Add signature with crc32 value for all images in binman node for FIT image in device tree. And, enable FIT signature checking for Stratix10 and Agilex ATF and VAB sdmmc boot.

Signed-off-by: Siew Chin Lim elly.siew.chin.lim@intel.com --- arch/arm/dts/socfpga_soc64_fit-u-boot.dtsi | 30 +++++++++++++++++++++++++----- configs/socfpga_agilex_atf_defconfig | 4 ++++ configs/socfpga_agilex_vab_defconfig | 4 ++++ configs/socfpga_stratix10_atf_defconfig | 4 ++++ 4 files changed, 37 insertions(+), 5 deletions(-)

diff --git a/arch/arm/dts/socfpga_soc64_fit-u-boot.dtsi b/arch/arm/dts/socfpga_soc64_fit-u-boot.dtsi index 4b30473743..84b91e8df0 100644 --- a/arch/arm/dts/socfpga_soc64_fit-u-boot.dtsi +++ b/arch/arm/dts/socfpga_soc64_fit-u-boot.dtsi @@ -29,10 +29,12 @@ arch = "arm64"; compression = "none"; load = <0x00200000>; - uboot_blob: blob-ext { filename = "u-boot-nodtb.bin"; }; + hash { + algo = "crc32"; + }; };

atf { @@ -43,20 +45,24 @@ compression = "none"; load = <0x00001000>; entry = <0x00001000>; - atf_blob: blob-ext { filename = "bl31.bin"; }; + hash { + algo = "crc32"; + }; };

fdt { description = "U-Boot SoC64 flat device-tree"; type = "flat_dt"; compression = "none"; - uboot_fdt_blob: blob-ext { filename = "u-boot.dtb"; }; + hash { + algo = "crc32"; + }; }; };

@@ -67,6 +73,11 @@ firmware = "atf"; loadables = "uboot"; fdt = "fdt"; + signature { + algo = "crc32"; + key-name-hint = "dev"; + sign-images = "atf", "fdt", "uboot"; + }; }; }; }; @@ -87,10 +98,12 @@ compression = "none"; load = <0x4080000>; entry = <0x4080000>; - kernel_blob: blob-ext { filename = "Image"; }; + hash { + algo = "crc32"; + }; };

fdt { @@ -98,10 +111,12 @@ type = "flat_dt"; arch = "arm64"; compression = "none"; - kernel_fdt_blob: blob-ext { filename = "linux.dtb"; }; + hash { + algo = "crc32"; + }; }; };

@@ -111,6 +126,11 @@ description = "Intel SoC64 FPGA"; kernel = "kernel"; fdt = "fdt"; + signature { + algo = "crc32"; + key-name-hint = "dev"; + sign-images = "fdt", "kernel"; + }; }; }; }; diff --git a/configs/socfpga_agilex_atf_defconfig b/configs/socfpga_agilex_atf_defconfig index 7adda02b00..e5b7f4b52a 100644 --- a/configs/socfpga_agilex_atf_defconfig +++ b/configs/socfpga_agilex_atf_defconfig @@ -14,6 +14,10 @@ CONFIG_IDENT_STRING="socfpga_agilex" CONFIG_SPL_FS_FAT=y CONFIG_DEFAULT_DEVICE_TREE="socfpga_agilex_socdk" CONFIG_FIT=y +CONFIG_FIT_SIGNATURE=y +CONFIG_FIT_SIGNATURE_MAX_SIZE=0x10000000 +CONFIG_SPL_FIT_SIGNATURE=y +CONFIG_SPL_CRC32_SUPPORT=y CONFIG_SPL_LOAD_FIT=y CONFIG_SPL_LOAD_FIT_ADDRESS=0x02000000 # CONFIG_USE_SPL_FIT_GENERATOR is not set diff --git a/configs/socfpga_agilex_vab_defconfig b/configs/socfpga_agilex_vab_defconfig index bca663ed61..fac9cf72e5 100644 --- a/configs/socfpga_agilex_vab_defconfig +++ b/configs/socfpga_agilex_vab_defconfig @@ -15,6 +15,10 @@ CONFIG_IDENT_STRING="socfpga_agilex" CONFIG_SPL_FS_FAT=y CONFIG_DEFAULT_DEVICE_TREE="socfpga_agilex_socdk" CONFIG_FIT=y +CONFIG_FIT_SIGNATURE=y +CONFIG_FIT_SIGNATURE_MAX_SIZE=0x10000000 +CONFIG_SPL_FIT_SIGNATURE=y +CONFIG_SPL_CRC32_SUPPORT=y CONFIG_SPL_LOAD_FIT=y CONFIG_SPL_LOAD_FIT_ADDRESS=0x02000000 # CONFIG_USE_SPL_FIT_GENERATOR is not set diff --git a/configs/socfpga_stratix10_atf_defconfig b/configs/socfpga_stratix10_atf_defconfig index 8dbb7424ba..7466025bc0 100644 --- a/configs/socfpga_stratix10_atf_defconfig +++ b/configs/socfpga_stratix10_atf_defconfig @@ -14,6 +14,10 @@ CONFIG_IDENT_STRING="socfpga_stratix10" CONFIG_SPL_FS_FAT=y CONFIG_DEFAULT_DEVICE_TREE="socfpga_stratix10_socdk" CONFIG_FIT=y +CONFIG_FIT_SIGNATURE=y +CONFIG_FIT_SIGNATURE_MAX_SIZE=0x10000000 +CONFIG_SPL_FIT_SIGNATURE=y +CONFIG_SPL_CRC32_SUPPORT=y CONFIG_SPL_LOAD_FIT=y CONFIG_SPL_LOAD_FIT_ADDRESS=0x02000000 # CONFIG_USE_SPL_FIT_GENERATOR is not set