On Fri, Feb 15, 2019 at 05:43:32PM +0530, Lokesh Vutla wrote: > > > On 2/15/2019 4:25 AM, Andrew F. Davis wrote: > > On 2/13/19 9:46 PM, Lokesh Vutla wrote: > >> > >> > >> On 14/02/19 12:07 AM, Andrew F. Davis wrote:
> >>> K3 HS devices require signed binaries for boot, use the SECDEV tools
> >>> to sign the boot artifacts during build.
> >>>
> >>> Signed-off-by: Andrew F. Davis <a...@ti.com>
> >>> ---
> >>> MAINTAINERS | 1 +
> >>> arch/arm/mach-k3/config.mk | 25 ++++++++++++++++++
> >>> arch/arm/mach-k3/config_secure.mk | 44 +++++++++++++++++++++++++++++++
> >>> tools/k3_fit_atf.sh | 8 ++++--
> >>> 4 files changed, 76 insertions(+), 2 deletions(-)
> >>> create mode 100644 arch/arm/mach-k3/config_secure.mk
> >>>
> >>> diff --git a/MAINTAINERS b/MAINTAINERS
> >>> index 18cdca9447..ac6bd8cfca 100644
> >>> --- a/MAINTAINERS
> >>> +++ b/MAINTAINERS
> >>> @@ -717,6 +717,7 @@ F: arch/arm/mach-omap2/omap5/sec_entry_cpu1.S
> >>> F: arch/arm/mach-omap2/sec-common.c
> >>> F: arch/arm/mach-omap2/config_secure.mk
> >>> F: arch/arm/mach-k3/security.c
> >>> +F: arch/arm/mach-k3/config_secure.mk
> >>> F: configs/am335x_hs_evm_defconfig
> >>> F: configs/am335x_hs_evm_uart_defconfig
> >>> F: configs/am43xx_hs_evm_defconfig
> >>> diff --git a/arch/arm/mach-k3/config.mk b/arch/arm/mach-k3/config.mk
> >>> index be00d79fb0..2d8f61f9db 100644
> >>> --- a/arch/arm/mach-k3/config.mk
> >>> +++ b/arch/arm/mach-k3/config.mk
> >>> @@ -36,6 +36,14 @@ cmd_gencert = cat $(srctree)/tools/k3_x509template.txt
> >>> | sed $(SED_OPTS) > u-boo
> >>> # If external key is not provided, generate key using openssl.
> >>> ifeq ($(CONFIG_SYS_K3_KEY), "")
> >>> KEY=u-boot-spl-eckey.pem
> >>> +# On HS use real key or warn if not available
> >>> +ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
> >>> +ifneq ($(wildcard $(TI_SECURE_DEV_PKG)/keys/custMpk.pem),)
> >>> +KEY=$(TI_SECURE_DEV_PKG)/keys/custMpk.pem
> >>> +else
> >>> +$(warning "WARNING: signing key not found. Random key will NOT work on
> >>> HS hardware!")
> >>> +endif
> >>> +endif
> >>> else
> >>> KEY=$(patsubst "%",$(srctree)/%,$(CONFIG_SYS_K3_KEY))
> >>> endif
> >>> @@ -65,6 +73,15 @@ ALL-y += tiboot3.bin
> >>> endif
> >>>
> >>> ifdef CONFIG_ARM64
> >>> +ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
> >>> +SPL_ITS := u-boot-spl-k3_HS.its
> >>> +$(SPL_ITS): FORCE
> >>> + IS_HS=1 \
> >>> + $(srctree)/tools/k3_fit_atf.sh \
> >>> + $(patsubst %,$(obj)/dts/%.dtb,$(subst ",,$(CONFIG_SPL_OF_LIST))) > $@
> >>> +
> >>> +ALL-y += tispl.bin_HS
> >>> +else
> >>> SPL_ITS := u-boot-spl-k3.its
> >>> $(SPL_ITS): FORCE
> >>> $(srctree)/tools/k3_fit_atf.sh \
> >>> @@ -72,7 +89,15 @@ $(SPL_ITS): FORCE
> >>>
> >>> ALL-y += tispl.bin
> >>> endif
> >>> +endif
> >>> +
> >>> +else
> >>>
> >>> +ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
> >>> +ALL-y += u-boot.img_HS
> >>> else
> >>> ALL-y += u-boot.img
> >>> endif
> >>> +endif
> >>> +
> >>> +include $(srctree)/arch/arm/mach-k3/config_secure.mk
> >>> diff --git a/arch/arm/mach-k3/config_secure.mk
> >>> b/arch/arm/mach-k3/config_secure.mk
> >>> new file mode 100644
> >>> index 0000000000..6d63c57665
> >>> --- /dev/null
> >>> +++ b/arch/arm/mach-k3/config_secure.mk
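Review bot: In the first config.mk hunk, an HS build with no `$(TI_SECURE_DEV_PKG)/keys/custMpk.pem` only emits `$(warning …)` and carries on with `KEY=u-boot-spl-eckey.pem`, so the build succeeds while producing an image signed with a key the warning itself says will not work on HS hardware. A parse-time warning is easy to lose in automated build logs; consider `$(error signing key not found in $(TI_SECURE_DEV_PKG)/keys)` here, or allow the fallback only behind an explicit opt-in. The new config_secure.mk has the same fail-open shape: both fallback definitions of `cmd_k3secureimg` end in `cp $< $@`, so `_HS`-named outputs can be unsigned copies and the recipe still returns success. `TI_SECURE_DEV_PKG` is also not tested for emptiness in this hunk as it is in config_secure.mk, so when it is unset the `$(wildcard …)` looks at `/keys/custMpk.pem`. Smaller point: the double quotes inside `$(warning "…")` are printed literally by make.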
> >>> @@ -0,0 +1,44 @@
> >>> +# SPDX-License-Identifier: GPL-2.0
> >>> +#
> >>> +# Copyright (C) 2018 Texas Instruments, Incorporated - http://www.ti.com/
> >>> +# Andrew F. Davis <a...@ti.com>
> >>> +
> >>> +quiet_cmd_k3secureimg = SECURE $@
> >>> +ifneq ($(TI_SECURE_DEV_PKG),)
> >>> +ifneq ($(wildcard $(TI_SECURE_DEV_PKG)/scripts/secure-binary-image.sh),)
> >>> +cmd_k3secureimg = $(TI_SECURE_DEV_PKG)/scripts/secure-binary-image.sh \
> >>> + $< $@ \
> >>> + $(if $(KBUILD_VERBOSE:1=), >/dev/null)
> >>> +else
> >>> +cmd_k3secureimg = echo "WARNING:" \
> >>> + "$(TI_SECURE_DEV_PKG)/scripts/secure-binary-image.sh not found." \
> >>> + "$@ was NOT secured!"; cp $< $@
> >>> +endif
> >>> +else
> >>> +cmd_k3secureimg = echo "WARNING: TI_SECURE_DEV_PKG environment" \
> >>> + "variable must be defined for TI secure devices." \
> >>> + "$@ was NOT secured!"; cp $< $@
> >>> +endif
> >>> +
> >>> +%.dtb_HS: %.dtb FORCE
> >>> + $(call if_changed,k3secureimg)
> >>> +
> >>> +$(obj)/u-boot-spl-nodtb.bin_HS: $(obj)/u-boot-spl-nodtb.bin FORCE
> >>> + $(call if_changed,k3secureimg)
> >>> +
> >>> +tispl.bin_HS: $(obj)/u-boot-spl-nodtb.bin_HS $(patsubst
> >>> %,$(obj)/dts/%.dtb_HS,$(subst ",,$(CONFIG_SPL_OF_LIST))) $(SPL_ITS) FORCE
> >>> + $(call if_changed,mkfitimage)
> >>> +
> >>> +MKIMAGEFLAGS_u-boot.img_HS = -f auto -A $(ARCH) -T firmware -C none -O
> >>> u-boot \
> >>> + -a $(CONFIG_SYS_TEXT_BASE) -e $(CONFIG_SYS_UBOOT_START) \
> >>> + -n "U-Boot $(UBOOTRELEASE) for $(BOARD) board" -E \
> >>> + $(patsubst %,-b arch/$(ARCH)/dts/%.dtb_HS,$(subst ",,$(CONFIG_OF_LIST)))
> >> > >> I guess these HS postfixed dtbs will never get cleaned. I see the same > >> issue > >> with other TI secure devices as well. Can you update the clean rules as > >> well? > >> > > > > tiboot3.bin and tispl.bin also don't seem to be getting cleaned. I tried > > Yeah, these should be cleaned as well. > > > adding them to clean-files and CLEAN_FILES, neither worked.
Outside of > > looks like clean-files is relative to the current directory. You can > update arch/arm/dts/Makefile but it might be very generic. > > Tom, any suggestions to clean files in this case?
I guess we need to update clean-files in arch/arm/dts/Makefile then, yes. -- Tom