Re: [OE-core] [PATCH v1] uboot-sign: support to load optee-os and TFA images
> > Hello,
> >
> > This doesn't apply on top of your previous patches. Can you send a proper
> > series with what you want to be tested/applied?
> >
> > Thanks!

Hi Alexandre

I created a series patch here,
https://patchwork.yoctoproject.org/project/oe-core/list/?series=21444

Thanks-Jamin

> On 17/01/2024 10:10:51+0800, Jamin Lin via lists.openembedded.org wrote:
> > Currently, u-boot FIT image only support to load u-boot image.
> > To support optee-os and trusted-firmware-a, update ITS file generation
> > scripts, so users are able to use u-boot FIT image to load u-boot,
> > optee-os and trusted-firmware-a images
> >
> > Add a variable "UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A" to enable
> > trusted-firmware-a image and it is disabled by default.
> >
> > Add a variable "UBOOT_FIT_OPTEE_OS" to enable optee-os image and it is
> > disabled by default.
> >
> > The ITS file creation looks like as following.
> > 1. Both optee-os and trusted-firmware-a are disabled.
> > '''
> > /dts-v1/;
> >
> > / {
> >     images {
> >         uboot {
> >         };
> >         fdt {
> >         };
> >     };
> >
> >     configurations {
> >         default = "conf";
> >         conf {
> >             loadables = "uboot";
> >             fdt = "fdt";
> >         };
> >     };
> > };
> > '''
> >
> > 2. Only enable optee-os
> > '''
> > /dts-v1/;
> >
> > / {
> >     images {
> >         uboot {
> >         };
> >         fdt {
> >         };
> >         optee {
> >         };
> >     };
> >
> >     configurations {
> >         default = "conf";
> >         conf {
> >             firmware = "optee";
> >             loadables = "uboot";
> >             fdt = "fdt";
> >         };
> >     };
> > };
> > '''
> >
> > 3: Both optee-os and trusted-firmware-a are enabled
> > '''
> > /dts-v1/;
> >
> > / {
> >     images {
> >         uboot {
> >         };
> >         fdt {
> >         };
> >         atf {
> >         };
> >         optee {
> >         };
> >     };
> >
> >     configurations {
> >         default = "conf";
> >         conf {
> >             firmware = "atf";
> >             loadables = "uboot", "optee";
> >             fdt = "fdt";
> >         };
> >     };
> > };
> > '''
> >
> > Signed-off-by: Jamin Lin
> > ---
> >  meta/classes-recipe/uboot-sign.bbclass | 91 +-
> >  1 file changed, 90 insertions(+), 1 deletion(-)
> > > > diff --git a/meta/classes-recipe/uboot-sign.bbclass > > b/meta/classes-recipe/uboot-sign.bbclass > > index ad04c82378..b874eb84db 100644 > > --- a/meta/classes-recipe/uboot-sign.bbclass > > +++ b/meta/classes-recipe/uboot-sign.bbclass > > @@ -88,6 +88,18 @@ UBOOT_FIT_ADDRESS_CELLS ?= "1" > > # This is only necessary for determining the signing configuration > > KERNEL_PN = "${PREFERRED_PROVIDER_virtual/kernel}" > > > > +# Trusted Firmware-A (TF-A) provides a reference implementation of # > > +secure world software for Armv7-A and Armv8-A, # including a Secure > > +Monitor executing at Exception Level 3 (EL3) # ATF is used as the > > +initial start code on ARMv8-A cores for all K3 platforms > > +UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A ?= "0" > > +UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_IMAGE ?= "bl31.bin" > > + > > +# OP-TEE is a Trusted Execution Environment (TEE) designed as # > > +companion to a non-secure Linux kernel running on Arm > > +UBOOT_FIT_OPTEE_OS ?= "0" > > +UBOOT_FIT_OPTEE_OS_IMAGE ?= "tee-raw.bin" > > + > > python() { > > # We need u-boot-tools-native if we're creating a U-Boot fitImage > > sign = d.getVar('UBOOT_SIGN_ENABLE') == '1' > > @@ -230,6 +242,20 @@ addtask uboot_generate_rsa_keys before > > do_uboot_assemble_fitimage after do_compi # Create a ITS file for the > > U-boot FIT, for use when # we want to sign it so that the SPL can > > verify it > > uboot_fitimage_assemble() { > > + conf_loadables="\"uboot\"" > > + conf_firmware="" > > + > > + if [ "${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A}" = "1" ]; then > > + conf_firmware="
[OE-core] [PATCH v2 4/4] uboot-sign: support to load optee-os and TFA images
Currently, the u-boot FIT image only supports loading the u-boot image.
To support optee-os and trusted-firmware-a, update the ITS file generation
scripts so users are able to use the u-boot FIT image to load u-boot,
optee-os and trusted-firmware-a images.

Add a variable "UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A" to enable the
trusted-firmware-a image; it is disabled by default.

Add a variable "UBOOT_FIT_OPTEE_OS" to enable the optee-os image; it is
disabled by default.

The ITS file creation looks like the following.

1. Both optee-os and trusted-firmware-a are disabled.
'''
/dts-v1/;

/ {
    images {
        uboot {
        };
        fdt {
        };
    };

    configurations {
        default = "conf";
        conf {
            loadables = "uboot";
            fdt = "fdt";
        };
    };
};
'''

2. Only enable optee-os
'''
/dts-v1/;

/ {
    images {
        uboot {
        };
        fdt {
        };
        optee {
        };
    };

    configurations {
        default = "conf";
        conf {
            firmware = "optee";
            loadables = "uboot";
            fdt = "fdt";
        };
    };
};
'''

3. Both optee-os and trusted-firmware-a are enabled
'''
/dts-v1/;

/ {
    images {
        uboot {
        };
        fdt {
        };
        atf {
        };
        optee {
        };
    };

    configurations {
        default = "conf";
        conf {
            firmware = "atf";
            loadables = "uboot", "optee";
            fdt = "fdt";
        };
    };
};
'''

Signed-off-by: Jamin Lin
---
 meta/classes-recipe/uboot-sign.bbclass | 91 +-
 1 file changed, 90 insertions(+), 1 deletion(-)

diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass
index 7a0b8047e4..d2b1013b93 100644
--- a/meta/classes-recipe/uboot-sign.bbclass
+++ b/meta/classes-recipe/uboot-sign.bbclass
@@ -91,6 +91,18 @@ KERNEL_PN = "${PREFERRED_PROVIDER_virtual/kernel}" UBOOT_FIT_UBOOT_LOADADDRESS ?= "${UBOOT_LOADADDRESS}" UBOOT_FIT_UBOOT_ENTRYPOINT ?= "${UBOOT_ENTRYPOINT}" +# Trusted Firmware-A (TF-A) provides a reference implementation of +# secure world software for Armv7-A and Armv8-A, +# including a Secure Monitor executing at Exception Level 3 (EL3) +# ATF is used as the initial start code on ARMv8-A cores for all K3 platforms +UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A ?= "0" +UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_IMAGE ?= "bl31.bin" + +# OP-TEE is a Trusted Execution Environment (TEE) designed as +# companion to a non-secure Linux kernel running on Arm +UBOOT_FIT_OPTEE_OS ?= "0" +UBOOT_FIT_OPTEE_OS_IMAGE ?= "tee-raw.bin" + python() { # We need u-boot-tools-native if we're creating a U-Boot fitImage sign = d.getVar('UBOOT_SIGN_ENABLE') == '1' @@ -237,6 +249,20 @@ addtask uboot_generate_rsa_keys before do_uboot_assemble_fitimage after do_compi # Create a ITS file for the U-boot FIT, for use when # we want to sign it so that the SPL can verify it uboot_fitimage_assemble() { + conf_loadables="\"uboot\"" + conf_firmware="" + + if [ "${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A}" = "1" ]; then + conf_firmware="\"atf\"" + if [ "${UBOOT_FIT_OPTEE_OS}" = "1" ]; then + conf_loadables="\"uboot\", \"optee\"" + fi + else + if [ "${UBOOT_FIT_OPTEE_OS}" = "1" ]; then + conf_firmware="\"optee\"" + fi + fi + rm -f ${UBOOT_ITS} ${UBOOT_FITIMAGE_BINARY} # First we create the ITS script 
@@ -289,13 +315,76 @@ EOF cat << EOF >> ${UBOOT_ITS} }; +EOF + if [ "${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A}" = "1" ] ; then + cat << EOF >> ${UBOOT_ITS} +atf { +description = "ARM Trusted Firmware-A"; +data = /incbin/("${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_IMAGE}"); +type = "firmware"; +arch = "${UBOOT_ARCH}"; +os = "arm-trusted-firmware"; +load = <${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_LOADADDRESS}>; +entry = <${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_ENTRYPOINT}>; +compression = "none"; +EOF + + if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then + cat << EOF >> ${UBOOT_ITS} +signature { +algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}"; +key-name-hint = "${SPL_SIGN_KEYNAME}"; +}; +EOF + fi + + cat << EOF >> ${UBOOT_ITS} +}; +EOF + fi + + if [ "${UBOOT_FIT_OPTEE_OS}" = "1" ] ; then + cat << EOF >> ${UBOOT_ITS} +optee { +description = "OPTEE OS Image"; +data = /incbin/("${UBOOT_FIT_OPTEE_OS_IMAGE}"); +type = "tee"; +arch = "${UBOOT_ARCH}"; +os = "tee"; +load = <${UBOOT_FIT_OPTEE_OS_LOADADDRESS}>; +entry = <${UBOOT_FIT_OPTEE_OS_ENTRYPOINT}>; +compression = "none"; +EOF + + if
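Review bot: the first hunk defaults the enable flags and image names but not UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_LOADADDRESS, UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_ENTRYPOINT, UBOOT_FIT_OPTEE_OS_LOADADDRESS or UBOOT_FIT_OPTEE_OS_ENTRYPOINT, which the ITS hunk later expands into `load = <${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_LOADADDRESS}>;` and friends. With a flag set to "1" and the address left unset the ITS contains `load = <>;`, an empty property that gives the SPL no usable load address and is not diagnosed as a clear build-time error. Either add `?=` defaults beside the other variables or make the anonymous python() function bb.fatal() when a flag is "1" and its address variables are empty. The comment "ATF is used as the initial start code on ARMv8-A cores for all K3 platforms" is TI-specific and does not belong in a generic class; drop that sentence.

Review bot: the conf_firmware/conf_loadables block in the second hunk is correct but reads as a puzzle: with TF-A off, OP-TEE becomes the `firmware` entry, with TF-A on it moves into `loadables`, and nothing says why. Since `firmware` is the image the SPL hands control to and `loadables` are only loaded, a one-line comment above the block ("TF-A must be entered first; OP-TEE is only entered first when there is no TF-A") plus a sentence in the commit message would save the next reader from reverse-engineering it.

Review bot: in the ITS hunk the atf and optee nodes embed `data = /incbin/("${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_IMAGE}");` and `data = /incbin/("${UBOOT_FIT_OPTEE_OS_IMAGE}");` with relative paths (bl31.bin, tee-raw.bin by default), and nothing checks the files exist or documents which directory they are relative to; add a `[ -f ... ] || bbfatal` check before the ITS is written and state the expected location in the variable comments. The five-line `signature { algo = ...; key-name-hint = ...; };` heredoc is now emitted three times (uboot, atf, optee); a small shell helper would keep the SPL_SIGN_ENABLE handling in one place. Since the new nodes are signed per image, the fitimage oe-selftest should gain a case with both flags on so the generated ITS is actually checked.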
[OE-core] [PATCH v2 2/4] uboot-sign: Fix to install nonexistent dtb file
Add to check dtb file exist, then install it. Signed-off-by: Jamin Lin --- meta/classes-recipe/uboot-sign.bbclass | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass index abde0bc61c..4b462698f9 100644 --- a/meta/classes-recipe/uboot-sign.bbclass +++ b/meta/classes-recipe/uboot-sign.bbclass @@ -318,7 +318,9 @@ EOF ${SPL_MKIMAGE_SIGN_ARGS} fi - cp ${SPL_DIR}/${SPL_DTB_BINARY} ${SPL_DIR}/${SPL_DTB_SIGNED} + if [ -e "${SPL_DIR}/${SPL_DTB_BINARY}" ]; then + cp ${SPL_DIR}/${SPL_DTB_BINARY} ${SPL_DIR}/${SPL_DTB_SIGNED} + fi } uboot_assemble_fitimage_helper() { -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#194011): https://lists.openembedded.org/g/openembedded-core/message/194011 Mute This Topic: https://lists.openembedded.org/mt/103825448/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
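Review bot: `[ -e "${SPL_DIR}/${SPL_DTB_BINARY}" ]` is true for a directory as well as a file, so when SPL_DTB_BINARY is empty (the case an absent DTB usually comes from) the path collapses to `${SPL_DIR}/`, the test passes and `cp` then fails on the directory; test with `-f` instead and quote the `cp` arguments. The commit message should also say when the DTB is legitimately absent: in the lines just above, with SPL_SIGN_ENABLE = "1", `mkimage -K` has just written the public key into that very file, so a missing file in the signed case is a broken build and deserves at least a bbwarn rather than a silent skip.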
[OE-core] [PATCH v2 3/4] u-boot-sign:uboot-config: support to verify signed FIT image
It does not verify the signed FIT image of kernel and uboot. To catch the unexpected errors as far as possible at the build time, add uboot-fit-check-sign tool which is provided by u-boot to verify the signed FIT image. Signed-off-by: Jamin Lin --- meta/classes-recipe/uboot-config.bbclass | 3 +++ meta/classes-recipe/uboot-sign.bbclass | 10 ++ 2 files changed, 13 insertions(+) diff --git a/meta/classes-recipe/uboot-config.bbclass b/meta/classes-recipe/uboot-config.bbclass index 9be1d64d3e..0c579e8861 100644 --- a/meta/classes-recipe/uboot-config.bbclass +++ b/meta/classes-recipe/uboot-config.bbclass @@ -94,6 +94,9 @@ SPL_MKIMAGE_SIGN_ARGS ?= "" UBOOT_DTB ?= "" UBOOT_DTB_BINARY ??= "" +# uboot-fit_check_sign command +UBOOT_FIT_CHECK_SIGN ?= "uboot-fit_check_sign" + python () { ubootmachine = d.getVar("UBOOT_MACHINE") ubootconfigflags = d.getVarFlags('UBOOT_CONFIG') diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass index 4b462698f9..7a0b8047e4 100644 --- a/meta/classes-recipe/uboot-sign.bbclass +++ b/meta/classes-recipe/uboot-sign.bbclass @@ -112,6 +112,10 @@ concat_dtb() { -K "${UBOOT_DTB_BINARY}" \ -r ${B}/fitImage-linux \ ${UBOOT_MKIMAGE_SIGN_ARGS} + # Verify the kernel image and u-boot dtb + ${UBOOT_FIT_CHECK_SIGN} \ + -k "${UBOOT_DTB_BINARY}" \ + -f ${B}/fitImage-linux cp ${UBOOT_DTB_BINARY} ${UBOOT_DTB_SIGNED} fi 
@@ -316,6 +320,12 @@ EOF -K "${SPL_DIR}/${SPL_DTB_BINARY}" \ -r ${UBOOT_FITIMAGE_BINARY} \ ${SPL_MKIMAGE_SIGN_ARGS} + # + # Verify the U-boot FIT image and SPL dtb + # + ${UBOOT_FIT_CHECK_SIGN} \ + -k "${SPL_DIR}/${SPL_DTB_BINARY}" \ + -f ${UBOOT_FITIMAGE_BINARY} fi if [ -e "${SPL_DIR}/${SPL_DTB_BINARY}" ]; then -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#194012): https://lists.openembedded.org/g/openembedded-core/message/194012 Mute This Topic: https://lists.openembedded.org/mt/103825449/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
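Review bot: the commit message calls the tool uboot-fit-check-sign while the uboot-config.bbclass hunk defaults UBOOT_FIT_CHECK_SIGN to "uboot-fit_check_sign"; use one spelling. The comment `# uboot-fit_check_sign command` only restates the value; say that the tool is the fit_check_sign binary shipped by u-boot-tools-native (already a dependency of this class for mkimage, per the python() comment in uboot-sign.bbclass) and that it verifies a FIT against the public key embedded in a control DTB.

Review bot: in the concat_dtb hunk the check runs with `-k "${UBOOT_DTB_BINARY}"`, the same DTB that `mkimage -K` on the preceding lines just wrote the public key into, so it proves the signature is well-formed and the embedded key matches the signing key; it does not prove that the DTB shipped inside the final U-Boot binary is that one. That is fine for the stated goal of catching errors at build time, but the comment should say so. Quote `-f "${B}/fitImage-linux"` like the `-k` argument.

Review bot: the `#` / `# Verify the U-boot FIT image and SPL dtb` / `#` comment block in the uboot_fitimage_assemble hunk differs in style from the single-line comment used in the concat_dtb hunk; pick one. BitBake runs shell tasks with `set -e`, so a non-zero exit from ${UBOOT_FIT_CHECK_SIGN} already fails the task, which is the intended behaviour here; mention that in the commit message so nobody later adds an `|| true` to quieten it.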
[OE-core] [PATCH v2 1/4] uboot-sign: set load address and entrypoint
According to the design of uboot-sign.bbclass and kernel-fitimage.bbclass, both of them use an UBOOT_LOADADDRESS variable to set the load address of kernel and u-boot image and use an UBOOT_ENTRYPOINT variable to set the entry address of kernel and u-boot image. However, users may want to set the different load address of u-boot and kernel image. Therefore, adds UBOOT_FIT_UBOOT_LOADADDRESS and UBOOT_FIT_UBOOT_ENTRYPOINT variables to set the load address and entry point of u-boot image, respectively. The value of UBOOT_FIT_UBOOT_ENTRYPOINT is UBOOT_LOADADDRESS by default. The value of UBOOT_FIT_UBOOT_ENTRYPOINT is UBOOT_ENTRYPOINT by default. Signed-off-by: Jamin Lin --- meta/classes-recipe/uboot-sign.bbclass | 7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass index ad04c82378..abde0bc61c 100644 --- a/meta/classes-recipe/uboot-sign.bbclass +++ b/meta/classes-recipe/uboot-sign.bbclass @@ -88,6 +88,9 @@ UBOOT_FIT_ADDRESS_CELLS ?= "1" # This is only necessary for determining the signing configuration KERNEL_PN = "${PREFERRED_PROVIDER_virtual/kernel}" +UBOOT_FIT_UBOOT_LOADADDRESS ?= "${UBOOT_LOADADDRESS}" +UBOOT_FIT_UBOOT_ENTRYPOINT ?= "${UBOOT_ENTRYPOINT}" + python() { # We need u-boot-tools-native if we're creating a U-Boot fitImage sign = d.getVar('UBOOT_SIGN_ENABLE') == '1' 
@@ -248,8 +251,8 @@ uboot_fitimage_assemble() { os = "u-boot"; arch = "${UBOOT_ARCH}"; compression = "none"; -load = <${UBOOT_LOADADDRESS}>; -entry = <${UBOOT_ENTRYPOINT}>; +load = <${UBOOT_FIT_UBOOT_LOADADDRESS}>; +entry = <${UBOOT_FIT_UBOOT_ENTRYPOINT}>; EOF if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#194010): https://lists.openembedded.org/g/openembedded-core/message/194010 Mute This Topic: https://lists.openembedded.org/mt/103825447/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
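Review bot: the commit message states "The value of UBOOT_FIT_UBOOT_ENTRYPOINT is UBOOT_LOADADDRESS by default" and then "The value of UBOOT_FIT_UBOOT_ENTRYPOINT is UBOOT_ENTRYPOINT by default"; the first sentence should name UBOOT_FIT_UBOOT_LOADADDRESS, as the hunk does with `UBOOT_FIT_UBOOT_LOADADDRESS ?= "${UBOOT_LOADADDRESS}"`. The two new `?=` lines carry no comment, unlike the neighbouring KERNEL_PN; add one saying they override UBOOT_LOADADDRESS/UBOOT_ENTRYPOINT for the U-Boot image in the U-Boot FIT only (the kernel FIT keeps using the old variables), and document both in meta/conf/documentation.conf.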
Re: [OE-core] [PATCH] uboot-sign: support to load optee-os and TFA images
> -----Original Message-----
> From: Tom Rini
> Sent: Wednesday, January 17, 2024 10:37 PM
> To: Jamin Lin
> Cc: openembedded-core@lists.openembedded.org
> Subject: Re: [PATCH] uboot-sign: support to load optee-os and TFA images
>
> On Tue, Jan 16, 2024 at 07:37:04PM -0800, Jamin Lin wrote:
>
> > Hi Alexander,
> >
> > One more thing, So far, binman only supports hash 256.
>
> What hashing algorithm would you like to be using instead? We can always
> include more and better options with configuration as needed.
>
> --
> Tom

Hi Tom

At present, the makeimage tool supports hash 256, 384 and 512. It also supports rsa 2038, 3072 and 4096. It would be better if binman supported these algorithms.

The original goal of my uboot-sign.bbclass patch is to make Yocto support optee-os and TF-A with the old version of u-boot.

Thanks
Re: [OE-core] [PATCH] uboot-sign: support to load optee-os and TFA images
Hi Alexander,

One more thing, So far, binman only supports hash 256.

Thanks
[OE-core] [PATCH v1] uboot-sign: support to load optee-os and TFA images
Currently, the u-boot FIT image only supports loading the u-boot image.
To support optee-os and trusted-firmware-a, update the ITS file generation
scripts so users are able to use the u-boot FIT image to load u-boot,
optee-os and trusted-firmware-a images.

Add a variable "UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A" to enable the
trusted-firmware-a image; it is disabled by default.

Add a variable "UBOOT_FIT_OPTEE_OS" to enable the optee-os image; it is
disabled by default.

The ITS file creation looks like the following.

1. Both optee-os and trusted-firmware-a are disabled.
'''
/dts-v1/;

/ {
    images {
        uboot {
        };
        fdt {
        };
    };

    configurations {
        default = "conf";
        conf {
            loadables = "uboot";
            fdt = "fdt";
        };
    };
};
'''

2. Only enable optee-os
'''
/dts-v1/;

/ {
    images {
        uboot {
        };
        fdt {
        };
        optee {
        };
    };

    configurations {
        default = "conf";
        conf {
            firmware = "optee";
            loadables = "uboot";
            fdt = "fdt";
        };
    };
};
'''

3. Both optee-os and trusted-firmware-a are enabled
'''
/dts-v1/;

/ {
    images {
        uboot {
        };
        fdt {
        };
        atf {
        };
        optee {
        };
    };

    configurations {
        default = "conf";
        conf {
            firmware = "atf";
            loadables = "uboot", "optee";
            fdt = "fdt";
        };
    };
};
'''

Signed-off-by: Jamin Lin
---
 meta/classes-recipe/uboot-sign.bbclass | 91 +-
 1 file changed, 90 insertions(+), 1 deletion(-)

diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass
index ad04c82378..b874eb84db 100644
--- a/meta/classes-recipe/uboot-sign.bbclass
+++ b/meta/classes-recipe/uboot-sign.bbclass
@@ -88,6 +88,18 @@ UBOOT_FIT_ADDRESS_CELLS ?= "1" # This is only necessary for determining the signing configuration KERNEL_PN = "${PREFERRED_PROVIDER_virtual/kernel}" +# Trusted Firmware-A (TF-A) provides a reference implementation of +# secure world software for Armv7-A and Armv8-A, +# including a Secure Monitor executing at Exception Level 3 (EL3) +# ATF is used as the initial start code on ARMv8-A cores for all K3 platforms +UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A ?= "0" +UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_IMAGE ?= "bl31.bin" + +# OP-TEE is a Trusted Execution Environment (TEE) designed as +# companion to a non-secure Linux kernel running on Arm +UBOOT_FIT_OPTEE_OS ?= "0" +UBOOT_FIT_OPTEE_OS_IMAGE ?= "tee-raw.bin" + python() { # We need u-boot-tools-native if we're creating a U-Boot fitImage sign = d.getVar('UBOOT_SIGN_ENABLE') == '1' @@ -230,6 +242,20 @@ addtask uboot_generate_rsa_keys before do_uboot_assemble_fitimage after do_compi # Create a ITS file for the U-boot FIT, for use when # we want to sign it so that the SPL can verify it uboot_fitimage_assemble() { + conf_loadables="\"uboot\"" + conf_firmware="" + + if [ "${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A}" = "1" ]; then + conf_firmware="\"atf\"" + if [ "${UBOOT_FIT_OPTEE_OS}" = "1" ]; then + conf_loadables="\"uboot\", \"optee\"" + fi + else + if [ "${UBOOT_FIT_OPTEE_OS}" = "1" ]; then + conf_firmware="\"optee\"" + fi + fi + rm -f ${UBOOT_ITS} ${UBOOT_FITIMAGE_BINARY} # First we create the ITS script 
@@ -282,13 +308,76 @@ EOF cat << EOF >> ${UBOOT_ITS} }; +EOF + if [ "${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A}" = "1" ] ; then + cat << EOF >> ${UBOOT_ITS} +atf { +description = "ARM Trusted Firmware-A"; +data = /incbin/("${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_IMAGE}"); +type = "firmware"; +arch = "${UBOOT_ARCH}"; +os = "arm-trusted-firmware"; +load = <${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_LOADADDRESS}>; +entry = <${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_ENTRYPOINT}>; +compression = "none"; +EOF + + if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then + cat << EOF >> ${UBOOT_ITS} +signature { +algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}"; +key-name-hint = "${SPL_SIGN_KEYNAME}"; +}; +EOF + fi + + cat << EOF >> ${UBOOT_ITS} +}; +EOF + fi + + if [ "${UBOOT_FIT_OPTEE_OS}" = "1" ] ; then + cat << EOF >> ${UBOOT_ITS} +optee { +description = "OPTEE OS Image"; +data = /incbin/("${UBOOT_FIT_OPTEE_OS_IMAGE}"); +type = "tee"; +arch = "${UBOOT_ARCH}"; +os = "tee"; +load = <${UBOOT_FIT_OPTEE_OS_LOADADDRESS}>; +entry = <${UBOOT_FIT_OPTEE_OS_ENTRYPOINT}>; +compression = "none"; +EOF + + if [
Re: [OE-core] [PATCH] uboot-sign: support to load optee-os and TFA images
Yes, it is a typo and I will fix it.

Thanks-Jamin
Re: [OE-core] [PATCH] uboot-sign: support to load optee-os and TFA images
Hi Alexander,

Thanks for review. I tested it on ASPEED AST2600 and AST2700 SoCs. You can see our GitHub repository here.
https://github.com/AspeedTech-BMC

You are right that the latest version of u-boot (2024.01) supports the binman python tool to create a FIT image and supports optee-os and trusted-firmware-a. However, "the old version of the u-boot binman python tool" did not support adding optee-os and trusted-firmware-a to the FIT image. For example, our AST2600 is in production and its u-boot version was 2019.04, and the binman python tools did not support the optee-os image format. That was why I changed the ITS file creation scripts to support all u-boot versions. Finally, users are able to use the "makeimage" tool to create a FIT image with optee-os and trusted-firmware-a.

Thanks-Jamin
[OE-core] [PATCH] uboot-sign: support to load optee-os and TFA images
Currently, the u-boot FIT image only supports loading the u-boot image.
To support optee-os and trusted-firmware-a, update the ITS file generation
scripts so users are able to use the u-boot FIT image to load u-boot,
optee-os and trusted-firmware-a images.

Add a variable "UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A" to enable the
trusted-firmware-a image; it is disabled by default.

Add a variable "UBOOT_FIT_OPTEE_OS" to enable the optee-os image; it is
disabled by default.

The ITS file creation looks like the following.

1. Both optee-os and trusted-firmware-a are disabled.
'''
/dts-v1/;

/ {
    images {
        uboot {
        };
        fdt {
        };
    };

    configurations {
        default = "conf";
        conf {
            loadables = "uboot";
            fdt = "fdt";
        };
    };
};
'''

2. Only enable optee-os
'''
/dts-v1/;

/ {
    images {
        uboot {
        };
        fdt {
        };
        optee {
        };
    };

    configurations {
        default = "conf";
        conf {
            firmware = "optee";
            loadables = "uboot";
            fdt = "fdt";
        };
    };
};
'''

3. Both optee-os and trusted-firmware-a are enabled
'''
/dts-v1/;

/ {
    images {
        uboot {
        };
        fdt {
        };
        atf {
        };
        optee {
        };
    };

    configurations {
        default = "conf";
        conf {
            firmware = "atf";
            loadables = "uboot", "optee";
            fdt = "fdt";
        };
    };
};
'''

Signed-off-by: Jamin Lin
---
 meta/classes-recipe/uboot-sign.bbclass | 91 +-
 1 file changed, 90 insertions(+), 1 deletion(-)

diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass
index ad04c82378..b874eb84db 100644
--- a/meta/classes-recipe/uboot-sign.bbclass
+++ b/meta/classes-recipe/uboot-sign.bbclass
@@ -88,6 +88,18 @@ UBOOT_FIT_ADDRESS_CELLS ?= "1" # This is only necessary for determining the signing configuration KERNEL_PN = "${PREFERRED_PROVIDER_virtual/kernel}" +# Trusted Firmware-A (TF-A) provides a reference implementation of +# secure world software for Armv7-A and Armv8-A, +# including a Secure Monitor executing at Exception Level 3 (EL3) +# ATF is used as the initial start code on ARMv8-A cores for all K3 platforms +UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A ?= "0" +UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_IMAGE ?= "bl31.bin" + +# OP-TEE is a Trusted Execution Environment (TEE) designed as +# companion to a non-secure Linux kernel running on Arm +UBOOT_FIT_OPTEE_OS ?= "0" +UBOOT_FIT_OPTEE_OS_IMAGE ?= "tee-raw.bin" + python() { # We need u-boot-tools-native if we're creating a U-Boot fitImage sign = d.getVar('UBOOT_SIGN_ENABLE') == '1' @@ -230,6 +242,20 @@ addtask uboot_generate_rsa_keys before do_uboot_assemble_fitimage after do_compi # Create a ITS file for the U-boot FIT, for use when # we want to sign it so that the SPL can verify it uboot_fitimage_assemble() { + conf_loadables="\"uboot\"" + conf_firmware="" + + if [ "${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A}" = "1" ]; then + conf_firmware="\"atf\"" + if [ "${UBOOT_FIT_OPTEE_OS}" = "1" ]; then + conf_loadables="\"uboot\", \"optee\"" + fi + else + if [ "${UBOOT_FIT_OPTEE_OS}" = "1" ]; then + conf_firmware="\"optee\"" + fi + fi + rm -f ${UBOOT_ITS} ${UBOOT_FITIMAGE_BINARY} # First we create the ITS script 
@@ -282,13 +308,76 @@ EOF cat << EOF >> ${UBOOT_ITS} }; +EOF + if [ "${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A}" = "1" ] ; then + cat << EOF >> ${UBOOT_ITS} +atf { +description = "ARM Trusted Firmware-A"; +data = /incbin/("${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_IMAGE}"); +type = "firmware"; +arch = "${UBOOT_ARCH}"; +os = "arm-trusted-firmware"; +load = <${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_LOADADDRESS}>; +entry = <${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_A_ENTRYPOINT}>; +compression = "none"; +EOF + + if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then + cat << EOF >> ${UBOOT_ITS} +signature { +algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}"; +key-name-hint = "${SPL_SIGN_KEYNAME}"; +}; +EOF + fi + + cat << EOF >> ${UBOOT_ITS} +}; +EOF + fi + + if [ "${UBOOT_FIT_OPTEE_OS}" = "1" ] ; then + cat << EOF >> ${UBOOT_ITS} +optee { +description = "OPTEE OS Image"; +data = /incbin/("${UBOOT_FIT_OPTEE_OS_IMAGE}"); +type = "tee"; +arch = "${UBOOT_ARCH}"; +os = "tee"; +load = <${UBOOT_FIT_OPTEE_OS_LOADADDRESS}>; +entry = <${UBOOT_FIT_OPTEE_OS_ENTRYPOINT}>; +compression = "none"; +EOF + + if [
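The three ITS layouts listed in the commit message above (and in the v1 and v2 postings of the same patch earlier on this page), together with the per-image signature nodes the hunks add, are easy to get subtly wrong: a configuration that names an image the `images` node does not contain, a loadable that carries no signature node while its siblings do, or an /incbin/ path that points at a file which is not there. As an added example (not code from this patch, from uboot-sign.bbclass or from U-Boot), here is a small Python lint that parses the DTS subset the class emits and reports exactly those problems. The ITS text, addresses and key name in it are constructed, and `image_exists` is an assumed hook standing in for a real file check.

```python
"""Structural lint for a U-Boot FIT image source (.its): added example, not
code from the OE-core patch, uboot-sign.bbclass or U-Boot.  It parses the DTS
subset that uboot-sign.bbclass emits and reports what a misconfigured build
gets wrong before mkimage or fit_check_sign ever see the image."""
import re

# A token is a string, a cell list, /incbin/(...), punctuation or a bare word.
_TOKEN = re.compile(r'\s*(?:("[^"]*")|(<[^>]*>)|(/incbin/\([^)]*\))|([{};=,])|([^\s{};=,]+))')
_INCBIN = re.compile(r'/incbin/\("([^"]*)"\)')


def tokenize(text):
    """Split ITS text into tokens after dropping /* */ and // comments."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"//[^\n]*", "", text)
    return [next(g for g in m.groups() if g is not None) for m in _TOKEN.finditer(text)]


def _parse_values(tokens, i):
    """Parse a property value list up to ';' (strings unquoted, cells kept raw)."""
    values = []
    while tokens[i] != ";":
        if tokens[i].startswith('"'):
            values.append(tokens[i][1:-1])
        elif tokens[i] != ",":
            values.append(tokens[i])
        i += 1
    return values, i + 1


def _parse_node(tokens, i):
    """Parse '{ ... };' with tokens[i] == '{'; return (node, index after '};')."""
    node = {"props": {}, "nodes": {}}
    i += 1
    while tokens[i] != "}":
        name, nxt = tokens[i], tokens[i + 1]
        if nxt == "{":
            node["nodes"][name], i = _parse_node(tokens, i + 1)
        elif nxt == "=":
            node["props"][name], i = _parse_values(tokens, i + 2)
        elif nxt == ";":  # boolean property such as 'required;'
            node["props"][name], i = [], i + 2
        else:
            raise ValueError(f"unexpected {nxt!r} after {name!r}")
    return node, i + 2  # step over '}' and ';'


def parse_its(text):
    """Return the root node as nested dicts {'props': {...}, 'nodes': {...}}."""
    tokens = tokenize(text)
    return _parse_node(tokens, tokens.index("/") + 1)[0]  # skip '/dts-v1/;'


def lint_its(text, signing_enabled, image_exists=lambda path: True):
    """Return a list of problems; empty means the ITS is structurally sound.
    image_exists is called with each /incbin/ path, so the check can run against
    a real build directory or, as in the demo below, against constructed data."""
    root = parse_its(text)
    images = root["nodes"].get("images", {"props": {}, "nodes": {}})["nodes"]
    configs = root["nodes"].get("configurations", {"props": {}, "nodes": {}})["nodes"]
    problems = []
    for iname, image in images.items():  # every image needs its input file
        for value in image["props"].get("data", []):
            m = _INCBIN.match(value)
            if m and not image_exists(m.group(1)):
                problems.append(f"image '{iname}': input file '{m.group(1)}' not found")
    for cname, conf in configs.items():
        referenced = [img for prop in ("firmware", "loadables", "fdt", "kernel", "ramdisk")
                      for img in conf["props"].get(prop, [])]
        for img in referenced:  # referenced images must exist and, when signing, be signed
            if img not in images:
                problems.append(f"configuration '{cname}': unknown image '{img}'")
            elif signing_enabled and "signature" not in images[img]["nodes"]:
                problems.append(f"configuration '{cname}': image '{img}' is unsigned")
        sig = conf["nodes"].get("signature")  # a config signature must cover every part
        if signing_enabled and sig is not None:
            covered = sig["props"].get("sign-images", [])
            for prop in ("firmware", "loadables", "fdt"):
                if prop in conf["props"] and prop not in covered:
                    problems.append(f"configuration '{cname}': sign-images omits '{prop}'")
    return problems


# Constructed sample in the shape uboot-sign.bbclass emits with TF-A and OP-TEE
# enabled and SPL_SIGN_ENABLE = "1"; the key name is made up, and the optee node
# deliberately lacks a signature node so the lint has something to find.
SAMPLE_ITS = """
/dts-v1/;
/ {
    images {
        uboot { data = /incbin/("u-boot-nodtb.bin"); type = "standalone"; os = "u-boot";
                compression = "none";
                signature { algo = "sha256,rsa2048"; key-name-hint = "spl-key"; }; };
        fdt { data = /incbin/("u-boot.dtb"); type = "flat_dt"; compression = "none";
              signature { algo = "sha256,rsa2048"; key-name-hint = "spl-key"; }; };
        atf { data = /incbin/("bl31.bin"); type = "firmware"; os = "arm-trusted-firmware";
              compression = "none";
              signature { algo = "sha256,rsa2048"; key-name-hint = "spl-key"; }; };
        optee { data = /incbin/("tee-raw.bin"); type = "tee"; os = "tee"; compression = "none"; };
    };
    configurations {
        default = "conf";
        conf { firmware = "atf"; loadables = "uboot", "optee"; fdt = "fdt"; };
    };
};
"""

if __name__ == "__main__":
    present = {"u-boot-nodtb.bin", "u-boot.dtb", "bl31.bin", "tee-raw.bin"}.__contains__
    for problem in lint_its(SAMPLE_ITS, signing_enabled=True, image_exists=present):
        print("ITS check:", problem)
```

Run as a script it reports one finding for the constructed sample, the unsigned optee image. It complements uboot-fit_check_sign rather than replacing it: fit_check_sign proves the signatures verify against the key in the control DTB, while this check catches the structural mistakes that would otherwise surface only when the SPL tries to boot.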
[OE-core] [PATCH v1] u-boot-sign.bbclass: support to verify signed FIT image
It does not verify the signed FIT image of kernel and uboot. To catch the unexpected errors as far as possible at the build time, add uboot-fit-check-sign tool which is provided by u-boot tools to verify the signed FIT image. Signed-off-by: Jamin Lin --- meta/classes-recipe/uboot-config.bbclass | 3 +++ meta/classes-recipe/uboot-sign.bbclass | 10 ++ 2 files changed, 13 insertions(+) diff --git a/meta/classes-recipe/uboot-config.bbclass b/meta/classes-recipe/uboot-config.bbclass index 9be1d64d3e..0c579e8861 100644 --- a/meta/classes-recipe/uboot-config.bbclass +++ b/meta/classes-recipe/uboot-config.bbclass @@ -94,6 +94,9 @@ SPL_MKIMAGE_SIGN_ARGS ?= "" UBOOT_DTB ?= "" UBOOT_DTB_BINARY ??= "" +# uboot-fit_check_sign command +UBOOT_FIT_CHECK_SIGN ?= "uboot-fit_check_sign" + python () { ubootmachine = d.getVar("UBOOT_MACHINE") ubootconfigflags = d.getVarFlags('UBOOT_CONFIG') diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass index ad04c82378..741d2216b9 100644 --- a/meta/classes-recipe/uboot-sign.bbclass +++ b/meta/classes-recipe/uboot-sign.bbclass @@ -109,6 +109,10 @@ concat_dtb() { -K "${UBOOT_DTB_BINARY}" \ -r ${B}/fitImage-linux \ ${UBOOT_MKIMAGE_SIGN_ARGS} + # Verify the kernel image and u-boot dtb + ${UBOOT_FIT_CHECK_SIGN} \ + -k "${UBOOT_DTB_BINARY}" \ + -f ${B}/fitImage-linux cp ${UBOOT_DTB_BINARY} ${UBOOT_DTB_SIGNED} fi 
@@ -313,6 +317,12 @@ EOF -K "${SPL_DIR}/${SPL_DTB_BINARY}" \ -r ${UBOOT_FITIMAGE_BINARY} \ ${SPL_MKIMAGE_SIGN_ARGS} + # + # Verify the U-boot FIT image and SPL dtb + # + ${UBOOT_FIT_CHECK_SIGN} \ + -k "${SPL_DIR}/${SPL_DTB_BINARY}" \ + -f ${UBOOT_FITIMAGE_BINARY} fi cp ${SPL_DIR}/${SPL_DTB_BINARY} ${SPL_DIR}/${SPL_DTB_SIGNED} -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#193635): https://lists.openembedded.org/g/openembedded-core/message/193635 Mute This Topic: https://lists.openembedded.org/mt/103734382/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [PATCH] uboot-sign: Fix to install nonexistent dtb file
Add to check dtb file is exist, then install it. Signed-off-by: Jamin Lin --- meta/classes-recipe/uboot-sign.bbclass | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass index ad04c82378..26d75995a6 100644 --- a/meta/classes-recipe/uboot-sign.bbclass +++ b/meta/classes-recipe/uboot-sign.bbclass @@ -315,7 +315,9 @@ EOF ${SPL_MKIMAGE_SIGN_ARGS} fi - cp ${SPL_DIR}/${SPL_DTB_BINARY} ${SPL_DIR}/${SPL_DTB_SIGNED} + if [ -e "${SPL_DIR}/${SPL_DTB_BINARY}" ]; then + cp ${SPL_DIR}/${SPL_DTB_BINARY} ${SPL_DIR}/${SPL_DTB_SIGNED} + fi } uboot_assemble_fitimage_helper() { -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#193630): https://lists.openembedded.org/g/openembedded-core/message/193630 Mute This Topic: https://lists.openembedded.org/mt/103733783/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [PATCH] uboot-sign: add variables to set load address and entrypoint
According to the design of uboot-sign.bbclass and kernel-fitimage.bbclass, both of them use an UBOOT_LOADADDRESS variable to set the load address of kernel and u-boot image and use an UBOOT_ENTRYPOINT to set the entry address of kernel and u-boot image. However, users may set the different load address of u-boot and kernel image. Therefore, adds UBOOT_FIT_UBOOT_LOADADDRESS and UBOOT_FIT_UBOOT_ENTRYPOINT to set the load address and entry point of u-boot image, respectively. The value of UBOOT_FIT_UBOOT_ENTRYPOINT is UBOOT_LOADADDRESS by default. The value of UBOOT_FIT_UBOOT_ENTRYPOINT is UBOOT_ENTRYPOINT by default. Signed-off-by: Jamin Lin --- meta/classes-recipe/uboot-sign.bbclass | 7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass index ad04c82378..abde0bc61c 100644 --- a/meta/classes-recipe/uboot-sign.bbclass +++ b/meta/classes-recipe/uboot-sign.bbclass @@ -88,6 +88,9 @@ UBOOT_FIT_ADDRESS_CELLS ?= "1" # This is only necessary for determining the signing configuration KERNEL_PN = "${PREFERRED_PROVIDER_virtual/kernel}" +UBOOT_FIT_UBOOT_LOADADDRESS ?= "${UBOOT_LOADADDRESS}" +UBOOT_FIT_UBOOT_ENTRYPOINT ?= "${UBOOT_ENTRYPOINT}" + python() { # We need u-boot-tools-native if we're creating a U-Boot fitImage sign = d.getVar('UBOOT_SIGN_ENABLE') == '1' 
@@ -248,8 +251,8 @@ uboot_fitimage_assemble() { os = "u-boot"; arch = "${UBOOT_ARCH}"; compression = "none"; -load = <${UBOOT_LOADADDRESS}>; -entry = <${UBOOT_ENTRYPOINT}>; +load = <${UBOOT_FIT_UBOOT_LOADADDRESS}>; +entry = <${UBOOT_FIT_UBOOT_ENTRYPOINT}>; EOF if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#193629): https://lists.openembedded.org/g/openembedded-core/message/193629 Mute This Topic: https://lists.openembedded.org/mt/103732073/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] create-spdx-2.2.bbclass issue
Hi all,

I encountered an issue with the do_create_spdx task; my description is as follows.
1. I have two target machines, which are ast2700-default and ast2700-emmc, respectively.
2. I have an application package called phosphor-logging.

I successfully built the ast2700-emmc target machine and created spdx files in the tmp/deploy/spdx directory. However, I changed the machine name to ast2700-default to build the whole image again. I noticed do_create_spdx failed and it tried to search for the file "sstate:base-files:ast2700_emmc-openbmc-linux:3.0.14:r0:ast2700_emmc" but I had changed my machine to "ast2700-default". It searched for the wrong base-files and that caused this build error.

Do you have any suggestion about how to fix it?

Thanks-Jamin

[['base-files', 'False sstate:base-files:ast2700_emmc-openbmc-linux:3.0.14:r0:ast2700_emmc:11: sstate:base-files::3.0.14:r0::11:']
fatal_error_here: https://github.com/openembedded/openembedded-core/blob/master/meta/classes/create-spdx-2.2.bbclass#L1135

Build Configuration:
BB_VERSION = "2.6.0"
BUILD_SYS = "x86_64-linux"
NATIVELSBSTRING = "ubuntu-20.04"
TARGET_SYS = "aarch64-openbmc-linux"
MACHINE = "ast2700-default"
DISTRO = "openbmc-phosphor"
DISTRO_VERSION = "nodistro.0"
TUNE_FEATURES = "aarch64 armv8a crc cortexa35"
TARGET_FPU = ""
meta
meta-poky
meta-oe
meta-networking
meta-perl
meta-python
meta-phosphor
meta-arm
meta-arm-toolchain
meta-security
meta-aspeed-sdk
meta-ast2700-sdk = "aspeed-dev:a56e2eb3f529ed117af0312cef7fd257478ea59a"

ERROR: phosphor-logging-1.0+git-r1 do_create_spdx: Cannot find any SPDX file for recipe base-files, False sstate:base-files:ast2700_emmc-openbmc-linux:3.0.14:r0:ast2700_emmc:11: sstate:base-files::3.0.14:r0::11:
ERROR: Logfile of failure stored in: /home/jamin_lin/openbmc-ast2700/0111/build-ast2700/tmp/work/cortexa35-openbmc-linux/phosphor-logging/1.0+git/temp/log.do_create_spdx.2905089
ERROR: Task
(/home/jamin_lin/openbmc-ast2700/0111/openbmc/meta-phosphor/recipes-phosphor/logging/phosphor-logging_git.bb:do_create_spdx) failed with exit code '1' Log: DEBUG: Executing python function extend_recipe_sysroot NOTE: Direct dependencies are ['/home/jamin_lin/openbmc-ast2700/0111/openbmc/meta/recipes-devtools/quilt/quilt-native_0.67.bb:do_populate_sysroot', 'virtual:native:/home/jamin_lin/openbmc-ast2700/0111/openbmc/meta/recipes-devtools/patch/patch_2.7.6.bb:do_populate_sysroot'] NOTE: Installed into sysroot: [] NOTE: Skipping as already exists in sysroot: ['gettext-minimal-native', 'libtool-native', 'quilt-native', 'texinfo-dummy-native', 'patch-native', 'attr-native'] DEBUG: Python function extend_recipe_sysroot finished DEBUG: Executing python function sstate_task_prefunc DEBUG: Python function sstate_task_prefunc finished DEBUG: Executing python function do_create_spdx DEBUG: Looking for patches that solves CVEs for phosphor-logging ERROR: Cannot find any SPDX file for recipe base-files, False sstate:base-files:ast2700_emmc-openbmc-linux:3.0.14:r0:ast2700_emmc:11: sstate:base-files::3.0.14:r0::11: jamin debug0 ['x86_64', 'x86_64_ubuntu-20.04', 'x86_64_x86_64_linux', 'x86_64_linux', 'x86_64_x86_64-nativesdk', 'allarch', 'cortexa35', 'aarch64', 'armv8a', 'armv8a-crc', 'cortexa35', 'ast2700_default'] jamin debug0 reverse ['ast2700_default', 'cortexa35', 'armv8a-crc', 'armv8a', 'aarch64', 'cortexa35', 'allarch', 'x86_64_x86_64-nativesdk', 'x86_64_linux', 'x86_64_x86_64_linux', 'x86_64_ubuntu-20.04', 'x86_64'] jamin debug1 [['base-files', 'False sstate:base-files:ast2700_emmc-openbmc-linux:3.0.14:r0:ast2700_emmc:11: sstate:base-files::3.0.14:r0::11:'], ['base-passwd', 'False sstate:base-passwd:cortexa35-openbmc-linux:3.6.2:r0:cortexa35:11: sstate:base-passwd::3.6.2:r0::11:'], ['dbus', 'False sstate:dbus:cortexa35-openbmc-linux:1.14.10:r0:cortexa35:11: sstate:dbus::1.14.10:r0::11:'], ['gcc-cross-aarch64', 'True 
sstate:gcc-cross-aarch64:x86_64-openbmc-linux:13.2.0:r0:x86_64:11: sstate:gcc-cross-aarch64::13.2.0:r0::11:'], ['gcc-runtime', 'False sstate:gcc-runtime:cortexa35-openbmc-linux:13.2.0:r0:cortexa35:11: sstate:gcc-runtime::13.2.0:r0::11:'], ['glibc', 'False sstate:glibc:cortexa35-openbmc-linux:2.38+git:r0:cortexa35:11: sstate:glibc::2.38+git:r0::11:'], ['libcereal', 'False sstate:libcereal:cortexa35-openbmc-linux:1.3.2+git:r0:cortexa35:11: sstate:libcereal::1.3.2+git:r0::11:'], ['meson-native', 'True sstate:meson-native:x86_64-linux:1.3.0:r0:x86_64:11: sstate:meson-native::1.3.0:r0::11:'], ['ninja-native', 'True sstate:ninja-native:x86_64-linux:1.11.1:r0:x86_64:11: sstate:ninja-native::1.11.1:r0::11:'], ['packagegroup-obmc-yaml-providers', 'False sstate:packagegroup-obmc-yaml-providers:cortexa35-openbmc-linux:1.0:r1:cortexa35:11: sstate:packagegroup-obmc-yaml-providers::1.0:r1::11:'], ['phosphor-dbus-interfaces', 'False sstate:phosphor-dbus-interfaces:cortexa35-openbmc-linux:1.0+git:r1:cortexa35:11:
[OE-core] [PATCH] devtool: modify: fix exception
Root Cause: initial_revs is an empty dictionary and does not have a "." key.

Traceback (most recent call last):
File "scripts/devtool", line 349, in ret = main()
File "scripts/devtool", line 336, in main ret = args.func(args, config, basepath, workspace)
File "scripts/lib/devtool/standard.py", line 922, in modify if not initial_revs["."]:
KeyError: '.'

Solution: check the key exists, then get its value.

Signed-off-by: Jamin Lin
---
scripts/lib/devtool/standard.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/lib/devtool/standard.py b/scripts/lib/devtool/standard.py index 559fd45676..2e56cd3050 100644 --- a/scripts/lib/devtool/standard.py +++ b/scripts/lib/devtool/standard.py @@ -921,7 +921,7 @@ def modify(args, config, basepath, workspace): if line.startswith('*'): (stdout, _) = bb.process.run('git rev-parse devtool-base', cwd=srctree) initial_revs["."] = stdout.rstrip() -if not initial_revs["."]: +if "." not in initial_revs: # Otherwise, just grab the head revision (stdout, _) = bb.process.run('git rev-parse HEAD', cwd=srctree) initial_revs["."] = stdout.rstrip() -- 2.25.1
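Review bot: the new test 'if "." not in initial_revs:' fixes the KeyError but loses the falsy check the old 'if not initial_revs["."]:' gave, so a "." entry set to an empty string (for example when the 'git rev-parse devtool-base' call in the preceding lines produces no output) no longer falls back to 'git rev-parse HEAD'. 'if not initial_revs.get("."):' handles both the missing key and an empty value in one condition.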