From patchwork Mon Feb 17 08:52:31 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jamin Lin X-Patchwork-Id: 57455 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C50B2C021A4 for ; Mon, 17 Feb 2025 08:52:38 +0000 (UTC) Received: from TWMBX01.aspeed.com (TWMBX01.aspeed.com [211.20.114.72]) by mx.groups.io with SMTP id smtpd.web10.47204.1739782356887101503 for ; Mon, 17 Feb 2025 00:52:38 -0800 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: aspeedtech.com, ip: 211.20.114.72, mailfrom: jamin_lin@aspeedtech.com) Received: from TWMBX01.aspeed.com (192.168.0.62) by TWMBX01.aspeed.com (192.168.0.62) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.12; Mon, 17 Feb 2025 16:52:33 +0800 Received: from localhost.localdomain (192.168.10.10) by TWMBX01.aspeed.com (192.168.0.62) with Microsoft SMTP Server id 15.2.1258.12 via Frontend Transport; Mon, 17 Feb 2025 16:52:33 +0800 From: Jamin Lin To: CC: , , Subject: [PATCH v6 1/3] uboot-sign: support to create TEE and ATF image tree source Date: Mon, 17 Feb 2025 16:52:31 +0800 Message-ID: <20250217085233.2201043-2-jamin_lin@aspeedtech.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250217085233.2201043-1-jamin_lin@aspeedtech.com> References: <20250217085233.2201043-1-jamin_lin@aspeedtech.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 17 Feb 2025 08:52:38 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211532 Currently, uboot-sign.bbclass only supports to create Image Tree Source(ITS) for "u-boot" and "flat_dt". However, users may want to support multiple images such as ARM Trusted Firmware(ATF), Trusted Execution Environment(TEE) and users private images for specific application and purpose. To make this bbclass more flexible and support ATF and TEE, creates new functions which are "uboot_fitimage_atf" and "uboot_fitimage_tee" for ATF and TEE ITS file creation, respectively. Add a variable "UBOOT_FIT_ARM_TRUSTED_FIRMWARE" to enable ATF ITS generation and it is disable by default. Add a variable "UBOOT_FIT_TEE" to enable TEE ITS generation and it is disable by default. Signed-off-by: Jamin Lin --- meta/classes-recipe/uboot-sign.bbclass | 80 +++++++++++++++++++++++++- 1 file changed, 79 insertions(+), 1 deletion(-) diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass index 96c47ab016..5c198324ee 100644 --- a/meta/classes-recipe/uboot-sign.bbclass +++ b/meta/classes-recipe/uboot-sign.bbclass @@ -86,6 +86,18 @@ UBOOT_FIT_KEY_SIGN_PKCS ?= "-x509" # ex: 1 32bits address, 2 64bits address UBOOT_FIT_ADDRESS_CELLS ?= "1" +# ARM Trusted Firmware(ATF) is a reference implementation of secure world +# software for Arm A-Profile architectures, (Armv8-A and Armv7-A), including +# an Exception Level 3 (EL3) Secure Monitor. +UBOOT_FIT_ARM_TRUSTED_FIRMWARE ?= "0" +UBOOT_FIT_ARM_TRUSTED_FIRMWARE_IMAGE ?= "bl31.bin" + +# A Trusted Execution Environment(TEE) is an environment for executing code, +# in which those executing the code can have high levels of trust in the asset +# management of that surrounding environment. +UBOOT_FIT_TEE ?= "0" +UBOOT_FIT_TEE_IMAGE ?= "tee-raw.bin" + UBOOT_FIT_UBOOT_LOADADDRESS ?= "${UBOOT_LOADADDRESS}" UBOOT_FIT_UBOOT_ENTRYPOINT ?= "${UBOOT_ENTRYPOINT}" @@ -240,9 +252,64 @@ do_uboot_generate_rsa_keys() { addtask uboot_generate_rsa_keys before do_uboot_assemble_fitimage after do_compile +# Create a ITS file for the atf +uboot_fitimage_atf() { + cat << EOF >> ${UBOOT_ITS} + atf { + description = "ARM Trusted Firmware"; + data = /incbin/("${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_IMAGE}"); + type = "firmware"; + arch = "${UBOOT_ARCH}"; + os = "arm-trusted-firmware"; + load = <${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_LOADADDRESS}>; + entry = <${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_ENTRYPOINT}>; + compression = "none"; +EOF + if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then + cat << EOF >> ${UBOOT_ITS} + signature { + algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}"; + key-name-hint = "${SPL_SIGN_KEYNAME}"; + }; +EOF + fi + + cat << EOF >> ${UBOOT_ITS} + }; +EOF +} + +# Create a ITS file for the tee +uboot_fitimage_tee() { + cat << EOF >> ${UBOOT_ITS} + tee { + description = "Trusted Execution Environment"; + data = /incbin/("${UBOOT_FIT_TEE_IMAGE}"); + type = "tee"; + arch = "${UBOOT_ARCH}"; + os = "tee"; + load = <${UBOOT_FIT_TEE_LOADADDRESS}>; + entry = <${UBOOT_FIT_TEE_ENTRYPOINT}>; + compression = "none"; +EOF + if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then + cat << EOF >> ${UBOOT_ITS} + signature { + algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}"; + key-name-hint = "${SPL_SIGN_KEYNAME}"; + }; +EOF + fi + + cat << EOF >> ${UBOOT_ITS} + }; +EOF +} + # Create a ITS file for the U-boot FIT, for use when # we want to sign it so that the SPL can verify it uboot_fitimage_assemble() { + conf_loadables="\"uboot\"" rm -f ${UBOOT_ITS} ${UBOOT_FITIMAGE_BINARY} # First we create the ITS script @@ -295,13 +362,24 @@ EOF cat << EOF >> ${UBOOT_ITS} }; +EOF + if [ "${UBOOT_FIT_TEE}" = "1" ] ; then + conf_loadables="\"tee\", ${conf_loadables}" + uboot_fitimage_tee + fi + + if [ "${UBOOT_FIT_ARM_TRUSTED_FIRMWARE}" = "1" ] ; then + conf_loadables="\"atf\", ${conf_loadables}" + uboot_fitimage_atf + fi + cat << EOF >> ${UBOOT_ITS} }; configurations { default = "conf"; conf { description = "Boot with signed U-Boot FIT"; - loadables = "uboot"; + loadables = ${conf_loadables}; fdt = "fdt"; }; };