From: Madan Srinivas madans@ti.com
Modify the SPL build procedure for AM437x high-security (HS) device variants to create a secure u-boot_HS.img FIT blob that contains U-Boot and DTB artifacts signed (and optionally encrypted) with a TI-specific process based on the CONFIG_TI_SECURE_DEVICE config option and the externally-provided image signing tool.
Also populate the corresponding FIT image post processing call to be performed during SPL runtime.
Signed-off-by: Madan Srinivas madans@ti.com Signed-off-by: Andreas Dannenberg dannenberg@ti.com Reviewed-by: Tom Rini trini@konsulko.com --- arch/arm/cpu/armv7/am33xx/config.mk | 1 + board/ti/am43xx/board.c | 8 ++++++++ configs/am43xx_hs_evm_defconfig | 1 + 3 files changed, 10 insertions(+)
diff --git a/arch/arm/cpu/armv7/am33xx/config.mk b/arch/arm/cpu/armv7/am33xx/config.mk index 6d95d32..ab94708 100644 --- a/arch/arm/cpu/armv7/am33xx/config.mk +++ b/arch/arm/cpu/armv7/am33xx/config.mk @@ -26,6 +26,7 @@ endif else ifeq ($(CONFIG_TI_SECURE_DEVICE),y) ALL-$(CONFIG_QSPI_BOOT) += u-boot_HS_XIP_X-LOADER +ALL-y += u-boot_HS.img endif ALL-y += u-boot.img endif diff --git a/board/ti/am43xx/board.c b/board/ti/am43xx/board.c index f005762..27c311e 100644 --- a/board/ti/am43xx/board.c +++ b/board/ti/am43xx/board.c @@ -13,6 +13,7 @@ #include <asm/errno.h> #include <spl.h> #include <usb.h> +#include <asm/omap_sec_common.h> #include <asm/arch/clock.h> #include <asm/arch/sys_proto.h> #include <asm/arch/mux.h> @@ -862,3 +863,10 @@ int board_fit_config_name_match(const char *name) return -1; } #endif + +#ifdef CONFIG_TI_SECURE_DEVICE +void board_fit_image_post_process(void **p_image, size_t *p_size) +{ + secure_boot_verify_image(p_image, p_size); +} +#endif diff --git a/configs/am43xx_hs_evm_defconfig b/configs/am43xx_hs_evm_defconfig index 4856a19..68dfb6c 100644 --- a/configs/am43xx_hs_evm_defconfig +++ b/configs/am43xx_hs_evm_defconfig @@ -13,6 +13,7 @@ CONFIG_SPL_STACK_R=y CONFIG_FIT=y CONFIG_SYS_EXTRA_OPTIONS="CONS_INDEX=1, NAND" CONFIG_SPL_LOAD_FIT=y +CONFIG_SPL_FIT_IMAGE_POST_PROCESS=y CONFIG_HUSH_PARSER=y CONFIG_CMD_BOOTZ=y # CONFIG_CMD_IMLS is not set