[meta-ti,master/kirkstone,v2,00/15] ti-rtos-firmware and secdev

Message ID 20230215193355.9676-1-afd@ti.com

Message

Andrew Davis Feb. 15, 2023, 7:33 p.m. UTC
Hello all,

This is a combined series that replaces my previous ones on
ti-rtos-firmware and SECDEV. There is now a small dependency
between them so I have merged them here.

Big change is in the SECDEV series which now uses a new bbclass
to combine the SECDEV env setup in one spot. We also remove
the ti-path.inc usage.

Thanks,
Andrew

Andrew Davis (15):
  meta-ti-bsp: Add helper class for TI Security Development Tools
  trusted-firmware-a: Use new ti-secdev class to sign the images
  optee-os: Use new ti-secdev class to sign the images
  u-boot-ti: Use new ti-secdev class to sign the images
  ti-rtos-firmware: Use new ti-secdev class to sign the images
  ti-sci-fw: Use new ti-secdev class to sign the images
  conf: machine: k3: Remove unneeded TI_SECURE_DEV_PKG_K3 assignments
  ti-k3-secdev: Remove inclusion of ti-paths.inc
  ti-rtos-firmware: Remove unneeded per-machine TARGET defines
  ti-rtos-firmware: Fix name for AM64x and AM62x firmware
  ti-rtos-firmware: Do not break the source directory by renaming files
  ti-rtos-firmware: Use defines to set firmware names
  ti-rtos-firmware: Use a table instead of a list of copy commands
  ti-rtos-firmware: Fix use of base_libdir with nonarch_base_libdir
  ti-rtos-firmware: Deploy secure firmware unconditionally

 .../classes/kernel-fitimage-legacyhs.bbclass  |   4 +-
 meta-ti-bsp/classes/ti-secdev.bbclass         |  21 +
 meta-ti-bsp/conf/machine/am335x-hs-evm.conf   |   2 -
 meta-ti-bsp/conf/machine/am437x-hs-evm.conf   |   2 -
 meta-ti-bsp/conf/machine/am57xx-hs-evm.conf   |   2 -
 .../conf/machine/beaglebone-ai64-k3r5.conf    |   2 -
 meta-ti-bsp/conf/machine/dra7xx-hs-evm.conf   |   2 -
 meta-ti-bsp/conf/machine/include/k3.inc       |   2 -
 meta-ti-bsp/conf/machine/include/k3r5.inc     |   2 -
 .../recipes-bsp/ti-sci-fw/ti-sci-fw_git.bb    |   8 +-
 .../trusted-firmware-a_%.bbappend             |  39 +-
 meta-ti-bsp/recipes-bsp/u-boot/u-boot-ti.inc  |   3 +-
 .../optee/optee-os_3.16%.bbappend             |  43 +-
 .../recipes-ti/secdev/ti-k3-secdev_git.bb     |   5 +-
 .../ti-rtos-bin/ti-rtos-firmware.bb           | 695 ++++++------------
 .../recipes-ti/includes/ti-paths.inc          |   2 -
 16 files changed, 269 insertions(+), 565 deletions(-)
 create mode 100644 meta-ti-bsp/classes/ti-secdev.bbclass

Comments

Denys Dmytriyenko Feb. 17, 2023, 7:09 a.m. UTC | #1
On Wed, Feb 15, 2023 at 01:33:40PM -0600, Andrew Davis via lists.yoctoproject.org wrote:
> Hello all,
> 
> This is a combined series that replaces my previous ones on
> ti-rtos-firmware and SECDEV. There is now a small dependency
> between them so I have merged them here.
> 
> Big change is in the SECDEV series which now uses a new bbclass
> to combine the SECDEV env setup in one spot. We also remove
> the ti-path.inc usage.

Andrew,

Overall, looks very good and I like the bbclass approach! However, I tried to 
test the series locally (started with j721e-evm) and got these:


WARNING: ti-rtos-firmware-08.02.00.04-r3.0 do_package: ti-rtos-firmware: NOT adding alternative provide /lib/firmware/j7-mcu-r5f0_1-fw: /lib/firmware/pdk-ipc/ipc_echo_test_mcu1_1_release_strip.xer5f does not exist


ERROR: mc:k3r5:ti-sci-fw-2022.01-r3.2 do_compile: oe_runmake failed
ERROR: mc:k3r5:ti-sci-fw-2022.01-r3.2 do_compile: ExecutionError('/OE/arago-kirkstone/build/arago-tmp-default-glibc/work/j721e_evm_k3r5-oe-linux-gnueabi/ti-sci-fw/2022.01-r3.2/temp/run.do_compile.165613', 1, None, None)
ERROR: Logfile of failure stored in: /OE/arago-kirkstone/build/arago-tmp-default-glibc/work/j721e_evm_k3r5-oe-linux-gnueabi/ti-sci-fw/2022.01-r3.2/temp/log.do_compile.165613
Log data follows:
| DEBUG: Executing shell function do_compile
| NOTE: make -j 64 CROSS_COMPILE=arm-oe-linux-gnueabi- SOC=j721e SOC_TYPE=gp CONFIG=evm SYSFW_DIR=/OE/arago-kirkstone/build/arago-tmp-default-glibc/work/j721e_evm_k3r5-oe-linux-gnueabi/ti-sci-fw/2022.01-r3.2/git/ti-sysfw
| ./gen_its.sh j721e gp evm out/soc/j721e/evm/sysfw.bin-gp out/soc/j721e/evm/board-cfg.bin out/soc/j721e/evm/pm-cfg.bin out/soc/j721e/evm/rm-cfg.bin out/soc/j721e/evm/sec-cfg.bin > out/soc/j721e/evm/sysfw-j721e-evm.its
| /bin/sh: 1: cannot create out/soc/j721e/evm/sysfw-j721e-evm.its: Directory nonexistent
| arm-oe-linux-gnueabi-gcc -fno-builtin -Wall -Iinclude/soc/j721e -Isoc/j721e/evm -Iinclude -c -o out/soc/j721e/evm/board-cfg.o-pre-validated ./soc/j721e/evm/board-cfg.c
| Signing the SYSFW release image with ti-degenerate-key.pem key...
| make: *** [Makefile:208: out/soc/j721e/evm/sysfw-j721e-evm.its] Error 2
| make: *** Waiting for unfinished jobs....
| ./gen_x509_cert.sh -c m3 -b /OE/arago-kirkstone/build/arago-tmp-default-glibc/work/j721e_evm_k3r5-oe-linux-gnueabi/ti-sci-fw/2022.01-r3.2/git/ti-sysfw/ti-fs-firmware-j721e-gp.bin -o out/soc/j721e/evm/sysfw.bin-gp -l 0x40000 -k ti-degenerate-key.pem -r 1;
| python3 ./scripts/sysfw_boardcfg_validator.py -b out/soc/j721e/evm/board-cfg.o-pre-validated -i -o out/soc/j721e/evm/board-cfg.o -s j721e -l out/soc/j721e/evm/board-cfg.o.log
| Certificate being generated :
|       LOADADDR = 0x00040000
|       IMAGE_SIZE = 262112
|       CERT_TYPE = 2
| SUCCESS: Image out/soc/j721e/evm/sysfw.bin-gp generated.
| rm out/soc/j721e/evm/board-cfg.o
| ERROR: oe_runmake failed
| WARNING: exit code 1 from a shell command.
ERROR: Task (mc:k3r5:/OE/arago-kirkstone/sources/meta-ti/meta-ti-bsp/recipes-bsp/ti-sci-fw/ti-sci-fw_git.bb:do_compile) failed with exit code '1'

Ryan Eatmon Feb. 18, 2023, 4:09 a.m. UTC | #2
On 2/17/2023 1:09, Denys Dmytriyenko wrote:
> On Wed, Feb 15, 2023 at 01:33:40PM -0600, Andrew Davis via lists.yoctoproject.org wrote:
>> Hello all,
>>
>> This is a combined series that replaces my previous ones on
>> ti-rtos-firmware and SECDEV. There is now a small dependency
>> between them so I have merged them here.
>>
>> Big change is in the SECDEV series which now uses a new bbclass
>> to combine the SECDEV env setup in one spot. We also remove
>> the ti-path.inc usage.
> 
> Andrew,
> 
> Overall, looks very good and I like the bbclass approach! However, I tried to
> test the series locally (started with j721e-evm) and got these:
> 
> 
> WARNING: ti-rtos-firmware-08.02.00.04-r3.0 do_package: ti-rtos-firmware: NOT adding alternative provide /lib/firmware/j7-mcu-r5f0_1-fw: /lib/firmware/pdk-ipc/ipc_echo_test_mcu1_1_release_strip.xer5f does not exist
> 
> 
> ERROR: mc:k3r5:ti-sci-fw-2022.01-r3.2 do_compile: oe_runmake failed
> ERROR: mc:k3r5:ti-sci-fw-2022.01-r3.2 do_compile: ExecutionError('/OE/arago-kirkstone/build/arago-tmp-default-glibc/work/j721e_evm_k3r5-oe-linux-gnueabi/ti-sci-fw/2022.01-r3.2/temp/run.do_compile.165613', 1, None, None)
> ERROR: Logfile of failure stored in: /OE/arago-kirkstone/build/arago-tmp-default-glibc/work/j721e_evm_k3r5-oe-linux-gnueabi/ti-sci-fw/2022.01-r3.2/temp/log.do_compile.165613
> Log data follows:
> | DEBUG: Executing shell function do_compile
> | NOTE: make -j 64 CROSS_COMPILE=arm-oe-linux-gnueabi- SOC=j721e SOC_TYPE=gp CONFIG=evm SYSFW_DIR=/OE/arago-kirkstone/build/arago-tmp-default-glibc/work/j721e_evm_k3r5-oe-linux-gnueabi/ti-sci-fw/2022.01-r3.2/git/ti-sysfw
> | ./gen_its.sh j721e gp evm out/soc/j721e/evm/sysfw.bin-gp out/soc/j721e/evm/board-cfg.bin out/soc/j721e/evm/pm-cfg.bin out/soc/j721e/evm/rm-cfg.bin out/soc/j721e/evm/sec-cfg.bin > out/soc/j721e/evm/sysfw-j721e-evm.its
> | /bin/sh: 1: cannot create out/soc/j721e/evm/sysfw-j721e-evm.its: Directory nonexistent
> | arm-oe-linux-gnueabi-gcc -fno-builtin -Wall -Iinclude/soc/j721e -Isoc/j721e/evm -Iinclude -c -o out/soc/j721e/evm/board-cfg.o-pre-validated ./soc/j721e/evm/board-cfg.c
> | Signing the SYSFW release image with ti-degenerate-key.pem key...
> | make: *** [Makefile:208: out/soc/j721e/evm/sysfw-j721e-evm.its] Error 2
> | make: *** Waiting for unfinished jobs....
> | ./gen_x509_cert.sh -c m3 -b /OE/arago-kirkstone/build/arago-tmp-default-glibc/work/j721e_evm_k3r5-oe-linux-gnueabi/ti-sci-fw/2022.01-r3.2/git/ti-sysfw/ti-fs-firmware-j721e-gp.bin -o out/soc/j721e/evm/sysfw.bin-gp -l 0x40000 -k ti-degenerate-key.pem -r 1;
> | python3 ./scripts/sysfw_boardcfg_validator.py -b out/soc/j721e/evm/board-cfg.o-pre-validated -i -o out/soc/j721e/evm/board-cfg.o -s j721e -l out/soc/j721e/evm/board-cfg.o.log
> | Certificate being generated :
> |       LOADADDR = 0x00040000
> |       IMAGE_SIZE = 262112
> |       CERT_TYPE = 2
> | SUCCESS: Image out/soc/j721e/evm/sysfw.bin-gp generated.
> | rm out/soc/j721e/evm/board-cfg.o
> | ERROR: oe_runmake failed
> | WARNING: exit code 1 from a shell command.
> ERROR: Task (mc:k3r5:/OE/arago-kirkstone/sources/meta-ti/meta-ti-bsp/recipes-bsp/ti-sci-fw/ti-sci-fw_git.bb:do_compile) failed with exit code '1'
> 

Odd.  I just tested the patches and did not get those errors...

Denys Dmytriyenko Feb. 21, 2023, 8:51 p.m. UTC | #3
On Fri, Feb 17, 2023 at 10:09:36PM -0600, Ryan Eatmon wrote:
> 
> 
> On 2/17/2023 1:09, Denys Dmytriyenko wrote:
> >On Wed, Feb 15, 2023 at 01:33:40PM -0600, Andrew Davis via lists.yoctoproject.org wrote:
> >>Hello all,
> >>
> >>This is a combined series that replaces my previous ones on
> >>ti-rtos-firmware and SECDEV. There is now a small dependency
> >>between them so I have merged them here.
> >>
> >>Big change is in the SECDEV series which now uses a new bbclass
> >>to combine the SECDEV env setup in one spot. We also remove
> >>the ti-path.inc usage.
> >
> >Andrew,
> >
> >Overall, looks very good and I like the bbclass approach! However, I tried to
> >test the series locally (started with j721e-evm) and got these:
> >
> >
> >WARNING: ti-rtos-firmware-08.02.00.04-r3.0 do_package: ti-rtos-firmware: NOT adding alternative provide /lib/firmware/j7-mcu-r5f0_1-fw: /lib/firmware/pdk-ipc/ipc_echo_test_mcu1_1_release_strip.xer5f does not exist
> >
> >
> >ERROR: mc:k3r5:ti-sci-fw-2022.01-r3.2 do_compile: oe_runmake failed
> >ERROR: mc:k3r5:ti-sci-fw-2022.01-r3.2 do_compile: ExecutionError('/OE/arago-kirkstone/build/arago-tmp-default-glibc/work/j721e_evm_k3r5-oe-linux-gnueabi/ti-sci-fw/2022.01-r3.2/temp/run.do_compile.165613', 1, None, None)
> >ERROR: Logfile of failure stored in: /OE/arago-kirkstone/build/arago-tmp-default-glibc/work/j721e_evm_k3r5-oe-linux-gnueabi/ti-sci-fw/2022.01-r3.2/temp/log.do_compile.165613
> >Log data follows:
> >| DEBUG: Executing shell function do_compile
> >| NOTE: make -j 64 CROSS_COMPILE=arm-oe-linux-gnueabi- SOC=j721e SOC_TYPE=gp CONFIG=evm SYSFW_DIR=/OE/arago-kirkstone/build/arago-tmp-default-glibc/work/j721e_evm_k3r5-oe-linux-gnueabi/ti-sci-fw/2022.01-r3.2/git/ti-sysfw
> >| ./gen_its.sh j721e gp evm out/soc/j721e/evm/sysfw.bin-gp out/soc/j721e/evm/board-cfg.bin out/soc/j721e/evm/pm-cfg.bin out/soc/j721e/evm/rm-cfg.bin out/soc/j721e/evm/sec-cfg.bin > out/soc/j721e/evm/sysfw-j721e-evm.its
> >| /bin/sh: 1: cannot create out/soc/j721e/evm/sysfw-j721e-evm.its: Directory nonexistent
> >| arm-oe-linux-gnueabi-gcc -fno-builtin -Wall -Iinclude/soc/j721e -Isoc/j721e/evm -Iinclude -c -o out/soc/j721e/evm/board-cfg.o-pre-validated ./soc/j721e/evm/board-cfg.c
> >| Signing the SYSFW release image with ti-degenerate-key.pem key...
> >| make: *** [Makefile:208: out/soc/j721e/evm/sysfw-j721e-evm.its] Error 2
> >| make: *** Waiting for unfinished jobs....
> >| ./gen_x509_cert.sh -c m3 -b /OE/arago-kirkstone/build/arago-tmp-default-glibc/work/j721e_evm_k3r5-oe-linux-gnueabi/ti-sci-fw/2022.01-r3.2/git/ti-sysfw/ti-fs-firmware-j721e-gp.bin -o out/soc/j721e/evm/sysfw.bin-gp -l 0x40000 -k ti-degenerate-key.pem -r 1;
> >| python3 ./scripts/sysfw_boardcfg_validator.py -b out/soc/j721e/evm/board-cfg.o-pre-validated -i -o out/soc/j721e/evm/board-cfg.o -s j721e -l out/soc/j721e/evm/board-cfg.o.log
> >| Certificate being generated :
> >|       LOADADDR = 0x00040000
> >|       IMAGE_SIZE = 262112
> >|       CERT_TYPE = 2
> >| SUCCESS: Image out/soc/j721e/evm/sysfw.bin-gp generated.
> >| rm out/soc/j721e/evm/board-cfg.o
> >| ERROR: oe_runmake failed
> >| WARNING: exit code 1 from a shell command.
> >ERROR: Task (mc:k3r5:/OE/arago-kirkstone/sources/meta-ti/meta-ti-bsp/recipes-bsp/ti-sci-fw/ti-sci-fw_git.bb:do_compile) failed with exit code '1'
> >
> 
> Odd.  I just tested the patches and did not get those errors...

Hmm, I wonder if what I hit was one of those race conditions in k3-image-gen? 
Andrew, do you have any comments?

Andrew Davis Feb. 21, 2023, 9:12 p.m. UTC | #4
On 2/21/23 2:51 PM, Denys Dmytriyenko wrote:
> On Fri, Feb 17, 2023 at 10:09:36PM -0600, Ryan Eatmon wrote:
>>
>>
>> On 2/17/2023 1:09, Denys Dmytriyenko wrote:
>>> On Wed, Feb 15, 2023 at 01:33:40PM -0600, Andrew Davis via lists.yoctoproject.org wrote:
>>>> Hello all,
>>>>
>>>> This is a combined series that replaces my previous ones on
>>>> ti-rtos-firmware and SECDEV. There is now a small dependency
>>>> between them so I have merged them here.
>>>>
>>>> Big change is in the SECDEV series which now uses a new bbclass
>>>> to combine the SECDEV env setup in one spot. We also remove
>>>> the ti-path.inc usage.
>>>
>>> Andrew,
>>>
>>> Overall, looks very good and I like the bbclass approach! However, I tried to
>>> test the series locally (started with j721e-evm) and got these:
>>>
>>>
>>> WARNING: ti-rtos-firmware-08.02.00.04-r3.0 do_package: ti-rtos-firmware: NOT adding alternative provide /lib/firmware/j7-mcu-r5f0_1-fw: /lib/firmware/pdk-ipc/ipc_echo_test_mcu1_1_release_strip.xer5f does not exist
>>>
>>>
>>> ERROR: mc:k3r5:ti-sci-fw-2022.01-r3.2 do_compile: oe_runmake failed
>>> ERROR: mc:k3r5:ti-sci-fw-2022.01-r3.2 do_compile: ExecutionError('/OE/arago-kirkstone/build/arago-tmp-default-glibc/work/j721e_evm_k3r5-oe-linux-gnueabi/ti-sci-fw/2022.01-r3.2/temp/run.do_compile.165613', 1, None, None)
>>> ERROR: Logfile of failure stored in: /OE/arago-kirkstone/build/arago-tmp-default-glibc/work/j721e_evm_k3r5-oe-linux-gnueabi/ti-sci-fw/2022.01-r3.2/temp/log.do_compile.165613
>>> Log data follows:
>>> | DEBUG: Executing shell function do_compile
>>> | NOTE: make -j 64 CROSS_COMPILE=arm-oe-linux-gnueabi- SOC=j721e SOC_TYPE=gp CONFIG=evm SYSFW_DIR=/OE/arago-kirkstone/build/arago-tmp-default-glibc/work/j721e_evm_k3r5-oe-linux-gnueabi/ti-sci-fw/2022.01-r3.2/git/ti-sysfw
>>> | ./gen_its.sh j721e gp evm out/soc/j721e/evm/sysfw.bin-gp out/soc/j721e/evm/board-cfg.bin out/soc/j721e/evm/pm-cfg.bin out/soc/j721e/evm/rm-cfg.bin out/soc/j721e/evm/sec-cfg.bin > out/soc/j721e/evm/sysfw-j721e-evm.its
>>> | /bin/sh: 1: cannot create out/soc/j721e/evm/sysfw-j721e-evm.its: Directory nonexistent
>>> | arm-oe-linux-gnueabi-gcc -fno-builtin -Wall -Iinclude/soc/j721e -Isoc/j721e/evm -Iinclude -c -o out/soc/j721e/evm/board-cfg.o-pre-validated ./soc/j721e/evm/board-cfg.c
>>> | Signing the SYSFW release image with ti-degenerate-key.pem key...
>>> | make: *** [Makefile:208: out/soc/j721e/evm/sysfw-j721e-evm.its] Error 2
>>> | make: *** Waiting for unfinished jobs....
>>> | ./gen_x509_cert.sh -c m3 -b /OE/arago-kirkstone/build/arago-tmp-default-glibc/work/j721e_evm_k3r5-oe-linux-gnueabi/ti-sci-fw/2022.01-r3.2/git/ti-sysfw/ti-fs-firmware-j721e-gp.bin -o out/soc/j721e/evm/sysfw.bin-gp -l 0x40000 -k ti-degenerate-key.pem -r 1;
>>> | python3 ./scripts/sysfw_boardcfg_validator.py -b out/soc/j721e/evm/board-cfg.o-pre-validated -i -o out/soc/j721e/evm/board-cfg.o -s j721e -l out/soc/j721e/evm/board-cfg.o.log
>>> | Certificate being generated :
>>> |       LOADADDR = 0x00040000
>>> |       IMAGE_SIZE = 262112
>>> |       CERT_TYPE = 2
>>> | SUCCESS: Image out/soc/j721e/evm/sysfw.bin-gp generated.
>>> | rm out/soc/j721e/evm/board-cfg.o
>>> | ERROR: oe_runmake failed
>>> | WARNING: exit code 1 from a shell command.
>>> ERROR: Task (mc:k3r5:/OE/arago-kirkstone/sources/meta-ti/meta-ti-bsp/recipes-bsp/ti-sci-fw/ti-sci-fw_git.bb:do_compile) failed with exit code '1'
>>>
>>
>> Odd.  I just tested the patches and did not get those errors...
> 
> Hmm, I wonder if what I hit was one of those race conditions in k3-image-gen?
> Andrew, do you have any comments?
> 

That looks like that could be the issue, I did fix all the race conditions, but it
seems kirkstone has some old version of ti-sci-fw from back before my fixes. I'd
guess updating K3_IMAGE_GEN_SRCREV to the latest would fix this for you.

Andrew