Message ID | 20240119061937.1368163-4-jamin_lin@aspeedtech.com |
---|---|
State | New |
Series | [v2,1/4] uboot-sign: set load address and entrypoint |
On Fri, 2024-01-19 at 14:19 +0800, Jamin Lin via lists.openembedded.org wrote: > Currently, u-boot FIT image only support to load u-boot image. > To support optee-os and trusted-firmware-a, update ITS file generation > scripts, so users are able to use u-boot FIT image to load > u-boot, optee-os and treustred-firmware-a images > > Add a variable "UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A" to > enable trusted-firmware-a image and it is disable by default. > > Add a variable "UBOOT_FIT_OPTEE_OS" to enable optee-os image > and it is disable by default. > > The ITS file creation looks like as following. > 1. Both optee-os and trusted-firmware-a are disabled. > ''' > /dts-v1/; > > / { > images { > uboot { > }; > fdt { > }; > }; > > configurations { > default = "conf"; > conf { > loadables = "uboot"; > fdt = "fdt"; > }; > }; > }; > ''' > > 2. Only enable optee-os > ''' > /dts-v1/; > > / { > images { > uboot { > }; > fdt { > }; > optee { > }; > }; > > configurations { > default = "conf"; > conf { > firmware = "optee"; > loadables = "uboot"; > fdt = "fdt"; > }; > }; > }; > ''' > > 3. Both optee-os and trusted-firmware-a are enabled > ''' > /dts-v1/; > > / { > images { > uboot { > }; > fdt { > }; > atf { > }; > optee { > }; > }; > > configurations { > default = "conf"; > conf { > firmware = "atf"; > loadables = "uboot", "optee"; > fdt = "fdt"; > }; > }; > }; > ''' > > Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com> > --- > meta/classes-recipe/uboot-sign.bbclass | 91 +++++++++++++++++++++++++- > 1 file changed, 90 insertions(+), 1 deletion(-) > > diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass > index 7a0b8047e4..d2b1013b93 100644 > --- a/meta/classes-recipe/uboot-sign.bbclass > +++ b/meta/classes-recipe/uboot-sign.bbclass 
> @@ -91,6 +91,18 @@ KERNEL_PN = "${PREFERRED_PROVIDER_virtual/kernel}" > UBOOT_FIT_UBOOT_LOADADDRESS ?= "${UBOOT_LOADADDRESS}" > UBOOT_FIT_UBOOT_ENTRYPOINT ?= "${UBOOT_ENTRYPOINT}" > > +# Trusted Firmware-A (TF-A) provides a reference implementation of > +# secure world software for Armv7-A and Armv8-A, > +# including a Secure Monitor executing at Exception Level 3 (EL3) > +# ATF is used as the initial start code on ARMv8-A cores for all K3 platforms > +UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A ?= "0" > +UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_IMAGE ?= "bl31.bin" > + > +# OP-TEE is a Trusted Execution Environment (TEE) designed as > +# companion to a non-secure Linux kernel running on Arm > +UBOOT_FIT_OPTEE_OS ?= "0" > +UBOOT_FIT_OPTEE_OS_IMAGE ?= "tee-raw.bin" > + > python() { > # We need u-boot-tools-native if we're creating a U-Boot fitImage > sign = d.getVar('UBOOT_SIGN_ENABLE') == '1' > @@ -237,6 +249,20 @@ addtask uboot_generate_rsa_keys before do_uboot_assemble_fitimage after do_compi > # Create a ITS file for the U-boot FIT, for use when > # we want to sign it so that the SPL can verify it > uboot_fitimage_assemble() { > + conf_loadables="\"uboot\"" > + conf_firmware="" > + > + if [ "${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A}" = "1" ]; then > + conf_firmware="\"atf\"" > + if [ "${UBOOT_FIT_OPTEE_OS}" = "1" ]; then > + conf_loadables="\"uboot\", \"optee\"" > + fi > + else > + if [ "${UBOOT_FIT_OPTEE_OS}" = "1" ]; then > + conf_firmware="\"optee\"" > + fi > + fi > + > rm -f ${UBOOT_ITS} ${UBOOT_FITIMAGE_BINARY} > > # First we create the ITS script 
> @@ -289,13 +315,76 @@ EOF > > cat << EOF >> ${UBOOT_ITS} > }; > +EOF > + if [ "${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A}" = "1" ] ; then > + cat << EOF >> ${UBOOT_ITS} > + atf { > + description = "ARM Trusted Firmware-A"; > + data = /incbin/("${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_IMAGE}"); > + type = "firmware"; > + arch = "${UBOOT_ARCH}"; > + os = "arm-trusted-firmware"; > + load = <${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_LOADADDRESS}>; > + entry = <${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_ENTRYPOINT}>; > + compression = "none"; > +EOF > + > + if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then > + cat << EOF >> ${UBOOT_ITS} > + signature { > + algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}"; > + key-name-hint = "${SPL_SIGN_KEYNAME}"; > + }; > +EOF > + fi > + > + cat << EOF >> ${UBOOT_ITS} > + }; > +EOF > + fi > + > + if [ "${UBOOT_FIT_OPTEE_OS}" = "1" ] ; then > + cat << EOF >> ${UBOOT_ITS} > + optee { > + description = "OPTEE OS Image"; > + data = /incbin/("${UBOOT_FIT_OPTEE_OS_IMAGE}"); > + type = "tee"; > + arch = "${UBOOT_ARCH}"; > + os = "tee"; > + load = <${UBOOT_FIT_OPTEE_OS_LOADADDRESS}>; > + entry = <${UBOOT_FIT_OPTEE_OS_ENTRYPOINT}>; > + compression = "none"; > +EOF > + > + if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then > + cat << EOF >> ${UBOOT_ITS} > + signature { > + algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}"; > + key-name-hint = "${SPL_SIGN_KEYNAME}"; > + }; > +EOF > + fi > + > + cat << EOF >> ${UBOOT_ITS} > + }; > +EOF > + fi > + > + cat << EOF >> ${UBOOT_ITS} > }; > > configurations { > default = "conf"; > conf { > description = "Boot with signed U-Boot FIT"; > - loadables = "uboot"; > +EOF > + if [ -n "${conf_firmware}" ]; then > + cat << EOF >> ${UBOOT_ITS} > + firmware = ${conf_firmware}; > +EOF > + fi > + cat << EOF >> ${UBOOT_ITS} > + loadables = ${conf_loadables}; > fdt = "fdt"; > }; > }; These changes look good thanks. I'm just a bit worried they don't have any test coverage so they're easily going to regress? There are also no documentation patches? 
Cheers, Richard
> -----Original Message-----
> From: Richard Purdie <richard.purdie@linuxfoundation.org>
> Sent: Saturday, January 27, 2024 1:05 AM
> To: Jamin Lin <jamin_lin@aspeedtech.com>;
> openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core] [PATCH v2 4/4] uboot-sign: support to load optee-os and
> TFA images
>
> On Fri, 2024-01-19 at 14:19 +0800, Jamin Lin via lists.openembedded.org
> wrote:
> > Currently, u-boot FIT image only support to load u-boot image.
> > To support optee-os and trusted-firmware-a, update ITS file generation
> > scripts, so users are able to use u-boot FIT image to load u-boot,
> > optee-os and trusted-firmware-a images
> >
> > Add a variable "UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A" to enable
> > trusted-firmware-a image and it is disable by default.
> >
> > Add a variable "UBOOT_FIT_OPTEE_OS" to enable optee-os image and it is
> > disable by default.
> >
> > The ITS file creation looks like as following.
> > 1. Both optee-os and trusted-firmware-a are disabled.
> > '''
> > /dts-v1/;
> >
> > / {
> >     images {
> >         uboot {
> >         };
> >         fdt {
> >         };
> >     };
> >
> >     configurations {
> >         default = "conf";
> >         conf {
> >             loadables = "uboot";
> >             fdt = "fdt";
> >         };
> >     };
> > };
> > '''
> >
> > 2. Only enable optee-os
> > '''
> > /dts-v1/;
> >
> > / {
> >     images {
> >         uboot {
> >         };
> >         fdt {
> >         };
> >         optee {
> >         };
> >     };
> >
> >     configurations {
> >         default = "conf";
> >         conf {
> >             firmware = "optee";
> >             loadables = "uboot";
> >             fdt = "fdt";
> >         };
> >     };
> > };
> > '''
> >
> > 3. Both optee-os and trusted-firmware-a are enabled
> > '''
> > /dts-v1/;
> >
> > / {
> >     images {
> >         uboot {
> >         };
> >         fdt {
> >         };
> >         atf {
> >         };
> >         optee {
> >         };
> >     };
> >
> >     configurations {
> >         default = "conf";
> >         conf {
> >             firmware = "atf";
> >             loadables = "uboot", "optee";
> >             fdt = "fdt";
> >         };
> >     };
> > };
> > '''
> > > > Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com> > > --- > > meta/classes-recipe/uboot-sign.bbclass | 91 > > +++++++++++++++++++++++++- > > 1 file changed, 90 insertions(+), 1 deletion(-) > > > > diff --git a/meta/classes-recipe/uboot-sign.bbclass > > b/meta/classes-recipe/uboot-sign.bbclass > > index 7a0b8047e4..d2b1013b93 100644 > > --- a/meta/classes-recipe/uboot-sign.bbclass > > +++ b/meta/classes-recipe/uboot-sign.bbclass > > @@ -91,6 +91,18 @@ KERNEL_PN = > "${PREFERRED_PROVIDER_virtual/kernel}" > > UBOOT_FIT_UBOOT_LOADADDRESS ?= "${UBOOT_LOADADDRESS}" > > UBOOT_FIT_UBOOT_ENTRYPOINT ?= "${UBOOT_ENTRYPOINT}" > > > > +# Trusted Firmware-A (TF-A) provides a reference implementation of # > > +secure world software for Armv7-A and Armv8-A, # including a Secure > > +Monitor executing at Exception Level 3 (EL3) # ATF is used as the > > +initial start code on ARMv8-A cores for all K3 platforms > > +UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A ?= "0" > > +UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_IMAGE ?= "bl31.bin" > > + > > +# OP-TEE is a Trusted Execution Environment (TEE) designed as # > > +companion to a non-secure Linux kernel running on Arm > > +UBOOT_FIT_OPTEE_OS ?= "0" > > +UBOOT_FIT_OPTEE_OS_IMAGE ?= "tee-raw.bin" > > + > > python() { > > # We need u-boot-tools-native if we're creating a U-Boot fitImage > > sign = d.getVar('UBOOT_SIGN_ENABLE') == '1' 
> > @@ -237,6 +249,20 @@ addtask uboot_generate_rsa_keys before > > do_uboot_assemble_fitimage after do_compi # Create a ITS file for the > > U-boot FIT, for use when # we want to sign it so that the SPL can > > verify it > > uboot_fitimage_assemble() { > > + conf_loadables="\"uboot\"" > > + conf_firmware="" > > + > > + if [ "${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A}" = "1" ]; then > > + conf_firmware="\"atf\"" > > + if [ "${UBOOT_FIT_OPTEE_OS}" = "1" ]; then > > + conf_loadables="\"uboot\", \"optee\"" > > + fi > > + else > > + if [ "${UBOOT_FIT_OPTEE_OS}" = "1" ]; then > > + conf_firmware="\"optee\"" > > + fi > > + fi > > + > > rm -f ${UBOOT_ITS} ${UBOOT_FITIMAGE_BINARY} > > > > # First we create the ITS script 
> > @@ -289,13 +315,76 @@ EOF > > > > cat << EOF >> ${UBOOT_ITS} > > }; > > +EOF > > + if [ "${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A}" = "1" ] ; then > > + cat << EOF >> ${UBOOT_ITS} > > + atf { > > + description = "ARM Trusted Firmware-A"; > > + data = > /incbin/("${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_IMAGE}"); > > + type = "firmware"; > > + arch = "${UBOOT_ARCH}"; > > + os = "arm-trusted-firmware"; > > + load = > <${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_LOADADDRESS}>; > > + entry = > <${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_ENTRYPOINT}>; > > + compression = "none"; > > +EOF > > + > > + if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then > > + cat << EOF >> ${UBOOT_ITS} > > + signature { > > + algo = > "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}"; > > + key-name-hint = "${SPL_SIGN_KEYNAME}"; > > + }; > > +EOF > > + fi > > + > > + cat << EOF >> ${UBOOT_ITS} > > + }; > > +EOF > > + fi > > + > > + if [ "${UBOOT_FIT_OPTEE_OS}" = "1" ] ; then > > + cat << EOF >> ${UBOOT_ITS} > > + optee { > > + description = "OPTEE OS Image"; > > + data = /incbin/("${UBOOT_FIT_OPTEE_OS_IMAGE}"); > > + type = "tee"; > > + arch = "${UBOOT_ARCH}"; > > + os = "tee"; > > + load = <${UBOOT_FIT_OPTEE_OS_LOADADDRESS}>; > > + entry = <${UBOOT_FIT_OPTEE_OS_ENTRYPOINT}>; > > + compression = "none"; > > +EOF > > + > > + if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then > > + cat << EOF >> ${UBOOT_ITS} > > + signature { > > + algo = > "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}"; > > + key-name-hint = "${SPL_SIGN_KEYNAME}"; > > + }; > > +EOF > > + fi > > + > > + cat << EOF >> ${UBOOT_ITS} > > + }; > > +EOF > > + fi > > + > > + cat << EOF >> ${UBOOT_ITS} > > }; > > > > configurations { > > default = "conf"; > > conf { > > description = "Boot with signed U-Boot FIT"; > > - loadables = "uboot"; > > +EOF > > + if [ -n "${conf_firmware}" ]; then > > + cat << EOF >> ${UBOOT_ITS} > > + firmware = ${conf_firmware}; EOF > > + fi > > + cat << EOF >> ${UBOOT_ITS} > > + loadables = ${conf_loadables}; > > fdt = "fdt"; > > }; > > }; > > These 
changes look good thanks. I'm just a bit worried they don't have any test
> coverage so they're easily going to regress?
>
> There are also no documentation patches?
>
> Cheers,
>
> Richard

Hi Richard,

Thanks for your review and sorry reply you late.

Did you mean I should create a new patch to add test case for fitimage of oe-selftest in this series patch?

After I read this document https://docs.yoctoproject.org/test-manual/index.html, it seems
oe-selftest support to test the generated u-boot FIT image and the generated u-boot.its here,
meta/lib/oeqa/selftest/cases/fitimage.py

Do I need to add more test case to test u-boot.its and u-boot FIT image for my modifications such as optee-os and trusted-firmware-a supported FIT image?
According to the design of optee-os and trusted-firmware-a, both recipes were placed in meta-arm meta layer, https://git.yoctoproject.org/meta-arm/tree
Can I add dependencies in both meta/classes-recipe/uboot-sign.bbclass and meta/lib/oeqa/selftest/cases/fitimage.py.

One more question, "There are also no documentation patches?", Did you mean to update Yocto document?
If yes, could you please tell me which document I need to update?

Thanks-Jamin
On Wed, 2024-01-31 at 08:54 +0000, Jamin Lin wrote:
>
> Thanks for your review and sorry reply you late.
>
> Did you mean I should create a new patch to add test case for fitimage of oe-selftest in this series patch?

Ideally, yes please, we should really have test coverage for new things
we're adding.

> After I read this document https://docs.yoctoproject.org/test-manual/index.html, it seems
> oe-selftest support to test the generated u-boot FIT image and the generated u-boot.its here,
> meta/lib/oeqa/selftest/cases/fitimage.py
>
> Do I need to add more test case to test u-boot.its and u-boot FIT image for my modifications such as optee-os and trusted-firmware-a supported FIT image?
> According to the design of optee-os and trusted-firmware-a, both recipes were placed in meta-arm meta layer, https://git.yoctoproject.org/meta-arm/tree
> Can I add dependencies in both meta/classes-recipe/uboot-sign.bbclass and meta/lib/oeqa/selftest/cases/fitimage.py.

For this I'm wondering if meta-arm would accept the test case and be able
to run it there? I've copied Ross/Jon who might be able to help with ideas
on that.

>
> One more question, "There are also no documentation patches?", Did you mean to update Yocto document?
> If yes, could you please tell me which document I need to update?
>

Where you add new variables we need to define them in the manual:

https://git.yoctoproject.org/yocto-docs/tree/documentation/ref-manual/variables.rst

Also, the classes are documented:

https://git.yoctoproject.org/yocto-docs/tree/documentation/ref-manual/classes.rst

so if the variables are class specific, they should probably be
referenced from the class documentation itself.

Cheers,

Richard
> On Wed, 2024-01-31 at 08:54 +0000, Jamin Lin wrote:
> >
> > Thanks for your review and sorry reply you late.
> >
> > Did you mean I should create a new patch to add test case for fitimage of
> > oe-selftest in this series patch?
>
> Ideally, yes please, we should really have test coverage for new things we're
> adding.
>
> > After I read this document
> > https://docs.yoctoproject.org/test-manual/index.html, it seems
> > oe-selftest support to test the generated u-boot FIT image and the
> > generated u-boot.its here, meta/lib/oeqa/selftest/cases/fitimage.py
> >
> > Do I need to add more test case to test u-boot.its and u-boot FIT image for
> > my modifications such as optee-os and trusted-firmware-a supported FIT
> > image?
> > According to the design of optee-os and trusted-firmware-a, both
> > recipes were placed in meta-arm meta layer,
> > https://git.yoctoproject.org/meta-arm/tree
> > Can I add dependencies in both meta/classes-recipe/uboot-sign.bbclass and
> > meta/lib/oeqa/selftest/cases/fitimage.py.
>
> For this I'm wondering if meta-arm would accept the test case and be able to
> run it there? I've copied Ross/Jon who might be able to help with ideas on that.
>

Richard, Ross and Jon,

It seems that I can refer/modify openembedded-core/meta/lib/oeqa/selftest/cases/fitimage.py (only add test case to test u-boot fit image for optee-os and trusted-firmware-a) and
copy this file into meta-arm layer in this directory, https://git.yoctoproject.org/meta-arm/tree/meta-arm/lib/oeqa/selftest/cases/tests.

Regarding the u-boot fit image generation dependency, can I add optee-os and trusted-firmware dependency in meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend and the contents of u-boot_%.bbappend as following.

do_compile[depends] += " \
    ${@bb.utils.contains('UBOOT_FIT_OPTEE_OS', '1', 'optee-os:do_deploy', '', d)} \
    ${@bb.utils.contains('UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A', '1', 'trusted-firmware-a:do_deploy', '', d)} \
"

Any suggestion will be appreciated.
> >
> > One more question, "There are also no documentation patches?", Did you
> > mean to update Yocto document?
> > If yes, could you please tell me which document I need to update?
> >
>
> Where you add new variables we need to define them in the manual:
>
> https://git.yoctoproject.org/yocto-docs/tree/documentation/ref-manual/variables.rst
>
> Also, the classes are documented:
>
> https://git.yoctoproject.org/yocto-docs/tree/documentation/ref-manual/classes.rst
>
> so if the variables are class specific, they should probably be referenced from
> the class documentation itself.
>

Will update Yocto ref-manual.

Thanks-Jamin

> Cheers,
>
> Richard
On 1 Feb 2024, at 02:00, Jamin Lin <jamin_lin@aspeedtech.com> wrote:
> It seems that I can refer/modify openembedded-core/meta/lib/oeqa/selftest/cases/fitimage.py (only add test case to test u-boot fit image for optee-os and trusted-firmware-a) and
> copy this file into meta-arm layer in this directory, https://git.yoctoproject.org/meta-arm/tree/meta-arm/lib/oeqa/selftest/cases/tests.
>
> Regarding the u-boot fit image generation dependency, can I add optee-os and trusted-firmware dependency in meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend and the contents of u-boot_%.bbappend as following.
>
> do_compile[depends] += " \
>     ${@bb.utils.contains('UBOOT_FIT_OPTEE_OS', '1', 'optee-os:do_deploy', '', d)} \
>     ${@bb.utils.contains('UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A', '1', 'trusted-firmware-a:do_deploy', '', d)} \
> "

It feels to me that we're slowly creating two parallel generalised fit image classes, one called "uboot_sign" and the other called "kernel-fitimage"... Surely there should be just _one_ fit image creation class that can do everything in a generalised way?

Ross
> -----Original Message-----
> From: Ross Burton <Ross.Burton@arm.com>
> Sent: Friday, February 9, 2024 2:03 AM
> To: Jamin Lin <jamin_lin@aspeedtech.com>
> Cc: Richard Purdie <richard.purdie@linuxfoundation.org>;
> openembedded-core@lists.openembedded.org; Jon Mason
> <Jon.Mason@arm.com>
> Subject: Re: [OE-core] [PATCH v2 4/4] uboot-sign: support to load optee-os and
> TFA images
>
> On 1 Feb 2024, at 02:00, Jamin Lin <jamin_lin@aspeedtech.com> wrote:
> > It seems that I can refer/modify
> > openembedded-core/meta/lib/oeqa/selftest/cases/fitimage.py (only add test
> > case to test u-boot fit image for optee-os and trusted-firmware-a) and copy
> > this file into meta-arm layer in this directory,
> > https://git.yoctoproject.org/meta-arm/tree/meta-arm/lib/oeqa/selftest/cases/tests.
> >
> > Regarding the u-boot fit image generation dependency, can I add optee-os
> > and trusted-firmware dependency in
> > meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend and the contents of
> > u-boot_%.bbappend as following.
> >
> > do_compile[depends] += " \
> >     ${@bb.utils.contains('UBOOT_FIT_OPTEE_OS', '1', 'optee-os:do_deploy', '', d)} \
> >     ${@bb.utils.contains('UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A', '1', 'trusted-firmware-a:do_deploy', '', d)} \
> > "
>
> It feels to me that we're slowly creating two parallel generalised fit image
> classes, one called "uboot_sign" and the other called "kernel-fitimage"...
> Surely there should be just _one_ fit image creation class that can do
> everything in a generalised way?
>

Hi Ross,

I am not the maintainer of uboot-sign.bbclass and kernel-fitimage.bbclass.
I don't know whether the only one .bbclass for u-boot and kernel fit image generation is a good solution or not.
It seems that a single .bbclass to create two fit image is too complicated.
1. only u-boot fit image has TFA
2. only kernel fit image has ramdisk

Thanks-Jamin

> Ross
diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass index 7a0b8047e4..d2b1013b93 100644 --- a/meta/classes-recipe/uboot-sign.bbclass +++ b/meta/classes-recipe/uboot-sign.bbclass @@ -91,6 +91,18 @@ KERNEL_PN = "${PREFERRED_PROVIDER_virtual/kernel}" UBOOT_FIT_UBOOT_LOADADDRESS ?= "${UBOOT_LOADADDRESS}" UBOOT_FIT_UBOOT_ENTRYPOINT ?= "${UBOOT_ENTRYPOINT}" +# Trusted Firmware-A (TF-A) provides a reference implementation of +# secure world software for Armv7-A and Armv8-A, +# including a Secure Monitor executing at Exception Level 3 (EL3) +# ATF is used as the initial start code on ARMv8-A cores for all K3 platforms +UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A ?= "0" +UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_IMAGE ?= "bl31.bin" + +# OP-TEE is a Trusted Execution Environment (TEE) designed as +# companion to a non-secure Linux kernel running on Arm +UBOOT_FIT_OPTEE_OS ?= "0" +UBOOT_FIT_OPTEE_OS_IMAGE ?= "tee-raw.bin" + python() { # We need u-boot-tools-native if we're creating a U-Boot fitImage sign = d.getVar('UBOOT_SIGN_ENABLE') == '1' @@ -237,6 +249,20 @@ addtask uboot_generate_rsa_keys before do_uboot_assemble_fitimage after do_compi # Create a ITS file for the U-boot FIT, for use when # we want to sign it so that the SPL can verify it uboot_fitimage_assemble() { + conf_loadables="\"uboot\"" + conf_firmware="" + + if [ "${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A}" = "1" ]; then + conf_firmware="\"atf\"" + if [ "${UBOOT_FIT_OPTEE_OS}" = "1" ]; then + conf_loadables="\"uboot\", \"optee\"" + fi + else + if [ "${UBOOT_FIT_OPTEE_OS}" = "1" ]; then + conf_firmware="\"optee\"" + fi + fi + rm -f ${UBOOT_ITS} ${UBOOT_FITIMAGE_BINARY} # First we create the ITS script 
@@ -289,13 +315,76 @@ EOF cat << EOF >> ${UBOOT_ITS} }; +EOF + if [ "${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A}" = "1" ] ; then + cat << EOF >> ${UBOOT_ITS} + atf { + description = "ARM Trusted Firmware-A"; + data = /incbin/("${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_IMAGE}"); + type = "firmware"; + arch = "${UBOOT_ARCH}"; + os = "arm-trusted-firmware"; + load = <${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_LOADADDRESS}>; + entry = <${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_ENTRYPOINT}>; + compression = "none"; +EOF + + if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then + cat << EOF >> ${UBOOT_ITS} + signature { + algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}"; + key-name-hint = "${SPL_SIGN_KEYNAME}"; + }; +EOF + fi + + cat << EOF >> ${UBOOT_ITS} + }; +EOF + fi + + if [ "${UBOOT_FIT_OPTEE_OS}" = "1" ] ; then + cat << EOF >> ${UBOOT_ITS} + optee { + description = "OPTEE OS Image"; + data = /incbin/("${UBOOT_FIT_OPTEE_OS_IMAGE}"); + type = "tee"; + arch = "${UBOOT_ARCH}"; + os = "tee"; + load = <${UBOOT_FIT_OPTEE_OS_LOADADDRESS}>; + entry = <${UBOOT_FIT_OPTEE_OS_ENTRYPOINT}>; + compression = "none"; +EOF + + if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then + cat << EOF >> ${UBOOT_ITS} + signature { + algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}"; + key-name-hint = "${SPL_SIGN_KEYNAME}"; + }; +EOF + fi + + cat << EOF >> ${UBOOT_ITS} + }; +EOF + fi + + cat << EOF >> ${UBOOT_ITS} }; configurations { default = "conf"; conf { description = "Boot with signed U-Boot FIT"; - loadables = "uboot"; +EOF + if [ -n "${conf_firmware}" ]; then + cat << EOF >> ${UBOOT_ITS} + firmware = ${conf_firmware}; +EOF + fi + cat << EOF >> ${UBOOT_ITS} + loadables = ${conf_loadables}; fdt = "fdt"; }; };
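Review bot: in the "@@ -91,6 +91,18 @@" hunk only the enable flags and the _IMAGE names get defaults, while UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_LOADADDRESS, UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_ENTRYPOINT, UBOOT_FIT_OPTEE_OS_LOADADDRESS and UBOOT_FIT_OPTEE_OS_ENTRYPOINT, which the atf and optee nodes later place in load = <...> and entry = <...>, are neither defaulted nor described in the visible lines. Either give them "?=" defaults with a comment, or fail early when a flag is "1" and its address is unset, so a missing value is caught before the ITS is written. The comment line about "all K3 platforms" is platform-specific and does not fit a generic class.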
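Review bot: in the "@@ -237,6 +249,20 @@" hunk, setting UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A to "1" with UBOOT_FIT_OPTEE_OS left at "0" yields firmware = "atf" with loadables = "uboot", a fourth layout that the commit message does not list alongside its three examples. Please document that combination and cover all four in the selftest, since OP-TEE changes role between the branches (firmware when TF-A is off, a loadable when TF-A is on). Any value other than "1" is silently treated as disabled; a short comment saying so next to conf_firmware would help.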
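Review bot: in the "@@ -289,13 +315,76 @@" hunk the signature nodes are added inside the atf and optee image nodes only, while conf, which now decides which image is firmware and which are loadables, closes straight after fdt = "fdt"; with no signature node of its own. Per-image signatures authenticate each binary but not the role the configuration assigns to it, so consider signing the configuration node as well (U-Boot's FIT signature documentation describes signed configurations for this), or state in the class documentation why per-image signing is enough for the SPL. The two signature heredocs are identical and could be emitted by one helper.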
Currently, u-boot FIT image only support to load u-boot image.
To support optee-os and trusted-firmware-a, update ITS file generation
scripts, so users are able to use u-boot FIT image to load
u-boot, optee-os and trusted-firmware-a images

Add a variable "UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A" to
enable trusted-firmware-a image and it is disable by default.

Add a variable "UBOOT_FIT_OPTEE_OS" to enable optee-os image
and it is disable by default.

The ITS file creation looks like as following.
1. Both optee-os and trusted-firmware-a are disabled.
'''
/dts-v1/;

/ {
    images {
        uboot {
        };
        fdt {
        };
    };

    configurations {
        default = "conf";
        conf {
            loadables = "uboot";
            fdt = "fdt";
        };
    };
};
'''

2. Only enable optee-os
'''
/dts-v1/;

/ {
    images {
        uboot {
        };
        fdt {
        };
        optee {
        };
    };

    configurations {
        default = "conf";
        conf {
            firmware = "optee";
            loadables = "uboot";
            fdt = "fdt";
        };
    };
};
'''

3. Both optee-os and trusted-firmware-a are enabled
'''
/dts-v1/;

/ {
    images {
        uboot {
        };
        fdt {
        };
        atf {
        };
        optee {
        };
    };

    configurations {
        default = "conf";
        conf {
            firmware = "atf";
            loadables = "uboot", "optee";
            fdt = "fdt";
        };
    };
};
'''

Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
---
 meta/classes-recipe/uboot-sign.bbclass | 91 +++++++++++++++++++++++++-
 1 file changed, 90 insertions(+), 1 deletion(-)
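
As an added example (not part of the patch, of OE-core, or of its fitimage.py selftest), the following Python check compares a generated u-boot.its with the layouts listed in the commit message, and also covers the TF-A-only combination that the shell logic produces. The function names, the sample ITS and the rule that every image node is signed when SPL signing is on are assumptions made for illustration.

```python
import re

# Constructed sample: TF-A and OP-TEE both enabled with signing on, but the
# optee node is missing its signature subnode. File names, addresses and the
# key name are placeholders, not values from a real build.
SAMPLE_ITS = '''
/dts-v1/;
/ {
    images {
        uboot { data = /incbin/("u-boot-nodtb.bin"); load = <0x0>;
                signature { algo = "sha256,rsa2048"; key-name-hint = "dev-key"; }; };
        fdt   { data = /incbin/("u-boot.dtb");
                signature { algo = "sha256,rsa2048"; key-name-hint = "dev-key"; }; };
        atf   { data = /incbin/("bl31.bin"); type = "firmware"; load = <0x0>;
                signature { algo = "sha256,rsa2048"; key-name-hint = "dev-key"; }; };
        optee { data = /incbin/("tee-raw.bin"); type = "tee"; load = <0x0>; };
    };
    configurations {
        default = "conf";
        conf { firmware = "atf"; loadables = "uboot", "optee"; fdt = "fdt"; };
    };
};
'''

# "name {" opens a node, "};" closes it, "prop = value;" sets a property.
TOKEN = re.compile(r'([\w,.@-]+|/)\s*\{|\}\s*;|([\w,#-]+)\s*=\s*([^;]*);')

def expected_conf(tfa_enabled, optee_enabled):
    """Firmware and loadables the patch's shell logic selects for 'conf'."""
    if tfa_enabled:
        return "atf", (["uboot", "optee"] if optee_enabled else ["uboot"])
    return ("optee" if optee_enabled else None), ["uboot"]

def parse_its(text):
    """Minimal ITS reader: {node path: {property: [quoted strings]}}."""
    nodes, stack = {}, []
    for m in TOKEN.finditer(text):
        if m.group(1):                      # node opens; root "/" gets path ""
            stack.append("" if m.group(1) == "/" else m.group(1))
            nodes.setdefault("/".join(stack), {})
        elif m.group(2):                    # property inside the current node
            strings = re.findall(r'"([^"]*)"', m.group(3))
            nodes.setdefault("/".join(stack), {})[m.group(2)] = strings
        elif stack:                         # "};" closes the current node
            stack.pop()
    return nodes

def check_uboot_its(text, tfa_enabled, optee_enabled, spl_sign_enabled):
    """Return a list of problems; an empty list means the ITS matches the flags."""
    nodes, problems = parse_its(text), []
    images = {p.split("/")[2] for p in nodes
              if p.startswith("/images/") and p.count("/") == 2}
    want = {"uboot", "fdt"}
    want |= {"atf"} if tfa_enabled else set()
    want |= {"optee"} if optee_enabled else set()
    if images != want:
        problems.append(f"image nodes {sorted(images)} != expected {sorted(want)}")
    conf = nodes.get("/configurations/conf", {})
    firmware, loadables = expected_conf(tfa_enabled, optee_enabled)
    got_firmware = (conf.get("firmware") or [None])[0]
    if got_firmware != firmware:
        problems.append(f"firmware is {got_firmware!r}, expected {firmware!r}")
    if conf.get("loadables") != loadables:
        problems.append(f"loadables are {conf.get('loadables')}, expected {loadables}")
    # Every image the configuration names must exist as an image node.
    for ref in conf.get("firmware", []) + conf.get("loadables", []) + conf.get("fdt", []):
        if ref not in images:
            problems.append(f"conf references missing image '{ref}'")
    # Assumed policy: with SPL signing on, every image node carries a signature.
    if spl_sign_enabled:
        for name in sorted(images):
            if f"/images/{name}/signature" not in nodes:
                problems.append(f"image '{name}' has no signature node")
    return problems
```

The reader is a regular-expression tokenizer and does not handle strings that contain ";" or braces; a selftest would more likely inspect the built image with the tools the existing fitimage.py cases already use.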