From b5e94fc1ae9f0428ca5edc00970cd835b15a2286 Mon Sep 17 00:00:00 2001
From: Arturo Buzarra
Date: Thu, 13 Mar 2025 17:28:18 +0100
Subject: [PATCH] stm-st-stm32mp: tf-a-stm32mp: Add custom do_compile() to fix TF-A artifact signing

This commit introduces a custom do_compile() function to resolve a signing issue affecting the final TF-A artifact, where the SoC name does not match the TF-A device tree name.

https://onedigi.atlassian.net/browse/DEL-9442

Signed-off-by: Arturo Buzarra
---
 .../tf-a-stm32mp_2.10.bbappend | 225 ++++++++++++++++++
 1 file changed, 225 insertions(+)

diff --git a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_2.10.bbappend b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_2.10.bbappend
index f0d968c09..d84e689f6 100644
--- a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_2.10.bbappend
+++ b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_2.10.bbappend
@@ -71,6 +71,231 @@ python set_tfa_sign_key() {
 d.setVar('SIGN_KEY_PASS', p)
 }
 
+TF_A_SOC_MATCH ?= " ${DIGI_SOM} "
+
+do_compile() {
+ unset LDFLAGS
+ unset CFLAGS
+ unset CPPFLAGS
+
+ unset i
+ for config in ${TF_A_CONFIG}; do
+ i=$(expr $i + 1)
+ # Initialize devicetree list, extra make options and tf-a basename
+ dt_config=$(echo ${TF_A_DEVICETREE} | cut -d',' -f${i})
+ extra_opt=$(echo ${TF_A_EXTRA_OPTFLAGS} | cut -d',' -f${i})
+ tfa_basename=$(echo ${TF_A_BINARIES} | cut -d',' -f${i})
+ tf_a_make_target=$(echo ${TF_A_MAKE_TARGET} | cut -d',' -f${i})
+ for dt in ${dt_config}; do
+ # Init specific soc settings
+ soc_extra_opt=""
+ soc_suffix=""
+ soc_name=""
+ if [ -n "${STM32MP_SOC_NAME}" ]; then
+ for soc in ${STM32MP_SOC_NAME}; do
+ if [ "$(echo ${dt} | grep -c ${soc})" -eq 1 ]; then
+ soc_extra_opt="$(echo ${soc} | awk '{print toupper($0)}')=1"
+ soc_suffix="-${soc}"
+
+ SIGN_TOOL_EXTRA_soc="${SIGN_TOOL_EXTRA}"
+ case ${soc} in
+ stm32mp13)
+ SIGN_TOOL_EXTRA_soc="${SIGN_TOOL_EXTRA_stm32mp13}"
+ ;;
+ stm32mp15)
+ SIGN_TOOL_EXTRA_soc="${SIGN_TOOL_EXTRA_stm32mp15}"
+ if echo ${config} | grep -q 'optee-'; then
+ soc_extra_opt="${soc_extra_opt} STM32MP1_OPTEE_IN_SYSRAM=1"
+ fi
+ ;;
+ stm32mp21)
+ SIGN_TOOL_EXTRA_soc="${SIGN_TOOL_EXTRA_stm32mp21}"
+ ;;
+ stm32mp23)
+ SIGN_TOOL_EXTRA_soc="${SIGN_TOOL_EXTRA_stm32mp23}"
+ ;;
+ stm32mp25)
+ SIGN_TOOL_EXTRA_soc="${SIGN_TOOL_EXTRA_stm32mp25}"
+ ;;
+ esac
+ fi
+ done
+ fi
+ mkdir -p ${B}/${config}${soc_suffix}-${dt}
+ if [ "${TF_A_ENABLE_METADATA}" = "1" ]; then
+ rm -rf "${B}/${config}${soc_suffix}-${dt}/${TF_A_METADATA_NAME}.${TF_A_METADATA_SUFFIX}"
+ ${TF_A_METADATA_TOOL} ${TF_A_METADATA_TOOL_ARGS} "${B}/${TF_A_METADATA_NAME}.${TF_A_METADATA_SUFFIX}"
+ fi
+
+ # generate dt to check the content
+ oe_runmake -C "${S}" BUILD_PLAT="${B}/${config}${soc_suffix}-${dt}" DTB_FILE_NAME="${dt}.dtb" ${extra_opt} ${soc_extra_opt} dtbs
+
+ # check which pmic1l is present on dtb
+ pcmi1_present=$(${STAGING_BINDIR_NATIVE}/fdtdump ${B}/${config}${soc_suffix}-${dt}/fdts/${dt}-bl2.dtb 2>/dev/null | grep -c "st,stpmic1l" || ${HOSTTOOLS_DIR}/true)
+ if [ -f "${B}/${config}${soc_suffix}-${dt}/fdts/${dt}-bl2.dtb" ]; then
+ if [ $pcmi1_present -gt 0 ]; then
+ # st pmic1l is present, need to force to compilation with specific pcmi1l optionn
+ soc_extra_opt="${soc_extra_opt} STM32MP_STPMIC1L=1"
+ fi
+ fi
+
+ # Init specific ddr settings
+ ddr_extra_opt=""
+ if [ "${TF_A_FWDDR}" = "1" ]; then
+ # Detect ddr type if it's present
+ if [ -f "${B}/${config}${soc_suffix}-${dt}/fdts/${dt}-bl2.dtb" ]; then
+ ddr_dtb_node=$(${STAGING_BINDIR_NATIVE}/fdtget -l ${B}/${config}${soc_suffix}-${dt}/fdts/${dt}-bl2.dtb /soc | grep ddr | head -n 1)
+ ddr_propertie=$(${STAGING_BINDIR_NATIVE}/fdtget ${B}/${config}${soc_suffix}-${dt}/fdts/${dt}-bl2.dtb /soc/${ddr_dtb_node} st,mem-name || echo "none")
+ ddr_target=""
+ # potentials value of ddr_propertie:
+ # DDR3 16bits
+ # DDR4 32bits
+ # DDR4 8Gbits
+ # LPDDR4 32bits
+ case ${ddr_propertie} in
+ DDR3*)
+ ddr_extra_opt=" STM32MP_DDR3_TYPE=1 "
+ ddr_target="ddr3"
+ ;;
+ DDR4*)
+ ddr_extra_opt=" STM32MP_DDR4_TYPE=1 "
+ ddr_target="ddr4"
+ ;;
+ LPDDR4*)
+ ddr_extra_opt=" STM32MP_LPDDR4_TYPE=1 "
+ ddr_target="lpddr4"
+ ;;
+ *)
+ bbfatal "Missing st,mem-name information for ${dt}"
+ ;;
+ esac
+ bbnote "${dt}: ${tf_a_make_target} -> ${ddr_extra_opt}"
+ # Copy TF-A ddr binary with explicit devicetree filename
+ if [ -s "${FWDDR_DIR}/${ddr_target}_pmu_train.bin" ]; then
+ install -m 644 "${FWDDR_DIR}/${ddr_target}_pmu_train.bin" "${B}/${config}${soc_suffix}-${dt}/${FWDDR_NAME}-${dt}-${config}.${FWDDR_SUFFIX}"
+ else
+ bbfatal "Missing ddr firmware file ${ddr_target}_pmu_train.bin for ${dt}"
+ fi
+ fi
+ fi
+
+ encrypt_extra_opt=""
+ if [ "${ENCRYPT_ENABLE}" = "1" ]; then
+ encrypt_key="${ENCRYPT_FIP_KEY_PATH_LIST}"
+ if [ -n "${STM32MP_ENCRYPT_SOC_NAME}" ]; then
+ unset k
+ for soc in ${STM32MP_ENCRYPT_SOC_NAME}; do
+ k=$(expr $k + 1)
+ [ "$(echo ${dt} | grep -c ${soc})" -eq 1 ] && encrypt_key=$(echo ${ENCRYPT_FIP_KEY_PATH_LIST} | cut -d',' -f${k})
+ done
+ fi
+ if [ "$(file "${encrypt_key}" | sed 's#.*: \(.*\)$#\1#')" = "ASCII text" ]; then
+ # The encryption key is already available in hexadecimal format, so just extract it from file
+ encrypt_key="$(cat ${encrypt_key})"
+ else
+ encrypt_key="$(hexdump -e '/1 "%02x"' ${encrypt_key})"
+ fi
+ encrypt_extra_opt="ENC_KEY=${encrypt_key}"
+ fi
+
+ oe_runmake -C "${S}" BUILD_PLAT="${B}/${config}${soc_suffix}-${dt}" DTB_FILE_NAME="${dt}.dtb" ${extra_opt} ${soc_extra_opt} ${ddr_extra_opt} ${encrypt_extra_opt} ${tf_a_make_target}
+ if [ -f "${B}/${config}${soc_suffix}-${dt}/bl2.bin" ]; then
+ cp "${B}/${config}${soc_suffix}-${dt}/bl2.bin" "${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}-${config}.bin"
+ fi
+ # Copy TF-A binary with explicit devicetree filename
+ if [ -f "${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}.${TF_A_SUFFIX}" ]; then
+ cp "${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}.${TF_A_SUFFIX}" "${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}-${config}.${TF_A_SUFFIX}"
+ if [ "${TF_A_ENABLE_DEBUG_WRAPPER}" = "1" ]; then
+ stm32wrapper4dbg -s "${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}.${TF_A_SUFFIX}" -d "${B}/${config}${soc_suffix}-${dt}/debug-${tfa_basename}-${dt}-${config}.${TF_A_SUFFIX}"
+ fi
+
+ if [ "${SIGN_ENABLE}" = "1" ]; then
+ # Init sign key for signing tools
+ sign_key="${SIGN_KEY_PATH_LIST}"
+ if [ -n "${STM32MP_SOC_NAME}" ]; then
+ unset k
+ for soc in ${STM32MP_SOC_NAME}; do
+ k=$(expr $k + 1)
+ if [ "$(echo ${dt} | grep -c ${soc})" -eq 1 ] || [ "$(echo ${dt} | grep -c ${TF_A_SOC_MATCH})" -eq 1 ] ;then
+ sign_key=$(echo ${SIGN_KEY_PATH_LIST} | cut -d',' -f${k})
+ fi
+ done
+ fi
+ # Init default encryption options for signing tool
+ tf_a_encrypt_opts=""
+ if [ "${ENCRYPT_ENABLE}" = "1" ]; then
+ # Init encrypt key for signing tools
+ encrypt_key="${ENCRYPT_FSBL_KEY_PATH_LIST}"
+ if [ -n "${STM32MP_ENCRYPT_SOC_NAME}" ]; then
+ unset k
+ for soc in ${STM32MP_ENCRYPT_SOC_NAME}; do
+ k=$(expr $k + 1)
+ [ "$(echo ${dt} | grep -c ${soc})" -eq 1 ] && encrypt_key=$(echo ${ENCRYPT_FSBL_KEY_PATH_LIST} | cut -d',' -f${k})
+ done
+ fi
+ # Set encryption options for signing tools
+ tf_a_encrypt_opts="\
+ --enc-key ${encrypt_key} \
+ --enc-dc ${TF_A_ENCRYPT_DC} \
+ --image-version ${TF_A_ENCRYPT_IMGVER} \
+ "
+ fi
+ # Sign tf-a binary
+ bbnote "${SIGN_TOOL} \
+ -bin "${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}-${config}.${TF_A_SUFFIX}" \
+ -o "${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}-${config}${TF_A_ENCRYPT_SUFFIX}${TF_A_SIGN_SUFFIX}.${TF_A_SUFFIX}" \
+ --password ${SIGN_KEY_PASS} \
+ --public-key $(ls -1 $(dirname ${sign_key})/publicKey*.pem | tr '\n' '\t') \
+ --private-key ${sign_key} \
+ --type fsbl \
+ --silent \
+ ${SIGN_TOOL_EXTRA_soc} \
+ ${tf_a_encrypt_opts} "
+
+ ${SIGN_TOOL} \
+ -bin "${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}-${config}.${TF_A_SUFFIX}" \
+ -o "${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}-${config}${TF_A_ENCRYPT_SUFFIX}${TF_A_SIGN_SUFFIX}.${TF_A_SUFFIX}" \
+ --password ${SIGN_KEY_PASS} \
+ --public-key $(ls -1 $(dirname ${sign_key})/publicKey*.pem | tr '\n' '\t') \
+ --private-key ${sign_key} \
+ --type fsbl \
+ --silent \
+ ${SIGN_TOOL_EXTRA_soc} \
+ ${tf_a_encrypt_opts}
+ if [ "${TF_A_ENABLE_DEBUG_WRAPPER}" = "1" ]; then
+ bbnote "${SIGN_TOOL} \
+ -bin "${B}/${config}${soc_suffix}-${dt}/debug-${tfa_basename}-${dt}-${config}.${TF_A_SUFFIX}" \
+ -o "${B}/${config}${soc_suffix}-${dt}/debug-${tfa_basename}-${dt}-${config}${TF_A_ENCRYPT_SUFFIX}${TF_A_SIGN_SUFFIX}.${TF_A_SUFFIX}" \
+ --password ${SIGN_KEY_PASS} \
+ --public-key $(ls -1 $(dirname ${sign_key})/publicKey*.pem | tr '\n' '\t') \
+ --private-key "${sign_key}" \
+ --type fsbl \
+ --silent \
+ ${SIGN_TOOL_EXTRA_soc} \
+ ${tf_a_encrypt_opts}"
+
+ ${SIGN_TOOL} \
+ -bin "${B}/${config}${soc_suffix}-${dt}/debug-${tfa_basename}-${dt}-${config}.${TF_A_SUFFIX}" \
+ -o "${B}/${config}${soc_suffix}-${dt}/debug-${tfa_basename}-${dt}-${config}${TF_A_ENCRYPT_SUFFIX}${TF_A_SIGN_SUFFIX}.${TF_A_SUFFIX}" \
+ --password ${SIGN_KEY_PASS} \
+ --public-key $(ls -1 $(dirname ${sign_key})/publicKey*.pem | tr '\n' '\t') \
+ --private-key "${sign_key}" \
+ --type fsbl \
+ --silent \
+ ${SIGN_TOOL_EXTRA_soc} \
+ ${tf_a_encrypt_opts}
+ fi
+ fi
+ fi
+ done
+ done
+
+ if [ "${TF_A_ENABLE_METADATA}" = "1" ]; then
+ rm -rf "${B}/${TF_A_METADATA_NAME}.${TF_A_METADATA_SUFFIX}"
+ ${TF_A_METADATA_TOOL} ${TF_A_METADATA_TOOL_ARGS} "${B}/${TF_A_METADATA_NAME}.${TF_A_METADATA_SUFFIX}"
+ fi
+}
+
 # This runs after 'tf_a_sysroot_populate()' which populates all
 # TF-A artifacts on the image deploy dir.
 # The purpose of this function is to create symlinks to the files needed