Re: [U-Boot] [PATCH 5/7] arm: mach-k3: Add secure device build support

15 Feb 2019

On 2/15/2019 4:25 AM, Andrew F. Davis wrote:
...
On 2/13/19 9:46 PM, Lokesh Vutla wrote:
...
On 14/02/19 12:07 AM, Andrew F. Davis wrote:
...
K3 HS devices require signed binaries for boot, use the SECDEV tools
to sign the boot artifacts during build.
Signed-off-by: Andrew F. Davis afd@ti.com
MAINTAINERS                       |  1 +
 arch/arm/mach-k3/config.mk        | 25 ++++++++++++++++++
 arch/arm/mach-k3/config_secure.mk | 44 +++++++++++++++++++++++++++++++
 tools/k3_fit_atf.sh               |  8 ++++--
 4 files changed, 76 insertions(+), 2 deletions(-)
 create mode 100644 arch/arm/mach-k3/config_secure.mk

diff --git a/MAINTAINERS b/MAINTAINERS
index 18cdca9447..ac6bd8cfca 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -717,6 +717,7 @@ F:	arch/arm/mach-omap2/omap5/sec_entry_cpu1.S
 F:	arch/arm/mach-omap2/sec-common.c
 F:	arch/arm/mach-omap2/config_secure.mk
 F:	arch/arm/mach-k3/security.c
+F:	arch/arm/mach-k3/config_secure.mk
 F:	configs/am335x_hs_evm_defconfig
 F:	configs/am335x_hs_evm_uart_defconfig
 F:	configs/am43xx_hs_evm_defconfig
diff --git a/arch/arm/mach-k3/config.mk b/arch/arm/mach-k3/config.mk
index be00d79fb0..2d8f61f9db 100644
--- a/arch/arm/mach-k3/config.mk
+++ b/arch/arm/mach-k3/config.mk
@@ -36,6 +36,14 @@ cmd_gencert = cat $(srctree)/tools/k3_x509template.txt | sed $(SED_OPTS) > u-boo
 # If external key is not provided, generate key using openssl.
 ifeq ($(CONFIG_SYS_K3_KEY), "")
 KEY=u-boot-spl-eckey.pem
+# On HS use real key or warn if not available
+ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
+ifneq ($(wildcard $(TI_SECURE_DEV_PKG)/keys/custMpk.pem),)
+KEY=$(TI_SECURE_DEV_PKG)/keys/custMpk.pem
+else
+$(warning "WARNING: signing key not found. Random key will NOT work on HS hardware!")
+endif
+endif
 else
 KEY=$(patsubst "%",$(srctree)/%,$(CONFIG_SYS_K3_KEY))
 endif
@@ -65,6 +73,15 @@ ALL-y	+= tiboot3.bin
 endif
ifdef CONFIG_ARM64
+ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
+SPL_ITS := u-boot-spl-k3_HS.its
+$(SPL_ITS): FORCE

IS_HS=1 \
$(srctree)/tools/k3_fit_atf.sh \
$(patsubst %,$(obj)/dts/%.dtb,$(subst ",,$(CONFIG_SPL_OF_LIST))) > $@


+ALL-y	+= tispl.bin_HS
+else
 SPL_ITS := u-boot-spl-k3.its
 $(SPL_ITS): FORCE
   $(srctree)/tools/k3_fit_atf.sh \
@@ -72,7 +89,15 @@ $(SPL_ITS): FORCE
ALL-y	+= tispl.bin
 endif
+endif



+else
+ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
+ALL-y	+= u-boot.img_HS
 else
 ALL-y	+= u-boot.img
 endif
+endif



+include $(srctree)/arch/arm/mach-k3/config_secure.mk
diff --git a/arch/arm/mach-k3/config_secure.mk b/arch/arm/mach-k3/config_secure.mk
new file mode 100644
index 0000000000..6d63c57665
--- /dev/null
+++ b/arch/arm/mach-k3/config_secure.mk
@@ -0,0 +1,44 @@
+# SPDX-License-Identifier: GPL-2.0
+#
+# Copyright (C) 2018 Texas Instruments, Incorporated - http://www.ti.com/
+#	Andrew F. Davis afd@ti.com



+quiet_cmd_k3secureimg = SECURE  $@
+ifneq ($(TI_SECURE_DEV_PKG),)
+ifneq ($(wildcard $(TI_SECURE_DEV_PKG)/scripts/secure-binary-image.sh),)
+cmd_k3secureimg = $(TI_SECURE_DEV_PKG)/scripts/secure-binary-image.sh \

$< $@ \
$(if $(KBUILD_VERBOSE:1=), >/dev/null)

+else
+cmd_k3secureimg = echo "WARNING:" \

"$(TI_SECURE_DEV_PKG)/scripts/secure-binary-image.sh not found." \
"$@ was NOT secured!"; cp $< $@

+endif
+else
+cmd_k3secureimg = echo "WARNING: TI_SECURE_DEV_PKG environment" \

"variable must be defined for TI secure devices." \
"$@ was NOT secured!"; cp $< $@

+endif



+%.dtb_HS: %.dtb FORCE

$(call if_changed,k3secureimg)


+$(obj)/u-boot-spl-nodtb.bin_HS: $(obj)/u-boot-spl-nodtb.bin FORCE

$(call if_changed,k3secureimg)


+tispl.bin_HS: $(obj)/u-boot-spl-nodtb.bin_HS $(patsubst %,$(obj)/dts/%.dtb_HS,$(subst ",,$(CONFIG_SPL_OF_LIST))) $(SPL_ITS) FORCE

$(call if_changed,mkfitimage)


+MKIMAGEFLAGS_u-boot.img_HS = -f auto -A $(ARCH) -T firmware -C none -O u-boot \

-a $(CONFIG_SYS_TEXT_BASE) -e $(CONFIG_SYS_UBOOT_START) \
-n "U-Boot $(UBOOTRELEASE) for $(BOARD) board" -E \
$(patsubst %,-b arch/$(ARCH)/dts/%.dtb_HS,$(subst ",,$(CONFIG_OF_LIST)))

I guess these HS postfixed dtbs will never get cleaned. I see the same issue
with other TI secure devices as well. Can you update the clean rules as well?
tiboot3.bin and tispl.bin also don't seem to be getting cleaned. I tried
Yeah, these should be cleaned as well.
...
adding them to clean-files and CLEAN_FILES, neither worked. Outside of
looks like clean-files is relative to the current directory. You can
update arch/arm/dts/Makefile but it might be very generic.
Tom, any suggestions to clean files in this case?
Thanks and regards,
Lokesh
...
manually deleting them on an appended clean rule I don't know what the
recommended trick is for this.
...
Thanks and regards,
Lokesh
...



+OF_LIST_TARGETS = $(patsubst %,arch/$(ARCH)/dts/%.dtb,$(subst ",,$(CONFIG_OF_LIST)))
+$(OF_LIST_TARGETS): dtbs



+u-boot-nodtb.bin_HS: u-boot-nodtb.bin FORCE

$(call if_changed,k3secureimg)


+u-boot.img_HS: u-boot-nodtb.bin_HS u-boot.img $(patsubst %.dtb,%.dtb_HS,$(OF_LIST_TARGETS)) FORCE

$(call if_changed,mkimage)

diff --git a/tools/k3_fit_atf.sh b/tools/k3_fit_atf.sh
index 430b5ca616..4e9f69c087 100755
--- a/tools/k3_fit_atf.sh
+++ b/tools/k3_fit_atf.sh
@@ -21,6 +21,10 @@ if [ ! -f $TEE ]; then
   TEE=/dev/null
 fi
+if [ ! -z "$IS_HS" ]; then

HS_APPEND=_HS

+fi



cat << __HEADER_EOF
 /dts-v1/;
@@ -51,7 +55,7 @@ cat << __HEADER_EOF
   	};
   	spl {
   		description = "SPL (64-bit)";

	data = /incbin/("spl/u-boot-spl-nodtb.bin");




	data = /incbin/("spl/u-boot-spl-nodtb.bin$HS_APPEND");
type = "standalone";
os = "U-Boot";
arch = "arm64";



@@ -66,7 +70,7 @@ do
   cat << __FDT_IMAGE_EOF
   	$(basename $dtname) {
   		description = "$(basename $dtname .dtb)";

	data = /incbin/("$dtname");




	data = /incbin/("$dtname$HS_APPEND");
type = "flat_dt";
arch = "arm";
compression = "none";





    