Re: [OE-core] [PATCH v1] uboot-sign: support to load optee-os and TFA images

Jamin Lin via lists.openembedded.org Thu, 18 Jan 2024 22:30:09 -0800

> 
> Hello,
> 
> This doesn't apply on top of your previous patches. Can you send a proper
> series with what you want to be tested/applied?
> 
> Thanks!
> 
Hi Alexandre


I created a series patch here, 
https://patchwork.yoctoproject.org/project/oe-core/list/?series=21444
Thanks-Jamin

> On 17/01/2024 10:10:51+0800, Jamin Lin via lists.openembedded.org wrote:
> > Currently, u-boot FIT image only support to load u-boot image.
> > To support optee-os and trusted-firmware-a, update ITS file generation
> > scripts, so users are able to use u-boot FIT image to load u-boot,
> > optee-os and treustred-firmware-a images
> >
> > Add a variable "UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A" to enable
> > trusted-firmware-a image and it is disable by default.
> >
> > Add a variable "UBOOT_FIT_OPTEE_OS" to enable optee-os image and it is
> > disable by default.
> >
> > The ITS file creation looks like as following.
> > 1. Both optee-os and trusted-firmware-a are disabled.
> > '''
> > /dts-v1/;
> >
> > / {
> >     images {
> >         uboot {
> >
> >         };
> >         fdt {
> >         };
> >     };
> >
> >     configurations {
> >         default = "conf";
> >         conf {
> >             loadables = "uboot";
> >             fdt = "fdt";
> >         };
> >     };
> > };
> > '''
> >
> > 2. Only enable optee-os
> > '''
> > /dts-v1/;
> >
> > / {
> >     images {
> >         uboot {
> >         };
> >         fdt {
> >         };
> >         optee {
> >         };
> >     };
> >
> >     configurations {
> >         default = "conf";
> >         conf {
> >             firmware = "optee";
> >             loadables = "uboot";
> >             fdt = "fdt";
> >         };
> >     };
> > };
> > '''
> >
> > 3: Both optee-os and trusted-firmware-a are enabled '''
> > /dts-v1/;
> >
> > / {
> >     images {
> >         uboot {
> >         };
> >         fdt {
> >         };
> >         atf {
> >         };
> >         optee {
> >         };
> >     };
> >
> >     configurations {
> >         default = "conf";
> >         conf {
> >             firmware = "atf";
> >             loadables = "uboot", "optee";
> >             fdt = "fdt";
> >         };
> >     };
> > };
> > '''
> >
> > Signed-off-by: Jamin Lin <jamin_...@aspeedtech.com>
> > ---
> >  meta/classes-recipe/uboot-sign.bbclass | 91
> > +++++++++++++++++++++++++-
> >  1 file changed, 90 insertions(+), 1 deletion(-)
> >
> > diff --git a/meta/classes-recipe/uboot-sign.bbclass
> > b/meta/classes-recipe/uboot-sign.bbclass
> > index ad04c82378..b874eb84db 100644
> > --- a/meta/classes-recipe/uboot-sign.bbclass
> > +++ b/meta/classes-recipe/uboot-sign.bbclass
> > @@ -88,6 +88,18 @@ UBOOT_FIT_ADDRESS_CELLS ?= "1"
> >  # This is only necessary for determining the signing configuration
> > KERNEL_PN = "${PREFERRED_PROVIDER_virtual/kernel}"
> >
> > +# Trusted Firmware-A (TF-A) provides a reference implementation of #
> > +secure world software for Armv7-A and Armv8-A, # including a Secure
> > +Monitor executing at Exception Level 3 (EL3) # ATF is used as the
> > +initial start code on ARMv8-A cores for all K3 platforms
> > +UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A ?= "0"
> > +UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_IMAGE ?= "bl31.bin"
> > +
> > +# OP-TEE is a Trusted Execution Environment (TEE) designed as #
> > +companion to a non-secure Linux kernel running on Arm
> > +UBOOT_FIT_OPTEE_OS ?= "0"
> > +UBOOT_FIT_OPTEE_OS_IMAGE ?= "tee-raw.bin"
> > +
> >  python() {
> >      # We need u-boot-tools-native if we're creating a U-Boot fitImage
> >      sign = d.getVar('UBOOT_SIGN_ENABLE') == '1'
> > @@ -230,6 +242,20 @@ addtask uboot_generate_rsa_keys before
> > do_uboot_assemble_fitimage after do_compi  # Create a ITS file for the
> > U-boot FIT, for use when  # we want to sign it so that the SPL can
> > verify it
> >  uboot_fitimage_assemble() {
> > +   conf_loadables="\"uboot\""
> > +   conf_firmware=""
> > +
> > +   if [ "${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A}" = "1" ]; then
> > +           conf_firmware="\"atf\""
> > +           if [ "${UBOOT_FIT_OPTEE_OS}" = "1" ]; then
> > +                   conf_loadables="\"uboot\", \"optee\""
> > +           fi
> > +   else
> > +           if [ "${UBOOT_FIT_OPTEE_OS}" = "1" ]; then
> > +                   conf_firmware="\"optee\""
> > +           fi
> > +   fi
> > +
> >     rm -f ${UBOOT_ITS} ${UBOOT_FITIMAGE_BINARY}
> >
> >     # First we create the ITS script
> > @@ -282,13 +308,76 @@ EOF
> >
> >     cat << EOF >> ${UBOOT_ITS}
> >          };
> > +EOF
> > +   if [ "${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A}" = "1" ] ; then
> > +           cat << EOF >> ${UBOOT_ITS}
> > +        atf {
> > +            description = "ARM Trusted Firmware-A";
> > +            data =
> /incbin/("${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_IMAGE}");
> > +            type = "firmware";
> > +            arch = "${UBOOT_ARCH}";
> > +            os = "arm-trusted-firmware";
> > +            load =
> <${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_LOADADDRESS}>;
> > +            entry =
> <${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_ENTRYPOINT}>;
> > +            compression = "none";
> > +EOF
> > +
> > +           if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
> > +                   cat << EOF >> ${UBOOT_ITS}
> > +            signature {
> > +                algo =
> "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}";
> > +                key-name-hint = "${SPL_SIGN_KEYNAME}";
> > +            };
> > +EOF
> > +           fi
> > +
> > +   cat << EOF >> ${UBOOT_ITS}
> > +        };
> > +EOF
> > +   fi
> > +
> > +   if [ "${UBOOT_FIT_OPTEE_OS}" = "1" ] ; then
> > +           cat << EOF >> ${UBOOT_ITS}
> > +        optee {
> > +            description = "OPTEE OS Image";
> > +            data = /incbin/("${UBOOT_FIT_OPTEE_OS_IMAGE}");
> > +            type = "tee";
> > +            arch = "${UBOOT_ARCH}";
> > +            os = "tee";
> > +            load = <${UBOOT_FIT_OPTEE_OS_LOADADDRESS}>;
> > +            entry = <${UBOOT_FIT_OPTEE_OS_ENTRYPOINT}>;
> > +            compression = "none";
> > +EOF
> > +
> > +           if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
> > +                   cat << EOF >> ${UBOOT_ITS}
> > +            signature {
> > +                algo =
> "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}";
> > +                key-name-hint = "${SPL_SIGN_KEYNAME}";
> > +            };
> > +EOF
> > +           fi
> > +
> > +   cat << EOF >> ${UBOOT_ITS}
> > +        };
> > +EOF
> > +   fi
> > +
> > +   cat << EOF >> ${UBOOT_ITS}
> >      };
> >
> >      configurations {
> >          default = "conf";
> >          conf {
> >              description = "Boot with signed U-Boot FIT";
> > -            loadables = "uboot";
> > +EOF
> > +   if [ -n "${conf_firmware}" ]; then
> > +   cat << EOF >> ${UBOOT_ITS}
> > +            firmware = ${conf_firmware}; EOF
> > +   fi
> > +   cat << EOF >> ${UBOOT_ITS}
> > +            loadables = ${conf_loadables};
> >              fdt = "fdt";
> >          };
> >      };
> > --
> > 2.25.1
> >
> 
> >
> > 
> >
> 
> 
> --
> Alexandre Belloni, co-owner and COO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#194014): 
https://lists.openembedded.org/g/openembedded-core/message/194014
Mute This Topic: https://lists.openembedded.org/mt/103778291/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core] [PATCH v1] uboot-sign: support to load optee-os and TFA images

Reply via email to