
On 7/18/23 13:53, lukas.funke-oss@weidmueller.com wrote:
From: Lukas Funke lukas.funke@weidmueller.com
This series adds two etypes to create a verified boot chain for Xilinx ZynqMP devices. The first etype 'xilinx-fsbl-auth' is used to create a bootable, signed image for ZynqMP boards using the Xilinx Bootgen tool. The second etype 'u-boot-spl-pubkey-dtb' is used to add a '/signature' node to the SPL. The public key in the signature is read from a certificate file and added using the 'fdt_add_pubkey' tool. The series also contains the corresponding btool for calling 'bootgen' and 'fdt_add_pubkey'.
The following block shows an example of how to use this functionality:

spl {
    filename = "boot.signed.bin";
    xilinx-fsbl-auth {
        psk-key-name-hint = "psk0";
        ssk-key-name-hint = "ssk0";
        auth-params = "ppk_select=0", "spk_id=0x00000000";
        u-boot-spl-nodtb {
        };
        u-boot-spl-pubkey-dtb {
            algo = "sha384,rsa4096";
            required = "conf";
            key-name-hint = "dev";
        };
    };
};
I was looking at binman a couple of times in the past but never had time to do any development with it. Maybe it is a good opportunity to look at it now with this series. Is there a way to see more verbose output?
I expect that keys should be generated as is described here.
https://docs.xilinx.com/r/en-US/ug1283-bootgen-user-guide/Key-Generation?toc...
Anyway I tried to use u-boot-spl-nodtb like this.
&binman {
    spl {
        filename = "boot.signed.bin";
        xilinx-fsbl-auth {
            psk-key-name-hint = "/tmp/ddd/psk0";
            ssk-key-name-hint = "/tmp/ddd/ssk0";
            auth-params = "ppk_select=0", "spk_id=0x00000000";
            pmufw-filename = "/mnt/disk/u-boot-bins/zynqmp/zynqmp-zcu102-revA/pmufw.elf";

            u-boot-spl-nodtb {
            };
        };
    };
};
but getting this error:

  BINMAN  .binman_stamp
Using input directories ['.', '.', './board/xilinx/zynqmp', 'arch/arm/dts']
Using output directory '.'
Processing entry args:
  of-list = avnet-ultra96-rev1 zynqmp-a2197-revA zynqmp-e-a2197-00-revA zynqmp-g-a2197-00-revA zynqmp-m-a2197-01-revA zynqmp-m-a2197-02-revA zynqmp-m-a2197-03-revA zynqmp-p-a2197-00-revA zynqmp-zc1232-revA zynqmp-zc1254-revA zynqmp-zc1751-xm015-dc1 zynqmp-zc1751-xm016-dc2 zynqmp-zc1751-xm017-dc3 zynqmp-zc1751-xm018-dc4 zynqmp-zc1751-xm019-dc5 zynqmp-zcu100-revC zynqmp-zcu102-rev1.1 zynqmp-zcu102-rev1.0 zynqmp-zcu102-revA zynqmp-zcu102-revB zynqmp-zcu104-revA zynqmp-zcu104-revC zynqmp-zcu106-revA zynqmp-zcu106-rev1.0 zynqmp-zcu111-revA zynqmp-zcu1275-revA zynqmp-zcu1275-revB zynqmp-zcu1285-revA zynqmp-zcu208-revA zynqmp-zcu216-revA zynqmp-topic-miamimp-xilinx-xdp-v1r1 zynqmp-sm-k26-revA zynqmp-smk-k26-revA zynqmp-dlc21-revA
  atf-bl31-path = /tftpboot/bl31.bin
  tee-os-path = /tftpboot/tee.bin
  opensbi-path =
  default-dt = zynqmp-zcu100-revC
  scp-path =
  rockchip-tpl-path =
  spl-bss-pad =
  tpl-bss-pad = 1
  spl-dtb = y
  tpl-dtb =
  pre-load-key-path =
Processing entry args done
Node '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb': Packing: offset=None, size=None, content_size=240d8
Node '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb': - packed: offset=0x0, size=0x240d8, content_size=0x240d8, next_offset=240d8
Node '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb': GetData: size 0x240d8
Node '/binman/spl/xilinx-fsbl-auth': GetPaddedDataForEntry: size None
Node '/binman/spl/xilinx-fsbl-auth': GetData: 1 entries, total size 0x240d8
bintool: bootgen -arch zynqmp -image ./bootgen-in.sign.bif -w -o ./boot.spl.xilinx-fsbl-auth.bin

****** Xilinx Bootgen v2022.2.0
  **** Build date : Oct 13 2022-12:22:43
    ** Copyright 1986-2022 Xilinx, Inc. All Rights Reserved.
[WARNING]: Authentication padding scheme will be as per silicon 2.0(ES2) and above. The image generated will NOT work for 1.0(ES1). Use '-zynqmpes1' to generate image for 1.0(ES1)
[INFO] : Bootimage generated successfully
Node '/binman/spl': GetPaddedDataForEntry: size None
Node '/binman/spl/xilinx-fsbl-auth': Packing: offset=None, size=0x47280, content_size=47280
Node '/binman/spl/xilinx-fsbl-auth': - packed: offset=0x0, size=0x47280, content_size=0x47280, next_offset=47280
Node '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb': GetData: size 0x240d8
Node '/binman/spl/xilinx-fsbl-auth': GetPaddedDataForEntry: size 0x47280
Node '/binman/spl/xilinx-fsbl-auth': GetData: 1 entries, total size 0x240d8
bintool: bootgen -arch zynqmp -image ./bootgen-in.sign.bif -w -o ./boot.spl.xilinx-fsbl-auth.bin

****** Xilinx Bootgen v2022.2.0
  **** Build date : Oct 13 2022-12:22:43
    ** Copyright 1986-2022 Xilinx, Inc. All Rights Reserved.
[WARNING]: Authentication padding scheme will be as per silicon 2.0(ES2) and above. The image generated will NOT work for 1.0(ES1). Use '-zynqmpes1' to generate image for 1.0(ES1)
[INFO] : Bootimage generated successfully
Node '/binman/spl': GetPaddedDataForEntry: size None
Node '/binman/spl': GetData: 1 entries, total size 0x47280
Node '/binman/spl': GetPaddedDataForEntry: size 0x47280
Node '/binman/spl': Packing: offset=None, size=0x47280, content_size=47280
Node '/binman/spl': - packed: offset=0x0, size=0x47280, content_size=0x47280, next_offset=47280
File ./u-boot.dtb.out: Update node '/binman/spl' prop 'offset' to 0x0
File ./u-boot.dtb.out: Update node '/binman/spl' prop 'size' to 0x47280
File ./u-boot.dtb.out: Update node '/binman/spl' prop 'image-pos' to 0x0
File ./u-boot.dtb.out: Update node '/binman/spl/xilinx-fsbl-auth' prop 'offset' to 0x0
File ./u-boot.dtb.out: Update node '/binman/spl/xilinx-fsbl-auth' prop 'size' to 0x47280
File ./u-boot.dtb.out: Update node '/binman/spl/xilinx-fsbl-auth' prop 'image-pos' to 0x0
File ./u-boot.dtb.out: Update node '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb' prop 'offset' to 0x0
File ./u-boot.dtb.out: Update node '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb' prop 'size' to 0x240d8
File ./u-boot.dtb.out: Update node '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb' prop 'image-pos' to 0x0
Section '/binman/spl': Symbol '_binman_sym_magic' in entry '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb': insert _binman_sym_magic, offset 22f80, value 4d595342, length 8
binman: Section '/binman/spl': Symbol '_binman_u_boot_any_prop_image_pos' in entry '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb': Entry 'u-boot-any' not found in list (u-boot-spl-nodtb,xilinx-fsbl-auth,spl)

Traceback (most recent call last):
  File "/home/monstr/data/disk/u-boot/./tools/binman/binman", line 134, in RunBinman
    ret_code = control.Binman(args)
  File "/home/monstr/data/disk/u-boot/tools/binman/control.py", line 787, in Binman
    invalid |= ProcessImage(image, args.update_fdt, args.map,
  File "/home/monstr/data/disk/u-boot/tools/binman/control.py", line 616, in ProcessImage
    image.WriteSymbols()
  File "/home/monstr/data/disk/u-boot/tools/binman/image.py", line 172, in WriteSymbols
    super().WriteSymbols(self)
  File "/home/monstr/data/disk/u-boot/tools/binman/etype/section.py", line 499, in WriteSymbols
    entry.WriteSymbols(self)
  File "/home/monstr/data/disk/u-boot/tools/binman/etype/section.py", line 499, in WriteSymbols
    entry.WriteSymbols(self)
  File "/home/monstr/data/disk/u-boot/tools/binman/entry.py", line 701, in WriteSymbols
    elf.LookupAndWriteSymbols(self.elf_fname, self, section.GetImage(),
  File "/home/monstr/data/disk/u-boot/tools/binman/elf.py", line 298, in LookupAndWriteSymbols
    value = section.GetImage().LookupImageSymbol(name, sym.weak,
  File "/home/monstr/data/disk/u-boot/tools/binman/image.py", line 404, in LookupImageSymbol
    return self.LookupSymbol(sym_name, optional, msg, base_addr,
  File "/home/monstr/data/disk/u-boot/tools/binman/etype/section.py", line 650, in LookupSymbol
    raise ValueError(err)
ValueError: Section '/binman/spl': Symbol '_binman_u_boot_any_prop_image_pos' in entry '/binman/spl/xilinx-fsbl-auth/u-boot-spl-nodtb': Entry 'u-boot-any' not found in list (u-boot-spl-nodtb,xilinx-fsbl-auth,spl)
make: *** [Makefile:1115: .binman_stamp] Error 1
With u-boot-spl-dtb it works fine.

Anyway, I am kind of curious if that support can be generalized so that a bif can be generated for other configurations too. It means

xilinx-bootgen {
    pmufw-filename = "/mnt/disk/u-boot-bins/zynqmp/zynqmp-zcu102-revA/pmufw.elf";

    u-boot-spl-dtb {
    };
};

you will get boot.bin with the images you defined.
And regarding the name "xilinx-fsbl-auth": that authentication is done by the BootROM, not by the FSBL, which is why you should maybe consider renaming it. And as you wrote "arch (str): Xilinx SoC architecture. Currently only 'zynqmp' is supported.", I expect that in future this can be extended to other SoCs which don't have an FSBL, unless you use it as a generic name for the first stage bootloader.
That's why I would say xilinx-bootgen would maybe be a better name, even if it has the tool name in it.
Thanks, Michal
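As an added illustration (not code from the series or from this reply) of the generalization asked for above, the following Python renders a bootgen .bif from binman-style properties, so that the same entry can produce an unsigned boot.bin or, when key hints are given, an RSA-authenticated one. The BIF keywords used ([pskfile], [sskfile], [auth_params], [pmufw_image], [bootloader, authentication=rsa, destination_cpu=a53-0]) are standard bootgen attributes; the mapping of a key-name-hint to `<keydir>/<hint>.pem`, the `BootgenConfig` fields and the `extra_images` list are assumptions made for this example, not the etype's actual behaviour.

```python
"""Render a Xilinx bootgen .bif from binman-style properties (added example)."""
from dataclasses import dataclass, field
from pathlib import Path
from typing import List, Optional


@dataclass
class BootgenConfig:
    """Properties a hypothetical 'xilinx-bootgen' entry might carry."""
    bootloader: str                              # file bootgen marks as [bootloader]
    psk_key_name_hint: Optional[str] = None      # primary secret key hint
    ssk_key_name_hint: Optional[str] = None      # secondary secret key hint
    auth_params: List[str] = field(default_factory=list)  # "key=value" strings
    pmufw_filename: Optional[str] = None         # PMU firmware ELF
    keydir: str = "keys"                         # assumption: where <hint>.pem lives
    extra_images: List[str] = field(default_factory=list)  # further partitions


def key_path(hint: str, keydir: str) -> str:
    """Assumption: an absolute hint names the key file itself (adding .pem if it
    has no suffix); a bare hint is looked up as <keydir>/<hint>.pem."""
    p = Path(hint)
    if p.is_absolute():
        return str(p if p.suffix else p.with_suffix(".pem"))
    return str(Path(keydir) / f"{hint}.pem")


def parse_auth_params(params: List[str]) -> List[str]:
    """Validate the 'key=value' auth-params so a typo fails here, not in bootgen."""
    out = []
    for item in params:
        key, sep, value = item.partition("=")
        if not sep or not key.strip() or not value.strip():
            raise ValueError(f"bad auth-param {item!r}, expected key=value")
        out.append(f"{key.strip()}={value.strip()}")
    return out


def build_bif(cfg: BootgenConfig) -> str:
    """Return the BIF text; authentication attributes appear only when both
    key hints are present, and giving just one of them is an error."""
    signed = cfg.psk_key_name_hint is not None or cfg.ssk_key_name_hint is not None
    if signed and not (cfg.psk_key_name_hint and cfg.ssk_key_name_hint):
        raise ValueError("authentication needs both psk and ssk key hints")

    lines = ["the_ROM_image:", "{"]
    if signed:
        lines.append(f"    [pskfile] {key_path(cfg.psk_key_name_hint, cfg.keydir)}")
        lines.append(f"    [sskfile] {key_path(cfg.ssk_key_name_hint, cfg.keydir)}")
        params = parse_auth_params(cfg.auth_params)
        if params:
            lines.append("    [auth_params] " + "; ".join(params))
    if cfg.pmufw_filename:
        lines.append(f"    [pmufw_image] {cfg.pmufw_filename}")

    auth = ", authentication=rsa" if signed else ""
    lines.append(f"    [bootloader{auth}, destination_cpu=a53-0] {cfg.bootloader}")
    for img in cfg.extra_images:
        # Every later partition is authenticated too; otherwise the chain
        # would be broken right after the bootloader.
        lines.append(f"    [destination_cpu=a53-0{auth}] {img}")
    lines.append("}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample mirroring the device-tree snippet above.
    sample = BootgenConfig(
        bootloader="spl/u-boot-spl.bin",
        psk_key_name_hint="psk0",
        ssk_key_name_hint="ssk0",
        auth_params=["ppk_select=0", "spk_id=0x00000000"],
        pmufw_filename="pmufw.elf",
    )
    print(build_bif(sample))
```

The point of validating the auth-params and the key pairing up front is that bootgen's own error messages arrive late in the build, after binman has already packed the image; failing before the tool is invoked keeps a misconfigured (for instance unsigned) boot.bin from being produced by accident.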