[PATCH v2 0/7] binman: ti: create binman nodes for EFI capsules
Add binman nodes for EFI capsules of firmware components so that capsules are automatically created during the UBoot builds.
This is enabled for several TI SoC based platforms: AM64, AM62, AM62p, BeaglePlay, J7, and BeagleboneAI.
Changes from v1: - on GP devices, still use signed images in capsules where available - Insert board specific capsule GUIDs into the capsule node's image-guid.
Jonathan Humphreys (7): dts: ti: binman: Add base K3 firmware capsule nodes dts: am64x: binman: Include firmware capsules binman nodes dts: j721e: binman: Include firmware capsules binman nodes dts: beagleplay: binman: Include firmware capsules binman nodes dts: am62px: binman: Include firmware capsules binman nodes dts: am62x: binman: Include firmware capsules binman nodes dts: beagleboneai64: binman: Include firmware capsules binman nodes
arch/arm/dts/k3-am625-beagleplay-u-boot.dtsi | 27 ++++++++++ arch/arm/dts/k3-am625-r5-beagleplay.dts | 15 ++++++ arch/arm/dts/k3-am625-sk-binman.dtsi | 30 ++++++++++++ arch/arm/dts/k3-am62p-sk-binman.dtsi | 29 +++++++++++ arch/arm/dts/k3-am64x-binman.dtsi | 30 ++++++++++++ arch/arm/dts/k3-binman-capsule-r5.dtsi | 21 ++++++++ arch/arm/dts/k3-binman-capsule.dtsi | 38 ++++++++++++++ .../dts/k3-j721e-beagleboneai64-u-boot.dtsi | 23 +++++++++ arch/arm/dts/k3-j721e-binman.dtsi | 49 +++++++++++++++++++ arch/arm/dts/k3-j721e-r5-beagleboneai64.dts | 29 +++++++++++ 10 files changed, 291 insertions(+) create mode 100644 arch/arm/dts/k3-binman-capsule-r5.dtsi create mode 100644 arch/arm/dts/k3-binman-capsule.dtsi
Create capsule files for tiboot3.bin, tispl.bin, and u-boot.img.
Signed-off-by: Jonathan Humphreys j-humphreys@ti.com --- arch/arm/dts/k3-binman-capsule-r5.dtsi | 21 ++++++++++++++ arch/arm/dts/k3-binman-capsule.dtsi | 38 ++++++++++++++++++++++++++ 2 files changed, 59 insertions(+) create mode 100644 arch/arm/dts/k3-binman-capsule-r5.dtsi create mode 100644 arch/arm/dts/k3-binman-capsule.dtsi
diff --git a/arch/arm/dts/k3-binman-capsule-r5.dtsi b/arch/arm/dts/k3-binman-capsule-r5.dtsi new file mode 100644 index 00000000000..959ceb7479d --- /dev/null +++ b/arch/arm/dts/k3-binman-capsule-r5.dtsi @@ -0,0 +1,21 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) 2024 Texas Instruments Incorporated - https://www.ti.com/ + */ + +&binman { + capsule_tiboot3: capsule-tiboot3 { + filename = "tiboot3-capsule.bin"; + efi-capsule { + image-index = <0x1>; + image-guid = "00000000-0000-0000-0000-000000000000"; + private-key = "arch/arm/mach-k3/keys/custMpk.pem"; + public-key-cert = "arch/arm/mach-k3/keys/custMpk.crt"; + monotonic-count = <0x1>; + + blob { + filename = "tiboot3.bin"; + }; + }; + }; +}; diff --git a/arch/arm/dts/k3-binman-capsule.dtsi b/arch/arm/dts/k3-binman-capsule.dtsi new file mode 100644 index 00000000000..17e83c9fa44 --- /dev/null +++ b/arch/arm/dts/k3-binman-capsule.dtsi @@ -0,0 +1,38 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) 2024 Texas Instruments Incorporated - https://www.ti.com/ + */ + +&binman { + capsule_tispl: capsule-tispl { + filename = "tispl-capsule.bin"; + efi-capsule { + image-index = <0x2>; + image-guid = "00000000-0000-0000-0000-000000000000"; + private-key = "arch/arm/mach-k3/keys/custMpk.pem"; + public-key-cert = "arch/arm/mach-k3/keys/custMpk.crt"; + monotonic-count = <0x1>; + + blob { + filename = "tispl.bin"; + }; + }; + }; +}; + +&binman { + capsule_uboot: capsule-uboot { + filename = "uboot-capsule.bin"; + efi-capsule { + image-index = <0x3>; + image-guid = "00000000-0000-0000-0000-000000000000"; + private-key = "arch/arm/mach-k3/keys/custMpk.pem"; + public-key-cert = "arch/arm/mach-k3/keys/custMpk.crt"; + monotonic-count = <0x1>; + + blob { + filename = "u-boot.img"; + }; + }; + }; +};
Fill in the am64x SK's capsule GUID properties of the base binman capsule nodes.
Signed-off-by: Jonathan Humphreys j-humphreys@ti.com --- arch/arm/dts/k3-am64x-binman.dtsi | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+)
diff --git a/arch/arm/dts/k3-am64x-binman.dtsi b/arch/arm/dts/k3-am64x-binman.dtsi index 37817ba60d2..f768c4d946d 100644 --- a/arch/arm/dts/k3-am64x-binman.dtsi +++ b/arch/arm/dts/k3-am64x-binman.dtsi @@ -114,6 +114,17 @@ }; };
+#include "k3-binman-capsule-r5.dtsi" + +// Capsule update GUIDs in string form. See am64x_evm.h +#define AM64X_SK_TIBOOT3_IMAGE_GUID_STR "ede0a0d5-9116-4bfb-aa54-09e97b5afe1a" + +&capsule_tiboot3 { + efi-capsule { + image-guid = AM64X_SK_TIBOOT3_IMAGE_GUID_STR; + }; +}; + #endif
#ifdef CONFIG_TARGET_AM642_A53_EVM @@ -373,4 +384,23 @@ }; }; }; + +#include "k3-binman-capsule.dtsi" + +// Capsule update GUIDs in string form. See am64x_evm.h +#define AM64X_SK_SPL_IMAGE_GUID_STR "77678f5c-64d4-4910-ad75-52c9d95cdb1d" +#define AM64X_SK_UBOOT_IMAGE_GUID_STR "c6ad43a9-7d31-4f5d-83e9-b8efecae05bf" + +&capsule_tispl { + efi-capsule { + image-guid = AM64X_SK_SPL_IMAGE_GUID_STR; + }; +}; + +&capsule_uboot { + efi-capsule { + image-guid = AM64X_SK_UBOOT_IMAGE_GUID_STR; + }; +}; + #endif
Fill in the J721e SK's capsule GUID properties of the base binman capsule nodes. Also add it's SYSFW binman capsule node.
Signed-off-by: Jonathan Humphreys j-humphreys@ti.com --- arch/arm/dts/k3-j721e-binman.dtsi | 49 +++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+)
diff --git a/arch/arm/dts/k3-j721e-binman.dtsi b/arch/arm/dts/k3-j721e-binman.dtsi index 75a6e9599b9..32cfd545e5c 100644 --- a/arch/arm/dts/k3-j721e-binman.dtsi +++ b/arch/arm/dts/k3-j721e-binman.dtsi @@ -207,6 +207,36 @@ }; }; }; + +#include "k3-binman-capsule-r5.dtsi" + +// Capsule update GUIDs in string form. See j721e_evm.h +#define J721E_SK_TIBOOT3_IMAGE_GUID_STR "e672b518-7cd7-4014-bd8d-40724d0ad4dc" +#define J721E_SK_SYSFW_IMAGE_GUID_STR "6fd10680-361b-431f-80aa-899455819e11" + +&capsule_tiboot3 { + efi-capsule { + image-guid = J721E_SK_TIBOOT3_IMAGE_GUID_STR; + }; +}; + +&binman { + capsule-sysfw { + filename = "sysfw-capsule.bin"; + efi-capsule { + image-index = <0x4>; + image-guid = J721E_SK_SYSFW_IMAGE_GUID_STR; + private-key = "arch/arm/mach-k3/keys/custMpk.pem"; + public-key-cert = "arch/arm/mach-k3/keys/custMpk.crt"; + monotonic-count = <0x1>; + + blob { + filename = "sysfw.itb"; + }; + }; + }; +}; + #endif
#ifdef CONFIG_TARGET_J721E_A72_EVM @@ -585,4 +615,23 @@ }; }; }; + +#include "k3-binman-capsule.dtsi" + +// Capsule update GUIDs in string form. See j721e_evm.h +#define J721E_SK_SPL_IMAGE_GUID_STR "86f710ad-10cf-46ea-ac67-856ae06efad2" +#define J721E_SK_UBOOT_IMAGE_GUID_STR "81b58fb0-3b00-4add-a20a-c185bbaca1ed" + +&capsule_tispl { + efi-capsule { + image-guid = J721E_SK_SPL_IMAGE_GUID_STR; + }; +}; + +&capsule_uboot { + efi-capsule { + image-guid = J721E_SK_UBOOT_IMAGE_GUID_STR; + }; +}; + #endif
Fill in the BeaglePlay's capsule GUID properties of the base binman capsule nodes.
Signed-off-by: Jonathan Humphreys j-humphreys@ti.com --- arch/arm/dts/k3-am625-beagleplay-u-boot.dtsi | 27 ++++++++++++++++++++ arch/arm/dts/k3-am625-r5-beagleplay.dts | 15 +++++++++++ 2 files changed, 42 insertions(+)
diff --git a/arch/arm/dts/k3-am625-beagleplay-u-boot.dtsi b/arch/arm/dts/k3-am625-beagleplay-u-boot.dtsi index fb2032068d1..f7c21a1f0e0 100644 --- a/arch/arm/dts/k3-am625-beagleplay-u-boot.dtsi +++ b/arch/arm/dts/k3-am625-beagleplay-u-boot.dtsi @@ -205,4 +205,31 @@ }; }; }; + +#include "k3-binman-capsule.dtsi" + +// Capsule update GUIDs in string form. See beagleplay.h +#define BEAGLEPLAY_SPL_IMAGE_GUID_STR "b2e7cc49-1a5a-4036-ae01-3387c3bef657" +#define BEAGLEPLAY_UBOOT_IMAGE_GUID_STR "92c92b11-a7ee-486f-aaa2-713d84425b0e" + +&capsule_tispl { + efi-capsule { + image-guid = BEAGLEPLAY_SPL_IMAGE_GUID_STR; + + blob { + filename = "tispl.bin_unsigned"; + }; + }; +}; + +&capsule_uboot { + efi-capsule { + image-guid = BEAGLEPLAY_UBOOT_IMAGE_GUID_STR; + + blob { + filename = "u-boot.img_unsigned"; + }; + }; +}; + #endif diff --git a/arch/arm/dts/k3-am625-r5-beagleplay.dts b/arch/arm/dts/k3-am625-r5-beagleplay.dts index 9db58f093c8..162d4800b17 100644 --- a/arch/arm/dts/k3-am625-r5-beagleplay.dts +++ b/arch/arm/dts/k3-am625-r5-beagleplay.dts @@ -114,3 +114,18 @@
}; }; + +#include "k3-binman-capsule-r5.dtsi" + +// Capsule update GUIDs in string form. See beagleplay.h +#define BEAGLEPLAY_TIBOOT3_IMAGE_GUID_STR "0e225a09-f720-4d57-9120-e28f737f5a5e" + +&capsule_tiboot3 { + efi-capsule { + image-guid = BEAGLEPLAY_TIBOOT3_IMAGE_GUID_STR; + + blob { + filename = "tiboot3-am62x-gp-evm.bin"; + }; + }; +};
On Fri, Apr 19, 2024 at 04:28:16PM -0500, Jonathan Humphreys wrote:
Fill in the BeaglePlay's capsule GUID properties of the base binman capsule nodes.
Signed-off-by: Jonathan Humphreys j-humphreys@ti.com
arch/arm/dts/k3-am625-beagleplay-u-boot.dtsi | 27 ++++++++++++++++++++ arch/arm/dts/k3-am625-r5-beagleplay.dts | 15 +++++++++++ 2 files changed, 42 insertions(+)
This series introduces failure to build in CI, and it's a little tricky to replicate locally, depending on your environment. You first need to NOT have BINMAN_INDIRS set and instead be using fake binaries. Second, it seems python version dependent perhaps? I don't see this on my host, but by: - Using the CI container - Setting up a virtualenv inside of it - pip install -r tools/buildman/requirements.txt I get: $ ./tools/buildman/buildman --keep-outputs --reproducible-builds -dvel --force-build -PEWM --output /tmp/am62x_beagleplay_r5 --board am62x_beagleplay_r5 Building current source for 1 boards (1 thread, 12 jobs per thread) arm: + am62x_beagleplay_r5 +(am62x_beagleplay_r5) Image 'tiboot3-am62x-gp-evm.bin' is missing optional external blobs but is still functional: ti-fs-gp.bin +(am62x_beagleplay_r5) +(am62x_beagleplay_r5) /binman/tiboot3-am62x-gp-evm.bin/ti-fs-gp.bin (ti-sysfw/ti-fs-firmware-am62x-gp.bin): +(am62x_beagleplay_r5) Missing blob +(am62x_beagleplay_r5) binman: object of type 'NoneType' has no len() +(am62x_beagleplay_r5) make[1]: *** [Makefile:1126: .binman_stamp] Error 1 +(am62x_beagleplay_r5) make: *** [Makefile:177: sub-make] Error 2 0 0 1 /1 am62x_beagleplay_r5
Tom Rini trini@konsulko.com writes:
On Fri, Apr 19, 2024 at 04:28:16PM -0500, Jonathan Humphreys wrote:
Fill in the BeaglePlay's capsule GUID properties of the base binman capsule nodes.
Signed-off-by: Jonathan Humphreys j-humphreys@ti.com
arch/arm/dts/k3-am625-beagleplay-u-boot.dtsi | 27 ++++++++++++++++++++ arch/arm/dts/k3-am625-r5-beagleplay.dts | 15 +++++++++++ 2 files changed, 42 insertions(+)
This series introduces failure to build in CI, and it's a little tricky to replicate locally, depending on your environment. You first need to NOT have BINMAN_INDIRS set and instead be using fake binaries. Second, it seems python version dependent perhaps? I don't see this on my host, but by:
- Using the CI container
- Setting up a virtualenv inside of it
- pip install -r tools/buildman/requirements.txt
I get: $ ./tools/buildman/buildman --keep-outputs --reproducible-builds -dvel --force-build -PEWM --output /tmp/am62x_beagleplay_r5 --board am62x_beagleplay_r5 Building current source for 1 boards (1 thread, 12 jobs per thread) arm: + am62x_beagleplay_r5 +(am62x_beagleplay_r5) Image 'tiboot3-am62x-gp-evm.bin' is missing optional external blobs but is still functional: ti-fs-gp.bin +(am62x_beagleplay_r5) +(am62x_beagleplay_r5) /binman/tiboot3-am62x-gp-evm.bin/ti-fs-gp.bin (ti-sysfw/ti-fs-firmware-am62x-gp.bin): +(am62x_beagleplay_r5) Missing blob +(am62x_beagleplay_r5) binman: object of type 'NoneType' has no len() +(am62x_beagleplay_r5) make[1]: *** [Makefile:1126: .binman_stamp] Error 1 +(am62x_beagleplay_r5) make: *** [Makefile:177: sub-make] Error 2 0 0 1 /1 am62x_beagleplay_r5
Tom, this is failing in the CI container because the container is missing the mkeficapsule tool.
To solve this, we just need to add it to the CI container.
My understanding of binman's handling of missing bintools is that it should gracefully continue with fake data, so that buildman can successfully test out builds for boards even when you don't have all the required bintools. If I have that correct, I can also create a patch to properly handle this when using mkeficapsule. But I want to verify this is the desired behavior, since mkeficapsule isn't a unique or vendor specific tool, so shouldn't we require it as part of the U-Boot build environment and err out if it is missing?
thanks Jon
-- Tom
On Tue, May 21, 2024 at 09:20:26PM -0500, Jon Humphreys wrote:
Tom Rini trini@konsulko.com writes:
On Fri, Apr 19, 2024 at 04:28:16PM -0500, Jonathan Humphreys wrote:
Fill in the BeaglePlay's capsule GUID properties of the base binman capsule nodes.
Signed-off-by: Jonathan Humphreys j-humphreys@ti.com
arch/arm/dts/k3-am625-beagleplay-u-boot.dtsi | 27 ++++++++++++++++++++ arch/arm/dts/k3-am625-r5-beagleplay.dts | 15 +++++++++++ 2 files changed, 42 insertions(+)
This series introduces failure to build in CI, and it's a little tricky to replicate locally, depending on your environment. You first need to NOT have BINMAN_INDIRS set and instead be using fake binaries. Second, it seems python version dependent perhaps? I don't see this on my host, but by:
- Using the CI container
- Setting up a virtualenv inside of it
- pip install -r tools/buildman/requirements.txt
I get: $ ./tools/buildman/buildman --keep-outputs --reproducible-builds -dvel --force-build -PEWM --output /tmp/am62x_beagleplay_r5 --board am62x_beagleplay_r5 Building current source for 1 boards (1 thread, 12 jobs per thread) arm: + am62x_beagleplay_r5 +(am62x_beagleplay_r5) Image 'tiboot3-am62x-gp-evm.bin' is missing optional external blobs but is still functional: ti-fs-gp.bin +(am62x_beagleplay_r5) +(am62x_beagleplay_r5) /binman/tiboot3-am62x-gp-evm.bin/ti-fs-gp.bin (ti-sysfw/ti-fs-firmware-am62x-gp.bin): +(am62x_beagleplay_r5) Missing blob +(am62x_beagleplay_r5) binman: object of type 'NoneType' has no len() +(am62x_beagleplay_r5) make[1]: *** [Makefile:1126: .binman_stamp] Error 1 +(am62x_beagleplay_r5) make: *** [Makefile:177: sub-make] Error 2 0 0 1 /1 am62x_beagleplay_r5
Tom, this is failing in the CI container because the container is missing the mkeficapsule tool.
To solve this, we just need to add it to the CI container.
My understanding of binman's handling of missing bintools is that it should gracefully continue with fake data, so that buildman can successfully test out builds for boards even when you don't have all the required bintools. If I have that correct, I can also create a patch to properly handle this when using mkeficapsule. But I want to verify this is the desired behavior, since mkeficapsule isn't a unique or vendor specific tool, so shouldn't we require it as part of the U-Boot build environment and err out if it is missing?
Perhaps it's a binman issue since we build mkeficapsule or at least should be? Neha?
Tom Rini trini@konsulko.com writes:
On Tue, May 21, 2024 at 09:20:26PM -0500, Jon Humphreys wrote:
Tom Rini trini@konsulko.com writes:
On Fri, Apr 19, 2024 at 04:28:16PM -0500, Jonathan Humphreys wrote:
Fill in the BeaglePlay's capsule GUID properties of the base binman capsule nodes.
Signed-off-by: Jonathan Humphreys j-humphreys@ti.com
arch/arm/dts/k3-am625-beagleplay-u-boot.dtsi | 27 ++++++++++++++++++++ arch/arm/dts/k3-am625-r5-beagleplay.dts | 15 +++++++++++ 2 files changed, 42 insertions(+)
This series introduces failure to build in CI, and it's a little tricky to replicate locally, depending on your environment. You first need to NOT have BINMAN_INDIRS set and instead be using fake binaries. Second, it seems python version dependent perhaps? I don't see this on my host, but by:
- Using the CI container
- Setting up a virtualenv inside of it
- pip install -r tools/buildman/requirements.txt
I get: $ ./tools/buildman/buildman --keep-outputs --reproducible-builds -dvel --force-build -PEWM --output /tmp/am62x_beagleplay_r5 --board am62x_beagleplay_r5 Building current source for 1 boards (1 thread, 12 jobs per thread) arm: + am62x_beagleplay_r5 +(am62x_beagleplay_r5) Image 'tiboot3-am62x-gp-evm.bin' is missing optional external blobs but is still functional: ti-fs-gp.bin +(am62x_beagleplay_r5) +(am62x_beagleplay_r5) /binman/tiboot3-am62x-gp-evm.bin/ti-fs-gp.bin (ti-sysfw/ti-fs-firmware-am62x-gp.bin): +(am62x_beagleplay_r5) Missing blob +(am62x_beagleplay_r5) binman: object of type 'NoneType' has no len() +(am62x_beagleplay_r5) make[1]: *** [Makefile:1126: .binman_stamp] Error 1 +(am62x_beagleplay_r5) make: *** [Makefile:177: sub-make] Error 2 0 0 1 /1 am62x_beagleplay_r5
Tom, this is failing in the CI container because the container is missing the mkeficapsule tool.
To solve this, we just need to add it to the CI container.
My understanding of binman's handling of missing bintools is that it should gracefully continue with fake data, so that buildman can successfully test out builds for boards even when you don't have all the required bintools. If I have that correct, I can also create a patch to properly handle this when using mkeficapsule. But I want to verify this is the desired behavior, since mkeficapsule isn't a unique or vendor specific tool, so shouldn't we require it as part of the U-Boot build environment and err out if it is missing?
Perhaps it's a binman issue since we build mkeficapsule or at least should be? Neha?
Never mind - I figured it out.
The mkeficapsule tools is built by u-boot if TOOLS_MKEFICAPSULE config is set. I didn't explicitly set it because it is implied by EFI_CAPSULE_ON_DISK config. But this is only set for the A core u-boot, as that is what would apply the capsules. SPL running on the R cores does not need this. But that then means that the R core u-boot builds don't have TOOLS_MKEFICAPSULE set and if that is all that is being built (as in the case of buildman), the mkeficapsule tool isn't built and so is missing.
So I need to explicitly set TOOLS_MKEFICAPSULE in the R core defconfigs. I'll repost the patches.
Thanks for catching the bug, Jon
-- Tom
On Wed, May 22, 2024 at 11:12:35PM -0500, Jon Humphreys wrote:
Tom Rini trini@konsulko.com writes:
On Tue, May 21, 2024 at 09:20:26PM -0500, Jon Humphreys wrote:
Tom Rini trini@konsulko.com writes:
On Fri, Apr 19, 2024 at 04:28:16PM -0500, Jonathan Humphreys wrote:
Fill in the BeaglePlay's capsule GUID properties of the base binman capsule nodes.
Signed-off-by: Jonathan Humphreys j-humphreys@ti.com
arch/arm/dts/k3-am625-beagleplay-u-boot.dtsi | 27 ++++++++++++++++++++ arch/arm/dts/k3-am625-r5-beagleplay.dts | 15 +++++++++++ 2 files changed, 42 insertions(+)
This series introduces failure to build in CI, and it's a little tricky to replicate locally, depending on your environment. You first need to NOT have BINMAN_INDIRS set and instead be using fake binaries. Second, it seems python version dependent perhaps? I don't see this on my host, but by:
- Using the CI container
- Setting up a virtualenv inside of it
- pip install -r tools/buildman/requirements.txt
I get: $ ./tools/buildman/buildman --keep-outputs --reproducible-builds -dvel --force-build -PEWM --output /tmp/am62x_beagleplay_r5 --board am62x_beagleplay_r5 Building current source for 1 boards (1 thread, 12 jobs per thread) arm: + am62x_beagleplay_r5 +(am62x_beagleplay_r5) Image 'tiboot3-am62x-gp-evm.bin' is missing optional external blobs but is still functional: ti-fs-gp.bin +(am62x_beagleplay_r5) +(am62x_beagleplay_r5) /binman/tiboot3-am62x-gp-evm.bin/ti-fs-gp.bin (ti-sysfw/ti-fs-firmware-am62x-gp.bin): +(am62x_beagleplay_r5) Missing blob +(am62x_beagleplay_r5) binman: object of type 'NoneType' has no len() +(am62x_beagleplay_r5) make[1]: *** [Makefile:1126: .binman_stamp] Error 1 +(am62x_beagleplay_r5) make: *** [Makefile:177: sub-make] Error 2 0 0 1 /1 am62x_beagleplay_r5
Tom, this is failing in the CI container because the container is missing the mkeficapsule tool.
To solve this, we just need to add it to the CI container.
My understanding of binman's handling of missing bintools is that it should gracefully continue with fake data, so that buildman can successfully test out builds for boards even when you don't have all the required bintools. If I have that correct, I can also create a patch to properly handle this when using mkeficapsule. But I want to verify this is the desired behavior, since mkeficapsule isn't a unique or vendor specific tool, so shouldn't we require it as part of the U-Boot build environment and err out if it is missing?
Perhaps it's a binman issue since we build mkeficapsule or at least should be? Neha?
Never mind - I figured it out.
The mkeficapsule tools is built by u-boot if TOOLS_MKEFICAPSULE config is set. I didn't explicitly set it because it is implied by EFI_CAPSULE_ON_DISK config. But this is only set for the A core u-boot, as that is what would apply the capsules. SPL running on the R cores does not need this. But that then means that the R core u-boot builds don't have TOOLS_MKEFICAPSULE set and if that is all that is being built (as in the case of buildman), the mkeficapsule tool isn't built and so is missing.
So I need to explicitly set TOOLS_MKEFICAPSULE in the R core defconfigs. I'll repost the patches.
Interesting. My next thought here is that whatever symbol is allowing for "make a capsule" should be select'ing TOOLS_MKEFICAPSULE and so the current logic is a bit flawed. I'm just not sure off-hand where it should be instead, do you have some ideas now? Thanks.
Tom Rini trini@konsulko.com writes:
On Wed, May 22, 2024 at 11:12:35PM -0500, Jon Humphreys wrote:
Tom Rini trini@konsulko.com writes:
On Tue, May 21, 2024 at 09:20:26PM -0500, Jon Humphreys wrote:
Tom Rini trini@konsulko.com writes:
On Fri, Apr 19, 2024 at 04:28:16PM -0500, Jonathan Humphreys wrote:
Fill in the BeaglePlay's capsule GUID properties of the base binman capsule nodes.
Signed-off-by: Jonathan Humphreys j-humphreys@ti.com
arch/arm/dts/k3-am625-beagleplay-u-boot.dtsi | 27 ++++++++++++++++++++ arch/arm/dts/k3-am625-r5-beagleplay.dts | 15 +++++++++++ 2 files changed, 42 insertions(+)
This series introduces failure to build in CI, and it's a little tricky to replicate locally, depending on your environment. You first need to NOT have BINMAN_INDIRS set and instead be using fake binaries. Second, it seems python version dependent perhaps? I don't see this on my host, but by:
- Using the CI container
- Setting up a virtualenv inside of it
- pip install -r tools/buildman/requirements.txt
I get: $ ./tools/buildman/buildman --keep-outputs --reproducible-builds -dvel --force-build -PEWM --output /tmp/am62x_beagleplay_r5 --board am62x_beagleplay_r5 Building current source for 1 boards (1 thread, 12 jobs per thread) arm: + am62x_beagleplay_r5 +(am62x_beagleplay_r5) Image 'tiboot3-am62x-gp-evm.bin' is missing optional external blobs but is still functional: ti-fs-gp.bin +(am62x_beagleplay_r5) +(am62x_beagleplay_r5) /binman/tiboot3-am62x-gp-evm.bin/ti-fs-gp.bin (ti-sysfw/ti-fs-firmware-am62x-gp.bin): +(am62x_beagleplay_r5) Missing blob +(am62x_beagleplay_r5) binman: object of type 'NoneType' has no len() +(am62x_beagleplay_r5) make[1]: *** [Makefile:1126: .binman_stamp] Error 1 +(am62x_beagleplay_r5) make: *** [Makefile:177: sub-make] Error 2 0 0 1 /1 am62x_beagleplay_r5
Tom, this is failing in the CI container because the container is missing the mkeficapsule tool.
To solve this, we just need to add it to the CI container.
My understanding of binman's handling of missing bintools is that it should gracefully continue with fake data, so that buildman can successfully test out builds for boards even when you don't have all the required bintools. If I have that correct, I can also create a patch to properly handle this when using mkeficapsule. But I want to verify this is the desired behavior, since mkeficapsule isn't a unique or vendor specific tool, so shouldn't we require it as part of the U-Boot build environment and err out if it is missing?
Perhaps it's a binman issue since we build mkeficapsule or at least should be? Neha?
Never mind - I figured it out.
The mkeficapsule tools is built by u-boot if TOOLS_MKEFICAPSULE config is set. I didn't explicitly set it because it is implied by EFI_CAPSULE_ON_DISK config. But this is only set for the A core u-boot, as that is what would apply the capsules. SPL running on the R cores does not need this. But that then means that the R core u-boot builds don't have TOOLS_MKEFICAPSULE set and if that is all that is being built (as in the case of buildman), the mkeficapsule tool isn't built and so is missing.
So I need to explicitly set TOOLS_MKEFICAPSULE in the R core defconfigs. I'll repost the patches.
Interesting. My next thought here is that whatever symbol is allowing for "make a capsule" should be select'ing TOOLS_MKEFICAPSULE and so the current logic is a bit flawed. I'm just not sure off-hand where it should be instead, do you have some ideas now? Thanks.
There is no config that indicates that capsules will be generated for the resulting binary. The only thing I can think of is to scan the board's DTB for the presence of a capsule binman node, and then set the TOOLS_MKEFICAPSULE config. But this seems very complicated to do at build time.
Jon
-- Tom
On Thu, May 23, 2024 at 04:09:38PM -0500, Jon Humphreys wrote:
Tom Rini trini@konsulko.com writes:
On Wed, May 22, 2024 at 11:12:35PM -0500, Jon Humphreys wrote:
Tom Rini trini@konsulko.com writes:
On Tue, May 21, 2024 at 09:20:26PM -0500, Jon Humphreys wrote:
Tom Rini trini@konsulko.com writes:
On Fri, Apr 19, 2024 at 04:28:16PM -0500, Jonathan Humphreys wrote:
> Fill in the BeaglePlay's capsule GUID properties of the base binman capsule > nodes. > > Signed-off-by: Jonathan Humphreys j-humphreys@ti.com > --- > arch/arm/dts/k3-am625-beagleplay-u-boot.dtsi | 27 ++++++++++++++++++++ > arch/arm/dts/k3-am625-r5-beagleplay.dts | 15 +++++++++++ > 2 files changed, 42 insertions(+)
This series introduces failure to build in CI, and it's a little tricky to replicate locally, depending on your environment. You first need to NOT have BINMAN_INDIRS set and instead be using fake binaries. Second, it seems python version dependent perhaps? I don't see this on my host, but by:
- Using the CI container
- Setting up a virtualenv inside of it
- pip install -r tools/buildman/requirements.txt
I get: $ ./tools/buildman/buildman --keep-outputs --reproducible-builds -dvel --force-build -PEWM --output /tmp/am62x_beagleplay_r5 --board am62x_beagleplay_r5 Building current source for 1 boards (1 thread, 12 jobs per thread) arm: + am62x_beagleplay_r5 +(am62x_beagleplay_r5) Image 'tiboot3-am62x-gp-evm.bin' is missing optional external blobs but is still functional: ti-fs-gp.bin +(am62x_beagleplay_r5) +(am62x_beagleplay_r5) /binman/tiboot3-am62x-gp-evm.bin/ti-fs-gp.bin (ti-sysfw/ti-fs-firmware-am62x-gp.bin): +(am62x_beagleplay_r5) Missing blob +(am62x_beagleplay_r5) binman: object of type 'NoneType' has no len() +(am62x_beagleplay_r5) make[1]: *** [Makefile:1126: .binman_stamp] Error 1 +(am62x_beagleplay_r5) make: *** [Makefile:177: sub-make] Error 2 0 0 1 /1 am62x_beagleplay_r5
Tom, this is failing in the CI container because the container is missing the mkeficapsule tool.
To solve this, we just need to add it to the CI container.
My understanding of binman's handling of missing bintools is that it should gracefully continue with fake data, so that buildman can successfully test out builds for boards even when you don't have all the required bintools. If I have that correct, I can also create a patch to properly handle this when using mkeficapsule. But I want to verify this is the desired behavior, since mkeficapsule isn't a unique or vendor specific tool, so shouldn't we require it as part of the U-Boot build environment and err out if it is missing?
Perhaps it's a binman issue since we build mkeficapsule or at least should be? Neha?
Never mind - I figured it out.
The mkeficapsule tools is built by u-boot if TOOLS_MKEFICAPSULE config is set. I didn't explicitly set it because it is implied by EFI_CAPSULE_ON_DISK config. But this is only set for the A core u-boot, as that is what would apply the capsules. SPL running on the R cores does not need this. But that then means that the R core u-boot builds don't have TOOLS_MKEFICAPSULE set and if that is all that is being built (as in the case of buildman), the mkeficapsule tool isn't built and so is missing.
So I need to explicitly set TOOLS_MKEFICAPSULE in the R core defconfigs. I'll repost the patches.
Interesting. My next thought here is that whatever symbol is allowing for "make a capsule" should be select'ing TOOLS_MKEFICAPSULE and so the current logic is a bit flawed. I'm just not sure off-hand where it should be instead, do you have some ideas now? Thanks.
There is no config that indicates that capsules will be generated for the resulting binary. The only thing I can think of is to scan the board's DTB for the presence of a capsule binman node, and then set the TOOLS_MKEFICAPSULE config. But this seems very complicated to do at build time.
Yeah, that's the wrong direction I think. We should perhaps just make TOOLS_MKEFICAPSULE default y if EFI_LOADER instead.
Fill in the am62px SK's capsule GUID properties of the base binman capsule nodes.
Signed-off-by: Jonathan Humphreys j-humphreys@ti.com --- arch/arm/dts/k3-am62p-sk-binman.dtsi | 29 ++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+)
diff --git a/arch/arm/dts/k3-am62p-sk-binman.dtsi b/arch/arm/dts/k3-am62p-sk-binman.dtsi index dea14945bf5..3ec73022c60 100644 --- a/arch/arm/dts/k3-am62p-sk-binman.dtsi +++ b/arch/arm/dts/k3-am62p-sk-binman.dtsi @@ -59,6 +59,17 @@ }; };
+#include "k3-binman-capsule-r5.dtsi" + +// Capsule update GUIDs in string form. See am62px_evm.h +#define AM62PX_SK_TIBOOT3_IMAGE_GUID_STR "b08471b7-be2d-4489-87a1-cab28a0cf743" + +&capsule_tiboot3 { + efi-capsule { + image-guid = AM62PX_SK_TIBOOT3_IMAGE_GUID_STR; + }; +}; + #endif /* CONFIG_TARGET_AM62P5_R5_EVM */
#if IS_ENABLED(CONFIG_TARGET_AM62P5_A53_EVM) @@ -170,4 +181,22 @@ }; };
+#include "k3-binman-capsule.dtsi" + +// Capsule update GUIDs in string form. See am62px_evm.h +#define AM62PX_SK_SPL_IMAGE_GUID_STR "d02ed781-6d71-4c1a-a999-3c6a41c36324" +#define AM62PX_SK_UBOOT_IMAGE_GUID_STR "7e6aea51-965c-44ab-b388-daeb03b54f66" + +&capsule_tispl { + efi-capsule { + image-guid = AM62PX_SK_SPL_IMAGE_GUID_STR; + }; +}; + +&capsule_uboot { + efi-capsule { + image-guid = AM62PX_SK_UBOOT_IMAGE_GUID_STR; + }; +}; + #endif /* CONFIG_TARGET_AM62P5_A53_EVM */
Fill in the am62x SK's capsule GUID properties of the base binman capsule nodes.
Signed-off-by: Jonathan Humphreys j-humphreys@ti.com --- arch/arm/dts/k3-am625-sk-binman.dtsi | 30 ++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+)
diff --git a/arch/arm/dts/k3-am625-sk-binman.dtsi b/arch/arm/dts/k3-am625-sk-binman.dtsi index dfd38d64f63..eadfa398fa3 100644 --- a/arch/arm/dts/k3-am625-sk-binman.dtsi +++ b/arch/arm/dts/k3-am625-sk-binman.dtsi @@ -137,6 +137,17 @@ }; };
+#include "k3-binman-capsule-r5.dtsi" + +// Capsule update GUIDs in string form. See am62x_evm.h +#define AM62X_SK_TIBOOT3_IMAGE_GUID_STR "abcb83d2-9cb6-4351-b8f1-6494bbe3700a" + +&capsule_tiboot3 { + efi-capsule { + image-guid = AM62X_SK_TIBOOT3_IMAGE_GUID_STR; + }; +}; + #endif
#ifdef CONFIG_TARGET_AM625_A53_EVM @@ -452,4 +463,23 @@ }; }; }; + +#include "k3-binman-capsule.dtsi" + +// Capsule update GUIDs in string form. See am62x_evm.h +#define AM62X_SK_SPL_IMAGE_GUID_STR "aee355fc-bf97-4264-8c82-437255efdc1d" +#define AM62X_SK_UBOOT_IMAGE_GUID_STR "28ab8c6c-fca8-41d3-8ea1-5f171b7d2929" + +&capsule_tispl { + efi-capsule { + image-guid = AM62X_SK_SPL_IMAGE_GUID_STR; + }; +}; + +&capsule_uboot { + efi-capsule { + image-guid = AM62X_SK_UBOOT_IMAGE_GUID_STR; + }; +}; + #endif
Fill in the BeagleBoneAI64's capsule GUID properties of the base binman capsule nodes. Also add it's SYSFW binman capsule node.
Signed-off-by: Jonathan Humphreys j-humphreys@ti.com --- .../dts/k3-j721e-beagleboneai64-u-boot.dtsi | 23 +++++++++++++++ arch/arm/dts/k3-j721e-r5-beagleboneai64.dts | 29 +++++++++++++++++++ 2 files changed, 52 insertions(+)
diff --git a/arch/arm/dts/k3-j721e-beagleboneai64-u-boot.dtsi b/arch/arm/dts/k3-j721e-beagleboneai64-u-boot.dtsi index e202ae16644..884f44239e1 100644 --- a/arch/arm/dts/k3-j721e-beagleboneai64-u-boot.dtsi +++ b/arch/arm/dts/k3-j721e-beagleboneai64-u-boot.dtsi @@ -351,4 +351,27 @@ }; }; }; + +#include "k3-binman-capsule.dtsi" + +// Capsule update GUIDs in string form. See beagleboneai64.h +#define BEAGLEBONEAI64_SPL_IMAGE_GUID_STR "83447222-1e26-40cd-a395-b7de0957e875" +#define BEAGLEBONEAI64_UBOOT_IMAGE_GUID_STR "4249ff77-c17d-4eb7-a1db-45aa9887d49e" + +&capsule_tispl { + efi-capsule { + image-guid = BEAGLEBONEAI64_SPL_IMAGE_GUID_STR; + + blob { + filename = "tispl.bin_unsigned"; + }; + }; +}; + +&capsule_uboot { + efi-capsule { + image-guid = BEAGLEBONEAI64_UBOOT_IMAGE_GUID_STR; + }; +}; + #endif diff --git a/arch/arm/dts/k3-j721e-r5-beagleboneai64.dts b/arch/arm/dts/k3-j721e-r5-beagleboneai64.dts index 43da4dafba8..d4ef18248b0 100644 --- a/arch/arm/dts/k3-j721e-r5-beagleboneai64.dts +++ b/arch/arm/dts/k3-j721e-r5-beagleboneai64.dts @@ -183,3 +183,32 @@ }; }; }; + +#include "k3-binman-capsule-r5.dtsi" + +// Capsue update GUIDs. See beagleboneai64.h. +#define BEAGLEBONEAI64_TIBOOT3_IMAGE_GUID_STR "772a4810-2194-4923-8754-0115870ef367" +#define BEAGLEBONEAI64_SYSFW_IMAGE_GUID_STR "dfc9c683-49b7-46bd-b3c1-3a3b2fdb135b" + +&capsule_tiboot3 { + efi-capsule { + image-guid = BEAGLEBONEAI64_TIBOOT3_IMAGE_GUID_STR; + }; +}; + +&binman { + capsule-sysfw { + filename = "sysfw-capsule.bin"; + efi-capsule { + image-index = <0x4>; + image-guid = BEAGLEBONEAI64_SYSFW_IMAGE_GUID_STR; + private-key = "arch/arm/mach-k3/keys/custMpk.pem"; + public-key-cert = "arch/arm/mach-k3/keys/custMpk.crt"; + monotonic-count = <0x1>; + + blob { + filename = "sysfw.itb"; + }; + }; + }; +};
participants (3)
-
Jon Humphreys -
Jonathan Humphreys
-
Tom Rini