Currently, the U-Boot FIT image only supports loading the U-Boot image.
To support optee-os and trusted-firmware-a, update the ITS file generation
scripts so that users can use the U-Boot FIT image to load the
u-boot, optee-os and trusted-firmware-a images.
Add a variable "UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A" to
enable the trusted-firmware-a image; it is disabled by default.
Add a variable "UBOOT_FIT_OPTEE_OS" to enable the optee-os image;
it is disabled by default.
The generated ITS file looks as follows.
1. Both optee-os and trusted-firmware-a are disabled.
'''
/dts-v1/;
/ {
images {
uboot {
};
fdt {
};
};
configurations {
default = "conf";
conf {
loadables = "uboot";
fdt = "fdt";
};
};
};
'''
2. Only enable optee-os
'''
/dts-v1/;
/ {
images {
uboot {
};
fdt {
};
optee {
};
};
configurations {
default = "conf";
conf {
firmware = "optee";
loadables = "uboot";
fdt = "fdt";
};
};
};
'''
3: Both optee-os and trusted-firmware-a are enabled
'''
/dts-v1/;
/ {
images {
uboot {
};
fdt {
};
atf {
};
optee {
};
};
configurations {
default = "conf";
conf {
firmware = "atf";
loadables = "uboot", "optee";
fdt = "fdt";
};
};
};
'''
Signed-off-by: Jamin Lin <[email protected]>
---
meta/classes-recipe/uboot-sign.bbclass | 91 +++++++++++++++++++++++++-
1 file changed, 90 insertions(+), 1 deletion(-)
diff --git a/meta/classes-recipe/uboot-sign.bbclass
b/meta/classes-recipe/uboot-sign.bbclass
index ad04c82378..b874eb84db 100644
--- a/meta/classes-recipe/uboot-sign.bbclass
+++ b/meta/classes-recipe/uboot-sign.bbclass
@@ -88,6 +88,18 @@ UBOOT_FIT_ADDRESS_CELLS ?= "1"
# This is only necessary for determining the signing configuration
KERNEL_PN = "${PREFERRED_PROVIDER_virtual/kernel}"
+# Trusted Firmware-A (TF-A) provides a reference implementation of
+# secure world software for Armv7-A and Armv8-A,
+# including a Secure Monitor executing at Exception Level 3 (EL3)
+# ATF is used as the initial start code on ARMv8-A cores for all K3 platforms
+UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A ?= "0"
+UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_IMAGE ?= "bl31.bin"
+
+# OP-TEE is a Trusted Execution Environment (TEE) designed as
+# companion to a non-secure Linux kernel running on Arm
+UBOOT_FIT_OPTEE_OS ?= "0"
+UBOOT_FIT_OPTEE_OS_IMAGE ?= "tee-raw.bin"
+
python() {
# We need u-boot-tools-native if we're creating a U-Boot fitImage
sign = d.getVar('UBOOT_SIGN_ENABLE') == '1'
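Review bot: The image nodes added in the last hunk interpolate `UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_LOADADDRESS`, `UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_ENTRYPOINT`, `UBOOT_FIT_OPTEE_OS_LOADADDRESS` and `UBOOT_FIT_OPTEE_OS_ENTRYPOINT`, but this block of defaults neither sets nor documents them. If a machine enables either image and leaves them unset, the generated ITS would presumably contain an empty `load = <>;` / `entry = <>;` for secure-world firmware. I would add a comment next to the new defaults, for example `# *_LOADADDRESS and *_ENTRYPOINT have no default and must be set by the machine when the image is enabled`. A guard in uboot_fitimage_assemble such as `[ -n "${UBOOT_FIT_OPTEE_OS_LOADADDRESS}" ] || bbfatal "UBOOT_FIT_OPTEE_OS_LOADADDRESS is not set"` would turn this into a build-time error. The comment about K3 platforms also reads as platform-specific for a generic class.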
@@ -230,6 +242,20 @@ addtask uboot_generate_rsa_keys before
do_uboot_assemble_fitimage after do_compi
# Create a ITS file for the U-boot FIT, for use when
# we want to sign it so that the SPL can verify it
uboot_fitimage_assemble() {
+ conf_loadables="\"uboot\""
+ conf_firmware=""
+
+ if [ "${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A}" = "1" ]; then
+ conf_firmware="\"atf\""
+ if [ "${UBOOT_FIT_OPTEE_OS}" = "1" ]; then
+ conf_loadables="\"uboot\", \"optee\""
+ fi
+ else
+ if [ "${UBOOT_FIT_OPTEE_OS}" = "1" ]; then
+ conf_firmware="\"optee\""
+ fi
+ fi
+
rm -f ${UBOOT_ITS} ${UBOOT_FITIMAGE_BINARY}
# First we create the ITS script
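Review bot: The firmware/loadables selection added at the top of uboot_fitimage_assemble has four outcomes, but nothing in the code says which image ends up as `firmware`. The commit message lists only three of them, leaving out the TF-A-only case (`firmware = "atf"`, `loadables = "uboot"`). Since this choice presumably decides which image the SPL hands control to first, a short comment above the block would help, for example `# TF-A enabled: atf is firmware, optee (if enabled) is a loadable; OP-TEE alone: optee is firmware`. The nested `else` / `if` can also be written as a single `elif [ "${UBOOT_FIT_OPTEE_OS}" = "1" ]; then`. The function body continues outside this hunk.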
@@ -282,13 +308,76 @@ EOF
cat << EOF >> ${UBOOT_ITS}
};
+EOF
+ if [ "${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A}" = "1" ] ; then
+ cat << EOF >> ${UBOOT_ITS}
+ atf {
+ description = "ARM Trusted Firmware-A";
+ data = /incbin/("${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_IMAGE}");
+ type = "firmware";
+ arch = "${UBOOT_ARCH}";
+ os = "arm-trusted-firmware";
+ load = <${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_LOADADDRESS}>;
+ entry = <${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_ENTRYPOINT}>;
+ compression = "none";
+EOF
+
+ if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
+ cat << EOF >> ${UBOOT_ITS}
+ signature {
+ algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}";
+ key-name-hint = "${SPL_SIGN_KEYNAME}";
+ };
+EOF
+ fi
+
+ cat << EOF >> ${UBOOT_ITS}
+ };
+EOF
+ fi
+
+ if [ "${UBOOT_FIT_OPTEE_OS}" = "1" ] ; then
+ cat << EOF >> ${UBOOT_ITS}
+ optee {
+ description = "OPTEE OS Image";
+ data = /incbin/("${UBOOT_FIT_OPTEE_OS_IMAGE}");
+ type = "tee";
+ arch = "${UBOOT_ARCH}";
+ os = "tee";
+ load = <${UBOOT_FIT_OPTEE_OS_LOADADDRESS}>;
+ entry = <${UBOOT_FIT_OPTEE_OS_ENTRYPOINT}>;
+ compression = "none";
+EOF
+
+ if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
+ cat << EOF >> ${UBOOT_ITS}
+ signature {
+ algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}";
+ key-name-hint = "${SPL_SIGN_KEYNAME}";
+ };
+EOF
+ fi
+
+ cat << EOF >> ${UBOOT_ITS}
+ };
+EOF
+ fi
+
+ cat << EOF >> ${UBOOT_ITS}
};
configurations {
default = "conf";
conf {
description = "Boot with signed U-Boot FIT";
- loadables = "uboot";
+EOF
+ if [ -n "${conf_firmware}" ]; then
+ cat << EOF >> ${UBOOT_ITS}
+ firmware = ${conf_firmware};
+EOF
+ fi
+ cat << EOF >> ${UBOOT_ITS}
+ loadables = ${conf_loadables};
fdt = "fdt";
};
};
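Review bot: The `conf` node written at the end of this hunk closes right after `fdt = "fdt";` with no signature subnode, so the new `firmware` and `loadables` properties do not appear to be covered by any signature. Only the individual `atf` and `optee` image nodes get one, and only when `SPL_SIGN_ENABLE` is "1"; otherwise they carry neither a signature nor a hash. Now that the configuration selects the secure-world firmware, it is worth stating whether the SPL is expected to verify the configuration or just each image. At minimum I would add a comment above the configurations heredoc, e.g. `# NOTE: only image nodes are signed; conf (firmware/loadables/fdt) is not covered by a signature`. uboot_fitimage_assemble starts and ends outside this hunk, so how the uboot and fdt nodes are signed is not visible here.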
--
2.25.1