
[3/7] dts: j721e: binman: Include firmware capsules binman nodes

Message ID 20240408221735.164871-4-j-humphreys@ti.com
State Changes Requested
Delegated to: Tom Rini
Series binman: ti: create binman nodes for EFI capsules | expand

Commit Message

Jonathan Humphreys April 8, 2024, 10:17 p.m. UTC
Signed-off-by: Jonathan Humphreys <j-humphreys@ti.com>
---
 arch/arm/dts/k3-j721e-binman.dtsi | 32 +++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

Comments

Andrew Davis April 9, 2024, 9:40 p.m. UTC | #1
On 4/8/24 5:17 PM, Jonathan Humphreys wrote:
> Signed-off-by: Jonathan Humphreys <j-humphreys@ti.com>
> ---
>   arch/arm/dts/k3-j721e-binman.dtsi | 32 +++++++++++++++++++++++++++++++
>   1 file changed, 32 insertions(+)
> 
> diff --git a/arch/arm/dts/k3-j721e-binman.dtsi b/arch/arm/dts/k3-j721e-binman.dtsi
> index 75a6e9599b9..9169551c422 100644
> --- a/arch/arm/dts/k3-j721e-binman.dtsi
> +++ b/arch/arm/dts/k3-j721e-binman.dtsi
> @@ -207,6 +207,29 @@
>   		};
>   	};
>   };
> +
> +#include "k3-binman-capsule-r5.dtsi"
> +
> +// Capsue update GUIDs.  See ti_armv7_common.h.
> +#define K3_SYSFW_IMAGE_UUID_STR "6fd10680-361b-431f-80aa-899455819e11"
> +
> +&binman {
> +	capsule-sysfw {
> +		filename = "sysfw-capsule.bin";
> +		efi-capsule {
> +			image-index = <0x4>;
> +			image-guid = K3_SYSFW_IMAGE_UUID_STR;
> +			private-key = "arch/arm/mach-k3/keys/custMpk.pem";
> +			public-key-cert = "arch/arm/mach-k3/keys/custMpk.crt";
> +			monotonic-count = <0x1>;
> +
> +			blob {
> +				filename = "sysfw.itb";
> +			};
> +		};
> +	};
> +};
> +
>   #endif
>   
>   #ifdef CONFIG_TARGET_J721E_A72_EVM
> @@ -585,4 +608,13 @@
>   		};
>   	};
>   };
> +
> +#include "k3-binman-capsule.dtsi"
> +&tispl_name {
> +	filename = "tispl.bin_unsigned";

Why use the _unsigned images here? HS devices cannot boot unsigned GP images,
but both GP and HS devices *can* boot the normal signed images (GP just strips
the signatures off). So no need to use the _unsigned images anymore (I'm
planning to just remove them at some point to prevent this confusion).

Andrew

> +};
> +&uboot_name {
> +	filename = "u-boot.img_unsigned";
> +};
> +
>   #endif
Jonathan Humphreys April 10, 2024, 6:24 p.m. UTC | #2
Andrew Davis <afd@ti.com> writes:

> On 4/8/24 5:17 PM, Jonathan Humphreys wrote:
>> Signed-off-by: Jonathan Humphreys <j-humphreys@ti.com>
>> ---
>>   arch/arm/dts/k3-j721e-binman.dtsi | 32 +++++++++++++++++++++++++++++++
>>   1 file changed, 32 insertions(+)
>> 
>> diff --git a/arch/arm/dts/k3-j721e-binman.dtsi b/arch/arm/dts/k3-j721e-binman.dtsi
>> index 75a6e9599b9..9169551c422 100644
>> --- a/arch/arm/dts/k3-j721e-binman.dtsi
>> +++ b/arch/arm/dts/k3-j721e-binman.dtsi
>> @@ -207,6 +207,29 @@
>>   		};
>>   	};
>>   };
>> +
>> +#include "k3-binman-capsule-r5.dtsi"
>> +
>> +// Capsue update GUIDs.  See ti_armv7_common.h.
>> +#define K3_SYSFW_IMAGE_UUID_STR "6fd10680-361b-431f-80aa-899455819e11"
>> +
>> +&binman {
>> +	capsule-sysfw {
>> +		filename = "sysfw-capsule.bin";
>> +		efi-capsule {
>> +			image-index = <0x4>;
>> +			image-guid = K3_SYSFW_IMAGE_UUID_STR;
>> +			private-key = "arch/arm/mach-k3/keys/custMpk.pem";
>> +			public-key-cert = "arch/arm/mach-k3/keys/custMpk.crt";
>> +			monotonic-count = <0x1>;
>> +
>> +			blob {
>> +				filename = "sysfw.itb";
>> +			};
>> +		};
>> +	};
>> +};
>> +
>>   #endif
>>   
>>   #ifdef CONFIG_TARGET_J721E_A72_EVM
>> @@ -585,4 +608,13 @@
>>   		};
>>   	};
>>   };
>> +
>> +#include "k3-binman-capsule.dtsi"
>> +&tispl_name {
>> +	filename = "tispl.bin_unsigned";
>
> Why use the _unsigned images here? HS devices cannot boot unsigned GP images,
> but both GP and HS devices *can* boot the normal signed images (GP just strips
> the signatures off). So no need to use the _unsigned images anymore (I'm
> planning to just remove them at some point to prevent this confusion).
>
I can do that.

Note that you will then see warnings on GP devices during boot:

  Warning: Detected image signing certificate on GP device. Skipping certificate to prevent boot failure. This will fail if the image was also encrypted

Jon

> Andrew
>
>> +};
>> +&uboot_name {
>> +	filename = "u-boot.img_unsigned";
>> +};
>> +
>>   #endif
Andrew Davis April 10, 2024, 6:38 p.m. UTC | #3
On 4/10/24 1:24 PM, Jon Humphreys wrote:
> Andrew Davis <afd@ti.com> writes:
> 
>> On 4/8/24 5:17 PM, Jonathan Humphreys wrote:
>>> Signed-off-by: Jonathan Humphreys <j-humphreys@ti.com>
>>> ---
>>>    arch/arm/dts/k3-j721e-binman.dtsi | 32 +++++++++++++++++++++++++++++++
>>>    1 file changed, 32 insertions(+)
>>>
>>> diff --git a/arch/arm/dts/k3-j721e-binman.dtsi b/arch/arm/dts/k3-j721e-binman.dtsi
>>> index 75a6e9599b9..9169551c422 100644
>>> --- a/arch/arm/dts/k3-j721e-binman.dtsi
>>> +++ b/arch/arm/dts/k3-j721e-binman.dtsi
>>> @@ -207,6 +207,29 @@
>>>    		};
>>>    	};
>>>    };
>>> +
>>> +#include "k3-binman-capsule-r5.dtsi"
>>> +
>>> +// Capsue update GUIDs.  See ti_armv7_common.h.
>>> +#define K3_SYSFW_IMAGE_UUID_STR "6fd10680-361b-431f-80aa-899455819e11"
>>> +
>>> +&binman {
>>> +	capsule-sysfw {
>>> +		filename = "sysfw-capsule.bin";
>>> +		efi-capsule {
>>> +			image-index = <0x4>;
>>> +			image-guid = K3_SYSFW_IMAGE_UUID_STR;
>>> +			private-key = "arch/arm/mach-k3/keys/custMpk.pem";
>>> +			public-key-cert = "arch/arm/mach-k3/keys/custMpk.crt";
>>> +			monotonic-count = <0x1>;
>>> +
>>> +			blob {
>>> +				filename = "sysfw.itb";
>>> +			};
>>> +		};
>>> +	};
>>> +};
>>> +
>>>    #endif
>>>    
>>>    #ifdef CONFIG_TARGET_J721E_A72_EVM
>>> @@ -585,4 +608,13 @@
>>>    		};
>>>    	};
>>>    };
>>> +
>>> +#include "k3-binman-capsule.dtsi"
>>> +&tispl_name {
>>> +	filename = "tispl.bin_unsigned";
>>
>> Why use the _unsigned images here? HS devices cannot boot unsigned GP images,
>> but both GP and HS devices *can* boot the normal signed images (GP just strips
>> the signatures off). So no need to use the _unsigned images anymore (I'm
>> planning to just remove them at some point to prevent this confusion).
>>
> I can do that.
> 
> Note that you will then see warnings on GP devices during boot:
> 
>    Warning: Detected image signing certificate on GP device. Skipping certificate to prevent boot failure. This will fail if the image was also encrypted
> 

True, I'll send a fix for that.

Andrew

> Jon
> 
>> Andrew
>>
>>> +};
>>> +&uboot_name {
>>> +	filename = "u-boot.img_unsigned";
>>> +};
>>> +
>>>    #endif

Patch

diff --git a/arch/arm/dts/k3-j721e-binman.dtsi b/arch/arm/dts/k3-j721e-binman.dtsi
index 75a6e9599b9..9169551c422 100644
--- a/arch/arm/dts/k3-j721e-binman.dtsi
+++ b/arch/arm/dts/k3-j721e-binman.dtsi
@@ -207,6 +207,29 @@ 
 		};
 	};
 };
+
+#include "k3-binman-capsule-r5.dtsi"
+
+// Capsue update GUIDs.  See ti_armv7_common.h.
+#define K3_SYSFW_IMAGE_UUID_STR "6fd10680-361b-431f-80aa-899455819e11"
+
+&binman {
+	capsule-sysfw {
+		filename = "sysfw-capsule.bin";
+		efi-capsule {
+			image-index = <0x4>;
+			image-guid = K3_SYSFW_IMAGE_UUID_STR;
+			private-key = "arch/arm/mach-k3/keys/custMpk.pem";
+			public-key-cert = "arch/arm/mach-k3/keys/custMpk.crt";
+			monotonic-count = <0x1>;
+
+			blob {
+				filename = "sysfw.itb";
+			};
+		};
+	};
+};
+
 #endif
 
 #ifdef CONFIG_TARGET_J721E_A72_EVM
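Review bot: The `private-key` and `public-key-cert` properties in the new `efi-capsule` node point at `arch/arm/mach-k3/keys/custMpk.pem` and `custMpk.crt`, which are paths inside the source tree, so the capsule is presumably signed with a key that anyone holding the tree can read. A signature made with such a key gives no authenticity on a production board, so I would add a comment above the node such as `/* custMpk.* is the in-tree development key; point both properties at the product's own key material before shipping capsules */`. The hard-coded `monotonic-count = <0x1>` deserves a similar note, because a constant value cannot tell an older capsule from a newer one if anything relies on it for ordering. The comment on the added `#define` reads "Capsue" for "Capsule". The GUID string also duplicates a value that the comment says lives in ti_armv7_common.h, so the two copies can drift unless one is derived from the other.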
@@ -585,4 +608,13 @@ 
 		};
 	};
 };
+
+#include "k3-binman-capsule.dtsi"
+&tispl_name {
+	filename = "tispl.bin_unsigned";
+};
+&uboot_name {
+	filename = "u-boot.img_unsigned";
+};
+
 #endif