Message ID | 20230215193355.9676-3-afd@ti.com |
---|---|
State | Accepted |
Delegated to: | Ryan Eatmon |
Headers | show |
Series | ti-rtos-firmware and secdev | expand |
On Wed, Feb 15, 2023 at 01:33:42PM -0600, Andrew Davis via lists.yoctoproject.org wrote: > Use the new ti-k3-secdev package to pull in the signing tools if they are > not provided by the environment. This allows us to use these tools > unconditionally. Remove the checks for the script and do the signing > for all K3 machines. The signature is automatically stripped from > the binaries on non-HS devices at boot time as needed so this change > is harmless for GP devices. > > Signed-off-by: Andrew Davis <afd@ti.com> Tested-by: Denys Dmytriyenko <denys@konsulko.com> > --- > .../trusted-firmware-a_%.bbappend | 39 ++++--------------- > 1 file changed, 7 insertions(+), 32 deletions(-) > > diff --git a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend > index 5acc5c2e..be601e62 100644 > --- a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend > +++ b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend > @@ -6,39 +6,14 @@ TFA_BUILD_TARGET:k3 = "all" > TFA_INSTALL_TARGET:k3 = "bl31" > TFA_SPD:k3 = "opteed" > > +# Use TI SECDEV for signing > +inherit ti-secdev > + > EXTRA_OEMAKE:append:k3 = "${@ ' K3_USART=' + d.getVar('TFA_K3_USART') if d.getVar('TFA_K3_USART') else ''}" > EXTRA_OEMAKE:append:k3 = "${@ ' K3_PM_SYSTEM_SUSPEND=' + d.getVar('TFA_K3_SYSTEM_SUSPEND') if d.getVar('TFA_K3_SYSTEM_SUSPEND') else ''}" > > -# Signing procedure for K3 HS devices > -tfa_sign_k3hs() { > - export TI_SECURE_DEV_PKG=${TI_SECURE_DEV_PKG} > - ( cd ${BUILD_DIR}; \ > - mv bl31.bin bl31.bin.unsigned; \ > - if [ -f ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ]; then \ > - ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh bl31.bin.unsigned bl31.bin; \ > - else \ > - echo "Warning: TI_SECURE_DEV_PKG not set, TF-A not signed."; \ > - cp bl31.bin.unsigned bl31.bin; \ > - fi; \ > - ) > -} > - > -do_compile:append:am65xx-hs-evm() { > - tfa_sign_k3hs > -} > - > -do_compile:append:am64xx-evm() { > - tfa_sign_k3hs > -} > - > -do_compile:append:j721e-hs-evm() { > - tfa_sign_k3hs > -} > - > -do_compile:append:j7200-hs-evm() { > - tfa_sign_k3hs > -} > - > -do_compile:append:j721s2-hs-evm() { > - tfa_sign_k3hs > +# Signing procedure for K3 devices > +do_compile:append:k3() { > + mv ${BUILD_DIR}/bl31.bin ${BUILD_DIR}/bl31.bin.unsigned > + ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ${BUILD_DIR}/bl31.bin.unsigned ${BUILD_DIR}/bl31.bin > } > -- > 2.39.1
diff --git a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend index 5acc5c2e..be601e62 100644 --- a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend +++ b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend @@ -6,39 +6,14 @@ TFA_BUILD_TARGET:k3 = "all" TFA_INSTALL_TARGET:k3 = "bl31" TFA_SPD:k3 = "opteed" +# Use TI SECDEV for signing +inherit ti-secdev + EXTRA_OEMAKE:append:k3 = "${@ ' K3_USART=' + d.getVar('TFA_K3_USART') if d.getVar('TFA_K3_USART') else ''}" EXTRA_OEMAKE:append:k3 = "${@ ' K3_PM_SYSTEM_SUSPEND=' + d.getVar('TFA_K3_SYSTEM_SUSPEND') if d.getVar('TFA_K3_SYSTEM_SUSPEND') else ''}" -# Signing procedure for K3 HS devices -tfa_sign_k3hs() { - export TI_SECURE_DEV_PKG=${TI_SECURE_DEV_PKG} - ( cd ${BUILD_DIR}; \ - mv bl31.bin bl31.bin.unsigned; \ - if [ -f ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ]; then \ - ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh bl31.bin.unsigned bl31.bin; \ - else \ - echo "Warning: TI_SECURE_DEV_PKG not set, TF-A not signed."; \ - cp bl31.bin.unsigned bl31.bin; \ - fi; \ - ) -} - -do_compile:append:am65xx-hs-evm() { - tfa_sign_k3hs -} - -do_compile:append:am64xx-evm() { - tfa_sign_k3hs -} - -do_compile:append:j721e-hs-evm() { - tfa_sign_k3hs -} - -do_compile:append:j7200-hs-evm() { - tfa_sign_k3hs -} - -do_compile:append:j721s2-hs-evm() { - tfa_sign_k3hs +# Signing procedure for K3 devices +do_compile:append:k3() { + mv ${BUILD_DIR}/bl31.bin ${BUILD_DIR}/bl31.bin.unsigned + ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ${BUILD_DIR}/bl31.bin.unsigned ${BUILD_DIR}/bl31.bin }
Use the new ti-k3-secdev package to pull in the signing tools if they are not provided by the environment. This allows us to use these tools unconditionally. Remove the checks for the script and do the signing for all K3 machines. The signature is automatically stripped from the binaries on non-HS devices at boot time as needed so this change is harmless for GP devices. Signed-off-by: Andrew Davis <afd@ti.com> --- .../trusted-firmware-a_%.bbappend | 39 ++++--------------- 1 file changed, 7 insertions(+), 32 deletions(-)