On 2/16/19 4:18 PM, Tom Rini wrote: > On Fri, Feb 15, 2019 at 05:43:32PM +0530, Lokesh Vutla wrote: >> >> >> On 2/15/2019 4:25 AM, Andrew F. Davis wrote: >>> On 2/13/19 9:46 PM, Lokesh Vutla wrote: >>>> >>>> >>>> On 14/02/19 12:07 AM, Andrew F. Davis wrote: >>>>> K3 HS devices require signed binaries for boot, use the SECDEV tools >>>>> to sign the boot artifacts during build. >>>>> >>>>> Signed-off-by: Andrew F. Davis <a...@ti.com> >>>>> --- >>>>> MAINTAINERS | 1 + >>>>> arch/arm/mach-k3/config.mk | 25 ++++++++++++++++++ >>>>> arch/arm/mach-k3/config_secure.mk | 44 +++++++++++++++++++++++++++++++ >>>>> tools/k3_fit_atf.sh | 8 ++++-- >>>>> 4 files changed, 76 insertions(+), 2 deletions(-) >>>>> create mode 100644 arch/arm/mach-k3/config_secure.mk >>>>> >>>>> diff --git a/MAINTAINERS b/MAINTAINERS >>>>> index 18cdca9447..ac6bd8cfca 100644 >>>>> --- a/MAINTAINERS >>>>> +++ b/MAINTAINERS >>>>> @@ -717,6 +717,7 @@ F: arch/arm/mach-omap2/omap5/sec_entry_cpu1.S >>>>> F: arch/arm/mach-omap2/sec-common.c >>>>> F: arch/arm/mach-omap2/config_secure.mk >>>>> F: arch/arm/mach-k3/security.c >>>>> +F: arch/arm/mach-k3/config_secure.mk >>>>> F: configs/am335x_hs_evm_defconfig >>>>> F: configs/am335x_hs_evm_uart_defconfig >>>>> F: configs/am43xx_hs_evm_defconfig >>>>> diff --git a/arch/arm/mach-k3/config.mk b/arch/arm/mach-k3/config.mk >>>>> index be00d79fb0..2d8f61f9db 100644 >>>>> --- a/arch/arm/mach-k3/config.mk >>>>> +++ b/arch/arm/mach-k3/config.mk 
>>>>> @@ -36,6 +36,14 @@ cmd_gencert = cat $(srctree)/tools/k3_x509template.txt >>>>> | sed $(SED_OPTS) > u-boo >>>>> # If external key is not provided, generate key using openssl. >>>>> ifeq ($(CONFIG_SYS_K3_KEY), "") >>>>> KEY=u-boot-spl-eckey.pem >>>>> +# On HS use real key or warn if not available >>>>> +ifeq ($(CONFIG_TI_SECURE_DEVICE),y) >>>>> +ifneq ($(wildcard $(TI_SECURE_DEV_PKG)/keys/custMpk.pem),) >>>>> +KEY=$(TI_SECURE_DEV_PKG)/keys/custMpk.pem >>>>> +else >>>>> +$(warning "WARNING: signing key not found. Random key will NOT work on >>>>> HS hardware!") >>>>> +endif >>>>> +endif >>>>> else >>>>> KEY=$(patsubst "%",$(srctree)/%,$(CONFIG_SYS_K3_KEY)) >>>>> endif >>>>> @@ -65,6 +73,15 @@ ALL-y += tiboot3.bin >>>>> endif >>>>> >>>>> ifdef CONFIG_ARM64 >>>>> +ifeq ($(CONFIG_TI_SECURE_DEVICE),y) >>>>> +SPL_ITS := u-boot-spl-k3_HS.its >>>>> +$(SPL_ITS): FORCE >>>>> + IS_HS=1 \ >>>>> + $(srctree)/tools/k3_fit_atf.sh \ >>>>> + $(patsubst %,$(obj)/dts/%.dtb,$(subst ",,$(CONFIG_SPL_OF_LIST))) > $@ >>>>> + >>>>> +ALL-y += tispl.bin_HS >>>>> +else >>>>> SPL_ITS := u-boot-spl-k3.its >>>>> $(SPL_ITS): FORCE >>>>> $(srctree)/tools/k3_fit_atf.sh \ >>>>> @@ -72,7 +89,15 @@ $(SPL_ITS): FORCE >>>>> >>>>> ALL-y += tispl.bin >>>>> endif >>>>> +endif >>>>> + >>>>> +else >>>>> >>>>> +ifeq ($(CONFIG_TI_SECURE_DEVICE),y) >>>>> +ALL-y += u-boot.img_HS >>>>> else >>>>> ALL-y += u-boot.img >>>>> endif >>>>> +endif >>>>> + >>>>> +include $(srctree)/arch/arm/mach-k3/config_secure.mk >>>>> diff --git a/arch/arm/mach-k3/config_secure.mk >>>>> b/arch/arm/mach-k3/config_secure.mk >>>>> new file mode 100644 >>>>> index 0000000000..6d63c57665 >>>>> --- /dev/null >>>>> +++ b/arch/arm/mach-k3/config_secure.mk 
>>>>> @@ -0,0 +1,44 @@ >>>>> +# SPDX-License-Identifier: GPL-2.0 >>>>> +# >>>>> +# Copyright (C) 2018 Texas Instruments, Incorporated - http://www.ti.com/ >>>>> +# Andrew F. Davis <a...@ti.com> >>>>> + >>>>> +quiet_cmd_k3secureimg = SECURE $@ >>>>> +ifneq ($(TI_SECURE_DEV_PKG),) >>>>> +ifneq ($(wildcard $(TI_SECURE_DEV_PKG)/scripts/secure-binary-image.sh),) >>>>> +cmd_k3secureimg = $(TI_SECURE_DEV_PKG)/scripts/secure-binary-image.sh \ >>>>> + $< $@ \ >>>>> + $(if $(KBUILD_VERBOSE:1=), >/dev/null) >>>>> +else >>>>> +cmd_k3secureimg = echo "WARNING:" \ >>>>> + "$(TI_SECURE_DEV_PKG)/scripts/secure-binary-image.sh not found." \ >>>>> + "$@ was NOT secured!"; cp $< $@ >>>>> +endif >>>>> +else >>>>> +cmd_k3secureimg = echo "WARNING: TI_SECURE_DEV_PKG environment" \ >>>>> + "variable must be defined for TI secure devices." \ >>>>> + "$@ was NOT secured!"; cp $< $@ >>>>> +endif >>>>> + >>>>> +%.dtb_HS: %.dtb FORCE >>>>> + $(call if_changed,k3secureimg) >>>>> + >>>>> +$(obj)/u-boot-spl-nodtb.bin_HS: $(obj)/u-boot-spl-nodtb.bin FORCE >>>>> + $(call if_changed,k3secureimg) >>>>> + >>>>> +tispl.bin_HS: $(obj)/u-boot-spl-nodtb.bin_HS $(patsubst >>>>> %,$(obj)/dts/%.dtb_HS,$(subst ",,$(CONFIG_SPL_OF_LIST))) $(SPL_ITS) FORCE >>>>> + $(call if_changed,mkfitimage) >>>>> + >>>>> +MKIMAGEFLAGS_u-boot.img_HS = -f auto -A $(ARCH) -T firmware -C none -O >>>>> u-boot \ >>>>> + -a $(CONFIG_SYS_TEXT_BASE) -e $(CONFIG_SYS_UBOOT_START) \ >>>>> + -n "U-Boot $(UBOOTRELEASE) for $(BOARD) board" -E \ >>>>> + $(patsubst %,-b arch/$(ARCH)/dts/%.dtb_HS,$(subst ",,$(CONFIG_OF_LIST))) >>>> >>>> I guess these HS postfixed dtbs will never get cleaned. I see the same >>>> issue >>>> with other TI secure devices as well. Can you update the clean rules as >>>> well? >>>> >>> >>> tiboot3.bin and tispl.bin also don't seem to be getting cleaned. I tried >> >> Yeah, these should be cleaned as well. >> >>> adding them to clean-files and CLEAN_FILES, neither worked. 
Outside of
>>
>> Looks like clean-files is relative to the current directory. You can
>> update arch/arm/dts/Makefile but it might be very generic.
>>
>> Tom, any suggestions to clean files in this case?
>
> I guess we need to update clean-files in arch/arm/dts/Makefile then,
> yes.
>
Then I will update that for all our extra artifacts in a separate patch
on top of this series.

Thanks,
Andrew
_______________________________________________
U-Boot mailing list
U-Boot@lists.denx.de
https://lists.denx.de/listinfo/u-boot
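
Review bot: The key lookup in the arch/arm/mach-k3/config.mk hunk at @@ -36,6 +36,14 is not guarded against an empty TI_SECURE_DEV_PKG, so with the variable unset `$(wildcard $(TI_SECURE_DEV_PKG)/keys/custMpk.pem)` probes `/keys/custMpk.pem` at the filesystem root and would pick up whatever key is there. config_secure.mk in this same patch wraps its use in `ifneq ($(TI_SECURE_DEV_PKG),)`; the same guard fits here. In the else branch the build only emits `$(warning ...)` and carries on with the generated u-boot-spl-eckey.pem, which the message itself says will not work on HS hardware, so `$(error ...)` or an explicit opt-out would be safer. The double quotes inside `$(warning "...")` are also printed literally by make and can be dropped.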
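
Review bot: Both fallback definitions of cmd_k3secureimg in the new arch/arm/mach-k3/config_secure.mk end in `cp $< $@`, so when TI_SECURE_DEV_PKG is unset or secure-binary-image.sh is missing the recipe still succeeds and leaves unsigned copies under the *_HS names (the .dtb_HS files and u-boot-spl-nodtb.bin_HS, which then feed tispl.bin_HS). Nothing in the output file distinguishes those from signed artifacts, and the only signal is an echo to stdout that is easy to lose in a parallel build log. Consider making the recipe fail in these two branches, or at least sending the warning to stderr with `>&2` and not producing a file with the _HS suffix when nothing was signed.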
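
Review bot: The two `$(SPL_ITS): FORCE` rules in the arch/arm/mach-k3/config.mk hunk at @@ -65,6 +73,15 differ only in the `IS_HS=1` prefix and the .its file name, and the added ifeq/else/endif layers around them and around `ALL-y += u-boot.img_HS` are hard to follow. Setting SPL_ITS, the IS_HS prefix and the ALL-y target inside one `ifeq ($(CONFIG_TI_SECURE_DEVICE),y)` block and keeping a single rule body would remove the duplication and make it easier to check that every HS build selects only the _HS targets.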