Digi
/
meta-digi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

stm-st-stm32mp: tf-a: add support to ConnectCore MP25 DVK platform 

Add support based on v2.8 version from STM release
openstlinux-6.1-yocto-mickledore-mp2-v23.12.06.

https://onedigi.atlassian.net/browse/DEL-8995

Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit is contained in:
Arturo Buzarra 2024-07-04 16:24:34 +02:00
parent 7d660349e8
commit 0ad2b42f93
11 changed files with 1636 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

567
meta-digi-arm/classes/fip-utils-stm32mp2.bbclass Normal file
View File

@ -0,0 +1,567 @@
inherit sign-stm32mp2
DEPENDS += "tf-a-tools-native util-linux-native"
# Configure new package to provide fiptool wrapper for SDK usage
PACKAGES =+ "${FIPTOOL_WRAPPER}"
BBCLASSEXTEND:append = " nativesdk"
RRECOMMENDS:${FIPTOOL_WRAPPER}:append:class-nativesdk = " nativesdk-tf-a-tools"
# Define default TF-A FIP namings
FIP_BASENAME ?= "fip"
FIP_SUFFIX ?= "bin"
# Set default TF-A FIP config
FIP_CONFIG ?= ""
# Default FIP config:
# There are two options implemented to select two different firmware and each
# FIP_CONFIG should configure one: 'tfa' or 'optee'
FIP_CONFIG_FW_TFA = "tfa"
FIP_CONFIG_FW_TEE = "optee"
# Init BL31 config
FIP_BL31_ENABLE ?= ""
# Set CERTTOOL binary name to use
CERTTOOL ?= "cert_create"
# Set ENCTOOL binary name to use
ENCTOOL ?= "encrypt_fw"
# Set FIPTOOL binary name to use
FIPTOOL ?= "fiptool"
# Set STM32MP fiptool wrapper
FIPTOOL_WRAPPER ?= "fiptool-stm32mp"
# Default FIP file names and suffixes
FIP_BL31 ?= "tf-a-bl31"
FIP_BL31_SUFFIX ?= "bin"
FIP_BL31_DTB ?= "bl31"
FIP_BL31_DTB_SUFFIX ?= "dtb"
FIP_TFA ?= "tf-a-bl32"
FIP_TFA_SUFFIX ?= "bin"
FIP_TFA_DTB ?= "bl32"
FIP_TFA_DTB_SUFFIX ?= "dtb"
FIP_FW_CONFIG ?= "fw-config"
FIP_FW_CONFIG_SUFFIX ?= "dtb"
FIP_FW_DDR ?= "ddr_pmu"
FIP_FW_DDR_SUFFIX ?= "bin"
FIP_OPTEE_HEADER ?= "tee-header_v2"
FIP_OPTEE_PAGER ?= "tee-pager_v2"
FIP_OPTEE_PAGEABLE ?= "tee-pageable_v2"
FIP_OPTEE_SUFFIX ?= "bin"
FIP_UBOOT ?= "u-boot-nodtb"
FIP_UBOOT_SUFFIX ?= "bin"
FIP_UBOOT_DTB ?= "u-boot"
FIP_UBOOT_DTB_SUFFIX ?= "dtb"
# Configure default folder path for binaries to package
FIP_DEPLOYDIR_FIP ?= "${DEPLOYDIR}/fip"
FIP_DEPLOYDIR_BL31 ?= "${DEPLOYDIR}/arm-trusted-firmware/bl31"
FIP_DEPLOYDIR_TFA ?= "${DEPLOYDIR}/arm-trusted-firmware/bl32"
FIP_DEPLOYDIR_FWCONF ?= "${DEPLOYDIR}/arm-trusted-firmware/fwconfig"
FIP_DEPLOYDIR_FWDDR ?= "${DEPLOYDIR}/arm-trusted-firmware/ddr"
FIP_DEPLOYDIR_OPTEE ?= "${DEPLOY_DIR}/images/${MACHINE}/optee"
FIP_DEPLOYDIR_UBOOT ?= "${DEPLOY_DIR}/images/${MACHINE}/u-boot"
# Set default configuration to allow FIP signing
FIP_ENCRYPT_SUFFIX ??= "${@bb.utils.contains('ENCRYPT_ENABLE', '1', '${ENCRYPT_SUFFIX}', '', d)}"
FIP_ENCRYPT_NONCE ??= "1234567890abcdef12345678"
FIP_SIGN_SUFFIX ??= "${@bb.utils.contains('SIGN_ENABLE', '1', '${SIGN_SUFFIX}', '', d)}"
# Define FIP dependency build
FIP_DEPENDS += "virtual/bootloader"
FIP_DEPENDS += "${@bb.utils.contains('MACHINE_FEATURES', 'optee', 'virtual/optee-os', '', d)}"
FIP_DEPENDS:class-nativesdk = ""
# -----------------------------------------------
# Handle FIP config and set internal vars
# FIP_BL32_CONF
python () {
import re
# Make sure that deploy class is configured
if not bb.data.inherits_class('deploy', d):
bb.fatal("The st-fip-utils class needs the deploy class to be configured on recipe side.")
# Manage FIP binary dependencies
fip_depends = (d.getVar('FIP_DEPENDS') or "").split()
if len(fip_depends) > 0:
for depend in fip_depends:
d.appendVarFlag('do_deploy', 'depends', ' %s:do_deploy' % depend)
# Manage FIP config settings
fipconfigflags = d.getVarFlags('FIP_CONFIG')
if fipconfigflags is not None:
# The "doc" varflag is special, we don't want to see it here
fipconfigflags.pop('doc', None)
fipconfig = (d.getVar('FIP_CONFIG') or "").split()
if not fipconfig:
raise bb.parse.SkipRecipe("FIP_CONFIG must be set in the %s machine configuration." % d.getVar("MACHINE"))
if (d.getVar('FIP_BL32_CONF') or "").split():
raise bb.parse.SkipRecipe("You cannot use FIP_BL32_CONF as it is internal to FIP_CONFIG var expansion.")
if (d.getVar('FIP_DEVICETREE') or "").split():
raise bb.parse.SkipRecipe("You cannot use FIP_DEVICETREE as it is internal to FIP_CONFIG var expansion.")
if len(fipconfig) > 0:
# Init internal fip firmware config
fip_config_fw_tfa = d.getVar('FIP_CONFIG_FW_TFA') or ""
fip_config_fw_tee = d.getVar('FIP_CONFIG_FW_TEE') or ""
for config in fipconfig:
for f, v in fipconfigflags.items():
if config == f:
# Make sure to get var flag properly expanded
v = d.getVarFlag('FIP_CONFIG', config)
if not v.strip():
bb.fatal('[FIP_CONFIG] Missing configuration for %s config' % config)
items = v.split(',')
if items[0] and len(items) > 2:
raise bb.parse.SkipRecipe('Only <BL32_CONF> and <DT_CONFIG> can be specified!')
# Set internal vars
if items[0] == fip_config_fw_tfa or items[0] == fip_config_fw_tee:
bb.debug(1, "Appending '%s' to FIP_BL32_CONF" % items[0])
d.appendVar('FIP_BL32_CONF', items[0] + ',')
else:
bb.fatal('[FIP_CONFIG] Wrong configuration for %s config: %s should be one of %s or %s' % (config,items[0],fip_config_fw_tfa,fip_config_fw_tee))
bb.debug(1, "Appending '%s' to FIP_DEVICETREE" % items[1])
d.appendVar('FIP_DEVICETREE', items[1] + ',')
break
}
# Deploy the fip binary for current target
do_deploy:append:class-target() {
install -d ${DEPLOYDIR}
install -d ${FIP_DEPLOYDIR_FIP}
unset i
for config in ${FIP_CONFIG}; do
i=$(expr $i + 1)
bl32_conf=$(echo ${FIP_BL32_CONF} | cut -d',' -f${i})
dt_config=$(echo ${FIP_DEVICETREE} | cut -d',' -f${i})
for dt in ${dt_config}; do
# Init soc suffix
soc_suffix=""
if [ -n "${STM32MP_SOC_NAME}" ]; then
for soc in ${STM32MP_SOC_NAME}; do
[ "$(echo ${dt} | grep -c ${soc})" -eq 1 ] && soc_suffix="-${soc}"
done
fi
# Init FIP fw-config settings
[ -f "${FIP_DEPLOYDIR_FWCONF}/${dt}-${FIP_FW_CONFIG}-${config}.${FIP_FW_CONFIG_SUFFIX}" ] || bbfatal "Missing ${dt}-${FIP_FW_CONFIG}-${config}.${FIP_FW_CONFIG_SUFFIX} file in folder: ${FIP_DEPLOYDIR_FWCONF}"
FIP_FWCONFIG="--fw-config ${FIP_DEPLOYDIR_FWCONF}/${dt}-${FIP_FW_CONFIG}-${config}.${FIP_FW_CONFIG_SUFFIX}"
# Init FIP hw-config settings
[ -f "${FIP_DEPLOYDIR_UBOOT}/${FIP_UBOOT_DTB}-${dt}.${FIP_UBOOT_DTB_SUFFIX}" ] || bbfatal "Missing ${FIP_UBOOT_DTB}-${dt}.${FIP_UBOOT_DTB_SUFFIX} file in folder: ${FIP_DEPLOYDIR_UBOOT}"
FIP_HWCONFIG="--hw-config ${FIP_DEPLOYDIR_UBOOT}/${FIP_UBOOT_DTB}-${dt}.${FIP_UBOOT_DTB_SUFFIX}"
# Init FIP nt-fw config
[ -f "${FIP_DEPLOYDIR_UBOOT}/${FIP_UBOOT}${soc_suffix}.${FIP_UBOOT_SUFFIX}" ] || bbfatal "Missing ${FIP_UBOOT}${soc_suffix}.${FIP_UBOOT_SUFFIX} file in folder: ${FIP_DEPLOYDIR_UBOOT}"
FIP_NTFW="--nt-fw ${FIP_DEPLOYDIR_UBOOT}/${FIP_UBOOT}${soc_suffix}.${FIP_UBOOT_SUFFIX}"
# Init FIP bl31 settings
if [ "${FIP_BL31_ENABLE}" = "1" ]; then
# Check for files
[ -f "${FIP_DEPLOYDIR_BL31}/${FIP_BL31}${soc_suffix}.${FIP_BL31_SUFFIX}" ] || bbfatal "Missing ${FIP_BL31}${soc_suffix}.${FIP_BL31_SUFFIX} file in folder: ${FIP_DEPLOYDIR_BL31}"
[ -f "${FIP_DEPLOYDIR_BL31}/${dt}-${FIP_BL31_DTB}.${FIP_BL31_DTB_SUFFIX}" ] || bbfatal "Missing ${dt}-${FIP_BL31_DTB}.${FIP_BL31_DTB_SUFFIX} file in folder: ${FIP_DEPLOYDIR_BL31}"
# Set CERT_BL31CONF
CERT_BL31CONF=" \
--soc-fw ${FIP_DEPLOYDIR_BL31}/${FIP_BL31}${soc_suffix}.${FIP_BL31_SUFFIX} \
--soc-fw-config ${FIP_DEPLOYDIR_BL31}/${dt}-${FIP_BL31_DTB}.${FIP_BL31_DTB_SUFFIX} \
"
if [ "${ENCRYPT_ENABLE}" = "1" ]; then
encrypt_key="${ENCRYPT_FIP_KEY_PATH_LIST}"
if [ -n "${STM32MP_ENCRYPT_SOC_NAME}" ]; then
unset k
for soc in ${STM32MP_ENCRYPT_SOC_NAME}; do
k=$(expr $k + 1)
[ "$(echo ${dt} | grep -c ${soc})" -eq 1 ] && encrypt_key=$(echo ${ENCRYPT_FIP_KEY_PATH_LIST} | cut -d',' -f${k})
done
fi
encrypt_key="$(hexdump -e '/1 "%02x"' ${encrypt_key})"
# encrypt bl31 binary
bbnote "${ENCTOOL} --key ${encrypt_key} --nonce ${FIP_ENCRYPT_NONCE} --fw-enc-status 0 \
--in \"${FIP_DEPLOYDIR_BL31}/${FIP_BL31}${soc_suffix}.${FIP_BL31_SUFFIX}\" \
--out \"${FIP_DEPLOYDIR_BL31}/${FIP_BL31}${soc_suffix}${FIP_ENCRYPT_SUFFIX}.${FIP_BL31_SUFFIX}\" "
${ENCTOOL} --key ${encrypt_key} --nonce ${FIP_ENCRYPT_NONCE} --fw-enc-status 0 \
--in "${FIP_DEPLOYDIR_BL31}/${FIP_BL31}${soc_suffix}.${FIP_BL31_SUFFIX}" \
--out "${FIP_DEPLOYDIR_BL31}/${FIP_BL31}${soc_suffix}${FIP_ENCRYPT_SUFFIX}.${FIP_BL31_SUFFIX}"
# encrypt bl31 devicetree
bbnote "${ENCTOOL} --key ${encrypt_key} --nonce ${FIP_ENCRYPT_NONCE} --fw-enc-status 0 \
--in \"${FIP_DEPLOYDIR_BL31}/${dt}-${FIP_BL31_DTB}.${FIP_BL31_DTB_SUFFIX}\" \
--out \"${FIP_DEPLOYDIR_BL31}/${dt}-${FIP_BL31_DTB}${FIP_ENCRYPT_SUFFIX}.${FIP_BL31_DTB_SUFFIX} \" "
${ENCTOOL} --key ${encrypt_key} --nonce ${FIP_ENCRYPT_NONCE} --fw-enc-status 0 \
--in "${FIP_DEPLOYDIR_BL31}/${dt}-${FIP_BL31_DTB}.${FIP_BL31_DTB_SUFFIX}" \
--out "${FIP_DEPLOYDIR_BL31}/${dt}-${FIP_BL31_DTB}${FIP_ENCRYPT_SUFFIX}.${FIP_BL31_DTB_SUFFIX}"
fi
# Set FIP_BL31CONF
FIP_BL31CONF="\
--soc-fw ${FIP_DEPLOYDIR_BL31}/${FIP_BL31}${soc_suffix}${FIP_ENCRYPT_SUFFIX}.${FIP_BL31_SUFFIX} \
--soc-fw-config ${FIP_DEPLOYDIR_BL31}/${dt}-${FIP_BL31_DTB}${FIP_ENCRYPT_SUFFIX}.${FIP_BL31_DTB_SUFFIX} \
"
else
CERT_BL31CONF=""
FIP_BL31CONF=""
fi
# Init FIP extra conf settings
if [ "${bl32_conf}" = "${FIP_CONFIG_FW_TFA}" ]; then
# Check for files
[ -f "${FIP_DEPLOYDIR_TFA}/${FIP_TFA}${soc_suffix}.${FIP_TFA_SUFFIX}" ] || bbfatal "Missing ${FIP_TFA}${soc_suffix}.${FIP_TFA_SUFFIX} file in folder: ${FIP_DEPLOYDIR_TFA}"
[ -f "${FIP_DEPLOYDIR_TFA}/${dt}-${FIP_TFA_DTB}.${FIP_TFA_DTB_SUFFIX}" ] || bbfatal "Missing ${dt}-${FIP_TFA_DTB}.${FIP_TFA_DTB_SUFFIX} file in folder: ${FIP_DEPLOYDIR_TFA}"
# Set FIP_EXTRACONF
FIP_EXTRACONF="\
--tos-fw ${FIP_DEPLOYDIR_TFA}/${FIP_TFA}${soc_suffix}.${FIP_TFA_SUFFIX} \
--tos-fw-config ${FIP_DEPLOYDIR_TFA}/${dt}-${FIP_TFA_DTB}.${FIP_TFA_DTB_SUFFIX} \
"
elif [ "${bl32_conf}" = "${FIP_CONFIG_FW_TEE}" ]; then
# Check for files
[ -f "${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_HEADER}-${dt}.${FIP_OPTEE_SUFFIX}" ] || bbfatal "Missing ${FIP_OPTEE_HEADER}-${dt}.${FIP_OPTEE_SUFFIX} file in folder: ${FIP_DEPLOYDIR_OPTEE}"
[ -f "${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_PAGER}-${dt}.${FIP_OPTEE_SUFFIX}" ] || bbfatal "Missing ${FIP_OPTEE_PAGER}-${dt}.${FIP_OPTEE_SUFFIX} file in folder: ${FIP_DEPLOYDIR_OPTEE}"
[ -f "${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_PAGEABLE}-${dt}.${FIP_OPTEE_SUFFIX}" ] || bbfatal "Missing ${FIP_OPTEE_PAGEABLE}-${dt}.${FIP_OPTEE_SUFFIX} file in folder: ${FIP_DEPLOYDIR_OPTEE}"
# Set CERT_EXTRACONF
CERT_EXTRACONF="\
--tos-fw ${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_HEADER}-${dt}.${FIP_OPTEE_SUFFIX} \
--tos-fw-extra1 ${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_PAGER}-${dt}.${FIP_OPTEE_SUFFIX} \
--tos-fw-extra2 ${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_PAGEABLE}-${dt}.${FIP_OPTEE_SUFFIX} \
"
if [ "${ENCRYPT_ENABLE}" = "1" ]; then
encrypt_key="${ENCRYPT_FIP_KEY_PATH_LIST}"
if [ -n "${STM32MP_ENCRYPT_SOC_NAME}" ]; then
unset k
for soc in ${STM32MP_ENCRYPT_SOC_NAME}; do
k=$(expr $k + 1)
[ "$(echo ${dt} | grep -c ${soc})" -eq 1 ] && encrypt_key=$(echo ${ENCRYPT_FIP_KEY_PATH_LIST} | cut -d',' -f${k})
done
fi
encrypt_key="$(hexdump -e '/1 "%02x"' ${encrypt_key})"
# encrypt optee header
bbnote "${ENCTOOL} --key ${encrypt_key} --nonce ${FIP_ENCRYPT_NONCE} --fw-enc-status 0 \
--in \"${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_HEADER}-${dt}.${FIP_OPTEE_SUFFIX}\" \
--out \"${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_HEADER}-${dt}${FIP_ENCRYPT_SUFFIX}.${FIP_OPTEE_SUFFIX}\" "
${ENCTOOL} --key ${encrypt_key} --nonce ${FIP_ENCRYPT_NONCE} --fw-enc-status 0 \
--in "${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_HEADER}-${dt}.${FIP_OPTEE_SUFFIX}" \
--out "${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_HEADER}-${dt}${FIP_ENCRYPT_SUFFIX}.${FIP_OPTEE_SUFFIX}"
# encrypt optee pager
bbnote "${ENCTOOL} --key ${encrypt_key} --nonce ${FIP_ENCRYPT_NONCE} --fw-enc-status 0 \
--in \"${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_PAGER}-${dt}.${FIP_OPTEE_SUFFIX}\" \
--out \"${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_PAGER}-${dt}${FIP_ENCRYPT_SUFFIX}.${FIP_OPTEE_SUFFIX}\" "
${ENCTOOL} --key ${encrypt_key} --nonce ${FIP_ENCRYPT_NONCE} --fw-enc-status 0 \
--in "${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_PAGER}-${dt}.${FIP_OPTEE_SUFFIX}" \
--out "${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_PAGER}-${dt}${FIP_ENCRYPT_SUFFIX}.${FIP_OPTEE_SUFFIX}"
# encrypt optee pageable
bbnote "${ENCTOOL} --key ${encrypt_key} --nonce ${FIP_ENCRYPT_NONCE} --fw-enc-status 0 \
--in \"${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_PAGEABLE}-${dt}.${FIP_OPTEE_SUFFIX}\" \
--out \"${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_PAGEABLE}-${dt}${FIP_ENCRYPT_SUFFIX}.${FIP_OPTEE_SUFFIX}\" "
${ENCTOOL} --key ${encrypt_key} --nonce ${FIP_ENCRYPT_NONCE} --fw-enc-status 0 \
--in "${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_PAGEABLE}-${dt}.${FIP_OPTEE_SUFFIX}" \
--out "${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_PAGEABLE}-${dt}${FIP_ENCRYPT_SUFFIX}.${FIP_OPTEE_SUFFIX}"
fi
# Set FIP_EXTRACONF
FIP_EXTRACONF="\
--tos-fw ${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_HEADER}-${dt}${FIP_ENCRYPT_SUFFIX}.${FIP_OPTEE_SUFFIX} \
--tos-fw-extra1 ${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_PAGER}-${dt}${FIP_ENCRYPT_SUFFIX}.${FIP_OPTEE_SUFFIX} \
--tos-fw-extra2 ${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_PAGEABLE}-${dt}${FIP_ENCRYPT_SUFFIX}.${FIP_OPTEE_SUFFIX} \
"
else
bbfatal "Wrong configuration '${bl32_conf}' found in FIP_CONFIG for ${config} config."
fi
# Init FIP DDR config settings
if [ -f "${FIP_DEPLOYDIR_FWDDR}/${FIP_FW_DDR}-${dt}.${FIP_FW_DDR_SUFFIX}" ]; then
FIP_DDRCONF="--ddr-fw ${FIP_DEPLOYDIR_FWDDR}/${FIP_FW_DDR}-${dt}.${FIP_FW_DDR_SUFFIX}"
CERT_DDRCONF="--ddr-fw ${FIP_DEPLOYDIR_FWDDR}/${FIP_FW_DDR}-${dt}.${FIP_FW_DDR_SUFFIX}"
else
FIP_DDRCONF=""
CERT_DDRCONF=""
fi
# Init certificate settings
if [ "${SIGN_ENABLE}" = "1" ]; then
sign_key="${SIGN_KEY_PATH_LIST}"
if [ $(echo ${SIGN_KEY_PASS} | wc -w) -gt 1 ]; then
sign_single_key_pass=$(echo ${SIGN_KEY_PASS} | cut -d' ' -f1)
else
sign_single_key_pass="${SIGN_KEY_PASS}"
fi
if [ -n "${STM32MP_SOC_NAME}" ]; then
unset k
for soc in ${STM32MP_SOC_NAME}; do
k=$(expr $k + 1)
[ "$(echo ${dt} | grep -c ${soc})" -eq 1 ] && sign_key=$(echo ${SIGN_KEY_PATH_LIST} | cut -d',' -f${k})
done
fi
mkdir -p ${B}/${config}-${dt}
FIP_CERTCONF="\
--tb-fw-cert ${B}/${config}-${dt}/tb_fw.crt \
--trusted-key-cert ${B}/${config}-${dt}/trusted_key.crt \
--nt-fw-cert ${B}/${config}-${dt}/nt_fw_content.crt \
--nt-fw-key-cert ${B}/${config}-${dt}/nt_fw_key.crt \
--tos-fw-cert ${B}/${config}-${dt}/tos_fw_content.crt \
--tos-fw-key-cert ${B}/${config}-${dt}/tos_fw_key.crt \
--stm32mp-cfg-cert ${B}/${config}-${dt}/stm32mp_cfg_cert.crt \
"
if [ "${FIP_BL31_ENABLE}" = "1" ]; then
FIP_CERTCONF="${FIP_CERTCONF} \
--soc-fw-cert ${B}/${config}-${dt}/soc_fw_content.crt \
--soc-fw-key-cert ${B}/${config}-${dt}/soc_fw_key.crt \
"
fi
# Need fake bl2 binary to generate certificates
touch ${WORKDIR}/bl2-fake.bin
# Generate certificates
bbnote "${CERTTOOL} -n --tfw-nvctr 0 --ntfw-nvctr 0 --key-alg ecdsa --hash-alg sha256 \
--rot-key ${sign_key} \
--rot-key-pwd $sign_single_key_pass \
${FIP_FWCONFIG} \
${FIP_HWCONFIG} \
${FIP_NTFW} \
${FIP_CERTCONF} \
${CERT_EXTRACONF} \
${CERT_DDRCONF} \
${CERT_BL31CONF} \
--tb-fw ${WORKDIR}/bl2-fake.bin"
${CERTTOOL} -n --tfw-nvctr 0 --ntfw-nvctr 0 --key-alg ecdsa --hash-alg sha256 \
--rot-key ${sign_key} \
--rot-key-pwd $sign_single_key_pass \
${FIP_FWCONFIG} \
${FIP_HWCONFIG} \
${FIP_NTFW} \
${FIP_CERTCONF} \
${CERT_EXTRACONF} \
${CERT_DDRCONF} \
${CERT_BL31CONF} \
--tb-fw ${WORKDIR}/bl2-fake.bin
# Remove fake bl2 binary
rm -f ${WORKDIR}/bl2-fake.bin
# Init FIP DDR cert settings
FIP_DDRCERTCONF="--stm32mp-cfg-cert ${B}/${config}-${dt}/stm32mp_cfg_cert_ddr.crt"
# Generate FIP DDR certificates
if [ -f "${FIP_DEPLOYDIR_FWDDR}/${FIP_FW_DDR}-${dt}.${FIP_FW_DDR_SUFFIX}" ]; then
bbnote "${CERTTOOL} -n --tfw-nvctr 0 \
--rot-key ${sign_key} \
--rot-key-pwd $sign_single_key_pass \
${FIP_DDRCERTCONF} \
${CERT_DDRCONF}"
${CERTTOOL} -n --tfw-nvctr 0 \
--rot-key ${sign_key} \
--rot-key-pwd $sign_single_key_pass \
${FIP_DDRCERTCONF} \
${CERT_DDRCONF}
fi
else
FIP_CERTCONF=""
FIP_DDRCERTCONF=""
fi
# Generate FIP binary
bbnote "${FIPTOOL} create \
${FIP_FWCONFIG} \
${FIP_HWCONFIG} \
${FIP_NTFW} \
${FIP_BL31CONF} \
${FIP_EXTRACONF} \
${FIP_DDRCONF} \
${FIP_CERTCONF} \
${FIP_DEPLOYDIR_FIP}/${FIP_BASENAME}-${dt}-${config}${FIP_ENCRYPT_SUFFIX}${FIP_SIGN_SUFFIX}.${FIP_SUFFIX}"
${FIPTOOL} create \
${FIP_FWCONFIG} \
${FIP_HWCONFIG} \
${FIP_NTFW} \
${FIP_BL31CONF} \
${FIP_EXTRACONF} \
${FIP_DDRCONF} \
${FIP_CERTCONF} \
${FIP_DEPLOYDIR_FIP}/${FIP_BASENAME}-${dt}-${config}${FIP_ENCRYPT_SUFFIX}${FIP_SIGN_SUFFIX}.${FIP_SUFFIX}
# Generate FIP DDR binary
if [ -f "${FIP_DEPLOYDIR_FWDDR}/${FIP_FW_DDR}-${dt}.${FIP_FW_DDR_SUFFIX}" ]; then
bbnote "${FIPTOOL} create \
${FIP_DDRCERTCONF} \
${FIP_DDRCONF} \
${FIP_DEPLOYDIR_FIP}/${FIP_BASENAME}-${dt}-ddr${FIP_ENCRYPT_SUFFIX}${FIP_SIGN_SUFFIX}.${FIP_SUFFIX}"
${FIPTOOL} create \
${FIP_DDRCERTCONF} \
${FIP_DDRCONF} \
${FIP_DEPLOYDIR_FIP}/${FIP_BASENAME}-${dt}-ddr${FIP_ENCRYPT_SUFFIX}${FIP_SIGN_SUFFIX}.${FIP_SUFFIX}
fi
done
done
}
# Stub do_compile for nativesdk use case as we only expect to provide FIPTOOL_WRAPPER
do_compile:class-nativesdk() {
return
}
do_install:class-nativesdk() {
# Create the FIPTOOL_WRAPPER script to use on sdk side
cat << EOF > ${WORKDIR}/${FIPTOOL_WRAPPER}
#!/bin/bash -
function bbfatal() { echo "\$*" ; exit 1 ; }
# Set default TF-A FIP config
FIP_CONFIG="\${FIP_CONFIG:-${FIP_CONFIG}}"
FIP_BL31_ENABLE="\${FIP_BL31_ENABLE:-${FIP_BL31_ENABLE}}"
FIP_BL32_CONF=""
FIP_DEVICETREE="\${FIP_DEVICETREE:-}"
# Set default supported configuration for devicetree and bl32 configuration
declare -A FIP_BL32_CONF_ARRAY
declare -A FIP_DEVICETREE_ARRAY
EOF
for config in ${FIP_CONFIG}; do
i=$(expr $i + 1)
cat << EOF >> ${WORKDIR}/${FIPTOOL_WRAPPER}
FIP_BL32_CONF_ARRAY[${config}]="$(echo ${FIP_BL32_CONF} | cut -d',' -f${i})"
FIP_DEVICETREE_ARRAY[${config}]="$(echo ${FIP_DEVICETREE} | cut -d',' -f${i})"
EOF
done
unset i
cat << EOF >> ${WORKDIR}/${FIPTOOL_WRAPPER}
# Make sure about FIP_CONFIG value
if [ -z "\$FIP_CONFIG" ]; then
bbfatal "Wrong configuration 'FIP_CONFIG' is empty."
else
# Check that configuration match any of the supported ones
for config in \$FIP_CONFIG; do
CONFIG_FOUND=NO
for fip_config in ${FIP_CONFIG}; do
[ "\${config}" = "\${fip_config}" ] && { CONFIG_FOUND="YES" ; break; }
done
[ "\${CONFIG_FOUND}" = "NO" ] && bbfatal "Wrong 'FIP_CONFIG' configuration : \${config} is not one of the supported one (${FIP_CONFIG})"
done
fi
# Manage FIP_BL32_CONF default init
if [ -z "\$FIP_BL32_CONF" ]; then
# Assigned default supported value
for config in \$FIP_CONFIG; do
FIP_BL32_CONF+="\${FIP_BL32_CONF_ARRAY[\${config}]},"
done
fi
# Manage FIP_DEVICETREE default init
if [ -z "\$FIP_DEVICETREE" ]; then
# Assigned default supported value
for config in \$FIP_CONFIG; do
FIP_DEVICETREE+="\${FIP_DEVICETREE_ARRAY[\${config}]},"
done
fi
# Configure default folder path for binaries to package
FIP_DEPLOYDIR_ROOT="\${FIP_DEPLOYDIR_ROOT:-}"
FIP_DEPLOYDIR_FIP="\${FIP_DEPLOYDIR_FIP:-\$FIP_DEPLOYDIR_ROOT/fip}"
FIP_DEPLOYDIR_TFA="\${FIP_DEPLOYDIR_TFA:-\$FIP_DEPLOYDIR_ROOT/arm-trusted-firmware/bl32}"
FIP_DEPLOYDIR_BL31="\${FIP_DEPLOYDIR_BL31:-\$FIP_DEPLOYDIR_ROOT/arm-trusted-firmware/bl31}"
FIP_DEPLOYDIR_FWDDR="\${FIP_DEPLOYDIR_FWDDR:-\$FIP_DEPLOYDIR_ROOT/arm-trusted-firmware/ddr}"
FIP_DEPLOYDIR_FWCONF="\${FIP_DEPLOYDIR_FWCONF:-\$FIP_DEPLOYDIR_ROOT/arm-trusted-firmware/fwconfig}"
FIP_DEPLOYDIR_OPTEE="\${FIP_DEPLOYDIR_OPTEE:-\$FIP_DEPLOYDIR_ROOT/optee}"
FIP_DEPLOYDIR_UBOOT="\${FIP_DEPLOYDIR_UBOOT:-\$FIP_DEPLOYDIR_ROOT/u-boot}"
echo ""
echo "${FIPTOOL_WRAPPER} config:"
for config in \$FIP_CONFIG; do
i=\$(expr \$i + 1)
bl32_conf=\$(echo \$FIP_BL32_CONF | cut -d',' -f\$i)
dt_config=\$(echo \$FIP_DEVICETREE | cut -d',' -f\$i)
echo " \${config}:" ; \\
echo " bl32 config value: \${bl32_conf}"
echo " devicetree config: \${dt_config}"
done
echo ""
echo "Switch configuration:"
echo " FIP_BL31_ENABLE : \$FIP_BL31_ENABLE"
echo ""
echo "Output folders:"
echo " FIP_DEPLOYDIR_ROOT : \$FIP_DEPLOYDIR_ROOT"
echo " FIP_DEPLOYDIR_FIP : \$FIP_DEPLOYDIR_FIP"
echo " FIP_DEPLOYDIR_TFA : \$FIP_DEPLOYDIR_TFA"
echo " FIP_DEPLOYDIR_BL31 : \$FIP_DEPLOYDIR_BL31"
echo " FIP_DEPLOYDIR_FWCONF: \$FIP_DEPLOYDIR_FWCONF"
echo " FIP_DEPLOYDIR_OPTEE : \$FIP_DEPLOYDIR_OPTEE"
echo " FIP_DEPLOYDIR_UBOOT : \$FIP_DEPLOYDIR_UBOOT"
echo ""
unset i
for config in \$FIP_CONFIG; do
i=\$(expr \$i + 1)
bl32_conf=\$(echo \$FIP_BL32_CONF | cut -d',' -f\$i)
dt_config=\$(echo \$FIP_DEVICETREE | cut -d',' -f\$i)
for dt in \${dt_config}; do
# Init soc suffix
soc_suffix=""
if [ -n "${STM32MP_SOC_NAME}" ]; then
for soc in ${STM32MP_SOC_NAME}; do
[ "\$(echo \${dt} | grep -c \${soc})" -eq 1 ] && soc_suffix="-\${soc}"
done
fi
# Init FIP fw-config settings
[ -f "\$FIP_DEPLOYDIR_FWCONF/\${dt}-${FIP_FW_CONFIG}-\${config}.${FIP_FW_CONFIG_SUFFIX}" ] || bbfatal "Missing \${dt}-${FIP_FW_CONFIG}-\${config}.${FIP_FW_CONFIG_SUFFIX} file in folder: \\\$FIP_DEPLOYDIR_FWCONF or '\\\$FIP_DEPLOYDIR_ROOT/arm-trusted-firmware/fwconfig'"
FIP_FWCONFIG="--fw-config \$FIP_DEPLOYDIR_FWCONF/\${dt}-${FIP_FW_CONFIG}-\${config}.${FIP_FW_CONFIG_SUFFIX}"
# Init FIP hw-config settings
[ -f "\$FIP_DEPLOYDIR_UBOOT/${FIP_UBOOT_DTB}-\${dt}.${FIP_UBOOT_DTB_SUFFIX}" ] || bbfatal "Missing ${FIP_UBOOT_DTB}-\${dt}.${FIP_UBOOT_DTB_SUFFIX} file in folder: '\\\$FIP_DEPLOYDIR_UBOOT' or '\\\$FIP_DEPLOYDIR_ROOT/u-boot'"
FIP_HWCONFIG="--hw-config \$FIP_DEPLOYDIR_UBOOT/${FIP_UBOOT_DTB}-\${dt}.${FIP_UBOOT_DTB_SUFFIX}"
# Init FIP nt-fw config
[ -f "\$FIP_DEPLOYDIR_UBOOT/${FIP_UBOOT}\${soc_suffix}.${FIP_UBOOT_SUFFIX}" ] || bbfatal "Missing ${FIP_UBOOT}\${soc_suffix}.${FIP_UBOOT_SUFFIX} file in folder: '\\\$FIP_DEPLOYDIR_UBOOT' or '\\\$FIP_DEPLOYDIR_ROOT/u-boot'"
FIP_NTFW="--nt-fw \$FIP_DEPLOYDIR_UBOOT/${FIP_UBOOT}\${soc_suffix}.${FIP_UBOOT_SUFFIX}"
# Init FIP bl31 settings
if [ "\$FIP_BL31_ENABLE" = "1" ]; then
# Check for files
[ -f "\$FIP_DEPLOYDIR_BL31/${FIP_BL31}\${soc_suffix}.${FIP_BL31_SUFFIX}" ] || bbfatal "Missing \$FIP_DEPLOYDIR_BL31/${FIP_BL31}\${soc_suffix}.${FIP_BL31_SUFFIX} file in folder: '\\\$FIP_DEPLOYDIR_BL31' or '\\\$FIP_DEPLOYDIR_ROOT/arm-trusted-firmware/bl31'"
[ -f "\$FIP_DEPLOYDIR_BL31/\${dt}-${FIP_BL31_DTB}.${FIP_BL31_DTB_SUFFIX}" ] || bbfatal "Missing \${dt}-${FIP_BL31_DTB}.${FIP_BL31_DTB_SUFFIX} file in folder: '\\\$FIP_DEPLOYDIR_BL31' or '\\\$FIP_DEPLOYDIR_ROOT/arm-trusted-firmware/bl31'"
# Set FIP_BL31CONF
FIP_BL31CONF="\\
--soc-fw \$FIP_DEPLOYDIR_BL31/${FIP_BL31}\${soc_suffix}.${FIP_BL31_SUFFIX} \\
--soc-fw-config \$FIP_DEPLOYDIR_BL31/\${dt}-${FIP_BL31_DTB}.${FIP_BL31_DTB_SUFFIX} \\
"
else
FIP_BL31CONF=""
fi
# Init FIP extra conf settings
if [ "\${bl32_conf}" = "${FIP_CONFIG_FW_TFA}" ]; then
# Check for files
[ -f "\$FIP_DEPLOYDIR_TFA/${FIP_TFA}\${soc_suffix}.${FIP_TFA_SUFFIX}" ] || bbfatal "Missing ${FIP_TFA}\${soc_suffix}.${FIP_TFA_SUFFIX} file in folder: '\\\$FIP_DEPLOYDIR_TFA' or '\\\$FIP_DEPLOYDIR_ROOT/arm-trusted-firmware/bl32'"
[ -f "\$FIP_DEPLOYDIR_TFA/\${dt}-${FIP_TFA_DTB}.${FIP_TFA_DTB_SUFFIX}" ] || bbfatal "Missing \${dt}-${FIP_TFA_DTB}.${FIP_TFA_DTB_SUFFIX} file in folder: '\\\$FIP_DEPLOYDIR_TFA' or '\\\$FIP_DEPLOYDIR_ROOT/arm-trusted-firmware/bl32'"
# Set FIP_EXTRACONF
FIP_EXTRACONF="\\
--tos-fw \$FIP_DEPLOYDIR_TFA/${FIP_TFA}\${soc_suffix}.${FIP_TFA_SUFFIX} \\
--tos-fw-config \$FIP_DEPLOYDIR_TFA/\${dt}-${FIP_TFA_DTB}.${FIP_TFA_DTB_SUFFIX} \\
"
elif [ "\${bl32_conf}" = "${FIP_CONFIG_FW_TEE}" ]; then
# Check for files
[ -f "\$FIP_DEPLOYDIR_OPTEE/${FIP_OPTEE_HEADER}-\${dt}.${FIP_OPTEE_SUFFIX}" ] || bbfatal "Missing ${FIP_OPTEE_HEADER}-\${dt}.${FIP_OPTEE_SUFFIX} file in folder: '\\\$FIP_DEPLOYDIR_OPTEE' or '\\\$FIP_DEPLOYDIR_ROOT/optee'"
[ -f "\$FIP_DEPLOYDIR_OPTEE/${FIP_OPTEE_PAGER}-\${dt}.${FIP_OPTEE_SUFFIX}" ] || bbfatal "Missing ${FIP_OPTEE_PAGER}-\${dt}.${FIP_OPTEE_SUFFIX} file in folder: '\\\$FIP_DEPLOYDIR_OPTEE' or '\\\$FIP_DEPLOYDIR_ROOT/optee'"
[ -f "\$FIP_DEPLOYDIR_OPTEE/${FIP_OPTEE_PAGEABLE}-\${dt}.${FIP_OPTEE_SUFFIX}" ] || bbfatal "Missing ${FIP_OPTEE_PAGEABLE}-\${dt}.${FIP_OPTEE_SUFFIX} file in folder: '\\\$FIP_DEPLOYDIR_OPTEE' or '\\\$FIP_DEPLOYDIR_ROOT/optee'"
# Set FIP_EXTRACONF
FIP_EXTRACONF="\\
--tos-fw \$FIP_DEPLOYDIR_OPTEE/${FIP_OPTEE_HEADER}-\${dt}.${FIP_OPTEE_SUFFIX} \\
--tos-fw-extra1 \$FIP_DEPLOYDIR_OPTEE/${FIP_OPTEE_PAGER}-\${dt}.${FIP_OPTEE_SUFFIX} \\
--tos-fw-extra2 \$FIP_DEPLOYDIR_OPTEE/${FIP_OPTEE_PAGEABLE}-\${dt}.${FIP_OPTEE_SUFFIX} \\
"
else
bbfatal "Wrong configuration '\${bl32_conf}' found in FIP_CONFIG for \${config} config."
fi
# DRR FW
if [ -f "\$FIP_DEPLOYDIR_FWDDR/${FIP_FW_DDR}-\${dt}.${FIP_FW_DDR_SUFFIX}" ]; then
FIP_EXTRACONF="\$FIP_EXTRACONF --ddr-fw \$FIP_DEPLOYDIR_FWDDR/${FIP_FW_DDR}-\${dt}.${FIP_FW_DDR_SUFFIX} "
${FIPTOOL} create \\
--ddr-fw \$FIP_DEPLOYDIR_FWDDR/${FIP_FW_DDR}-\${dt}.${FIP_FW_DDR_SUFFIX} \\
\$FIP_DEPLOYDIR_FIP/${FIP_BASENAME}-\${dt}-ddr.${FIP_SUFFIX}
echo "[${FIPTOOL}] DDR FW created"
fi
# Generate FIP binary
echo "[${FIPTOOL}] Create ${FIP_BASENAME}-\${dt}-\${config}.${FIP_SUFFIX} fip binary into 'FIP_DEPLOYDIR_FIP' folder..."
[ -d "\$FIP_DEPLOYDIR_FIP" ] || mkdir -p "\$FIP_DEPLOYDIR_FIP"
${FIPTOOL} create \\
\$FIP_FWCONFIG \\
\$FIP_HWCONFIG \\
\$FIP_NTFW \\
\$FIP_BL31CONF \\
\$FIP_EXTRACONF \\
\$FIP_DEPLOYDIR_FIP/${FIP_BASENAME}-\${dt}-\${config}.${FIP_SUFFIX}
echo "[${FIPTOOL}] Done"
done
done
EOF
# Install the FIPTOOL_WRAPPER
install -d ${D}${bindir}
install -m 0755 ${WORKDIR}/${FIPTOOL_WRAPPER} ${D}${bindir}/
}
# Feed package for sdk with our fiptool wrapper
FILES:${FIPTOOL_WRAPPER}:class-nativesdk = "${bindir}/${FIPTOOL_WRAPPER}"

125
meta-digi-arm/classes/sign-stm32mp2.bbclass Normal file
View File

@ -0,0 +1,125 @@
EXTERNAL_KEY_CONF ??= "0"
ENCRYPT_ENABLE ??= "0"
ENCRYPT_FIP_KEY ??= ""
ENCRYPT_FSBL_KEY ??= ""
ENCRYPT_SUFFIX ??= "_Encrypted"
SIGN_ENABLE ??= "0"
SIGN_KEY ??=""
SIGN_KEY_PASS ??= ""
SIGN_SUFFIX ??= "_Signed"
SIGN_TOOL ??= ""
def search_path(file_search, d):
"""
Check for <file_search> path availability from BBPATH
And return the <file_search> absolute path
"""
search_path = d.getVar("BBPATH").split(":")
for p in search_path:
file_path = os.path.join(p, file_search)
if os.path.isfile(file_path):
return file_path
bbpaths = d.getVar('BBPATH').replace(':','\n\t')
bb.fatal('\n[sign-stm32mp] Not able to find "%s" path from current BBPATH var:\n\t%s.' % (file_search, bbpaths))
def init_keylist_from(keylist, keyinput, soclist, d):
"""
Build the <keylist> var as a coma separated list of values,
Using either the default <keyinput> var value
or any defined <keyinput>_socname var value
(with 'socname' item comming from <soclist> var value list)
"""
# Init soc name list
socname_list = (d.getVar(soclist) or "").split()
# Init key from keyinput var value
key = d.getVar(keyinput) or ""
if key:
# Check first if keyinput_<soc> is defined to use it
if len(socname_list) > 0:
# Configure keylist according to STM32MP_SOC_NAME list
d.setVar(keylist, '')
for socname in socname_list:
key = d.getVar(keyinput + '_' + socname) or ""
if key:
if d.getVar('EXTERNAL_KEY_CONF') == '1':
key = search_path(key, d)
bb.debug(1, "[sign-stm32mp] Append '%s' path to %s (socname %s)." % (key, keylist, socname))
d.appendVar(keylist, key + ',')
else:
bb.fatal("[sign-stm32mp] Please make sure to configure \"%s_%s\" var to key file." % (keyinput, socname))
else:
# Default to keyinput value setting
if d.getVar('EXTERNAL_KEY_CONF') == '1':
key = search_path(key, d)
bb.debug(1, "[sign-stm32mp] Set %s to '%s' path." % (keylist, key))
d.setVar(keylist, key)
else:
bb.debug(1, "[sign-stm32mp] Set %s to '%s' path." % (keylist, key))
d.setVar(keylist, key)
else:
# Check first if keyinput_<soc> is defined to use it
if len(socname_list) > 0:
# Configure keylist according to STM32MP_SOC_NAME list
d.setVar(keylist, '')
for socname in socname_list:
key = d.getVar(keyinput + '_' + socname)
if key:
if d.getVar('EXTERNAL_KEY_CONF') == '1':
key = search_path(key, d)
bb.debug(1, "[sign-stm32mp] Append '%s' path to %s (socname %s)." % (key, keylist, socname))
d.appendVar(keylist, key + ',')
else:
bb.fatal("[sign-stm32mp] Please make sure to configure \"%s_%s\" var to key file." % (keyinput, socname))
else:
bb.fatal("[sign-stm32mp] Please make sure to configure \"%s\" var to key file." % keyinput)
python __anonymous() {
if d.getVar('SIGN_ENABLE') == "1" or d.getVar('ENCRYPT_ENABLE') == "1":
# Signing process is dedicated to "target" recipe only:
# Make sure to discard native and nativesdk
for native_class in ['native', 'nativesdk']:
if bb.data.inherits_class(native_class, d):
return
# Check for SIGN_TOOL configuration
signtool = d.getVar('SIGN_TOOL') or ""
if not signtool:
bb.fatal("[sign-stm32mp] Please make sure to configure \"SIGN_TOOL\" var to signing tool.")
# Check for SIGN_TOOL is present in PATH environment variable
if not bb.utils.which(d.getVar('PATH'), signtool):
bb.debug(1, "[sign-stm32mp] %s binary is not found in PATH." % signtool)
signtool_path = search_path(signtool, d)
bb.debug(1, "[sign-stm32mp] Set SIGN_TOOL to '%s' path." % signtool_path)
d.setVar('SIGN_TOOL', signtool_path)
if d.getVar('SIGN_ENABLE') == "1":
# Check for internal use of SIGN_KEY_PATH_LIST
signingkey_list = d.getVar('SIGN_KEY_PATH_LIST')
if signingkey_list:
raise bb.parse.SkipRecipe("[sign-stm32mp] You cannot use SIGN_KEY_PATH_LIST as it is internal to sign-stm32mp.bbclass.")
# Init SIGN_KEY_PATH_LIST from SIGN_KEY settings
init_keylist_from('SIGN_KEY_PATH_LIST', 'SIGN_KEY', 'STM32MP_SOC_NAME', d)
if d.getVar('ENCRYPT_ENABLE') == "1":
if d.getVar('SIGN_ENABLE') == "0":
bb.fatal("[sign-stm32mp] You need to set 'SIGN_ENABLE = 1' to encrypt and sign binaries at once.")
# Check for internal use of ENCRYPT_FSBL_KEY_PATH_LIST
fsbl_encryptkey_list = d.getVar('ENCRYPT_FSBL_KEY_PATH_LIST')
if fsbl_encryptkey_list:
raise bb.parse.SkipRecipe("[sign-stm32mp] You cannot use ENCRYPT_FSBL_KEY_PATH_LIST as it is internal to sign-stm32mp.bbclass.")
# Init ENCRYPT_KEY_PATH_LIST from ENCRYPT_KEY settings
init_keylist_from('ENCRYPT_FSBL_KEY_PATH_LIST', 'ENCRYPT_FSBL_KEY', 'STM32MP_ENCRYPT_SOC_NAME', d)
# Check for internal use of ENCRYPT_FIP_KEY_PATH_LIST
fip_encryptkey_list = d.getVar('ENCRYPT_FIP_KEY_PATH_LIST')
if fip_encryptkey_list:
raise bb.parse.SkipRecipe("[sign-stm32mp] You cannot use ENCRYPT_FIP_KEY_PATH_LIST as it is internal to sign-stm32mp.bbclass.")
# Init ENCRYPT_KEY_PATH_LIST from ENCRYPT_KEY settings
init_keylist_from('ENCRYPT_FIP_KEY_PATH_LIST', 'ENCRYPT_FIP_KEY', 'STM32MP_ENCRYPT_SOC_NAME', d)
}

36
meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp2-common.inc Normal file
View File

@ -0,0 +1,36 @@
FILESEXTRAPATHS:prepend := "${THISDIR}/tf-a-stm32mp:"
SECTION = "bootloaders"
LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://license.rst;md5=1dd070c98a281d18d9eefd938729b031"
CVE_PRODUCT = "arm:trusted_firmware-a"
SRC_URI = "git://git.trustedfirmware.org/TF-A/trusted-firmware-a.git;protocol=http;branch=lts-v2.8"
SRCREV = "f94d6db9b101d3d4cd053e54edd5b876f1cc84ec"
SRC_URI += " \
file://tf-a-st-ddr.tar.gz;subdir=git;name=fw \
file://0001-v2.8-stm32mp25-beta.patch \
"
SRC_URI[fw.sha256sum] = "c87d8a03a8feab1f8a51818a7942deade5d31abb7f4afaa6d6dfa922383e9805"
TF_A_VERSION = "v2.8.12"
TF_A_SUBVERSION = "stm32mp"
TF_A_RELEASE = "beta-r1"
PV = "${TF_A_VERSION}-${TF_A_SUBVERSION}-${TF_A_RELEASE}"
ARCHIVER_ST_BRANCH = "${TF_A_VERSION}-${TF_A_SUBVERSION}"
ARCHIVER_ST_REVISION = "${PV}"
ARCHIVER_COMMUNITY_BRANCH = "master"
ARCHIVER_COMMUNITY_REVISION = "${TF_A_VERSION}"
S = "${WORKDIR}/git"
# ---------------------------------
# Configure default preference to manage dynamic selection between tarball and github
# ---------------------------------
STM32MP_SOURCE_SELECTION ?= "tarball"
DEFAULT_PREFERENCE = "${@bb.utils.contains('STM32MP_SOURCE_SELECTION', 'github', '-1', '1', d)}"

19
meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp2-config.inc Normal file
View File

@ -0,0 +1,19 @@
# Define config for each TF_A_CONFIG
# TF_A_CONFIG[config] ?= "<list of devicetree>,<extra opt flags>,<binary basename (default: 'tf-a')>,<make target (default: 'all')>,<type of binary to deploy: [bl2 bl31 bl32 fwconfig] (default 'bl2')>"
TF_A_OPTEE_param:stm32mp1common = "AARCH32_SP=optee"
TF_A_OPTEE_param:stm32mp2common = "SPD=opteed"
TF_A_CONFIG[optee] ?= "${STM32MP_DEVICETREE},${TF_A_OPTEE_param},,${@bb.utils.contains('FIP_BL31_ENABLE', '1', 'bl31 dtbs', 'dtbs', d)},${@bb.utils.contains('FIP_BL31_ENABLE', '1', 'bl31 fwconfig', 'fwconfig', d)}"
TF_A_CONFIG[emmc] ?= "${DEVICE_BOARD_ENABLE:EMMC},STM32MP_EMMC=1 ${@bb.utils.contains('MACHINE_FEATURES', 'fw-update', 'PSA_FWU_SUPPORT=1', '', d)}"
TF_A_CONFIG[nand] ?= "${DEVICE_BOARD_ENABLE:NAND},STM32MP_RAW_NAND=1 ${@bb.utils.contains('MACHINE_FEATURES', 'fw-update', 'PSA_FWU_SUPPORT=1', '', d)} ${@'STM32MP_FORCE_MTD_START_OFFSET=${TF_A_MTD_START_OFFSET_NAND}' if ${TF_A_MTD_START_OFFSET_NAND} else ''}"
TF_A_CONFIG[nor] ?= "${DEVICE_BOARD_ENABLE:NOR},STM32MP_SPI_NOR=1 ${@bb.utils.contains('MACHINE_FEATURES', 'fw-update', 'PSA_FWU_SUPPORT=1', '', d)} ${@'STM32MP_FORCE_MTD_START_OFFSET=${TF_A_MTD_START_OFFSET_NOR}' if ${TF_A_MTD_START_OFFSET_NOR} else ''}"
TF_A_CONFIG[sdcard] ?= "${DEVICE_BOARD_ENABLE:SDCARD},STM32MP_SDMMC=1 ${@bb.utils.contains('MACHINE_FEATURES', 'fw-update', 'PSA_FWU_SUPPORT=1', '', d)}"
TF_A_CONFIG[spinand] ?= "${DEVICE_BOARD_ENABLE:SPINAND},STM32MP_SPI_NAND=1 ${@bb.utils.contains('MACHINE_FEATURES', 'fw-update', 'PSA_FWU_SUPPORT=1', '', d)} ${@'STM32MP_FORCE_MTD_START_OFFSET=${TF_A_MTD_START_OFFSET_SPINAND}' if ${TF_A_MTD_START_OFFSET_SPINAND} else ''}"
TF_A_CONFIG[uart] ?= "${STM32MP_DEVICETREE},STM32MP_UART_PROGRAMMER=1"
TF_A_CONFIG[usb] ?= "${STM32MP_DEVICETREE},STM32MP_USB_PROGRAMMER=1"
# Define configuration for SSP
TF_A_CONFIG[uart-ssp] ?= "${STM32MP_DEVICETREE},STM32MP_UART_PROGRAMMER=1 STM32MP_SSP=1,tf-a-ssp"
TF_A_CONFIG[usb-ssp] ?= "${STM32MP_DEVICETREE},STM32MP_USB_PROGRAMMER=1 STM32MP_SSP=1,tf-a-ssp"

603
meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp2.inc Normal file
View File

@ -0,0 +1,603 @@
FILESEXTRAPATHS:prepend := "${THISDIR}/tf-a-stm32mp:"
PROVIDES += "virtual/trusted-firmware-a"
PACKAGE_ARCH = "${MACHINE_ARCH}"
inherit deploy
#inherit sign-stm32mp
inherit fip-utils-stm32mp2
#inherit external-dt
STAGING_EXTDT_DIR = "${TMPDIR}/work-shared/${MACHINE}/external-dt"
# Include TF-A config definitions
require tf-a-stm32mp2-config.inc
# ------------------------------------
# Set MBEDTLS support
TFA_MBEDTLS_DIR ?= "mbedtls"
# MBEDTLS v2.28.5
SRC_URI_MBEDTLS = "git://github.com/ARMmbed/mbedtls.git;protocol=https;destsuffix=git/${TFA_MBEDTLS_DIR};branch=mbedtls-2.28;name=mbedtls"
SRCREV_mbedtls = "47e8cc9db2e469d902b0e3093ae9e482c3d87188"
LIC_FILES_CHKSUM_MBEDTLS = "file://mbedtls/LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
LICENSE_MBEDTLS = "Apache-2.0"
# Add MBEDTLS to our sources
SRC_URI:append = " ${@bb.utils.contains('SIGN_ENABLE', '1', '${SRC_URI_MBEDTLS}', '', d)}"
# Update license variables
LICENSE:append = "${@bb.utils.contains('SIGN_ENABLE', '1', ' & ${LICENSE_MBEDTLS}', '', d)}"
LIC_FILES_CHKSUM:append = "${@bb.utils.contains('SIGN_ENABLE', '1', ' ${LIC_FILES_CHKSUM_MBEDTLS}', '', d)}"
# Add mbed TLS to version
SRCREV_FORMAT:append = "${@bb.utils.contains('SIGN_ENABLE', '1', '_mbedtls', '', d)}"
# ------------------------------------
B = "${WORKDIR}/build"
# Configure build dir for externalsrc class usage through devtool
EXTERNALSRC_BUILD:pn-${PN} = "${WORKDIR}/build"
DEPENDS += "dtc-native openssl-native"
DEPENDS:append = " ${@bb.utils.contains('TF_A_ENABLE_DEBUG_WRAPPER', '1', 'stm32wrapper4dbg-native', '', d)}"
# Default log level
ST_TF_A_DEBUG ??= "1"
ST_TF_A_DEBUG_TRACE ??= "0"
ST_TF_A_LOG_LEVEL_RELEASE ??= "20"
ST_TF_A_LOG_LEVEL_DEBUG ??= "40"
# Configure make settings
EXTRA_OEMAKE += 'PLAT=${TFA_PLATFORM}'
EXTRA_OEMAKE += 'ARCH=${TFA_ARM_ARCH}'
EXTRA_OEMAKE += 'ARM_ARCH_MAJOR=${TFA_ARM_MAJOR}'
EXTRA_OEMAKE += 'CROSS_COMPILE=${TARGET_PREFIX}'
# Debug support
EXTRA_OEMAKE += "${@bb.utils.contains('ST_TF_A_DEBUG_TRACE', '1', 'DEBUG=${ST_TF_A_DEBUG}', '', d)}"
EXTRA_OEMAKE += "${@bb.utils.contains('ST_TF_A_DEBUG_TRACE', '1', 'LOG_LEVEL=${ST_TF_A_LOG_LEVEL_DEBUG}', 'LOG_LEVEL=${ST_TF_A_LOG_LEVEL_RELEASE}', d)}"
EXTRA_OEMAKE += "${@bb.utils.contains('EXTERNAL_DT_ENABLED', '1', 'TFA_EXTERNAL_DT=${STAGING_EXTDT_DIR}/tf-a', '', d)}"
# OPTEE in sysram
EXTRA_OEMAKE:append:stm32mp1common = " ${@bb.utils.contains('ST_OPTEE_IN_SYSRAM', '1', 'STM32MP1_OPTEE_IN_SYSRAM=1', '', d)}"
# Define default TF-A namings
TF_A_BASENAME ?= "tf-a"
TF_A_SUFFIX ?= "stm32"
# Output the ELF generated
ELF_DEBUG_ENABLE ?= ""
TF_A_ELF_SUFFIX = "elf"
BL1_NAME ?= "bl1/bl1"
BL1_ELF = "${BL1_NAME}.${TF_A_ELF_SUFFIX}"
BL1_BASENAME = "${@os.path.basename(d.getVar("BL1_NAME"))}"
BL1_BASENAME_DEPLOY ?= "${@os.path.basename(d.getVar("BL1_NAME"))}"
BL2_NAME ?= "bl2/bl2"
BL2_ELF = "${BL2_NAME}.${TF_A_ELF_SUFFIX}"
BL2_BASENAME = "${@os.path.basename(d.getVar("BL2_NAME"))}"
BL2_BASENAME_DEPLOY ?= "${@os.path.basename(d.getVar("BL2_NAME"))}"
BL31_NAME ?= "bl31/bl31"
BL31_ELF = "${BL31_NAME}.${TF_A_ELF_SUFFIX}"
BL31_BASENAME = "${@os.path.basename(d.getVar("BL31_NAME"))}"
BL31_BASENAME_DEPLOY ?= "${@os.path.basename(d.getVar("BL31_NAME"))}"
BL31_SUFFIX ?= "bin"
BL32_NAME ?= "bl32/bl32"
BL32_ELF = "${BL32_NAME}.${TF_A_ELF_SUFFIX}"
BL32_BASENAME = "${@os.path.basename(d.getVar("BL32_NAME"))}"
BL32_BASENAME_DEPLOY ?= "${@os.path.basename(d.getVar("BL32_NAME"))}"
BL32_SUFFIX ?= "bin"
DT_SUFFIX ?= "dtb"
FWCONFIG_NAME ?= "fw-config"
# Output the firwmare ddr
TF_A_FWDDR ?= "0"
TF_A_FWDDR:stm32mp25common = "1"
FWDDR_NAME ?= "ddr_pmu"
FWDDR_SUFFIX ?= "bin"
# Set default TF-A config
TF_A_CONFIG ?= ""
# Enable the wrapper for debug
TF_A_ENABLE_DEBUG_WRAPPER ??= "1"
# Set default configuration to allow signing
TF_A_SIGN_SUFFIX ??= "${@bb.utils.contains('SIGN_ENABLE', '1', '${SIGN_SUFFIX}', '', d)}"
TF_A_SIGN_OF ?= "0x00000001"
TF_A_SIGN_OF:stm32mp1common ?= "0x00000001"
TF_A_SIGN_OF:stm32mp25common ?= "0x00000001"
TF_A_SIGN_OF:stm32mp25revabcommon ?= "0x00000001"
TF_A_ENCRYPT_SUFFIX ??= "${@bb.utils.contains('ENCRYPT_ENABLE', '1', '${ENCRYPT_SUFFIX}', '', d)}"
TF_A_ENCRYPT_DC ?= "0x0E5F2025"
TF_A_ENCRYPT_DC:stm32mp1common ?= "0x0E5F2025"
TF_A_ENCRYPT_DC:stm32mp25common ?= "0x25205f0e"
TF_A_ENCRYPT_DC:stm32mp25revabcommon ?= "0x25205f0e"
TF_A_ENCRYPT_IMGVER ?= "0"
TF_A_ENCRYPT_OF ?= "0x80000003"
TF_A_ENCRYPT_OF:stm32mp1common ?= "0x80000003"
TF_A_ENCRYPT_OF:stm32mp2common ?= "0x10000003"
# Set metadata generation
TF_A_ENABLE_METADATA ??= "${@bb.utils.contains('MACHINE_FEATURES', 'fw-update', '1', '0', d)}"
TF_A_METADATA_NAME ?= "metadata"
TF_A_METADATA_SUFFIX ?= "bin"
TF_A_METADATA_BINARY ??= "${TF_A_METADATA_NAME}.${TF_A_METADATA_SUFFIX}"
TF_A_METADATA_TOOL ?= "tools/fwu_gen_metadata/fwumd_tool.py"
TF_A_METADATA_JSON ?= "plat/st/common/default_metadata.json"
# Configure specific build flags
EXTRA_OEMAKE += "${@bb.utils.contains('SIGN_ENABLE', '1', 'TRUSTED_BOARD_BOOT=1', '', d)}"
EXTRA_OEMAKE += "${@bb.utils.contains('SIGN_ENABLE', '1', 'MBEDTLS_DIR=${TFA_MBEDTLS_DIR}', '', d)}"
EXTRA_OEMAKE:append:stm32mp2common = " ${@bb.utils.contains('SIGN_ENABLE', '1', 'BRANCH_PROTECTION=0', '', d)} "
EXTRA_OEMAKE += "${@bb.utils.contains('ENCRYPT_ENABLE', '1', 'DECRYPTION_SUPPORT=aes_gcm ENCRYPT_BL32=1', '', d)}"
EXTRA_OEMAKE += "${@bb.utils.contains('ENCRYPT_ENABLE', '1', bb.utils.contains('FIP_BL31_ENABLE', '1', 'ENCRYPT_BL31=1', '', d), '', d)} "
# Addons parameters for SIGN_TOOL
SIGN_TOOL_EXTRA ?= ""
SIGN_TOOL_EXTRA:stm32mp25common = "--header-version 2"
SIGN_TOOL_EXTRA:stm32mp25revabcommon = "--header-version 2"
# Specific for revA board
EXTRA_OEMAKE:append:stm32mp25revabcommon = " CONFIG_STM32MP25X_REVA=1 "
# -----------------------------------------------
# Handle TF-A config and set internal vars
# TF_A_DEVICETREE
# TF_A_EXTRA_OPTFLAGS
python () {
import re
tfaconfigflags = d.getVarFlags('TF_A_CONFIG')
# The "doc" varflag is special, we don't want to see it here
tfaconfigflags.pop('doc', None)
tfaconfig = (d.getVar('TF_A_CONFIG') or "").split()
tfabasename = d.getVar('TF_A_BASENAME')
if not tfaconfig:
raise bb.parse.SkipRecipe("TF_A_CONFIG must be set in the %s machine configuration." % d.getVar("MACHINE"))
if (d.getVar('TF_A_DEVICETREE') or "").split():
raise bb.parse.SkipRecipe("You cannot use TF_A_DEVICETREE as it is internal to TF_A_CONFIG var expansion.")
if (d.getVar('TF_A_EXTRA_OPTFLAGS') or "").split():
raise bb.parse.SkipRecipe("You cannot use TF_A_EXTRA_OPTFLAGS as it is internal to TF_A_CONFIG var expansion.")
if (d.getVar('TF_A_BINARIES') or "").split():
raise bb.parse.SkipRecipe("You cannot use TF_A_BINARIES as it is internal to TF_A_CONFIG var expansion.")
if (d.getVar('TF_A_MAKE_TARGET') or "").split():
raise bb.parse.SkipRecipe("You cannot use TF_A_MAKE_TARGET as it is internal to TF_A_CONFIG var expansion.")
if (d.getVar('TF_A_FILES') or "").split():
raise bb.parse.SkipRecipe("You cannot use TF_A_FILES as it is internal to TF_A_CONFIG var expansion.")
if len(tfaconfig) > 0:
for config in tfaconfig:
for f, v in tfaconfigflags.items():
if config == f:
# Make sure to get var flag properly expanded
v = d.getVarFlag('TF_A_CONFIG', config)
if not v.strip():
bb.fatal('[TF_A_CONFIG] Missing configuration for %s config' % config)
items = v.split(',')
if items[0] and len(items) > 5:
raise bb.parse.SkipRecipe('Only <DEVICETREE>,<EXTRA_OPTFLAGS>,<BINARY_BASENAME>,<MAKE_TARGET>,<FILES TYPE> can be specified!')
# Set internal vars
bb.debug(1, "Appending '%s' to TF_A_DEVICETREE" % items[0])
d.appendVar('TF_A_DEVICETREE', items[0] + ',')
if len(items) > 1 and items[1]:
bb.debug(1, "Appending '%s' to TF_A_EXTRA_OPTFLAGS." % items[1])
d.appendVar('TF_A_EXTRA_OPTFLAGS', items[1] + ',')
else:
d.appendVar('TF_A_EXTRA_OPTFLAGS', '' + ',')
if len(items) > 2 and items[2]:
bb.debug(1, "Appending '%s' to TF_A_BINARIES." % items[2])
d.appendVar('TF_A_BINARIES', items[2] + ',')
else:
bb.debug(1, "Appending '%s' to TF_A_BINARIES." % tfabasename)
d.appendVar('TF_A_BINARIES', tfabasename + ',')
if len(items) > 3 and items[3]:
bb.debug(1, "Appending '%s' to TF_A_MAKE_TARGET." % items[3])
d.appendVar('TF_A_MAKE_TARGET', items[3] + ',')
else:
d.appendVar('TF_A_MAKE_TARGET', 'all' + ',')
if len(items) > 4 and items[4]:
bb.debug(1, "Appending '%s' to TF_A_FILES." % items[4])
d.appendVar('TF_A_FILES', items[4] + ',')
else:
d.appendVar('TF_A_FILES', 'bl2' + ',')
break
# Manage case of signature:
if d.getVar('SIGN_ENABLE') == "1":
# If signature are activated, for winning space, the debug parameter will be remove and level of trace decrease
if d.getVar('ST_TF_A_DEBUG_TRACE') == '1':
bb.warn("TF-A SIGNATURE: force ST_TF_A_DEBUG_TRACE to '0' to disable DEBUG and decrease log level")
d.setVar('ST_TF_A_DEBUG_TRACE', "0")
}
# -----------------------------------------------
# Enable use of work-shared folder
TFA_SHARED_SOURCES ??= "1"
STAGING_TFA_DIR = "${TMPDIR}/work-shared/${MACHINE}/tfa-source"
# Make sure to move ${S} to STAGING_TFA_DIR. We can't just
# create the symlink in advance as the git fetcher can't cope with
# the symlink.
do_unpack[cleandirs] += "${S}"
do_unpack[cleandirs] += "${@bb.utils.contains('TFA_SHARED_SOURCES', '1', '${STAGING_TFA_DIR}', '', d)}"
do_clean[cleandirs] += "${S}"
do_clean[cleandirs] += "${@bb.utils.contains('TFA_SHARED_SOURCES', '1', '${STAGING_TFA_DIR}', '', d)}"
base_do_unpack:append () {
# Specific part to update devtool-source class
if bb.data.inherits_class('devtool-source', d):
# We don't want to move the source to STAGING_TFA_DIR here
if d.getVar('STAGING_TFA_DIR', d):
d.setVar('STAGING_TFA_DIR', '${S}')
shared = d.getVar("TFA_SHARED_SOURCES")
if shared and oe.types.boolean(shared):
# Copy/Paste from kernel class with adaptation to TFA var
s = d.getVar("S")
if s[-1] == '/':
# drop trailing slash, so that os.symlink(tfasrc, s) doesn't use s as directory name and fail
s=s[:-1]
tfasrc = d.getVar("STAGING_TFA_DIR")
if s != tfasrc:
bb.utils.mkdirhier(tfasrc)
bb.utils.remove(tfasrc, recurse=True)
if d.getVar("EXTERNALSRC"):
# With EXTERNALSRC S will not be wiped so we can symlink to it
os.symlink(s, tfasrc)
else:
import shutil
shutil.move(s, tfasrc)
os.symlink(tfasrc, s)
}
do_compile() {
unset LDFLAGS
unset CFLAGS
unset CPPFLAGS
unset i
for config in ${TF_A_CONFIG}; do
i=$(expr $i + 1)
# Initialize devicetree list, extra make options and tf-a basename
dt_config=$(echo ${TF_A_DEVICETREE} | cut -d',' -f${i})
extra_opt=$(echo ${TF_A_EXTRA_OPTFLAGS} | cut -d',' -f${i})
tfa_basename=$(echo ${TF_A_BINARIES} | cut -d',' -f${i})
tf_a_make_target=$(echo ${TF_A_MAKE_TARGET} | cut -d',' -f${i})
for dt in ${dt_config}; do
# Init specific soc settings
soc_extra_opt=""
soc_suffix=""
if [ -n "${STM32MP_SOC_NAME}" ]; then
for soc in ${STM32MP_SOC_NAME}; do
if [ "$(echo ${dt} | grep -c ${soc})" -eq 1 ]; then
soc_extra_opt="$(echo ${soc} | awk '{print toupper($0)}')=1"
soc_suffix="-${soc}"
fi
done
fi
mkdir -p ${B}/${config}${soc_suffix}
if [ "${TF_A_ENABLE_METADATA}" = "1" ]; then
${S}/${TF_A_METADATA_TOOL} jsonparse "${S}/${TF_A_METADATA_JSON}" -b "${B}/${config}${soc_suffix}/${TF_A_METADATA_NAME}.${TF_A_METADATA_SUFFIX}"
fi
# Init specific ddr settings
ddr_extra_opt=""
if [ "${TF_A_FWDDR}" = "1" ]; then
# Detect ddr type if it's present
oe_runmake -C "${S}" BUILD_PLAT="${B}/${config}${soc_suffix}-${dt}" DTB_FILE_NAME="${dt}.dtb" ${extra_opt} ${soc_extra_opt} dtbs
if [ -f "${B}/${config}${soc_suffix}-${dt}/fdts/${dt}-bl2.dtb" ]; then
ddr_dtb_node=$(${STAGING_BINDIR_NATIVE}/fdtget -l ${B}/${config}${soc_suffix}-${dt}/fdts/${dt}-bl2.dtb /soc | grep ddr | head -n 1)
ddr_propertie=$(${STAGING_BINDIR_NATIVE}/fdtget ${B}/${config}${soc_suffix}-${dt}/fdts/${dt}-bl2.dtb /soc/${ddr_dtb_node} st,mem-name || echo "none")
ddr_target=""
# potentials value of ddr_propertie:
# DDR3 16bits
# DDR4 32bits
# DDR4 8Gbits
# LPDDR4 32bits
case ${ddr_propertie} in
DDR3*)
ddr_extra_opt=" STM32MP_DDR3_TYPE=1 "
ddr_target="ddr3"
;;
DDR4*)
ddr_extra_opt=" STM32MP_DDR4_TYPE=1 "
ddr_target="ddr4"
;;
LPDDR4*)
ddr_extra_opt=" STM32MP_LPDDR4_TYPE=1 "
ddr_target="lpddr4"
;;
*)
bbwarn "Missing st,mem-name information for ${dt}"
;;
esac
bbnote "${dt}: ${tf_a_make_target} -> ${ddr_extra_opt}"
# Copy TF-A ddr binary with explicit devicetree filename
if [ -n "${ddr_target}" ]; then
if [ -s "${S}/drivers/st/ddr/phy/firmware/bin/${ddr_target}_pmu_train.bin" ]; then
cp "${S}/drivers/st/ddr/phy/firmware/bin/${ddr_target}_pmu_train.bin" "${B}/${config}${soc_suffix}-${dt}/${FWDDR_NAME}-${dt}.${FWDDR_SUFFIX}"
else
bbwarn "Missing ddr firmware file ${ddr_target}_pmu_train.bin for ${dt}"
fi
fi
fi
fi
encrypt_extra_opt=""
if [ "${ENCRYPT_ENABLE}" = "1" ]; then
encrypt_key="${ENCRYPT_FIP_KEY_PATH_LIST}"
if [ -n "${STM32MP_ENCRYPT_SOC_NAME}" ]; then
unset k
for soc in ${STM32MP_ENCRYPT_SOC_NAME}; do
k=$(expr $k + 1)
[ "$(echo ${dt} | grep -c ${soc})" -eq 1 ] && encrypt_key=$(echo ${ENCRYPT_FIP_KEY_PATH_LIST} | cut -d',' -f${k})
done
fi
encrypt_extra_opt="ENC_KEY=$(hexdump -e '/1 "%02x"' ${encrypt_key})"
fi
oe_runmake -C "${S}" BUILD_PLAT="${B}/${config}${soc_suffix}-${dt}" DTB_FILE_NAME="${dt}.dtb" ${extra_opt} ${soc_extra_opt} ${ddr_extra_opt} ${encrypt_extra_opt} ${tf_a_make_target}
# Copy TF-A binary with explicit devicetree filename
if [ -f "${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}.${TF_A_SUFFIX}" ]; then
cp "${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}.${TF_A_SUFFIX}" "${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}-${config}.${TF_A_SUFFIX}"
if [ "${TF_A_ENABLE_DEBUG_WRAPPER}" = "1" ]; then
stm32wrapper4dbg -s "${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}.${TF_A_SUFFIX}" -d "${B}/${config}${soc_suffix}-${dt}/debug-${tfa_basename}-${dt}-${config}.${TF_A_SUFFIX}"
fi
if [ "${SIGN_ENABLE}" = "1" ]; then
# Init sign key for signing tools
sign_key="${SIGN_KEY_PATH_LIST}"
if [ -n "${STM32MP_SOC_NAME}" ]; then
unset k
for soc in ${STM32MP_SOC_NAME}; do
k=$(expr $k + 1)
[ "$(echo ${dt} | grep -c ${soc})" -eq 1 ] && sign_key=$(echo ${SIGN_KEY_PATH_LIST} | cut -d',' -f${k})
done
fi
# Init default '-of' option for signing case
tf_a_sign_of_opt=""
dd if="${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}-${config}.${TF_A_SUFFIX}" of=header.dump bs=1 count=4 skip=72 > /dev/null 2> /dev/null
temp_version=$(od -A o -t dI header.dump | head -n 1 | cut -d' ' -f2- | sed "s/ //g")
rm -f header.dump
[ "$(expr $temp_version / 65536)" = "2" ] && tf_a_sign_of_opt="-of ${TF_A_SIGN_OF}"
# Sign tf-a binary
echo "${SIGN_TOOL} \
-bin "${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}-${config}.${TF_A_SUFFIX}" \
-o "${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}-${config}${TF_A_SIGN_SUFFIX}.${TF_A_SUFFIX}" \
--password ${SIGN_KEY_PASS} \
--public-key $(ls -1 $(dirname ${sign_key})/publicKey*.pem | tr '\n' '\t') \
--private-key ${sign_key} \
--type fsbl \
--silent \
${SIGN_TOOL_EXTRA} \
${tf_a_sign_of_opt}"
${SIGN_TOOL} \
-bin "${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}-${config}.${TF_A_SUFFIX}" \
-o "${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}-${config}${TF_A_SIGN_SUFFIX}.${TF_A_SUFFIX}" \
--password ${SIGN_KEY_PASS} \
--public-key $(ls -1 $(dirname ${sign_key})/publicKey*.pem | tr '\n' '\t') \
--private-key ${sign_key} \
--type fsbl \
--silent \
${SIGN_TOOL_EXTRA} \
${tf_a_sign_of_opt}
if [ "${TF_A_ENABLE_DEBUG_WRAPPER}" = "1" ]; then
echo "${SIGN_TOOL} \
-bin "${B}/${config}${soc_suffix}-${dt}/debug-${tfa_basename}-${dt}-${config}.${TF_A_SUFFIX}" \
-o "${B}/${config}${soc_suffix}-${dt}/debug-${tfa_basename}-${dt}-${config}${TF_A_SIGN_SUFFIX}.${TF_A_SUFFIX}" \
--password ${SIGN_KEY_PASS} \
--public-key $(ls -1 $(dirname ${sign_key})/publicKey*.pem | tr '\n' '\t') \
--private-key "${sign_key}" \
--type fsbl \
--silent \
${SIGN_TOOL_EXTRA} \
${tf_a_sign_of_opt}"
${SIGN_TOOL} \
-bin "${B}/${config}${soc_suffix}-${dt}/debug-${tfa_basename}-${dt}-${config}.${TF_A_SUFFIX}" \
-o "${B}/${config}${soc_suffix}-${dt}/debug-${tfa_basename}-${dt}-${config}${TF_A_SIGN_SUFFIX}.${TF_A_SUFFIX}" \
--password ${SIGN_KEY_PASS} \
--public-key $(ls -1 $(dirname ${sign_key})/publicKey*.pem | tr '\n' '\t') \
--private-key "${sign_key}" \
--type fsbl \
--silent \
${SIGN_TOOL_EXTRA} \
${tf_a_sign_of_opt}
fi
fi
if [ "${ENCRYPT_ENABLE}" = "1" ]; then
# Init encrypt key for signing tools
encrypt_key="${ENCRYPT_FSBL_KEY_PATH_LIST}"
if [ -n "${STM32MP_ENCRYPT_SOC_NAME}" ]; then
unset k
for soc in ${STM32MP_ENCRYPT_SOC_NAME}; do
k=$(expr $k + 1)
[ "$(echo ${dt} | grep -c ${soc})" -eq 1 ] && encrypt_key=$(echo ${ENCRYPT_FSBL_KEY_PATH_LIST} | cut -d',' -f${k})
done
fi
# Init default '-of' option for signing case
tf_a_sign_of_opt=""
dd if="${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}-${config}.${TF_A_SUFFIX}" of=header.dump bs=1 count=4 skip=72 > /dev/null 2> /dev/null
temp_version=$(od -A o -t dI header.dump | head -n 1 | cut -d' ' -f2- | sed "s/ //g")
rm -f header.dump
[ "$(expr $temp_version / 65536)" = "2" ] && tf_a_sign_of_opt="-hv 2"
# Encrypt tf-a binary
echo '${SIGN_TOOL} \
-bin "${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}-${config}${TF_A_SIGN_SUFFIX}.${TF_A_SUFFIX}" \
-o "${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}-${config}${TF_A_ENCRYPT_SUFFIX}${TF_A_SIGN_SUFFIX}.${TF_A_SUFFIX}" \
--password ${SIGN_KEY_PASS} \
--public-key $(ls -1 $(dirname ${sign_key})/publicKey*.pem | tr '\n' '\t') \
--private-key ${sign_key} \
--type fsbl \
--silent \
--enc-key ${encrypt_key} \
--enc-dc "${TF_A_ENCRYPT_DC}" \
--image-version "${TF_A_ENCRYPT_IMGVER}" \
-of "${TF_A_ENCRYPT_OF}" \
${tf_a_sign_of_opt} '
${SIGN_TOOL} \
-bin "${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}-${config}${TF_A_SIGN_SUFFIX}.${TF_A_SUFFIX}" \
-o "${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}-${config}${TF_A_ENCRYPT_SUFFIX}${TF_A_SIGN_SUFFIX}.${TF_A_SUFFIX}" \
--password ${SIGN_KEY_PASS} \
--public-key $(ls -1 $(dirname ${sign_key})/publicKey*.pem | tr '\n' '\t') \
--private-key ${sign_key} \
--type fsbl \
--silent \
--enc-key ${encrypt_key} \
--enc-dc "${TF_A_ENCRYPT_DC}" \
--image-version "${TF_A_ENCRYPT_IMGVER}" \
-of "${TF_A_ENCRYPT_OF}" \
${tf_a_sign_of_opt}
if [ "${TF_A_ENABLE_DEBUG_WRAPPER}" = "1" ]; then
echo '${SIGN_TOOL} \
-bin "${B}/${config}${soc_suffix}-${dt}/debug-${tfa_basename}-${dt}-${config}${TF_A_SIGN_SUFFIX}.${TF_A_SUFFIX}" \
-o "${B}/${config}${soc_suffix}-${dt}/debug-${tfa_basename}-${dt}-${config}${TF_A_ENCRYPT_SUFFIX}${TF_A_SIGN_SUFFIX}.${TF_A_SUFFIX}" \
--password ${SIGN_KEY_PASS} \
--public-key $(ls -1 $(dirname ${sign_key})/publicKey*.pem | tr '\n' '\t') \
--private-key ${sign_key} \
--type fsbl \
--silent \
--enc-key ${encrypt_key} \
--enc-dc "${TF_A_ENCRYPT_DC}" \
--image-version "${TF_A_ENCRYPT_IMGVER}" \
-of "${TF_A_ENCRYPT_OF}" \
${tf_a_sign_of_opt}'
${SIGN_TOOL} \
-bin "${B}/${config}${soc_suffix}-${dt}/debug-${tfa_basename}-${dt}-${config}${TF_A_SIGN_SUFFIX}.${TF_A_SUFFIX}" \
-o "${B}/${config}${soc_suffix}-${dt}/debug-${tfa_basename}-${dt}-${config}${TF_A_ENCRYPT_SUFFIX}${TF_A_SIGN_SUFFIX}.${TF_A_SUFFIX}" \
--password ${SIGN_KEY_PASS} \
--public-key $(ls -1 $(dirname ${sign_key})/publicKey*.pem | tr '\n' '\t') \
--private-key ${sign_key} \
--type fsbl \
--silent \
--enc-key ${encrypt_key} \
--enc-dc "${TF_A_ENCRYPT_DC}" \
--image-version "${TF_A_ENCRYPT_IMGVER}" \
-of "${TF_A_ENCRYPT_OF}"\
${tf_a_sign_of_opt}
fi
fi
fi
done
done
if [ "${TF_A_ENABLE_METADATA}" = "1" ]; then
${S}/${TF_A_METADATA_TOOL} jsonparse "${S}/${TF_A_METADATA_JSON}" -b "${B}/${TF_A_METADATA_NAME}.${TF_A_METADATA_SUFFIX}"
fi
}
do_deploy() {
install -d ${DEPLOYDIR}
install -d ${DEPLOYDIR}/arm-trusted-firmware
unset i
for config in ${TF_A_CONFIG}; do
i=$(expr $i + 1)
# Initialize devicetree list and tf-a basename
dt_config=$(echo ${TF_A_DEVICETREE} | cut -d',' -f${i})
tfa_basename=$(echo ${TF_A_BINARIES} | cut -d',' -f${i})
tfa_file_type=$(echo ${TF_A_FILES} | cut -d',' -f${i})
for dt in ${dt_config}; do
# Init soc suffix
soc_suffix=""
if [ -n "${STM32MP_SOC_NAME}" ]; then
for soc in ${STM32MP_SOC_NAME}; do
[ "$(echo ${dt} | grep -c ${soc})" -eq 1 ] && soc_suffix="-${soc}"
done
fi
for file_type in ${tfa_file_type}; do
case "${file_type}" in
bl2)
# Install TF-A binary
if [ -f "${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}-${config}.${TF_A_SUFFIX}" ]; then
install -m 644 "${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}-${config}${TF_A_ENCRYPT_SUFFIX}${TF_A_SIGN_SUFFIX}.${TF_A_SUFFIX}" "${DEPLOYDIR}/arm-trusted-firmware/"
if [ "${TF_A_ENABLE_DEBUG_WRAPPER}" = "1" ]; then
install -d "${DEPLOYDIR}/arm-trusted-firmware/debug"
install -m 644 "${B}/${config}${soc_suffix}-${dt}/debug-${tfa_basename}-${dt}-${config}${TF_A_ENCRYPT_SUFFIX}${TF_A_SIGN_SUFFIX}.${TF_A_SUFFIX}" "${DEPLOYDIR}/arm-trusted-firmware/debug/"
fi
fi
if [ -n "${ELF_DEBUG_ENABLE}" ]; then
install -d "${DEPLOYDIR}/arm-trusted-firmware/debug"
if [ -f "${B}/${config}${soc_suffix}-${dt}/${BL2_ELF}" ]; then
install -m 644 "${B}/${config}${soc_suffix}-${dt}/${BL2_ELF}" "${DEPLOYDIR}/arm-trusted-firmware/debug/${tfa_basename}-${BL2_BASENAME_DEPLOY}${soc_suffix}-${config}.${TF_A_ELF_SUFFIX}"
fi
fi
if [ "${TF_A_FWDDR}" = "1" ]; then
install -d "${DEPLOYDIR}/arm-trusted-firmware/ddr"
# Install DDR firmware binary
if [ -f "${B}/${config}${soc_suffix}-${dt}/${FWDDR_NAME}-${dt}.${FWDDR_SUFFIX}" ]; then
if [ ! -s "${DEPLOYDIR}/arm-trusted-firmware/ddr/${FWDDR_NAME}-${dt}.${FWDDR_SUFFIX}" ]; then
install -m 644 "${B}/${config}${soc_suffix}-${dt}/${FWDDR_NAME}-${dt}.${FWDDR_SUFFIX}" "${DEPLOYDIR}/arm-trusted-firmware/ddr/"
fi
fi
fi
;;
bl31)
# Install BL31 files
install -d "${DEPLOYDIR}/arm-trusted-firmware/bl31"
# Install BL31 binary
if [ -f "${B}/${config}${soc_suffix}-${dt}/${BL31_BASENAME}.${BL31_SUFFIX}" ]; then
install -m 644 "${B}/${config}${soc_suffix}-${dt}/${BL31_BASENAME}.${BL31_SUFFIX}" "${DEPLOYDIR}/arm-trusted-firmware/bl31/${tfa_basename}-${BL31_BASENAME_DEPLOY}${soc_suffix}.${BL31_SUFFIX}"
fi
# Install BL31 devicetree
if [ -f "${B}/${config}${soc_suffix}-${dt}/fdts/${dt}-${BL31_BASENAME}.${DT_SUFFIX}" ]; then
install -m 644 "${B}/${config}${soc_suffix}-${dt}/fdts/${dt}-${BL31_BASENAME}.${DT_SUFFIX}" "${DEPLOYDIR}/arm-trusted-firmware/bl31/${dt}-${BL31_BASENAME}.${DT_SUFFIX}"
fi
if [ -n "${ELF_DEBUG_ENABLE}" ]; then
install -d "${DEPLOYDIR}/arm-trusted-firmware/bl31/debug"
if [ -f "${B}/${config}${soc_suffix}-${dt}/${BL31_ELF}" ]; then
install -m 644 "${B}/${config}${soc_suffix}-${dt}/${BL31_ELF}" "${DEPLOYDIR}/arm-trusted-firmware/bl31/debug/${tfa_basename}-${BL31_BASENAME_DEPLOY}${soc_suffix}-${config}.${TF_A_ELF_SUFFIX}"
fi
fi
;;
bl32)
# Install BL32 files
install -d "${DEPLOYDIR}/arm-trusted-firmware/bl32"
# Install BL32 binary
if [ -f "${B}/${config}${soc_suffix}-${dt}/${BL32_BASENAME}.${BL32_SUFFIX}" ]; then
install -m 644 "${B}/${config}${soc_suffix}-${dt}/${BL32_BASENAME}.${BL32_SUFFIX}" "${DEPLOYDIR}/arm-trusted-firmware/bl32/${tfa_basename}-${BL32_BASENAME_DEPLOY}${soc_suffix}.${BL32_SUFFIX}"
fi
# Install BL32 devicetree
if [ -f "${B}/${config}${soc_suffix}-${dt}/fdts/${dt}-${BL32_BASENAME}.${DT_SUFFIX}" ]; then
install -m 644 "${B}/${config}${soc_suffix}-${dt}/fdts/${dt}-${BL32_BASENAME}.${DT_SUFFIX}" "${DEPLOYDIR}/arm-trusted-firmware/bl32/${dt}-${BL32_BASENAME}.${DT_SUFFIX}"
fi
if [ -n "${ELF_DEBUG_ENABLE}" ]; then
install -d "${DEPLOYDIR}/arm-trusted-firmware/bl32/debug"
if [ -f "${B}/${config}${soc_suffix}-${dt}/${BL32_ELF}" ]; then
install -m 644 "${B}/${config}${soc_suffix}-${dt}/${BL32_ELF}" "${DEPLOYDIR}/arm-trusted-firmware/bl32/debug/${tfa_basename}-${BL32_BASENAME_DEPLOY}${soc_suffix}-${config}.${TF_A_ELF_SUFFIX}"
fi
fi
;;
fwconfig)
# Install fwconfig
install -d "${DEPLOYDIR}/arm-trusted-firmware/fwconfig"
if [ -f "${B}/${config}${soc_suffix}-${dt}/fdts/${dt}-${FWCONFIG_NAME}.${DT_SUFFIX}" ]; then
install -m 644 "${B}/${config}${soc_suffix}-${dt}/fdts/${dt}-${FWCONFIG_NAME}.${DT_SUFFIX}" "${DEPLOYDIR}/arm-trusted-firmware/fwconfig/${dt}-${FWCONFIG_NAME}-${config}.${DT_SUFFIX}"
fi
;;
esac
done # for file_type in ${tfa_file_type}
done # for dt in ${dt_config}
if [ -n "${ELF_DEBUG_ENABLE}" ]; then
install -d "${DEPLOYDIR}/arm-trusted-firmware/debug"
if [ -f "${B}/${config}${soc_suffix}-${dt}/${BL1_ELF}" ]; then
install -m 644 "${B}/${config}${soc_suffix}-${dt}/${BL1_ELF}" "${DEPLOYDIR}/arm-trusted-firmware/debug/${tfa_basename}-${BL1_BASENAME_DEPLOY}-${config}.${TF_A_ELF_SUFFIX}"
fi
fi
done # for config in ${TF_A_CONFIG}
if [ "${TF_A_ENABLE_METADATA}" = "1" ]; then
install -d "${DEPLOYDIR}/arm-trusted-firmware"
if [ -f "${B}/${TF_A_METADATA_NAME}.${TF_A_METADATA_SUFFIX}" ]; then
install -m 644 "${B}/${TF_A_METADATA_NAME}.${TF_A_METADATA_SUFFIX}" "${DEPLOYDIR}/arm-trusted-firmware/${TF_A_METADATA_BIN}"
fi
fi
}
addtask deploy before do_build after do_compile

0
meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_%.bbappend → meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_2.6.bbappend
View File

42
meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_2.8.bb Normal file
View File

@ -0,0 +1,42 @@
#
# Copyright (C) 2024 Digi International Inc.
#
require tf-a-stm32mp2-common.inc
require tf-a-stm32mp2.inc
SUMMARY = "Trusted Firmware-A for STM32MP1"
LICENSE = "BSD-3-Clause"
# Select internal or Github TF-A repo
TFA_URI_STASH = "${DIGI_MTK_GIT}/emp/arm-trusted-firmware.git;protocol=ssh"
TFA_URI_GITHUB = "${DIGI_GITHUB_GIT}/arm-trusted-firmware.git;protocol=https"
TFA_GIT_URI ?= "${@oe.utils.conditional('DIGI_INTERNAL_GIT', '1' , '${TFA_URI_STASH}', '${TFA_URI_GITHUB}', d)}"
SRCBRANCH = "v2.8/stm32mp/master"
SRCREV = "${AUTOREV}"
SRC_URI = " \
${TFA_GIT_URI};branch=${SRCBRANCH} \
"
TF_A_VERSION = "v2.8.12"
TF_A_RELEASE = "beta-r1"
# Configure settings
TFA_PLATFORM = "stm32mp1"
TFA_ARM_MAJOR = "7"
TFA_ARM_ARCH = "aarch32"
TFA_PLATFORM:aarch64 = "stm32mp2"
TFA_ARM_MAJOR:aarch64 = "8"
TFA_ARM_ARCH:aarch64 = "aarch64"
# Enable the wrapper for debug
TF_A_ENABLE_DEBUG_WRAPPER ?= "1"
# ---------------------------------
# Configure archiver use
# ---------------------------------
include ${@oe.utils.ifelse(d.getVar('ST_ARCHIVER_ENABLE') == '1', 'tf-a-stm32mp-archiver.inc','')}
COMPATIBLE_MACHINE = "(ccmp2)"

48
meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-tools.inc Normal file
View File

@ -0,0 +1,48 @@
FILESEXTRAPATHS:prepend := "${THISDIR}/tf-a-tools:"
SRC_URI:append = " \
file://0001-FIX-GCC-tools-overwrite.patch \
file://0001-tools-allow-to-use-a-root-key-password-from-command-.patch \
"
DEPENDS += "dtc-native openssl"
COMPATIBLE_HOST:class-target = "null"
HOSTCC:class-native = "${BUILD_CC}"
HOSTCC:class-nativesdk = "${CC}"
EXTRA_OEMAKE += "HOSTCC='${HOSTCC}' OPENSSL_DIR='${STAGING_EXECPREFIXDIR}'"
EXTRA_OEMAKE += "certtool enctool fiptool"
EXTRA_OEMAKE += "PLAT=${TFA_PLATFORM}"
do_configure[noexec] = "1"
do_compile:prepend:class-native () {
# This is still needed to have the native fiptool executing properly by
# setting the RPATH
sed -e '/^LDLIBS/ s,$, \$\{BUILD_LDFLAGS},' \
-e '/^INCLUDE_PATHS/ s,$, \$\{BUILD_CFLAGS},' \
-i ${S}/tools/fiptool/Makefile
# This is still needed to have the native cert_create executing properly by
# setting the RPATH
sed -e '/^LIB_DIR/ s,$, \$\{BUILD_LDFLAGS},' \
-e '/^INC_DIR/ s,$, \$\{BUILD_CFLAGS},' \
-i ${S}/tools/cert_create/Makefile
# This is still needed to have the native fiptool executing properly by
# setting the RPATH
sed -e '/^LIB_DIR/ s,$, \$\{BUILD_LDFLAGS},' \
-e '/^INC_DIR/ s,$, \$\{BUILD_CFLAGS},' \
-i ${S}/tools/encrypt_fw/Makefile
}
do_install() {
install -d ${D}${bindir}
install -m 0755 \
${B}/tools/fiptool/fiptool \
${B}/tools/cert_create/cert_create \
${B}/tools/encrypt_fw/encrypt_fw \
${D}${bindir}
}
BBCLASSEXTEND += "native nativesdk"

48
meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-tools/0001-FIX-GCC-tools-overwrite.patch Normal file
View File

@ -0,0 +1,48 @@
From 68a2098a3035b8374d0ce0b1feead650dadbce64 Mon Sep 17 00:00:00 2001
From: Christophe Priouzeau <christophe.priouzeau@foss.st.com>
Date: Thu, 24 Nov 2022 16:18:27 +0100
Subject: [PATCH] FIX GCC tools overwrite
Signed-off-by: Christophe Priouzeau <christophe.priouzeau@foss.st.com>
---
Makefile | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/Makefile b/Makefile
index 1ddb7b844..d6583dfe9 100644
--- a/Makefile
+++ b/Makefile
@@ -183,19 +183,19 @@ endif
# Toolchain
################################################################################
-HOSTCC := gcc
+HOSTCC ?= gcc
export HOSTCC
-CC := ${CROSS_COMPILE}gcc
-CPP := ${CROSS_COMPILE}cpp
-AS := ${CROSS_COMPILE}gcc
-AR := ${CROSS_COMPILE}ar
-LINKER := ${CROSS_COMPILE}ld
-OC := ${CROSS_COMPILE}objcopy
-OD := ${CROSS_COMPILE}objdump
-NM := ${CROSS_COMPILE}nm
-PP := ${CROSS_COMPILE}gcc -E
-DTC := dtc
+#CC := ${CROSS_COMPILE}gcc
+#CPP := ${CROSS_COMPILE}cpp
+#AS := ${CROSS_COMPILE}gcc
+#AR := ${CROSS_COMPILE}ar
+#LINKER := ${CROSS_COMPILE}ld
+#OC := ${CROSS_COMPILE}objcopy
+#OD := ${CROSS_COMPILE}objdump
+#NM := ${CROSS_COMPILE}nm
+#PP := ${CROSS_COMPILE}gcc -E
+#DTC := dtc
# Use ${LD}.bfd instead if it exists (as absolute path or together with $PATH).
ifneq ($(strip $(wildcard ${LD}.bfd) \
--
2.25.1

126
meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-tools/0001-tools-allow-to-use-a-root-key-password-from-command-.patch Normal file
View File

@ -0,0 +1,126 @@
From 204cde3bd45f634e3699a42ed8f865a8385743a5 Mon Sep 17 00:00:00 2001
From: Christophe Priouzeau <christophe.priouzeau@foss.st.com>
Date: Mon, 28 Nov 2022 12:16:38 +0100
Subject: [PATCH] tools: allow to use a root key password from command line
By defining the ROT_KEY_PWD, user is able to define the private
root key password. Useful for build system management.
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
---
make_helpers/tbbr/tbbr_tools.mk | 2 ++
tools/cert_create/include/key.h | 2 +-
tools/cert_create/src/key.c | 4 ++--
tools/cert_create/src/main.c | 13 +++++++++++--
4 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/make_helpers/tbbr/tbbr_tools.mk b/make_helpers/tbbr/tbbr_tools.mk
index 5ef2d852e..147159b1a 100644
--- a/make_helpers/tbbr/tbbr_tools.mk
+++ b/make_helpers/tbbr/tbbr_tools.mk
@@ -25,6 +25,7 @@
# KEY_SIZE
# ROT_KEY
# PROT_KEY
+# ROT_KEY_PWD
# PLAT_KEY
# SWD_ROT_KEY
# CORE_SWD_KEY
@@ -74,6 +75,7 @@ $(if ${HASH_ALG},$(eval $(call CERT_ADD_CMD_OPT,${HASH_ALG},--hash-alg,FWU_)))
$(if ${ROT_KEY},$(eval $(call CERT_ADD_CMD_OPT,${ROT_KEY},--rot-key)))
$(if ${ROT_KEY},$(eval $(call CERT_ADD_CMD_OPT,${ROT_KEY},--rot-key,FWU_)))
$(if ${PROT_KEY},$(eval $(call CERT_ADD_CMD_OPT,${PROT_KEY},--prot-key)))
+$(if ${ROT_KEY_PWD},$(eval $(call CERT_ADD_CMD_OPT,${ROT_KEY_PWD},--rot-key-pwd)))
$(if ${PLAT_KEY},$(eval $(call CERT_ADD_CMD_OPT,${PLAT_KEY},--plat-key)))
$(if ${SWD_ROT_KEY},$(eval $(call CERT_ADD_CMD_OPT,${SWD_ROT_KEY},--swd-rot-key)))
$(if ${CORE_SWD_KEY},$(eval $(call CERT_ADD_CMD_OPT,${CORE_SWD_KEY},--core-swd-key)))
diff --git a/tools/cert_create/include/key.h b/tools/cert_create/include/key.h
index 312575b44..ed3654b08 100644
--- a/tools/cert_create/include/key.h
+++ b/tools/cert_create/include/key.h
@@ -74,7 +74,7 @@ key_t *key_get_by_opt(const char *opt);
int key_new(key_t *key);
#endif
int key_create(key_t *key, int type, int key_bits);
-int key_load(key_t *key, unsigned int *err_code);
+int key_load(key_t *key, char *rot_key_pwd, unsigned int *err_code);
int key_store(key_t *key);
void key_cleanup(void);
diff --git a/tools/cert_create/src/key.c b/tools/cert_create/src/key.c
index 487777b67..c8f5357be 100644
--- a/tools/cert_create/src/key.c
+++ b/tools/cert_create/src/key.c
@@ -189,7 +189,7 @@ int key_create(key_t *key, int type, int key_bits)
return 0;
}
-int key_load(key_t *key, unsigned int *err_code)
+int key_load(key_t *key, char *rot_key_pwd, unsigned int *err_code)
{
FILE *fp;
EVP_PKEY *k;
@@ -198,7 +198,7 @@ int key_load(key_t *key, unsigned int *err_code)
/* Load key from file */
fp = fopen(key->fn, "r");
if (fp) {
- k = PEM_read_PrivateKey(fp, &key->key, NULL, NULL);
+ k = PEM_read_PrivateKey(fp, &key->key, NULL, rot_key_pwd);
fclose(fp);
if (k) {
*err_code = KEY_ERR_NONE;
diff --git a/tools/cert_create/src/main.c b/tools/cert_create/src/main.c
index 2ab6bcfd9..90bb82ba8 100644
--- a/tools/cert_create/src/main.c
+++ b/tools/cert_create/src/main.c
@@ -292,6 +292,10 @@ static const cmd_opt_t common_cmd_opt[] = {
{ "print-cert", no_argument, NULL, 'p' },
"Print the certificates in the standard output"
}
+ ,{
+ { "rot-key-pwd", required_argument, NULL, 'r' },
+ "Password for the root key"
+ },
};
int main(int argc, char *argv[])
@@ -310,6 +314,7 @@ int main(int argc, char *argv[])
unsigned char md[SHA512_DIGEST_LENGTH];
unsigned int md_len;
const EVP_MD *md_info;
+ char *rot_key_pw = NULL;
NOTICE("CoT Generation Tool: %s\n", build_msg);
NOTICE("Target platform: %s\n", platform_msg);
@@ -347,7 +352,7 @@ int main(int argc, char *argv[])
while (1) {
/* getopt_long stores the option index here. */
- c = getopt_long(argc, argv, "a:b:hknps:", cmd_opt, &opt_idx);
+ c = getopt_long(argc, argv, "a:b:hknpr:s:", cmd_opt, &opt_idx);
/* Detect the end of the options. */
if (c == -1) {
@@ -381,6 +386,10 @@ int main(int argc, char *argv[])
case 'p':
print_cert = 1;
break;
+ case 'r':
+ rot_key_pw = malloc(sizeof(char) * strlen(optarg));
+ strncpy(rot_key_pw, optarg, strlen(optarg));
+ break;
case 's':
hash_alg = get_hash_alg(optarg);
if (hash_alg < 0) {
@@ -441,7 +450,7 @@ int main(int argc, char *argv[])
#endif
/* First try to load the key from disk */
- if (key_load(&keys[i], &err_code)) {
+ if (key_load(&keys[i], rot_key_pw, &err_code)) {
/* Key loaded successfully */
continue;
}
--
2.25.1

22
meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-tools_2.8.bb Normal file
View File

@ -0,0 +1,22 @@
require tf-a-stm32mp2-common.inc
require tf-a-tools.inc
SUMMARY = "Cert_create & Fiptool for fip generation for Trusted Firmware-A"
LICENSE = "BSD-3-Clause"
# Select internal or Github TF-A repo
TFA_URI_STASH = "${DIGI_MTK_GIT}/emp/arm-trusted-firmware.git;protocol=ssh"
TFA_URI_GITHUB = "${DIGI_GITHUB_GIT}/arm-trusted-firmware.git;protocol=https"
TFA_GIT_URI ?= "${@oe.utils.conditional('DIGI_INTERNAL_GIT', '1' , '${TFA_URI_STASH}', '${TFA_URI_GITHUB}', d)}"
SRCBRANCH = "v2.8/stm32mp/master"
SRCREV = "${AUTOREV}"
SRC_URI = " \
${TFA_GIT_URI};branch=${SRCBRANCH} \
"
# Configure settings
TFA_PLATFORM = "stm32mp1"
TFA_PLATFORM:class-native = "stm32mp2"
TFA_PLATFORM:class-nativesdk = "stm32mp2"