Message ID | 20240117021051.2102450-1-jamin_lin@aspeedtech.com
---|---
State | New
Series | [v1] uboot-sign: support to load optee-os and TFA images
Hello,

This doesn't apply on top of your previous patches. Can you send a proper
series with what you want to be tested/applied?

Thanks!

On 17/01/2024 10:10:51+0800, Jamin Lin via lists.openembedded.org wrote:
> Currently, the u-boot FIT image only supports loading the u-boot image.
> To support optee-os and trusted-firmware-a, update the ITS file generation
> scripts, so users are able to use the u-boot FIT image to load
> u-boot, optee-os and trusted-firmware-a images.
>
> [...]
>
> Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
> ---
> meta/classes-recipe/uboot-sign.bbclass | 91 +++++++++++++++++++++++++-
> 1 file changed, 90 insertions(+), 1 deletion(-)
>
> [...]
>
> --
> 2.25.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#193883): https://lists.openembedded.org/g/openembedded-core/message/193883
> Mute This Topic: https://lists.openembedded.org/mt/103778291/3617179
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [alexandre.belloni@bootlin.com]
> -=-=-=-=-=-=-=-=-=-=-=-
> Hello,
>
> This doesn't apply on top of your previous patches. Can you send a proper
> series with what you want to be tested/applied?
>
> Thanks!

Hi Alexandre,

I created a patch series here:
https://patchwork.yoctoproject.org/project/oe-core/list/?series=21444

Thanks,
Jamin

> On 17/01/2024 10:10:51+0800, Jamin Lin via lists.openembedded.org wrote:
> > Currently, the u-boot FIT image only supports loading the u-boot image.
> > To support optee-os and trusted-firmware-a, update the ITS file generation
> > scripts, so users are able to use the u-boot FIT image to load u-boot,
> > optee-os and trusted-firmware-a images.
> >
> > [...]
> >
> > Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
> > ---
> > meta/classes-recipe/uboot-sign.bbclass | 91 +++++++++++++++++++++++++-
> > 1 file changed, 90 insertions(+), 1 deletion(-)
> >
> > [...]
> >
> > --
> > 2.25.1
>
> --
> Alexandre Belloni, co-owner and COO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com
diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass index ad04c82378..b874eb84db 100644 --- a/meta/classes-recipe/uboot-sign.bbclass +++ b/meta/classes-recipe/uboot-sign.bbclass @@ -88,6 +88,18 @@ UBOOT_FIT_ADDRESS_CELLS ?= "1" # This is only necessary for determining the signing configuration KERNEL_PN = "${PREFERRED_PROVIDER_virtual/kernel}" +# Trusted Firmware-A (TF-A) provides a reference implementation of +# secure world software for Armv7-A and Armv8-A, +# including a Secure Monitor executing at Exception Level 3 (EL3) +# ATF is used as the initial start code on ARMv8-A cores for all K3 platforms +UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A ?= "0" +UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_IMAGE ?= "bl31.bin" + +# OP-TEE is a Trusted Execution Environment (TEE) designed as +# companion to a non-secure Linux kernel running on Arm +UBOOT_FIT_OPTEE_OS ?= "0" +UBOOT_FIT_OPTEE_OS_IMAGE ?= "tee-raw.bin" + python() { # We need u-boot-tools-native if we're creating a U-Boot fitImage sign = d.getVar('UBOOT_SIGN_ENABLE') == '1' @@ -230,6 +242,20 @@ addtask uboot_generate_rsa_keys before do_uboot_assemble_fitimage after do_compi # Create a ITS file for the U-boot FIT, for use when # we want to sign it so that the SPL can verify it uboot_fitimage_assemble() { + conf_loadables="\"uboot\"" + conf_firmware="" + + if [ "${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A}" = "1" ]; then + conf_firmware="\"atf\"" + if [ "${UBOOT_FIT_OPTEE_OS}" = "1" ]; then + conf_loadables="\"uboot\", \"optee\"" + fi + else + if [ "${UBOOT_FIT_OPTEE_OS}" = "1" ]; then + conf_firmware="\"optee\"" + fi + fi + rm -f ${UBOOT_ITS} ${UBOOT_FITIMAGE_BINARY} # First we create the ITS script 
@@ -282,13 +308,76 @@ EOF cat << EOF >> ${UBOOT_ITS} }; +EOF + if [ "${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A}" = "1" ] ; then + cat << EOF >> ${UBOOT_ITS} + atf { + description = "ARM Trusted Firmware-A"; + data = /incbin/("${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_IMAGE}"); + type = "firmware"; + arch = "${UBOOT_ARCH}"; + os = "arm-trusted-firmware"; + load = <${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_LOADADDRESS}>; + entry = <${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_ENTRYPOINT}>; + compression = "none"; +EOF + + if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then + cat << EOF >> ${UBOOT_ITS} + signature { + algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}"; + key-name-hint = "${SPL_SIGN_KEYNAME}"; + }; +EOF + fi + + cat << EOF >> ${UBOOT_ITS} + }; +EOF + fi + + if [ "${UBOOT_FIT_OPTEE_OS}" = "1" ] ; then + cat << EOF >> ${UBOOT_ITS} + optee { + description = "OPTEE OS Image"; + data = /incbin/("${UBOOT_FIT_OPTEE_OS_IMAGE}"); + type = "tee"; + arch = "${UBOOT_ARCH}"; + os = "tee"; + load = <${UBOOT_FIT_OPTEE_OS_LOADADDRESS}>; + entry = <${UBOOT_FIT_OPTEE_OS_ENTRYPOINT}>; + compression = "none"; +EOF + + if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then + cat << EOF >> ${UBOOT_ITS} + signature { + algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}"; + key-name-hint = "${SPL_SIGN_KEYNAME}"; + }; +EOF + fi + + cat << EOF >> ${UBOOT_ITS} + }; +EOF + fi + + cat << EOF >> ${UBOOT_ITS} }; configurations { default = "conf"; conf { description = "Boot with signed U-Boot FIT"; - loadables = "uboot"; +EOF + if [ -n "${conf_firmware}" ]; then + cat << EOF >> ${UBOOT_ITS} + firmware = ${conf_firmware}; +EOF + fi + cat << EOF >> ${UBOOT_ITS} + loadables = ${conf_loadables}; fdt = "fdt"; }; };
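Review bot: in the first hunk (the new `UBOOT_FIT_*` defaults after `UBOOT_FIT_ADDRESS_CELLS`), the address variables that the new image nodes consume are never given defaults: the hunk adds `UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_IMAGE` and `UBOOT_FIT_OPTEE_OS_IMAGE`, but `UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_LOADADDRESS`, `UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_ENTRYPOINT`, `UBOOT_FIT_OPTEE_OS_LOADADDRESS` and `UBOOT_FIT_OPTEE_OS_ENTRYPOINT` are used later in `uboot_fitimage_assemble` with no definition, so a user who only sets `UBOOT_FIT_OPTEE_OS = "1"` gets `load = <>;` and `entry = <>;` written into the ITS with no build-time diagnostic. Either define defaults here or have the `python()` anonymous function below fail with a clear message when a feature is enabled and its addresses are unset, and document all six variables together with the existing `UBOOT_FIT_*` ones. The comment `ATF is used as the initial start code on ARMv8-A cores for all K3 platforms` is TI-specific and misleading in a generic class; it should describe what the `firmware` entry means for any board (the EL3 runtime that SPL starts before U-Boot), and the hunk should use one name (TF-A) rather than mixing `TF-A` and `ATF`.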
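Review bot: in the second hunk (start of `uboot_fitimage_assemble`), neither `${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_IMAGE}` nor `${UBOOT_FIT_OPTEE_OS_IMAGE}` is checked for existence before the ITS is written, and the patch adds no task dependency on whatever produces `bl31.bin` and `tee-raw.bin`, so with a feature switched on the build silently relies on those files already being in the working directory and the error only surfaces when mkimage evaluates `/incbin/`. A `bbfatal` with the missing path at this point, mirroring the existing `rm -f ${UBOOT_ITS} ${UBOOT_FITIMAGE_BINARY}` setup, would make the failure actionable. The `conf_firmware`/`conf_loadables` selection is correct for the three layouts in the commit message, but the nested `if/else` can be flattened, and the precedence it encodes (when both switches are `"1"`, TF-A takes `firmware` and OP-TEE is demoted to a loadable) deserves a one-line comment here, since it is only stated in the commit message.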
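Review bot: in the third hunk (the new `atf` and `optee` image nodes and the variable `conf` properties), each new image gets its own `signature` subnode, but the `conf` node whose `firmware` and `loadables` this hunk makes variable still has no `signature` subnode in the visible context (`description`, `firmware`, `loadables`, `fdt` only), so the selection of which images SPL boots is not itself authenticated and only the individual images are. Since this patch is what introduces a choice of firmware, it is the right place to consider a configuration signature (`sign-images = "firmware", "loadables", "fdt";` under `conf`, gated on `SPL_SIGN_ENABLE` like the image signatures) so that signed images cannot be recombined into a configuration the signer never produced. Separately, the two `if [ ... = "1" ]` blocks are near-duplicates that differ only in node name, description, `type`, `os` and variable prefix; a small shell helper taking those as arguments would roughly halve the hunk and keep the signature block in one place.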
Currently, the u-boot FIT image only supports loading the u-boot image.
To support optee-os and trusted-firmware-a, update the ITS file generation
scripts, so users are able to use the u-boot FIT image to load
u-boot, optee-os and trusted-firmware-a images.

Add a variable "UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A" to
enable the trusted-firmware-a image; it is disabled by default.

Add a variable "UBOOT_FIT_OPTEE_OS" to enable the optee-os image;
it is disabled by default.

The generated ITS file looks like the following.

1. Both optee-os and trusted-firmware-a are disabled.
'''
/dts-v1/;

/ {
    images {
        uboot {
        };
        fdt {
        };
    };

    configurations {
        default = "conf";
        conf {
            loadables = "uboot";
            fdt = "fdt";
        };
    };
};
'''

2. Only optee-os is enabled.
'''
/dts-v1/;

/ {
    images {
        uboot {
        };
        fdt {
        };
        optee {
        };
    };

    configurations {
        default = "conf";
        conf {
            firmware = "optee";
            loadables = "uboot";
            fdt = "fdt";
        };
    };
};
'''

3. Both optee-os and trusted-firmware-a are enabled.
'''
/dts-v1/;

/ {
    images {
        uboot {
        };
        fdt {
        };
        atf {
        };
        optee {
        };
    };

    configurations {
        default = "conf";
        conf {
            firmware = "atf";
            loadables = "uboot", "optee";
            fdt = "fdt";
        };
    };
};
'''

Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
---
 meta/classes-recipe/uboot-sign.bbclass | 91 +++++++++++++++++++++++++-
 1 file changed, 90 insertions(+), 1 deletion(-)
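A structural checker for the ITS that the class generates, added here as an example; it is not code from this patch, from the author, or from oe-core. It parses the subset of device-tree source that `uboot_fitimage_assemble` emits (nodes, string and string-list properties, cell lists, `/incbin/`) and then verifies, for the default configuration, that every image named in `firmware`, `loadables` and `fdt` exists under `images`, that each of them carries a `signature` subnode when signing is enabled, that no image is left unreferenced, and that no `load`/`entry` cell list is empty (which is what the class writes when a `*_LOADADDRESS` or `*_ENTRYPOINT` variable is left unset). The sample ITS text, the file names, the `dev` key-name-hint and the `sha256,rsa2048` algorithm string are constructed for the example, modelled on cases 1 and 3 of the commit message; the same `check_fit` can be pointed at the real `${UBOOT_ITS}` from a build's work directory.

```python
"""Structural checks for a U-Boot FIT source (.its) file.

Added example, not code from the uboot-sign.bbclass patch or from oe-core.
It parses the subset of device-tree source the class emits and checks that
the default configuration references only existing images, that every
referenced image carries a signature node when signing is enabled, and that
no load/entry cell list is empty. All ITS text below is constructed input.
"""
import re
from dataclasses import dataclass, field

_TOKEN = re.compile(r'\s*(\{|\}|;|=|,|"[^"]*"|<[^>]*>|/incbin/\("[^"]*"\)|[^\s{};=,]+)')


@dataclass
class Node:
    name: str
    props: dict = field(default_factory=dict)     # name -> list of strings, or raw text
    children: dict = field(default_factory=dict)  # name -> Node


def _tokenize(text):
    text = re.sub(r"/dts-v1/\s*;", "", text)           # drop the version header
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # drop block comments
    tokens, pos = [], 0
    while m := _TOKEN.match(text, pos):
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def _parse_body(tokens, i, node):
    """Fill `node` from tokens[i:] up to its closing '}'; return the index after '};'."""
    while tokens[i] != "}":
        name = tokens[i]
        if tokens[i + 1] == "{":                 # child node:  name { ... };
            child = Node(name)
            i = _parse_body(tokens, i + 2, child)
            node.children[name] = child
        elif tokens[i + 1] == "=":               # property:    name = value(s);
            j = tokens.index(";", i + 2)
            value = tokens[i + 2:j]
            if value[0].startswith('"'):         # string or string list
                node.props[name] = [v.strip('"') for v in value if v.startswith('"')]
            else:                                # cells, /incbin/(...): keep the raw text
                node.props[name] = "".join(value)
            i = j + 1
        else:                                    # boolean property: name;
            node.props[name] = True
            i += 2
    return i + 2


def parse_its(text):
    tokens = _tokenize(text)
    if tokens[:2] != ["/", "{"]:
        raise ValueError("expected a root node: / { ... };")
    root = Node("/")
    _parse_body(tokens, 2, root)
    return root


def check_fit(its_text, signing_enabled=True):
    """Return a list of findings for the default configuration; empty means it passed."""
    root = parse_its(its_text)
    images = root.children.get("images", Node("images"))
    configs = root.children.get("configurations")
    if configs is None or "default" not in configs.props:
        return ["no configurations node with a default property"]
    conf_name = configs.props["default"][0]
    conf = configs.children.get(conf_name)
    if conf is None:
        return [f"default configuration '{conf_name}' does not exist"]
    findings, referenced = [], []
    for role in ("firmware", "loadables", "fdt"):   # the roles SPL loads from a configuration
        referenced.extend(conf.props.get(role, []))
    for name in referenced:
        img = images.children.get(name)
        if img is None:
            findings.append(f"{name}: referenced by '{conf_name}' but missing from images")
            continue
        if signing_enabled and "signature" not in img.children:
            findings.append(f"{name}: no signature node")
        for addr in ("load", "entry"):
            if img.props.get(addr) == "<>":
                findings.append(f"{name}: empty {addr} cells (address variable unset?)")
    findings += [f"{n}: not referenced by '{conf_name}'" for n in images.children if n not in referenced]
    return findings


def _img(name, type_, signed=True, load="0x80000000"):
    """One constructed image node; load="" reproduces the empty <> cells of an unset variable."""
    sig = 'signature { algo = "sha256,rsa2048"; key-name-hint = "dev"; };' if signed else ""
    return (f'{name} {{ description = "{name}"; data = /incbin/("{name}.bin"); '
            f'type = "{type_}"; load = <{load}>; entry = <{load}>; {sig} }};')


def _fit(images, conf_props):
    return ("/dts-v1/;\n/ {\nimages {\n" + "\n".join(images) + "\n};\nconfigurations {\n"
            'default = "conf";\nconf {\n' + conf_props + "\n};\n};\n};\n")


# Case 1 of the commit message: U-Boot plus its FDT, both signed.
SAMPLE_CASE1 = _fit([_img("uboot", "standalone"), _img("fdt", "flat_dt")],
                    'loadables = "uboot"; fdt = "fdt";')

# Case 3 with two planted defects: 'atf' has empty load/entry cells, 'optee' is unsigned.
SAMPLE_CASE3 = _fit([_img("uboot", "standalone"), _img("fdt", "flat_dt"),
                     _img("atf", "firmware", load=""), _img("optee", "tee", signed=False)],
                    'firmware = "atf"; loadables = "uboot", "optee"; fdt = "fdt";')

if __name__ == "__main__":
    for label, its in (("case1", SAMPLE_CASE1), ("case3", SAMPLE_CASE3)):
        print(label, check_fit(its) or "OK")
```

Run stand-alone it reports case 1 as clean and lists three findings for case 3: the two empty address cell lists on `atf` and the missing signature on `optee`. Pass `signing_enabled=False` to mirror a build with `SPL_SIGN_ENABLE` off, in which case only the address findings remain; the unreferenced-image check is there because an image that no configuration names is dead weight that still ships inside the signed FIT.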