Digi
/
meta-digi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
meta-digi/meta-digi-arm/classes/fip-utils-stm32mp2.bbclass

568 lines
31 KiB
Plaintext
Raw Blame History

inherit sign-stm32mp2
DEPENDS += "tf-a-tools-native util-linux-native"
# Configure new package to provide fiptool wrapper for SDK usage
PACKAGES =+ "${FIPTOOL_WRAPPER}"
BBCLASSEXTEND:append = " nativesdk"
RRECOMMENDS:${FIPTOOL_WRAPPER}:append:class-nativesdk = " nativesdk-tf-a-tools"
# Define default TF-A FIP namings
FIP_BASENAME ?= "fip"
FIP_SUFFIX ?= "bin"
# Set default TF-A FIP config
FIP_CONFIG ?= ""
# Default FIP config:
# There are two options implemented to select two different firmware and each
# FIP_CONFIG should configure one: 'tfa' or 'optee'
FIP_CONFIG_FW_TFA = "tfa"
FIP_CONFIG_FW_TEE = "optee"
# Init BL31 config
FIP_BL31_ENABLE ?= ""
# Set CERTTOOL binary name to use
CERTTOOL ?= "cert_create"
# Set ENCTOOL binary name to use
ENCTOOL ?= "encrypt_fw"
# Set FIPTOOL binary name to use
FIPTOOL ?= "fiptool"
# Set STM32MP fiptool wrapper
FIPTOOL_WRAPPER ?= "fiptool-stm32mp"
# Default FIP file names and suffixes
FIP_BL31 ?= "tf-a-bl31"
FIP_BL31_SUFFIX ?= "bin"
FIP_BL31_DTB ?= "bl31"
FIP_BL31_DTB_SUFFIX ?= "dtb"
FIP_TFA ?= "tf-a-bl32"
FIP_TFA_SUFFIX ?= "bin"
FIP_TFA_DTB ?= "bl32"
FIP_TFA_DTB_SUFFIX ?= "dtb"
FIP_FW_CONFIG ?= "fw-config"
FIP_FW_CONFIG_SUFFIX ?= "dtb"
FIP_FW_DDR ?= "ddr_pmu"
FIP_FW_DDR_SUFFIX ?= "bin"
FIP_OPTEE_HEADER ?= "tee-header_v2"
FIP_OPTEE_PAGER ?= "tee-pager_v2"
FIP_OPTEE_PAGEABLE ?= "tee-pageable_v2"
FIP_OPTEE_SUFFIX ?= "bin"
FIP_UBOOT ?= "u-boot-nodtb"
FIP_UBOOT_SUFFIX ?= "bin"
FIP_UBOOT_DTB ?= "u-boot"
FIP_UBOOT_DTB_SUFFIX ?= "dtb"
# Configure default folder path for binaries to package
FIP_DEPLOYDIR_FIP ?= "${DEPLOYDIR}/fip"
FIP_DEPLOYDIR_BL31 ?= "${DEPLOYDIR}/arm-trusted-firmware/bl31"
FIP_DEPLOYDIR_TFA ?= "${DEPLOYDIR}/arm-trusted-firmware/bl32"
FIP_DEPLOYDIR_FWCONF ?= "${DEPLOYDIR}/arm-trusted-firmware/fwconfig"
FIP_DEPLOYDIR_FWDDR ?= "${DEPLOYDIR}/arm-trusted-firmware/ddr"
FIP_DEPLOYDIR_OPTEE ?= "${DEPLOY_DIR}/images/${MACHINE}/optee"
FIP_DEPLOYDIR_UBOOT ?= "${DEPLOY_DIR}/images/${MACHINE}/u-boot"
# Set default configuration to allow FIP signing
FIP_ENCRYPT_SUFFIX ??= "${@bb.utils.contains('ENCRYPT_ENABLE', '1', '${ENCRYPT_SUFFIX}', '', d)}"
FIP_ENCRYPT_NONCE ??= "1234567890abcdef12345678"
FIP_SIGN_SUFFIX ??= "${@bb.utils.contains('SIGN_ENABLE', '1', '${SIGN_SUFFIX}', '', d)}"
# Define FIP dependency build
FIP_DEPENDS += "virtual/bootloader"
FIP_DEPENDS += "${@bb.utils.contains('MACHINE_FEATURES', 'optee', 'virtual/optee-os', '', d)}"
FIP_DEPENDS:class-nativesdk = ""
# -----------------------------------------------
# Handle FIP config and set internal vars
# FIP_BL32_CONF
python () {
import re
# Make sure that deploy class is configured
if not bb.data.inherits_class('deploy', d):
bb.fatal("The st-fip-utils class needs the deploy class to be configured on recipe side.")
# Manage FIP binary dependencies
fip_depends = (d.getVar('FIP_DEPENDS') or "").split()
if len(fip_depends) > 0:
for depend in fip_depends:
d.appendVarFlag('do_deploy', 'depends', ' %s:do_deploy' % depend)
# Manage FIP config settings
fipconfigflags = d.getVarFlags('FIP_CONFIG')
if fipconfigflags is not None:
# The "doc" varflag is special, we don't want to see it here
fipconfigflags.pop('doc', None)
fipconfig = (d.getVar('FIP_CONFIG') or "").split()
if not fipconfig:
raise bb.parse.SkipRecipe("FIP_CONFIG must be set in the %s machine configuration." % d.getVar("MACHINE"))
if (d.getVar('FIP_BL32_CONF') or "").split():
raise bb.parse.SkipRecipe("You cannot use FIP_BL32_CONF as it is internal to FIP_CONFIG var expansion.")
if (d.getVar('FIP_DEVICETREE') or "").split():
raise bb.parse.SkipRecipe("You cannot use FIP_DEVICETREE as it is internal to FIP_CONFIG var expansion.")
if len(fipconfig) > 0:
# Init internal fip firmware config
fip_config_fw_tfa = d.getVar('FIP_CONFIG_FW_TFA') or ""
fip_config_fw_tee = d.getVar('FIP_CONFIG_FW_TEE') or ""
for config in fipconfig:
for f, v in fipconfigflags.items():
if config == f:
# Make sure to get var flag properly expanded
v = d.getVarFlag('FIP_CONFIG', config)
if not v.strip():
bb.fatal('[FIP_CONFIG] Missing configuration for %s config' % config)
items = v.split(',')
if items[0] and len(items) > 2:
raise bb.parse.SkipRecipe('Only <BL32_CONF> and <DT_CONFIG> can be specified!')
# Set internal vars
if items[0] == fip_config_fw_tfa or items[0] == fip_config_fw_tee:
bb.debug(1, "Appending '%s' to FIP_BL32_CONF" % items[0])
d.appendVar('FIP_BL32_CONF', items[0] + ',')
else:
bb.fatal('[FIP_CONFIG] Wrong configuration for %s config: %s should be one of %s or %s' % (config,items[0],fip_config_fw_tfa,fip_config_fw_tee))
bb.debug(1, "Appending '%s' to FIP_DEVICETREE" % items[1])
d.appendVar('FIP_DEVICETREE', items[1] + ',')
break
}
# Deploy the fip binary for current target
do_deploy:append:class-target() {
install -d ${DEPLOYDIR}
install -d ${FIP_DEPLOYDIR_FIP}
unset i
for config in ${FIP_CONFIG}; do
i=$(expr $i + 1)
bl32_conf=$(echo ${FIP_BL32_CONF} | cut -d',' -f${i})
dt_config=$(echo ${FIP_DEVICETREE} | cut -d',' -f${i})
for dt in ${dt_config}; do
# Init soc suffix
soc_suffix=""
if [ -n "${STM32MP_SOC_NAME}" ]; then
for soc in ${STM32MP_SOC_NAME}; do
[ "$(echo ${dt} | grep -c ${soc})" -eq 1 ] && soc_suffix="-${soc}"
done
fi
# Init FIP fw-config settings
[ -f "${FIP_DEPLOYDIR_FWCONF}/${dt}-${FIP_FW_CONFIG}-${config}.${FIP_FW_CONFIG_SUFFIX}" ] || bbfatal "Missing ${dt}-${FIP_FW_CONFIG}-${config}.${FIP_FW_CONFIG_SUFFIX} file in folder: ${FIP_DEPLOYDIR_FWCONF}"
FIP_FWCONFIG="--fw-config ${FIP_DEPLOYDIR_FWCONF}/${dt}-${FIP_FW_CONFIG}-${config}.${FIP_FW_CONFIG_SUFFIX}"
# Init FIP hw-config settings
[ -f "${FIP_DEPLOYDIR_UBOOT}/${FIP_UBOOT_DTB}-${dt}.${FIP_UBOOT_DTB_SUFFIX}" ] || bbfatal "Missing ${FIP_UBOOT_DTB}-${dt}.${FIP_UBOOT_DTB_SUFFIX} file in folder: ${FIP_DEPLOYDIR_UBOOT}"
FIP_HWCONFIG="--hw-config ${FIP_DEPLOYDIR_UBOOT}/${FIP_UBOOT_DTB}-${dt}.${FIP_UBOOT_DTB_SUFFIX}"
# Init FIP nt-fw config
[ -f "${FIP_DEPLOYDIR_UBOOT}/${FIP_UBOOT}${soc_suffix}.${FIP_UBOOT_SUFFIX}" ] || bbfatal "Missing ${FIP_UBOOT}${soc_suffix}.${FIP_UBOOT_SUFFIX} file in folder: ${FIP_DEPLOYDIR_UBOOT}"
FIP_NTFW="--nt-fw ${FIP_DEPLOYDIR_UBOOT}/${FIP_UBOOT}${soc_suffix}.${FIP_UBOOT_SUFFIX}"
# Init FIP bl31 settings
if [ "${FIP_BL31_ENABLE}" = "1" ]; then
# Check for files
[ -f "${FIP_DEPLOYDIR_BL31}/${FIP_BL31}${soc_suffix}.${FIP_BL31_SUFFIX}" ] || bbfatal "Missing ${FIP_BL31}${soc_suffix}.${FIP_BL31_SUFFIX} file in folder: ${FIP_DEPLOYDIR_BL31}"
[ -f "${FIP_DEPLOYDIR_BL31}/${dt}-${FIP_BL31_DTB}.${FIP_BL31_DTB_SUFFIX}" ] || bbfatal "Missing ${dt}-${FIP_BL31_DTB}.${FIP_BL31_DTB_SUFFIX} file in folder: ${FIP_DEPLOYDIR_BL31}"
# Set CERT_BL31CONF
CERT_BL31CONF=" \
--soc-fw ${FIP_DEPLOYDIR_BL31}/${FIP_BL31}${soc_suffix}.${FIP_BL31_SUFFIX} \
--soc-fw-config ${FIP_DEPLOYDIR_BL31}/${dt}-${FIP_BL31_DTB}.${FIP_BL31_DTB_SUFFIX} \
"
if [ "${ENCRYPT_ENABLE}" = "1" ]; then
encrypt_key="${ENCRYPT_FIP_KEY_PATH_LIST}"
if [ -n "${STM32MP_ENCRYPT_SOC_NAME}" ]; then
unset k
for soc in ${STM32MP_ENCRYPT_SOC_NAME}; do
k=$(expr $k + 1)
[ "$(echo ${dt} | grep -c ${soc})" -eq 1 ] && encrypt_key=$(echo ${ENCRYPT_FIP_KEY_PATH_LIST} | cut -d',' -f${k})
done
fi
encrypt_key="$(hexdump -e '/1 "%02x"' ${encrypt_key})"
# encrypt bl31 binary
bbnote "${ENCTOOL} --key ${encrypt_key} --nonce ${FIP_ENCRYPT_NONCE} --fw-enc-status 0 \
--in \"${FIP_DEPLOYDIR_BL31}/${FIP_BL31}${soc_suffix}.${FIP_BL31_SUFFIX}\" \
--out \"${FIP_DEPLOYDIR_BL31}/${FIP_BL31}${soc_suffix}${FIP_ENCRYPT_SUFFIX}.${FIP_BL31_SUFFIX}\" "
${ENCTOOL} --key ${encrypt_key} --nonce ${FIP_ENCRYPT_NONCE} --fw-enc-status 0 \
--in "${FIP_DEPLOYDIR_BL31}/${FIP_BL31}${soc_suffix}.${FIP_BL31_SUFFIX}" \
--out "${FIP_DEPLOYDIR_BL31}/${FIP_BL31}${soc_suffix}${FIP_ENCRYPT_SUFFIX}.${FIP_BL31_SUFFIX}"
# encrypt bl31 devicetree
bbnote "${ENCTOOL} --key ${encrypt_key} --nonce ${FIP_ENCRYPT_NONCE} --fw-enc-status 0 \
--in \"${FIP_DEPLOYDIR_BL31}/${dt}-${FIP_BL31_DTB}.${FIP_BL31_DTB_SUFFIX}\" \
--out \"${FIP_DEPLOYDIR_BL31}/${dt}-${FIP_BL31_DTB}${FIP_ENCRYPT_SUFFIX}.${FIP_BL31_DTB_SUFFIX} \" "
${ENCTOOL} --key ${encrypt_key} --nonce ${FIP_ENCRYPT_NONCE} --fw-enc-status 0 \
--in "${FIP_DEPLOYDIR_BL31}/${dt}-${FIP_BL31_DTB}.${FIP_BL31_DTB_SUFFIX}" \
--out "${FIP_DEPLOYDIR_BL31}/${dt}-${FIP_BL31_DTB}${FIP_ENCRYPT_SUFFIX}.${FIP_BL31_DTB_SUFFIX}"
fi
# Set FIP_BL31CONF
FIP_BL31CONF="\
--soc-fw ${FIP_DEPLOYDIR_BL31}/${FIP_BL31}${soc_suffix}${FIP_ENCRYPT_SUFFIX}.${FIP_BL31_SUFFIX} \
--soc-fw-config ${FIP_DEPLOYDIR_BL31}/${dt}-${FIP_BL31_DTB}${FIP_ENCRYPT_SUFFIX}.${FIP_BL31_DTB_SUFFIX} \
"
else
CERT_BL31CONF=""
FIP_BL31CONF=""
fi
# Init FIP extra conf settings
if [ "${bl32_conf}" = "${FIP_CONFIG_FW_TFA}" ]; then
# Check for files
[ -f "${FIP_DEPLOYDIR_TFA}/${FIP_TFA}${soc_suffix}.${FIP_TFA_SUFFIX}" ] || bbfatal "Missing ${FIP_TFA}${soc_suffix}.${FIP_TFA_SUFFIX} file in folder: ${FIP_DEPLOYDIR_TFA}"
[ -f "${FIP_DEPLOYDIR_TFA}/${dt}-${FIP_TFA_DTB}.${FIP_TFA_DTB_SUFFIX}" ] || bbfatal "Missing ${dt}-${FIP_TFA_DTB}.${FIP_TFA_DTB_SUFFIX} file in folder: ${FIP_DEPLOYDIR_TFA}"
# Set FIP_EXTRACONF
FIP_EXTRACONF="\
--tos-fw ${FIP_DEPLOYDIR_TFA}/${FIP_TFA}${soc_suffix}.${FIP_TFA_SUFFIX} \
--tos-fw-config ${FIP_DEPLOYDIR_TFA}/${dt}-${FIP_TFA_DTB}.${FIP_TFA_DTB_SUFFIX} \
"
elif [ "${bl32_conf}" = "${FIP_CONFIG_FW_TEE}" ]; then
# Check for files
[ -f "${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_HEADER}-${dt}.${FIP_OPTEE_SUFFIX}" ] || bbfatal "Missing ${FIP_OPTEE_HEADER}-${dt}.${FIP_OPTEE_SUFFIX} file in folder: ${FIP_DEPLOYDIR_OPTEE}"
[ -f "${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_PAGER}-${dt}.${FIP_OPTEE_SUFFIX}" ] || bbfatal "Missing ${FIP_OPTEE_PAGER}-${dt}.${FIP_OPTEE_SUFFIX} file in folder: ${FIP_DEPLOYDIR_OPTEE}"
[ -f "${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_PAGEABLE}-${dt}.${FIP_OPTEE_SUFFIX}" ] || bbfatal "Missing ${FIP_OPTEE_PAGEABLE}-${dt}.${FIP_OPTEE_SUFFIX} file in folder: ${FIP_DEPLOYDIR_OPTEE}"
# Set CERT_EXTRACONF
CERT_EXTRACONF="\
--tos-fw ${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_HEADER}-${dt}.${FIP_OPTEE_SUFFIX} \
--tos-fw-extra1 ${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_PAGER}-${dt}.${FIP_OPTEE_SUFFIX} \
--tos-fw-extra2 ${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_PAGEABLE}-${dt}.${FIP_OPTEE_SUFFIX} \
"
if [ "${ENCRYPT_ENABLE}" = "1" ]; then
encrypt_key="${ENCRYPT_FIP_KEY_PATH_LIST}"
if [ -n "${STM32MP_ENCRYPT_SOC_NAME}" ]; then
unset k
for soc in ${STM32MP_ENCRYPT_SOC_NAME}; do
k=$(expr $k + 1)
[ "$(echo ${dt} | grep -c ${soc})" -eq 1 ] && encrypt_key=$(echo ${ENCRYPT_FIP_KEY_PATH_LIST} | cut -d',' -f${k})
done
fi
encrypt_key="$(hexdump -e '/1 "%02x"' ${encrypt_key})"
# encrypt optee header
bbnote "${ENCTOOL} --key ${encrypt_key} --nonce ${FIP_ENCRYPT_NONCE} --fw-enc-status 0 \
--in \"${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_HEADER}-${dt}.${FIP_OPTEE_SUFFIX}\" \
--out \"${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_HEADER}-${dt}${FIP_ENCRYPT_SUFFIX}.${FIP_OPTEE_SUFFIX}\" "
${ENCTOOL} --key ${encrypt_key} --nonce ${FIP_ENCRYPT_NONCE} --fw-enc-status 0 \
--in "${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_HEADER}-${dt}.${FIP_OPTEE_SUFFIX}" \
--out "${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_HEADER}-${dt}${FIP_ENCRYPT_SUFFIX}.${FIP_OPTEE_SUFFIX}"
# encrypt optee pager
bbnote "${ENCTOOL} --key ${encrypt_key} --nonce ${FIP_ENCRYPT_NONCE} --fw-enc-status 0 \
--in \"${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_PAGER}-${dt}.${FIP_OPTEE_SUFFIX}\" \
--out \"${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_PAGER}-${dt}${FIP_ENCRYPT_SUFFIX}.${FIP_OPTEE_SUFFIX}\" "
${ENCTOOL} --key ${encrypt_key} --nonce ${FIP_ENCRYPT_NONCE} --fw-enc-status 0 \
--in "${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_PAGER}-${dt}.${FIP_OPTEE_SUFFIX}" \
--out "${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_PAGER}-${dt}${FIP_ENCRYPT_SUFFIX}.${FIP_OPTEE_SUFFIX}"
# encrypt optee pageable
bbnote "${ENCTOOL} --key ${encrypt_key} --nonce ${FIP_ENCRYPT_NONCE} --fw-enc-status 0 \
--in \"${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_PAGEABLE}-${dt}.${FIP_OPTEE_SUFFIX}\" \
--out \"${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_PAGEABLE}-${dt}${FIP_ENCRYPT_SUFFIX}.${FIP_OPTEE_SUFFIX}\" "
${ENCTOOL} --key ${encrypt_key} --nonce ${FIP_ENCRYPT_NONCE} --fw-enc-status 0 \
--in "${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_PAGEABLE}-${dt}.${FIP_OPTEE_SUFFIX}" \
--out "${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_PAGEABLE}-${dt}${FIP_ENCRYPT_SUFFIX}.${FIP_OPTEE_SUFFIX}"
fi
# Set FIP_EXTRACONF
FIP_EXTRACONF="\
--tos-fw ${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_HEADER}-${dt}${FIP_ENCRYPT_SUFFIX}.${FIP_OPTEE_SUFFIX} \
--tos-fw-extra1 ${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_PAGER}-${dt}${FIP_ENCRYPT_SUFFIX}.${FIP_OPTEE_SUFFIX} \
--tos-fw-extra2 ${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_PAGEABLE}-${dt}${FIP_ENCRYPT_SUFFIX}.${FIP_OPTEE_SUFFIX} \
"
else
bbfatal "Wrong configuration '${bl32_conf}' found in FIP_CONFIG for ${config} config."
fi
# Init FIP DDR config settings
if [ -f "${FIP_DEPLOYDIR_FWDDR}/${FIP_FW_DDR}-${dt}.${FIP_FW_DDR_SUFFIX}" ]; then
FIP_DDRCONF="--ddr-fw ${FIP_DEPLOYDIR_FWDDR}/${FIP_FW_DDR}-${dt}.${FIP_FW_DDR_SUFFIX}"
CERT_DDRCONF="--ddr-fw ${FIP_DEPLOYDIR_FWDDR}/${FIP_FW_DDR}-${dt}.${FIP_FW_DDR_SUFFIX}"
else
FIP_DDRCONF=""
CERT_DDRCONF=""
fi
# Init certificate settings
if [ "${SIGN_ENABLE}" = "1" ]; then
sign_key="${SIGN_KEY_PATH_LIST}"
if [ $(echo ${SIGN_KEY_PASS} | wc -w) -gt 1 ]; then
sign_single_key_pass=$(echo ${SIGN_KEY_PASS} | cut -d' ' -f1)
else
sign_single_key_pass="${SIGN_KEY_PASS}"
fi
if [ -n "${STM32MP_SOC_NAME}" ]; then
unset k
for soc in ${STM32MP_SOC_NAME}; do
k=$(expr $k + 1)
[ "$(echo ${dt} | grep -c ${soc})" -eq 1 ] && sign_key=$(echo ${SIGN_KEY_PATH_LIST} | cut -d',' -f${k})
done
fi
mkdir -p ${B}/${config}-${dt}
FIP_CERTCONF="\
--tb-fw-cert ${B}/${config}-${dt}/tb_fw.crt \
--trusted-key-cert ${B}/${config}-${dt}/trusted_key.crt \
--nt-fw-cert ${B}/${config}-${dt}/nt_fw_content.crt \
--nt-fw-key-cert ${B}/${config}-${dt}/nt_fw_key.crt \
--tos-fw-cert ${B}/${config}-${dt}/tos_fw_content.crt \
--tos-fw-key-cert ${B}/${config}-${dt}/tos_fw_key.crt \
--stm32mp-cfg-cert ${B}/${config}-${dt}/stm32mp_cfg_cert.crt \
"
if [ "${FIP_BL31_ENABLE}" = "1" ]; then
FIP_CERTCONF="${FIP_CERTCONF} \
--soc-fw-cert ${B}/${config}-${dt}/soc_fw_content.crt \
--soc-fw-key-cert ${B}/${config}-${dt}/soc_fw_key.crt \
"
fi
# Need fake bl2 binary to generate certificates
touch ${WORKDIR}/bl2-fake.bin
# Generate certificates
bbnote "${CERTTOOL} -n --tfw-nvctr 0 --ntfw-nvctr 0 --key-alg ecdsa --hash-alg sha256 \
--rot-key ${sign_key} \
--rot-key-pwd $sign_single_key_pass \
${FIP_FWCONFIG} \
${FIP_HWCONFIG} \
${FIP_NTFW} \
${FIP_CERTCONF} \
${CERT_EXTRACONF} \
${CERT_DDRCONF} \
${CERT_BL31CONF} \
--tb-fw ${WORKDIR}/bl2-fake.bin"
${CERTTOOL} -n --tfw-nvctr 0 --ntfw-nvctr 0 --key-alg ecdsa --hash-alg sha256 \
--rot-key ${sign_key} \
--rot-key-pwd $sign_single_key_pass \
${FIP_FWCONFIG} \
${FIP_HWCONFIG} \
${FIP_NTFW} \
${FIP_CERTCONF} \
${CERT_EXTRACONF} \
${CERT_DDRCONF} \
${CERT_BL31CONF} \
--tb-fw ${WORKDIR}/bl2-fake.bin
# Remove fake bl2 binary
rm -f ${WORKDIR}/bl2-fake.bin
# Init FIP DDR cert settings
FIP_DDRCERTCONF="--stm32mp-cfg-cert ${B}/${config}-${dt}/stm32mp_cfg_cert_ddr.crt"
# Generate FIP DDR certificates
if [ -f "${FIP_DEPLOYDIR_FWDDR}/${FIP_FW_DDR}-${dt}.${FIP_FW_DDR_SUFFIX}" ]; then
bbnote "${CERTTOOL} -n --tfw-nvctr 0 \
--rot-key ${sign_key} \
--rot-key-pwd $sign_single_key_pass \
${FIP_DDRCERTCONF} \
${CERT_DDRCONF}"
${CERTTOOL} -n --tfw-nvctr 0 \
--rot-key ${sign_key} \
--rot-key-pwd $sign_single_key_pass \
${FIP_DDRCERTCONF} \
${CERT_DDRCONF}
fi
else
FIP_CERTCONF=""
FIP_DDRCERTCONF=""
fi
# Generate FIP binary
bbnote "${FIPTOOL} create \
${FIP_FWCONFIG} \
${FIP_HWCONFIG} \
${FIP_NTFW} \
${FIP_BL31CONF} \
${FIP_EXTRACONF} \
${FIP_DDRCONF} \
${FIP_CERTCONF} \
${FIP_DEPLOYDIR_FIP}/${FIP_BASENAME}-${dt}-${config}${FIP_ENCRYPT_SUFFIX}${FIP_SIGN_SUFFIX}.${FIP_SUFFIX}"
${FIPTOOL} create \
${FIP_FWCONFIG} \
${FIP_HWCONFIG} \
${FIP_NTFW} \
${FIP_BL31CONF} \
${FIP_EXTRACONF} \
${FIP_DDRCONF} \
${FIP_CERTCONF} \
${FIP_DEPLOYDIR_FIP}/${FIP_BASENAME}-${dt}-${config}${FIP_ENCRYPT_SUFFIX}${FIP_SIGN_SUFFIX}.${FIP_SUFFIX}
# Generate FIP DDR binary
if [ -f "${FIP_DEPLOYDIR_FWDDR}/${FIP_FW_DDR}-${dt}.${FIP_FW_DDR_SUFFIX}" ]; then
bbnote "${FIPTOOL} create \
${FIP_DDRCERTCONF} \
${FIP_DDRCONF} \
${FIP_DEPLOYDIR_FIP}/${FIP_BASENAME}-${dt}-ddr${FIP_ENCRYPT_SUFFIX}${FIP_SIGN_SUFFIX}.${FIP_SUFFIX}"
${FIPTOOL} create \
${FIP_DDRCERTCONF} \
${FIP_DDRCONF} \
${FIP_DEPLOYDIR_FIP}/${FIP_BASENAME}-${dt}-ddr${FIP_ENCRYPT_SUFFIX}${FIP_SIGN_SUFFIX}.${FIP_SUFFIX}
fi
done
done
}
# Stub do_compile for nativesdk use case as we only expect to provide FIPTOOL_WRAPPER
do_compile:class-nativesdk() {
return
}
do_install:class-nativesdk() {
# Create the FIPTOOL_WRAPPER script to use on sdk side
cat << EOF > ${WORKDIR}/${FIPTOOL_WRAPPER}
#!/bin/bash -
function bbfatal() { echo "\$*" ; exit 1 ; }
# Set default TF-A FIP config
FIP_CONFIG="\${FIP_CONFIG:-${FIP_CONFIG}}"
FIP_BL31_ENABLE="\${FIP_BL31_ENABLE:-${FIP_BL31_ENABLE}}"
FIP_BL32_CONF=""
FIP_DEVICETREE="\${FIP_DEVICETREE:-}"
# Set default supported configuration for devicetree and bl32 configuration
declare -A FIP_BL32_CONF_ARRAY
declare -A FIP_DEVICETREE_ARRAY
EOF
for config in ${FIP_CONFIG}; do
i=$(expr $i + 1)
cat << EOF >> ${WORKDIR}/${FIPTOOL_WRAPPER}
FIP_BL32_CONF_ARRAY[${config}]="$(echo ${FIP_BL32_CONF} | cut -d',' -f${i})"
FIP_DEVICETREE_ARRAY[${config}]="$(echo ${FIP_DEVICETREE} | cut -d',' -f${i})"
EOF
done
unset i
cat << EOF >> ${WORKDIR}/${FIPTOOL_WRAPPER}
# Make sure about FIP_CONFIG value
if [ -z "\$FIP_CONFIG" ]; then
bbfatal "Wrong configuration 'FIP_CONFIG' is empty."
else
# Check that configuration match any of the supported ones
for config in \$FIP_CONFIG; do
CONFIG_FOUND=NO
for fip_config in ${FIP_CONFIG}; do
[ "\${config}" = "\${fip_config}" ] && { CONFIG_FOUND="YES" ; break; }
done
[ "\${CONFIG_FOUND}" = "NO" ] && bbfatal "Wrong 'FIP_CONFIG' configuration : \${config} is not one of the supported one (${FIP_CONFIG})"
done
fi
# Manage FIP_BL32_CONF default init
if [ -z "\$FIP_BL32_CONF" ]; then
# Assigned default supported value
for config in \$FIP_CONFIG; do
FIP_BL32_CONF+="\${FIP_BL32_CONF_ARRAY[\${config}]},"
done
fi
# Manage FIP_DEVICETREE default init
if [ -z "\$FIP_DEVICETREE" ]; then
# Assigned default supported value
for config in \$FIP_CONFIG; do
FIP_DEVICETREE+="\${FIP_DEVICETREE_ARRAY[\${config}]},"
done
fi
# Configure default folder path for binaries to package
FIP_DEPLOYDIR_ROOT="\${FIP_DEPLOYDIR_ROOT:-}"
FIP_DEPLOYDIR_FIP="\${FIP_DEPLOYDIR_FIP:-\$FIP_DEPLOYDIR_ROOT/fip}"
FIP_DEPLOYDIR_TFA="\${FIP_DEPLOYDIR_TFA:-\$FIP_DEPLOYDIR_ROOT/arm-trusted-firmware/bl32}"
FIP_DEPLOYDIR_BL31="\${FIP_DEPLOYDIR_BL31:-\$FIP_DEPLOYDIR_ROOT/arm-trusted-firmware/bl31}"
FIP_DEPLOYDIR_FWDDR="\${FIP_DEPLOYDIR_FWDDR:-\$FIP_DEPLOYDIR_ROOT/arm-trusted-firmware/ddr}"
FIP_DEPLOYDIR_FWCONF="\${FIP_DEPLOYDIR_FWCONF:-\$FIP_DEPLOYDIR_ROOT/arm-trusted-firmware/fwconfig}"
FIP_DEPLOYDIR_OPTEE="\${FIP_DEPLOYDIR_OPTEE:-\$FIP_DEPLOYDIR_ROOT/optee}"
FIP_DEPLOYDIR_UBOOT="\${FIP_DEPLOYDIR_UBOOT:-\$FIP_DEPLOYDIR_ROOT/u-boot}"
echo ""
echo "${FIPTOOL_WRAPPER} config:"
for config in \$FIP_CONFIG; do
i=\$(expr \$i + 1)
bl32_conf=\$(echo \$FIP_BL32_CONF | cut -d',' -f\$i)
dt_config=\$(echo \$FIP_DEVICETREE | cut -d',' -f\$i)
echo " \${config}:" ; \\
echo " bl32 config value: \${bl32_conf}"
echo " devicetree config: \${dt_config}"
done
echo ""
echo "Switch configuration:"
echo " FIP_BL31_ENABLE : \$FIP_BL31_ENABLE"
echo ""
echo "Output folders:"
echo " FIP_DEPLOYDIR_ROOT : \$FIP_DEPLOYDIR_ROOT"
echo " FIP_DEPLOYDIR_FIP : \$FIP_DEPLOYDIR_FIP"
echo " FIP_DEPLOYDIR_TFA : \$FIP_DEPLOYDIR_TFA"
echo " FIP_DEPLOYDIR_BL31 : \$FIP_DEPLOYDIR_BL31"
echo " FIP_DEPLOYDIR_FWCONF: \$FIP_DEPLOYDIR_FWCONF"
echo " FIP_DEPLOYDIR_OPTEE : \$FIP_DEPLOYDIR_OPTEE"
echo " FIP_DEPLOYDIR_UBOOT : \$FIP_DEPLOYDIR_UBOOT"
echo ""
unset i
for config in \$FIP_CONFIG; do
i=\$(expr \$i + 1)
bl32_conf=\$(echo \$FIP_BL32_CONF | cut -d',' -f\$i)
dt_config=\$(echo \$FIP_DEVICETREE | cut -d',' -f\$i)
for dt in \${dt_config}; do
# Init soc suffix
soc_suffix=""
if [ -n "${STM32MP_SOC_NAME}" ]; then
for soc in ${STM32MP_SOC_NAME}; do
[ "\$(echo \${dt} | grep -c \${soc})" -eq 1 ] && soc_suffix="-\${soc}"
done
fi
# Init FIP fw-config settings
[ -f "\$FIP_DEPLOYDIR_FWCONF/\${dt}-${FIP_FW_CONFIG}-\${config}.${FIP_FW_CONFIG_SUFFIX}" ] || bbfatal "Missing \${dt}-${FIP_FW_CONFIG}-\${config}.${FIP_FW_CONFIG_SUFFIX} file in folder: \\\$FIP_DEPLOYDIR_FWCONF or '\\\$FIP_DEPLOYDIR_ROOT/arm-trusted-firmware/fwconfig'"
FIP_FWCONFIG="--fw-config \$FIP_DEPLOYDIR_FWCONF/\${dt}-${FIP_FW_CONFIG}-\${config}.${FIP_FW_CONFIG_SUFFIX}"
# Init FIP hw-config settings
[ -f "\$FIP_DEPLOYDIR_UBOOT/${FIP_UBOOT_DTB}-\${dt}.${FIP_UBOOT_DTB_SUFFIX}" ] || bbfatal "Missing ${FIP_UBOOT_DTB}-\${dt}.${FIP_UBOOT_DTB_SUFFIX} file in folder: '\\\$FIP_DEPLOYDIR_UBOOT' or '\\\$FIP_DEPLOYDIR_ROOT/u-boot'"
FIP_HWCONFIG="--hw-config \$FIP_DEPLOYDIR_UBOOT/${FIP_UBOOT_DTB}-\${dt}.${FIP_UBOOT_DTB_SUFFIX}"
# Init FIP nt-fw config
[ -f "\$FIP_DEPLOYDIR_UBOOT/${FIP_UBOOT}\${soc_suffix}.${FIP_UBOOT_SUFFIX}" ] || bbfatal "Missing ${FIP_UBOOT}\${soc_suffix}.${FIP_UBOOT_SUFFIX} file in folder: '\\\$FIP_DEPLOYDIR_UBOOT' or '\\\$FIP_DEPLOYDIR_ROOT/u-boot'"
FIP_NTFW="--nt-fw \$FIP_DEPLOYDIR_UBOOT/${FIP_UBOOT}\${soc_suffix}.${FIP_UBOOT_SUFFIX}"
# Init FIP bl31 settings
if [ "\$FIP_BL31_ENABLE" = "1" ]; then
# Check for files
[ -f "\$FIP_DEPLOYDIR_BL31/${FIP_BL31}\${soc_suffix}.${FIP_BL31_SUFFIX}" ] || bbfatal "Missing \$FIP_DEPLOYDIR_BL31/${FIP_BL31}\${soc_suffix}.${FIP_BL31_SUFFIX} file in folder: '\\\$FIP_DEPLOYDIR_BL31' or '\\\$FIP_DEPLOYDIR_ROOT/arm-trusted-firmware/bl31'"
[ -f "\$FIP_DEPLOYDIR_BL31/\${dt}-${FIP_BL31_DTB}.${FIP_BL31_DTB_SUFFIX}" ] || bbfatal "Missing \${dt}-${FIP_BL31_DTB}.${FIP_BL31_DTB_SUFFIX} file in folder: '\\\$FIP_DEPLOYDIR_BL31' or '\\\$FIP_DEPLOYDIR_ROOT/arm-trusted-firmware/bl31'"
# Set FIP_BL31CONF
FIP_BL31CONF="\\
--soc-fw \$FIP_DEPLOYDIR_BL31/${FIP_BL31}\${soc_suffix}.${FIP_BL31_SUFFIX} \\
--soc-fw-config \$FIP_DEPLOYDIR_BL31/\${dt}-${FIP_BL31_DTB}.${FIP_BL31_DTB_SUFFIX} \\
"
else
FIP_BL31CONF=""
fi
# Init FIP extra conf settings
if [ "\${bl32_conf}" = "${FIP_CONFIG_FW_TFA}" ]; then
# Check for files
[ -f "\$FIP_DEPLOYDIR_TFA/${FIP_TFA}\${soc_suffix}.${FIP_TFA_SUFFIX}" ] || bbfatal "Missing ${FIP_TFA}\${soc_suffix}.${FIP_TFA_SUFFIX} file in folder: '\\\$FIP_DEPLOYDIR_TFA' or '\\\$FIP_DEPLOYDIR_ROOT/arm-trusted-firmware/bl32'"
[ -f "\$FIP_DEPLOYDIR_TFA/\${dt}-${FIP_TFA_DTB}.${FIP_TFA_DTB_SUFFIX}" ] || bbfatal "Missing \${dt}-${FIP_TFA_DTB}.${FIP_TFA_DTB_SUFFIX} file in folder: '\\\$FIP_DEPLOYDIR_TFA' or '\\\$FIP_DEPLOYDIR_ROOT/arm-trusted-firmware/bl32'"
# Set FIP_EXTRACONF
FIP_EXTRACONF="\\
--tos-fw \$FIP_DEPLOYDIR_TFA/${FIP_TFA}\${soc_suffix}.${FIP_TFA_SUFFIX} \\
--tos-fw-config \$FIP_DEPLOYDIR_TFA/\${dt}-${FIP_TFA_DTB}.${FIP_TFA_DTB_SUFFIX} \\
"
elif [ "\${bl32_conf}" = "${FIP_CONFIG_FW_TEE}" ]; then
# Check for files
[ -f "\$FIP_DEPLOYDIR_OPTEE/${FIP_OPTEE_HEADER}-\${dt}.${FIP_OPTEE_SUFFIX}" ] || bbfatal "Missing ${FIP_OPTEE_HEADER}-\${dt}.${FIP_OPTEE_SUFFIX} file in folder: '\\\$FIP_DEPLOYDIR_OPTEE' or '\\\$FIP_DEPLOYDIR_ROOT/optee'"
[ -f "\$FIP_DEPLOYDIR_OPTEE/${FIP_OPTEE_PAGER}-\${dt}.${FIP_OPTEE_SUFFIX}" ] || bbfatal "Missing ${FIP_OPTEE_PAGER}-\${dt}.${FIP_OPTEE_SUFFIX} file in folder: '\\\$FIP_DEPLOYDIR_OPTEE' or '\\\$FIP_DEPLOYDIR_ROOT/optee'"
[ -f "\$FIP_DEPLOYDIR_OPTEE/${FIP_OPTEE_PAGEABLE}-\${dt}.${FIP_OPTEE_SUFFIX}" ] || bbfatal "Missing ${FIP_OPTEE_PAGEABLE}-\${dt}.${FIP_OPTEE_SUFFIX} file in folder: '\\\$FIP_DEPLOYDIR_OPTEE' or '\\\$FIP_DEPLOYDIR_ROOT/optee'"
# Set FIP_EXTRACONF
FIP_EXTRACONF="\\
--tos-fw \$FIP_DEPLOYDIR_OPTEE/${FIP_OPTEE_HEADER}-\${dt}.${FIP_OPTEE_SUFFIX} \\
--tos-fw-extra1 \$FIP_DEPLOYDIR_OPTEE/${FIP_OPTEE_PAGER}-\${dt}.${FIP_OPTEE_SUFFIX} \\
--tos-fw-extra2 \$FIP_DEPLOYDIR_OPTEE/${FIP_OPTEE_PAGEABLE}-\${dt}.${FIP_OPTEE_SUFFIX} \\
"
else
bbfatal "Wrong configuration '\${bl32_conf}' found in FIP_CONFIG for \${config} config."
fi
# DRR FW
if [ -f "\$FIP_DEPLOYDIR_FWDDR/${FIP_FW_DDR}-\${dt}.${FIP_FW_DDR_SUFFIX}" ]; then
FIP_EXTRACONF="\$FIP_EXTRACONF --ddr-fw \$FIP_DEPLOYDIR_FWDDR/${FIP_FW_DDR}-\${dt}.${FIP_FW_DDR_SUFFIX} "
${FIPTOOL} create \\
--ddr-fw \$FIP_DEPLOYDIR_FWDDR/${FIP_FW_DDR}-\${dt}.${FIP_FW_DDR_SUFFIX} \\
\$FIP_DEPLOYDIR_FIP/${FIP_BASENAME}-\${dt}-ddr.${FIP_SUFFIX}
echo "[${FIPTOOL}] DDR FW created"
fi
# Generate FIP binary
echo "[${FIPTOOL}] Create ${FIP_BASENAME}-\${dt}-\${config}.${FIP_SUFFIX} fip binary into 'FIP_DEPLOYDIR_FIP' folder..."
[ -d "\$FIP_DEPLOYDIR_FIP" ] || mkdir -p "\$FIP_DEPLOYDIR_FIP"
${FIPTOOL} create \\
\$FIP_FWCONFIG \\
\$FIP_HWCONFIG \\
\$FIP_NTFW \\
\$FIP_BL31CONF \\
\$FIP_EXTRACONF \\
\$FIP_DEPLOYDIR_FIP/${FIP_BASENAME}-\${dt}-\${config}.${FIP_SUFFIX}
echo "[${FIPTOOL}] Done"
done
done
EOF
# Install the FIPTOOL_WRAPPER
install -d ${D}${bindir}
install -m 0755 ${WORKDIR}/${FIPTOOL_WRAPPER} ${D}${bindir}/
}
# Feed package for sdk with our fiptool wrapper
FILES:${FIPTOOL_WRAPPER}:class-nativesdk = "${bindir}/${FIPTOOL_WRAPPER}"
Reference in New Issue View Git Blame Copy Permalink