
Hi again,
On Sat, 22 Jul 2023 at 21:48, Simon Glass <sjg@chromium.org> wrote:
Hi Michal,
On Fri, 21 Jul 2023 at 08:41, Michal Simek <michal.simek@amd.com> wrote:
On 7/18/23 13:53, lukas.funke-oss@weidmueller.com wrote:
From: Lukas Funke <lukas.funke@weidmueller.com>
This series adds two etypes to create a verified boot chain for Xilinx ZynqMP devices. The first etype 'xilinx-fsbl-auth' is used to create a bootable, signed image for ZynqMP boards using the Xilinx Bootgen tool. The second etype 'u-boot-spl-pubkey-dtb' is used to add a '/signature' node to the SPL. The public key in the signature is read from a certificate file and added using the 'fdt_add_pubkey' tool. The series also contains the corresponding btool for calling 'bootgen' and 'fdt_add_pubkey'.
The following block shows an example of how to use this functionality:
	spl {
		filename = "boot.signed.bin";

		xilinx-fsbl-auth {
			psk-key-name-hint = "psk0";
			ssk-key-name-hint = "ssk0";
			auth-params = "ppk_select=0", "spk_id=0x00000000";

			u-boot-spl-nodtb {
			};
			u-boot-spl-pubkey-dtb {
				algo = "sha384,rsa4096";
				required = "conf";
				key-name-hint = "dev";
			};
		};
	};
I was looking at binman a couple of times in the past but never had time to do any development with it. Maybe it is a good opportunity to look at it now with this series. Is there a way to see more verbose output?
https://u-boot.readthedocs.io/en/latest/develop/package/binman.html#logging
I expect that keys should be generated as described here.
https://docs.xilinx.com/r/en-US/ug1283-bootgen-user-guide/Key-Generation?toc...
Anyway I tried to use u-boot-spl-nodtb like this.
	&binman {
		spl {
			filename = "boot.signed.bin";

			xilinx-fsbl-auth {
				psk-key-name-hint = "/tmp/ddd/psk0";
				ssk-key-name-hint = "/tmp/ddd/ssk0";
				auth-params = "ppk_select=0", "spk_id=0x00000000";
				pmufw-filename = "/mnt/disk/u-boot-bins/zynqmp/zynqmp-zcu102-revA/pmufw.elf";

				u-boot-spl-nodtb {
				};
			};
		};
	};
but getting error

  BINMAN  .binman_stamp
Using input directories ['.', '.', './board/xilinx/zynqmp', 'arch/arm/dts']
Using output directory '.'
Processing entry args:
   of-list = avnet-ultra96-rev1 zynqmp-a2197-revA zynqmp-e-a2197-00-revA zynqmp-g-a2197-00-revA zynqmp-m-a2197-01-revA zynqmp-m-a2197-02-revA zynqmp-m-a2197-03-revA zynqmp-p-a2197-00-revA zynqmp-zc1232-revA zynqmp-zc1254-revA zynqmp-zc1751-xm015-dc1 zynqmp-zc1751-xm016-dc2 zynqmp-zc1751-xm017-dc3 zynqmp-zc1751-xm018-dc4 zynqmp-zc1751-xm019-dc5 zynqmp-zcu100-revC zynqmp-zcu102-rev1.1 zynqmp-zcu102-rev1.0 zynqmp-zcu102-revA zynqmp-zcu102-revB zynqmp-zcu104-revA zynqmp-zcu104-revC zynqmp-zcu106-revA zynqmp-zcu106-rev1.0 zynqmp-zcu111-revA zynqmp-zcu1275-revA zynqmp-zcu1275-revB zynqmp-zcu1285-revA zynqmp-zcu208-revA zynqmp-zcu216-revA zynqmp-topic-miamimp-xilinx-xdp-v1r1 zynqmp-sm-k26-revA zynqmp-smk-k26-revA zynqmp-dlc21-revA
   atf-bl31-path = /tftpboot/bl31.bin
   tee-os-path = /tftpboot/tee.bin
   opensbi-path =
   default-dt = zynqmp-zcu100-revC
   scp-path =
   rockchip-tpl-path =
   spl-bss-pad =
   tpl-bss-pad = 1
   spl-dtb = y
   tpl-dtb =
   pre-load-key-path =
Processing entry args done
Node '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb': Packing: offset=None, size=None, content_size=240d8
Node '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb': - packed: offset=0x0, size=0x240d8, content_size=0x240d8, next_offset=240d8
Node '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb': GetData: size 0x240d8
Node '/binman/spl/xilinx-fsbl-auth': GetPaddedDataForEntry: size None
Node '/binman/spl/xilinx-fsbl-auth': GetData: 1 entries, total size 0x240d8
bintool: bootgen -arch zynqmp -image ./bootgen-in.sign.bif -w -o ./boot.spl.xilinx-fsbl-auth.bin

****** Xilinx Bootgen v2022.2.0
  **** Build date : Oct 13 2022-12:22:43
    ** Copyright 1986-2022 Xilinx, Inc. All Rights Reserved.
[WARNING]: Authentication padding scheme will be as per silicon 2.0(ES2) and above. The image generated will NOT work for 1.0(ES1). Use '-zynqmpes1' to generate image for 1.0(ES1)
[INFO] : Bootimage generated successfully
BTW tools are not allowed to generate output normally, so this will need to be suppressed somehow by the binman btool.
Actually this happens automatically. I think the above was due to verbose being on.
I applied what patches I could from this series, so please rebase to master (or dm/master if before the PR is applied), and resend.
Regards,
Simon