Hi Andreas, On 15 June 2016 at 13:26, Andreas Dannenberg <dannenb...@ti.com> wrote: > From: Daniel Allred <d-all...@ti.com> > > Adds commands so that when a secure device is in use and the SPL is > built to load a FIT image (with combined u-boot binary and various > DTBs), these components that get fed into the FIT are all processed to > be signed/encrypted/etc. as per the operations performed by the > secure-binary-image script of the TI SECDEV package. > > Signed-off-by: Daniel Allred <d-all...@ti.com> > Signed-off-by: Andreas Dannenberg <dannenb...@ti.com> > --- > arch/arm/cpu/armv7/omap-common/config_secure.mk | 57 > ++++++++++++++++++++++++- > arch/arm/cpu/armv7/omap5/config.mk | 3 ++ > 2 files changed, 58 insertions(+), 2 deletions(-)
Reviewed-by: Simon Glass <s...@chromium.org> But please can you add a README for this somewhere? Also, can this tool be added to U-Boot instead of being external? > > diff --git a/arch/arm/cpu/armv7/omap-common/config_secure.mk > b/arch/arm/cpu/armv7/omap-common/config_secure.mk > index c7bb101..c4514ad 100644 > --- a/arch/arm/cpu/armv7/omap-common/config_secure.mk > +++ b/arch/arm/cpu/armv7/omap-common/config_secure.mk > @@ -12,8 +12,8 @@ cmd_mkomapsecimg = > $(TI_SECURE_DEV_PKG)/scripts/create-boot-image.sh \ > $(if $(KBUILD_VERBOSE:1=), >/dev/null) > else > cmd_mkomapsecimg = $(TI_SECURE_DEV_PKG)/scripts/create-boot-image.sh \ > - $(patsubst u-boot_HS_%,%,$(@F)) $< $@ $(CONFIG_ISW_ENTRY_ADDR) \ > - $(if $(KBUILD_VERBOSE:1=), >/dev/null) > + $(patsubst u-boot_HS_%,%,$(@F)) $< $@ $(CONFIG_ISW_ENTRY_ADDR) \ > + $(if $(KBUILD_VERBOSE:1=), >/dev/null) > endif > else > cmd_mkomapsecimg = echo "WARNING:" \ > @@ -25,6 +25,26 @@ cmd_mkomapsecimg = echo "WARNING: TI_SECURE_DEV_PKG > environment" \ > "variable must be defined for TI secure devices. $@ was NOT created!" > endif > > +ifdef CONFIG_SPL_LOAD_FIT > +quiet_cmd_omapsecureimg = SECURE $@ > +ifneq ($(TI_SECURE_DEV_PKG),) > +ifneq ($(wildcard $(TI_SECURE_DEV_PKG)/scripts/secure-binary-image.sh),) > +cmd_omapsecureimg = $(TI_SECURE_DEV_PKG)/scripts/secure-binary-image.sh \ > + $< $@ \ > + $(if $(KBUILD_VERBOSE:1=), >/dev/null) > +else > +cmd_omapsecureimg = echo "WARNING:" \ > + "$(TI_SECURE_DEV_PKG)/scripts/secure-binary-image.sh not found." \ > + "$@ was NOT created!"; cp $< $@ > +endif > +else > +cmd_omapsecureimg = echo "WARNING: TI_SECURE_DEV_PKG environment" \ > + "variable must be defined for TI secure devices." \ > + "$@ was NOT created!"; cp $< $@ > +endif > +endif > + > + > # Standard X-LOADER target (QPSI, NOR flash) > u-boot-spl_HS_X-LOADER: $(obj)/u-boot-spl.bin > $(call if_changed,mkomapsecimg) > @@ -64,3 +84,36 @@ u-boot-spl_HS_SPI_X-LOADER: $(obj)/u-boot-spl.bin > # the mkomapsecimg command looks for a u-boot-HS_* prefix > u-boot_HS_XIP_X-LOADER: $(obj)/u-boot.bin > $(call if_changed,mkomapsecimg) > + > +# For supporting the SPL loading and interpreting > +# of FIT images whose components are pre-processed > +# before being integrated into the FIT image in order > +# to secure them in some way > +ifdef CONFIG_SPL_LOAD_FIT > + > +MKIMAGEFLAGS_u-boot_HS.img = -f auto -A $(ARCH) -T firmware -C none -O > u-boot \ > + -a $(CONFIG_SYS_TEXT_BASE) -e $(CONFIG_SYS_UBOOT_START) \ > + -n "U-Boot $(UBOOTRELEASE) for $(BOARD) board" -E \ > + $(patsubst %,-b arch/$(ARCH)/dts/%.dtb,$(subst ",,$(CONFIG_OF_LIST))) > + > +OF_LIST_TARGETS = $(patsubst %,arch/$(ARCH)/dts/%.dtb,$(subst > ",,$(CONFIG_OF_LIST))) > +$(OF_LIST_TARGETS): dtbs > + > +%_HS.dtb: %.dtb > + $(call if_changed,omapsecureimg) > + $(Q)if [ -f $@ ]; then \ > + cp -f $@ $<; \ > + fi > + > +u-boot-nodtb_HS.bin: u-boot-nodtb.bin > + $(call if_changed,omapsecureimg) > + > +u-boot_HS.img: u-boot-nodtb_HS.bin u-boot.img $(patsubst > %.dtb,%_HS.dtb,$(OF_LIST_TARGETS)) > + $(call if_changed,mkimage) > + $(Q)if [ -f $@ ]; then \ > + cp -f $@ u-boot.img; \ > + fi > + > +.NOTPARALLEL: dtbs Why is that needed? > + > +endif > diff --git a/arch/arm/cpu/armv7/omap5/config.mk > b/arch/arm/cpu/armv7/omap5/config.mk > index a7e55a5..503f31c 100644 > --- a/arch/arm/cpu/armv7/omap5/config.mk > +++ b/arch/arm/cpu/armv7/omap5/config.mk > @@ -15,5 +15,8 @@ else > ALL-y += MLO > endif > else > +ifeq ($(CONFIG_TI_SECURE_DEVICE)$(CONFIG_SECURE_BOOT),yy) > +ALL-y += u-boot_HS.img > +endif > ALL-y += u-boot.img > endif > -- > 2.6.4 > Regards, Simon _______________________________________________ U-Boot mailing list U-Boot@lists.denx.de http://lists.denx.de/mailman/listinfo/u-boot