On 7/18/23 13:53, lukas.funke-...@weidmueller.com wrote:
From: Lukas Funke <lukas.fu...@weidmueller.com>


This series adds two etypes to create a verified boot chain for
Xilinx ZynqMP devices. The first etype 'xilinx-fsbl-auth' is used to
create a bootable, signed image for ZynqMP boards using the Xilinx
Bootgen tool. The second etype 'u-boot-spl-pubkey-dtb' is used to add
a '/signature' node to the SPL. The public key in the signature is read
from a certificate file and added using the 'fdt_add_pubkey' tool. The
series also contains the corresponding btool for calling 'bootgen' and
'fdt_add_pubkey'.

The following block shows an example of how to use this functionality:

     spl {
         filename = "boot.signed.bin";

         xilinx-fsbl-auth {
             psk-key-name-hint = "psk0";
             ssk-key-name-hint = "ssk0";
             auth-params = "ppk_select=0", "spk_id=0x00000000";

             u-boot-spl-nodtb {
             };
             u-boot-spl-pubkey-dtb {
                 algo = "sha384,rsa4096";
                 required = "conf";
                 key-name-hint = "dev";
             };
         };
     };


I was looking at binman a couple of times in the past but never had time to do any development with it. Maybe it is a good opportunity to look at it now with this series.
Is there a way to see more verbose output?

I expect that keys should be generated as described here.

https://docs.xilinx.com/r/en-US/ug1283-bootgen-user-guide/Key-Generation?tocId=yf_PWbWVciRyrDMi2g1H1w

Anyway, I tried to use u-boot-spl-nodtb like this.

&binman {
        spl {
                filename = "boot.signed.bin";
        
                xilinx-fsbl-auth {
                        psk-key-name-hint = "/tmp/ddd/psk0";
                        ssk-key-name-hint = "/tmp/ddd/ssk0";
                        auth-params = "ppk_select=0", "spk_id=0x00000000";
                        pmufw-filename = "/mnt/disk/u-boot-bins/zynqmp/zynqmp-zcu102-revA/pmufw.elf";

                        u-boot-spl-nodtb {
                        };
                };
        };
};

but I am getting an error:
  BINMAN  .binman_stamp
Using input directories ['.', '.', './board/xilinx/zynqmp', 'arch/arm/dts']
Using output directory '.'
Processing entry args:
of-list = avnet-ultra96-rev1 zynqmp-a2197-revA zynqmp-e-a2197-00-revA zynqmp-g-a2197-00-revA zynqmp-m-a2197-01-revA zynqmp-m-a2197-02-revA zynqmp-m-a2197-03-revA zynqmp-p-a2197-00-revA zynqmp-zc1232-revA zynqmp-zc1254-revA zynqmp-zc1751-xm015-dc1 zynqmp-zc1751-xm016-dc2 zynqmp-zc1751-xm017-dc3 zynqmp-zc1751-xm018-dc4 zynqmp-zc1751-xm019-dc5 zynqmp-zcu100-revC zynqmp-zcu102-rev1.1 zynqmp-zcu102-rev1.0 zynqmp-zcu102-revA zynqmp-zcu102-revB zynqmp-zcu104-revA zynqmp-zcu104-revC zynqmp-zcu106-revA zynqmp-zcu106-rev1.0 zynqmp-zcu111-revA zynqmp-zcu1275-revA zynqmp-zcu1275-revB zynqmp-zcu1285-revA zynqmp-zcu208-revA zynqmp-zcu216-revA zynqmp-topic-miamimp-xilinx-xdp-v1r1 zynqmp-sm-k26-revA zynqmp-smk-k26-revA zynqmp-dlc21-revA
          atf-bl31-path = /tftpboot/bl31.bin
            tee-os-path = /tftpboot/tee.bin
           opensbi-path =
             default-dt = zynqmp-zcu100-revC
               scp-path =
      rockchip-tpl-path =
            spl-bss-pad =
            tpl-bss-pad = 1
                spl-dtb = y
                tpl-dtb =
      pre-load-key-path =
Processing entry args done
Node '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb': Packing: offset=None, size=None, content_size=240d8
Node '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb': - packed: offset=0x0, size=0x240d8, content_size=0x240d8, next_offset=240d8
Node '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb': GetData: size 0x240d8
Node '/binman/spl/xilinx-fsbl-auth': GetPaddedDataForEntry: size None
Node '/binman/spl/xilinx-fsbl-auth': GetData: 1 entries, total size 0x240d8
bintool: bootgen -arch zynqmp -image ./bootgen-in.sign.bif -w -o ./boot.spl.xilinx-fsbl-auth.bin


****** Xilinx Bootgen v2022.2.0
  **** Build date : Oct 13 2022-12:22:43
    ** Copyright 1986-2022 Xilinx, Inc. All Rights Reserved.

[WARNING]: Authentication padding scheme will be as per silicon 2.0(ES2) and above. The image generated will NOT work for 1.0(ES1).
           Use '-zynqmpes1' to generate image for 1.0(ES1)

[INFO]   : Bootimage generated successfully


            Node '/binman/spl': GetPaddedDataForEntry: size None
Node '/binman/spl/xilinx-fsbl-auth': Packing: offset=None, size=0x47280, content_size=47280
Node '/binman/spl/xilinx-fsbl-auth': - packed: offset=0x0, size=0x47280, content_size=0x47280, next_offset=47280
Node '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb': GetData: size 0x240d8
Node '/binman/spl/xilinx-fsbl-auth': GetPaddedDataForEntry: size 0x47280
Node '/binman/spl/xilinx-fsbl-auth': GetData: 1 entries, total size 0x240d8
bintool: bootgen -arch zynqmp -image ./bootgen-in.sign.bif -w -o ./boot.spl.xilinx-fsbl-auth.bin


****** Xilinx Bootgen v2022.2.0
  **** Build date : Oct 13 2022-12:22:43
    ** Copyright 1986-2022 Xilinx, Inc. All Rights Reserved.

[WARNING]: Authentication padding scheme will be as per silicon 2.0(ES2) and above. The image generated will NOT work for 1.0(ES1).
           Use '-zynqmpes1' to generate image for 1.0(ES1)

[INFO]   : Bootimage generated successfully


            Node '/binman/spl': GetPaddedDataForEntry: size None
            Node '/binman/spl': GetData: 1 entries, total size 0x47280
            Node '/binman/spl': GetPaddedDataForEntry: size 0x47280
Node '/binman/spl': Packing: offset=None, size=0x47280, content_size=47280
Node '/binman/spl': - packed: offset=0x0, size=0x47280, content_size=0x47280, next_offset=47280
File ./u-boot.dtb.out: Update node '/binman/spl' prop 'offset' to 0x0
File ./u-boot.dtb.out: Update node '/binman/spl' prop 'size' to 0x47280
File ./u-boot.dtb.out: Update node '/binman/spl' prop 'image-pos' to 0x0
File ./u-boot.dtb.out: Update node '/binman/spl/xilinx-fsbl-auth' prop 'offset' to 0x0
File ./u-boot.dtb.out: Update node '/binman/spl/xilinx-fsbl-auth' prop 'size' to 0x47280
File ./u-boot.dtb.out: Update node '/binman/spl/xilinx-fsbl-auth' prop 'image-pos' to 0x0
File ./u-boot.dtb.out: Update node '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb' prop 'offset' to 0x0
File ./u-boot.dtb.out: Update node '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb' prop 'size' to 0x240d8
File ./u-boot.dtb.out: Update node '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb' prop 'image-pos' to 0x0
Section '/binman/spl': Symbol '_binman_sym_magic'
   in entry '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb':
   insert _binman_sym_magic, offset 22f80, value 4d595342, length 8
binman: Section '/binman/spl': Symbol '_binman_u_boot_any_prop_image_pos'
in entry '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb': Entry 'u-boot-any' not found in list (u-boot-spl-nodtb,xilinx-fsbl-auth,spl)

Traceback (most recent call last):
File "/home/monstr/data/disk/u-boot/./tools/binman/binman", line 134, in RunBinman
    ret_code = control.Binman(args)
  File "/home/monstr/data/disk/u-boot/tools/binman/control.py", line 787, in Binman
    invalid |= ProcessImage(image, args.update_fdt, args.map,
File "/home/monstr/data/disk/u-boot/tools/binman/control.py", line 616, in ProcessImage
    image.WriteSymbols()
File "/home/monstr/data/disk/u-boot/tools/binman/image.py", line 172, in WriteSymbols
    super().WriteSymbols(self)
File "/home/monstr/data/disk/u-boot/tools/binman/etype/section.py", line 499, in WriteSymbols
    entry.WriteSymbols(self)
File "/home/monstr/data/disk/u-boot/tools/binman/etype/section.py", line 499, in WriteSymbols
    entry.WriteSymbols(self)
File "/home/monstr/data/disk/u-boot/tools/binman/entry.py", line 701, in WriteSymbols
    elf.LookupAndWriteSymbols(self.elf_fname, self, section.GetImage(),
File "/home/monstr/data/disk/u-boot/tools/binman/elf.py", line 298, in LookupAndWriteSymbols
    value = section.GetImage().LookupImageSymbol(name, sym.weak,
File "/home/monstr/data/disk/u-boot/tools/binman/image.py", line 404, in LookupImageSymbol
    return self.LookupSymbol(sym_name, optional, msg, base_addr,
File "/home/monstr/data/disk/u-boot/tools/binman/etype/section.py", line 650, in LookupSymbol
    raise ValueError(err)
ValueError: Section '/binman/spl': Symbol '_binman_u_boot_any_prop_image_pos'
in entry '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb': Entry 'u-boot-any' not found in list (u-boot-spl-nodtb,xilinx-fsbl-auth,spl)
make: *** [Makefile:1115: .binman_stamp] Error 1



With u-boot-spl-dtb it works fine.

Anyway, I am kind of curious whether that support can be generalized so that a bif can be generated for other configurations too. That means with

                xilinx-bootgen {
                        pmufw-filename = "/mnt/disk/u-boot-bins/zynqmp/zynqmp-zcu102-revA/pmufw.elf";

                        u-boot-spl-dtb {
                        };
                };

you will get a boot.bin with the images you defined.


And regarding the name "xilinx-fsbl-auth": that authentication is done by the bootrom, not by the FSBL, which is why you should maybe consider renaming it. And as you wrote
"arch (str): Xilinx SoC architecture. Currently only 'zynqmp' is supported."
then I expect that in the future this can be extended to other SoCs which don't have an FSBL, unless you use it as a generic name for the first stage bootloader.

That's why I would say xilinx-bootgen would maybe be a better name, even if it has the tool name in it.

Thanks,
Michal
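
The lookup failure reported in the log above, modelled as an added example (not binman's code and not part of the original message): the symbol name `_binman_u_boot_any_prop_image_pos` is decoded into an entry name and a property, and the entry is then searched for among the entries of the image. The suffix list accepted for `-any`, the `optional` flag and the extra `u-boot` entry are assumptions made for illustration.

```python
import re

# Naming seen in the error above: _binman_<entry>_prop_<property>,
# with '_' standing in for '-' in entry and property names.
SYM_RE = re.compile(r"^_binman_(\w+)_prop_(\w+)$")
# Assumption for this model: '<root>-any' accepts these variants of <root>.
ANY_SUFFIXES = ("", "-elf", "-img", "-nodtb")


def decode_symbol(sym_name):
    """Split a symbol into (entry name, property); None if it has no _prop_ part."""
    m = SYM_RE.match(sym_name)
    if m is None:
        return None
    return tuple(part.replace("_", "-") for part in m.groups())


def resolve(sym_name, entries, optional=False):
    """Return the property value the symbol refers to, searching `entries`."""
    decoded = decode_symbol(sym_name)
    if decoded is None:
        return None
    entry_name, prop = decoded
    props = entries.get(entry_name)
    if props is None and entry_name.endswith("-any"):
        root = entry_name[: -len("-any")]
        for name, candidate in entries.items():
            if name.startswith(root) and name[len(root):] in ANY_SUFFIXES:
                props = candidate
                break
    if props is None:
        if optional:  # hypothetical flag: a missing entry is tolerated
            return None
        raise ValueError(
            f"Entry '{entry_name}' not found in list ({','.join(entries)})")
    return props[prop]


# Entries and values taken from the log above.
REPORTED = {
    "u-boot-spl-nodtb": {"image-pos": 0x0, "size": 0x240D8},
    "xilinx-fsbl-auth": {"image-pos": 0x0, "size": 0x47280},
    "spl": {"image-pos": 0x0, "size": 0x47280},
}
# Constructed: the same image with a hypothetical 'u-boot' entry after the SPL.
WITH_U_BOOT = {**REPORTED, "u-boot": {"image-pos": 0x47280, "size": 0x1000}}

if __name__ == "__main__":
    print(hex(resolve("_binman_u_boot_any_prop_image_pos", WITH_U_BOOT)))
```

In this model `u-boot-spl-nodtb` does not satisfy `u-boot-any`, because the remainder `-spl-nodtb` is not one of the accepted suffixes, so the image described in the message has nothing for the symbol to resolve to.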


