| Message ID | 20230714135110.109928-1-n-francis@ti.com |
|---|---|
| Headers | show |
| Series | Migration to using binman for bootloader | expand |
On 7/14/23 15:50, Neha Malcom Francis wrote: > This series aims to eliminate the use of additional custom repositories > such as k3-image-gen (K3 Image Generation) repo and core-secdev-k3 (K3 > Security Development Tools) that was plumbed into the U-Boot build flow > to generate boot images for TI K3 platform devices. And instead, we move > towards using binman that aligns better with the community standard build > flow. > > This series uses binman for all K3 platforms supported on U-Boot currently; > both HS (High Security, both SE and FS) and GP (General Purpose) devices. > > Background on using k3-image-gen: > * TI K3 devices require a SYSFW (System Firmware) image consisting > of a signed system firmware image and board configuration binaries, > this is needed to bring up system firmware during U-Boot R5 SPL > startup. > * Board configuration data contain board-specific information > such as resource management, power management and security. > > Background on using core-secdev-k3: > * Contains resources to sign x509 certificates for HS devices > > Series intends to use binman to take over the packaging and signing for > the R5 bootloader images tiboot3.bin (and sysfw.itb, for non-combined > boot flow) instead of k3-image-gen. > > Series also packages the A72/A53 bootloader images (tispl.bin and > u-boot.img) using ATF, OPTEE and DM (Device Manager) > > Changes in v7: > - corrected Texas Instruments copyright year > - k3-am65-iot2050 image fit@0x180000 filename retained as > tispl.bin > > Changes in v6: > - addressed whitespace warnings > - added testcase for overwriting symlink functionality > - %s/Arm Trusted Firmware/Trusted Firmware-A > - %s/tee-pager_v2.bin/tee-raw.bin I can still find quite a few occurrences of tee-pager_v2.bin in the patch set (and in v7 too). Did you forget to change? Another note applicable to several patches in v7: 'description = "OPTEE"' should be 'description = "OP-TEE"' (the official spelling has a hyphen).
Hi Jerome On 14/07/23 19:37, Jerome Forissier wrote: > > > On 7/14/23 15:50, Neha Malcom Francis wrote: >> This series aims to eliminate the use of additional custom repositories >> such as k3-image-gen (K3 Image Generation) repo and core-secdev-k3 (K3 >> Security Development Tools) that was plumbed into the U-Boot build flow >> to generate boot images for TI K3 platform devices. And instead, we move >> towards using binman that aligns better with the community standard build >> flow. >> >> This series uses binman for all K3 platforms supported on U-Boot currently; >> both HS (High Security, both SE and FS) and GP (General Purpose) devices. >> >> Background on using k3-image-gen: >> * TI K3 devices require a SYSFW (System Firmware) image consisting >> of a signed system firmware image and board configuration binaries, >> this is needed to bring up system firmware during U-Boot R5 SPL >> startup. >> * Board configuration data contain board-specific information >> such as resource management, power management and security. >> >> Background on using core-secdev-k3: >> * Contains resources to sign x509 certificates for HS devices >> >> Series intends to use binman to take over the packaging and signing for >> the R5 bootloader images tiboot3.bin (and sysfw.itb, for non-combined >> boot flow) instead of k3-image-gen. >> >> Series also packages the A72/A53 bootloader images (tispl.bin and >> u-boot.img) using ATF, OPTEE and DM (Device Manager) >> >> Changes in v7: >> - corrected Texas Instruments copyright year >> - k3-am65-iot2050 image fit@0x180000 filename retained as >> tispl.bin >> >> Changes in v6: >> - addressed whitespace warnings >> - added testcase for overwriting symlink functionality >> - %s/Arm Trusted Firmware/Trusted Firmware-A >> - %s/tee-pager_v2.bin/tee-raw.bin > > I can still find quite a few occurrences of tee-pager_v2.bin in the patch > set (and in v7 too). Did you forget to change? > > Another note applicable to several patches in v7: > 'description = "OPTEE"' should be > 'description = "OP-TEE"' (the official spelling has a hyphen). > Thanks for catching these, it was an oversight. Will change it.
Hi, On Fri, Jul 14, 2023 at 07:20:47PM +0530, Neha Malcom Francis wrote: > This series aims to eliminate the use of additional custom repositories > such as k3-image-gen (K3 Image Generation) repo and core-secdev-k3 (K3 > Security Development Tools) that was plumbed into the U-Boot build flow > to generate boot images for TI K3 platform devices. And instead, we move > towards using binman that aligns better with the community standard build > flow. > > This series uses binman for all K3 platforms supported on U-Boot currently; > both HS (High Security, both SE and FS) and GP (General Purpose) devices. > > Background on using k3-image-gen: > * TI K3 devices require a SYSFW (System Firmware) image consisting > of a signed system firmware image and board configuration binaries, > this is needed to bring up system firmware during U-Boot R5 SPL > startup. > * Board configuration data contain board-specific information > such as resource management, power management and security. > > Background on using core-secdev-k3: > * Contains resources to sign x509 certificates for HS devices > > Series intends to use binman to take over the packaging and signing for > the R5 bootloader images tiboot3.bin (and sysfw.itb, for non-combined > boot flow) instead of k3-image-gen. > > Series also packages the A72/A53 bootloader images (tispl.bin and > u-boot.img) using ATF, OPTEE and DM (Device Manager) Tested-by: Maxime Ripard <mripard@kernel.org> It took a while to figure out that the tiboot3.bin file was for the HS-FS variant now, while I was using a GP board. Maybe we should clarify that in the doc? Maxime
Hi Maxime On 17/07/23 18:19, Maxime Ripard wrote: > Hi, > > On Fri, Jul 14, 2023 at 07:20:47PM +0530, Neha Malcom Francis wrote: >> This series aims to eliminate the use of additional custom repositories >> such as k3-image-gen (K3 Image Generation) repo and core-secdev-k3 (K3 >> Security Development Tools) that was plumbed into the U-Boot build flow >> to generate boot images for TI K3 platform devices. And instead, we move >> towards using binman that aligns better with the community standard build >> flow. >> >> This series uses binman for all K3 platforms supported on U-Boot currently; >> both HS (High Security, both SE and FS) and GP (General Purpose) devices. >> >> Background on using k3-image-gen: >> * TI K3 devices require a SYSFW (System Firmware) image consisting >> of a signed system firmware image and board configuration binaries, >> this is needed to bring up system firmware during U-Boot R5 SPL >> startup. >> * Board configuration data contain board-specific information >> such as resource management, power management and security. >> >> Background on using core-secdev-k3: >> * Contains resources to sign x509 certificates for HS devices >> >> Series intends to use binman to take over the packaging and signing for >> the R5 bootloader images tiboot3.bin (and sysfw.itb, for non-combined >> boot flow) instead of k3-image-gen. >> >> Series also packages the A72/A53 bootloader images (tispl.bin and >> u-boot.img) using ATF, OPTEE and DM (Device Manager) > > Tested-by: Maxime Ripard <mripard@kernel.org> > Thanks for testing! > It took a while to figure out that the tiboot3.bin file was for the > HS-FS variant now, while I was using a GP board. > Depends on the board, based on the commonly available boards tiboot3.bin is symlinked to either GP or HS-FS. > Maybe we should clarify that in the doc? But yes, I will factor this into the docs. > > Maxime
On Mon, Jul 17, 2023 at 06:38:22PM +0530, Neha Malcom Francis wrote: > Hi Maxime > > On 17/07/23 18:19, Maxime Ripard wrote: > > Hi, > > > > On Fri, Jul 14, 2023 at 07:20:47PM +0530, Neha Malcom Francis wrote: > > > This series aims to eliminate the use of additional custom repositories > > > such as k3-image-gen (K3 Image Generation) repo and core-secdev-k3 (K3 > > > Security Development Tools) that was plumbed into the U-Boot build flow > > > to generate boot images for TI K3 platform devices. And instead, we move > > > towards using binman that aligns better with the community standard build > > > flow. > > > > > > This series uses binman for all K3 platforms supported on U-Boot currently; > > > both HS (High Security, both SE and FS) and GP (General Purpose) devices. > > > > > > Background on using k3-image-gen: > > > * TI K3 devices require a SYSFW (System Firmware) image consisting > > > of a signed system firmware image and board configuration binaries, > > > this is needed to bring up system firmware during U-Boot R5 SPL > > > startup. > > > * Board configuration data contain board-specific information > > > such as resource management, power management and security. > > > > > > Background on using core-secdev-k3: > > > * Contains resources to sign x509 certificates for HS devices > > > > > > Series intends to use binman to take over the packaging and signing for > > > the R5 bootloader images tiboot3.bin (and sysfw.itb, for non-combined > > > boot flow) instead of k3-image-gen. > > > > > > Series also packages the A72/A53 bootloader images (tispl.bin and > > > u-boot.img) using ATF, OPTEE and DM (Device Manager) > > > > Tested-by: Maxime Ripard <mripard@kernel.org> > > > > Thanks for testing! > > > It took a while to figure out that the tiboot3.bin file was for the > > HS-FS variant now, while I was using a GP board. > > Depends on the board, based on the commonly available boards tiboot3.bin is > symlinked to either GP or HS-FS. Sure, I guess that my point was that prior to your patches we would specify the firmware that match our board and thus tiboot3.bin was always the right one. Now, it can be the wrong one and we have, most likely, to use the proper image instead of following the symlink. But the doc still says we should pick the symlink. > > Maybe we should clarify that in the doc? > > But yes, I will factor this into the docs. Thanks :) Maxime
This series aims to eliminate the use of additional custom repositories such as k3-image-gen (K3 Image Generation) repo and core-secdev-k3 (K3 Security Development Tools) that was plumbed into the U-Boot build flow to generate boot images for TI K3 platform devices. And instead, we move towards using binman that aligns better with the community standard build flow. This series uses binman for all K3 platforms supported on U-Boot currently; both HS (High Security, both SE and FS) and GP (General Purpose) devices. Background on using k3-image-gen: * TI K3 devices require a SYSFW (System Firmware) image consisting of a signed system firmware image and board configuration binaries, this is needed to bring up system firmware during U-Boot R5 SPL startup. * Board configuration data contain board-specific information such as resource management, power management and security. Background on using core-secdev-k3: * Contains resources to sign x509 certificates for HS devices Series intends to use binman to take over the packaging and signing for the R5 bootloader images tiboot3.bin (and sysfw.itb, for non-combined boot flow) instead of k3-image-gen. Series also packages the A72/A53 bootloader images (tispl.bin and u-boot.img) using ATF, OPTEE and DM (Device Manager) Changes in v7: - corrected Texas Instruments copyright year - k3-am65-iot2050 image fit@0x180000 filename retained as tispl.bin Changes in v6: - addressed whitespace warnings - added testcase for overwriting symlink functionality - %s/Arm Trusted Firmware/Trusted Firmware-A - %s/tee-pager_v2.bin/tee-raw.bin Changes in v5: - updated all board configurations to latest - changed output binary filenames - fixed multiple certificate generation leading to packaging inconsistency in ti-secure*.py - added patch to overwrite symlink if exists, patch 21/23 ("binman: Overwrite symlink if it already exists") Changes in v4: - added support for iot2050 - documentation fixes - move to using self.Raise in ti-board-config etype - introduced common k3-binman.dtsi (further reduction in code duplication can be targeted, this as first step) Changes in v3: - added support for HS-FS devices - added support for AM68-sk - added back dropped documentation patch - changed prefix for SYSFW and DM files to expected directory name - extended test coverage to 100% - documentation fixes - corrected formatting changes Changes in v2: - removed all external scripts - created ti-board-config etype to support generation of board config binaries - created ti-secure and ti-secure-rom etypes to handle signing instead of using external TI_SECURE_DEV_PKG - updated openssl btool to support x509 certificate generation - dropped Makefile changes to obtain external binary components, moving to using BINMAN_INDIRS to achieve the same CI/CD passes 100% (series based on -next) [1] v1: https://patchwork.ozlabs.org/project/uboot/cover/20230120101903.179959-1-n-francis@ti.com/ v2: https://patchwork.ozlabs.org/project/uboot/cover/20230404121342.446935-1-n-francis@ti.com/ v3: https://patchwork.ozlabs.org/project/uboot/cover/20230421123203.1315330-1-n-francis@ti.com/ v4: https://patchwork.ozlabs.org/project/uboot/cover/20230518142713.184164-1-n-francis@ti.com/ v5: https://patchwork.ozlabs.org/project/uboot/cover/20230707123450.30329-1-n-francis@ti.com/ v6: https://patchwork.ozlabs.org/project/uboot/cover/20230712183453.7623-1-n-francis@ti.com/ [1] https://github.com/u-boot/u-boot/pull/363 Andrew Davis (1): binman: Overwrite symlink if it already exists Neha Malcom Francis (20): binman: ti-board-config: Add support for TI board config binaries binman: ti-secure: Add support for TI signing arm: dts: k3: Add support for packaging sysfw.itb and tiboot3.bin j721e: schema: yaml: Add general schema and J721E board config files j721e: dts: binman: Package tiboot3.bin, sysfw.itb, tispl.bin, u-boot.img j7200: yaml: Add J7200 board config files j7200: dts: binman: Package tiboot3.bin, tispl.bin, u-boot.img am65x: yaml: Add AM65x board config files am65: dts: binman: Package tiboot3.bin, sysfw.itb, tispl.bin, u-boot.img am64x: yaml: Add board configs for AM64x am64x: dts: binman: Package tiboot3.bin, tispl.bin u-boot.img j721s2: yaml: Add board configs for J721S2 j721s2: dts: binman: Package tiboot3.bin, tispl.bin and u-boot.img am62: yaml: Add board configs for AM62 am625: dts: binman: Package tiboot3.bin, tispl.bin and u-boot.img am62a: yaml: Add board configs for AM62ax am62a: dts: binman: Package tiboot3.bin, tispl.bin, u-boot.img arm: k3-am65x-iot2050: Use binman for tispl.bin for iot2050 k3: tools: config.mk: Update makefile and remove scripts doc: board: ti: Update documentation for binman flow Tom Rini (2): buildman: Create a requirements.txt file CI: Make use of buildman requirements.txt .azure-pipelines.yml | 4 + .gitlab-ci.yml | 4 + arch/arm/dts/k3-am625-r5-sk.dts | 1 + arch/arm/dts/k3-am625-sk-binman.dtsi | 463 +++ arch/arm/dts/k3-am625-sk-u-boot.dtsi | 2 + arch/arm/dts/k3-am62a-sk-binman.dtsi | 466 +++ arch/arm/dts/k3-am62a7-r5-sk.dts | 1 + arch/arm/dts/k3-am62a7-sk.dts | 1 + arch/arm/dts/k3-am642-evm-u-boot.dtsi | 2 + arch/arm/dts/k3-am642-r5-evm.dts | 1 + arch/arm/dts/k3-am642-sk-u-boot.dtsi | 2 + arch/arm/dts/k3-am64x-binman.dtsi | 515 +++ arch/arm/dts/k3-am65-iot2050-boot-image.dtsi | 75 +- arch/arm/dts/k3-am654-base-board-u-boot.dtsi | 1 + .../dts/k3-am654-r5-base-board-u-boot.dtsi | 1 + arch/arm/dts/k3-am65x-binman.dtsi | 518 +++ .../arm/dts/k3-am68-sk-base-board-u-boot.dtsi | 2 + arch/arm/dts/k3-binman.dtsi | 116 + arch/arm/dts/k3-j7200-binman.dtsi | 502 +++ .../k3-j7200-common-proc-board-u-boot.dtsi | 2 + arch/arm/dts/k3-j721e-binman.dtsi | 701 ++++ .../k3-j721e-common-proc-board-u-boot.dtsi | 1 + .../arm/dts/k3-j721e-r5-common-proc-board.dts | 1 + arch/arm/dts/k3-j721e-sk-u-boot.dtsi | 1 + arch/arm/dts/k3-j721s2-binman.dtsi | 546 +++ .../k3-j721s2-common-proc-board-u-boot.dtsi | 2 + .../dts/k3-j721s2-r5-common-proc-board.dts | 1 + arch/arm/mach-k3/config.mk | 103 - board/ti/am62ax/Kconfig | 2 + board/ti/am62ax/board-cfg.yaml | 36 + board/ti/am62ax/pm-cfg.yaml | 12 + board/ti/am62ax/rm-cfg.yaml | 1151 ++++++ board/ti/am62ax/sec-cfg.yaml | 379 ++ board/ti/am62ax/tifs-rm-cfg.yaml | 1011 ++++++ board/ti/am62x/Kconfig | 2 + board/ti/am62x/board-cfg.yaml | 36 + board/ti/am62x/pm-cfg.yaml | 12 + board/ti/am62x/rm-cfg.yaml | 1088 ++++++ board/ti/am62x/sec-cfg.yaml | 379 ++ board/ti/am64x/Kconfig | 2 + board/ti/am64x/board-cfg.yaml | 36 + board/ti/am64x/pm-cfg.yaml | 12 + board/ti/am64x/rm-cfg.yaml | 1400 ++++++++ board/ti/am64x/sec-cfg.yaml | 380 ++ board/ti/am65x/Kconfig | 2 + board/ti/am65x/board-cfg.yaml | 36 + board/ti/am65x/pm-cfg.yaml | 12 + board/ti/am65x/rm-cfg.yaml | 2068 +++++++++++ board/ti/am65x/sec-cfg.yaml | 379 ++ board/ti/common/schema.yaml | 436 +++ board/ti/j721e/Kconfig | 4 + board/ti/j721e/board-cfg.yaml | 36 + board/ti/j721e/board-cfg_j7200.yaml | 36 + board/ti/j721e/pm-cfg.yaml | 12 + board/ti/j721e/pm-cfg_j7200.yaml | 12 + board/ti/j721e/rm-cfg.yaml | 3174 +++++++++++++++++ board/ti/j721e/rm-cfg_j7200.yaml | 2065 +++++++++++ board/ti/j721e/sec-cfg.yaml | 380 ++ board/ti/j721e/sec-cfg_j7200.yaml | 380 ++ board/ti/j721s2/Kconfig | 2 + board/ti/j721s2/board-cfg.yaml | 36 + board/ti/j721s2/pm-cfg.yaml | 12 + board/ti/j721s2/rm-cfg.yaml | 2901 +++++++++++++++ board/ti/j721s2/sec-cfg.yaml | 379 ++ board/ti/keys/custMpk.pem | 51 + board/ti/keys/ti-degenerate-key.pem | 10 + doc/board/ti/am62x_sk.rst | 54 +- doc/board/ti/j7200_evm.rst | 55 +- doc/board/ti/j721e_evm.rst | 58 +- doc/board/ti/k3.rst | 107 +- tools/binman/btool/openssl.py | 244 ++ tools/binman/entries.rst | 113 + tools/binman/etype/ti_board_config.py | 259 ++ tools/binman/etype/ti_secure.py | 78 + tools/binman/etype/ti_secure_rom.py | 249 ++ tools/binman/etype/x509_cert.py | 87 +- tools/binman/ftest.py | 90 +- tools/binman/image.py | 2 + tools/binman/test/277_ti_board_cfg.dts | 14 + .../binman/test/278_ti_board_cfg_combined.dts | 25 + .../binman/test/279_ti_board_cfg_no_type.dts | 11 + tools/binman/test/279_ti_secure.dts | 17 + tools/binman/test/280_ti_secure_rom.dts | 17 + .../test/281_ti_secure_rom_combined.dts | 25 + tools/binman/test/288_ti_secure_rom_a.dts | 19 + tools/binman/test/289_ti_secure_rom_b.dts | 18 + tools/binman/test/yaml/config.yaml | 18 + tools/binman/test/yaml/schema.yaml | 49 + tools/binman/test/yaml/schema_notype.yaml | 38 + tools/buildman/requirements.txt | 2 + tools/k3_fit_atf.sh | 123 - tools/k3_gen_x509_cert.sh | 262 -- 92 files changed, 23770 insertions(+), 660 deletions(-) create mode 100644 arch/arm/dts/k3-am625-sk-binman.dtsi create mode 100644 arch/arm/dts/k3-am62a-sk-binman.dtsi create mode 100644 arch/arm/dts/k3-am64x-binman.dtsi create mode 100644 arch/arm/dts/k3-am65x-binman.dtsi create mode 100644 arch/arm/dts/k3-binman.dtsi create mode 100644 arch/arm/dts/k3-j7200-binman.dtsi create mode 100644 arch/arm/dts/k3-j721e-binman.dtsi create mode 100644 arch/arm/dts/k3-j721s2-binman.dtsi delete mode 100644 arch/arm/mach-k3/config.mk create mode 100644 board/ti/am62ax/board-cfg.yaml create mode 100644 board/ti/am62ax/pm-cfg.yaml create mode 100644 board/ti/am62ax/rm-cfg.yaml create mode 100644 board/ti/am62ax/sec-cfg.yaml create mode 100644 board/ti/am62ax/tifs-rm-cfg.yaml create mode 100644 board/ti/am62x/board-cfg.yaml create mode 100644 board/ti/am62x/pm-cfg.yaml create mode 100644 board/ti/am62x/rm-cfg.yaml create mode 100644 board/ti/am62x/sec-cfg.yaml create mode 100644 board/ti/am64x/board-cfg.yaml create mode 100644 board/ti/am64x/pm-cfg.yaml create mode 100644 board/ti/am64x/rm-cfg.yaml create mode 100644 board/ti/am64x/sec-cfg.yaml create mode 100644 board/ti/am65x/board-cfg.yaml create mode 100644 board/ti/am65x/pm-cfg.yaml create mode 100644 board/ti/am65x/rm-cfg.yaml create mode 100644 board/ti/am65x/sec-cfg.yaml create mode 100644 board/ti/common/schema.yaml create mode 100644 board/ti/j721e/board-cfg.yaml create mode 100644 board/ti/j721e/board-cfg_j7200.yaml create mode 100644 board/ti/j721e/pm-cfg.yaml create mode 100644 board/ti/j721e/pm-cfg_j7200.yaml create mode 100644 board/ti/j721e/rm-cfg.yaml create mode 100644 board/ti/j721e/rm-cfg_j7200.yaml create mode 100644 board/ti/j721e/sec-cfg.yaml create mode 100644 board/ti/j721e/sec-cfg_j7200.yaml create mode 100644 board/ti/j721s2/board-cfg.yaml create mode 100644 board/ti/j721s2/pm-cfg.yaml create mode 100644 board/ti/j721s2/rm-cfg.yaml create mode 100644 board/ti/j721s2/sec-cfg.yaml create mode 100644 board/ti/keys/custMpk.pem create mode 100644 board/ti/keys/ti-degenerate-key.pem create mode 100644 tools/binman/etype/ti_board_config.py create mode 100644 tools/binman/etype/ti_secure.py create mode 100644 tools/binman/etype/ti_secure_rom.py create mode 100644 tools/binman/test/277_ti_board_cfg.dts create mode 100644 tools/binman/test/278_ti_board_cfg_combined.dts create mode 100644 tools/binman/test/279_ti_board_cfg_no_type.dts create mode 100644 tools/binman/test/279_ti_secure.dts create mode 100644 tools/binman/test/280_ti_secure_rom.dts create mode 100644 tools/binman/test/281_ti_secure_rom_combined.dts create mode 100644 tools/binman/test/288_ti_secure_rom_a.dts create mode 100644 tools/binman/test/289_ti_secure_rom_b.dts create mode 100644 tools/binman/test/yaml/config.yaml create mode 100644 tools/binman/test/yaml/schema.yaml create mode 100644 tools/binman/test/yaml/schema_notype.yaml create mode 100644 tools/buildman/requirements.txt delete mode 100755 tools/k3_fit_atf.sh delete mode 100755 tools/k3_gen_x509_cert.sh