Hi, On Fri, 21 Jul 2023 at 08:20, Michal Simek <michal.si...@amd.com> wrote: > > > > On 7/18/23 13:53, lukas.funke-...@weidmueller.com wrote: > > From: Lukas Funke <lukas.fu...@weidmueller.com> > > > > Add the Xilinx Bootgen as bintool. Xilinx Bootgen is used to create > > bootable SPL (FSBL in Xilinx terms) images for Zynq/ZynqMP devices. The > > btool creates a signed version of the SPL. Additionally to signing the > > key source for the decryption engine can be passend to the boot image. > > > > Signed-off-by: Lukas Funke <lukas.fu...@weidmueller.com> > > > > --- > > > > Changes in v3: > > - Fixed an issue where the build result was not found > > - Fixed an issue where the version string was not reported correctly > > > > Changes in v2: > > - Pass additional 'keysrc_enc' parameter to Bootgen > > - Added more information and terms to documentation > > > > tools/binman/bintools.rst | 2 +- > > tools/binman/btool/bootgen.py | 136 ++++++++++++++++++++++++++++++++++ > > 2 files changed, 137 insertions(+), 1 deletion(-) > > create mode 100644 tools/binman/btool/bootgen.py > > > > diff --git a/tools/binman/bintools.rst b/tools/binman/bintools.rst > > index c6c9a88c21..8f58aaebf7 100644 > > --- a/tools/binman/bintools.rst > > +++ b/tools/binman/bintools.rst > > @@ -197,7 +197,7 @@ Using `fdt_add_pubkey` the key can be injected to the > > SPL independent of > > > > > > Bintool: bootgen: Sign ZynqMP FSBL image > > ---------------------------------------------- > > +---------------------------------------- > > > > This bintool supports running `bootgen` in order to sign a SPL for ZynqMP > > devices. > > diff --git a/tools/binman/btool/bootgen.py b/tools/binman/btool/bootgen.py > > new file mode 100644 > > index 0000000000..83bbe124dc > > --- /dev/null > > +++ b/tools/binman/btool/bootgen.py 
> > @@ -0,0 +1,136 @@ > > +# SPDX-License-Identifier: GPL-2.0+ > > +# Copyright (C) 2023 Weidmüller Interface GmbH & Co. KG > > +# Lukas Funke <lukas.fu...@weidmueller.com> > > +# > > +"""Bintool implementation for bootgen > > + > > +bootgen allows creating bootable SPL for Zynq(MP) > > + > > +Documentation is available via:: > > +https://www.xilinx.com/support/documents/sw_manuals/xilinx2022_1/ug1283-bootgen-user-guide.pdf > > + > > +Source code is available at: > > + > > +https://github.com/Xilinx/bootgen > > + > > +""" > > +import tempfile > > + > > +from binman import bintool > > +from u_boot_pylib import tools > > + > > +# pylint: disable=C0103 > > +class Bintoolbootgen(bintool.Bintool): > > + """Generate bootable fsbl image for zynq/zynqmp > > + > > + This bintools supports running Xilinx "bootgen" in order > > + to generate a bootable, authenticated image form an SPL. > > + > > + """ > > + def __init__(self, name): > > + super().__init__(name, 'Xilinx Bootgen', > > + version_regex=r'^\*\*\*\*\*\* *Xilinx Bootgen > > *(.*)', > > + version_args='-help') > > + > > + # pylint: disable=R0913 > > + def sign(self, arch, spl_elf_fname, pmufw_elf_fname, > > + psk_fname, ssk_fname, fsbl_config, auth_params, keysrc_enc, > > + output_fname): > > + """ Sign SPL elf file and bundle it PMU firmware into an image > > + > > + The method bundels the SPL together with a 'Platform Management > > Unit' > > + (PMU)[1] firmware into a single bootable image. The image in turn > > is > > + signed with the provided 'secondary secret key' (ssk), which in > > turn is > > + signed with the 'primary secret key' (ppk). In order to verify the > > + authenticity of the ppk, it's hash has to be fused into the device > > + itself. > > + > > + In Xilinx terms the SPL is usually called 'FSBL' > > + (First Stage Boot Loder). The jobs of the SPL and the FSBL are > > mostly > > + the same: load bitstream, bootstrap u-boot. > > + > > + Args: > > + arch (str): Xilinx SoC architecture. 
Currently only 'zynqmp' is > > + supported. > > + spl_elf_fname (str): Filename of SPL ELF file. The filename > > must end > > + with '.elf' in order for bootgen to recognized it as an ELF > > + file. Otherwise the start address field is missinterpreted. > > + pmufw_elf_fname (str): Filename PMU ELF firmware. > > + psk_fname (str): Filename of the primary secret key (psk). The > > psk > > + is a .pem file which holds the RSA private key used for > > signing > > + the secondardy secret key. > > typo > > > + ssk_fname (str): Filename of the secondary secret key. The ssk > > + is a .pem file which holds the RSA private key used for > > signing > > + the aktual boot firmware. > > actual > > > + fsbl_config (str): FSBL config options. A string list of fsbl > > config > > + options. Valid values according to [2] are: > > + "bh_auth_enable": Boot Header Authentication Enable: RSA > > + authentication of the bootimage is done > > + excluding the verification of PPK hash and SPK ID. > > This is > > + useful for debugging before bricking a device. > > + "auth_only": Boot image is only RSA signed. FSBL should > > not be > > + decrypted. See the > > + Zynq UltraScale+ Device Technical Reference Manual > > (UG1085) > > + for more information. > > + There are more options which relate to PUF (physical > > unclonable > > + functions). Please refer to Xilinx manuals for fruther > > info. > > + auth_params (str): Authentication parameter. A semicolon > > separated > > + list of authentication parameters. Valid values according > > to [3] > > + are: > > + "ppk_select=<0|1>" - Select which ppk to use > > + "spk_id=<32-bit spk id>" - Specifies which SPK can be > > + used or revoked, default is 0x0 > > + "spk_select=<spk-efuse/user-efuse>" - To differentiate spk > > and > > + user efuses. > > + "auth_header" - To authenticate headers when no partition > > + is authenticated. > > + keysrc_enc (str): This specifies the Key source for encryption. 
> > + Valid values according to [3] are: > > + "bbram_red_key" - RED key stored in BBRAM > > + "efuse_red_key" - RED key stored in efuse > > eFUSE to be aligned with description below. > > > + "efuse_gry_key" - Grey (Obfuscated) Key stored in eFUSE. > > + "bh_gry_key" - Grey (Obfuscated) Key stored in boot header. > > + "bh_blk_key" - Black Key stored in boot header. > > + "efuse_blk_key" - Black Key stored in eFUSE. > > + "kup_key" - User Key. > > + > > + output_fname (str): Filename where bootgen should write the > > result > > + > > + [1] > > https://xilinx-wiki.atlassian.net/wiki/spaces/A/pages/18841724/PMU+Firmware > > + [2] > > https://docs.xilinx.com/r/en-US/ug1283-bootgen-user-guide/fsbl_config > > + [3] > > https://docs.xilinx.com/r/en-US/ug1283-bootgen-user-guide/auth_params > > + [4] > > https://docs.xilinx.com/r/en-US/ug1283-bootgen-user-guide/keysrc_encryption > > + """ > > + > > + _fsbl_config = f"[fsbl_config] {fsbl_config}" if fsbl_config else > > "" > > + _auth_params = f"[auth_params] {auth_params}" if auth_params else > > "" > > + _keysrc_enc = f"[keysrc_encryption] {keysrc_enc}" if keysrc_enc > > else "" > > + > > + bif_template = f"""u_boot_spl_aes_rsa: {{ > > + [pskfile] {psk_fname} > > + [sskfile] {ssk_fname} > > + {_keysrc_enc} > > + {_fsbl_config} > > + {_auth_params} > > + [ bootloader, > > + authentication = rsa, > > + destination_cpu=a53-0] {spl_elf_fname} > > + [pmufw_image] {pmufw_elf_fname} > > + }}""" > > + args = ["-arch", arch] > > + > > + bif_fname = tools.get_output_filename('bootgen-in.sign.bif') > > + tools.write_file(bif_fname, bif_template, False) > > + args += ["-image", bif_fname, '-w', '-o', output_fname] > > + self.run_cmd(*args) > > + > > + def fetch(self, method): > > + """Fetch bootgen from git""" > > + if method != bintool.FETCH_BUILD: > > + return None > > + > > + result = self.build_from_git( > > + 'https://github.com/Xilinx/bootgen', > > + 'all', > > + 'bootgen') > > + return result > > M
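Review bot: In sign(), fsbl_config, auth_params and keysrc_enc are interpolated into the BIF template unchecked, even though the docstring enumerates the accepted values, so nothing here catches a misspelled key source or an unsupported arch before bootgen is invoked. Consider validating keysrc_enc against the documented set and rejecting any arch other than 'zynqmp' (the docstring says that is the only one supported) before writing bootgen-in.sign.bif. The result of self.run_cmd(*args) is also discarded, so sign() always returns None and the caller cannot tell from the return value whether output_fname was produced; returning the result would fix that. In the docstring, "signed with the 'primary secret key' (ppk)" should read (psk), with ppk introduced separately as the key whose hash is fused; the keysrc_enc description cites [3] while the keysrc_encryption link is [4], which is otherwise never referenced; and import tempfile is not used anywhere in the file.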
There is some missing test coverage in the entry type. Please make sure that 'binman test -T' produces 100% for your series. It is OK if it drops due to an intermediate patch, but the final patch must resolve that.

I would like to get this in now if we can... otherwise it will have to skip the release.

Regards,
Simon