Re: [PATCH 7/7] RFC: Move Odroid-C2 to use binman to produce the image

2021-11-25 Thread Neil Armstrong 
On 25/11/2021 01:12, Simon Glass wrote:
> Hi Neil,
> 
> On Wed, 24 Nov 2021 at 07:26, Neil Armstrong  wrote:
>>
>> Hi Simon,
>>
>> On 24/11/2021 05:09, Simon Glass wrote:
>>> This shows how binman can be used to replace the long and complicated
>>> instructions with an automated build. It is still complicated to read
>>> but users don't have to worry about the details.
>>
>> Thanks for demonstarting that !
> 
> Thanks for looking at it.
> 
>>
>> I'm really not confident about using proprietary tools from mainline u-boot
>> source tree.
> 
> Arguably people already are doing this. At least this way it is in the
> open. If people have the right tools installed it will just work, with
> no extra steps.

OK, no problem then

> 
>>
>> Will the binman step quietly fail if tools/bins aren't available ?
> 
> It handles the case where binaries are missing (that's the
> --allow-missing) but not tools. I think we can do a similar thing,
> where it just warns that the image won't work because of a missing
> tool.
> 
> When a blob is missing there are instructions to tell the user how to
> create it. For tools we could have instructions on where to download
> the tool.

Is there a easy way to bypass the binman step ? In case for example we
want to chainload the original u-boot binary, or wrap it using other
tools afterwards like for secure boot ?

> 
> Is someone working on upstreaming the tools?

There is some alternate open-source tools in C:

https://github.com/afaerber/meson-tools (GXBB, GXL & GXM only)
https://github.com/repk/gxlimg (GXBB, GXL, GXM & AXG only)
https://github.com/angerman/meson64-tools (developed for G12B, should work on 
G12A & SM1)

But no unified tool, all this should probably be rewritten in a binman plugin 
at some point.

> 
>>
>>> It needs some tidying up and only supports Odroid-C2 at present.
>>
>> --- C4
>>
>> But i get the spirit !
>>
>> Seems it should work as-is on allmost all boards except Odroid-C2 which has
>> only pre-signed binaries provided by HK.
> 
> OK. There are a lot of instructions in doc/board/amlogic - are they
> all mostly the same If so we can use a common binman description for
> all boards.
> 
>>
>> The only work will be to replace acs_tool.py for pre-G12 SoCs.
>>
>>>
>>> Signed-off-by: Simon Glass 
>>> ---
>>>
>>>  arch/arm/dts/meson-sm1-odroid-c4-u-boot.dtsi | 107 
>>>  arch/arm/mach-meson/Kconfig  |   1 +
>>>  doc/board/amlogic/odroid-c4.rst  | 127 +--
>>>  scripts/pylint.base  |   1 +
>>>  tools/binman/etype/aml_encrypt.py| 124 ++
>>>  tools/binman/ftest.py|   3 +
>>>  tools/binman/missing-blob-help   |   6 +
>>>  tools/binman/test/213_aml_encrypt.dts|  38 ++
>>>  tools/binman/test/214_list_no_dtb.dts|  23 
>>>  9 files changed, 338 insertions(+), 92 deletions(-)
>>>  create mode 100644 tools/binman/etype/aml_encrypt.py
>>>  create mode 100644 tools/binman/test/213_aml_encrypt.dts
>>>  create mode 100644 tools/binman/test/214_list_no_dtb.dts
>>>
>>> diff --git a/arch/arm/dts/meson-sm1-odroid-c4-u-boot.dtsi 
>>> b/arch/arm/dts/meson-sm1-odroid-c4-u-boot.dtsi
>>> index 963bf96b256..b221ce6920b 100644
>>> --- a/arch/arm/dts/meson-sm1-odroid-c4-u-boot.dtsi
>>> +++ b/arch/arm/dts/meson-sm1-odroid-c4-u-boot.dtsi
>>> @@ -6,6 +6,113 @@
>>>
>>>  #include "meson-sm1-u-boot.dtsi"
>>>
>>> +/{
>>> + binman {
>>> + /* run --bootmk on all the included inputs */
>>> + aml-encrypt {
>>> + missing-msg = "aml-encrypt";
>>> + aml-algo = "g12a";
>>> + aml-op = "bootmk";
>>> + aml-level = "v3";
>>> +
>>> + /* produce a bl2, containing signed bl2 binaries */
>>> + bl2 {
>>> + type = "aml-encrypt";
>>> + aml-algo = "g12a";
>>> + aml-op = "bl2sig";
>>> +
>>> + /* sign the binary contaiing bl2 and acs */
>>> + aml-input {
>>> + type = "section";
>>> + bl2 {
>>> + type = "blob-ext";
>>> + size = <0xe000>;
>>> + filename = "bl2.bin";
>>> + };
>>> + acs {
>>> + type = "blob-ext";
>>> + size = <0x1000>;
>>> + filename = "acs.bin";
>>> + };
>>> + };
>>
>> This is nice way to get rid of blx_fix.sh !
> 
> Yes that sort of thing is

Re: [PATCH 7/7] RFC: Move Odroid-C2 to use binman to produce the image

2021-11-24 Thread Simon Glass 
Hi Neil,

On Wed, 24 Nov 2021 at 07:26, Neil Armstrong  wrote:
>
> Hi Simon,
>
> On 24/11/2021 05:09, Simon Glass wrote:
> > This shows how binman can be used to replace the long and complicated
> > instructions with an automated build. It is still complicated to read
> > but users don't have to worry about the details.
>
> Thanks for demonstarting that !

Thanks for looking at it.

>
> I'm really not confident about using proprietary tools from mainline u-boot
> source tree.

Arguably people already are doing this. At least this way it is in the
open. If people have the right tools installed it will just work, with
no extra steps.

>
> Will the binman step quietly fail if tools/bins aren't available ?

It handles the case where binaries are missing (that's the
--allow-missing) but not tools. I think we can do a similar thing,
where it just warns that the image won't work because of a missing
tool.

When a blob is missing there are instructions to tell the user how to
create it. For tools we could have instructions on where to download
the tool.

Is someone working on upstreaming the tools?

>
> > It needs some tidying up and only supports Odroid-C2 at present.
>
> --- C4
>
> But i get the spirit !
>
> Seems it should work as-is on allmost all boards except Odroid-C2 which has
> only pre-signed binaries provided by HK.

OK. There are a lot of instructions in doc/board/amlogic - are they
all mostly the same If so we can use a common binman description for
all boards.

>
> The only work will be to replace acs_tool.py for pre-G12 SoCs.
>
> >
> > Signed-off-by: Simon Glass 
> > ---
> >
> >  arch/arm/dts/meson-sm1-odroid-c4-u-boot.dtsi | 107 
> >  arch/arm/mach-meson/Kconfig  |   1 +
> >  doc/board/amlogic/odroid-c4.rst  | 127 +--
> >  scripts/pylint.base  |   1 +
> >  tools/binman/etype/aml_encrypt.py| 124 ++
> >  tools/binman/ftest.py|   3 +
> >  tools/binman/missing-blob-help   |   6 +
> >  tools/binman/test/213_aml_encrypt.dts|  38 ++
> >  tools/binman/test/214_list_no_dtb.dts|  23 
> >  9 files changed, 338 insertions(+), 92 deletions(-)
> >  create mode 100644 tools/binman/etype/aml_encrypt.py
> >  create mode 100644 tools/binman/test/213_aml_encrypt.dts
> >  create mode 100644 tools/binman/test/214_list_no_dtb.dts
> >
> > diff --git a/arch/arm/dts/meson-sm1-odroid-c4-u-boot.dtsi 
> > b/arch/arm/dts/meson-sm1-odroid-c4-u-boot.dtsi
> > index 963bf96b256..b221ce6920b 100644
> > --- a/arch/arm/dts/meson-sm1-odroid-c4-u-boot.dtsi
> > +++ b/arch/arm/dts/meson-sm1-odroid-c4-u-boot.dtsi
> > @@ -6,6 +6,113 @@
> >
> >  #include "meson-sm1-u-boot.dtsi"
> >
> > +/{
> > + binman {
> > + /* run --bootmk on all the included inputs */
> > + aml-encrypt {
> > + missing-msg = "aml-encrypt";
> > + aml-algo = "g12a";
> > + aml-op = "bootmk";
> > + aml-level = "v3";
> > +
> > + /* produce a bl2, containing signed bl2 binaries */
> > + bl2 {
> > + type = "aml-encrypt";
> > + aml-algo = "g12a";
> > + aml-op = "bl2sig";
> > +
> > + /* sign the binary contaiing bl2 and acs */
> > + aml-input {
> > + type = "section";
> > + bl2 {
> > + type = "blob-ext";
> > + size = <0xe000>;
> > + filename = "bl2.bin";
> > + };
> > + acs {
> > + type = "blob-ext";
> > + size = <0x1000>;
> > + filename = "acs.bin";
> > + };
> > + };
>
> This is nice way to get rid of blx_fix.sh !

Yes that sort of thing is easy with Binman.

>
> > + };
> > +
> > + /* produce a bl30, containing signed bl30 binaries */
> > + bl30 {
> > + type = "aml-encrypt";
> > + aml-algo = "g12a";
> > + aml-op = "bl3sig";
> > + aml-level = "v3";
> > + aml-type = "bl30";
> > +
> > + /* sign the binary contaiing bl30 and bl301 */
> > + aml-input {
> > + type = "aml-encrypt";
> > + aml-algo =

Re: [PATCH 7/7] RFC: Move Odroid-C2 to use binman to produce the image

2021-11-24 Thread Neil Armstrong 
Hi Simon,

On 24/11/2021 05:09, Simon Glass wrote:
> This shows how binman can be used to replace the long and complicated
> instructions with an automated build. It is still complicated to read
> but users don't have to worry about the details.

Thanks for demonstarting that !

I'm really not confident about using proprietary tools from mainline u-boot
source tree.

Will the binman step quietly fail if tools/bins aren't available ?

> It needs some tidying up and only supports Odroid-C2 at present.

--- C4

But i get the spirit !

Seems it should work as-is on allmost all boards except Odroid-C2 which has
only pre-signed binaries provided by HK.

The only work will be to replace acs_tool.py for pre-G12 SoCs.

> 
> Signed-off-by: Simon Glass 
> ---
> 
>  arch/arm/dts/meson-sm1-odroid-c4-u-boot.dtsi | 107 
>  arch/arm/mach-meson/Kconfig  |   1 +
>  doc/board/amlogic/odroid-c4.rst  | 127 +--
>  scripts/pylint.base  |   1 +
>  tools/binman/etype/aml_encrypt.py| 124 ++
>  tools/binman/ftest.py|   3 +
>  tools/binman/missing-blob-help   |   6 +
>  tools/binman/test/213_aml_encrypt.dts|  38 ++
>  tools/binman/test/214_list_no_dtb.dts|  23 
>  9 files changed, 338 insertions(+), 92 deletions(-)
>  create mode 100644 tools/binman/etype/aml_encrypt.py
>  create mode 100644 tools/binman/test/213_aml_encrypt.dts
>  create mode 100644 tools/binman/test/214_list_no_dtb.dts
> 
> diff --git a/arch/arm/dts/meson-sm1-odroid-c4-u-boot.dtsi 
> b/arch/arm/dts/meson-sm1-odroid-c4-u-boot.dtsi
> index 963bf96b256..b221ce6920b 100644
> --- a/arch/arm/dts/meson-sm1-odroid-c4-u-boot.dtsi
> +++ b/arch/arm/dts/meson-sm1-odroid-c4-u-boot.dtsi
> @@ -6,6 +6,113 @@
>  
>  #include "meson-sm1-u-boot.dtsi"
>  
> +/{
> + binman {
> + /* run --bootmk on all the included inputs */
> + aml-encrypt {
> + missing-msg = "aml-encrypt";
> + aml-algo = "g12a";
> + aml-op = "bootmk";
> + aml-level = "v3";
> +
> + /* produce a bl2, containing signed bl2 binaries */
> + bl2 {
> + type = "aml-encrypt";
> + aml-algo = "g12a";
> + aml-op = "bl2sig";
> +
> + /* sign the binary contaiing bl2 and acs */
> + aml-input {
> + type = "section";
> + bl2 {
> + type = "blob-ext";
> + size = <0xe000>;
> + filename = "bl2.bin";
> + };
> + acs {
> + type = "blob-ext";
> + size = <0x1000>;
> + filename = "acs.bin";
> + };
> + };

This is nice way to get rid of blx_fix.sh !

> + };
> +
> + /* produce a bl30, containing signed bl30 binaries */
> + bl30 {
> + type = "aml-encrypt";
> + aml-algo = "g12a";
> + aml-op = "bl3sig";
> + aml-level = "v3";
> + aml-type = "bl30";
> +
> + /* sign the binary contaiing bl30 and bl301 */
> + aml-input {
> + type = "aml-encrypt";
> + aml-algo = "g12a";
> + aml-op = "bl30sig";
> + aml-level = "v3";
> +
> + /*
> +  * put bl30 and bl301 together, with
> +  * the necessary paddiung
> +  */
> + aml-input {
> + type = "section";
> + bl30 {
> + type = "blob-ext";
> + size = <0xa000>;
> + filename = "bl30.bin";
> + };
> + bl301 {
> + type = "blob-ext";
> + size = <0x3400>;
> +