
[V5,09/12] arm: dts: iot2050: Optionally embed OTP programming data into image

Message ID b5690b86684a8b391e3f58e7ad0ada5fb88f8a15.1675427201.git.jan.kiszka@siemens.com
State Superseded
Delegated to: Tom Rini

Commit Message

Jan Kiszka Feb. 3, 2023, 12:26 p.m. UTC
From: Jan Kiszka <jan.kiszka@siemens.com>

Use the external blob otpcmd.bin to replace the 0xff-filled OTP programming
command block, creating a firmware image that provisions the OTP on
first boot. This otpcmd.bin is generated from the customer keys using the
steps described in the meta-iot2050 integration layer for the device.

Based on original patch by Baocheng Su.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 arch/arm/dts/k3-am65-iot2050-boot-image.dtsi | 8 ++++++++
 board/siemens/iot2050/Kconfig                | 7 +++++++
 doc/board/siemens/iot2050.rst                | 8 ++++++++
 tools/binman/missing-blob-help               | 8 ++++++++
 4 files changed, 31 insertions(+)

Comments

Lothar Waßmann Feb. 3, 2023, 12:37 p.m. UTC | #1
Hi,

On Fri,  3 Feb 2023 13:26:38 +0100 Jan Kiszka wrote:
> From: Jan Kiszka <jan.kiszka@siemens.com>
> 
> Use external blob otpcmd.bin to replace the 0xff filled OTP programming
> command block to create a firmware image that provisions the OTP on
> first boot. This otpcmd.bin is generated from the customer keys using
> steps described in the meta-iot2050 integration layer for the device.
> 
> Based on original patch by Baocheng Su.
> 
> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
> ---
>  arch/arm/dts/k3-am65-iot2050-boot-image.dtsi | 8 ++++++++
>  board/siemens/iot2050/Kconfig                | 7 +++++++
>  doc/board/siemens/iot2050.rst                | 8 ++++++++
>  tools/binman/missing-blob-help               | 8 ++++++++
>  4 files changed, 31 insertions(+)
> 
> diff --git a/arch/arm/dts/k3-am65-iot2050-boot-image.dtsi b/arch/arm/dts/k3-am65-iot2050-boot-image.dtsi
> index 9082a79a034..25a22a7b7b8 100644
> --- a/arch/arm/dts/k3-am65-iot2050-boot-image.dtsi
> +++ b/arch/arm/dts/k3-am65-iot2050-boot-image.dtsi
> @@ -111,10 +111,18 @@
>  		};
>  
>  		/* OTP update command block */
> +#if CONFIG_IOT2050_EMBED_OTPCMD
> +		blob-ext@0x6c0000 {
> +			offset = <0x6c0000>;
> +			size   = <0x010000>;
> +			filename = "otpcmd.bin";
> +			missing-msg = "iot2050-otpcmd";
> +#else
>  		fill@0x6c0000 {
>  			offset = <0x6c0000>;
>  			size   = <0x010000>;
>  			fill-byte = [ff];
> +#endif
>  		};
>
I would rather include the closing brace in the #if/#else block.
Otherwise, people who copy part of the code will have a bad
experience.


Lothar Waßmann
Jan Kiszka Feb. 3, 2023, 12:40 p.m. UTC | #2
On 03.02.23 13:37, Lothar Waßmann wrote:
> Hi,
> 
> On Fri,  3 Feb 2023 13:26:38 +0100 Jan Kiszka wrote:
>> From: Jan Kiszka <jan.kiszka@siemens.com>
>>
>> Use external blob otpcmd.bin to replace the 0xff filled OTP programming
>> command block to create a firmware image that provisions the OTP on
>> first boot. This otpcmd.bin is generated from the customer keys using
>> steps described in the meta-iot2050 integration layer for the device.
>>
>> Based on original patch by Baocheng Su.
>>
>> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
>> ---
>>  arch/arm/dts/k3-am65-iot2050-boot-image.dtsi | 8 ++++++++
>>  board/siemens/iot2050/Kconfig                | 7 +++++++
>>  doc/board/siemens/iot2050.rst                | 8 ++++++++
>>  tools/binman/missing-blob-help               | 8 ++++++++
>>  4 files changed, 31 insertions(+)
>>
>> diff --git a/arch/arm/dts/k3-am65-iot2050-boot-image.dtsi b/arch/arm/dts/k3-am65-iot2050-boot-image.dtsi
>> index 9082a79a034..25a22a7b7b8 100644
>> --- a/arch/arm/dts/k3-am65-iot2050-boot-image.dtsi
>> +++ b/arch/arm/dts/k3-am65-iot2050-boot-image.dtsi
>> @@ -111,10 +111,18 @@
>>  		};
>>  
>>  		/* OTP update command block */
>> +#if CONFIG_IOT2050_EMBED_OTPCMD
>> +		blob-ext@0x6c0000 {
>> +			offset = <0x6c0000>;
>> +			size   = <0x010000>;
>> +			filename = "otpcmd.bin";
>> +			missing-msg = "iot2050-otpcmd";
>> +#else
>>  		fill@0x6c0000 {
>>  			offset = <0x6c0000>;
>>  			size   = <0x010000>;
>>  			fill-byte = [ff];
>> +#endif
>>  		};
>>
> I would rather include the closing brace in the #if #else block...
> Otherwise people who might copy part of the code will have a bad
> experience.
> 

Yeah, will address if there is a need for v6, otherwise later on top.

Thanks,
Jan

Patch

diff --git a/arch/arm/dts/k3-am65-iot2050-boot-image.dtsi b/arch/arm/dts/k3-am65-iot2050-boot-image.dtsi
index 9082a79a034..25a22a7b7b8 100644
--- a/arch/arm/dts/k3-am65-iot2050-boot-image.dtsi
+++ b/arch/arm/dts/k3-am65-iot2050-boot-image.dtsi
@@ -111,10 +111,18 @@ 
 		};
 
 		/* OTP update command block */
+#if CONFIG_IOT2050_EMBED_OTPCMD
+		blob-ext@0x6c0000 {
+			offset = <0x6c0000>;
+			size   = <0x010000>;
+			filename = "otpcmd.bin";
+			missing-msg = "iot2050-otpcmd";
+#else
 		fill@0x6c0000 {
 			offset = <0x6c0000>;
 			size   = <0x010000>;
 			fill-byte = [ff];
+#endif
 		};
 	};
 };
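Review bot: `#if CONFIG_IOT2050_EMBED_OTPCMD` at the top of the hunk tests the value of a macro that is simply undefined when the Kconfig bool is off, which the preprocessor silently evaluates as 0; `#ifdef CONFIG_IOT2050_EMBED_OTPCMD` states the intent directly and does not rely on that fallback. This node is also the one place where a security-relevant input enters the image, and nothing in the hunk records that: a comment next to the blob-ext node such as `/* otpcmd.bin: OTP key-provisioning commands, run on first boot; binman only places the blob, it does not validate it */` would tell a reader why a missing or wrong file matters (the "does not validate" part is what the Kconfig help implies rather than something this hunk shows, so confirm it before wording it that way). The enclosing binman node starts before this hunk.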
diff --git a/board/siemens/iot2050/Kconfig b/board/siemens/iot2050/Kconfig
index a2b40881d11..e66b2427d95 100644
--- a/board/siemens/iot2050/Kconfig
+++ b/board/siemens/iot2050/Kconfig
@@ -49,4 +49,11 @@  config IOT2050_BOOT_SWITCH
 	bool "Disable eMMC boot via USER button (Advanced version only)"
 	default y
 
+config IOT2050_EMBED_OTPCMD
+	bool "Embed OTP programming data"
+	help
+	  Embed signed OTP programming data 'otpcmd.bin' into the firmware
+	  image. This data will be evaluated and executed on first boot of the
+	  device.
+
 endif
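Review bot: The help text for IOT2050_EMBED_OTPCMD does not say that enabling the option turns otpcmd.bin into a mandatory build input — the dtsi hunk in this patch gives the blob a missing-msg, so binman stops without the file — nor what happens to a device booted with such an image beyond "evaluated and executed". Consider extending the help with `The file otpcmd.bin must be present in the build folder; see doc/board/siemens/iot2050.rst for how to generate it.` and, if the programming is irreversible as the OTP name suggests, a sentence saying so, since any image built with this option set will provision keys on the first boot of whatever board it is flashed to.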
diff --git a/doc/board/siemens/iot2050.rst b/doc/board/siemens/iot2050.rst
index 4e0925c72c9..cb49a0e36bf 100644
--- a/doc/board/siemens/iot2050.rst
+++ b/doc/board/siemens/iot2050.rst
@@ -27,6 +27,14 @@  The following binaries from that source need to be present in the build folder:
  - seboot_pg1.bin
  - seboot_pg2.bin
 
+For building an image containing the OTP key provisioning data, below binary
+needs to be present in the build folder:
+
+ - otpcmd.bin
+
+Regarding how to generating this otpcmd.bin, please refer to:
+https://github.com/siemens/meta-iot2050/tree/master/recipes-bsp/secure-boot-otp-provisioning/files/make-otpcmd.sh
+
 Building
 --------
 
diff --git a/tools/binman/missing-blob-help b/tools/binman/missing-blob-help
index 5bb8961ce03..7e88cd03954 100644
--- a/tools/binman/missing-blob-help
+++ b/tools/binman/missing-blob-help
@@ -23,6 +23,14 @@  See the documentation for IOT2050 board. Your image is missing SEBoot
 which is mandatory for board startup. Prebuilt SEBoot located at
 meta-iot2050/tree/master/recipes-bsp/u-boot/files/prebuild/seboot_pg*.bin.
 
+iot2050-otpcmd:
+See the documentation for IOT2050 board. Your image is missing OTP command data
+block which is used for provisioning the customer keys to the board.
+Please refer to
+meta-iot2050/tree/master/recipes-bsp/secure-boot-otp-provisioning/files/make-otpcmd.sh
+for how to generate this binary. If you are not using secure boot or do not
+intend to provision the keys, disable CONFIG_IOT2050_EMBED_OTPCMD.
+
 k3-rti-wdt-firmware:
 If CONFIG_WDT_K3_RTI_LOAD_FW is enabled, a firmware image is needed for
 the R5F core(s) to trigger the system reset. One possible source is