| Message ID | 20230208231031.16363-1-afd@ti.com |
|---|---|
| State | Superseded |
| Delegated to: | Ryan Eatmon |
| Headers | show |
| Series | [meta-ti,master/kirkstone,1/4] trusted-firmware-a: Use ti-k3-secdev if TI_SECURE_DEV_PKG_K3 is not defined | expand |
On Wed, Feb 08, 2023 at 05:10:28PM -0600, Andrew Davis via lists.yoctoproject.org wrote: > Use the new ti-k3-secdev package to pull in the signing tools if they are > not provided by the environment. This allows us to use these tools > unconditionally. Remove the checks for the script and do the signing > for all K3 machines. The signature is automatically stripped from > the binaries on non-HS devices at boot time as needed so this change > is harmless for GP devices. > > Signed-off-by: Andrew Davis <afd@ti.com> > --- > .../trusted-firmware-a_%.bbappend | 43 ++++++------------- > 1 file changed, 12 insertions(+), 31 deletions(-) > > diff --git a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend > index 5acc5c2e..95f1d2d9 100644 > --- a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend > +++ b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend > @@ -6,39 +6,20 @@ TFA_BUILD_TARGET:k3 = "all" > TFA_INSTALL_TARGET:k3 = "bl31" > TFA_SPD:k3 = "opteed" > > +# Use default package TI SECDEV is one is not provided typo - *if* one is not provided > +DEPENDS:append:k3 = "${@ '' if d.getVar('TI_SECURE_DEV_PKG_K3') else ' ti-k3-secdev-native' }" > + > +# Set a default value for TI_K3_SECDEV_INSTALL_DIR > +export TI_K3_SECDEV_INSTALL_DIR = "${STAGING_DIR_NATIVE}${datadir}/ti/ti-k3-secdev" > +include recipes-ti/includes/ti-paths.inc If you set TI_K3_SECDEV_INSTALL_DIR explicitly, why do you need to include ti-paths.inc here? > +TI_SECURE_DEV_PKG:k3 = "${@ d.getVar('TI_SECURE_DEV_PKG_K3') or d.getVar('TI_K3_SECDEV_INSTALL_DIR') }" > + > EXTRA_OEMAKE:append:k3 = "${@ ' K3_USART=' + d.getVar('TFA_K3_USART') if d.getVar('TFA_K3_USART') else ''}" > EXTRA_OEMAKE:append:k3 = "${@ ' K3_PM_SYSTEM_SUSPEND=' + d.getVar('TFA_K3_SYSTEM_SUSPEND') if d.getVar('TFA_K3_SYSTEM_SUSPEND') else ''}" > > -# Signing procedure for K3 HS devices > -tfa_sign_k3hs() { > +# Signing procedure for K3 devices > +do_compile:append:k3() { > export TI_SECURE_DEV_PKG=${TI_SECURE_DEV_PKG} > - ( cd ${BUILD_DIR}; \ > - mv bl31.bin bl31.bin.unsigned; \ > - if [ -f ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ]; then \ > - ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh bl31.bin.unsigned bl31.bin; \ > - else \ > - echo "Warning: TI_SECURE_DEV_PKG not set, TF-A not signed."; \ > - cp bl31.bin.unsigned bl31.bin; \ > - fi; \ > - ) > -} > - > -do_compile:append:am65xx-hs-evm() { > - tfa_sign_k3hs > -} > - > -do_compile:append:am64xx-evm() { > - tfa_sign_k3hs > -} > - > -do_compile:append:j721e-hs-evm() { > - tfa_sign_k3hs > -} > - > -do_compile:append:j7200-hs-evm() { > - tfa_sign_k3hs > -} > - > -do_compile:append:j721s2-hs-evm() { > - tfa_sign_k3hs > + mv ${BUILD_DIR}/bl31.bin ${BUILD_DIR}/bl31.bin.unsigned > + ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ${BUILD_DIR}/bl31.bin.unsigned ${BUILD_DIR}/bl31.bin > } > -- > 2.39.1
On 2/10/23 12:51 PM, Denys Dmytriyenko wrote: > On Wed, Feb 08, 2023 at 05:10:28PM -0600, Andrew Davis via lists.yoctoproject.org wrote: >> Use the new ti-k3-secdev package to pull in the signing tools if they are >> not provided by the environment. This allows us to use these tools >> unconditionally. Remove the checks for the script and do the signing >> for all K3 machines. The signature is automatically stripped from >> the binaries on non-HS devices at boot time as needed so this change >> is harmless for GP devices. >> >> Signed-off-by: Andrew Davis <afd@ti.com> >> --- >> .../trusted-firmware-a_%.bbappend | 43 ++++++------------- >> 1 file changed, 12 insertions(+), 31 deletions(-) >> >> diff --git a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend >> index 5acc5c2e..95f1d2d9 100644 >> --- a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend >> +++ b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend >> @@ -6,39 +6,20 @@ TFA_BUILD_TARGET:k3 = "all" >> TFA_INSTALL_TARGET:k3 = "bl31" >> TFA_SPD:k3 = "opteed" >> >> +# Use default package TI SECDEV is one is not provided > > typo - *if* one is not provided > Good catch > >> +DEPENDS:append:k3 = "${@ '' if d.getVar('TI_SECURE_DEV_PKG_K3') else ' ti-k3-secdev-native' }" >> + >> +# Set a default value for TI_K3_SECDEV_INSTALL_DIR >> +export TI_K3_SECDEV_INSTALL_DIR = "${STAGING_DIR_NATIVE}${datadir}/ti/ti-k3-secdev" >> +include recipes-ti/includes/ti-paths.inc > > If you set TI_K3_SECDEV_INSTALL_DIR explicitly, why do you need to include > ti-paths.inc here? > ti-paths.inc is part of meta-ti-extras which might not be included in one's layer stack. If not, this is a sane default, but ti-paths.inc can still override that path if available. Andrew > >> +TI_SECURE_DEV_PKG:k3 = "${@ d.getVar('TI_SECURE_DEV_PKG_K3') or d.getVar('TI_K3_SECDEV_INSTALL_DIR') }" >> + >> EXTRA_OEMAKE:append:k3 = "${@ ' K3_USART=' + d.getVar('TFA_K3_USART') if d.getVar('TFA_K3_USART') else ''}" >> EXTRA_OEMAKE:append:k3 = "${@ ' K3_PM_SYSTEM_SUSPEND=' + d.getVar('TFA_K3_SYSTEM_SUSPEND') if d.getVar('TFA_K3_SYSTEM_SUSPEND') else ''}" >> >> -# Signing procedure for K3 HS devices >> -tfa_sign_k3hs() { >> +# Signing procedure for K3 devices >> +do_compile:append:k3() { >> export TI_SECURE_DEV_PKG=${TI_SECURE_DEV_PKG} >> - ( cd ${BUILD_DIR}; \ >> - mv bl31.bin bl31.bin.unsigned; \ >> - if [ -f ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ]; then \ >> - ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh bl31.bin.unsigned bl31.bin; \ >> - else \ >> - echo "Warning: TI_SECURE_DEV_PKG not set, TF-A not signed."; \ >> - cp bl31.bin.unsigned bl31.bin; \ >> - fi; \ >> - ) >> -} >> - >> -do_compile:append:am65xx-hs-evm() { >> - tfa_sign_k3hs >> -} >> - >> -do_compile:append:am64xx-evm() { >> - tfa_sign_k3hs >> -} >> - >> -do_compile:append:j721e-hs-evm() { >> - tfa_sign_k3hs >> -} >> - >> -do_compile:append:j7200-hs-evm() { >> - tfa_sign_k3hs >> -} >> - >> -do_compile:append:j721s2-hs-evm() { >> - tfa_sign_k3hs >> + mv ${BUILD_DIR}/bl31.bin ${BUILD_DIR}/bl31.bin.unsigned >> + ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ${BUILD_DIR}/bl31.bin.unsigned ${BUILD_DIR}/bl31.bin >> } >> -- >> 2.39.1
On Fri, Feb 10, 2023 at 12:56:20PM -0600, Andrew Davis wrote: > On 2/10/23 12:51 PM, Denys Dmytriyenko wrote: > >On Wed, Feb 08, 2023 at 05:10:28PM -0600, Andrew Davis via lists.yoctoproject.org wrote: > >>Use the new ti-k3-secdev package to pull in the signing tools if they are > >>not provided by the environment. This allows us to use these tools > >>unconditionally. Remove the checks for the script and do the signing > >>for all K3 machines. The signature is automatically stripped from > >>the binaries on non-HS devices at boot time as needed so this change > >>is harmless for GP devices. > >> > >>Signed-off-by: Andrew Davis <afd@ti.com> > >>--- > >> .../trusted-firmware-a_%.bbappend | 43 ++++++------------- > >> 1 file changed, 12 insertions(+), 31 deletions(-) > >> > >>diff --git a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend > >>index 5acc5c2e..95f1d2d9 100644 > >>--- a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend > >>+++ b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend > >>@@ -6,39 +6,20 @@ TFA_BUILD_TARGET:k3 = "all" > >> TFA_INSTALL_TARGET:k3 = "bl31" > >> TFA_SPD:k3 = "opteed" > >>+# Use default package TI SECDEV is one is not provided > > > >typo - *if* one is not provided > > > > Good catch > > > > >>+DEPENDS:append:k3 = "${@ '' if d.getVar('TI_SECURE_DEV_PKG_K3') else ' ti-k3-secdev-native' }" > >>+ > >>+# Set a default value for TI_K3_SECDEV_INSTALL_DIR > >>+export TI_K3_SECDEV_INSTALL_DIR = "${STAGING_DIR_NATIVE}${datadir}/ti/ti-k3-secdev" > >>+include recipes-ti/includes/ti-paths.inc > > > >If you set TI_K3_SECDEV_INSTALL_DIR explicitly, why do you need to include > >ti-paths.inc here? > > > > ti-paths.inc is part of meta-ti-extras which might not be included in one's layer stack. > If not, this is a sane default, but ti-paths.inc can still override that path if available. No, we shouldn't be using ti-paths.inc here at all. The file was mostly used by RTOS components back when they were built from sources. That is now only used on some legacy platforms. Eventually it will be removed, no reason to start using the file for K3 SECDEV. Just come up with the proper default (something other than ${datadir}...) and be done with it, right? > >>+TI_SECURE_DEV_PKG:k3 = "${@ d.getVar('TI_SECURE_DEV_PKG_K3') or d.getVar('TI_K3_SECDEV_INSTALL_DIR') }" > >>+ > >> EXTRA_OEMAKE:append:k3 = "${@ ' K3_USART=' + d.getVar('TFA_K3_USART') if d.getVar('TFA_K3_USART') else ''}" > >> EXTRA_OEMAKE:append:k3 = "${@ ' K3_PM_SYSTEM_SUSPEND=' + d.getVar('TFA_K3_SYSTEM_SUSPEND') if d.getVar('TFA_K3_SYSTEM_SUSPEND') else ''}" > >>-# Signing procedure for K3 HS devices > >>-tfa_sign_k3hs() { > >>+# Signing procedure for K3 devices > >>+do_compile:append:k3() { > >> export TI_SECURE_DEV_PKG=${TI_SECURE_DEV_PKG} > >>- ( cd ${BUILD_DIR}; \ > >>- mv bl31.bin bl31.bin.unsigned; \ > >>- if [ -f ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ]; then \ > >>- ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh bl31.bin.unsigned bl31.bin; \ > >>- else \ > >>- echo "Warning: TI_SECURE_DEV_PKG not set, TF-A not signed."; \ > >>- cp bl31.bin.unsigned bl31.bin; \ > >>- fi; \ > >>- ) > >>-} > >>- > >>-do_compile:append:am65xx-hs-evm() { > >>- tfa_sign_k3hs > >>-} > >>- > >>-do_compile:append:am64xx-evm() { > >>- tfa_sign_k3hs > >>-} > >>- > >>-do_compile:append:j721e-hs-evm() { > >>- tfa_sign_k3hs > >>-} > >>- > >>-do_compile:append:j7200-hs-evm() { > >>- tfa_sign_k3hs > >>-} > >>- > >>-do_compile:append:j721s2-hs-evm() { > >>- tfa_sign_k3hs > >>+ mv ${BUILD_DIR}/bl31.bin ${BUILD_DIR}/bl31.bin.unsigned > >>+ ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ${BUILD_DIR}/bl31.bin.unsigned ${BUILD_DIR}/bl31.bin > >> } > >>-- > >>2.39.1
On 2/10/23 1:05 PM, Denys Dmytriyenko wrote: > On Fri, Feb 10, 2023 at 12:56:20PM -0600, Andrew Davis wrote: >> On 2/10/23 12:51 PM, Denys Dmytriyenko wrote: >>> On Wed, Feb 08, 2023 at 05:10:28PM -0600, Andrew Davis via lists.yoctoproject.org wrote: >>>> Use the new ti-k3-secdev package to pull in the signing tools if they are >>>> not provided by the environment. This allows us to use these tools >>>> unconditionally. Remove the checks for the script and do the signing >>>> for all K3 machines. The signature is automatically stripped from >>>> the binaries on non-HS devices at boot time as needed so this change >>>> is harmless for GP devices. >>>> >>>> Signed-off-by: Andrew Davis <afd@ti.com> >>>> --- >>>> .../trusted-firmware-a_%.bbappend | 43 ++++++------------- >>>> 1 file changed, 12 insertions(+), 31 deletions(-) >>>> >>>> diff --git a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend >>>> index 5acc5c2e..95f1d2d9 100644 >>>> --- a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend >>>> +++ b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend >>>> @@ -6,39 +6,20 @@ TFA_BUILD_TARGET:k3 = "all" >>>> TFA_INSTALL_TARGET:k3 = "bl31" >>>> TFA_SPD:k3 = "opteed" >>>> +# Use default package TI SECDEV is one is not provided >>> >>> typo - *if* one is not provided >>> >> >> Good catch >> >>> >>>> +DEPENDS:append:k3 = "${@ '' if d.getVar('TI_SECURE_DEV_PKG_K3') else ' ti-k3-secdev-native' }" >>>> + >>>> +# Set a default value for TI_K3_SECDEV_INSTALL_DIR >>>> +export TI_K3_SECDEV_INSTALL_DIR = "${STAGING_DIR_NATIVE}${datadir}/ti/ti-k3-secdev" >>>> +include recipes-ti/includes/ti-paths.inc >>> >>> If you set TI_K3_SECDEV_INSTALL_DIR explicitly, why do you need to include >>> ti-paths.inc here? >>> >> >> ti-paths.inc is part of meta-ti-extras which might not be included in one's layer stack. >> If not, this is a sane default, but ti-paths.inc can still override that path if available. > > No, we shouldn't be using ti-paths.inc here at all. The file was mostly used > by RTOS components back when they were built from sources. That is now only > used on some legacy platforms. Eventually it will be removed, no reason to > start using the file for K3 SECDEV. Just come up with the proper default > (something other than ${datadir}...) and be done with it, right? > I'm thinking ${datadir} is the right spot, do you have another spot in mind? Once we agree on a spot, then I'll go drop out the ti-paths.inc everywhere in a follow up patch. Andrew > >>>> +TI_SECURE_DEV_PKG:k3 = "${@ d.getVar('TI_SECURE_DEV_PKG_K3') or d.getVar('TI_K3_SECDEV_INSTALL_DIR') }" >>>> + >>>> EXTRA_OEMAKE:append:k3 = "${@ ' K3_USART=' + d.getVar('TFA_K3_USART') if d.getVar('TFA_K3_USART') else ''}" >>>> EXTRA_OEMAKE:append:k3 = "${@ ' K3_PM_SYSTEM_SUSPEND=' + d.getVar('TFA_K3_SYSTEM_SUSPEND') if d.getVar('TFA_K3_SYSTEM_SUSPEND') else ''}" >>>> -# Signing procedure for K3 HS devices >>>> -tfa_sign_k3hs() { >>>> +# Signing procedure for K3 devices >>>> +do_compile:append:k3() { >>>> export TI_SECURE_DEV_PKG=${TI_SECURE_DEV_PKG} >>>> - ( cd ${BUILD_DIR}; \ >>>> - mv bl31.bin bl31.bin.unsigned; \ >>>> - if [ -f ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ]; then \ >>>> - ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh bl31.bin.unsigned bl31.bin; \ >>>> - else \ >>>> - echo "Warning: TI_SECURE_DEV_PKG not set, TF-A not signed."; \ >>>> - cp bl31.bin.unsigned bl31.bin; \ >>>> - fi; \ >>>> - ) >>>> -} >>>> - >>>> -do_compile:append:am65xx-hs-evm() { >>>> - tfa_sign_k3hs >>>> -} >>>> - >>>> -do_compile:append:am64xx-evm() { >>>> - tfa_sign_k3hs >>>> -} >>>> - >>>> -do_compile:append:j721e-hs-evm() { >>>> - tfa_sign_k3hs >>>> -} >>>> - >>>> -do_compile:append:j7200-hs-evm() { >>>> - tfa_sign_k3hs >>>> -} >>>> - >>>> -do_compile:append:j721s2-hs-evm() { >>>> - tfa_sign_k3hs >>>> + mv ${BUILD_DIR}/bl31.bin ${BUILD_DIR}/bl31.bin.unsigned >>>> + ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ${BUILD_DIR}/bl31.bin.unsigned ${BUILD_DIR}/bl31.bin >>>> } >>>> -- >>>> 2.39.1
On Fri, Feb 10, 2023 at 01:55:24PM -0600, Andrew Davis wrote: > On 2/10/23 1:05 PM, Denys Dmytriyenko wrote: > >On Fri, Feb 10, 2023 at 12:56:20PM -0600, Andrew Davis wrote: > >>On 2/10/23 12:51 PM, Denys Dmytriyenko wrote: > >>>On Wed, Feb 08, 2023 at 05:10:28PM -0600, Andrew Davis via lists.yoctoproject.org wrote: > >>>>Use the new ti-k3-secdev package to pull in the signing tools if they are > >>>>not provided by the environment. This allows us to use these tools > >>>>unconditionally. Remove the checks for the script and do the signing > >>>>for all K3 machines. The signature is automatically stripped from > >>>>the binaries on non-HS devices at boot time as needed so this change > >>>>is harmless for GP devices. > >>>> > >>>>Signed-off-by: Andrew Davis <afd@ti.com> > >>>>--- > >>>> .../trusted-firmware-a_%.bbappend | 43 ++++++------------- > >>>> 1 file changed, 12 insertions(+), 31 deletions(-) > >>>> > >>>>diff --git a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend > >>>>index 5acc5c2e..95f1d2d9 100644 > >>>>--- a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend > >>>>+++ b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend > >>>>@@ -6,39 +6,20 @@ TFA_BUILD_TARGET:k3 = "all" > >>>> TFA_INSTALL_TARGET:k3 = "bl31" > >>>> TFA_SPD:k3 = "opteed" > >>>>+# Use default package TI SECDEV is one is not provided > >>> > >>>typo - *if* one is not provided > >>> > >> > >>Good catch > >> > >>> > >>>>+DEPENDS:append:k3 = "${@ '' if d.getVar('TI_SECURE_DEV_PKG_K3') else ' ti-k3-secdev-native' }" > >>>>+ > >>>>+# Set a default value for TI_K3_SECDEV_INSTALL_DIR > >>>>+export TI_K3_SECDEV_INSTALL_DIR = "${STAGING_DIR_NATIVE}${datadir}/ti/ti-k3-secdev" > >>>>+include recipes-ti/includes/ti-paths.inc > >>> > >>>If you set TI_K3_SECDEV_INSTALL_DIR explicitly, why do you need to include > >>>ti-paths.inc here? > >>> > >> > >>ti-paths.inc is part of meta-ti-extras which might not be included in one's layer stack. > >>If not, this is a sane default, but ti-paths.inc can still override that path if available. > > > >No, we shouldn't be using ti-paths.inc here at all. The file was mostly used > >by RTOS components back when they were built from sources. That is now only > >used on some legacy platforms. Eventually it will be removed, no reason to > >start using the file for K3 SECDEV. Just come up with the proper default > >(something other than ${datadir}...) and be done with it, right? > > > > I'm thinking ${datadir} is the right spot, do you have another spot in mind? Hmm, I don't oppose that heavily against ${datadir}... I guess if we were introducing SECDEV for the first time, I'd argue we should install scripts into ${bindir} and everything else into ${datadir} or something more FHS complieant? But I guess in order to keep the legacy setup of TI_SECURE_DEV_PKG passed through environment working as is, changing directory structure is out of the question now.
diff --git a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend index 5acc5c2e..95f1d2d9 100644 --- a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend +++ b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend @@ -6,39 +6,20 @@ TFA_BUILD_TARGET:k3 = "all" TFA_INSTALL_TARGET:k3 = "bl31" TFA_SPD:k3 = "opteed" +# Use default package TI SECDEV is one is not provided +DEPENDS:append:k3 = "${@ '' if d.getVar('TI_SECURE_DEV_PKG_K3') else ' ti-k3-secdev-native' }" + +# Set a default value for TI_K3_SECDEV_INSTALL_DIR +export TI_K3_SECDEV_INSTALL_DIR = "${STAGING_DIR_NATIVE}${datadir}/ti/ti-k3-secdev" +include recipes-ti/includes/ti-paths.inc +TI_SECURE_DEV_PKG:k3 = "${@ d.getVar('TI_SECURE_DEV_PKG_K3') or d.getVar('TI_K3_SECDEV_INSTALL_DIR') }" + EXTRA_OEMAKE:append:k3 = "${@ ' K3_USART=' + d.getVar('TFA_K3_USART') if d.getVar('TFA_K3_USART') else ''}" EXTRA_OEMAKE:append:k3 = "${@ ' K3_PM_SYSTEM_SUSPEND=' + d.getVar('TFA_K3_SYSTEM_SUSPEND') if d.getVar('TFA_K3_SYSTEM_SUSPEND') else ''}" -# Signing procedure for K3 HS devices -tfa_sign_k3hs() { +# Signing procedure for K3 devices +do_compile:append:k3() { export TI_SECURE_DEV_PKG=${TI_SECURE_DEV_PKG} - ( cd ${BUILD_DIR}; \ - mv bl31.bin bl31.bin.unsigned; \ - if [ -f ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ]; then \ - ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh bl31.bin.unsigned bl31.bin; \ - else \ - echo "Warning: TI_SECURE_DEV_PKG not set, TF-A not signed."; \ - cp bl31.bin.unsigned bl31.bin; \ - fi; \ - ) -} - -do_compile:append:am65xx-hs-evm() { - tfa_sign_k3hs -} - -do_compile:append:am64xx-evm() { - tfa_sign_k3hs -} - -do_compile:append:j721e-hs-evm() { - tfa_sign_k3hs -} - -do_compile:append:j7200-hs-evm() { - tfa_sign_k3hs -} - -do_compile:append:j721s2-hs-evm() { - tfa_sign_k3hs + mv ${BUILD_DIR}/bl31.bin ${BUILD_DIR}/bl31.bin.unsigned + ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ${BUILD_DIR}/bl31.bin.unsigned ${BUILD_DIR}/bl31.bin }
Use the new ti-k3-secdev package to pull in the signing tools if they are not provided by the environment. This allows us to use these tools unconditionally. Remove the checks for the script and do the signing for all K3 machines. The signature is automatically stripped from the binaries on non-HS devices at boot time as needed so this change is harmless for GP devices. Signed-off-by: Andrew Davis <afd@ti.com> --- .../trusted-firmware-a_%.bbappend | 43 ++++++------------- 1 file changed, 12 insertions(+), 31 deletions(-)