trusted-firmware-a: Use new ti-secdev class to sign the images

Use the new ti-k3-secdev package to pull in the signing tools if they are not provided by the environment. This allows us to use these tools unconditionally. Remove the checks for the script and do the signing for all K3 machines. The signature is automatically stripped from the binaries on non-HS devices at boot time as needed so this change is harmless for GP devices. Signed-off-by: Andrew Davis <afd@ti.com> Signed-off-by: Ryan Eatmon <reatmon@ti.com>
author: Andrew Davis <afd@ti.com> 2023-02-15 13:33:42 -0600
committer: Ryan Eatmon <reatmon@ti.com> 2023-03-01 09:20:15 -0600
commit: 95e768255193ceadbc2ebcf7beebf299a374b360 (patch)
tree: 9fe61df806eff432de3b70094c3f702c82f3342c /meta-ti-bsp/recipes-bsp
parent: ede16ed8de92e2c8c87356c370e96018b39e0006 (diff)
download: meta-ti-95e768255193ceadbc2ebcf7beebf299a374b360.tar.gz
1 files changed, 7 insertions, 32 deletions
diff --git a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend
index 3ccad86b..01d3f7d5 100644
--- a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend
+++ b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend
@@ -9,39 +9,14 @@ TFA_SPD:k3 = "opteed"
 SRC_URI:append:k3 = " file://rwx-segments-ti.patch"
 FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+# Use TI SECDEV for signing
+inherit ti-secdev
 EXTRA_OEMAKE:append:k3 = "${@ ' K3_USART=' + d.getVar('TFA_K3_USART') if d.getVar('TFA_K3_USART') else ''}"
 EXTRA_OEMAKE:append:k3 = "${@ ' K3_PM_SYSTEM_SUSPEND=' + d.getVar('TFA_K3_SYSTEM_SUSPEND') if d.getVar('TFA_K3_SYSTEM_SUSPEND') else ''}"
-# Signing procedure for K3 HS devices
+# Signing procedure for K3 devices
-tfa_sign_k3hs() {
+do_compile:append:k3() {
-        export TI_SECURE_DEV_PKG=${TI_SECURE_DEV_PKG}
+        mv ${BUILD_DIR}/bl31.bin ${BUILD_DIR}/bl31.bin.unsigned
-        ( cd ${BUILD_DIR}; \
+        ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ${BUILD_DIR}/bl31.bin.unsigned ${BUILD_DIR}/bl31.bin
-                mv bl31.bin bl31.bin.unsigned; \
-                if [ -f ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ]; then \
-                        ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh bl31.bin.unsigned bl31.bin; \
-                else \
-                        echo "Warning: TI_SECURE_DEV_PKG not set, TF-A not signed."; \
-                        cp bl31.bin.unsigned bl31.bin; \
-                fi; \
-        )
-}
-do_compile:append:am65xx-hs-evm() {
-        tfa_sign_k3hs
-}
-do_compile:append:am64xx-evm() {
-        tfa_sign_k3hs
-}
-do_compile:append:j721e-hs-evm() {
-        tfa_sign_k3hs
-}
-do_compile:append:j7200-hs-evm() {
-        tfa_sign_k3hs
-}
-do_compile:append:j721s2-hs-evm() {
-        tfa_sign_k3hs
 }
author	Andrew Davis <afd@ti.com>	2023-02-15 13:33:42 -0600
committer	Ryan Eatmon <reatmon@ti.com>	2023-03-01 09:20:15 -0600
commit	95e768255193ceadbc2ebcf7beebf299a374b360 (patch)
tree	9fe61df806eff432de3b70094c3f702c82f3342c /meta-ti-bsp/recipes-bsp
parent	ede16ed8de92e2c8c87356c370e96018b39e0006 (diff)
download	meta-ti-95e768255193ceadbc2ebcf7beebf299a374b360.tar.gz

diff --git a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend index 3ccad86b..01d3f7d5 100644 --- a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend +++ b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend
@@ -9,39 +9,14 @@ TFA_SPD:k3 = "opteed"
9	SRC_URI:append:k3 = " file://rwx-segments-ti.patch"	9	SRC_URI:append:k3 = " file://rwx-segments-ti.patch"
10	FILESEXTRAPATHS:prepend := "${THISDIR}/files:"	10	FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
11		11
		12	# Use TI SECDEV for signing
		13	inherit ti-secdev
		14
12	EXTRA_OEMAKE:append:k3 = "${@ ' K3_USART=' + d.getVar('TFA_K3_USART') if d.getVar('TFA_K3_USART') else ''}"	15	EXTRA_OEMAKE:append:k3 = "${@ ' K3_USART=' + d.getVar('TFA_K3_USART') if d.getVar('TFA_K3_USART') else ''}"
13	EXTRA_OEMAKE:append:k3 = "${@ ' K3_PM_SYSTEM_SUSPEND=' + d.getVar('TFA_K3_SYSTEM_SUSPEND') if d.getVar('TFA_K3_SYSTEM_SUSPEND') else ''}"	16	EXTRA_OEMAKE:append:k3 = "${@ ' K3_PM_SYSTEM_SUSPEND=' + d.getVar('TFA_K3_SYSTEM_SUSPEND') if d.getVar('TFA_K3_SYSTEM_SUSPEND') else ''}"
14		17
15	# Signing procedure for K3 HS devices	18	# Signing procedure for K3 devices
16	tfa_sign_k3hs() {	19	do_compile:append:k3() {
17	export TI_SECURE_DEV_PKG=${TI_SECURE_DEV_PKG}	20	mv ${BUILD_DIR}/bl31.bin ${BUILD_DIR}/bl31.bin.unsigned
18	( cd ${BUILD_DIR}; \	21	${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ${BUILD_DIR}/bl31.bin.unsigned ${BUILD_DIR}/bl31.bin
19	mv bl31.bin bl31.bin.unsigned; \
20	if [ -f ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ]; then \
21	${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh bl31.bin.unsigned bl31.bin; \
22	else \
23	echo "Warning: TI_SECURE_DEV_PKG not set, TF-A not signed."; \
24	cp bl31.bin.unsigned bl31.bin; \
25	fi; \
26	)
27	}
28
29	do_compile:append:am65xx-hs-evm() {
30	tfa_sign_k3hs
31	}
32
33	do_compile:append:am64xx-evm() {
34	tfa_sign_k3hs
35	}
36
37	do_compile:append:j721e-hs-evm() {
38	tfa_sign_k3hs
39	}
40
41	do_compile:append:j7200-hs-evm() {
42	tfa_sign_k3hs
43	}
44
45	do_compile:append:j721s2-hs-evm() {
46	tfa_sign_k3hs
47	}	22	}