Digi
/
meta-digi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

stm-st-stm32mp: tf-a-stm32mp: Add custom do_compile() to fix TF-A artifact signing 

This commit introduces a custom do_compile() function to resolve a signing
issue affecting the final TF-A artifact, where the SoC name does not match the
TF-A device tree name.

https://onedigi.atlassian.net/browse/DEL-9442

Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit is contained in:
Arturo Buzarra 2025-03-13 17:28:18 +01:00
parent dc19078620
commit b5e94fc1ae
1 changed files with 225 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

225
meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_2.10.bbappend
View File

@ -71,6 +71,231 @@ python set_tfa_sign_key() {
d.setVar('SIGN_KEY_PASS', p)
}
TF_A_SOC_MATCH ?= " ${DIGI_SOM} "
do_compile() {
unset LDFLAGS
unset CFLAGS
unset CPPFLAGS
unset i
for config in ${TF_A_CONFIG}; do
i=$(expr $i + 1)
# Initialize devicetree list, extra make options and tf-a basename
dt_config=$(echo ${TF_A_DEVICETREE} | cut -d',' -f${i})
extra_opt=$(echo ${TF_A_EXTRA_OPTFLAGS} | cut -d',' -f${i})
tfa_basename=$(echo ${TF_A_BINARIES} | cut -d',' -f${i})
tf_a_make_target=$(echo ${TF_A_MAKE_TARGET} | cut -d',' -f${i})
for dt in ${dt_config}; do
# Init specific soc settings
soc_extra_opt=""
soc_suffix=""
soc_name=""
if [ -n "${STM32MP_SOC_NAME}" ]; then
for soc in ${STM32MP_SOC_NAME}; do
if [ "$(echo ${dt} | grep -c ${soc})" -eq 1 ]; then
soc_extra_opt="$(echo ${soc} | awk '{print toupper($0)}')=1"
soc_suffix="-${soc}"
SIGN_TOOL_EXTRA_soc="${SIGN_TOOL_EXTRA}"
case ${soc} in
stm32mp13)
SIGN_TOOL_EXTRA_soc="${SIGN_TOOL_EXTRA_stm32mp13}"
;;
stm32mp15)
SIGN_TOOL_EXTRA_soc="${SIGN_TOOL_EXTRA_stm32mp15}"
if echo ${config} | grep -q 'optee-'; then
soc_extra_opt="${soc_extra_opt} STM32MP1_OPTEE_IN_SYSRAM=1"
fi
;;
stm32mp21)
SIGN_TOOL_EXTRA_soc="${SIGN_TOOL_EXTRA_stm32mp21}"
;;
stm32mp23)
SIGN_TOOL_EXTRA_soc="${SIGN_TOOL_EXTRA_stm32mp23}"
;;
stm32mp25)
SIGN_TOOL_EXTRA_soc="${SIGN_TOOL_EXTRA_stm32mp25}"
;;
esac
fi
done
fi
mkdir -p ${B}/${config}${soc_suffix}-${dt}
if [ "${TF_A_ENABLE_METADATA}" = "1" ]; then
rm -rf "${B}/${config}${soc_suffix}-${dt}/${TF_A_METADATA_NAME}.${TF_A_METADATA_SUFFIX}"
${TF_A_METADATA_TOOL} ${TF_A_METADATA_TOOL_ARGS} "${B}/${TF_A_METADATA_NAME}.${TF_A_METADATA_SUFFIX}"
fi
# generate dt to check the content
oe_runmake -C "${S}" BUILD_PLAT="${B}/${config}${soc_suffix}-${dt}" DTB_FILE_NAME="${dt}.dtb" ${extra_opt} ${soc_extra_opt} dtbs
# check which pmic1l is present on dtb
pcmi1_present=$(${STAGING_BINDIR_NATIVE}/fdtdump ${B}/${config}${soc_suffix}-${dt}/fdts/${dt}-bl2.dtb 2>/dev/null | grep -c "st,stpmic1l" || ${HOSTTOOLS_DIR}/true)
if [ -f "${B}/${config}${soc_suffix}-${dt}/fdts/${dt}-bl2.dtb" ]; then
if [ $pcmi1_present -gt 0 ]; then
# st pmic1l is present, need to force to compilation with specific pcmi1l optionn
soc_extra_opt="${soc_extra_opt} STM32MP_STPMIC1L=1"
fi
fi
# Init specific ddr settings
ddr_extra_opt=""
if [ "${TF_A_FWDDR}" = "1" ]; then
# Detect ddr type if it's present
if [ -f "${B}/${config}${soc_suffix}-${dt}/fdts/${dt}-bl2.dtb" ]; then
ddr_dtb_node=$(${STAGING_BINDIR_NATIVE}/fdtget -l ${B}/${config}${soc_suffix}-${dt}/fdts/${dt}-bl2.dtb /soc | grep ddr | head -n 1)
ddr_propertie=$(${STAGING_BINDIR_NATIVE}/fdtget ${B}/${config}${soc_suffix}-${dt}/fdts/${dt}-bl2.dtb /soc/${ddr_dtb_node} st,mem-name || echo "none")
ddr_target=""
# potentials value of ddr_propertie:
# DDR3 16bits
# DDR4 32bits
# DDR4 8Gbits
# LPDDR4 32bits
case ${ddr_propertie} in
DDR3*)
ddr_extra_opt=" STM32MP_DDR3_TYPE=1 "
ddr_target="ddr3"
;;
DDR4*)
ddr_extra_opt=" STM32MP_DDR4_TYPE=1 "
ddr_target="ddr4"
;;
LPDDR4*)
ddr_extra_opt=" STM32MP_LPDDR4_TYPE=1 "
ddr_target="lpddr4"
;;
*)
bbfatal "Missing st,mem-name information for ${dt}"
;;
esac
bbnote "${dt}: ${tf_a_make_target} -> ${ddr_extra_opt}"
# Copy TF-A ddr binary with explicit devicetree filename
if [ -s "${FWDDR_DIR}/${ddr_target}_pmu_train.bin" ]; then
install -m 644 "${FWDDR_DIR}/${ddr_target}_pmu_train.bin" "${B}/${config}${soc_suffix}-${dt}/${FWDDR_NAME}-${dt}-${config}.${FWDDR_SUFFIX}"
else
bbfatal "Missing ddr firmware file ${ddr_target}_pmu_train.bin for ${dt}"
fi
fi
fi
encrypt_extra_opt=""
if [ "${ENCRYPT_ENABLE}" = "1" ]; then
encrypt_key="${ENCRYPT_FIP_KEY_PATH_LIST}"
if [ -n "${STM32MP_ENCRYPT_SOC_NAME}" ]; then
unset k
for soc in ${STM32MP_ENCRYPT_SOC_NAME}; do
k=$(expr $k + 1)
[ "$(echo ${dt} | grep -c ${soc})" -eq 1 ] && encrypt_key=$(echo ${ENCRYPT_FIP_KEY_PATH_LIST} | cut -d',' -f${k})
done
fi
if [ "$(file "${encrypt_key}" | sed 's#.*: \(.*\)$#\1#')" = "ASCII text" ]; then
# The encryption key is already available in hexadecimal format, so just extract it from file
encrypt_key="$(cat ${encrypt_key})"
else
encrypt_key="$(hexdump -e '/1 "%02x"' ${encrypt_key})"
fi
encrypt_extra_opt="ENC_KEY=${encrypt_key}"
fi
oe_runmake -C "${S}" BUILD_PLAT="${B}/${config}${soc_suffix}-${dt}" DTB_FILE_NAME="${dt}.dtb" ${extra_opt} ${soc_extra_opt} ${ddr_extra_opt} ${encrypt_extra_opt} ${tf_a_make_target}
if [ -f "${B}/${config}${soc_suffix}-${dt}/bl2.bin" ]; then
cp "${B}/${config}${soc_suffix}-${dt}/bl2.bin" "${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}-${config}.bin"
fi
# Copy TF-A binary with explicit devicetree filename
if [ -f "${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}.${TF_A_SUFFIX}" ]; then
cp "${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}.${TF_A_SUFFIX}" "${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}-${config}.${TF_A_SUFFIX}"
if [ "${TF_A_ENABLE_DEBUG_WRAPPER}" = "1" ]; then
stm32wrapper4dbg -s "${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}.${TF_A_SUFFIX}" -d "${B}/${config}${soc_suffix}-${dt}/debug-${tfa_basename}-${dt}-${config}.${TF_A_SUFFIX}"
fi
if [ "${SIGN_ENABLE}" = "1" ]; then
# Init sign key for signing tools
sign_key="${SIGN_KEY_PATH_LIST}"
if [ -n "${STM32MP_SOC_NAME}" ]; then
unset k
for soc in ${STM32MP_SOC_NAME}; do
k=$(expr $k + 1)
if [ "$(echo ${dt} | grep -c ${soc})" -eq 1 ] || [ "$(echo ${dt} | grep -c ${TF_A_SOC_MATCH})" -eq 1 ] ;then
sign_key=$(echo ${SIGN_KEY_PATH_LIST} | cut -d',' -f${k})
fi
done
fi
# Init default encryption options for signing tool
tf_a_encrypt_opts=""
if [ "${ENCRYPT_ENABLE}" = "1" ]; then
# Init encrypt key for signing tools
encrypt_key="${ENCRYPT_FSBL_KEY_PATH_LIST}"
if [ -n "${STM32MP_ENCRYPT_SOC_NAME}" ]; then
unset k
for soc in ${STM32MP_ENCRYPT_SOC_NAME}; do
k=$(expr $k + 1)
[ "$(echo ${dt} | grep -c ${soc})" -eq 1 ] && encrypt_key=$(echo ${ENCRYPT_FSBL_KEY_PATH_LIST} | cut -d',' -f${k})
done
fi
# Set encryption options for signing tools
tf_a_encrypt_opts="\
--enc-key ${encrypt_key} \
--enc-dc ${TF_A_ENCRYPT_DC} \
--image-version ${TF_A_ENCRYPT_IMGVER} \
"
fi
# Sign tf-a binary
bbnote "${SIGN_TOOL} \
-bin "${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}-${config}.${TF_A_SUFFIX}" \
-o "${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}-${config}${TF_A_ENCRYPT_SUFFIX}${TF_A_SIGN_SUFFIX}.${TF_A_SUFFIX}" \
--password ${SIGN_KEY_PASS} \
--public-key $(ls -1 $(dirname ${sign_key})/publicKey*.pem | tr '\n' '\t') \
--private-key ${sign_key} \
--type fsbl \
--silent \
${SIGN_TOOL_EXTRA_soc} \
${tf_a_encrypt_opts} "
${SIGN_TOOL} \
-bin "${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}-${config}.${TF_A_SUFFIX}" \
-o "${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}-${config}${TF_A_ENCRYPT_SUFFIX}${TF_A_SIGN_SUFFIX}.${TF_A_SUFFIX}" \
--password ${SIGN_KEY_PASS} \
--public-key $(ls -1 $(dirname ${sign_key})/publicKey*.pem | tr '\n' '\t') \
--private-key ${sign_key} \
--type fsbl \
--silent \
${SIGN_TOOL_EXTRA_soc} \
${tf_a_encrypt_opts}
if [ "${TF_A_ENABLE_DEBUG_WRAPPER}" = "1" ]; then
bbnote "${SIGN_TOOL} \
-bin "${B}/${config}${soc_suffix}-${dt}/debug-${tfa_basename}-${dt}-${config}.${TF_A_SUFFIX}" \
-o "${B}/${config}${soc_suffix}-${dt}/debug-${tfa_basename}-${dt}-${config}${TF_A_ENCRYPT_SUFFIX}${TF_A_SIGN_SUFFIX}.${TF_A_SUFFIX}" \
--password ${SIGN_KEY_PASS} \
--public-key $(ls -1 $(dirname ${sign_key})/publicKey*.pem | tr '\n' '\t') \
--private-key "${sign_key}" \
--type fsbl \
--silent \
${SIGN_TOOL_EXTRA_soc} \
${tf_a_encrypt_opts}"
${SIGN_TOOL} \
-bin "${B}/${config}${soc_suffix}-${dt}/debug-${tfa_basename}-${dt}-${config}.${TF_A_SUFFIX}" \
-o "${B}/${config}${soc_suffix}-${dt}/debug-${tfa_basename}-${dt}-${config}${TF_A_ENCRYPT_SUFFIX}${TF_A_SIGN_SUFFIX}.${TF_A_SUFFIX}" \
--password ${SIGN_KEY_PASS} \
--public-key $(ls -1 $(dirname ${sign_key})/publicKey*.pem | tr '\n' '\t') \
--private-key "${sign_key}" \
--type fsbl \
--silent \
${SIGN_TOOL_EXTRA_soc} \
${tf_a_encrypt_opts}
fi
fi
fi
done
done
if [ "${TF_A_ENABLE_METADATA}" = "1" ]; then
rm -rf "${B}/${TF_A_METADATA_NAME}.${TF_A_METADATA_SUFFIX}"
${TF_A_METADATA_TOOL} ${TF_A_METADATA_TOOL_ARGS} "${B}/${TF_A_METADATA_NAME}.${TF_A_METADATA_SUFFIX}"
fi
}
# This runs after 'tf_a_sysroot_populate()' which populates all
# TF-A artifacts on the image deploy dir.
# The purpose of this function is to create symlinks to the files needed