
Hi Siew Chin,
On Thu, 7 Jan 2021 at 22:19, Lim, Elly Siew Chin elly.siew.chin.lim@intel.com wrote:
Hi Simon,
-----Original Message-----
From: Simon Glass sjg@chromium.org
Sent: Friday, January 8, 2021 11:24 AM
To: Lim, Elly Siew Chin elly.siew.chin.lim@intel.com
Cc: U-Boot Mailing List u-boot@lists.denx.de; Marek Vasut marex@denx.de; Tan, Ley Foon ley.foon.tan@intel.com; See, Chin Liang chin.liang.see@intel.com; Simon Goldschmidt simon.k.r.goldschmidt@gmail.com; Chee, Tien Fong tien.fong.chee@intel.com; Westergreen, Dalon dalon.westergreen@intel.com; Gan, Yau Wai yau.wai.gan@intel.com
Subject: Re: [v2 4/6] arm: socfpga: dts: soc64: Update filename in binman node of FIT image with VAB support
Hi Siew Elly,
On Thu, 7 Jan 2021 at 17:57, Lim, Elly Siew Chin elly.siew.chin.lim@intel.com wrote:
Hi Simon,
-----Original Message-----
From: Simon Glass sjg@chromium.org
Sent: Friday, January 8, 2021 12:22 AM
To: Lim, Elly Siew Chin elly.siew.chin.lim@intel.com
Cc: U-Boot Mailing List u-boot@lists.denx.de; Marek Vasut marex@denx.de; Tan, Ley Foon ley.foon.tan@intel.com; See, Chin Liang chin.liang.see@intel.com; Simon Goldschmidt simon.k.r.goldschmidt@gmail.com; Chee, Tien Fong tien.fong.chee@intel.com; Westergreen, Dalon dalon.westergreen@intel.com; Gan, Yau Wai yau.wai.gan@intel.com
Subject: Re: [v2 4/6] arm: socfpga: dts: soc64: Update filename in binman node of FIT image with VAB support
Hi Siew Chin,
On Thu, 7 Jan 2021 at 07:13, Lim, Elly Siew Chin elly.siew.chin.lim@intel.com wrote:
Hi Simon,
-----Original Message-----
From: Simon Glass sjg@chromium.org
Sent: Thursday, January 7, 2021 8:37 PM
To: Lim, Elly Siew Chin elly.siew.chin.lim@intel.com
Cc: U-Boot Mailing List u-boot@lists.denx.de; Marek Vasut marex@denx.de; Tan, Ley Foon ley.foon.tan@intel.com; See, Chin Liang chin.liang.see@intel.com; Simon Goldschmidt simon.k.r.goldschmidt@gmail.com; Chee, Tien Fong tien.fong.chee@intel.com; Westergreen, Dalon dalon.westergreen@intel.com; Gan, Yau Wai yau.wai.gan@intel.com
Subject: Re: [v2 4/6] arm: socfpga: dts: soc64: Update filename in binman node of FIT image with VAB support
On Thu, 7 Jan 2021 at 03:03, Siew Chin Lim elly.siew.chin.lim@intel.com wrote:
> FIT image of Vendor Authentication Boot (VAB) contains signed images.
>
> Signed-off-by: Siew Chin Lim elly.siew.chin.lim@intel.com
> ---
> arch/arm/dts/socfpga_soc64_fit-u-boot.dtsi | 22 ++++++++++++++++++++++
> 1 file changed, 22 insertions(+)
I'm not quite sure what is happening here, but consider using two separate files rather than what looks like a patch over an existing one.
There are two boot flows that will use binman (socfpga_soc64_fit-u-boot.dtsi) to generate u-boot.fit and kernel.fit:
1. socfpga_agilex_atf_defconfig (boot via ATF)
2. socfpga_agilex_vab_defconfig (boot via ATF with VAB enabled, support authentication on bl31, u-boot, Linux images)
The binman node settings are the same for both flows. With VAB enabled, all input files need to be signed before generating the FIT image. We would like to use a different input file name to remind users that they need to sign all bl31, u-boot and Linux images when using binman to generate the FIT image.
Because the binman node settings are identical and only the file name needs to be different, we prefer to share the same socfpga_soc64_fit-u-boot.dtsi for both flows.
Reviewed-by: Simon Glass sjg@chromium.org
OK I see.
Who does the signing of the inputs? Is that something binman could/should do?
In our case, we will provide users with Intel proprietary tools to sign the image, and we have our signature format.
Users need to follow the steps and sign the images, and call binman to convert them into a FIT image.
I think maybe it is not suitable to incorporate any external proprietary tools into binman.
Possibly, although we already have quite a few. Is the tool secret or can it be downloaded from somewhere? If the latter, see how cbfstool is handled.
It is licensed software.
I suggest releasing an open-source, command-line tool as has happened with various other Intel innovations. It is hard for people to include private binary tools in their automated build flow. If it is required to actually boot on the device, then it will be hard for people to incorporate the hardware in test labs.
Regards, Simon