| Message ID | 20220509072936.12899-4-rogerq@kernel.org |
|---|---|
| State | Changes Requested |
| Delegated to: | Tom Rini |
| Headers | show |
| Series | k3-am642-evm-u-boot: Use binman to generate u-boot.img and tispl.bin | expand |
On 5/9/22 2:29 AM, Roger Quadros wrote: > Introduce k3-am642-evm-binman.dtsi to provide binman configuration. > > R5 build is still not converted to use binman so restrict binman.dtsi > to A53 builds only. > > This patch also take care of building Secure (HS) images using > binman instead of tools/k3_fit_atf.sh if CONFIG_BINMAN is set. > > Signed-off-by: Roger Quadros <rogerq@kernel.org> > --- > arch/arm/dts/k3-am642-evm-binman.dtsi | 230 ++++++++++++++++++++++++++ > arch/arm/dts/k3-am642-evm-u-boot.dtsi | 3 + > arch/arm/mach-k3/Kconfig | 1 + > arch/arm/mach-k3/config.mk | 7 + > 4 files changed, 241 insertions(+) > create mode 100644 arch/arm/dts/k3-am642-evm-binman.dtsi > > diff --git a/arch/arm/dts/k3-am642-evm-binman.dtsi b/arch/arm/dts/k3-am642-evm-binman.dtsi > new file mode 100644 > index 0000000000..9e85ef41b0 > --- /dev/null > +++ b/arch/arm/dts/k3-am642-evm-binman.dtsi > @@ -0,0 +1,230 @@ > +// SPDX-License-Identifier: GPL-2.0 > +/* > + * Copyright (C) 2021 Texas Instruments Incorporated - https://www.ti.com/ > + */ > + > +/ { > + binman: binman { > + multiple-images; > + }; > +}; > + > +#ifdef CONFIG_TARGET_AM642_A53_EVM > + > +#ifdef CONFIG_TI_SECURE_DEVICE > +#define TISPL "tispl.bin_HS" > +#define UBOOT_IMG "u-boot.img_HS" > +#else > +#define TISPL "tispl.bin" > +#define UBOOT_IMG "u-boot.img" > +#endif > + > +#define SPL_NODTB "spl/u-boot-spl-nodtb.bin" > +#define SPL_AM642_EVM_DTB "spl/dts/k3-am642-evm.dtb" > +#define SPL_AM642_SK_DTB "spl/dts/k3-am642-sk.dtb" > + > +#define UBOOT_NODTB "u-boot-nodtb.bin" > +#define AM642_EVM_DTB "arch/arm/dts/k3-am642-evm.dtb" > +#define AM642_SK_DTB "arch/arm/dts/k3-am642-sk.dtb" > + > +&binman { > + ti-spl { > + filename = TISPL; > + pad-byte = <0xff>; > + > + fit { > + description = "Configuration to load ATF and SPL"; > + #address-cells = <1>; > + > + images { > + > + atf { > + description = "ARM Trusted Firmware"; > + type = "firmware"; > + arch = "arm64"; > + compression = "none"; > + os = "arm-trusted-firmware"; > + load = <CONFIG_K3_ATF_LOAD_ADDR>; > + entry = <CONFIG_K3_ATF_LOAD_ADDR>; > + atf-bl31 { > + filename = "bl31.bin"; > + }; On HS, bl31.bin and the below TEE and DM images must also be signed before being packaged into tispl.bin. Can we add signing here? Andrew > + }; > + > + tee { > + description = "OPTEE"; > + type = "tee"; > + arch = "arm64"; > + compression = "none"; > + os = "tee"; > + load = <0x9e800000>; > + entry = <0x9e800000>; > + tee-os { > + filename = "tee-pager_v2.bin"; > + }; > + }; > + > + dm { > + description = "DM binary"; > + type = "firmware"; > + arch = "arm32"; > + compression = "none"; > + os = "DM"; > + load = <0x89000000>; > + entry = <0x89000000>; > + blob-ext { > + filename = "/dev/null"; > + }; > + }; > + > + spl { > + description = "SPL (64-bit)"; > + type = "standalone"; > + os = "U-Boot"; > + arch = "arm64"; > + compression = "none"; > + load = <0x80080000>; > + entry = <0x80080000>; > +#ifdef CONFIG_TI_SECURE_DEVICE > + ti-secure { > +#else > + blob { > +#endif > + filename = SPL_NODTB; > + }; > + }; > + > + fdt-1 { > + description = "k3-am642-evm"; > + type = "flat_dt"; > + arch = "arm"; > + compression = "none"; > +#ifdef CONFIG_TI_SECURE_DEVICE > + ti-secure { > +#else > + blob { > +#endif > + filename = SPL_AM642_EVM_DTB; > + }; > + }; > + > + fdt-2 { > + description = "k3-am642-sk"; > + type = "flat_dt"; > + arch = "arm"; > + compression = "none"; > +#ifdef CONFIG_TI_SECURE_DEVICE > + ti-secure { > +#else > + blob { > +#endif > + filename = SPL_AM642_SK_DTB; > + }; > + }; > + }; > + > + configurations { > + default = "conf-1"; > + > + conf-1 { > + description = "k3-am642-evm"; > + firmware = "atf"; > + loadables = "tee", "dm", "spl"; > + fdt = "fdt-1"; > + }; > + > + conf-2 { > + description = "k3-am642-sk"; > + firmware = "atf"; > + loadables = "tee", "dm", "spl"; > + fdt = "fdt-2"; > + }; > + }; > + }; > + }; > +}; > + > +&binman { > + u-boot { > + filename = UBOOT_IMG; > + pad-byte = <0xff>; > + > + fit { > + description = "FIT image with multiple configurations"; > + > + images { > + uboot { > + description = "U-Boot for am64x board"; > + type = "firmware"; > + os = "u-boot"; > + arch = "arm"; > + compression = "none"; > + load = <CONFIG_SYS_TEXT_BASE>; > +#ifdef CONFIG_TI_SECURE_DEVICE > + ti-secure { > +#else > + blob { > +#endif > + filename = UBOOT_NODTB; > + }; > + hash { > + algo = "crc32"; > + }; > + }; > + > + fdt-1 { > + description = "k3-am642-evm"; > + type = "flat_dt"; > + arch = "arm"; > + compression = "none"; > +#ifdef CONFIG_TI_SECURE_DEVICE > + ti-secure { > +#else > + blob { > +#endif > + filename = AM642_EVM_DTB; > + }; > + hash { > + algo = "crc32"; > + }; > + }; > + > + fdt-2 { > + description = "k3-am642-sk"; > + type = "flat_dt"; > + arch = "arm"; > + compression = "none"; > +#ifdef CONFIG_TI_SECURE_DEVICE > + ti-secure { > +#else > + blob { > +#endif > + filename = AM642_SK_DTB; > + }; > + hash { > + algo = "crc32"; > + }; > + }; > + }; > + > + configurations { > + default = "conf-1"; > + > + conf-1 { > + description = "k3-am642-evm"; > + firmware = "uboot"; > + loadables = "uboot"; > + fdt = "fdt-1"; > + }; > + > + conf-2 { > + description = "k3-am642-sk"; > + firmware = "uboot"; > + loadables = "uboot"; > + fdt = "fdt-2"; > + }; > + }; > + }; > + }; > +}; > +#endif > diff --git a/arch/arm/dts/k3-am642-evm-u-boot.dtsi b/arch/arm/dts/k3-am642-evm-u-boot.dtsi > index 03688a51a3..db0a529f0f 100644 > --- a/arch/arm/dts/k3-am642-evm-u-boot.dtsi > +++ b/arch/arm/dts/k3-am642-evm-u-boot.dtsi > @@ -2,6 +2,9 @@ > /* > * Copyright (C) 2020-2021 Texas Instruments Incorporated - https://www.ti.com/ > */ > +#include <config.h> > + > +#include "k3-am642-evm-binman.dtsi" > > / { > chosen { > diff --git a/arch/arm/mach-k3/Kconfig b/arch/arm/mach-k3/Kconfig > index a01bf23514..a4c561254d 100644 > --- a/arch/arm/mach-k3/Kconfig > +++ b/arch/arm/mach-k3/Kconfig > @@ -15,6 +15,7 @@ config SOC_K3_J721S2 > > config SOC_K3_AM642 > bool "TI's K3 based AM642 SoC Family Support" > + select BINMAN if TARGET_AM642_A53_EVM > > endchoice > > diff --git a/arch/arm/mach-k3/config.mk b/arch/arm/mach-k3/config.mk > index da458bcfb2..d2c490818a 100644 > --- a/arch/arm/mach-k3/config.mk > +++ b/arch/arm/mach-k3/config.mk > @@ -47,6 +47,7 @@ tiboot3.bin: image_check FORCE > INPUTS-y += tiboot3.bin > endif > > +ifndef CONFIG_BINMAN > ifdef CONFIG_ARM64 > > ifeq ($(CONFIG_SOC_K3_J721E),) > @@ -77,9 +78,11 @@ cmd_k3_mkits = \ > $(SPL_ITS): FORCE > $(call cmd,k3_mkits) > endif > +endif > > else > > +ifndef CONFIG_BINMAN > ifeq ($(CONFIG_TI_SECURE_DEVICE),y) > INPUTS-y += u-boot.img_HS > else > @@ -87,4 +90,8 @@ INPUTS-y += u-boot.img > endif > endif > > +endif > + > +ifndef CONFIG_BINMAN > include $(srctree)/arch/arm/mach-k3/config_secure.mk > +endif
Hi Andrew, On 25/05/2022 01:03, Andrew Davis wrote: > On 5/9/22 2:29 AM, Roger Quadros wrote: >> Introduce k3-am642-evm-binman.dtsi to provide binman configuration. >> >> R5 build is still not converted to use binman so restrict binman.dtsi >> to A53 builds only. >> >> This patch also take care of building Secure (HS) images using >> binman instead of tools/k3_fit_atf.sh if CONFIG_BINMAN is set. >> >> Signed-off-by: Roger Quadros <rogerq@kernel.org> >> --- >> arch/arm/dts/k3-am642-evm-binman.dtsi | 230 ++++++++++++++++++++++++++ >> arch/arm/dts/k3-am642-evm-u-boot.dtsi | 3 + >> arch/arm/mach-k3/Kconfig | 1 + >> arch/arm/mach-k3/config.mk | 7 + >> 4 files changed, 241 insertions(+) >> create mode 100644 arch/arm/dts/k3-am642-evm-binman.dtsi >> >> diff --git a/arch/arm/dts/k3-am642-evm-binman.dtsi b/arch/arm/dts/k3-am642-evm-binman.dtsi >> new file mode 100644 >> index 0000000000..9e85ef41b0 >> --- /dev/null >> +++ b/arch/arm/dts/k3-am642-evm-binman.dtsi >> @@ -0,0 +1,230 @@ >> +// SPDX-License-Identifier: GPL-2.0 >> +/* >> + * Copyright (C) 2021 Texas Instruments Incorporated - https://www.ti.com/ >> + */ >> + >> +/ { >> + binman: binman { >> + multiple-images; >> + }; >> +}; >> + >> +#ifdef CONFIG_TARGET_AM642_A53_EVM >> + >> +#ifdef CONFIG_TI_SECURE_DEVICE >> +#define TISPL "tispl.bin_HS" >> +#define UBOOT_IMG "u-boot.img_HS" >> +#else >> +#define TISPL "tispl.bin" >> +#define UBOOT_IMG "u-boot.img" >> +#endif >> + >> +#define SPL_NODTB "spl/u-boot-spl-nodtb.bin" >> +#define SPL_AM642_EVM_DTB "spl/dts/k3-am642-evm.dtb" >> +#define SPL_AM642_SK_DTB "spl/dts/k3-am642-sk.dtb" >> + >> +#define UBOOT_NODTB "u-boot-nodtb.bin" >> +#define AM642_EVM_DTB "arch/arm/dts/k3-am642-evm.dtb" >> +#define AM642_SK_DTB "arch/arm/dts/k3-am642-sk.dtb" >> + >> +&binman { >> + ti-spl { >> + filename = TISPL; >> + pad-byte = <0xff>; >> + >> + fit { >> + description = "Configuration to load ATF and SPL"; >> + #address-cells = <1>; >> + >> + images { >> + >> + atf { >> + description = "ARM Trusted Firmware"; >> + type = "firmware"; >> + arch = "arm64"; >> + compression = "none"; >> + os = "arm-trusted-firmware"; >> + load = <CONFIG_K3_ATF_LOAD_ADDR>; >> + entry = <CONFIG_K3_ATF_LOAD_ADDR>; >> + atf-bl31 { >> + filename = "bl31.bin"; >> + }; > > > On HS, bl31.bin and the below TEE and DM images must also be signed > before being packaged into tispl.bin. > Can we add signing here? I'm wondering how this is working as is on HS boards. Another thing to note is that the atf and tee entries take into consideration the below environment variables -a atf-bl31-path=${BL31} \ -a tee-os-path=${TEE} \ How do we continue to support that while adding the signing bits? cheers, -roger > > Andrew > > >> + }; >> + >> + tee { >> + description = "OPTEE"; >> + type = "tee"; >> + arch = "arm64"; >> + compression = "none"; >> + os = "tee"; >> + load = <0x9e800000>; >> + entry = <0x9e800000>; >> + tee-os { >> + filename = "tee-pager_v2.bin"; >> + }; >> + }; >> + >> + dm { >> + description = "DM binary"; >> + type = "firmware"; >> + arch = "arm32"; >> + compression = "none"; >> + os = "DM"; >> + load = <0x89000000>; >> + entry = <0x89000000>; >> + blob-ext { >> + filename = "/dev/null"; >> + }; >> + }; >> + >> + spl { >> + description = "SPL (64-bit)"; >> + type = "standalone"; >> + os = "U-Boot"; >> + arch = "arm64"; >> + compression = "none"; >> + load = <0x80080000>; >> + entry = <0x80080000>; >> +#ifdef CONFIG_TI_SECURE_DEVICE >> + ti-secure { >> +#else >> + blob { >> +#endif >> + filename = SPL_NODTB; >> + }; >> + }; >> + >> + fdt-1 { >> + description = "k3-am642-evm"; >> + type = "flat_dt"; >> + arch = "arm"; >> + compression = "none"; >> +#ifdef CONFIG_TI_SECURE_DEVICE >> + ti-secure { >> +#else >> + blob { >> +#endif >> + filename = SPL_AM642_EVM_DTB; >> + }; >> + }; >> + >> + fdt-2 { >> + description = "k3-am642-sk"; >> + type = "flat_dt"; >> + arch = "arm"; >> + compression = "none"; >> +#ifdef CONFIG_TI_SECURE_DEVICE >> + ti-secure { >> +#else >> + blob { >> +#endif >> + filename = SPL_AM642_SK_DTB; >> + }; >> + }; >> + }; >> + >> + configurations { >> + default = "conf-1"; >> + >> + conf-1 { >> + description = "k3-am642-evm"; >> + firmware = "atf"; >> + loadables = "tee", "dm", "spl"; >> + fdt = "fdt-1"; >> + }; >> + >> + conf-2 { >> + description = "k3-am642-sk"; >> + firmware = "atf"; >> + loadables = "tee", "dm", "spl"; >> + fdt = "fdt-2"; >> + }; >> + }; >> + }; >> + }; >> +}; >> + >> +&binman { >> + u-boot { >> + filename = UBOOT_IMG; >> + pad-byte = <0xff>; >> + >> + fit { >> + description = "FIT image with multiple configurations"; >> + >> + images { >> + uboot { >> + description = "U-Boot for am64x board"; >> + type = "firmware"; >> + os = "u-boot"; >> + arch = "arm"; >> + compression = "none"; >> + load = <CONFIG_SYS_TEXT_BASE>; >> +#ifdef CONFIG_TI_SECURE_DEVICE >> + ti-secure { >> +#else >> + blob { >> +#endif >> + filename = UBOOT_NODTB; >> + }; >> + hash { >> + algo = "crc32"; >> + }; >> + }; >> + >> + fdt-1 { >> + description = "k3-am642-evm"; >> + type = "flat_dt"; >> + arch = "arm"; >> + compression = "none"; >> +#ifdef CONFIG_TI_SECURE_DEVICE >> + ti-secure { >> +#else >> + blob { >> +#endif >> + filename = AM642_EVM_DTB; >> + }; >> + hash { >> + algo = "crc32"; >> + }; >> + }; >> + >> + fdt-2 { >> + description = "k3-am642-sk"; >> + type = "flat_dt"; >> + arch = "arm"; >> + compression = "none"; >> +#ifdef CONFIG_TI_SECURE_DEVICE >> + ti-secure { >> +#else >> + blob { >> +#endif >> + filename = AM642_SK_DTB; >> + }; >> + hash { >> + algo = "crc32"; >> + }; >> + }; >> + }; >> + >> + configurations { >> + default = "conf-1"; >> + >> + conf-1 { >> + description = "k3-am642-evm"; >> + firmware = "uboot"; >> + loadables = "uboot"; >> + fdt = "fdt-1"; >> + }; >> + >> + conf-2 { >> + description = "k3-am642-sk"; >> + firmware = "uboot"; >> + loadables = "uboot"; >> + fdt = "fdt-2"; >> + }; >> + }; >> + }; >> + }; >> +}; >> +#endif >> diff --git a/arch/arm/dts/k3-am642-evm-u-boot.dtsi b/arch/arm/dts/k3-am642-evm-u-boot.dtsi >> index 03688a51a3..db0a529f0f 100644 >> --- a/arch/arm/dts/k3-am642-evm-u-boot.dtsi >> +++ b/arch/arm/dts/k3-am642-evm-u-boot.dtsi >> @@ -2,6 +2,9 @@ >> /* >> * Copyright (C) 2020-2021 Texas Instruments Incorporated - https://www.ti.com/ >> */ >> +#include <config.h> >> + >> +#include "k3-am642-evm-binman.dtsi" >> / { >> chosen { >> diff --git a/arch/arm/mach-k3/Kconfig b/arch/arm/mach-k3/Kconfig >> index a01bf23514..a4c561254d 100644 >> --- a/arch/arm/mach-k3/Kconfig >> +++ b/arch/arm/mach-k3/Kconfig >> @@ -15,6 +15,7 @@ config SOC_K3_J721S2 >> config SOC_K3_AM642 >> bool "TI's K3 based AM642 SoC Family Support" >> + select BINMAN if TARGET_AM642_A53_EVM >> endchoice >> diff --git a/arch/arm/mach-k3/config.mk b/arch/arm/mach-k3/config.mk >> index da458bcfb2..d2c490818a 100644 >> --- a/arch/arm/mach-k3/config.mk >> +++ b/arch/arm/mach-k3/config.mk >> @@ -47,6 +47,7 @@ tiboot3.bin: image_check FORCE >> INPUTS-y += tiboot3.bin >> endif >> +ifndef CONFIG_BINMAN >> ifdef CONFIG_ARM64 >> ifeq ($(CONFIG_SOC_K3_J721E),) >> @@ -77,9 +78,11 @@ cmd_k3_mkits = \ >> $(SPL_ITS): FORCE >> $(call cmd,k3_mkits) >> endif >> +endif >> else >> +ifndef CONFIG_BINMAN >> ifeq ($(CONFIG_TI_SECURE_DEVICE),y) >> INPUTS-y += u-boot.img_HS >> else >> @@ -87,4 +90,8 @@ INPUTS-y += u-boot.img >> endif >> endif >> +endif >> + >> +ifndef CONFIG_BINMAN >> include $(srctree)/arch/arm/mach-k3/config_secure.mk >> +endif
On 5/25/22 3:30 AM, Roger Quadros wrote: > Hi Andrew, > > On 25/05/2022 01:03, Andrew Davis wrote: >> On 5/9/22 2:29 AM, Roger Quadros wrote: >>> Introduce k3-am642-evm-binman.dtsi to provide binman configuration. >>> >>> R5 build is still not converted to use binman so restrict binman.dtsi >>> to A53 builds only. >>> >>> This patch also take care of building Secure (HS) images using >>> binman instead of tools/k3_fit_atf.sh if CONFIG_BINMAN is set. >>> >>> Signed-off-by: Roger Quadros <rogerq@kernel.org> >>> --- >>> arch/arm/dts/k3-am642-evm-binman.dtsi | 230 ++++++++++++++++++++++++++ >>> arch/arm/dts/k3-am642-evm-u-boot.dtsi | 3 + >>> arch/arm/mach-k3/Kconfig | 1 + >>> arch/arm/mach-k3/config.mk | 7 + >>> 4 files changed, 241 insertions(+) >>> create mode 100644 arch/arm/dts/k3-am642-evm-binman.dtsi >>> >>> diff --git a/arch/arm/dts/k3-am642-evm-binman.dtsi b/arch/arm/dts/k3-am642-evm-binman.dtsi >>> new file mode 100644 >>> index 0000000000..9e85ef41b0 >>> --- /dev/null >>> +++ b/arch/arm/dts/k3-am642-evm-binman.dtsi >>> @@ -0,0 +1,230 @@ >>> +// SPDX-License-Identifier: GPL-2.0 >>> +/* >>> + * Copyright (C) 2021 Texas Instruments Incorporated - https://www.ti.com/ >>> + */ >>> + >>> +/ { >>> + binman: binman { >>> + multiple-images; >>> + }; >>> +}; >>> + >>> +#ifdef CONFIG_TARGET_AM642_A53_EVM >>> + >>> +#ifdef CONFIG_TI_SECURE_DEVICE >>> +#define TISPL "tispl.bin_HS" >>> +#define UBOOT_IMG "u-boot.img_HS" >>> +#else >>> +#define TISPL "tispl.bin" >>> +#define UBOOT_IMG "u-boot.img" >>> +#endif >>> + >>> +#define SPL_NODTB "spl/u-boot-spl-nodtb.bin" >>> +#define SPL_AM642_EVM_DTB "spl/dts/k3-am642-evm.dtb" >>> +#define SPL_AM642_SK_DTB "spl/dts/k3-am642-sk.dtb" >>> + >>> +#define UBOOT_NODTB "u-boot-nodtb.bin" >>> +#define AM642_EVM_DTB "arch/arm/dts/k3-am642-evm.dtb" >>> +#define AM642_SK_DTB "arch/arm/dts/k3-am642-sk.dtb" >>> + >>> +&binman { >>> + ti-spl { >>> + filename = TISPL; >>> + pad-byte = <0xff>; >>> + >>> + fit { >>> + description = "Configuration to load ATF and SPL"; >>> + #address-cells = <1>; >>> + >>> + images { >>> + >>> + atf { >>> + description = "ARM Trusted Firmware"; >>> + type = "firmware"; >>> + arch = "arm64"; >>> + compression = "none"; >>> + os = "arm-trusted-firmware"; >>> + load = <CONFIG_K3_ATF_LOAD_ADDR>; >>> + entry = <CONFIG_K3_ATF_LOAD_ADDR>; >>> + atf-bl31 { >>> + filename = "bl31.bin"; >>> + }; >> >> >> On HS, bl31.bin and the below TEE and DM images must also be signed >> before being packaged into tispl.bin. >> Can we add signing here? > > I'm wondering how this is working as is on HS boards. > Today we manually sign those two before we feed them to U-Boot build. I'd like to fix that and have them signed along with all the other parts here when packaging them together. > Another thing to note is that the atf and tee entries take into consideration > the below environment variables > -a atf-bl31-path=${BL31} \ > -a tee-os-path=${TEE} \ > > How do we continue to support that while adding the signing bits? > That's my question also, I'm not sure how we would make the type 'ti-secure' while also changing their path names, seems like a limitation currently of using etypes to do the signing, since we can do path renames from command line. Andrew > cheers, > -roger > >> >> Andrew >> >> >>> + }; >>> + >>> + tee { >>> + description = "OPTEE"; >>> + type = "tee"; >>> + arch = "arm64"; >>> + compression = "none"; >>> + os = "tee"; >>> + load = <0x9e800000>; >>> + entry = <0x9e800000>; >>> + tee-os { >>> + filename = "tee-pager_v2.bin"; >>> + }; >>> + }; >>> + >>> + dm { >>> + description = "DM binary"; >>> + type = "firmware"; >>> + arch = "arm32"; >>> + compression = "none"; >>> + os = "DM"; >>> + load = <0x89000000>; >>> + entry = <0x89000000>; >>> + blob-ext { >>> + filename = "/dev/null"; >>> + }; >>> + }; >>> + >>> + spl { >>> + description = "SPL (64-bit)"; >>> + type = "standalone"; >>> + os = "U-Boot"; >>> + arch = "arm64"; >>> + compression = "none"; >>> + load = <0x80080000>; >>> + entry = <0x80080000>; >>> +#ifdef CONFIG_TI_SECURE_DEVICE >>> + ti-secure { >>> +#else >>> + blob { >>> +#endif >>> + filename = SPL_NODTB; >>> + }; >>> + }; >>> + >>> + fdt-1 { >>> + description = "k3-am642-evm"; >>> + type = "flat_dt"; >>> + arch = "arm"; >>> + compression = "none"; >>> +#ifdef CONFIG_TI_SECURE_DEVICE >>> + ti-secure { >>> +#else >>> + blob { >>> +#endif >>> + filename = SPL_AM642_EVM_DTB; >>> + }; >>> + }; >>> + >>> + fdt-2 { >>> + description = "k3-am642-sk"; >>> + type = "flat_dt"; >>> + arch = "arm"; >>> + compression = "none"; >>> +#ifdef CONFIG_TI_SECURE_DEVICE >>> + ti-secure { >>> +#else >>> + blob { >>> +#endif >>> + filename = SPL_AM642_SK_DTB; >>> + }; >>> + }; >>> + }; >>> + >>> + configurations { >>> + default = "conf-1"; >>> + >>> + conf-1 { >>> + description = "k3-am642-evm"; >>> + firmware = "atf"; >>> + loadables = "tee", "dm", "spl"; >>> + fdt = "fdt-1"; >>> + }; >>> + >>> + conf-2 { >>> + description = "k3-am642-sk"; >>> + firmware = "atf"; >>> + loadables = "tee", "dm", "spl"; >>> + fdt = "fdt-2"; >>> + }; >>> + }; >>> + }; >>> + }; >>> +}; >>> + >>> +&binman { >>> + u-boot { >>> + filename = UBOOT_IMG; >>> + pad-byte = <0xff>; >>> + >>> + fit { >>> + description = "FIT image with multiple configurations"; >>> + >>> + images { >>> + uboot { >>> + description = "U-Boot for am64x board"; >>> + type = "firmware"; >>> + os = "u-boot"; >>> + arch = "arm"; >>> + compression = "none"; >>> + load = <CONFIG_SYS_TEXT_BASE>; >>> +#ifdef CONFIG_TI_SECURE_DEVICE >>> + ti-secure { >>> +#else >>> + blob { >>> +#endif >>> + filename = UBOOT_NODTB; >>> + }; >>> + hash { >>> + algo = "crc32"; >>> + }; >>> + }; >>> + >>> + fdt-1 { >>> + description = "k3-am642-evm"; >>> + type = "flat_dt"; >>> + arch = "arm"; >>> + compression = "none"; >>> +#ifdef CONFIG_TI_SECURE_DEVICE >>> + ti-secure { >>> +#else >>> + blob { >>> +#endif >>> + filename = AM642_EVM_DTB; >>> + }; >>> + hash { >>> + algo = "crc32"; >>> + }; >>> + }; >>> + >>> + fdt-2 { >>> + description = "k3-am642-sk"; >>> + type = "flat_dt"; >>> + arch = "arm"; >>> + compression = "none"; >>> +#ifdef CONFIG_TI_SECURE_DEVICE >>> + ti-secure { >>> +#else >>> + blob { >>> +#endif >>> + filename = AM642_SK_DTB; >>> + }; >>> + hash { >>> + algo = "crc32"; >>> + }; >>> + }; >>> + }; >>> + >>> + configurations { >>> + default = "conf-1"; >>> + >>> + conf-1 { >>> + description = "k3-am642-evm"; >>> + firmware = "uboot"; >>> + loadables = "uboot"; >>> + fdt = "fdt-1"; >>> + }; >>> + >>> + conf-2 { >>> + description = "k3-am642-sk"; >>> + firmware = "uboot"; >>> + loadables = "uboot"; >>> + fdt = "fdt-2"; >>> + }; >>> + }; >>> + }; >>> + }; >>> +}; >>> +#endif >>> diff --git a/arch/arm/dts/k3-am642-evm-u-boot.dtsi b/arch/arm/dts/k3-am642-evm-u-boot.dtsi >>> index 03688a51a3..db0a529f0f 100644 >>> --- a/arch/arm/dts/k3-am642-evm-u-boot.dtsi >>> +++ b/arch/arm/dts/k3-am642-evm-u-boot.dtsi >>> @@ -2,6 +2,9 @@ >>> /* >>> * Copyright (C) 2020-2021 Texas Instruments Incorporated - https://www.ti.com/ >>> */ >>> +#include <config.h> >>> + >>> +#include "k3-am642-evm-binman.dtsi" >>> / { >>> chosen { >>> diff --git a/arch/arm/mach-k3/Kconfig b/arch/arm/mach-k3/Kconfig >>> index a01bf23514..a4c561254d 100644 >>> --- a/arch/arm/mach-k3/Kconfig >>> +++ b/arch/arm/mach-k3/Kconfig >>> @@ -15,6 +15,7 @@ config SOC_K3_J721S2 >>> config SOC_K3_AM642 >>> bool "TI's K3 based AM642 SoC Family Support" >>> + select BINMAN if TARGET_AM642_A53_EVM >>> endchoice >>> diff --git a/arch/arm/mach-k3/config.mk b/arch/arm/mach-k3/config.mk >>> index da458bcfb2..d2c490818a 100644 >>> --- a/arch/arm/mach-k3/config.mk >>> +++ b/arch/arm/mach-k3/config.mk >>> @@ -47,6 +47,7 @@ tiboot3.bin: image_check FORCE >>> INPUTS-y += tiboot3.bin >>> endif >>> +ifndef CONFIG_BINMAN >>> ifdef CONFIG_ARM64 >>> ifeq ($(CONFIG_SOC_K3_J721E),) >>> @@ -77,9 +78,11 @@ cmd_k3_mkits = \ >>> $(SPL_ITS): FORCE >>> $(call cmd,k3_mkits) >>> endif >>> +endif >>> else >>> +ifndef CONFIG_BINMAN >>> ifeq ($(CONFIG_TI_SECURE_DEVICE),y) >>> INPUTS-y += u-boot.img_HS >>> else >>> @@ -87,4 +90,8 @@ INPUTS-y += u-boot.img >>> endif >>> endif >>> +endif >>> + >>> +ifndef CONFIG_BINMAN >>> include $(srctree)/arch/arm/mach-k3/config_secure.mk >>> +endif
On 25/05/2022 18:14, Andrew Davis wrote: > On 5/25/22 3:30 AM, Roger Quadros wrote: >> Hi Andrew, >> >> On 25/05/2022 01:03, Andrew Davis wrote: >>> On 5/9/22 2:29 AM, Roger Quadros wrote: >>>> Introduce k3-am642-evm-binman.dtsi to provide binman configuration. >>>> >>>> R5 build is still not converted to use binman so restrict binman.dtsi >>>> to A53 builds only. >>>> >>>> This patch also take care of building Secure (HS) images using >>>> binman instead of tools/k3_fit_atf.sh if CONFIG_BINMAN is set. >>>> >>>> Signed-off-by: Roger Quadros <rogerq@kernel.org> >>>> --- >>>> arch/arm/dts/k3-am642-evm-binman.dtsi | 230 ++++++++++++++++++++++++++ >>>> arch/arm/dts/k3-am642-evm-u-boot.dtsi | 3 + >>>> arch/arm/mach-k3/Kconfig | 1 + >>>> arch/arm/mach-k3/config.mk | 7 + >>>> 4 files changed, 241 insertions(+) >>>> create mode 100644 arch/arm/dts/k3-am642-evm-binman.dtsi >>>> >>>> diff --git a/arch/arm/dts/k3-am642-evm-binman.dtsi b/arch/arm/dts/k3-am642-evm-binman.dtsi >>>> new file mode 100644 >>>> index 0000000000..9e85ef41b0 >>>> --- /dev/null >>>> +++ b/arch/arm/dts/k3-am642-evm-binman.dtsi >>>> @@ -0,0 +1,230 @@ >>>> +// SPDX-License-Identifier: GPL-2.0 >>>> +/* >>>> + * Copyright (C) 2021 Texas Instruments Incorporated - https://www.ti.com/ >>>> + */ >>>> + >>>> +/ { >>>> + binman: binman { >>>> + multiple-images; >>>> + }; >>>> +}; >>>> + >>>> +#ifdef CONFIG_TARGET_AM642_A53_EVM >>>> + >>>> +#ifdef CONFIG_TI_SECURE_DEVICE >>>> +#define TISPL "tispl.bin_HS" >>>> +#define UBOOT_IMG "u-boot.img_HS" >>>> +#else >>>> +#define TISPL "tispl.bin" >>>> +#define UBOOT_IMG "u-boot.img" >>>> +#endif >>>> + >>>> +#define SPL_NODTB "spl/u-boot-spl-nodtb.bin" >>>> +#define SPL_AM642_EVM_DTB "spl/dts/k3-am642-evm.dtb" >>>> +#define SPL_AM642_SK_DTB "spl/dts/k3-am642-sk.dtb" >>>> + >>>> +#define UBOOT_NODTB "u-boot-nodtb.bin" >>>> +#define AM642_EVM_DTB "arch/arm/dts/k3-am642-evm.dtb" >>>> +#define AM642_SK_DTB "arch/arm/dts/k3-am642-sk.dtb" >>>> + >>>> +&binman { >>>> + ti-spl { >>>> + filename = TISPL; >>>> + pad-byte = <0xff>; >>>> + >>>> + fit { >>>> + description = "Configuration to load ATF and SPL"; >>>> + #address-cells = <1>; >>>> + >>>> + images { >>>> + >>>> + atf { >>>> + description = "ARM Trusted Firmware"; >>>> + type = "firmware"; >>>> + arch = "arm64"; >>>> + compression = "none"; >>>> + os = "arm-trusted-firmware"; >>>> + load = <CONFIG_K3_ATF_LOAD_ADDR>; >>>> + entry = <CONFIG_K3_ATF_LOAD_ADDR>; >>>> + atf-bl31 { >>>> + filename = "bl31.bin"; >>>> + }; >>> >>> >>> On HS, bl31.bin and the below TEE and DM images must also be signed >>> before being packaged into tispl.bin. >>> Can we add signing here? >> >> I'm wondering how this is working as is on HS boards. >> > > > Today we manually sign those two before we feed them to U-Boot build. > I'd like to fix that and have them signed along with all the other > parts here when packaging them together. > OK. Then this is new feature. Do you mind if I make a separate patch for it? But first I need to figure out what to do ;) > >> Another thing to note is that the atf and tee entries take into consideration >> the below environment variables >> -a atf-bl31-path=${BL31} \ >> -a tee-os-path=${TEE} \ >> >> How do we continue to support that while adding the signing bits? >> > > > That's my question also, I'm not sure how we would make the type 'ti-secure' > while also changing their path names, seems like a limitation currently > of using etypes to do the signing, since we can do path renames from > command line. Simon, Any thoughts on how to get the new ti-secure etype work with atf-bl31 and tee-os etypes so that it can take the data output of those entries and create a signed binary with filenames from those entries or atf-bl31-path and tee-os-path? Can something like this work? ti-secure { atf-bl31 { filename = "bl31.bin"; }; } We could probably get rid of filename property from ti-secure etype and use blob for regular files. ti-secure { blob { filename = "somefile.ext"; } } cheers, -roger > > Andrew > > >> cheers, >> -roger >> >>> >>> Andrew >>> >>> >>>> + }; >>>> + >>>> + tee { >>>> + description = "OPTEE"; >>>> + type = "tee"; >>>> + arch = "arm64"; >>>> + compression = "none"; >>>> + os = "tee"; >>>> + load = <0x9e800000>; >>>> + entry = <0x9e800000>; >>>> + tee-os { >>>> + filename = "tee-pager_v2.bin"; >>>> + }; >>>> + }; >>>> + >>>> + dm { >>>> + description = "DM binary"; >>>> + type = "firmware"; >>>> + arch = "arm32"; >>>> + compression = "none"; >>>> + os = "DM"; >>>> + load = <0x89000000>; >>>> + entry = <0x89000000>; >>>> + blob-ext { >>>> + filename = "/dev/null"; >>>> + }; >>>> + }; >>>> + >>>> + spl { >>>> + description = "SPL (64-bit)"; >>>> + type = "standalone"; >>>> + os = "U-Boot"; >>>> + arch = "arm64"; >>>> + compression = "none"; >>>> + load = <0x80080000>; >>>> + entry = <0x80080000>; >>>> +#ifdef CONFIG_TI_SECURE_DEVICE >>>> + ti-secure { >>>> +#else >>>> + blob { >>>> +#endif >>>> + filename = SPL_NODTB; >>>> + }; >>>> + }; >>>> + >>>> + fdt-1 { >>>> + description = "k3-am642-evm"; >>>> + type = "flat_dt"; >>>> + arch = "arm"; >>>> + compression = "none"; >>>> +#ifdef CONFIG_TI_SECURE_DEVICE >>>> + ti-secure { >>>> +#else >>>> + blob { >>>> +#endif >>>> + filename = SPL_AM642_EVM_DTB; >>>> + }; >>>> + }; >>>> + >>>> + fdt-2 { >>>> + description = "k3-am642-sk"; >>>> + type = "flat_dt"; >>>> + arch = "arm"; >>>> + compression = "none"; >>>> +#ifdef CONFIG_TI_SECURE_DEVICE >>>> + ti-secure { >>>> +#else >>>> + blob { >>>> +#endif >>>> + filename = SPL_AM642_SK_DTB; >>>> + }; >>>> + }; >>>> + }; >>>> + >>>> + configurations { >>>> + default = "conf-1"; >>>> + >>>> + conf-1 { >>>> + description = "k3-am642-evm"; >>>> + firmware = "atf"; >>>> + loadables = "tee", "dm", "spl"; >>>> + fdt = "fdt-1"; >>>> + }; >>>> + >>>> + conf-2 { >>>> + description = "k3-am642-sk"; >>>> + firmware = "atf"; >>>> + loadables = "tee", "dm", "spl"; >>>> + fdt = "fdt-2"; >>>> + }; >>>> + }; >>>> + }; >>>> + }; >>>> +}; >>>> + >>>> +&binman { >>>> + u-boot { >>>> + filename = UBOOT_IMG; >>>> + pad-byte = <0xff>; >>>> + >>>> + fit { >>>> + description = "FIT image with multiple configurations"; >>>> + >>>> + images { >>>> + uboot { >>>> + description = "U-Boot for am64x board"; >>>> + type = "firmware"; >>>> + os = "u-boot"; >>>> + arch = "arm"; >>>> + compression = "none"; >>>> + load = <CONFIG_SYS_TEXT_BASE>; >>>> +#ifdef CONFIG_TI_SECURE_DEVICE >>>> + ti-secure { >>>> +#else >>>> + blob { >>>> +#endif >>>> + filename = UBOOT_NODTB; >>>> + }; >>>> + hash { >>>> + algo = "crc32"; >>>> + }; >>>> + }; >>>> + >>>> + fdt-1 { >>>> + description = "k3-am642-evm"; >>>> + type = "flat_dt"; >>>> + arch = "arm"; >>>> + compression = "none"; >>>> +#ifdef CONFIG_TI_SECURE_DEVICE >>>> + ti-secure { >>>> +#else >>>> + blob { >>>> +#endif >>>> + filename = AM642_EVM_DTB; >>>> + }; >>>> + hash { >>>> + algo = "crc32"; >>>> + }; >>>> + }; >>>> + >>>> + fdt-2 { >>>> + description = "k3-am642-sk"; >>>> + type = "flat_dt"; >>>> + arch = "arm"; >>>> + compression = "none"; >>>> +#ifdef CONFIG_TI_SECURE_DEVICE >>>> + ti-secure { >>>> +#else >>>> + blob { >>>> +#endif >>>> + filename = AM642_SK_DTB; >>>> + }; >>>> + hash { >>>> + algo = "crc32"; >>>> + }; >>>> + }; >>>> + }; >>>> + >>>> + configurations { >>>> + default = "conf-1"; >>>> + >>>> + conf-1 { >>>> + description = "k3-am642-evm"; >>>> + firmware = "uboot"; >>>> + loadables = "uboot"; >>>> + fdt = "fdt-1"; >>>> + }; >>>> + >>>> + conf-2 { >>>> + description = "k3-am642-sk"; >>>> + firmware = "uboot"; >>>> + loadables = "uboot"; >>>> + fdt = "fdt-2"; >>>> + }; >>>> + }; >>>> + }; >>>> + }; >>>> +}; >>>> +#endif >>>> diff --git a/arch/arm/dts/k3-am642-evm-u-boot.dtsi b/arch/arm/dts/k3-am642-evm-u-boot.dtsi >>>> index 03688a51a3..db0a529f0f 100644 >>>> --- a/arch/arm/dts/k3-am642-evm-u-boot.dtsi >>>> +++ b/arch/arm/dts/k3-am642-evm-u-boot.dtsi >>>> @@ -2,6 +2,9 @@ >>>> /* >>>> * Copyright (C) 2020-2021 Texas Instruments Incorporated - https://www.ti.com/ >>>> */ >>>> +#include <config.h> >>>> + >>>> +#include "k3-am642-evm-binman.dtsi" >>>> / { >>>> chosen { >>>> diff --git a/arch/arm/mach-k3/Kconfig b/arch/arm/mach-k3/Kconfig >>>> index a01bf23514..a4c561254d 100644 >>>> --- a/arch/arm/mach-k3/Kconfig >>>> +++ b/arch/arm/mach-k3/Kconfig >>>> @@ -15,6 +15,7 @@ config SOC_K3_J721S2 >>>> config SOC_K3_AM642 >>>> bool "TI's K3 based AM642 SoC Family Support" >>>> + select BINMAN if TARGET_AM642_A53_EVM >>>> endchoice >>>> diff --git a/arch/arm/mach-k3/config.mk b/arch/arm/mach-k3/config.mk >>>> index da458bcfb2..d2c490818a 100644 >>>> --- a/arch/arm/mach-k3/config.mk >>>> +++ b/arch/arm/mach-k3/config.mk >>>> @@ -47,6 +47,7 @@ tiboot3.bin: image_check FORCE >>>> INPUTS-y += tiboot3.bin >>>> endif >>>> +ifndef CONFIG_BINMAN >>>> ifdef CONFIG_ARM64 >>>> ifeq ($(CONFIG_SOC_K3_J721E),) >>>> @@ -77,9 +78,11 @@ cmd_k3_mkits = \ >>>> $(SPL_ITS): FORCE >>>> $(call cmd,k3_mkits) >>>> endif >>>> +endif >>>> else >>>> +ifndef CONFIG_BINMAN >>>> ifeq ($(CONFIG_TI_SECURE_DEVICE),y) >>>> INPUTS-y += u-boot.img_HS >>>> else >>>> @@ -87,4 +90,8 @@ INPUTS-y += u-boot.img >>>> endif >>>> endif >>>> +endif >>>> + >>>> +ifndef CONFIG_BINMAN >>>> include $(srctree)/arch/arm/mach-k3/config_secure.mk >>>> +endif
On Thu, May 26, 2022 at 10:28:45AM +0300, Roger Quadros wrote: > On 25/05/2022 18:14, Andrew Davis wrote: > > On 5/25/22 3:30 AM, Roger Quadros wrote: > >> Hi Andrew, > >> > >> On 25/05/2022 01:03, Andrew Davis wrote: > >>> On 5/9/22 2:29 AM, Roger Quadros wrote: > >>>> Introduce k3-am642-evm-binman.dtsi to provide binman configuration. > >>>> > >>>> R5 build is still not converted to use binman so restrict binman.dtsi > >>>> to A53 builds only. > >>>> > >>>> This patch also take care of building Secure (HS) images using > >>>> binman instead of tools/k3_fit_atf.sh if CONFIG_BINMAN is set. > >>>> > >>>> Signed-off-by: Roger Quadros <rogerq@kernel.org> > >>>> --- > >>>> arch/arm/dts/k3-am642-evm-binman.dtsi | 230 ++++++++++++++++++++++++++ > >>>> arch/arm/dts/k3-am642-evm-u-boot.dtsi | 3 + > >>>> arch/arm/mach-k3/Kconfig | 1 + > >>>> arch/arm/mach-k3/config.mk | 7 + > >>>> 4 files changed, 241 insertions(+) > >>>> create mode 100644 arch/arm/dts/k3-am642-evm-binman.dtsi > >>>> > >>>> diff --git a/arch/arm/dts/k3-am642-evm-binman.dtsi b/arch/arm/dts/k3-am642-evm-binman.dtsi > >>>> new file mode 100644 > >>>> index 0000000000..9e85ef41b0 > >>>> --- /dev/null > >>>> +++ b/arch/arm/dts/k3-am642-evm-binman.dtsi > >>>> @@ -0,0 +1,230 @@ > >>>> +// SPDX-License-Identifier: GPL-2.0 > >>>> +/* > >>>> + * Copyright (C) 2021 Texas Instruments Incorporated - https://www.ti.com/ > >>>> + */ > >>>> + > >>>> +/ { > >>>> + binman: binman { > >>>> + multiple-images; > >>>> + }; > >>>> +}; > >>>> + > >>>> +#ifdef CONFIG_TARGET_AM642_A53_EVM > >>>> + > >>>> +#ifdef CONFIG_TI_SECURE_DEVICE > >>>> +#define TISPL "tispl.bin_HS" > >>>> +#define UBOOT_IMG "u-boot.img_HS" > >>>> +#else > >>>> +#define TISPL "tispl.bin" > >>>> +#define UBOOT_IMG "u-boot.img" > >>>> +#endif > >>>> + > >>>> +#define SPL_NODTB "spl/u-boot-spl-nodtb.bin" > >>>> +#define SPL_AM642_EVM_DTB "spl/dts/k3-am642-evm.dtb" > >>>> +#define SPL_AM642_SK_DTB "spl/dts/k3-am642-sk.dtb" > >>>> + > >>>> +#define UBOOT_NODTB "u-boot-nodtb.bin" > >>>> +#define AM642_EVM_DTB "arch/arm/dts/k3-am642-evm.dtb" > >>>> +#define AM642_SK_DTB "arch/arm/dts/k3-am642-sk.dtb" > >>>> + > >>>> +&binman { > >>>> + ti-spl { > >>>> + filename = TISPL; > >>>> + pad-byte = <0xff>; > >>>> + > >>>> + fit { > >>>> + description = "Configuration to load ATF and SPL"; > >>>> + #address-cells = <1>; > >>>> + > >>>> + images { > >>>> + > >>>> + atf { > >>>> + description = "ARM Trusted Firmware"; > >>>> + type = "firmware"; > >>>> + arch = "arm64"; > >>>> + compression = "none"; > >>>> + os = "arm-trusted-firmware"; > >>>> + load = <CONFIG_K3_ATF_LOAD_ADDR>; > >>>> + entry = <CONFIG_K3_ATF_LOAD_ADDR>; > >>>> + atf-bl31 { > >>>> + filename = "bl31.bin"; > >>>> + }; > >>> > >>> > >>> On HS, bl31.bin and the below TEE and DM images must also be signed > >>> before being packaged into tispl.bin. > >>> Can we add signing here? > >> > >> I'm wondering how this is working as is on HS boards. > >> > > > > > > Today we manually sign those two before we feed them to U-Boot build. > > I'd like to fix that and have them signed along with all the other > > parts here when packaging them together. > > > > OK. Then this is new feature. Do you mind if I make a separate patch for it? > But first I need to figure out what to do ;) > > > > >> Another thing to note is that the atf and tee entries take into consideration > >> the below environment variables > >> -a atf-bl31-path=${BL31} \ > >> -a tee-os-path=${TEE} \ > >> > >> How do we continue to support that while adding the signing bits? > >> > > > > > > That's my question also, I'm not sure how we would make the type 'ti-secure' > > while also changing their path names, seems like a limitation currently > > of using etypes to do the signing, since we can do path renames from > > command line. > > Simon, > > Any thoughts on how to get the new ti-secure etype work with atf-bl31 and > tee-os etypes so that it can take the data output of those entries and create > a signed binary with filenames from those entries or atf-bl31-path and > tee-os-path? > > Can something like this work? > > ti-secure { > atf-bl31 { > filename = "bl31.bin"; > }; > } > > We could probably get rid of filename property from ti-secure etype and use > blob for regular files. > > ti-secure { > blob { > filename = "somefile.ext"; > } > } Adding in Alper as well.. > > cheers, > -roger > > > > > Andrew > > > > > >> cheers, > >> -roger > >> > >>> > >>> Andrew > >>> > >>> > >>>> + }; > >>>> + > >>>> + tee { > >>>> + description = "OPTEE"; > >>>> + type = "tee"; > >>>> + arch = "arm64"; > >>>> + compression = "none"; > >>>> + os = "tee"; > >>>> + load = <0x9e800000>; > >>>> + entry = <0x9e800000>; > >>>> + tee-os { > >>>> + filename = "tee-pager_v2.bin"; > >>>> + }; > >>>> + }; > >>>> + > >>>> + dm { > >>>> + description = "DM binary"; > >>>> + type = "firmware"; > >>>> + arch = "arm32"; > >>>> + compression = "none"; > >>>> + os = "DM"; > >>>> + load = <0x89000000>; > >>>> + entry = <0x89000000>; > >>>> + blob-ext { > >>>> + filename = "/dev/null"; > >>>> + }; > >>>> + }; > >>>> + > >>>> + spl { > >>>> + description = "SPL (64-bit)"; > >>>> + type = "standalone"; > >>>> + os = "U-Boot"; > >>>> + arch = "arm64"; > >>>> + compression = "none"; > >>>> + load = <0x80080000>; > >>>> + entry = <0x80080000>; > >>>> +#ifdef CONFIG_TI_SECURE_DEVICE > >>>> + ti-secure { > >>>> +#else > >>>> + blob { > >>>> +#endif > >>>> + filename = SPL_NODTB; > >>>> + }; > >>>> + }; > >>>> + > >>>> + fdt-1 { > >>>> + description = "k3-am642-evm"; > >>>> + type = "flat_dt"; > >>>> + arch = "arm"; > >>>> + compression = "none"; > >>>> +#ifdef CONFIG_TI_SECURE_DEVICE > >>>> + ti-secure { > >>>> +#else > >>>> + blob { > >>>> +#endif > >>>> + filename = SPL_AM642_EVM_DTB; > >>>> + }; > >>>> + }; > >>>> + > >>>> + fdt-2 { > >>>> + description = "k3-am642-sk"; > >>>> + type = "flat_dt"; > >>>> + arch = "arm"; > >>>> + compression = "none"; > >>>> +#ifdef CONFIG_TI_SECURE_DEVICE > >>>> + ti-secure { > >>>> +#else > >>>> + blob { > >>>> +#endif > >>>> + filename = SPL_AM642_SK_DTB; > >>>> + }; > >>>> + }; > >>>> + }; > >>>> + > >>>> + configurations { > >>>> + default = "conf-1"; > >>>> + > >>>> + conf-1 { > >>>> + description = "k3-am642-evm"; > >>>> + firmware = "atf"; > >>>> + loadables = "tee", "dm", "spl"; > >>>> + fdt = "fdt-1"; > >>>> + }; > >>>> + > >>>> + conf-2 { > >>>> + description = "k3-am642-sk"; > >>>> + firmware = "atf"; > >>>> + loadables = "tee", "dm", "spl"; > >>>> + fdt = "fdt-2"; > >>>> + }; > >>>> + }; > >>>> + }; > >>>> + }; > >>>> +}; > >>>> + > >>>> +&binman { > >>>> + u-boot { > >>>> + filename = UBOOT_IMG; > >>>> + pad-byte = <0xff>; > >>>> + > >>>> + fit { > >>>> + description = "FIT image with multiple configurations"; > >>>> + > >>>> + images { > >>>> + uboot { > >>>> + description = "U-Boot for am64x board"; > >>>> + type = "firmware"; > >>>> + os = "u-boot"; > >>>> + arch = "arm"; > >>>> + compression = "none"; > >>>> + load = <CONFIG_SYS_TEXT_BASE>; > >>>> +#ifdef CONFIG_TI_SECURE_DEVICE > >>>> + ti-secure { > >>>> +#else > >>>> + blob { > >>>> +#endif > >>>> + filename = UBOOT_NODTB; > >>>> + }; > >>>> + hash { > >>>> + algo = "crc32"; > >>>> + }; > >>>> + }; > >>>> + > >>>> + fdt-1 { > >>>> + description = "k3-am642-evm"; > >>>> + type = "flat_dt"; > >>>> + arch = "arm"; > >>>> + compression = "none"; > >>>> +#ifdef CONFIG_TI_SECURE_DEVICE > >>>> + ti-secure { > >>>> +#else > >>>> + blob { > >>>> +#endif > >>>> + filename = AM642_EVM_DTB; > >>>> + }; > >>>> + hash { > >>>> + algo = "crc32"; > >>>> + }; > >>>> + }; > >>>> + > >>>> + fdt-2 { > >>>> + description = "k3-am642-sk"; > >>>> + type = "flat_dt"; > >>>> + arch = "arm"; > >>>> + compression = "none"; > >>>> +#ifdef CONFIG_TI_SECURE_DEVICE > >>>> + ti-secure { > >>>> +#else > >>>> + blob { > >>>> +#endif > >>>> + filename = AM642_SK_DTB; > >>>> + }; > >>>> + hash { > >>>> + algo = "crc32"; > >>>> + }; > >>>> + }; > >>>> + }; > >>>> + > >>>> + configurations { > >>>> + default = "conf-1"; > >>>> + > >>>> + conf-1 { > >>>> + description = "k3-am642-evm"; > >>>> + firmware = "uboot"; > >>>> + loadables = "uboot"; > >>>> + fdt = "fdt-1"; > >>>> + }; > >>>> + > >>>> + conf-2 { > >>>> + description = "k3-am642-sk"; > >>>> + firmware = "uboot"; > >>>> + loadables = "uboot"; > >>>> + fdt = "fdt-2"; > >>>> + }; > >>>> + }; > >>>> + }; > >>>> + }; > >>>> +}; > >>>> +#endif > >>>> diff --git a/arch/arm/dts/k3-am642-evm-u-boot.dtsi b/arch/arm/dts/k3-am642-evm-u-boot.dtsi > >>>> index 03688a51a3..db0a529f0f 100644 > >>>> --- a/arch/arm/dts/k3-am642-evm-u-boot.dtsi > >>>> +++ b/arch/arm/dts/k3-am642-evm-u-boot.dtsi > >>>> @@ -2,6 +2,9 @@ > >>>> /* > >>>> * Copyright (C) 2020-2021 Texas Instruments Incorporated - https://www.ti.com/ > >>>> */ > >>>> +#include <config.h> > >>>> + > >>>> +#include "k3-am642-evm-binman.dtsi" > >>>> / { > >>>> chosen { > >>>> diff --git a/arch/arm/mach-k3/Kconfig b/arch/arm/mach-k3/Kconfig > >>>> index a01bf23514..a4c561254d 100644 > >>>> --- a/arch/arm/mach-k3/Kconfig > >>>> +++ b/arch/arm/mach-k3/Kconfig > >>>> @@ -15,6 +15,7 @@ config SOC_K3_J721S2 > >>>> config SOC_K3_AM642 > >>>> bool "TI's K3 based AM642 SoC Family Support" > >>>> + select BINMAN if TARGET_AM642_A53_EVM > >>>> endchoice > >>>> diff --git a/arch/arm/mach-k3/config.mk b/arch/arm/mach-k3/config.mk > >>>> index da458bcfb2..d2c490818a 100644 > >>>> --- a/arch/arm/mach-k3/config.mk > >>>> +++ b/arch/arm/mach-k3/config.mk > >>>> @@ -47,6 +47,7 @@ tiboot3.bin: image_check FORCE > >>>> INPUTS-y += tiboot3.bin > >>>> endif > >>>> +ifndef CONFIG_BINMAN > >>>> ifdef CONFIG_ARM64 > >>>> ifeq ($(CONFIG_SOC_K3_J721E),) > >>>> @@ -77,9 +78,11 @@ cmd_k3_mkits = \ > >>>> $(SPL_ITS): FORCE > >>>> $(call cmd,k3_mkits) > >>>> endif > >>>> +endif > >>>> else > >>>> +ifndef CONFIG_BINMAN > >>>> ifeq ($(CONFIG_TI_SECURE_DEVICE),y) > >>>> INPUTS-y += u-boot.img_HS > >>>> else > >>>> @@ -87,4 +90,8 @@ INPUTS-y += u-boot.img > >>>> endif > >>>> endif > >>>> +endif > >>>> + > >>>> +ifndef CONFIG_BINMAN > >>>> include $(srctree)/arch/arm/mach-k3/config_secure.mk > >>>> +endif
On 26/05/2022 17:15, Tom Rini wrote: > On Thu, May 26, 2022 at 10:28:45AM +0300, Roger Quadros wrote: >> Any thoughts on how to get the new ti-secure etype work with atf-bl31 and >> tee-os etypes so that it can take the data output of those entries and create >> a signed binary with filenames from those entries or atf-bl31-path and >> tee-os-path? >> >> Can something like this work? >> >> ti-secure { >> atf-bl31 { >> filename = "bl31.bin"; >> }; >> } >> >> We could probably get rid of filename property from ti-secure etype and use >> blob for regular files. >> >> ti-secure { >> blob { >> filename = "somefile.ext"; >> } >> } This would definitely work, see etype/mkimage.py for example. I'd prefer to know the file-format details (and maybe replicate them in binman) if you could afford to publish them, though... Sorry I couldn't look at either series yet, but I see mentions of k3_fit_atf.sh, so let me point out another series [1][2] that might also interest you: [1] [RESEND, RFC 0/8] Integration of sysfw and tispl with U-Boot https://lore.kernel.org/u-boot/20220406122919.6104-1-n-francis@ti.com/ [2] [PATCH RFC v2 00/11] Integration of sysfw, tispl and tiboot3 https://lore.kernel.org/u-boot/20220506043759.8193-1-n-francis@ti.com/ > > Adding in Alper as well.. >
Hi, On 27/05/2022 20:50, Alper Nebi Yasak wrote: > On 26/05/2022 17:15, Tom Rini wrote: >> On Thu, May 26, 2022 at 10:28:45AM +0300, Roger Quadros wrote: >>> Any thoughts on how to get the new ti-secure etype work with atf-bl31 and >>> tee-os etypes so that it can take the data output of those entries and create >>> a signed binary with filenames from those entries or atf-bl31-path and >>> tee-os-path? >>> >>> Can something like this work? >>> >>> ti-secure { >>> atf-bl31 { >>> filename = "bl31.bin"; >>> }; >>> } >>> >>> We could probably get rid of filename property from ti-secure etype and use >>> blob for regular files. >>> >>> ti-secure { >>> blob { >>> filename = "somefile.ext"; >>> } >>> } > > This would definitely work, see etype/mkimage.py for example. I'd prefer > to know the file-format details (and maybe replicate them in binman) if > you could afford to publish them, though... This is a question to Nishanth/Andrew. > > > Sorry I couldn't look at either series yet, but I see mentions of > k3_fit_atf.sh, so let me point out another series [1][2] that might also > interest you: > > [1] [RESEND, RFC 0/8] Integration of sysfw and tispl with U-Boot > https://lore.kernel.org/u-boot/20220406122919.6104-1-n-francis@ti.com/ > > [2] [PATCH RFC v2 00/11] Integration of sysfw, tispl and tiboot3 > https://lore.kernel.org/u-boot/20220506043759.8193-1-n-francis@ti.com/ Thanks for this pointer. I will review those patches and see how we can consolidate. cheers, -roger
On 5/31/22 12:06 AM, Roger Quadros wrote: > Hi, > > On 27/05/2022 20:50, Alper Nebi Yasak wrote: >> On 26/05/2022 17:15, Tom Rini wrote: >>> On Thu, May 26, 2022 at 10:28:45AM +0300, Roger Quadros wrote: >>>> Any thoughts on how to get the new ti-secure etype work with atf-bl31 and >>>> tee-os etypes so that it can take the data output of those entries and create >>>> a signed binary with filenames from those entries or atf-bl31-path and >>>> tee-os-path? >>>> >>>> Can something like this work? >>>> >>>> ti-secure { >>>> atf-bl31 { >>>> filename = "bl31.bin"; >>>> }; >>>> } >>>> >>>> We could probably get rid of filename property from ti-secure etype and use >>>> blob for regular files. >>>> >>>> ti-secure { >>>> blob { >>>> filename = "somefile.ext"; >>>> } >>>> } >> >> This would definitely work, see etype/mkimage.py for example. I'd prefer >> to know the file-format details (and maybe replicate them in binman) if >> you could afford to publish them, though... > > This is a question to Nishanth/Andrew. > What file format are we talking about here? If it is the signed format, it's an attached x509 certificate, that is already published [0] and the tools to make it are public [1]. There is also an effort to replicate some of this in binman too [2]. Thanks, Andrew [0] https://software-dl.ti.com/tisci/esd/latest/2_tisci_msgs/security/sec_cert_format.html [1] https://git.ti.com/cgit/security-development-tools/core-secdev-k3 [2] https://lore.kernel.org/all/20220510200511.GK3901321@bill-the-cat/T/ >> >> >> Sorry I couldn't look at either series yet, but I see mentions of >> k3_fit_atf.sh, so let me point out another series [1][2] that might also >> interest you: >> >> [1] [RESEND, RFC 0/8] Integration of sysfw and tispl with U-Boot >> https://lore.kernel.org/u-boot/20220406122919.6104-1-n-francis@ti.com/ >> >> [2] [PATCH RFC v2 00/11] Integration of sysfw, tispl and tiboot3 >> https://lore.kernel.org/u-boot/20220506043759.8193-1-n-francis@ti.com/ > > Thanks for this pointer. I will review those patches and see how we can > consolidate. > > cheers, > -roger
On 31/05/2022 17:15, Andrew Davis wrote: > On 5/31/22 12:06 AM, Roger Quadros wrote: >> On 27/05/2022 20:50, Alper Nebi Yasak wrote: >>> This would definitely work, see etype/mkimage.py for example. I'd prefer >>> to know the file-format details (and maybe replicate them in binman) if >>> you could afford to publish them, though... >> >> This is a question to Nishanth/Andrew. > > What file format are we talking about here? If it is the signed format, > it's an attached x509 certificate, that is already published [0] and > the tools to make it are public [1]. Thanks, I meant this. I saw 'secure-binary-image.sh' in the first patch, which lead me to 'doc/README.ti-secure', which mentions NDA and logins, so I stopped looking there. > There is also an effort to replicate some of this in binman too [2]. > > Thanks, > Andrew > > [0] https://software-dl.ti.com/tisci/esd/latest/2_tisci_msgs/security/sec_cert_format.html > [1] https://git.ti.com/cgit/security-development-tools/core-secdev-k3 > [2] https://lore.kernel.org/all/20220510200511.GK3901321@bill-the-cat/T/
diff --git a/arch/arm/dts/k3-am642-evm-binman.dtsi b/arch/arm/dts/k3-am642-evm-binman.dtsi new file mode 100644 index 0000000000..9e85ef41b0 --- /dev/null +++ b/arch/arm/dts/k3-am642-evm-binman.dtsi @@ -0,0 +1,230 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) 2021 Texas Instruments Incorporated - https://www.ti.com/ + */ + +/ { + binman: binman { + multiple-images; + }; +}; + +#ifdef CONFIG_TARGET_AM642_A53_EVM + +#ifdef CONFIG_TI_SECURE_DEVICE +#define TISPL "tispl.bin_HS" +#define UBOOT_IMG "u-boot.img_HS" +#else +#define TISPL "tispl.bin" +#define UBOOT_IMG "u-boot.img" +#endif + +#define SPL_NODTB "spl/u-boot-spl-nodtb.bin" +#define SPL_AM642_EVM_DTB "spl/dts/k3-am642-evm.dtb" +#define SPL_AM642_SK_DTB "spl/dts/k3-am642-sk.dtb" + +#define UBOOT_NODTB "u-boot-nodtb.bin" +#define AM642_EVM_DTB "arch/arm/dts/k3-am642-evm.dtb" +#define AM642_SK_DTB "arch/arm/dts/k3-am642-sk.dtb" + +&binman { + ti-spl { + filename = TISPL; + pad-byte = <0xff>; + + fit { + description = "Configuration to load ATF and SPL"; + #address-cells = <1>; + + images { + + atf { + description = "ARM Trusted Firmware"; + type = "firmware"; + arch = "arm64"; + compression = "none"; + os = "arm-trusted-firmware"; + load = <CONFIG_K3_ATF_LOAD_ADDR>; + entry = <CONFIG_K3_ATF_LOAD_ADDR>; + atf-bl31 { + filename = "bl31.bin"; + }; + }; + + tee { + description = "OPTEE"; + type = "tee"; + arch = "arm64"; + compression = "none"; + os = "tee"; + load = <0x9e800000>; + entry = <0x9e800000>; + tee-os { + filename = "tee-pager_v2.bin"; + }; + }; + + dm { + description = "DM binary"; + type = "firmware"; + arch = "arm32"; + compression = "none"; + os = "DM"; + load = <0x89000000>; + entry = <0x89000000>; + blob-ext { + filename = "/dev/null"; + }; + }; + + spl { + description = "SPL (64-bit)"; + type = "standalone"; + os = "U-Boot"; + arch = "arm64"; + compression = "none"; + load = <0x80080000>; + entry = <0x80080000>; +#ifdef CONFIG_TI_SECURE_DEVICE + ti-secure { +#else + blob { +#endif + filename = SPL_NODTB; + }; + }; + + fdt-1 { + description = "k3-am642-evm"; + type = "flat_dt"; + arch = "arm"; + compression = "none"; +#ifdef CONFIG_TI_SECURE_DEVICE + ti-secure { +#else + blob { +#endif + filename = SPL_AM642_EVM_DTB; + }; + }; + + fdt-2 { + description = "k3-am642-sk"; + type = "flat_dt"; + arch = "arm"; + compression = "none"; +#ifdef CONFIG_TI_SECURE_DEVICE + ti-secure { +#else + blob { +#endif + filename = SPL_AM642_SK_DTB; + }; + }; + }; + + configurations { + default = "conf-1"; + + conf-1 { + description = "k3-am642-evm"; + firmware = "atf"; + loadables = "tee", "dm", "spl"; + fdt = "fdt-1"; + }; + + conf-2 { + description = "k3-am642-sk"; + firmware = "atf"; + loadables = "tee", "dm", "spl"; + fdt = "fdt-2"; + }; + }; + }; + }; +}; + +&binman { + u-boot { + filename = UBOOT_IMG; + pad-byte = <0xff>; + + fit { + description = "FIT image with multiple configurations"; + + images { + uboot { + description = "U-Boot for am64x board"; + type = "firmware"; + os = "u-boot"; + arch = "arm"; + compression = "none"; + load = <CONFIG_SYS_TEXT_BASE>; +#ifdef CONFIG_TI_SECURE_DEVICE + ti-secure { +#else + blob { +#endif + filename = UBOOT_NODTB; + }; + hash { + algo = "crc32"; + }; + }; + + fdt-1 { + description = "k3-am642-evm"; + type = "flat_dt"; + arch = "arm"; + compression = "none"; +#ifdef CONFIG_TI_SECURE_DEVICE + ti-secure { +#else + blob { +#endif + filename = AM642_EVM_DTB; + }; + hash { + algo = "crc32"; + }; + }; + + fdt-2 { + description = "k3-am642-sk"; + type = "flat_dt"; + arch = "arm"; + compression = "none"; +#ifdef CONFIG_TI_SECURE_DEVICE + ti-secure { +#else + blob { +#endif + filename = AM642_SK_DTB; + }; + hash { + algo = "crc32"; + }; + }; + }; + + configurations { + default = "conf-1"; + + conf-1 { + description = "k3-am642-evm"; + firmware = "uboot"; + loadables = "uboot"; + fdt = "fdt-1"; + }; + + conf-2 { + description = "k3-am642-sk"; + firmware = "uboot"; + loadables = "uboot"; + fdt = "fdt-2"; + }; + }; + }; + }; +}; +#endif diff --git a/arch/arm/dts/k3-am642-evm-u-boot.dtsi b/arch/arm/dts/k3-am642-evm-u-boot.dtsi index 03688a51a3..db0a529f0f 100644 --- a/arch/arm/dts/k3-am642-evm-u-boot.dtsi +++ b/arch/arm/dts/k3-am642-evm-u-boot.dtsi @@ -2,6 +2,9 @@ /* * Copyright (C) 2020-2021 Texas Instruments Incorporated - https://www.ti.com/ */ +#include <config.h> + +#include "k3-am642-evm-binman.dtsi" / { chosen { diff --git a/arch/arm/mach-k3/Kconfig b/arch/arm/mach-k3/Kconfig index a01bf23514..a4c561254d 100644 --- a/arch/arm/mach-k3/Kconfig +++ b/arch/arm/mach-k3/Kconfig @@ -15,6 +15,7 @@ config SOC_K3_J721S2 config SOC_K3_AM642 bool "TI's K3 based AM642 SoC Family Support" + select BINMAN if TARGET_AM642_A53_EVM endchoice diff --git a/arch/arm/mach-k3/config.mk b/arch/arm/mach-k3/config.mk index da458bcfb2..d2c490818a 100644 --- a/arch/arm/mach-k3/config.mk +++ b/arch/arm/mach-k3/config.mk @@ -47,6 +47,7 @@ tiboot3.bin: image_check FORCE INPUTS-y += tiboot3.bin endif +ifndef CONFIG_BINMAN ifdef CONFIG_ARM64 ifeq ($(CONFIG_SOC_K3_J721E),) @@ -77,9 +78,11 @@ cmd_k3_mkits = \ $(SPL_ITS): FORCE $(call cmd,k3_mkits) endif +endif else +ifndef CONFIG_BINMAN ifeq ($(CONFIG_TI_SECURE_DEVICE),y) INPUTS-y += u-boot.img_HS else @@ -87,4 +90,8 @@ INPUTS-y += u-boot.img endif endif +endif + +ifndef CONFIG_BINMAN include $(srctree)/arch/arm/mach-k3/config_secure.mk +endif
Introduce k3-am642-evm-binman.dtsi to provide binman configuration. R5 build is still not converted to use binman so restrict binman.dtsi to A53 builds only. This patch also take care of building Secure (HS) images using binman instead of tools/k3_fit_atf.sh if CONFIG_BINMAN is set. Signed-off-by: Roger Quadros <rogerq@kernel.org> --- arch/arm/dts/k3-am642-evm-binman.dtsi | 230 ++++++++++++++++++++++++++ arch/arm/dts/k3-am642-evm-u-boot.dtsi | 3 + arch/arm/mach-k3/Kconfig | 1 + arch/arm/mach-k3/config.mk | 7 + 4 files changed, 241 insertions(+) create mode 100644 arch/arm/dts/k3-am642-evm-binman.dtsi