Message ID | 20230330212440.19437-3-reatmon@ti.com |
---|---|
State | Accepted |
Delegated to: | Ryan Eatmon |
Headers | show |
Series | Sync up from dunfell | expand |
On Thu, Mar 30, 2023 at 04:24:38PM -0500, Ryan Eatmon via lists.yoctoproject.org wrote: > We are seeing some testing issues where the new code that signs all of > the files at all times is causing issues. So rollback the logic and > only sign for platforms that support it. This is unfortunate that am65x GP has a bug/feature and fails to boot with signed images. Hopefully this can be resolved soon, otherwise it will block combining GP and HS-SE/HS-FS builds into one platform with multiconfig. Especially this one, ironically: https://patchwork.yoctoproject.org/project/ti/patch/20230321110742.26379-1-p-bhagat@ti.com/ As we discussed offline, I'm fine with this as a temporary workaround for now. > Signed-off-by: Ryan Eatmon <reatmon@ti.com> > --- > .../trusted-firmware-a_%.bbappend | 40 ++++++++++++++++++- > 1 file changed, 38 insertions(+), 2 deletions(-) > > diff --git a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend > index 9b8dd142..c65ecd9c 100644 > --- a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend > +++ b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend > @@ -12,12 +12,48 @@ inherit ti-secdev > EXTRA_OEMAKE:append:k3 = "${@ ' K3_USART=' + d.getVar('TFA_K3_USART') if d.getVar('TFA_K3_USART') else ''}" > EXTRA_OEMAKE:append:k3 = "${@ ' K3_PM_SYSTEM_SUSPEND=' + d.getVar('TFA_K3_SYSTEM_SUSPEND') if d.getVar('TFA_K3_SYSTEM_SUSPEND') else ''}" > > -# Signing procedure for K3 devices > -do_compile:append:k3() { > +# Signing procedure for K3 HS devices > +tfa_sign_k3hs() { > mv ${BUILD_DIR}/bl31.bin ${BUILD_DIR}/bl31.bin.unsigned > ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ${BUILD_DIR}/bl31.bin.unsigned ${BUILD_DIR}/bl31.bin > } > > +do_compile:append:am65xx-hs-evm() { > + tfa_sign_k3hs > +} > + > +do_compile:append:am64xx-evm() { > + tfa_sign_k3hs > +} > + > +do_compile:append:am62xx-evm() { > + tfa_sign_k3hs > +} > + > +do_compile:append:am62xx-lp-evm() { > + tfa_sign_k3hs > +} > + > +do_compile:append:am62axx-evm() { > + tfa_sign_k3hs > +} > + > +do_compile:append:j721e-hs-evm() { > + tfa_sign_k3hs > +} > + > +do_compile:append:j7200-hs-evm() { > + tfa_sign_k3hs > +} > + > +do_compile:append:j721s2-hs-evm() { > + tfa_sign_k3hs > +} > + > +do_compile:append:j784s4-hs-evm() { > + tfa_sign_k3hs > +} > + > do_install:append:k3() { > if [ -f ${BUILD_DIR}/bl31.bin.unsigned ]; then > echo "Install bl31.bin.unsigned" > -- > 2.17.1
On Thu, Mar 30, 2023 at 08:12:10PM -0400, Denys Dmytriyenko wrote: > On Thu, Mar 30, 2023 at 04:24:38PM -0500, Ryan Eatmon via lists.yoctoproject.org wrote: > > We are seeing some testing issues where the new code that signs all of > > the files at all times is causing issues. So rollback the logic and > > only sign for platforms that support it. > > This is unfortunate that am65x GP has a bug/feature and fails to boot with > signed images. Hopefully this can be resolved soon, otherwise it will block > combining GP and HS-SE/HS-FS builds into one platform with multiconfig. > Especially this one, ironically: > https://patchwork.yoctoproject.org/project/ti/patch/20230321110742.26379-1-p-bhagat@ti.com/ > > As we discussed offline, I'm fine with this as a temporary workaround for now. And forgot to ack, d'oh :facepalm: > > Signed-off-by: Ryan Eatmon <reatmon@ti.com> Acked-by: Denys Dmytriyenko <denys@konsulko.com> > > --- > > .../trusted-firmware-a_%.bbappend | 40 ++++++++++++++++++- > > 1 file changed, 38 insertions(+), 2 deletions(-) > > > > diff --git a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend > > index 9b8dd142..c65ecd9c 100644 > > --- a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend > > +++ b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend > > @@ -12,12 +12,48 @@ inherit ti-secdev > > EXTRA_OEMAKE:append:k3 = "${@ ' K3_USART=' + d.getVar('TFA_K3_USART') if d.getVar('TFA_K3_USART') else ''}" > > EXTRA_OEMAKE:append:k3 = "${@ ' K3_PM_SYSTEM_SUSPEND=' + d.getVar('TFA_K3_SYSTEM_SUSPEND') if d.getVar('TFA_K3_SYSTEM_SUSPEND') else ''}" > > > > -# Signing procedure for K3 devices > > -do_compile:append:k3() { > > +# Signing procedure for K3 HS devices > > +tfa_sign_k3hs() { > > mv ${BUILD_DIR}/bl31.bin ${BUILD_DIR}/bl31.bin.unsigned > > ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ${BUILD_DIR}/bl31.bin.unsigned ${BUILD_DIR}/bl31.bin > > } > > > > +do_compile:append:am65xx-hs-evm() { > > + tfa_sign_k3hs > > +} > > + > > +do_compile:append:am64xx-evm() { > > + tfa_sign_k3hs > > +} > > + > > +do_compile:append:am62xx-evm() { > > + tfa_sign_k3hs > > +} > > + > > +do_compile:append:am62xx-lp-evm() { > > + tfa_sign_k3hs > > +} > > + > > +do_compile:append:am62axx-evm() { > > + tfa_sign_k3hs > > +} > > + > > +do_compile:append:j721e-hs-evm() { > > + tfa_sign_k3hs > > +} > > + > > +do_compile:append:j7200-hs-evm() { > > + tfa_sign_k3hs > > +} > > + > > +do_compile:append:j721s2-hs-evm() { > > + tfa_sign_k3hs > > +} > > + > > +do_compile:append:j784s4-hs-evm() { > > + tfa_sign_k3hs > > +} > > + > > do_install:append:k3() { > > if [ -f ${BUILD_DIR}/bl31.bin.unsigned ]; then > > echo "Install bl31.bin.unsigned" > > -- > > 2.17.1
diff --git a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend index 9b8dd142..c65ecd9c 100644 --- a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend +++ b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend @@ -12,12 +12,48 @@ inherit ti-secdev EXTRA_OEMAKE:append:k3 = "${@ ' K3_USART=' + d.getVar('TFA_K3_USART') if d.getVar('TFA_K3_USART') else ''}" EXTRA_OEMAKE:append:k3 = "${@ ' K3_PM_SYSTEM_SUSPEND=' + d.getVar('TFA_K3_SYSTEM_SUSPEND') if d.getVar('TFA_K3_SYSTEM_SUSPEND') else ''}" -# Signing procedure for K3 devices -do_compile:append:k3() { +# Signing procedure for K3 HS devices +tfa_sign_k3hs() { mv ${BUILD_DIR}/bl31.bin ${BUILD_DIR}/bl31.bin.unsigned ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ${BUILD_DIR}/bl31.bin.unsigned ${BUILD_DIR}/bl31.bin } +do_compile:append:am65xx-hs-evm() { + tfa_sign_k3hs +} + +do_compile:append:am64xx-evm() { + tfa_sign_k3hs +} + +do_compile:append:am62xx-evm() { + tfa_sign_k3hs +} + +do_compile:append:am62xx-lp-evm() { + tfa_sign_k3hs +} + +do_compile:append:am62axx-evm() { + tfa_sign_k3hs +} + +do_compile:append:j721e-hs-evm() { + tfa_sign_k3hs +} + +do_compile:append:j7200-hs-evm() { + tfa_sign_k3hs +} + +do_compile:append:j721s2-hs-evm() { + tfa_sign_k3hs +} + +do_compile:append:j784s4-hs-evm() { + tfa_sign_k3hs +} + do_install:append:k3() { if [ -f ${BUILD_DIR}/bl31.bin.unsigned ]; then echo "Install bl31.bin.unsigned"
We are seeing some testing issues where the new code that signs all of the files at all times is causing issues. So rollback the logic and only sign for platforms that support it. Signed-off-by: Ryan Eatmon <reatmon@ti.com> --- .../trusted-firmware-a_%.bbappend | 40 ++++++++++++++++++- 1 file changed, 38 insertions(+), 2 deletions(-)