diff mbox series

uboot-sign: support to load optee-os and TFA images

Message ID 20240115075416.393025-1-jamin_lin@aspeedtech.com
State New
Headers show
Series uboot-sign: support to load optee-os and TFA images | expand

Commit Message

Jamin Lin Jan. 15, 2024, 7:54 a.m. UTC 
Currently, u-boot FIT image only support to load u-boot image.
To support optee-os and trusted-firmware-a, update ITS file generation
scripts, so users are able to use u-boot FIT image to load
u-boot, optee-os and treustred-firmware-a images

Add a variable "UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A" to
enable trusted-firmware-a image and it is disable by default.

Add a variable "UBOOT_FIT_OPTEE_OS" to enable optee-os image
and it is disable by default.

The ITS file creation loos like as following.
1. Both optee-os and trusted-firmware-a are disabled.
'''
/dts-v1/;

/ {
    images {
        uboot {

        };
        fdt {
        };
    };

    configurations {
        default = "conf";
        conf {
            loadables = "uboot";
            fdt = "fdt";
        };
    };
};
'''

2. Only enable optee-os
'''
/dts-v1/;

/ {
    images {
        uboot {
        };
        fdt {
        };
        optee {
        };
    };

    configurations {
        default = "conf";
        conf {
            firmware = "optee";
            loadables = "uboot";
            fdt = "fdt";
        };
    };
};
'''

3: Both optee-os and trusted-firmware-a are enabled
'''
/dts-v1/;

/ {
    images {
        uboot {
        };
        fdt {
        };
        atf {
        };
        optee {
        };
    };

    configurations {
        default = "conf";
        conf {
            firmware = "atf";
            loadables = "uboot", "optee";
            fdt = "fdt";
        };
    };
};
'''

Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
---
 meta/classes-recipe/uboot-sign.bbclass | 91 +++++++++++++++++++++++++-
 1 file changed, 90 insertions(+), 1 deletion(-)

Comments

Sverdlin, Alexander Jan. 16, 2024, 7:54 a.m. UTC | #1 
Hello Jamin!

On Mon, 2024-01-15 at 15:54 +0800, Jamin Lin via lists.openembedded.org wrote:
> Currently, u-boot FIT image only support to load u-boot image.
> To support optee-os and trusted-firmware-a, update ITS file generation
> scripts, so users are able to use u-boot FIT image to load
> u-boot, optee-os and treustred-firmware-a images
> 
> Add a variable "UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A" to
> enable trusted-firmware-a image and it is disable by default.
> 
> Add a variable "UBOOT_FIT_OPTEE_OS" to enable optee-os image
> and it is disable by default.

Have you considered leveraging the existing binman infrastructure in the recent
U-Boot for TF-A and OPTEE?

Which platform are you testing on?

There is TI K3 documentation already [1], but many parts of the new infrastructure
are not TI specific as I understand...

> The ITS file creation loos like as following.

[]

[1] Link: https://source.denx.de/u-boot/u-boot/-/blob/master/doc/board/ti/k3.rst?ref_type=heads&plain=1

-- 
Alexander Sverdlin
Siemens AG
www.siemens.com
Jörg Sommer Jan. 16, 2024, 12:18 p.m. UTC | #2 
On 15.01.24 08:54, Jamin Lin via lists.openembedded.org wrote:
> Currently, u-boot FIT image only support to load u-boot image.
> To support optee-os and trusted-firmware-a, update ITS file generation
> scripts, so users are able to use u-boot FIT image to load
> u-boot, optee-os and treustred-firmware-a images
> 
> Add a variable "UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A" to
> enable trusted-firmware-a image and it is disable by default.
> 
> Add a variable "UBOOT_FIT_OPTEE_OS" to enable optee-os image
> and it is disable by default.
> 
> The ITS file creation loos like as following.
                        ^^^^

Is here a K missing?


Kind regards

Jörg Sommer
Jamin Lin Jan. 17, 2024, 1:54 a.m. UTC | #3 
Hi Alexander,

Thanks for review.

I tested it in ASPEED AST2600 and AST2700 SOCs. Yoc can see our Github repository here.

https://github.com/AspeedTech-BMC

You are right the latest version of u-boot(2024.01) support binman python tool to create FIT image and support optee-os and trusted-firmware-a.

However, “the old version of u-boot binman python tool” did not support to add optee-os and trusted-firmware-a in the FIT image.

For example, our AST2600 is production and its u-boot version was 2019.04 and binman python tools did not support optee-os image format.

That was why I changed ITS file creation scripts to support all u-boot version.

Finally, users are able to use the “makeimage” tool to crate FIT image with optee-os and trusted-firmware-a.

Thanks-Jamin
Jamin Lin Jan. 17, 2024, 1:55 a.m. UTC | #4 
Yes, it is a typo and will fix it.
Thanks-Jamin
Jamin Lin Jan. 17, 2024, 3:37 a.m. UTC | #5 
Hi Alexander,

One more thing, So far, bitman only support hash 256.

Thanks
Tom Rini Jan. 17, 2024, 2:37 p.m. UTC | #6 
On Tue, Jan 16, 2024 at 07:37:04PM -0800, Jamin Lin wrote:

> Hi Alexander,
> 
> One more thing, So far, bitman only support hash 256.

What hashing algorithm would you like to be using instead? We can always
include more and better options with configuration as needed.
Jamin Lin Jan. 18, 2024, 2:19 a.m. UTC | #7 
> -----Original Message-----
> From: Tom Rini <trini@konsulko.com>
> Sent: Wednesday, January 17, 2024 10:37 PM
> To: Jamin Lin <jamin_lin@aspeedtech.com>
> Cc: openembedded-core@lists.openembedded.org
> Subject: Re: [PATCH] uboot-sign: support to load optee-os and TFA images
> 
> On Tue, Jan 16, 2024 at 07:37:04PM -0800, Jamin Lin wrote:
> 
> > Hi Alexander,
> >
> > One more thing, So far, bitman only support hash 256.
> 
> What hashing algorithm would you like to be using instead? We can always
> include more and better options with configuration as needed.
> 
> --
> Tom

Hi Tom
At present, makeimage tool support hash 256, 384 and 512. It also support rsa 2038, 3072 and 4096.
It would be better if binman support these algorithms.

I patched uboot-sign.bbclass the original goal is to make yocto support optee-os and tfa in the old version of u-boot.
Thanks
Tom Rini Jan. 18, 2024, 3:24 a.m. UTC | #8 
On Thu, Jan 18, 2024 at 02:19:09AM +0000, Jamin Lin wrote:
> > -----Original Message-----
> > From: Tom Rini <trini@konsulko.com>
> > Sent: Wednesday, January 17, 2024 10:37 PM
> > To: Jamin Lin <jamin_lin@aspeedtech.com>
> > Cc: openembedded-core@lists.openembedded.org
> > Subject: Re: [PATCH] uboot-sign: support to load optee-os and TFA images
> > 
> > On Tue, Jan 16, 2024 at 07:37:04PM -0800, Jamin Lin wrote:
> > 
> > > Hi Alexander,
> > >
> > > One more thing, So far, bitman only support hash 256.
> > 
> > What hashing algorithm would you like to be using instead? We can always
> > include more and better options with configuration as needed.
> > 
> > --
> > Tom
> 
> Hi Tom
> At present, makeimage tool support hash 256, 384 and 512. It also support rsa 2038, 3072 and 4096.
> It would be better if binman support these algorithms.
> 
> I patched uboot-sign.bbclass the original goal is to make yocto support optee-os and tfa in the old version of u-boot.

Right, but it would be best if OE leveraged binman I believe and in turn
you made binman support taking the hash algorithm as an input as needed.
Sverdlin, Alexander Feb. 14, 2024, 11:57 a.m. UTC | #9 
Hello Jamin,

On Tue, 2024-01-16 at 08:54 +0100, Alexander Sverdlin wrote:
> On Mon, 2024-01-15 at 15:54 +0800, Jamin Lin via lists.openembedded.org wrote:
> > Currently, u-boot FIT image only support to load u-boot image.
> > To support optee-os and trusted-firmware-a, update ITS file generation
> > scripts, so users are able to use u-boot FIT image to load
> > u-boot, optee-os and treustred-firmware-a images
> > 
> > Add a variable "UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A" to
> > enable trusted-firmware-a image and it is disable by default.
> > 
> > Add a variable "UBOOT_FIT_OPTEE_OS" to enable optee-os image
> > and it is disable by default.
> 
> Have you considered leveraging the existing binman infrastructure in the recent
> U-Boot for TF-A and OPTEE?

BTW, there has been a recent FOSDEM talk on
"Standardizing the generation and signing of boot images":

https://fosdem.org/2024/schedule/event/fosdem-2024-3067-standardizing-the-generation-and-signing-of-boot-images/

> Which platform are you testing on?
> 
> There is TI K3 documentation already [1], but many parts of the new infrastructure
> are not TI specific as I understand...
> 
> > The ITS file creation loos like as following.
> 
> []
> 
> [1] Link: https://source.denx.de/u-boot/u-boot/-/blob/master/doc/board/ti/k3.rst?ref_type=heads&plain=1

-- 
Alexander Sverdlin
Siemens AG
www.siemens.com
Jamin Lin Feb. 15, 2024, 1:56 a.m. UTC | #10 
> -----Original Message-----
> From: Sverdlin, Alexander <alexander.sverdlin@siemens.com>
> Sent: Wednesday, February 14, 2024 7:58 PM
> To: openembedded-core@lists.openembedded.org; Jamin Lin
> <jamin_lin@aspeedtech.com>
> Subject: Re: [OE-core] [PATCH] uboot-sign: support to load optee-os and TFA
> images
> 
> Hello Jamin,
> 
> On Tue, 2024-01-16 at 08:54 +0100, Alexander Sverdlin wrote:
> > On Mon, 2024-01-15 at 15:54 +0800, Jamin Lin via lists.openembedded.org
> wrote:
> > > Currently, u-boot FIT image only support to load u-boot image.
> > > To support optee-os and trusted-firmware-a, update ITS file
> > > generation scripts, so users are able to use u-boot FIT image to
> > > load u-boot, optee-os and treustred-firmware-a images
> > >
> > > Add a variable "UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A" to enable
> > > trusted-firmware-a image and it is disable by default.
> > >
> > > Add a variable "UBOOT_FIT_OPTEE_OS" to enable optee-os image and it
> > > is disable by default.
> >
> > Have you considered leveraging the existing binman infrastructure in
> > the recent U-Boot for TF-A and OPTEE?
> 
> BTW, there has been a recent FOSDEM talk on "Standardizing the generation
> and signing of boot images":
> 
Thanks for notification.
Jamin
> https://fosdem.org/2024/schedule/event/fosdem-2024-3067-standardizing-the
> -generation-and-signing-of-boot-images/
> 
> > Which platform are you testing on?
> >
> > There is TI K3 documentation already [1], but many parts of the new
> > infrastructure are not TI specific as I understand...
> >
> > > The ITS file creation loos like as following.
> >
> > []
> >
> > [1] Link:
> > https://source.denx.de/u-boot/u-boot/-/blob/master/doc/board/ti/k3.rst
> > ?ref_type=heads&plain=1
> 
> --
> Alexander Sverdlin
> Siemens AG
> www.siemens.com
diff mbox series

Patch

diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass
index ad04c82378..b874eb84db 100644
--- a/meta/classes-recipe/uboot-sign.bbclass
+++ b/meta/classes-recipe/uboot-sign.bbclass
@@ -88,6 +88,18 @@  UBOOT_FIT_ADDRESS_CELLS ?= "1"
 # This is only necessary for determining the signing configuration
 KERNEL_PN = "${PREFERRED_PROVIDER_virtual/kernel}"
 
+# Trusted Firmware-A (TF-A) provides a reference implementation of
+# secure world software for Armv7-A and Armv8-A,
+# including a Secure Monitor executing at Exception Level 3 (EL3)
+# ATF is used as the initial start code on ARMv8-A cores for all K3 platforms
+UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A ?= "0"
+UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_IMAGE ?= "bl31.bin"
+
+# OP-TEE is a Trusted Execution Environment (TEE) designed as
+# companion to a non-secure Linux kernel running on Arm
+UBOOT_FIT_OPTEE_OS ?= "0"
+UBOOT_FIT_OPTEE_OS_IMAGE ?= "tee-raw.bin"
+
 python() {
     # We need u-boot-tools-native if we're creating a U-Boot fitImage
     sign = d.getVar('UBOOT_SIGN_ENABLE') == '1'
@@ -230,6 +242,20 @@  addtask uboot_generate_rsa_keys before do_uboot_assemble_fitimage after do_compi
 # Create a ITS file for the U-boot FIT, for use when
 # we want to sign it so that the SPL can verify it
 uboot_fitimage_assemble() {
+	conf_loadables="\"uboot\""
+	conf_firmware=""
+
+	if [ "${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A}" = "1" ]; then
+		conf_firmware="\"atf\""
+		if [ "${UBOOT_FIT_OPTEE_OS}" = "1" ]; then
+			conf_loadables="\"uboot\", \"optee\""
+		fi
+	else
+		if [ "${UBOOT_FIT_OPTEE_OS}" = "1" ]; then
+			conf_firmware="\"optee\""
+		fi
+	fi
+
 	rm -f ${UBOOT_ITS} ${UBOOT_FITIMAGE_BINARY}
 
 	# First we create the ITS script
@@ -282,13 +308,76 @@  EOF
 
 	cat << EOF >> ${UBOOT_ITS}
         };
+EOF
+	if [ "${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A}" = "1" ] ; then
+		cat << EOF >> ${UBOOT_ITS}
+        atf {
+            description = "ARM Trusted Firmware-A";
+            data = /incbin/("${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_IMAGE}");
+            type = "firmware";
+            arch = "${UBOOT_ARCH}";
+            os = "arm-trusted-firmware";
+            load = <${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_LOADADDRESS}>;
+            entry = <${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_ENTRYPOINT}>;
+            compression = "none";
+EOF
+
+		if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
+			cat << EOF >> ${UBOOT_ITS}
+            signature {
+                algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}";
+                key-name-hint = "${SPL_SIGN_KEYNAME}";
+            };
+EOF
+		fi
+
+	cat << EOF >> ${UBOOT_ITS}
+        };
+EOF
+	fi
+
+	if [ "${UBOOT_FIT_OPTEE_OS}" = "1" ] ; then
+		cat << EOF >> ${UBOOT_ITS}
+        optee {
+            description = "OPTEE OS Image";
+            data = /incbin/("${UBOOT_FIT_OPTEE_OS_IMAGE}");
+            type = "tee";
+            arch = "${UBOOT_ARCH}";
+            os = "tee";
+            load = <${UBOOT_FIT_OPTEE_OS_LOADADDRESS}>;
+            entry = <${UBOOT_FIT_OPTEE_OS_ENTRYPOINT}>;
+            compression = "none";
+EOF
+
+		if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
+			cat << EOF >> ${UBOOT_ITS}
+            signature {
+                algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}";
+                key-name-hint = "${SPL_SIGN_KEYNAME}";
+            };
+EOF
+		fi
+
+	cat << EOF >> ${UBOOT_ITS}
+        };
+EOF
+	fi
+
+	cat << EOF >> ${UBOOT_ITS}
     };
 
     configurations {
         default = "conf";
         conf {
             description = "Boot with signed U-Boot FIT";
-            loadables = "uboot";
+EOF
+	if [ -n "${conf_firmware}" ]; then
+	cat << EOF >> ${UBOOT_ITS}
+            firmware = ${conf_firmware};
+EOF
+	fi
+	cat << EOF >> ${UBOOT_ITS}
+            loadables = ${conf_loadables};
             fdt = "fdt";
         };
     };