Commit graph

794 commits

Author SHA1 Message Date
Tom Rini
0d53be75c7 Merge patch series "ATF and OP-TEE Firewalling for K3 devices."
Manorit Chawdhry <m-chawdhry@ti.com> says:

K3 devices have firewalls that are used to prevent illegal accesses to
memory regions that are deemed secure. The series prevents the illegal
accesses to ATF and OP-TEE regions that are present in different K3
devices.

AM62X, AM62AX and AM64X are currently in hold due to some firewall
configurations that our System Controller (TIFS) needs to handle.
The devices that are not configured with the firewalling nodes will not
be affected and can continue to work fine until the firewall nodes are
added so will be a non-blocking merge.

Test Logs: https://gist.github.com/manorit2001/4cead2fb3a19eb5d19005b3f54682627
CICD Run: https://github.com/u-boot/u-boot/pull/442
2024-01-04 16:53:49 -05:00
Manorit Chawdhry
ba51299f60 binman: ftest: Add test for ti-secure firewall node
Add test for TI firewalling node in ti-secure.

Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
2024-01-04 16:48:00 -05:00
Manorit Chawdhry
a3e407bef7 binman: ti-secure: Add support for firewalling entities
We can now firewall entities while loading them through our secure
entity TIFS, the required information should be present in the
certificate that is being parsed by TIFS.

The following commit adds the support to enable the certificates to be
generated if the firewall configurations are present in the binman dtsi
nodes.

Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
2024-01-04 16:48:00 -05:00
Heinrich Schuchardt
69c3705be9 binman: used-before-assignment in ftest.py
Pytest 7.4.3 complains if a variable is used in a finally clause without
having been initialized before the try clause.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2023-12-31 07:21:02 -07:00
Heinrich Schuchardt
ace49c7df7 binman: elf: Using variable 'old_val' before assignment
old_val can only be assumed initialized in the finally block
if it is assigned a value before the try statement.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2023-12-13 18:39:06 -05:00
Neha Malcom Francis
23d2ef91ef binman: etype: dm: Add entry type for TI DM
K3 devices introduces the concept of centralized power, resource and
security management to System Firmware. This is to overcome challenges
by the traditional approach that implements system control functions on
each of the processing units.

The software interface for System Firmware is split into TIFS and DM. DM
(Device Manager) is responsible for resource and power management from
secure and non-secure hosts. This additional binary is necessary for
specific platforms' ROM boot images and is to be packaged into tispl.bin

Add an entry for DM. The entry can be used for the packaging of
tispl.bin by binman along with ATF and TEE.

Signed-off-by: Neha Malcom Francis <n-francis@ti.com>
Reviewed-by: Andrew Davis <afd@ti.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2023-12-13 18:39:06 -05:00
Dario Binacchi
838447aa7b binman: doc: fix typo
s/use set/set/

Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Reviewed-By: Michael Trimarchi <michael@amarulasolutions.com>
2023-12-13 18:39:06 -05:00
Simon Glass
049ee90903 tools: Move python tools to version 0.0.6
A new release has been done with this version, so update it. Use the
version numbers in dependencies also.

Signed-off-by: Simon Glass <sjg@chromium.org>
2023-12-13 18:39:06 -05:00
Simon Glass
4c4977cbc9 doc: Update documentation URL
Update to use the new docs.u-boot.org URL for documentation.

Signed-off-by: Simon Glass <sjg@chromium.org>
2023-12-13 18:39:05 -05:00
Heinrich Schuchardt
b214e88071 doc: shorten overlong title underlines
Title underlines should match the length of the title. Unfortunately
docutils only catches underlines that are too short.

Add some missing empty lines after titles.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2023-11-11 01:44:08 +01:00
Neha Malcom Francis
a4ed4c8a51 binman: openssl: x509: ti_secure_rom: Add support for bootcore_opts
According to the TRMs of K3 platform of devices, the ROM boot image
format specifies a "Core Options Field" that provides the capability to
set the boot core in lockstep when set to 0 or to split mode when set
to 2. Add support for providing the same from the binman DTS. Also
modify existing test case for ensuring future coverage.

Signed-off-by: Neha Malcom Francis <n-francis@ti.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2023-11-02 22:38:01 -04:00
Simon Glass
ce0e9e3990 binman: Move stage header into a CBFS attribute
cbfsutil completely changed the way that stages are formatted in CBFS.
Adjust the binman implementation to do the same.

This mirrors commit 81dc20e744 in coreboot.

Signed-off-by: Simon Glass <sjg@chromium.org>
2023-11-02 22:38:01 -04:00
Simon Glass
fe35c2f011 binman: Rename TYPE_STAGE to TYPE_LEGACY_STAGE
In preparation for changing how stages are stored, rename the existing
stage tag.

Signed-off-by: Simon Glass <sjg@chromium.org>
2023-11-02 22:38:01 -04:00
Simon Glass
ab326010a9 binman: Replace FILENAME_ALIGN 16 with ATTRIBUTE_ALIGN 4
cbfsutil changed to 4-byte alignment for filenames instead of 16.
Adjust the binman implementation to do the same.

This mirrors commit 5779ca718c in coreboot.

Signed-off-by: Simon Glass <sjg@chromium.org>
2023-11-02 22:38:01 -04:00
Simon Glass
e9199a74e0 binman: Ensure attributes always come last in the metadata
cbfsutil changed to write zero bytes instead of 0xff when a small
padding must be added. Adjust the binman implementation to do the same.

Drop the code which looks for an unused attribute tag, since it is not
used. A future patch moves the attributes to the end of the header in
any case, so no data will follow the attributes.

This mirrors commit f0cc7adb2f in coreboot.

Signed-off-by: Simon Glass <sjg@chromium.org>
2023-11-02 22:38:01 -04:00
Simon Glass
bd13255a91 binman: Don't add compression attribute for uncompressed files
cbfsutil changed to skip adding a compression attribute if there is no
compression. Adjust the binman implementation to do the same.

This mirrors commit 105cdf5625 in coreboot.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Neha Malcom Francis <n-francis@ti.com>
2023-11-02 22:37:50 -04:00
Simon Glass
823f5c3a02 binman: Reset missing bintools after testing
For tests which fake bintools being missing, we need to reset the list
afterwards, to ensure that future tests do not also see the bintools as
missing.

Reset the list when processing is complete.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Neha Malcom Francis <n-francis@ti.com>
2023-11-02 09:38:54 -06:00
Sughosh Ganu
74aae507bc binman: capsule: Add support for generating EFI empty capsules
Add support in binman for generating EFI empty capsules. These
capsules are used in the FWU A/B update feature. Also add test cases
in binman for the corresponding code coverage.

Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
2023-10-13 14:01:42 -06:00
Sughosh Ganu
f1c8fc5e67 btool: mkeficapsule: Add support for EFI empty capsule generation
Add a method to the mkeficapsule bintool to generate empty
capsules. These are capsules needed for the FWU A/B update feature.

Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
2023-10-13 14:01:42 -06:00
Sughosh Ganu
809f28e721 binman: capsule: Use dumped capsule header contents for verification
The various fields of a generated capsule are currently verified
through hard-coded offsets. Use the dump-capsule feature for dumping
the capsule header contents and use those for capsule verification.

Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
2023-10-13 14:01:42 -06:00
Sughosh Ganu
bb8f892052 binman: capsule: Remove superfluous [address, size]-cells properties
The #address-cells and #size-cells are not needed for running the
capsule generation binman tests. Remove the superfluous properties.

Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
2023-10-13 14:01:42 -06:00
Lukas Funke
bff16109e3 binman: bintool: Change make target arg type from string to list
The argument type of `build_from_git` was changed from string to list
in d71e711699.

This commit adapts the argument type of all bintools using this
function.

Signed-off-by: Lukas Funke <lukas.funke@weidmueller.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Tested-by: Simon Glass <sjg@chromium.org>
2023-10-13 10:15:41 -07:00
Tom Rini
ac897385bb Merge branch 'next'
Signed-off-by: Tom Rini <trini@konsulko.com>
2023-10-02 10:55:44 -04:00
Heinrich Schuchardt
c65beebfae binman: doc: Remove incomplete sentence
This is the difference between version 1 and 2 of Massimo's patch:

binman: doc: fix reference tag placement for Logging section
v2: https://lore.kernel.org/u-boot/20230913161633.999542-1-massimo.pegorer+oss@gmail.com/
v1: https://lore.kernel.org/u-boot/20230909135235.21242-1-massimo.pegorer+oss@gmail.com/

Fixes: 0f40e23fd2 ("binman: add documentation for binman sign option")
Signed-off-by: Massimo Pegorer <massimo.pegorer+oss@gmail.com>
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Acked-by: Massimo Pegorer <massimo.pegorer+oss@gmail.com>
2023-09-29 12:56:49 +02:00
Rong Tao
ba4034a504 binman: Fix SyntaxWarning: invalid escape sequence '\('
Reproduct warning:

    $ git clean -dfx
    $ make CROSS_COMPILE="" qemu-x86_64_defconfig
    $ make -j8
    ...
    u-boot/tools/binman/etype/section.py:25:
    SyntaxWarning: invalid escape sequence '\('
    """Entry that contains other entries

Signed-off-by: Rong Tao <rongtao@cestc.cn>
2023-09-23 09:00:37 -06:00
Massimo Pegorer
8bd7d08407 binman: doc: fix reference tag placement for Logging section
Move BinmanLogging reference tag after section "Signing FIT container
with private key in an image" and just before section "Logging".

Fixes: 0f40e23fd2 ("binman: add documentation for binman sign option")
Signed-off-by: Massimo Pegorer <massimo.pegorer+oss@gmail.com>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2023-09-16 18:17:25 +02:00
Tom Rini
ddec4cae62 Prepare v2023.10-rc4
-----BEGIN PGP SIGNATURE-----
 
 iQGzBAABCgAdFiEEGjx/cOCPqxcHgJu/FHw5/5Y0tywFAmT17FsACgkQFHw5/5Y0
 tywn0gwAlRs5NZ4ierzvDiLQEvYgV6E+lLccwyf8mMfJVHicrrW/ckxqJGS2mrLz
 IoA0pO1oF/HFfR/0pgx9Pb2kuIK1tkCeVNYW6t9EDbEJzrbfdvykBcSB4wgKYpgB
 ZgCga0jsPNM951Y3a3TElNEet4pVTZrDLu0E2UR6zNzr5hpKnfoQTZRfBI1MyCq4
 w4/Eo2wAnnaV1lcobg9LzM6uyDnETxWyTI7DIJYSqkEgT0WcF6zrdW55MaXtrPo5
 RZ4q5MTJQwqnTV5awsmgEt8PSC+XQcPHMPrVCwoOZAdru+5zO3AWpbqq1q6K+y9U
 FEsaJ6HGn5BdITgmIK/lb8oTekfOkDPFF3WuFp5bZ6L0A63ANu/MMWHELyyt5+0z
 TlnU94PVxiLnPMzZtfBPWRQ3jIU5qltJaoW0pKwsoa7P8iUd1WZgYyN+G9WPgwFr
 XUemGRNkgnWfRoxcKGbaYDSB0Llp6m/zqPlGfhlt0ZKXc6igLu3/egRh7/8zLR0i
 y9uBKG45
 =s9vZ
 -----END PGP SIGNATURE-----

Merge tag 'v2023.10-rc4' into next

Prepare v2023.10-rc4
2023-09-04 10:51:58 -04:00
Sughosh Ganu
b617611b27 binman: capsule: Add support for generating EFI capsules
Add support in binman for generating EFI capsules. The capsule
parameters can be specified through the capsule binman entry. Also add
test cases in binman for testing capsule generation.

Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
2023-08-29 13:37:54 -04:00
Sughosh Ganu
3bd6fb980b btool: mkeficapsule: Add a bintool for EFI capsule generation
Add a bintool for generating EFI capsules. This calls the mkeficapsule
tool which generates the capsules.

Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
2023-08-29 13:37:54 -04:00
Sughosh Ganu
d71e711699 binman: bintool: Build a tool from a list of commands
Add support to build a tool from source with a list of commands. This
is useful when a tool can be built with multiple commands instead of a
single command.

Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
2023-08-29 13:37:54 -04:00
Simon Glass
bbbf04cc7d Revert "binman: Add a temporary hack for duplicate phandles"
The affected boards have been fixed, so drop this hack.

This reverts commit 288ae53cb7.

Signed-off-by: Simon Glass <sjg@chromium.org>
Acked-by: Tim Harvey <tharvey@gateworks.com>
2023-08-28 15:59:22 -04:00
Lukas Funke
d8a2d3b290 binman: ftest: Add test for xilinx-bootgen etype
Add test for the 'xilinx-bootgen' etype

Signed-off-by: Lukas Funke <lukas.funke@weidmueller.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Allow missing bootgen tool; comment testXilinxBootgenMissing() comment:
Signed-off-by: Simon Glass <sjg@chromium.org>
2023-08-05 11:38:59 -06:00
Lukas Funke
7fcfa9d930 binman: etype: Add xilinx-bootgen etype
This adds a new etype 'xilinx-bootgen'. By using this etype it is
possible to created an signed SPL (FSBL in Xilinx terms) for
ZynqMP boards.

The etype uses Xilinx Bootgen tools in order to transform the SPL into
a bootable image and sign the image with a given primary and secondary
public key. For more information to signing the FSBL please refer to the
Xilinx Bootgen documentation.

Here is an example of the etype in use:

    spl {
        filename = "boot.signed.bin";

        xilinx-bootgen {
            pmufw-filename = "pmu-firmware.elf";
            psk-key-name-hint = "psk0";
            ssk-key-name-hint = "ssk0";
            auth-params = "ppk_select=0", "spk_id=0x00000000";

            u-boot-spl-nodtb {
            };
            u-boot-spl-dtb {
            };
        };
    };

For this to work the hash of the primary public key has to be fused
into the ZynqMP device and authentication (RSA_EN) has to be set.

For testing purposes: if ppk hash check should be skipped one can add
the property 'fsbl_config = "bh_auth_enable";' to the etype. However,
this should only be used for testing(!).

Signed-off-by: Lukas Funke <lukas.funke@weidmueller.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2023-08-05 11:33:18 -06:00
Lukas Funke
7f51fe5c6d binman: btool: Add Xilinx Bootgen btool
Add the Xilinx Bootgen as bintool. Xilinx Bootgen is used to create
bootable SPL (FSBL in Xilinx terms) images for Zynq/ZynqMP devices. The
btool creates a signed version of the SPL. Additionally to signing the
key source for the decryption engine can be passend to the boot image.

Signed-off-by: Lukas Funke <lukas.funke@weidmueller.com>
2023-08-05 11:31:59 -06:00
Simon Glass
93a203d38b binman: Renumber 291 and 292 test files
These have ended up with the same numbers as earlier files. Fix them.

Signed-off-by: Simon Glass <sjg@chromium.org>
2023-08-05 11:31:59 -06:00
Simon Glass
288ae53cb7 binman: Add a temporary hack for duplicate phandles
Three boards use a phandle in a FIT generator and the maintainer is
away. For now, add a hack to allow this.

Signed-off-by: Simon Glass <sjg@chromium.org>
2023-08-02 12:05:57 -06:00
Simon Glass
d4d97661d2 binman: Support templates containing phandles
This provides support for phandles to be copied over from templates. This
is not quite safe, since if the template is instantiated twice (i.e. in
two different nodes), then duplicate phandles will be found. This will
result in an error.

Signed-off-by: Simon Glass <sjg@chromium.org>
2023-08-02 12:05:57 -06:00
Simon Glass
af41b24eba binman: Remove templates after use
It is not necessary to keep templates around after they have been
processed. They can cause confusion and potentially duplicate phandles.

Remove them.

Use the same means of detecting a template node in _ReadImageDesc so that
the two places are consistent.

Signed-off-by: Simon Glass <sjg@chromium.org>
2023-08-02 12:05:57 -06:00
Simon Glass
b2f47a599c binman: Produce a template-file after processing
This file aids debugging when binman fails to get far enough to write out
the final devicetree file. Write it immediate after template processing.

Signed-off-by: Simon Glass <sjg@chromium.org>
2023-08-02 12:05:57 -06:00
Jonas Karlman
8f452bc557 binman: Show filename in missing blob help message
Show the filename next to the node path in missing blob help messages,
also show a generic missing blob message when there was no help message
for the help tag.

Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
Reviewed-by: Simon Glass <sjg@chromium.org>
2023-08-02 12:05:57 -06:00
Jonas Karlman
c2600155af binman: Fix blank line usage for invalid images warning text
There is no blank line between last missing blob help message and the
header line for optional blob help messages.

  Image 'simple-bin' is missing external blobs and is non-functional: atf-bl31

  /binman/simple-bin/fit/images/@atf-SEQ/atf-bl31:
     See the documentation for your board. You may need to build ARM Trusted
     Firmware and build with BL31=/path/to/bl31.bin
  Image 'simple-bin' is missing external blobs but is still functional: tee-os

  /binman/simple-bin/fit/images/@tee-SEQ/tee-os:
     See the documentation for your board. You may need to build Open Portable
     Trusted Execution Environment (OP-TEE) and build with TEE=/path/to/tee.bin

  Some images are invalid

With this a blank line is inserted to make the text more readable.

Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
Reviewed-by: Simon Glass <sjg@chromium.org>
2023-08-02 12:05:57 -06:00
Jonas Karlman
49dcd1c0bb binman: Override CheckOptional in fit entry
Missing optional blobs was not reported for generated entries, e.g.
tee-os on rockchip targets. Implement a CheckOptional to fix this.

After this the following can be shown:

  Image 'simple-bin' is missing optional external blobs but is still functional: tee-os

  /binman/simple-bin/fit/images/@tee-SEQ/tee-os (tee-os):
     See the documentation for your board. You may need to build Open Portable
     Trusted Execution Environment (OP-TEE) and build with TEE=/path/to/tee.bin

Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
Reviewed-by: Simon Glass <sjg@chromium.org>
2023-08-02 12:05:57 -06:00
Jonas Karlman
d92c4dd27d binman: Report missing external blobs using error level
Print missing external blobs using error level and missing optional
external blobs using warning level. Also change to only print the header
line in color, red for missing and yellow for optional.

Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
Reviewed-by: Simon Glass <sjg@chromium.org>
2023-08-02 12:05:57 -06:00
Jonas Karlman
05dec37488 binman: Update missing optional external blob warning text
Make it more clear that the missing external blob is optional in the
printed warning message.

Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
Reviewed-by: Simon Glass <sjg@chromium.org>
2023-08-02 12:05:57 -06:00
Jonas Karlman
321f256c9b binman: Update tee-os missing blob help text
Make it a little bit more clear that it is U-Boot that should be built
with TEE=/path/to/tee.bin and not OP-TEE itself.

Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
Reviewed-by: Simon Glass <sjg@chromium.org>
2023-08-02 12:05:57 -06:00
Lukas Funke
43176ed86d binman: elf: Check for ELF_TOOLS availability and remove extra semicolon
Check if elf tools are available when running DecodeElf(). Also
remove superfuous semicolon at line ending.

Signed-off-by: Lukas Funke <lukas.funke@weidmueller.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Revert part of patch to make binman test pass
Signed-off-by: Simon Glass <sjg@chromium.org>
2023-08-02 07:51:09 -06:00
Lukas Funke
8c1fbd1f60 binman: ftest: Add test for u_boot_spl_pubkey_dtb
Add test for u_boot_spl_pubkey_dtb. The test adds a public key to the
dtb and checks if the required nodes will be added to the images dtb.

Signed-off-by: Lukas Funke <lukas.funke@weidmueller.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2023-07-24 09:34:10 -06:00
Lukas Funke
6cb6425408 binman: doc: Add documentation for Xilinx Bootgen bintool
Add documentation for the 'bootgen' bintool

Signed-off-by: Lukas Funke <lukas.funke@weidmueller.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2023-07-24 09:34:10 -06:00
Lukas Funke
5609843b57 binman: etype: Add u-boot-spl-pubkey-dtb etype
This adds a new etype 'u-boot-spl-pubkey-dtb'. The etype adds the public
key from a certificate to the dtb. This creates a '/signature' node which
is turn contains the fields which make up the public key. Usually this
is done by 'mkimage -K'. However, 'binman sign' does not add the public
key to the SPL. This is why the pubkey is added using this etype.

The etype calls the underlying 'fdt_add_pubkey' tool.

Signed-off-by: Lukas Funke <lukas.funke@weidmueller.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2023-07-24 09:34:10 -06:00
Lukas Funke
671bc43346 binman: btool: Add fdt_add_pubkey as btool
Add btool which calls 'fdt_add_pubkey'

Signed-off-by: Lukas Funke <lukas.funke@weidmueller.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2023-07-24 09:34:10 -06:00