On Tue, 18 Jul 2023 at 05:53, <lukas.funke-...@weidmueller.com> wrote:
>
> From: Lukas Funke <lukas.fu...@weidmueller.com>
>
> This adds a new etype 'xilinx-fsbl-auth'. By using this etype it is
> possible to create an authenticated SPL (FSBL in Xilinx terms) for
> ZynqMP boards.
>
> The etype uses Xilinx Bootgen tools in order to transform the SPL into
> a bootable image and sign the image with a given primary and secondary
> public key. For more information on signing the FSBL please refer to the
> Xilinx Bootgen documentation.
>
> Here is an example of the etype in use:
>
>   spl {
>     filename = "boot.signed.bin";
>
>     xilinx-fsbl-auth {
>       psk-key-name-hint = "psk0";
>       ssk-key-name-hint = "ssk0";
>       auth-params = "ppk_select=0", "spk_id=0x00000000";
>
>       u-boot-spl-nodtb {
>       };
>       u-boot-spl-dtb {
>       };
>     };
>   };
>
> For this to work the hash of the primary public key has to be fused
> into the ZynqMP device and authentication (RSA_EN) has to be set.
>
> For testing purposes: if ppk hash check should be skipped one can add
> the property 'fsbl_config = "bh_auth_enable";' to the etype. However,
> this should only be used for testing(!).
>
> Signed-off-by: Lukas Funke <lukas.fu...@weidmueller.com>
>
> ---
>
> Changes in v3:
> - Changed etype from entry to section
> - Changed property name "psk-filename" to "psk-key-name-hint"
> - Changed property name "ssk-filename" to "ssk-key-name-hint"
> - Decode spl elf file instead of reading start symbol
> - Improved test coverage
> - Improved documentation
>
> Changes in v2:
> - Add 'keysrc-enc' property to pass down to Bootgen
> - Improved documentation
> - Use predictable output names for intermediate results
>
>  tools/binman/entries.rst               |  71 ++++++++
>  tools/binman/etype/xilinx_fsbl_auth.py | 221 +++++++++++++++++++++++++
>  2 files changed, 292 insertions(+)
>  create mode 100644 tools/binman/etype/xilinx_fsbl_auth.py

Reviewed-by: Simon Glass <s...@chromium.org>