
Hi,
On Tue, 18 Jul 2023 at 05:53, lukas.funke-oss@weidmueller.com wrote:
From: Lukas Funke <lukas.funke@weidmueller.com>
This series adds two etypes to create a verified boot chain for Xilinx ZynqMP devices. The first etype 'xilinx-fsbl-auth' is used to create a bootable, signed image for ZynqMP boards using the Xilinx Bootgen tool. The second etype 'u-boot-spl-pubkey-dtb' is used to add a '/signature' node to the SPL. The public key in the signature is read from a certificate file and added using the 'fdt_add_pubkey' tool. The series also contains the corresponding btool for calling 'bootgen' and 'fdt_add_pubkey'.
The following block shows an example of how to use this functionality:

    spl {
        filename = "boot.signed.bin";

        xilinx-fsbl-auth {
            psk-key-name-hint = "psk0";
            ssk-key-name-hint = "ssk0";
            auth-params = "ppk_select=0", "spk_id=0x00000000";

            u-boot-spl-nodtb {
            };
            u-boot-spl-pubkey-dtb {
                algo = "sha384,rsa4096";
                required = "conf";
                key-name-hint = "dev";
            };
        };
    };

Changes in v3:
- Improved test coverage regarding missing libelf
- Align error message
- Fix rst headline length
- Add newline before main
- Adapted test due to property renaming
- Fixed minor python doc typo in u-boot-spl-pubkey-dtb etype
- Renamed key property from 'key-name' to 'key-name-hint'
- Fixed an issue where the build result was not found
- Fixed an issue where the version string was not reported correctly
- Improved test coverage for xilinx-fsbl-auth etype
- Changed etype from entry to section
- Changed property name "psk-filename" to "psk-key-name-hint"
- Changed property name "ssk-filename" to "ssk-key-name-hint"
- Decode spl elf file instead of reading start symbol
- Improved test coverage
- Improved documentation
Changes in v2:
- Changed u_boot_spl_pubkey_dtb to u-boot-spl-pubkey-dtb
- Improved rst/python documentation
- Changed u_boot_spl_pubkey_dtb to u-boot-spl-pubkey-dtb in example
- Pass additional 'keysrc_enc' parameter to Bootgen
- Added more information and terms to documentation
- Fixed typo in dts name
- Add 'keysrc-enc' property to pass down to Bootgen
- Improved documentation
- Use predictable output names for intermediate results

Lukas Funke (11):
  binman: elf: Check for ELF_TOOLS availability and remove extra semicolon
  binman: Don't decompress data while signing
  binman: blob_dtb: Add fake_size argument to ObtainContents()
  binman: doc: Add documentation for fdt_add_pubkey bintool
  binman: ftest: Add test for u_boot_spl_pubkey_dtb
  binman: btool: Add fdt_add_pubkey as btool
  binman: etype: Add u-boot-spl-pubkey-dtb etype
  binman: doc: Add documentation for Xilinx Bootgen bintool
  binman: btool: Add Xilinx Bootgen btool
  binman: ftest: Add test for xilinx_fsbl_auth etype
  binman: etype: Add xilinx_fsbl_auth etype

 tools/binman/bintools.rst                    |  22 ++
 tools/binman/btool/bootgen.py                | 136 +++++++++++
 tools/binman/btool/fdt_add_pubkey.py         |  67 ++++++
 tools/binman/control.py                      |   2 +-
 tools/binman/elf.py                          |  14 +-
 tools/binman/elf_test.py                     |  11 +
 tools/binman/entries.rst                     | 110 +++++++++
 tools/binman/etype/blob_dtb.py               |   2 +-
 tools/binman/etype/u_boot_spl_pubkey_dtb.py  | 109 +++++++++
 tools/binman/etype/xilinx_fsbl_auth.py       | 221 ++++++++++++++++++
 tools/binman/ftest.py                        |  94 ++++++++
 tools/binman/test/280_xilinx_fsbl_auth.dts   |  21 ++
 .../binman/test/280_xilinx_fsbl_auth_enc.dts |  23 ++
 tools/binman/test/281_spl_pubkey_dtb.dts     |  16 ++
 14 files changed, 839 insertions(+), 9 deletions(-)
 create mode 100644 tools/binman/btool/bootgen.py
 create mode 100644 tools/binman/btool/fdt_add_pubkey.py
 create mode 100644 tools/binman/etype/u_boot_spl_pubkey_dtb.py
 create mode 100644 tools/binman/etype/xilinx_fsbl_auth.py
 create mode 100644 tools/binman/test/280_xilinx_fsbl_auth.dts
 create mode 100644 tools/binman/test/280_xilinx_fsbl_auth_enc.dts
 create mode 100644 tools/binman/test/281_spl_pubkey_dtb.dts

-- 2.30.2
With this I get test failures:

======================================================================
ERROR: binman.ftest.TestFunctional.testXilinxFsblAuthAndEncryption (subunit.RemotedTestCase)
binman.ftest.TestFunctional.testXilinxFsblAuthAndEncryption
----------------------------------------------------------------------
testtools.testresult.real._StringException: Traceback (most recent call last):
  File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/ftest.py", line 6932, in testXilinxFsblAuthAndEncryption
    self._DoReadFileRealDtb('280_xilinx_fsbl_auth_enc.dts')
  File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/ftest.py", line 561, in _DoReadFileRealDtb
    return self._DoReadFileDtb(fname, use_real_dtb=True, update_dtb=True)[0]
  File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/ftest.py", line 528, in _DoReadFileDtb
    retcode = self._DoTestFile(fname, map=map, update_dtb=update_dtb,
  File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/ftest.py", line 427, in _DoTestFile
    return self._DoBinman(*args)
  File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/ftest.py", line 343, in _DoBinman
    return control.Binman(args)
  File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/control.py", line 815, in Binman
    invalid |= ProcessImage(image, args.update_fdt, args.map,
  File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/control.py", line 632, in ProcessImage
    image.PackEntries()
  File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/image.py", line 154, in PackEntries
    super().Pack(0)
  File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/etype/section.py", line 433, in Pack
    self._PackEntries()
  File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/etype/section.py", line 454, in _PackEntries
    offset = entry.Pack(offset)
  File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/etype/section.py", line 441, in Pack
    data = self.BuildSectionData(True)
  File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/etype/xilinx_fsbl_auth.py", line 213, in BuildSectionData
    data = tools.read_file(bootbin_fname)
  File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/u_boot_pylib/tools.py", line 467, in read_file
    with open(filename(fname), binary and 'rb' or 'r') as fd:
FileNotFoundError: [Errno 2] No such file or directory: '/tmp/binman.q0wccwnl/boot.xilinx-fsbl-auth.bin'

======================================================================
ERROR: binman.ftest.TestFunctional.testXilinxFsblAuth (subunit.RemotedTestCase)
binman.ftest.TestFunctional.testXilinxFsblAuth
----------------------------------------------------------------------
testtools.testresult.real._StringException: Traceback (most recent call last):
  File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/ftest.py", line 6904, in testXilinxFsblAuth
    self._DoReadFileRealDtb('280_xilinx_fsbl_auth.dts')
  File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/ftest.py", line 561, in _DoReadFileRealDtb
    return self._DoReadFileDtb(fname, use_real_dtb=True, update_dtb=True)[0]
  File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/ftest.py", line 528, in _DoReadFileDtb
    retcode = self._DoTestFile(fname, map=map, update_dtb=update_dtb,
  File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/ftest.py", line 427, in _DoTestFile
    return self._DoBinman(*args)
  File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/ftest.py", line 343, in _DoBinman
    return control.Binman(args)
  File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/control.py", line 815, in Binman
    invalid |= ProcessImage(image, args.update_fdt, args.map,
  File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/control.py", line 632, in ProcessImage
    image.PackEntries()
  File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/image.py", line 154, in PackEntries
    super().Pack(0)
  File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/etype/section.py", line 433, in Pack
    self._PackEntries()
  File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/etype/section.py", line 454, in _PackEntries
    offset = entry.Pack(offset)
  File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/etype/section.py", line 441, in Pack
    data = self.BuildSectionData(True)
  File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/etype/xilinx_fsbl_auth.py", line 213, in BuildSectionData
    data = tools.read_file(bootbin_fname)
  File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/u_boot_pylib/tools.py", line 467, in read_file
    with open(filename(fname), binary and 'rb' or 'r') as fd:
FileNotFoundError: [Errno 2] No such file or directory: '/tmp/binman.k7fg_p9o/boot.xilinx-fsbl-auth.bin'

======================================================================
FAIL: binman.ftest.TestFunctional.testSymbolsElfBad (subunit.RemotedTestCase)
binman.ftest.TestFunctional.testSymbolsElfBad
----------------------------------------------------------------------
testtools.testresult.real._StringException: Traceback (most recent call last):
  File "/scratch/sglass/cosarm/src/third_party/u-boot/files/tools/binman/ftest.py", line 6242, in testSymbolsElfBad
    self.assertIn(
  File "/usr/lib/python3.10/unittest/case.py", line 1112, in assertIn
    self.fail(self._formatMessage(msg, standardMsg))
  File "/usr/lib/python3.10/unittest/case.py", line 675, in fail
    raise self.failureException(msg)
AssertionError: "Section '/binman': entry '/binman/u-boot-spl-elf': Cannot write symbols to an ELF file without Python elftools" not found in "Python: No module named 'elftools'"

Regards, Simon