW_IMAGE_UUID_STR;
>> +			private-key = "arch/arm/mach-k3/keys/custMpk.pem";
>> +			public-key-cert = "arch/arm/mach-k3/keys/custMpk.crt";
>> +			monotonic-count = <0x1>;
>> +
>> +			blob {
>> +				filename = "sysfw.itb";
>> +			};
>> +		};
>> +	};
>> +};
>> +
>>   #endif
>>   
>>   #ifdef CONFIG_TARGET_J721E_A72_EVM
>> @@ -585,4 +608,13 @@
>>   		};
>>   	};
>>   };
>> +
>> +#include "k3-binman-capsule.dtsi"
>> +&tispl_name {
>> +	filename = "tispl.bin_unsigned";
>
> Why use the _unsigned images here? HS devices cannot boot unsigned GP images,
> but both GP and HS devices *can* boot the normal signed images (GP just strips
> the signatures off). So no need to use the _unsigned images anymore (I'm
> planning to just remove them at some point to prevent this confusion).
>
I can do that.

Note that you will then see warnings on GP devices during boot:

  Warning: Detected image signing certificate on GP device. Skipping certificate to prevent boot failure. This will fail if the image was also encrypted

Jon

> Andrew
>
>> +};
>> +&uboot_name {
>> +	filename = "u-boot.img_unsigned";
>> +};
>> +
>>   #endif

Re: [PATCH 3/7] dts: j721e: binman: Include firmware capsules binman nodes

[Andrew Davis]

On 4/10/24 1:24 PM, Jon Humphreys wrote:
> Andrew Davis <afd@ti.com> writes:
> 
>> On 4/8/24 5:17 PM, Jonathan Humphreys wrote:
>>> Signed-off-by: Jonathan Humphreys <j-humphreys@ti.com>
>>> ---
>>>    arch/arm/dts/k3-j721e-binman.dtsi | 32 +++++++++++++++++++++++++++++++
>>>    1 file changed, 32 insertions(+)
>>>
>>> diff --git a/arch/arm/dts/k3-j721e-binman.dtsi b/arch/arm/dts/k3-j721e-binman.dtsi
>>> index 75a6e9599b9..9169551c422 100644
>>> --- a/arch/arm/dts/k3-j721e-binman.dtsi
>>> +++ b/arch/arm/dts/k3-j721e-binman.dtsi
>>> @@ -207,6 +207,29 @@
>>>    		};
>>>    	};
>>>    };
>>> +
>>> +#include "k3-binman-capsule-r5.dtsi"
>>> +
>>> +// Capsue update GUIDs.  See ti_armv7_common.h.
>>> +#define K3_SYSFW_IMAGE_UUID_STR "6fd10680-361b-431f-80aa-899455819e11"
>>> +
>>> +&binman {
>>> +	capsule-sysfw {
>>> +		filename = "sysfw-capsule.bin";
>>> +		efi-capsule {
>>> +			image-index = <0x4>;
>>> +			image-guid = K3_SYSFW_IMAGE_UUID_STR;
>>> +			private-key = "arch/arm/mach-k3/keys/custMpk.pem";
>>> +			public-key-cert = "arch/arm/mach-k3/keys/custMpk.crt";
>>> +			monotonic-count = <0x1>;
>>> +
>>> +			blob {
>>> +				filename = "sysfw.itb";
>>> +			};
>>> +		};
>>> +	};
>>> +};
>>> +
>>>    #endif
>>>    
>>>    #ifdef CONFIG_TARGET_J721E_A72_EVM
>>> @@ -585,4 +608,13 @@
>>>    		};
>>>    	};
>>>    };
>>> +
>>> +#include "k3-binman-capsule.dtsi"
>>> +&tispl_name {
>>> +	filename = "tispl.bin_unsigned";
>>
>> Why use the _unsigned images here? HS devices cannot boot unsigned GP images,
>> but both GP and HS devices *can* boot the normal signed images (GP just strips
>> the signatures off). So no need to use the _unsigned images anymore (I'm
>> planning to just remove them at some point to prevent this confusion).
>>
> I can do that.
> 
> Note that you will then see warnings on GP devices during boot:
> 
>    Warning: Detected image signing certificate on GP device. Skipping certificate to prevent boot failure. This will fail if the image was also encrypted
> 

True, I'll send a fix for that.

Andrew

> Jon
> 
>> Andrew
>>
>>> +};
>>> +&uboot_name {
>>> +	filename = "u-boot.img_unsigned";
>>> +};
>>> +
>>>    #endif