Re: [meta-ti][master/kirkstone][PATCH v2 02/15] trusted-firmware-a: Use new ti-secdev class to sign the images

[Denys Dmytriyenko]

On Wed, Feb 15, 2023 at 01:33:42PM -0600, Andrew Davis via 
lists.yoctoproject.org wrote:
> Use the new ti-k3-secdev package to pull in the signing tools if they are
> not provided by the environment. This allows us to use these tools
> unconditionally. Remove the checks for the script and do the signing
> for all K3 machines. The signature is automatically stripped from
> the binaries on non-HS devices at boot time as needed so this change
> is harmless for GP devices.
> 
> Signed-off-by: Andrew Davis <a...@ti.com>

Tested-by: Denys Dmytriyenko <de...@konsulko.com>


> ---
>  .../trusted-firmware-a_%.bbappend             | 39 ++++---------------
>  1 file changed, 7 insertions(+), 32 deletions(-)
> 
> diff --git 
> a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend 
> b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend
> index 5acc5c2e..be601e62 100644
> --- a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend
> +++ b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend
> @@ -6,39 +6,14 @@ TFA_BUILD_TARGET:k3 = "all"
>  TFA_INSTALL_TARGET:k3 = "bl31"
>  TFA_SPD:k3 = "opteed"
>  
> +# Use TI SECDEV for signing
> +inherit ti-secdev
> +
>  EXTRA_OEMAKE:append:k3 = "${@ ' K3_USART=' + d.getVar('TFA_K3_USART') if 
> d.getVar('TFA_K3_USART') else ''}"
>  EXTRA_OEMAKE:append:k3 = "${@ ' K3_PM_SYSTEM_SUSPEND=' + 
> d.getVar('TFA_K3_SYSTEM_SUSPEND') if d.getVar('TFA_K3_SYSTEM_SUSPEND') else 
> ''}"
>  
> -# Signing procedure for K3 HS devices
> -tfa_sign_k3hs() {
> -     export TI_SECURE_DEV_PKG=${TI_SECURE_DEV_PKG}
> -     ( cd ${BUILD_DIR}; \
> -             mv bl31.bin bl31.bin.unsigned; \
> -             if [ -f ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ]; 
> then \
> -                     ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh 
> bl31.bin.unsigned bl31.bin; \
> -             else \
> -                     echo "Warning: TI_SECURE_DEV_PKG not set, TF-A not 
> signed."; \
> -                     cp bl31.bin.unsigned bl31.bin; \
> -             fi; \
> -     )
> -}
> -
> -do_compile:append:am65xx-hs-evm() {
> -     tfa_sign_k3hs
> -}
> -
> -do_compile:append:am64xx-evm() {
> -     tfa_sign_k3hs
> -}
> -
> -do_compile:append:j721e-hs-evm() {
> -     tfa_sign_k3hs
> -}
> -
> -do_compile:append:j7200-hs-evm() {
> -     tfa_sign_k3hs
> -}
> -
> -do_compile:append:j721s2-hs-evm() {
> -     tfa_sign_k3hs
> +# Signing procedure for K3 devices
> +do_compile:append:k3() {
> +     mv ${BUILD_DIR}/bl31.bin ${BUILD_DIR}/bl31.bin.unsigned
> +     ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh 
> ${BUILD_DIR}/bl31.bin.unsigned ${BUILD_DIR}/bl31.bin
>  }
> -- 
> 2.39.1

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#15908): 
https://lists.yoctoproject.org/g/meta-ti/message/15908
Mute This Topic: https://lists.yoctoproject.org/mt/96991002/21656
Group Owner: meta-ti+ow...@lists.yoctoproject.org
Unsubscribe: 
https://lists.yoctoproject.org/g/meta-ti/leave/6695321/21656/1393940836/xyzzy 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-