
Hi Andreas,
On 15 June 2016 at 13:26, Andreas Dannenberg dannenberg@ti.com wrote:
From: Daniel Allred d-allred@ti.com
Adds commands so that when a secure device is in use and the SPL is built to load a FIT image (with combined u-boot binary and various DTBs), these components that get fed into the FIT are all processed to be signed/encrypted/etc. as per the operations performed by the secure-binary-image script of the TI SECDEV package.
Signed-off-by: Daniel Allred d-allred@ti.com Signed-off-by: Andreas Dannenberg dannenberg@ti.com
arch/arm/cpu/armv7/omap-common/config_secure.mk | 57 ++++++++++++++++++++++++- arch/arm/cpu/armv7/omap5/config.mk | 3 ++ 2 files changed, 58 insertions(+), 2 deletions(-)
Reviewed-by: Simon Glass sjg@chromium.org
But please can you add a README for this somewhere?
Also, can this tool be added to U-Boot instead of being external?
diff --git a/arch/arm/cpu/armv7/omap-common/config_secure.mk b/arch/arm/cpu/armv7/omap-common/config_secure.mk
index c7bb101..c4514ad 100644
--- a/arch/arm/cpu/armv7/omap-common/config_secure.mk
+++ b/arch/arm/cpu/armv7/omap-common/config_secure.mk
@@ -12,8 +12,8 @@ cmd_mkomapsecimg = $(TI_SECURE_DEV_PKG)/scripts/create-boot-image.sh \
 $(if $(KBUILD_VERBOSE:1=), >/dev/null)
 else
 cmd_mkomapsecimg = $(TI_SECURE_DEV_PKG)/scripts/create-boot-image.sh \
- $(patsubst u-boot_HS_%,%,$(@F)) $< $@ $(CONFIG_ISW_ENTRY_ADDR) \
- $(if $(KBUILD_VERBOSE:1=), >/dev/null)
$(patsubst u-boot_HS_%,%,$(@F)) $< $@ $(CONFIG_ISW_ENTRY_ADDR) \
$(if $(KBUILD_VERBOSE:1=), >/dev/null)
 endif
 else
 cmd_mkomapsecimg = echo "WARNING:" \
@@ -25,6 +25,26 @@ cmd_mkomapsecimg = echo "WARNING: TI_SECURE_DEV_PKG environment" \
 "variable must be defined for TI secure devices. $@ was NOT created!"
 endif
+ifdef CONFIG_SPL_LOAD_FIT
+quiet_cmd_omapsecureimg = SECURE $@
+ifneq ($(TI_SECURE_DEV_PKG),)
+ifneq ($(wildcard $(TI_SECURE_DEV_PKG)/scripts/secure-binary-image.sh),)
+cmd_omapsecureimg = $(TI_SECURE_DEV_PKG)/scripts/secure-binary-image.sh \
$< $@ \
$(if $(KBUILD_VERBOSE:1=), >/dev/null)
+else
+cmd_omapsecureimg = echo "WARNING:" \
"$(TI_SECURE_DEV_PKG)/scripts/secure-binary-image.sh not found." \
"$@ was NOT created!"; cp $< $@
+endif
+else
+cmd_omapsecureimg = echo "WARNING: TI_SECURE_DEV_PKG environment" \
"variable must be defined for TI secure devices." \
"$@ was NOT created!"; cp $< $@
+endif
+endif
 # Standard X-LOADER target (QPSI, NOR flash)
 u-boot-spl_HS_X-LOADER: $(obj)/u-boot-spl.bin
 $(call if_changed,mkomapsecimg)
@@ -64,3 +84,36 @@ u-boot-spl_HS_SPI_X-LOADER: $(obj)/u-boot-spl.bin
 # the mkomapsecimg command looks for a u-boot-HS_* prefix
 u-boot_HS_XIP_X-LOADER: $(obj)/u-boot.bin
 $(call if_changed,mkomapsecimg)
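Review bot: Both fallback branches of `cmd_omapsecureimg` print "$@ was NOT created!" and then run `cp $< $@`, so the target is in fact created as an unprocessed copy and the recipe exits 0. On a build meant for a secure device that leaves files with an `_HS` name that never went through secure-binary-image.sh, and nothing in the build status distinguishes them from processed ones. I would end these branches with `false` instead of `cp $< $@` so the build stops, or, if falling back to an unsigned copy is intended, at least word the message as `"$@ was NOT secured!"` and send it to stderr with `>&2`. The `cmd_mkomapsecimg` fallback visible in the context only echoes and does not create the file, so the two commands now behave differently for the same missing-package condition.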
+# For supporting the SPL loading and interpreting
+# of FIT images whose components are pre-processed
+# before being integrated into the FIT image in order
+# to secure them in some way
+ifdef CONFIG_SPL_LOAD_FIT
+MKIMAGEFLAGS_u-boot_HS.img = -f auto -A $(ARCH) -T firmware -C none -O u-boot \
-a $(CONFIG_SYS_TEXT_BASE) -e $(CONFIG_SYS_UBOOT_START) \
-n "U-Boot $(UBOOTRELEASE) for $(BOARD) board" -E \
$(patsubst %,-b arch/$(ARCH)/dts/%.dtb,$(subst ",,$(CONFIG_OF_LIST)))
+OF_LIST_TARGETS = $(patsubst %,arch/$(ARCH)/dts/%.dtb,$(subst ",,$(CONFIG_OF_LIST)))
+$(OF_LIST_TARGETS): dtbs
+%_HS.dtb: %.dtb
$(call if_changed,omapsecureimg)
$(Q)if [ -f $@ ]; then \
cp -f $@ $<; \
fi
+u-boot-nodtb_HS.bin: u-boot-nodtb.bin
$(call if_changed,omapsecureimg)
+u-boot_HS.img: u-boot-nodtb_HS.bin u-boot.img $(patsubst %.dtb,%_HS.dtb,$(OF_LIST_TARGETS))
$(call if_changed,mkimage)
$(Q)if [ -f $@ ]; then \
cp -f $@ u-boot.img; \
fi
+.NOTPARALLEL: dtbs
Why is that needed?
+endif
diff --git a/arch/arm/cpu/armv7/omap5/config.mk b/arch/arm/cpu/armv7/omap5/config.mk
index a7e55a5..503f31c 100644
--- a/arch/arm/cpu/armv7/omap5/config.mk
+++ b/arch/arm/cpu/armv7/omap5/config.mk
@@ -15,5 +15,8 @@ else
 ALL-y += MLO
 endif
 else
+ifeq ($(CONFIG_TI_SECURE_DEVICE)$(CONFIG_SECURE_BOOT),yy)
+ALL-y += u-boot_HS.img
+endif
 ALL-y += u-boot.img
 endif
-- 2.6.4
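Review bot: The `%_HS.dtb` recipe copies `$@` back over `$<`, and the `u-boot_HS.img` recipe copies its output over `u-boot.img`, which is one of its own prerequisites, so after a build the same file name may hold either the raw or the processed artifact depending on how far the build got. Rewriting a prerequisite also gives it a timestamp at least as new as the target, so the next `make` will likely rerun `omapsecureimg` on a blob that has already been processed. Pointing mkimage at the processed files, e.g. `$(patsubst %,-b arch/$(ARCH)/dts/%_HS.dtb,$(subst ",,$(CONFIG_OF_LIST)))` in `MKIMAGEFLAGS_u-boot_HS.img`, would remove the need for the DTB copy-back. The `u-boot.img` overwrite needs at least a comment above the `cp -f` stating that it is deliberate and which consumer expects the processed image under that name.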
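Review bot: `u-boot_HS.img` is added to `ALL-y` when `CONFIG_TI_SECURE_DEVICE` and `CONFIG_SECURE_BOOT` are both `y`, but the rule that builds it in config_secure.mk exists only under `ifdef CONFIG_SPL_LOAD_FIT`. With FIT loading disabled this would presumably stop with no rule to make the target, and the commit message does not say why `CONFIG_SECURE_BOOT` is part of the test. I would test the option that guards the rule, e.g. `ifeq ($(CONFIG_TI_SECURE_DEVICE)$(CONFIG_SPL_LOAD_FIT),yy)`, or add a comment stating how the two conditions relate. The enclosing `else` branch starts outside the hunk, so the outer condition is not visible here.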
Regards, Simon