Add test for the 'xilinx-bootgen' etype
Signed-off-by: Lukas Funke <lukas.funke@weidmueller.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Allow missing bootgen tool; comment testXilinxBootgenMissing() comment:
Signed-off-by: Simon Glass <sjg@chromium.org>
This adds a new etype 'xilinx-bootgen'. By using this etype it is
possible to created an signed SPL (FSBL in Xilinx terms) for
ZynqMP boards.
The etype uses Xilinx Bootgen tools in order to transform the SPL into
a bootable image and sign the image with a given primary and secondary
public key. For more information to signing the FSBL please refer to the
Xilinx Bootgen documentation.
Here is an example of the etype in use:
spl {
filename = "boot.signed.bin";
xilinx-bootgen {
pmufw-filename = "pmu-firmware.elf";
psk-key-name-hint = "psk0";
ssk-key-name-hint = "ssk0";
auth-params = "ppk_select=0", "spk_id=0x00000000";
u-boot-spl-nodtb {
};
u-boot-spl-dtb {
};
};
};
For this to work the hash of the primary public key has to be fused
into the ZynqMP device and authentication (RSA_EN) has to be set.
For testing purposes: if ppk hash check should be skipped one can add
the property 'fsbl_config = "bh_auth_enable";' to the etype. However,
this should only be used for testing(!).
Signed-off-by: Lukas Funke <lukas.funke@weidmueller.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Add the Xilinx Bootgen as bintool. Xilinx Bootgen is used to create
bootable SPL (FSBL in Xilinx terms) images for Zynq/ZynqMP devices. The
btool creates a signed version of the SPL. Additionally to signing the
key source for the decryption engine can be passend to the boot image.
Signed-off-by: Lukas Funke <lukas.funke@weidmueller.com>
Three boards use a phandle in a FIT generator and the maintainer is
away. For now, add a hack to allow this.
Signed-off-by: Simon Glass <sjg@chromium.org>
This provides support for phandles to be copied over from templates. This
is not quite safe, since if the template is instantiated twice (i.e. in
two different nodes), then duplicate phandles will be found. This will
result in an error.
Signed-off-by: Simon Glass <sjg@chromium.org>
It is not necessary to keep templates around after they have been
processed. They can cause confusion and potentially duplicate phandles.
Remove them.
Use the same means of detecting a template node in _ReadImageDesc so that
the two places are consistent.
Signed-off-by: Simon Glass <sjg@chromium.org>
This file aids debugging when binman fails to get far enough to write out
the final devicetree file. Write it immediate after template processing.
Signed-off-by: Simon Glass <sjg@chromium.org>
Show the filename next to the node path in missing blob help messages,
also show a generic missing blob message when there was no help message
for the help tag.
Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
Reviewed-by: Simon Glass <sjg@chromium.org>
There is no blank line between last missing blob help message and the
header line for optional blob help messages.
Image 'simple-bin' is missing external blobs and is non-functional: atf-bl31
/binman/simple-bin/fit/images/@atf-SEQ/atf-bl31:
See the documentation for your board. You may need to build ARM Trusted
Firmware and build with BL31=/path/to/bl31.bin
Image 'simple-bin' is missing external blobs but is still functional: tee-os
/binman/simple-bin/fit/images/@tee-SEQ/tee-os:
See the documentation for your board. You may need to build Open Portable
Trusted Execution Environment (OP-TEE) and build with TEE=/path/to/tee.bin
Some images are invalid
With this a blank line is inserted to make the text more readable.
Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
Reviewed-by: Simon Glass <sjg@chromium.org>
Missing optional blobs was not reported for generated entries, e.g.
tee-os on rockchip targets. Implement a CheckOptional to fix this.
After this the following can be shown:
Image 'simple-bin' is missing optional external blobs but is still functional: tee-os
/binman/simple-bin/fit/images/@tee-SEQ/tee-os (tee-os):
See the documentation for your board. You may need to build Open Portable
Trusted Execution Environment (OP-TEE) and build with TEE=/path/to/tee.bin
Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
Reviewed-by: Simon Glass <sjg@chromium.org>
Print missing external blobs using error level and missing optional
external blobs using warning level. Also change to only print the header
line in color, red for missing and yellow for optional.
Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
Reviewed-by: Simon Glass <sjg@chromium.org>
Make it more clear that the missing external blob is optional in the
printed warning message.
Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
Reviewed-by: Simon Glass <sjg@chromium.org>
Make it a little bit more clear that it is U-Boot that should be built
with TEE=/path/to/tee.bin and not OP-TEE itself.
Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
Reviewed-by: Simon Glass <sjg@chromium.org>
Check if elf tools are available when running DecodeElf(). Also
remove superfuous semicolon at line ending.
Signed-off-by: Lukas Funke <lukas.funke@weidmueller.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Revert part of patch to make binman test pass
Signed-off-by: Simon Glass <sjg@chromium.org>
Add test for u_boot_spl_pubkey_dtb. The test adds a public key to the
dtb and checks if the required nodes will be added to the images dtb.
Signed-off-by: Lukas Funke <lukas.funke@weidmueller.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
This adds a new etype 'u-boot-spl-pubkey-dtb'. The etype adds the public
key from a certificate to the dtb. This creates a '/signature' node which
is turn contains the fields which make up the public key. Usually this
is done by 'mkimage -K'. However, 'binman sign' does not add the public
key to the SPL. This is why the pubkey is added using this etype.
The etype calls the underlying 'fdt_add_pubkey' tool.
Signed-off-by: Lukas Funke <lukas.funke@weidmueller.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Add documentation for btool which calls 'fdt_add_pubkey'
Signed-off-by: Lukas Funke <lukas.funke@weidmueller.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
The method 'connect_contents_to_file()' calls ObtainsContents() with
'fake_size' argument. Without providing the argument in the blob_dtb
we are not able to call this method without error.
Signed-off-by: Lukas Funke <lukas.funke@weidmueller.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
While signing a fit compressed data (i.e. 'blob-ext') is decompressed,
but never compressed again. When compressed data was wrapped in a
section, decompression leads to an error because the outer section had
the original compressed size but the inner entry has the
uncompressed size now.
While singing there is no reason to decompress data. Thus, decompression
should be disabled.
Furthermore, bintools should be collected before loading the data. This
way bintools are available if processing is required on a node.
Signed-off-by: Lukas Funke <lukas.funke@weidmueller.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Add tests to reach 100% code coverage for the added etype encrypted.
Signed-off-by: Christian Taedcke <christian.taedcke@weidmueller.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
The new encrypted etype generates a cipher node in the device tree
that should not be evaluated by binman, but still be kept in the
output device tree.
Signed-off-by: Christian Taedcke <christian.taedcke@weidmueller.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
This adds a new etype encrypted.
It creates a new cipher node in the related image similar to the
cipher node used by u-boot, see boot/image-cipher.c.
Signed-off-by: Christian Taedcke <christian.taedcke@weidmueller.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Drop the use of a numbered key file since numbering is just for the test
devicetree files. Also adjust the tests to avoid putting a hard-coded
path to binman in the file, using the entry arg instead.
Signed-off-by: Simon Glass <sjg@chromium.org>
Without this re-building will fail with an error when trying to create
the symlink for the second time with an already exists error.
Signed-off-by: Andrew Davis <afd@ti.com>
[n-francis@ti.com: Added support for test output dir and testcase]
Signed-off-by: Neha Malcom Francis <n-francis@ti.com>
The ti-secure entry contains certificate for binaries that will be
loaded or booted by system firmware whereas the ti-secure-rom entry
contains certificate for binaries that will be booted by ROM. Support
for both these types of certificates is necessary for booting of K3
devices.
Reviewed-by: Simon Glass <sjg@chromium.org>
[vigneshr@ti.com: fixed inconsist cert generation by multiple packing]
Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
Signed-off-by: Neha Malcom Francis <n-francis@ti.com>
The ti-board-config entry loads and validates a given YAML config file
against a given schema, and generates the board config binary. K3
devices require these binaries to be packed into the final system
firmware images.
Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Neha Malcom Francis <n-francis@ti.com>
Add support for writing symbols and determining the assumed position of
binaries inside a mkimage image. This is useful as an example for other
entry types which might want to do the same thing.
Signed-off-by: Simon Glass <sjg@chromium.org>
Collections can used to collect the contents of other entries into a
single entry, but they result in a single entry, with the original entries
'left behind' in their old place.
It is useful to be able to specific a set of entries ones and have it used
in multiple images, or parts of an image.
Implement this mechanism.
Signed-off-by: Simon Glass <sjg@chromium.org>
Fix the check for the __bss_size symbol, since it may be 0. Unfortunately
there was no test coverage for this.
Signed-off-by: Simon Glass <sjg@chromium.org>
This is not needed since the linker script sets it up. Drop the variable
to avoid confusion.
Fix the prototype for main() while we are here.
Signed-off-by: Simon Glass <sjg@chromium.org>
Sometimes multiple boards are built with binman and it is useful to
specify a different FDT list for each. At present this is not possible
without providing multiple values of the of-list entryarg (which is not
supported in the U-Boot build system).
Allow a fit,fdt-list-val string-list property to be used instead.
Signed-off-by: Simon Glass <sjg@chromium.org>
This is needed to handle mkimage with inner section located itself in a
section.
Signed-off-by: Marek Vasut <marex@denx.de>
Use BuildSectionData() instead of ObtainContents(), add tests and a few
other minor fixes:
Signed-off-by: Simon Glass <sjg@chromium.org>
Update the LookupAndWriteSymbols() function to return the number of
symbols written. Also add some logging for when debugging is not
enabled.
Signed-off-by: Simon Glass <sjg@chromium.org>
Some boards don't use symbol writing but do access the symbols in SPL.
Provide an option to work around this.
Signed-off-by: Simon Glass <sjg@chromium.org>
Some section types don't have a simple _entries list. Use the GetEntries()
method in GetEntryContents() and other places to handle this.
This makes the behaviour more consistent.
Signed-off-by: Simon Glass <sjg@chromium.org>
This should be set up in the init function, to avoid a warning about a
property not set up there. Fix it.
Signed-off-by: Simon Glass <sjg@chromium.org>
Add a pragma to deal with the code-coverage gap which drops binman down to
90% coverage.
Fixes: de65b122a2 (tools: Fall back to importlib_resources on Python 3.6)
Signed-off-by: Simon Glass <sjg@chromium.org>
Allow symbol writing in these cases so that U-Boot can find the position
and size of U-Boot at runtime.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>