This entry type is used to create a secured binary for use with K3 High Security (HS) devices.
This allows us to no longer depend on k3_fit_atf.sh for A53 SPL and u-boot image generation for HS devices. We still depend on the availability of an external tool provided by the TI_SECURE_DEV_PKG environment variable to secure the binaries. Signed-off-by: Roger Quadros <rog...@kernel.org> --- Makefile | 1 + tools/binman/entries.rst | 15 ++++++++ tools/binman/etype/ti_secure.py | 59 +++++++++++++++++++++++++++++ tools/binman/ftest.py | 7 ++++ tools/binman/test/225_ti_secure.dts | 14 +++++++ 5 files changed, 96 insertions(+) create mode 100644 tools/binman/etype/ti_secure.py create mode 100644 tools/binman/test/225_ti_secure.dts diff --git a/Makefile b/Makefile index ad83d60dc3..d9aac41d60 100644 --- a/Makefile +++ b/Makefile @@ -1328,6 +1328,7 @@ cmd_binman = $(srctree)/tools/binman/binman $(if $(BINMAN_DEBUG),-D) \ $(foreach f,$(BINMAN_INDIRS),-I $(f)) \ -a atf-bl31-path=${BL31} \ -a tee-os-path=${TEE} \ + -a ti-secure-dev-pkg-path=${TI_SECURE_DEV_PKG} \ -a opensbi-path=${OPENSBI} \ -a default-dt=$(default_dt) \ -a scp-path=$(SCP) \ diff --git a/tools/binman/entries.rst b/tools/binman/entries.rst index 484cde5c80..c9faad51b6 100644 --- a/tools/binman/entries.rst +++ b/tools/binman/entries.rst @@ -1788,3 +1788,18 @@ may be used instead. +Entry: ti-secure: Entry containing a Secured binary blob +-------------------------------------------------------- + +Properties / Entry arguments: + - filename: Filename of file to sign and read into entry + +Texas Instruments High-Security (HS) devices need secure binaries to be +provided. This entry uses an external tool to append a x509 certificate +to the file provided in the filename property and places it in the entry. + +The path for the external tool is fetched from TI_SECURE_DEV_PKG +environment variable. + + + diff --git a/tools/binman/etype/ti_secure.py b/tools/binman/etype/ti_secure.py new file mode 100644 index 0000000000..86772994bc --- /dev/null +++ b/tools/binman/etype/ti_secure.py @@ -0,0 +1,59 @@ +# SPDX-License-Identifier: GPL-2.0+ +# Copyright (c) 2022 Texas Instruments Incorporated - https://www.ti.com/ +# + +# Support for secure binaries for TI K3 platform + +from collections import OrderedDict +import os + +from binman.entry import Entry, EntryArg + +from dtoc import fdt_util +from patman import tools + +class Entry_ti_secure(Entry): + """An entry which contains a secure binary for High-Security (HS) device use. + + Properties / Entry arguments: + - filename: filename of binary file to be secured + + Output files: + - filename_HS - output file generated by secure uility (which is + used as the entry contents) + + """ + def __init__(self, section, etype, node): + super().__init__(section, etype, node) + self.filename = fdt_util.GetString(self._node, 'filename') + self.toolpresent = False + if not self.filename: + self.Raise("ti_secure must have a 'filename' property") + self.toolspath, = self.GetEntryArgsOrProps( + [EntryArg('ti-secure-dev-pkg-path', str)]) + if not self.toolspath: + print("WARNING: TI_SECURE_DEV_PKG environment " \ + "variable must be defined for TI secure devices. " + + self.filename + " was NOT secured!") + return + + self.tool = self.toolspath + "/scripts/secure-binary-image.sh" + self.toolpresent = os.path.exists(self.tool) + if not self.toolpresent: + print(self.tool + " not found. " + + self.filename + " was NOT secured!") + + def ObtainContents(self): + input_fname = self.filename + output_fname = input_fname + "_HS" + args = [ + input_fname, output_fname, + ] + if self.toolpresent: + stdout = tools.Run(self.tool, *args) + else: + stdout = tools.Run('cp', *args) + print(output_fname + ' not secured!') + + self.SetContents(tools.ReadFile(output_fname)) + return True diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py index 8f00db6945..996e4d9aa6 100644 --- a/tools/binman/ftest.py +++ b/tools/binman/ftest.py @@ -91,6 +91,7 @@ SCP_DATA = b'scp' TEST_FDT1_DATA = b'fdt1' TEST_FDT2_DATA = b'test-fdt2' ENV_DATA = b'var1=1\nvar2="2"' +TI_UNSECURE_DATA = b'this is some unsecure data' # Subdirectory of the input dir to use to put test FDTs TEST_FDT_SUBDIR = 'fdts' @@ -201,6 +202,7 @@ class TestFunctional(unittest.TestCase): TEST_FDT2_DATA) TestFunctional._MakeInputFile('env.txt', ENV_DATA) + TestFunctional._MakeInputFile('ti_unsecure.bin', TI_UNSECURE_DATA) cls.have_lz4 = comp_util.HAVE_LZ4 @@ -5321,6 +5323,11 @@ fdt fdtmap Extract the devicetree blob from the fdtmap self.assertIn("Node '/binman/fit': Unknown operation 'unknown'", str(exc.exception)) + def testPackTisecure(self): + """Test that an image with a TI secured binary can be created""" + data = self._DoReadFile('225_ti_secure.dts') + securedata = tools.ReadFile('ti_unsecure.bin_HS') + self.assertGreater(len(securedata), len(data)) if __name__ == "__main__": unittest.main() diff --git a/tools/binman/test/225_ti_secure.dts b/tools/binman/test/225_ti_secure.dts new file mode 100644 index 0000000000..1a9f4374f9 --- /dev/null +++ b/tools/binman/test/225_ti_secure.dts @@ -0,0 +1,14 @@ +// SPDX-License-Identifier: GPL-2.0+ + +/dts-v1/; + +/ { + #address-cells = <1>; + #size-cells = <1>; + + binman { + ti-secure { + filename = "ti_unsecure.bin"; + }; + }; +}; -- 2.17.1