Re: [PATCH v3 09/11] binman: btool: Add Xilinx Bootgen btool

On 7/18/23 13:53, lukas.funke-oss@weidmueller.com wrote:

From: Lukas Funke lukas.funke@weidmueller.com

Add the Xilinx Bootgen as bintool. Xilinx Bootgen is used to create bootable SPL (FSBL in Xilinx terms) images for Zynq/ZynqMP devices. The btool creates a signed version of the SPL. Additionally to signing the key source for the decryption engine can be passend to the boot image.

Signed-off-by: Lukas Funke lukas.funke@weidmueller.com

---

Changes in v3:

• Fixed an issue where the build result was not found
• Fixed an issue where the version string was not reported correctly

Changes in v2:

• Pass additional 'keysrc_enc' parameter to Bootgen

• Added more information and terms to documentation

  tools/binman/bintools.rst | 2 +- tools/binman/btool/bootgen.py | 136 ++++++++++++++++++++++++++++++++++ 2 files changed, 137 insertions(+), 1 deletion(-) create mode 100644 tools/binman/btool/bootgen.py

diff --git a/tools/binman/bintools.rst b/tools/binman/bintools.rst index c6c9a88c21..8f58aaebf7 100644 --- a/tools/binman/bintools.rst +++ b/tools/binman/bintools.rst @@ -197,7 +197,7 @@ Using `fdt_add_pubkey` the key can be injected to the SPL independent of

Bintool: bootgen: Sign ZynqMP FSBL image

+----------------------------------------

This bintool supports running `bootgen` in order to sign a SPL for ZynqMP devices. diff --git a/tools/binman/btool/bootgen.py b/tools/binman/btool/bootgen.py new file mode 100644 index 0000000000..83bbe124dc --- /dev/null +++ b/tools/binman/btool/bootgen.py @@ -0,0 +1,136 @@ +# SPDX-License-Identifier: GPL-2.0+ +# Copyright (C) 2023 Weidmüller Interface GmbH & Co. KG +# Lukas Funke lukas.funke@weidmueller.com +# +"""Bintool implementation for bootgen

+bootgen allows creating bootable SPL for Zynq(MP)

+Documentation is available via:: +https://www.xilinx.com/support/documents/sw_manuals/xilinx2022_1/ug1283-boot...

+Source code is available at:

+https://github.com/Xilinx/bootgen

+""" +import tempfile

+from binman import bintool +from u_boot_pylib import tools

+# pylint: disable=C0103 +class Bintoolbootgen(bintool.Bintool):

• """Generate bootable fsbl image for zynq/zynqmp
• This bintools supports running Xilinx "bootgen" in order
• to generate a bootable, authenticated image form an SPL.
• """
• def __init__(self, name):

•    super().__init__(name, 'Xilinx Bootgen',
  

•                     version_regex=r'^\*\*\*\*\*\* *Xilinx Bootgen *(.*)',
  

•                     version_args='-help')
  

• # pylint: disable=R0913
• def sign(self, arch, spl_elf_fname, pmufw_elf_fname,

•         psk_fname, ssk_fname, fsbl_config, auth_params, keysrc_enc,
  

•         output_fname):
  

•    """ Sign SPL elf file and bundle it PMU firmware into an image
  

•    The method bundels the SPL together with a 'Platform Management Unit'
  

•    (PMU)[1] firmware into a single bootable image. The image in turn is
  

•    signed with the provided 'secondary secret key' (ssk), which in turn is
  

•    signed with the 'primary secret key' (ppk). In order to verify the
  

•    authenticity of the ppk, it's hash has to be fused into the device
  

•    itself.
  

•    In Xilinx terms the SPL is usually called 'FSBL'
  

•    (First Stage Boot Loder). The jobs of the SPL and the FSBL are mostly
  

•    the same: load bitstream, bootstrap u-boot.
  

•    Args:
  

•        arch (str): Xilinx SoC architecture. Currently only 'zynqmp' is
  

•            supported.
  

•        spl_elf_fname (str): Filename of SPL ELF file. The filename must end
  

•            with '.elf' in order for bootgen to recognized it as an ELF
  

•            file. Otherwise the start address field is missinterpreted.
  

•        pmufw_elf_fname (str): Filename PMU ELF firmware.
  

•        psk_fname (str): Filename of the primary secret key (psk). The psk
  

•            is a .pem file which holds the RSA private key used for signing
  

•            the secondardy secret key.
  

typo

•        ssk_fname (str): Filename of the secondary secret key. The ssk
  

•            is a .pem file which holds the RSA private key used for signing
  

•            the aktual boot firmware.
  

actual

•        fsbl_config (str): FSBL config options. A string list of fsbl config
  

•            options. Valid values according to [2] are:
  

•            "bh_auth_enable": Boot Header Authentication Enable: RSA
  

•                authentication of the bootimage is done
  

•                excluding the verification of PPK hash and SPK ID. This is
  

•                useful for debugging before bricking a device.
  

•            "auth_only": Boot image is only RSA signed. FSBL should not be
  

•                decrypted. See the
  

•                Zynq UltraScale+ Device Technical Reference Manual (UG1085)
  

•                for more information.
  

•            There are more options which relate to PUF (physical unclonable
  

•            functions). Please refer to Xilinx manuals for fruther info.
  

•        auth_params (str): Authentication parameter. A semicolon separated
  

•            list of authentication parameters. Valid values according to [3]
  

•            are:
  

•            "ppk_select=<0|1>" - Select which ppk to use
  

•            "spk_id=<32-bit spk id>" - Specifies which SPK can be
  

•                used or revoked, default is 0x0
  

•            "spk_select=<spk-efuse/user-efuse>" - To differentiate spk and
  

•                user efuses.
  

•            "auth_header" - To authenticate headers when no partition
  

•                is authenticated.
  

•        keysrc_enc (str): This specifies the Key source for encryption.
  

•            Valid values according to [3] are:
  

•            "bbram_red_key" - RED key stored in BBRAM
  

•            "efuse_red_key" - RED key stored in efuse
  

eFUSE to be aligned with description below.

•            "efuse_gry_key" - Grey (Obfuscated) Key stored in eFUSE.
  

•            "bh_gry_key" - Grey (Obfuscated) Key stored in boot header.
  

•            "bh_blk_key" - Black Key stored in boot header.
  

•            "efuse_blk_key" - Black Key stored in eFUSE.
  

•            "kup_key" - User Key.
  

•        output_fname (str): Filename where bootgen should write the result
  

•    [1] https://xilinx-wiki.atlassian.net/wiki/spaces/A/pages/18841724/PMU+Firmware
  

•    [2] https://docs.xilinx.com/r/en-US/ug1283-bootgen-user-guide/fsbl_config
  

•    [3] https://docs.xilinx.com/r/en-US/ug1283-bootgen-user-guide/auth_params
  

•    [4] https://docs.xilinx.com/r/en-US/ug1283-bootgen-user-guide/keysrc_encryption
  

•    """
  

•    _fsbl_config = f"[fsbl_config] {fsbl_config}" if fsbl_config else ""
  

•    _auth_params = f"[auth_params] {auth_params}" if auth_params else ""
  

•    _keysrc_enc  = f"[keysrc_encryption] {keysrc_enc}" if keysrc_enc else ""
  

•    bif_template = f"""u_boot_spl_aes_rsa: {{
  

•        [pskfile] {psk_fname}
  

•        [sskfile] {ssk_fname}
  

•        {_keysrc_enc}
  

•        {_fsbl_config}
  

•        {_auth_params}
  

•        [ bootloader,
  

•          authentication = rsa,
  

•          destination_cpu=a53-0] {spl_elf_fname}
  

•        [pmufw_image] {pmufw_elf_fname}
  

•    }}"""
  

•    args = ["-arch", arch]
  

•    bif_fname = tools.get_output_filename('bootgen-in.sign.bif')
  

•    tools.write_file(bif_fname, bif_template, False)
  

•    args += ["-image", bif_fname, '-w', '-o', output_fname]
  

•    self.run_cmd(*args)
  

• def fetch(self, method):

•    """Fetch bootgen from git"""
  

•    if method != bintool.FETCH_BUILD:
  

•        return None
  

•    result = self.build_from_git(
  

•        'https://github.com/Xilinx/bootgen',
  

•        'all',
  

•        'bootgen')
  

•    return result
  

M