ref-manual: uboot-sign: Add how to enable ATF, TEE and User defined snippet ITS for U-Boot FIT image

Add how to enable ATF, TEE and User defined ITS for U-Boot FIT image generation. (From yocto-docs rev: ee6b3698da044e290dbc4fbb852f3cc37638e689) Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Jamin Lin <jamin_lin@aspeedtech.com> 2025-03-18 11:10:40 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2025-03-24 17:32:34 +0000
commit: 3bc048c01ae372c73b30414bdca6b3ec86a40701 (patch)
tree: ec1b525ddaf2d49bfbd204c525aa6246211bbc85 /documentation
parent: 869c4f3adbddaf20b456c396a56872d83e9dffb4 (diff)
download: poky-3bc048c01ae372c73b30414bdca6b3ec86a40701.tar.gz
2 files changed, 151 insertions, 0 deletions
diff --git a/documentation/ref-manual/classes.rst b/documentation/ref-manual/classes.rst
index b93279ff63..6797927fe8 100644
--- a/documentation/ref-manual/classes.rst
+++ b/documentation/ref-manual/classes.rst
@@ -3401,6 +3401,19 @@ The variables used by this class are:
 -  :term:`UBOOT_FITIMAGE_ENABLE`: enable the generation of a U-Boot FIT image.
 -  :term:`UBOOT_MKIMAGE_DTCOPTS`: DTC options for U-Boot ``mkimage`` when
   rebuilding the FIT image containing the kernel.
+-  :term:`UBOOT_FIT_ARM_TRUSTED_FIRMWARE`: include the Trusted Firmware-A
+   (TF-A) binary in the U-Boot FIT image.
+-  :term:`UBOOT_FIT_ARM_TRUSTED_FIRMWARE_IMAGE`: specifies the path to the
+   Trusted Firmware-A (TF-A) binary.
+-  :term:`UBOOT_FIT_TEE`: include the Trusted Execution Environment (TEE)
+   binary in the U-Boot FIT image.
+-  :term:`UBOOT_FIT_TEE_IMAGE`: specifies the path to the Trusted Execution
+   Environment (TEE) binary.
+-  :term:`UBOOT_FIT_USER_SETTINGS`: adds a user-specific snippet to the U-Boot
+   Image Tree Source (ITS). Users can include their custom U-Boot Image Tree
+   Source (ITS) snippet in this variable.
+-  :term:`UBOOT_FIT_CONF_USER_LOADABLES`: adds one or more user-defined images
+   to the ``loadables`` property of the configuration node.
 See U-Boot's documentation for details about `verified boot
 <https://source.denx.de/u-boot/u-boot/-/blob/master/doc/uImage.FIT/verified-boot.txt>`__
diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst
index 5b5eaccc2a..41bda5d0d6 100644
--- a/documentation/ref-manual/variables.rst
+++ b/documentation/ref-manual/variables.rst
@@ -9971,6 +9971,45 @@ system and gives an overview of their function and contents.
      See `more details about #address-cells <https://elinux.org/Device_Tree_Usage#How_Addressing_Works>`__.
+   :term:`UBOOT_FIT_ARM_TRUSTED_FIRMWARE`
+      `Trusted Firmware-A (TF-A) <https://www.trustedfirmware.org/projects/tf-a>`__
+      is a reference implementation of secure world software for Arm A-Profile
+      architectures (Armv8-A and Armv7-A), including an Exception Level 3 (EL3)
+      Secure Monitor. This variable enables the generation of a U-Boot FIT
+      image with a Trusted Firmware-A (TF-A) binary.
+      Its default value is "0", so set it to "1" to enable this functionality::
+         UBOOT_FIT_ARM_TRUSTED_FIRMWARE = "1"
+   :term:`UBOOT_FIT_ARM_TRUSTED_FIRMWARE_IMAGE`
+      Specifies the path to the Trusted Firmware-A (TF-A) binary. Its default
+      value is "bl31.bin"::
+         UBOOT_FIT_ARM_TRUSTED_FIRMWARE_IMAGE ?= "bl31.bin"
+      If a relative path is provided, the file is expected to be relative to
+      U-Boot's :term:`B` directory. An absolute path can be provided too,
+      e.g.::
+         UBOOT_FIT_ARM_TRUSTED_FIRMWARE_IMAGE ?= "${DEPLOY_DIR_IMAGE}/bl31.bin"
+      If the Trusted Firmware-A (TF-A) binary is built in a separate recipe,
+      you must add the necessary dependency in a U-Boot ``.bbappend`` file. The
+      recipe name for Trusted Firmware-A (TF-A) binary is
+      ``trusted-firmware-a``, which comes from the
+      :yocto_git:`meta-arm </meta-arm>` layer::
+         do_compile[depends] += "trusted-firmware-a:do_deploy"
+   :term:`UBOOT_FIT_CONF_USER_LOADABLES`
+      Adds one or more user-defined images to the ``loadables`` property of the
+      configuration node of the U-Boot Image Tree Source (ITS). This variable
+      is handled by the local shell in the recipe so appropriate escaping
+      should be done, e.g. escaping quotes.::
+         UBOOT_FIT_CONF_USER_LOADABLES = '\"fwa\", \"fwb\"'
   :term:`UBOOT_FIT_DESC`
      Specifies the description string encoded into a U-Boot fitImage. The default
      value is set by the :ref:`ref-classes-uboot-sign` class as follows::
@@ -10019,6 +10058,105 @@ system and gives an overview of their function and contents.
      of bits. The default value for this variable is set to "2048"
      by the :ref:`ref-classes-uboot-sign` class.
+   :term:`UBOOT_FIT_TEE`
+      A Trusted Execution Environment (TEE) is a secure environment for
+      executing code, ensuring high levels of trust in asset management within
+      the surrounding system. This variable enables the generation of a U-Boot
+      FIT image with a Trusted Execution Environment (TEE) binary.
+      Its default value is "0", so set it to "1" to enable this functionality::
+         UBOOT_FIT_TEE = "1"
+   :term:`UBOOT_FIT_TEE_IMAGE`
+      Specifies the path to the Trusted Execution Environment (TEE) binary. Its
+      default value is "tee-raw.bin"::
+         UBOOT_FIT_TEE_IMAGE ?= "tee-raw.bin"
+      If a relative path is provided, the file is expected to be relative to 
+      U-Boot's :term:`B` directory. An absolute path can be provided too,
+      e.g.::
+         UBOOT_FIT_TEE_IMAGE ?= "${DEPLOY_DIR_IMAGE}/tee-raw.bin"
+      If the Trusted Execution Environment (TEE) binary is built in a separate
+      recipe, you must add the necessary dependency in a U-Boot ``.bbappend``
+      file. The recipe name for Trusted Execution Environment (TEE) binary is
+      ``optee-os``, which comes from the :yocto_git:`meta-arm </meta-arm>`
+      layer::
+         do_compile[depends] += "optee-os:do_deploy"
+   :term:`UBOOT_FIT_USER_SETTINGS`
+      Add a user-specific snippet to the U-Boot Image Tree Source (ITS). This
+      variable allows the user to add one or more user-defined ``/images`` node
+      to the U-Boot Image Tree Source (ITS). For more details, please refer to
+      https://fitspec.osfw.foundation/\ .
+      The original content of the U-Boot Image Tree Source (ITS) is as
+      follows::
+         images {
+             uboot {
+                 description = "U-Boot image";
+                 data = /incbin/("u-boot-nodtb.bin");
+                 type = "standalone";
+                 os = "u-boot";
+                 arch = "";
+                 compression = "none";
+                 load = <0x80000000>;
+                 entry = <0x80000000>;
+             };
+         };
+      Users can include their custom ITS snippet in this variable, e.g.::
+         UBOOT_FIT_FWA_ITS = '\
+             fwa {\n\
+                 description = \"FW A\";\n\
+                 data = /incbin/(\"fwa.bin\");\n\
+                 type = \"firmware\";\n\
+                 arch = \"\";\n\
+                 os = \"\";\n\
+                 load = <0xb2000000>;\n\
+                 entry = <0xb2000000>;\n\
+                 compression = \"none\";\n\
+             };\n\
+         '
+         UBOOT_FIT_USER_SETTINGS = "${UBOOT_FIT_FWA_ITS}"
+      This variable is handled by the local shell in the recipe so appropriate
+      escaping should be done, e.g. escaping quotes and adding newlines with
+      ``\n``.
+      The generated content of the U-Boot Image Tree Source (ITS) is as
+      follows::
+         images {
+             uboot {
+                 description = "U-Boot image";
+                 data = /incbin/("u-boot-nodtb.bin");
+                 type = "standalone";
+                 os = "u-boot";
+                 arch = "";
+                 compression = "none";
+                 load = <0x80000000>;
+                 entry = <0x80000000>;
+             };
+             fwa {
+                 description = "FW A";
+                 data = /incbin/("fwa.bin");
+                 type = "firmware";
+                 arch = "";
+                 os = "";
+                 load = <0xb2000000>;
+                 entry = <0xb2000000>;
+                 compression = "none";
+             };
+         };
   :term:`UBOOT_FITIMAGE_ENABLE`
      This variable allows to generate a FIT image for U-Boot, which is one
      of the ways to implement a verified boot process.
author	Jamin Lin <jamin_lin@aspeedtech.com>	2025-03-18 11:10:40 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2025-03-24 17:32:34 +0000
commit	3bc048c01ae372c73b30414bdca6b3ec86a40701 (patch)
tree	ec1b525ddaf2d49bfbd204c525aa6246211bbc85 /documentation
parent	869c4f3adbddaf20b456c396a56872d83e9dffb4 (diff)
download	poky-3bc048c01ae372c73b30414bdca6b3ec86a40701.tar.gz

diff --git a/documentation/ref-manual/classes.rst b/documentation/ref-manual/classes.rst index b93279ff63..6797927fe8 100644 --- a/documentation/ref-manual/classes.rst +++ b/documentation/ref-manual/classes.rst
@@ -3401,6 +3401,19 @@ The variables used by this class are:
3401	- :term:`UBOOT_FITIMAGE_ENABLE`: enable the generation of a U-Boot FIT image.	3401	- :term:`UBOOT_FITIMAGE_ENABLE`: enable the generation of a U-Boot FIT image.
3402	- :term:`UBOOT_MKIMAGE_DTCOPTS`: DTC options for U-Boot ``mkimage`` when	3402	- :term:`UBOOT_MKIMAGE_DTCOPTS`: DTC options for U-Boot ``mkimage`` when
3403	rebuilding the FIT image containing the kernel.	3403	rebuilding the FIT image containing the kernel.
		3404	- :term:`UBOOT_FIT_ARM_TRUSTED_FIRMWARE`: include the Trusted Firmware-A
		3405	(TF-A) binary in the U-Boot FIT image.
		3406	- :term:`UBOOT_FIT_ARM_TRUSTED_FIRMWARE_IMAGE`: specifies the path to the
		3407	Trusted Firmware-A (TF-A) binary.
		3408	- :term:`UBOOT_FIT_TEE`: include the Trusted Execution Environment (TEE)
		3409	binary in the U-Boot FIT image.
		3410	- :term:`UBOOT_FIT_TEE_IMAGE`: specifies the path to the Trusted Execution
		3411	Environment (TEE) binary.
		3412	- :term:`UBOOT_FIT_USER_SETTINGS`: adds a user-specific snippet to the U-Boot
		3413	Image Tree Source (ITS). Users can include their custom U-Boot Image Tree
		3414	Source (ITS) snippet in this variable.
		3415	- :term:`UBOOT_FIT_CONF_USER_LOADABLES`: adds one or more user-defined images
		3416	to the ``loadables`` property of the configuration node.
3404		3417
3405	See U-Boot's documentation for details about `verified boot	3418	See U-Boot's documentation for details about `verified boot
3406	<https://source.denx.de/u-boot/u-boot/-/blob/master/doc/uImage.FIT/verified-boot.txt>`__	3419	<https://source.denx.de/u-boot/u-boot/-/blob/master/doc/uImage.FIT/verified-boot.txt>`__


diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst index 5b5eaccc2a..41bda5d0d6 100644 --- a/documentation/ref-manual/variables.rst +++ b/documentation/ref-manual/variables.rst
@@ -9971,6 +9971,45 @@ system and gives an overview of their function and contents.
9971		9971
9972	See `more details about #address-cells <https://elinux.org/Device_Tree_Usage#How_Addressing_Works>`__.	9972	See `more details about #address-cells <https://elinux.org/Device_Tree_Usage#How_Addressing_Works>`__.
9973		9973
		9974	:term:`UBOOT_FIT_ARM_TRUSTED_FIRMWARE`
		9975	`Trusted Firmware-A (TF-A) <https://www.trustedfirmware.org/projects/tf-a>`__
		9976	is a reference implementation of secure world software for Arm A-Profile
		9977	architectures (Armv8-A and Armv7-A), including an Exception Level 3 (EL3)
		9978	Secure Monitor. This variable enables the generation of a U-Boot FIT
		9979	image with a Trusted Firmware-A (TF-A) binary.
		9980
		9981	Its default value is "0", so set it to "1" to enable this functionality::
		9982
		9983	UBOOT_FIT_ARM_TRUSTED_FIRMWARE = "1"
		9984
		9985	:term:`UBOOT_FIT_ARM_TRUSTED_FIRMWARE_IMAGE`
		9986	Specifies the path to the Trusted Firmware-A (TF-A) binary. Its default
		9987	value is "bl31.bin"::
		9988
		9989	UBOOT_FIT_ARM_TRUSTED_FIRMWARE_IMAGE ?= "bl31.bin"
		9990
		9991	If a relative path is provided, the file is expected to be relative to
		9992	U-Boot's :term:`B` directory. An absolute path can be provided too,
		9993	e.g.::
		9994
		9995	UBOOT_FIT_ARM_TRUSTED_FIRMWARE_IMAGE ?= "${DEPLOY_DIR_IMAGE}/bl31.bin"
		9996
		9997	If the Trusted Firmware-A (TF-A) binary is built in a separate recipe,
		9998	you must add the necessary dependency in a U-Boot ``.bbappend`` file. The
		9999	recipe name for Trusted Firmware-A (TF-A) binary is
		10000	``trusted-firmware-a``, which comes from the
		10001	:yocto_git:`meta-arm </meta-arm>` layer::
		10002
		10003	do_compile[depends] += "trusted-firmware-a:do_deploy"
		10004
		10005	:term:`UBOOT_FIT_CONF_USER_LOADABLES`
		10006	Adds one or more user-defined images to the ``loadables`` property of the
		10007	configuration node of the U-Boot Image Tree Source (ITS). This variable
		10008	is handled by the local shell in the recipe so appropriate escaping
		10009	should be done, e.g. escaping quotes.::
		10010
		10011	UBOOT_FIT_CONF_USER_LOADABLES = '\"fwa\", \"fwb\"'
		10012
9974	:term:`UBOOT_FIT_DESC`	10013	:term:`UBOOT_FIT_DESC`
9975	Specifies the description string encoded into a U-Boot fitImage. The default	10014	Specifies the description string encoded into a U-Boot fitImage. The default
9976	value is set by the :ref:`ref-classes-uboot-sign` class as follows::	10015	value is set by the :ref:`ref-classes-uboot-sign` class as follows::
@@ -10019,6 +10058,105 @@ system and gives an overview of their function and contents.
10019	of bits. The default value for this variable is set to "2048"	10058	of bits. The default value for this variable is set to "2048"
10020	by the :ref:`ref-classes-uboot-sign` class.	10059	by the :ref:`ref-classes-uboot-sign` class.
10021		10060
		10061	:term:`UBOOT_FIT_TEE`
		10062	A Trusted Execution Environment (TEE) is a secure environment for
		10063	executing code, ensuring high levels of trust in asset management within
		10064	the surrounding system. This variable enables the generation of a U-Boot
		10065	FIT image with a Trusted Execution Environment (TEE) binary.
		10066
		10067	Its default value is "0", so set it to "1" to enable this functionality::
		10068
		10069	UBOOT_FIT_TEE = "1"
		10070
		10071	:term:`UBOOT_FIT_TEE_IMAGE`
		10072	Specifies the path to the Trusted Execution Environment (TEE) binary. Its
		10073	default value is "tee-raw.bin"::
		10074
		10075	UBOOT_FIT_TEE_IMAGE ?= "tee-raw.bin"
		10076
		10077	If a relative path is provided, the file is expected to be relative to
		10078	U-Boot's :term:`B` directory. An absolute path can be provided too,
		10079	e.g.::
		10080
		10081	UBOOT_FIT_TEE_IMAGE ?= "${DEPLOY_DIR_IMAGE}/tee-raw.bin"
		10082
		10083	If the Trusted Execution Environment (TEE) binary is built in a separate
		10084	recipe, you must add the necessary dependency in a U-Boot ``.bbappend``
		10085	file. The recipe name for Trusted Execution Environment (TEE) binary is
		10086	``optee-os``, which comes from the :yocto_git:`meta-arm </meta-arm>`
		10087	layer::
		10088
		10089	do_compile[depends] += "optee-os:do_deploy"
		10090
		10091	:term:`UBOOT_FIT_USER_SETTINGS`
		10092	Add a user-specific snippet to the U-Boot Image Tree Source (ITS). This
		10093	variable allows the user to add one or more user-defined ``/images`` node
		10094	to the U-Boot Image Tree Source (ITS). For more details, please refer to
		10095	https://fitspec.osfw.foundation/\ .
		10096
		10097	The original content of the U-Boot Image Tree Source (ITS) is as
		10098	follows::
		10099
		10100	images {
		10101	uboot {
		10102	description = "U-Boot image";
		10103	data = /incbin/("u-boot-nodtb.bin");
		10104	type = "standalone";
		10105	os = "u-boot";
		10106	arch = "";
		10107	compression = "none";
		10108	load = <0x80000000>;
		10109	entry = <0x80000000>;
		10110	};
		10111	};
		10112
		10113	Users can include their custom ITS snippet in this variable, e.g.::
		10114
		10115	UBOOT_FIT_FWA_ITS = '\
		10116	fwa {\n\
		10117	description = \"FW A\";\n\
		10118	data = /incbin/(\"fwa.bin\");\n\
		10119	type = \"firmware\";\n\
		10120	arch = \"\";\n\
		10121	os = \"\";\n\
		10122	load = <0xb2000000>;\n\
		10123	entry = <0xb2000000>;\n\
		10124	compression = \"none\";\n\
		10125	};\n\
		10126	'
		10127
		10128	UBOOT_FIT_USER_SETTINGS = "${UBOOT_FIT_FWA_ITS}"
		10129
		10130	This variable is handled by the local shell in the recipe so appropriate
		10131	escaping should be done, e.g. escaping quotes and adding newlines with
		10132	``\n``.
		10133
		10134	The generated content of the U-Boot Image Tree Source (ITS) is as
		10135	follows::
		10136
		10137	images {
		10138	uboot {
		10139	description = "U-Boot image";
		10140	data = /incbin/("u-boot-nodtb.bin");
		10141	type = "standalone";
		10142	os = "u-boot";
		10143	arch = "";
		10144	compression = "none";
		10145	load = <0x80000000>;
		10146	entry = <0x80000000>;
		10147	};
		10148	fwa {
		10149	description = "FW A";
		10150	data = /incbin/("fwa.bin");
		10151	type = "firmware";
		10152	arch = "";
		10153	os = "";
		10154	load = <0xb2000000>;
		10155	entry = <0xb2000000>;
		10156	compression = "none";
		10157	};
		10158	};
		10159
10022	:term:`UBOOT_FITIMAGE_ENABLE`	10160	:term:`UBOOT_FITIMAGE_ENABLE`
10023	This variable allows to generate a FIT image for U-Boot, which is one	10161	This variable allows to generate a FIT image for U-Boot, which is one
10024	of the ways to implement a verified boot process.	10162	of the ways to implement a verified boot process.