[PATCH 0/7] binman: ti: create binman nodes for EFI capsules
Add binman nodes for EFI capsules of firmware components.
This is enabled for several TI SoC based platforms: AM64, AM62, AM62p, BeaglePlay, J7, and BeagleboneAI.
Jonathan Humphreys (7): dts: ti: binman: Add base K3 firmware capsule nodes dts: am64x: binman: Include base K3 firmware capsule binman nodes dts: j721e: binman: Include firmware capsules binman nodes dts: beagleplay: binman: Include firmware capsules binman nodes dts: am62px: binman: Include base K3 firmware capsule binman nodes dts: am62x: binman: Include base K3 firmware capsule binman nodes dts: beagleboneai64: binman: Include firmware capsules binman nodes
arch/arm/dts/k3-am625-beagleplay-u-boot.dtsi | 9 ++++ arch/arm/dts/k3-am625-r5-beagleplay.dts | 5 +++ arch/arm/dts/k3-am625-sk-binman.dtsi | 5 +++ arch/arm/dts/k3-am62p-sk-binman.dtsi | 4 ++ arch/arm/dts/k3-am64x-binman.dtsi | 5 +++ arch/arm/dts/k3-binman-capsule-r5.dtsi | 24 +++++++++++ arch/arm/dts/k3-binman-capsule.dtsi | 42 +++++++++++++++++++ .../dts/k3-j721e-beagleboneai64-u-boot.dtsi | 9 ++++ arch/arm/dts/k3-j721e-binman.dtsi | 32 ++++++++++++++ arch/arm/dts/k3-j721e-r5-beagleboneai64.dts | 22 ++++++++++ 10 files changed, 157 insertions(+) create mode 100644 arch/arm/dts/k3-binman-capsule-r5.dtsi create mode 100644 arch/arm/dts/k3-binman-capsule.dtsi
Create capsule files for tiboot3.bin, tispl.bin, and u-boot.img.
Signed-off-by: Jonathan Humphreys j-humphreys@ti.com --- arch/arm/dts/k3-binman-capsule-r5.dtsi | 24 +++++++++++++++ arch/arm/dts/k3-binman-capsule.dtsi | 42 ++++++++++++++++++++++++++ 2 files changed, 66 insertions(+) create mode 100644 arch/arm/dts/k3-binman-capsule-r5.dtsi create mode 100644 arch/arm/dts/k3-binman-capsule.dtsi
diff --git a/arch/arm/dts/k3-binman-capsule-r5.dtsi b/arch/arm/dts/k3-binman-capsule-r5.dtsi new file mode 100644 index 00000000000..7a20afa46aa --- /dev/null +++ b/arch/arm/dts/k3-binman-capsule-r5.dtsi @@ -0,0 +1,24 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) 2024 Texas Instruments Incorporated - https://www.ti.com/ + */ + +// Capsue update GUIDs. See ti_armv7_common.h. +#define K3_TIBOOT3_IMAGE_UUID_STR "e672b518-7cd7-4014-bd8d-40724d0ad4dc" + +&binman { + capsule-tiboot3 { + filename = "tiboot3-capsule.bin"; + efi-capsule { + image-index = <0x1>; + image-guid = K3_TIBOOT3_IMAGE_UUID_STR; + private-key = "arch/arm/mach-k3/keys/custMpk.pem"; + public-key-cert = "arch/arm/mach-k3/keys/custMpk.crt"; + monotonic-count = <0x1>; + + tiboot3_name: blob { + filename = "tiboot3.bin"; + }; + }; + }; +}; diff --git a/arch/arm/dts/k3-binman-capsule.dtsi b/arch/arm/dts/k3-binman-capsule.dtsi new file mode 100644 index 00000000000..4f11ca6f0ef --- /dev/null +++ b/arch/arm/dts/k3-binman-capsule.dtsi @@ -0,0 +1,42 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) 2024 Texas Instruments Incorporated - https://www.ti.com/ + */ + +// Capsue update GUIDs. See ti_armv7_common.h. +#define K3_SPL_IMAGE_UUID_STR "86f710ad-10cf-46ea-ac67-856ae06efad2" +#define K3_UBOOT_IMAGE_UUID_STR "81b58fb0-3b00-4add-a20a-c185bbaca1ed" + +&binman { + capsule-tispl { + filename = "tispl-capsule.bin"; + efi-capsule { + image-index = <0x2>; + image-guid = K3_SPL_IMAGE_UUID_STR; + private-key = "arch/arm/mach-k3/keys/custMpk.pem"; + public-key-cert = "arch/arm/mach-k3/keys/custMpk.crt"; + monotonic-count = <0x1>; + + tispl_name: blob { + filename = "tispl.bin"; + }; + }; + }; +}; + +&binman { + capsule-uboot { + filename = "uboot-capsule.bin"; + efi-capsule { + image-index = <0x3>; + image-guid = K3_UBOOT_IMAGE_UUID_STR; + private-key = "arch/arm/mach-k3/keys/custMpk.pem"; + public-key-cert = "arch/arm/mach-k3/keys/custMpk.crt"; + monotonic-count = <0x1>; + + uboot_name: blob { + filename = "u-boot.img"; + }; + }; + }; +};
Signed-off-by: Jonathan Humphreys j-humphreys@ti.com --- arch/arm/dts/k3-am64x-binman.dtsi | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/arch/arm/dts/k3-am64x-binman.dtsi b/arch/arm/dts/k3-am64x-binman.dtsi index 37817ba60d2..89cf048db1f 100644 --- a/arch/arm/dts/k3-am64x-binman.dtsi +++ b/arch/arm/dts/k3-am64x-binman.dtsi @@ -114,6 +114,8 @@ }; };
+#include "k3-binman-capsule-r5.dtsi" + #endif
#ifdef CONFIG_TARGET_AM642_A53_EVM @@ -373,4 +375,7 @@ }; }; }; + +#include "k3-binman-capsule.dtsi" + #endif
Signed-off-by: Jonathan Humphreys j-humphreys@ti.com --- arch/arm/dts/k3-j721e-binman.dtsi | 32 +++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+)
diff --git a/arch/arm/dts/k3-j721e-binman.dtsi b/arch/arm/dts/k3-j721e-binman.dtsi index 75a6e9599b9..9169551c422 100644 --- a/arch/arm/dts/k3-j721e-binman.dtsi +++ b/arch/arm/dts/k3-j721e-binman.dtsi @@ -207,6 +207,29 @@ }; }; }; + +#include "k3-binman-capsule-r5.dtsi" + +// Capsue update GUIDs. See ti_armv7_common.h. +#define K3_SYSFW_IMAGE_UUID_STR "6fd10680-361b-431f-80aa-899455819e11" + +&binman { + capsule-sysfw { + filename = "sysfw-capsule.bin"; + efi-capsule { + image-index = <0x4>; + image-guid = K3_SYSFW_IMAGE_UUID_STR; + private-key = "arch/arm/mach-k3/keys/custMpk.pem"; + public-key-cert = "arch/arm/mach-k3/keys/custMpk.crt"; + monotonic-count = <0x1>; + + blob { + filename = "sysfw.itb"; + }; + }; + }; +}; + #endif
#ifdef CONFIG_TARGET_J721E_A72_EVM @@ -585,4 +608,13 @@ }; }; }; + +#include "k3-binman-capsule.dtsi" +&tispl_name { + filename = "tispl.bin_unsigned"; +}; +&uboot_name { + filename = "u-boot.img_unsigned"; +}; + #endif
On 4/8/24 5:17 PM, Jonathan Humphreys wrote:
Signed-off-by: Jonathan Humphreys j-humphreys@ti.com
arch/arm/dts/k3-j721e-binman.dtsi | 32 +++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+)
diff --git a/arch/arm/dts/k3-j721e-binman.dtsi b/arch/arm/dts/k3-j721e-binman.dtsi index 75a6e9599b9..9169551c422 100644 --- a/arch/arm/dts/k3-j721e-binman.dtsi +++ b/arch/arm/dts/k3-j721e-binman.dtsi @@ -207,6 +207,29 @@ }; }; };
+#include "k3-binman-capsule-r5.dtsi"
+// Capsue update GUIDs. See ti_armv7_common.h. +#define K3_SYSFW_IMAGE_UUID_STR "6fd10680-361b-431f-80aa-899455819e11"
+&binman {
- capsule-sysfw {
filename = "sysfw-capsule.bin";efi-capsule {image-index = <0x4>;image-guid = K3_SYSFW_IMAGE_UUID_STR;private-key = "arch/arm/mach-k3/keys/custMpk.pem";public-key-cert = "arch/arm/mach-k3/keys/custMpk.crt";monotonic-count = <0x1>;blob {filename = "sysfw.itb";};};- };
+};
#endif
#ifdef CONFIG_TARGET_J721E_A72_EVM
@@ -585,4 +608,13 @@ }; }; };
+#include "k3-binman-capsule.dtsi" +&tispl_name {
- filename = "tispl.bin_unsigned";
Why use the _unsigned images here? HS devices cannot boot unsigned GP images, but both GP and HS devices *can* boot the normal signed images (GP just strips the signatures off). So no need to use the _unsigned images anymore (I'm planning to just remove them at some point to prevent this confusion).
Andrew
+}; +&uboot_name {
- filename = "u-boot.img_unsigned";
+};
- #endif
Andrew Davis afd@ti.com writes:
On 4/8/24 5:17 PM, Jonathan Humphreys wrote:
Signed-off-by: Jonathan Humphreys j-humphreys@ti.com
arch/arm/dts/k3-j721e-binman.dtsi | 32 +++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+)
diff --git a/arch/arm/dts/k3-j721e-binman.dtsi b/arch/arm/dts/k3-j721e-binman.dtsi index 75a6e9599b9..9169551c422 100644 --- a/arch/arm/dts/k3-j721e-binman.dtsi +++ b/arch/arm/dts/k3-j721e-binman.dtsi @@ -207,6 +207,29 @@ }; }; };
+#include "k3-binman-capsule-r5.dtsi"
+// Capsue update GUIDs. See ti_armv7_common.h. +#define K3_SYSFW_IMAGE_UUID_STR "6fd10680-361b-431f-80aa-899455819e11"
+&binman {
- capsule-sysfw {
filename = "sysfw-capsule.bin";efi-capsule {image-index = <0x4>;image-guid = K3_SYSFW_IMAGE_UUID_STR;private-key = "arch/arm/mach-k3/keys/custMpk.pem";public-key-cert = "arch/arm/mach-k3/keys/custMpk.crt";monotonic-count = <0x1>;blob {filename = "sysfw.itb";};};- };
+};
#endif
#ifdef CONFIG_TARGET_J721E_A72_EVM
@@ -585,4 +608,13 @@ }; }; };
+#include "k3-binman-capsule.dtsi" +&tispl_name {
- filename = "tispl.bin_unsigned";
Why use the _unsigned images here? HS devices cannot boot unsigned GP images, but both GP and HS devices *can* boot the normal signed images (GP just strips the signatures off). So no need to use the _unsigned images anymore (I'm planning to just remove them at some point to prevent this confusion).
I can do that.
Note that you will then see warnings on GP devices during boot:
Warning: Detected image signing certificate on GP device. Skipping certificate to prevent boot failure. This will fail if the image was also encrypted
Jon
Andrew
+}; +&uboot_name {
- filename = "u-boot.img_unsigned";
+};
- #endif
On 4/10/24 1:24 PM, Jon Humphreys wrote:
Andrew Davis afd@ti.com writes:
On 4/8/24 5:17 PM, Jonathan Humphreys wrote:
Signed-off-by: Jonathan Humphreys j-humphreys@ti.com
arch/arm/dts/k3-j721e-binman.dtsi | 32 +++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+)
diff --git a/arch/arm/dts/k3-j721e-binman.dtsi b/arch/arm/dts/k3-j721e-binman.dtsi index 75a6e9599b9..9169551c422 100644 --- a/arch/arm/dts/k3-j721e-binman.dtsi +++ b/arch/arm/dts/k3-j721e-binman.dtsi @@ -207,6 +207,29 @@ }; }; };
+#include "k3-binman-capsule-r5.dtsi"
+// Capsue update GUIDs. See ti_armv7_common.h. +#define K3_SYSFW_IMAGE_UUID_STR "6fd10680-361b-431f-80aa-899455819e11"
+&binman {
- capsule-sysfw {
filename = "sysfw-capsule.bin";efi-capsule {image-index = <0x4>;image-guid = K3_SYSFW_IMAGE_UUID_STR;private-key = "arch/arm/mach-k3/keys/custMpk.pem";public-key-cert = "arch/arm/mach-k3/keys/custMpk.crt";monotonic-count = <0x1>;blob {filename = "sysfw.itb";};};- };
+};
#endif
#ifdef CONFIG_TARGET_J721E_A72_EVM
@@ -585,4 +608,13 @@ }; }; };
+#include "k3-binman-capsule.dtsi" +&tispl_name {
- filename = "tispl.bin_unsigned";
Why use the _unsigned images here? HS devices cannot boot unsigned GP images, but both GP and HS devices *can* boot the normal signed images (GP just strips the signatures off). So no need to use the _unsigned images anymore (I'm planning to just remove them at some point to prevent this confusion).
I can do that.
Note that you will then see warnings on GP devices during boot:
Warning: Detected image signing certificate on GP device. Skipping certificate to prevent boot failure. This will fail if the image was also encrypted
True, I'll send a fix for that.
Andrew
Jon
Andrew
+}; +&uboot_name {
- filename = "u-boot.img_unsigned";
+};
- #endif
Signed-off-by: Jonathan Humphreys j-humphreys@ti.com --- arch/arm/dts/k3-am625-beagleplay-u-boot.dtsi | 9 +++++++++ arch/arm/dts/k3-am625-r5-beagleplay.dts | 5 +++++ 2 files changed, 14 insertions(+)
diff --git a/arch/arm/dts/k3-am625-beagleplay-u-boot.dtsi b/arch/arm/dts/k3-am625-beagleplay-u-boot.dtsi index cca0f44b7d8..315f42e7464 100644 --- a/arch/arm/dts/k3-am625-beagleplay-u-boot.dtsi +++ b/arch/arm/dts/k3-am625-beagleplay-u-boot.dtsi @@ -212,4 +212,13 @@ }; }; }; + +#include "k3-binman-capsule.dtsi" +&tispl_name { + filename = "tispl.bin_unsigned"; +}; +&uboot_name { + filename = "u-boot.img_unsigned"; +}; + #endif diff --git a/arch/arm/dts/k3-am625-r5-beagleplay.dts b/arch/arm/dts/k3-am625-r5-beagleplay.dts index 9db58f093c8..5ee0c2bd56d 100644 --- a/arch/arm/dts/k3-am625-r5-beagleplay.dts +++ b/arch/arm/dts/k3-am625-r5-beagleplay.dts @@ -114,3 +114,8 @@
}; }; + +#include "k3-binman-capsule-r5.dtsi" +&tiboot3_name { + filename = "tiboot3-am62x-gp-evm.bin"; +};
Signed-off-by: Jonathan Humphreys j-humphreys@ti.com --- arch/arm/dts/k3-am62p-sk-binman.dtsi | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/arch/arm/dts/k3-am62p-sk-binman.dtsi b/arch/arm/dts/k3-am62p-sk-binman.dtsi index dea14945bf5..9b27c879f79 100644 --- a/arch/arm/dts/k3-am62p-sk-binman.dtsi +++ b/arch/arm/dts/k3-am62p-sk-binman.dtsi @@ -59,6 +59,8 @@ }; };
+#include "k3-binman-capsule-r5.dtsi" + #endif /* CONFIG_TARGET_AM62P5_R5_EVM */
#if IS_ENABLED(CONFIG_TARGET_AM62P5_A53_EVM) @@ -170,4 +172,6 @@ }; };
+#include "k3-binman-capsule.dtsi" + #endif /* CONFIG_TARGET_AM62P5_A53_EVM */
Signed-off-by: Jonathan Humphreys j-humphreys@ti.com --- arch/arm/dts/k3-am625-sk-binman.dtsi | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/arch/arm/dts/k3-am625-sk-binman.dtsi b/arch/arm/dts/k3-am625-sk-binman.dtsi index 5b058bd03a0..921c2bdcc5e 100644 --- a/arch/arm/dts/k3-am625-sk-binman.dtsi +++ b/arch/arm/dts/k3-am625-sk-binman.dtsi @@ -137,6 +137,8 @@ }; };
+#include "k3-binman-capsule-r5.dtsi" + #endif
#ifdef CONFIG_TARGET_AM625_A53_EVM @@ -315,4 +317,7 @@ }; }; }; + +#include "k3-binman-capsule.dtsi" + #endif
Signed-off-by: Jonathan Humphreys j-humphreys@ti.com --- .../dts/k3-j721e-beagleboneai64-u-boot.dtsi | 9 ++++++++ arch/arm/dts/k3-j721e-r5-beagleboneai64.dts | 22 +++++++++++++++++++ 2 files changed, 31 insertions(+)
diff --git a/arch/arm/dts/k3-j721e-beagleboneai64-u-boot.dtsi b/arch/arm/dts/k3-j721e-beagleboneai64-u-boot.dtsi index 116ee373118..a3c5fa1f0b5 100644 --- a/arch/arm/dts/k3-j721e-beagleboneai64-u-boot.dtsi +++ b/arch/arm/dts/k3-j721e-beagleboneai64-u-boot.dtsi @@ -355,4 +355,13 @@ }; }; }; + +#include "k3-binman-capsule.dtsi" +&tispl_name { + filename = "tispl.bin_unsigned"; +}; +&uboot_name { + filename = "u-boot.img_unsigned"; +}; + #endif diff --git a/arch/arm/dts/k3-j721e-r5-beagleboneai64.dts b/arch/arm/dts/k3-j721e-r5-beagleboneai64.dts index 43da4dafba8..1a98ad9e34f 100644 --- a/arch/arm/dts/k3-j721e-r5-beagleboneai64.dts +++ b/arch/arm/dts/k3-j721e-r5-beagleboneai64.dts @@ -183,3 +183,25 @@ }; }; }; + +#include "k3-binman-capsule-r5.dtsi" + +// Capsue update GUIDs. See ti_armv7_common.h. +#define K3_SYSFW_IMAGE_UUID_STR "6fd10680-361b-431f-80aa-899455819e11" + +&binman { + capsule-sysfw { + filename = "sysfw-capsule.bin"; + efi-capsule { + image-index = <0x4>; + image-guid = K3_SYSFW_IMAGE_UUID_STR; + private-key = "arch/arm/mach-k3/keys/custMpk.pem"; + public-key-cert = "arch/arm/mach-k3/keys/custMpk.crt"; + monotonic-count = <0x1>; + + blob { + filename = "sysfw.itb"; + }; + }; + }; +};
participants (3)
-
Andrew Davis -
Jon Humphreys -
Jonathan Humphreys