imx-boot: add trustfence support for ccimx8m
https://onedigi.atlassian.net/browse/DEL-8362 Signed-off-by: Javier Viguera <javier.viguera@digi.com>
parent
3f9c93ecdf
commit
24f0f6ff79
|
|
@ -0,0 +1,45 @@
|
|||
From: Javier Viguera <javier.viguera@digi.com>
|
||||
Date: Thu, 9 Feb 2023 11:15:54 +0100
|
||||
Subject: [PATCH] imx8m: soc.mak: capture commands output into a log file
|
||||
|
||||
This is later used to get the needed information for the signing of the
|
||||
boot artifacts.
|
||||
|
||||
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
|
||||
---
|
||||
iMX8M/soc.mak | 7 ++++---
|
||||
1 file changed, 4 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/iMX8M/soc.mak b/iMX8M/soc.mak
|
||||
index 4a0cd4e59360..6b3a01f2b790 100644
|
||||
--- a/iMX8M/soc.mak
|
||||
+++ b/iMX8M/soc.mak
|
||||
@@ -1,5 +1,6 @@
|
||||
MKIMG = mkimage_imx8
|
||||
OUTIMG = flash.bin
|
||||
+MKIMAGE_LOG = "mkimage-$(firstword $(MAKECMDGOALS)).log"
|
||||
|
||||
CC ?= gcc
|
||||
CFLAGS ?= -O2 -Wall -std=c99 -static
|
||||
@@ -274,7 +275,7 @@ endif
|
||||
|
||||
|
||||
flash_evk_no_hdmi: $(MKIMG) u-boot-spl-ddr.bin u-boot.itb
|
||||
- ./mkimage_imx8 -version $(VERSION) -fit -loader u-boot-spl-ddr.bin $(SPL_LOAD_ADDR) -second_loader u-boot.itb 0x40200000 0x60000 -out $(OUTIMG)
|
||||
+ ./mkimage_imx8 -version $(VERSION) -fit -loader u-boot-spl-ddr.bin $(SPL_LOAD_ADDR) -second_loader u-boot.itb 0x40200000 0x60000 -out $(OUTIMG) 2>&1 | tee $(MKIMAGE_LOG)
|
||||
|
||||
flash_evk_no_hdmi_dual_bootloader: $(MKIMG) u-boot-spl-ddr.bin u-boot.itb
|
||||
./mkimage_imx8 -version $(VERSION) -fit -loader u-boot-spl-ddr.bin $(SPL_LOAD_ADDR) -out $(OUTIMG)
|
||||
@@ -318,10 +319,10 @@ flash_dp_spl_uboot: flash_dp_evk
|
||||
flash_spl_uboot: flash_evk_no_hdmi
|
||||
|
||||
print_fit_hab: u-boot-nodtb.bin bl31.bin $(dtb)
|
||||
- ./$(PAD_IMAGE) $(TEE)
|
||||
+ ./$(PAD_IMAGE) $(TEE) 2>&1 | tee $(MKIMAGE_LOG)
|
||||
./$(PAD_IMAGE) bl31.bin
|
||||
./$(PAD_IMAGE) u-boot-nodtb.bin $(dtb)
|
||||
- TEE_LOAD_ADDR=$(TEE_LOAD_ADDR) ATF_LOAD_ADDR=$(ATF_LOAD_ADDR) VERSION=$(VERSION) ../$(SOC_DIR)/print_fit_hab.sh $(PRINT_FIT_HAB_OFFSET) $(dtb)
|
||||
+ { echo $@; TEE_LOAD_ADDR=$(TEE_LOAD_ADDR) ATF_LOAD_ADDR=$(ATF_LOAD_ADDR) VERSION=$(VERSION) ../$(SOC_DIR)/print_fit_hab.sh $(PRINT_FIT_HAB_OFFSET) $(dtb) 2>&1; } | tee -a $(MKIMAGE_LOG)
|
||||
|
||||
print_fit_hab_ddr4: u-boot-nodtb.bin bl31.bin $(dtb_ddr4_evk)
|
||||
./$(PAD_IMAGE) $(TEE)
|
||||
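Review bot: The `2>&1 | tee $(MKIMAGE_LOG)` pipelines added to the `flash_evk_no_hdmi` and `print_fit_hab` recipes make each recipe line return the exit status of `tee`, so under make's default `/bin/sh` a failing `mkimage_imx8`, pad-image or `print_fit_hab.sh` run no longer stops the build and leaves a partial log behind. Since the commit message says this log is later used to sign the boot artifacts, the failure should stay fatal, for example by redirecting first and replaying the log: `./mkimage_imx8 ... -out $(OUTIMG) > $(MKIMAGE_LOG) 2>&1; rc=$$?; cat $(MKIMAGE_LOG); exit $$rc`. `MKIMAGE_LOG` is also named from `$(firstword $(MAKECMDGOALS))` rather than `$@`, so a recipe reached as a prerequisite (e.g. `flash_spl_uboot: flash_evk_no_hdmi`) or with no goal on the command line writes to a file not named after its own target. If that is intended, a comment on the variable such as `# log is named after the first command-line goal, not the target being built` would say so.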
|
|
@ -4,14 +4,24 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
|
|||
|
||||
SRC_URI:append = " \
|
||||
file://0001-imx8m-soc.mak-preserve-dtbs-after-build.patch \
|
||||
file://0002-imx8m-soc.mak-capture-commands-output-into-a-log-fil.patch \
|
||||
"
|
||||
|
||||
DEPENDS += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'trustfence-sign-tools-native', '', d)}"
|
||||
|
||||
SOC_FAMILY:mx9-nxp-bsp = "mx93"
|
||||
|
||||
# Do not tag imx-boot
|
||||
UUU_BOOTLOADER = ""
|
||||
UUU_BOOTLOADER_TAGGED = ""
|
||||
|
||||
compile_mx8m:append:ccimx8m() {
|
||||
# Create dummy DEK blob to support building with encrypted u-boot
|
||||
if [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then
|
||||
dd if=/dev/zero of=${BOOT_STAGING}/dek_blob_fit_dummy.bin bs=96 count=1 oflag=sync
|
||||
fi
|
||||
}
|
||||
|
||||
compile_mx93() {
|
||||
bbnote "i.MX 93 boot binary build"
|
||||
for ddr_firmware in ${DDR_FIRMWARE_NAME}; do
|
||||
|
|
@ -27,6 +37,11 @@ compile_mx93() {
|
|||
fi
|
||||
}
|
||||
|
||||
do_compile:append:ccimx8m() {
|
||||
bbnote "building ${IMX_BOOT_SOC_TARGET} - print_fit_hab"
|
||||
make SOC=${IMX_BOOT_SOC_TARGET} dtbs=${UBOOT_DTB_NAME} print_fit_hab
|
||||
}
|
||||
|
||||
deploy_mx93() {
|
||||
install -d ${DEPLOYDIR}/${BOOT_TOOLS}
|
||||
for ddr_firmware in ${DDR_FIRMWARE_NAME}; do
|
||||
|
|
@ -41,12 +56,42 @@ deploy_mx93() {
|
|||
}
|
||||
|
||||
do_deploy:append() {
|
||||
# The boot-artifacts.bbclass expects "imx-boot-<UBOOT_CONFIG>.bin" symlinks, so add them.
|
||||
if [ -n "${UBOOT_CONFIG}" ]; then
|
||||
for type in ${UBOOT_CONFIG}; do
|
||||
ln -sf ${BOOT_NAME}-${MACHINE}-${type}.bin-${IMAGE_IMXBOOT_TARGET} ${DEPLOYDIR}/${BOOT_NAME}-${type}.bin
|
||||
done
|
||||
fi
|
||||
# imx-boot recipe in meta-freescale assumes only *one* build configuration
|
||||
# (otherwise variable BOOT_CONFIG_MACHINE would expand to something incorrect)
|
||||
for target in ${IMXBOOT_TARGETS}; do
|
||||
mv ${DEPLOYDIR}/${BOOT_CONFIG_MACHINE}-${target} ${DEPLOYDIR}/${BOOT_NAME}-${MACHINE}.bin-${target}
|
||||
done
|
||||
ln -sf ${BOOT_NAME}-${MACHINE}.bin-${IMAGE_IMXBOOT_TARGET} ${DEPLOYDIR}/${BOOT_NAME}-${MACHINE}.bin
|
||||
ln -sf ${BOOT_NAME}-${MACHINE}.bin-${IMAGE_IMXBOOT_TARGET} ${DEPLOYDIR}/${BOOT_NAME}
|
||||
}
|
||||
|
||||
do_deploy:append:ccimx8m() {
|
||||
for target in ${IMXBOOT_TARGETS}; do
|
||||
install -m 0644 ${BOOT_STAGING}/mkimage-${target}.log ${DEPLOYDIR}/${BOOT_TOOLS}
|
||||
done
|
||||
install -m 0644 ${BOOT_STAGING}/mkimage-print_fit_hab.log ${DEPLOYDIR}/${BOOT_TOOLS}
|
||||
}
|
||||
|
||||
do_deploy[postfuncs] += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'trustfence_sign_imxboot', '', d)}"
|
||||
trustfence_sign_imxboot() {
|
||||
TF_SIGN_ENV="CONFIG_SIGN_KEYS_PATH=${TRUSTFENCE_SIGN_KEYS_PATH}"
|
||||
TF_SIGN_ENV="$TF_SIGN_ENV CONFIG_FIT_HAB_LOG_PATH=${DEPLOYDIR}/${BOOT_TOOLS}/mkimage-print_fit_hab.log"
|
||||
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && TF_SIGN_ENV="$TF_SIGN_ENV CONFIG_KEY_INDEX=${TRUSTFENCE_KEY_INDEX}"
|
||||
[ -n "${TRUSTFENCE_SIGN_MODE}" ] && TF_SIGN_ENV="$TF_SIGN_ENV CONFIG_SIGN_MODE=${TRUSTFENCE_SIGN_MODE}"
|
||||
[ -n "${TRUSTFENCE_SRK_REVOKE_MASK}" ] && TF_SIGN_ENV="$TF_SIGN_ENV SRK_REVOKE_MASK=${TRUSTFENCE_SRK_REVOKE_MASK}"
|
||||
[ -n "${TRUSTFENCE_UNLOCK_KEY_REVOCATION}" ] && TF_SIGN_ENV="$TF_SIGN_ENV CONFIG_UNLOCK_SRK_REVOKE=${TRUSTFENCE_UNLOCK_KEY_REVOCATION}"
|
||||
|
||||
# Sign/encrypt boot image
|
||||
for target in ${IMXBOOT_TARGETS}; do
|
||||
TF_SIGN_ENV="$TF_SIGN_ENV CONFIG_MKIMAGE_LOG_PATH=${DEPLOYDIR}/${BOOT_TOOLS}/mkimage-${target}.log"
|
||||
env $TF_SIGN_ENV trustfence-sign-uboot.sh ${BOOT_NAME}-${MACHINE}.bin-${target} ${BOOT_NAME}-signed-${MACHINE}.bin-${target}
|
||||
if [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then
|
||||
TF_ENC_ENV="CONFIG_DEK_PATH=${TRUSTFENCE_DEK_PATH} ENABLE_ENCRYPTION=y"
|
||||
env $TF_SIGN_ENV $TF_ENC_ENV trustfence-sign-uboot.sh ${BOOT_NAME}-${MACHINE}.bin-${target} ${BOOT_NAME}-encrypted-${MACHINE}.bin-${target}
|
||||
fi
|
||||
done
|
||||
}
|
||||
trustfence_sign_imxboot[dirs] = "${DEPLOYDIR}"
|
||||
trustfence_sign_imxboot[vardeps] += "TRUSTFENCE_SIGN_KEYS_PATH TRUSTFENCE_KEY_INDEX TRUSTFENCE_DEK_PATH TRUSTFENCE_SIGN_MODE TRUSTFENCE_SRK_REVOKE_MASK TRUSTFENCE_UNLOCK_KEY_REVOCATION"
|
||||
|
||||
COMPATIBLE_MACHINE = "(mx8-generic-bsp|mx9-generic-bsp)"
|
||||
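Review bot: In `trustfence_sign_imxboot`, the loop appends `CONFIG_MKIMAGE_LOG_PATH=...` to `TF_SIGN_ENV` itself, so with more than one entry in `IMXBOOT_TARGETS` every later `env` call carries all earlier log paths and is only correct because the last assignment wins. A per-iteration value avoids this: `TF_TARGET_ENV="$TF_SIGN_ENV CONFIG_MKIMAGE_LOG_PATH=${DEPLOYDIR}/${BOOT_TOOLS}/mkimage-${target}.log"`, then `env $TF_TARGET_ENV trustfence-sign-uboot.sh ...`. The function also starts signing without checking that `TRUSTFENCE_SIGN_KEYS_PATH` is set, and what `trustfence-sign-uboot.sh` does with an empty `CONFIG_SIGN_KEYS_PATH` is not visible here. Adding `[ -n "${TRUSTFENCE_SIGN_KEYS_PATH}" ] || bbfatal "TRUSTFENCE_SIGN_KEYS_PATH is not set"` at the top would make a misconfigured build fail instead of depending on the script's fallback. Separately, `do_deploy:append:ccimx8m` installs `mkimage-${target}.log` for every target, while the soc.mak patch shown on this page only adds logging to `flash_evk_no_hdmi` and `print_fit_hab`, so any other target in `IMXBOOT_TARGETS` would presumably fail at `install`.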
|
|
|
|||