Add conditional nodes to sunxi-u-boot.dtsi to support building signed SPL and U-Boot images, using the same #ifdef scheme as in the Rockchip u-boot.dtsi. When CONFIG_SPL_FIT_SIGNATURE is enabled, the FIT image includes hash and signature nodes for firmware, loadables, and device trees, enabling SPL to verify U-Boot and associated binaries before boot.
This prepares Sunxi boards for secure boot flows similar to other SoCs.
Signed-off-by: Lukas Schmid <lukas.sch...@netcube.li>
---
 arch/arm/dts/sunxi-u-boot.dtsi | 68 ++++++++++++++++++++++++++++++++--
 1 file changed, 64 insertions(+), 4 deletions(-)
diff --git a/arch/arm/dts/sunxi-u-boot.dtsi b/arch/arm/dts/sunxi-u-boot.dtsi
index e1a9a7f5..bb428226 100644
--- a/arch/arm/dts/sunxi-u-boot.dtsi
+++ b/arch/arm/dts/sunxi-u-boot.dtsi
@@ -27,6 +27,38 @@
 #endif
 &binman {
+#ifdef CONFIG_SPL_FIT_SIGNATURE
+ spl {
+#ifdef CONFIG_SPL_IMAGE_TYPE_SUNXI_TOC0
+ filename = "spl/u-boot-spl.bin";
+#else
+ filename = "spl/sunxi-spl.bin";
+#endif
+
+ u-boot-spl-nodtb {
+ };
+
+ u-boot-spl-pubkey-dtb {
+ algo = "sha256,rsa2048";
+ required = "conf";
+ key-name-hint = "dev";
+ };
+ };
+
+#ifdef CONFIG_SPL_IMAGE_TYPE_SUNXI_TOC0
+ image {
+ filename = "spl/sunxi-spl.bin";
+
+ mkimage {
+ args = "-a 0x20060 -T sunxi_toc0";
+ data-to-imagename;
+
+ u-boot-spl {
+ };
+ };
+ };
+#endif
+#endif
 u-boot-sunxi-with-spl {
 filename = "u-boot-sunxi-with-spl.bin";
 pad-byte = <0xff>;
@@ -45,6 +77,9 @@
 description = "Configuration to load U-Boot and firmware";
 #address-cells = <1>;
 fit,fdt-list = "of-list";
+#ifdef CONFIG_SPL_FIT_SIGNATURE
+ fit,sign;
+#endif
 images {
 uboot {
@@ -60,6 +95,11 @@
 u-boot-nodtb {
 };
+#ifdef CONFIG_SPL_FIT_SIGNATURE
+ hash {
+ algo = "sha256";
+ };
+#endif
 };
 #if CONFIG_SUNXI_BL31_BASE
@@ -76,6 +116,11 @@
 filename = "bl31.bin";
 missing-msg = "atf-bl31-sunxi";
 };
+#ifdef CONFIG_SPL_FIT_SIGNATURE
+ hash {
+ algo = "sha256";
+ };
+#endif
 };
 #endif
@@ -92,6 +137,11 @@
 missing-msg = "scp-sunxi";
 optional;
 };
+#ifdef CONFIG_SPL_FIT_SIGNATURE
+ hash {
+ algo = "sha256";
+ };
+#endif
 };
 #endif
@@ -99,6 +149,11 @@
 description = "NAME";
 type = "flat_dt";
 compression = "none";
+#ifdef CONFIG_SPL_FIT_SIGNATURE
+ hash {
+ algo = "sha256";
+ };
+#endif
 };
 };
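Review bot: The TOC0 branch hard-codes the load address in `args = "-a 0x20060 -T sunxi_toc0";`, so the TOC0 header is only correct for boards whose SPL text base happens to be 0x20060; unless every board that selects CONFIG_SPL_IMAGE_TYPE_SUNXI_TOC0 is guaranteed that value, it should follow CONFIG_SPL_TEXT_BASE or at least carry a comment naming the SoC it is valid for. The non-TOC0 branch of the `spl` node writes its output to `spl/sunxi-spl.bin`, the file the `u-boot-sunxi-with-spl` image below already consumes; if that file is otherwise produced by the SPL Makefile with the eGON header, nothing in this hunk adds that header to the signed SPL, which is worth confirming. `key-name-hint = "dev"` in `u-boot-spl-pubkey-dtb` (and again in the `signature` node of the last hunk) pins the embedded verification key to the certificate named "dev" in binman's key directory, matching the Rockchip dtsi, so a comment such as `/* "dev" is the development key; production builds must point binman's keydir at the real key */` would make that requirement visible. `required = "conf"` is the right setting, since it makes SPL refuse any configuration that lacks a valid signature.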
@@ -108,16 +163,21 @@
 @config-SEQ {
 description = "NAME";
 #if CONFIG_SUNXI_BL31_BASE
- firmware = "atf";
+ firmware = "atf", "uboot";
 #else
 firmware = "uboot";
 #endif
 #if CONFIG_SUNXI_SCP_BASE
- loadables = "scp", "uboot";
-#else
- loadables = "uboot";
+ loadables = "scp";
 #endif
 fdt = "fdt-SEQ";
+#ifdef CONFIG_SPL_FIT_SIGNATURE
+ signature {
+ algo = "sha256,rsa2048";
+ key-name-hint = "dev";
+ sign-images = "firmware", "loadables", "fdt";
+ };
+#endif
 };
 };
 };
-- 
2.39.5
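Review bot: Moving `"uboot"` out of `loadables` into `firmware` (`firmware = "atf", "uboot";` and `loadables = "scp";`) is not guarded by CONFIG_SPL_FIT_SIGNATURE, so it also changes the unsigned ATF+SCP boot path, and the commit message does not say why it is needed. As far as I recall, the SPL FIT loader boots only the first `firmware` entry and locates U-Boot through `loadables` to append its device tree and pick up its entry point, so a second `firmware` entry may simply be ignored; please confirm the ATF-to-U-Boot handoff still works without signing, or keep `"uboot"` in `loadables`. The `signature` node hard-codes `key-name-hint = "dev"`, the same development key name the SPL pubkey node uses, so a short comment stating that binman expects the matching private key in its key directory would make the production-key requirement explicit. The enclosing `configurations` node starts outside this hunk.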