Message ID | 20240408221735.164871-4-j-humphreys@ti.com |
---|---|
State | Changes Requested |
Delegated to: | Tom Rini |
Headers | show |
Series | binman: ti: create binman nodes for EFI capsules | expand |
On 4/8/24 5:17 PM, Jonathan Humphreys wrote: > Signed-off-by: Jonathan Humphreys <j-humphreys@ti.com> > --- > arch/arm/dts/k3-j721e-binman.dtsi | 32 +++++++++++++++++++++++++++++++ > 1 file changed, 32 insertions(+) > > diff --git a/arch/arm/dts/k3-j721e-binman.dtsi b/arch/arm/dts/k3-j721e-binman.dtsi > index 75a6e9599b9..9169551c422 100644 > --- a/arch/arm/dts/k3-j721e-binman.dtsi > +++ b/arch/arm/dts/k3-j721e-binman.dtsi > @@ -207,6 +207,29 @@ > }; > }; > }; > + > +#include "k3-binman-capsule-r5.dtsi" > + > +// Capsue update GUIDs. See ti_armv7_common.h. > +#define K3_SYSFW_IMAGE_UUID_STR "6fd10680-361b-431f-80aa-899455819e11" > + > +&binman { > + capsule-sysfw { > + filename = "sysfw-capsule.bin"; > + efi-capsule { > + image-index = <0x4>; > + image-guid = K3_SYSFW_IMAGE_UUID_STR; > + private-key = "arch/arm/mach-k3/keys/custMpk.pem"; > + public-key-cert = "arch/arm/mach-k3/keys/custMpk.crt"; > + monotonic-count = <0x1>; > + > + blob { > + filename = "sysfw.itb"; > + }; > + }; > + }; > +}; > + > #endif > > #ifdef CONFIG_TARGET_J721E_A72_EVM > @@ -585,4 +608,13 @@ > }; > }; > }; > + > +#include "k3-binman-capsule.dtsi" > +&tispl_name { > + filename = "tispl.bin_unsigned"; Why use the _unsigned images here? HS devices cannot boot unsigned GP images, but both GP and HS devices *can* boot the normal signed images (GP just strips the signatures off). So no need to use the _unsigned images anymore (I'm planning to just remove them at some point to prevent this confusion). Andrew > +}; > +&uboot_name { > + filename = "u-boot.img_unsigned"; > +}; > + > #endif
Andrew Davis <afd@ti.com> writes: > On 4/8/24 5:17 PM, Jonathan Humphreys wrote: >> Signed-off-by: Jonathan Humphreys <j-humphreys@ti.com> >> --- >> arch/arm/dts/k3-j721e-binman.dtsi | 32 +++++++++++++++++++++++++++++++ >> 1 file changed, 32 insertions(+) >> >> diff --git a/arch/arm/dts/k3-j721e-binman.dtsi b/arch/arm/dts/k3-j721e-binman.dtsi >> index 75a6e9599b9..9169551c422 100644 >> --- a/arch/arm/dts/k3-j721e-binman.dtsi >> +++ b/arch/arm/dts/k3-j721e-binman.dtsi >> @@ -207,6 +207,29 @@ >> }; >> }; >> }; >> + >> +#include "k3-binman-capsule-r5.dtsi" >> + >> +// Capsue update GUIDs. See ti_armv7_common.h. >> +#define K3_SYSFW_IMAGE_UUID_STR "6fd10680-361b-431f-80aa-899455819e11" >> + >> +&binman { >> + capsule-sysfw { >> + filename = "sysfw-capsule.bin"; >> + efi-capsule { >> + image-index = <0x4>; >> + image-guid = K3_SYSFW_IMAGE_UUID_STR; >> + private-key = "arch/arm/mach-k3/keys/custMpk.pem"; >> + public-key-cert = "arch/arm/mach-k3/keys/custMpk.crt"; >> + monotonic-count = <0x1>; >> + >> + blob { >> + filename = "sysfw.itb"; >> + }; >> + }; >> + }; >> +}; >> + >> #endif >> >> #ifdef CONFIG_TARGET_J721E_A72_EVM >> @@ -585,4 +608,13 @@ >> }; >> }; >> }; >> + >> +#include "k3-binman-capsule.dtsi" >> +&tispl_name { >> + filename = "tispl.bin_unsigned"; > > Why use the _unsigned images here? HS devices cannot boot unsigned GP images, > but both GP and HS devices *can* boot the normal signed images (GP just strips > the signatures off). So no need to use the _unsigned images anymore (I'm > planning to just remove them at some point to prevent this confusion). > I can do that. Note that you will then see warnings on GP devices during boot: Warning: Detected image signing certificate on GP device. Skipping certificate to prevent boot failure. This will fail if the image was also encrypted Jon > Andrew > >> +}; >> +&uboot_name { >> + filename = "u-boot.img_unsigned"; >> +}; >> + >> #endif
On 4/10/24 1:24 PM, Jon Humphreys wrote: > Andrew Davis <afd@ti.com> writes: > >> On 4/8/24 5:17 PM, Jonathan Humphreys wrote: >>> Signed-off-by: Jonathan Humphreys <j-humphreys@ti.com> >>> --- >>> arch/arm/dts/k3-j721e-binman.dtsi | 32 +++++++++++++++++++++++++++++++ >>> 1 file changed, 32 insertions(+) >>> >>> diff --git a/arch/arm/dts/k3-j721e-binman.dtsi b/arch/arm/dts/k3-j721e-binman.dtsi >>> index 75a6e9599b9..9169551c422 100644 >>> --- a/arch/arm/dts/k3-j721e-binman.dtsi >>> +++ b/arch/arm/dts/k3-j721e-binman.dtsi >>> @@ -207,6 +207,29 @@ >>> }; >>> }; >>> }; >>> + >>> +#include "k3-binman-capsule-r5.dtsi" >>> + >>> +// Capsue update GUIDs. See ti_armv7_common.h. >>> +#define K3_SYSFW_IMAGE_UUID_STR "6fd10680-361b-431f-80aa-899455819e11" >>> + >>> +&binman { >>> + capsule-sysfw { >>> + filename = "sysfw-capsule.bin"; >>> + efi-capsule { >>> + image-index = <0x4>; >>> + image-guid = K3_SYSFW_IMAGE_UUID_STR; >>> + private-key = "arch/arm/mach-k3/keys/custMpk.pem"; >>> + public-key-cert = "arch/arm/mach-k3/keys/custMpk.crt"; >>> + monotonic-count = <0x1>; >>> + >>> + blob { >>> + filename = "sysfw.itb"; >>> + }; >>> + }; >>> + }; >>> +}; >>> + >>> #endif >>> >>> #ifdef CONFIG_TARGET_J721E_A72_EVM >>> @@ -585,4 +608,13 @@ >>> }; >>> }; >>> }; >>> + >>> +#include "k3-binman-capsule.dtsi" >>> +&tispl_name { >>> + filename = "tispl.bin_unsigned"; >> >> Why use the _unsigned images here? HS devices cannot boot unsigned GP images, >> but both GP and HS devices *can* boot the normal signed images (GP just strips >> the signatures off). So no need to use the _unsigned images anymore (I'm >> planning to just remove them at some point to prevent this confusion). >> > I can do that. > > Note that you will then see warnings on GP devices during boot: > > Warning: Detected image signing certificate on GP device. Skipping certificate to prevent boot failure. This will fail if the image was also encrypted > True, I'll send a fix for that. Andrew > Jon > >> Andrew >> >>> +}; >>> +&uboot_name { >>> + filename = "u-boot.img_unsigned"; >>> +}; >>> + >>> #endif
diff --git a/arch/arm/dts/k3-j721e-binman.dtsi b/arch/arm/dts/k3-j721e-binman.dtsi index 75a6e9599b9..9169551c422 100644 --- a/arch/arm/dts/k3-j721e-binman.dtsi +++ b/arch/arm/dts/k3-j721e-binman.dtsi @@ -207,6 +207,29 @@ }; }; }; + +#include "k3-binman-capsule-r5.dtsi" + +// Capsue update GUIDs. See ti_armv7_common.h. +#define K3_SYSFW_IMAGE_UUID_STR "6fd10680-361b-431f-80aa-899455819e11" + +&binman { + capsule-sysfw { + filename = "sysfw-capsule.bin"; + efi-capsule { + image-index = <0x4>; + image-guid = K3_SYSFW_IMAGE_UUID_STR; + private-key = "arch/arm/mach-k3/keys/custMpk.pem"; + public-key-cert = "arch/arm/mach-k3/keys/custMpk.crt"; + monotonic-count = <0x1>; + + blob { + filename = "sysfw.itb"; + }; + }; + }; +}; + #endif #ifdef CONFIG_TARGET_J721E_A72_EVM @@ -585,4 +608,13 @@ }; }; }; + +#include "k3-binman-capsule.dtsi" +&tispl_name { + filename = "tispl.bin_unsigned"; +}; +&uboot_name { + filename = "u-boot.img_unsigned"; +}; + #endif
Signed-off-by: Jonathan Humphreys <j-humphreys@ti.com> --- arch/arm/dts/k3-j721e-binman.dtsi | 32 +++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+)