uboot-sign: support to create TEE and ATF image tree source

Currently, uboot-sign.bbclass only supports to create Image Tree Source(ITS) for "u-boot" and "flat_dt". However, users may want to support multiple images such as ARM Trusted Firmware(ATF), Trusted Execution Environment(TEE) and users private images for specific application and purpose. To make this bbclass more flexible and support ATF and TEE, creates new functions which are "uboot_fitimage_atf" and "uboot_fitimage_tee" for ATF and TEE ITS file creation, respectively. Add a variable "UBOOT_FIT_ARM_TRUSTED_FIRMWARE" to enable ATF ITS generation and it is disable by default. Add a variable "UBOOT_FIT_TEE" to enable TEE ITS generation and it is disable by default. (From OE-Core rev: c14641a964b5b802e995e574a599c5b4937fb488) Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Jamin Lin <jamin_lin@aspeedtech.com> 2025-02-17 16:52:31 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2025-02-27 10:55:17 +0000
commit: e6ff7089771a332779e894959855c4788a4c9720 (patch)
tree: 90162cfa5bc7f48cfce7d49497f8d4ddd7bb3be3 /meta/classes-recipe
parent: fa198a04eb709da2484d37f9bba63825d7fa8bd4 (diff)
download: poky-e6ff7089771a332779e894959855c4788a4c9720.tar.gz
1 files changed, 79 insertions, 1 deletions
diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass
index 5c579a9fb0..598a89c816 100644
--- a/meta/classes-recipe/uboot-sign.bbclass
+++ b/meta/classes-recipe/uboot-sign.bbclass
@@ -86,6 +86,18 @@ UBOOT_FIT_KEY_SIGN_PKCS ?= "-x509"
 # ex: 1 32bits address, 2 64bits address
 UBOOT_FIT_ADDRESS_CELLS ?= "1"
+# ARM Trusted Firmware(ATF) is a reference implementation of secure world
+# software for Arm A-Profile architectures, (Armv8-A and Armv7-A), including
+# an Exception Level 3 (EL3) Secure Monitor.
+UBOOT_FIT_ARM_TRUSTED_FIRMWARE ?= "0"
+UBOOT_FIT_ARM_TRUSTED_FIRMWARE_IMAGE ?= "bl31.bin"
+# A Trusted Execution Environment(TEE) is an environment for executing code,
+# in which those executing the code can have high levels of trust in the asset
+# management of that surrounding environment.
+UBOOT_FIT_TEE ?= "0"
+UBOOT_FIT_TEE_IMAGE ?= "tee-raw.bin"
 UBOOT_FIT_UBOOT_LOADADDRESS ?= "${UBOOT_LOADADDRESS}"
 UBOOT_FIT_UBOOT_ENTRYPOINT ?= "${UBOOT_ENTRYPOINT}"
@@ -282,9 +294,64 @@ do_uboot_generate_rsa_keys() {
 addtask uboot_generate_rsa_keys before do_uboot_assemble_fitimage after do_compile
+# Create a ITS file for the atf
+uboot_fitimage_atf() {
+        cat << EOF >> ${UBOOT_ITS}
+        atf {
+            description = "ARM Trusted Firmware";
+            data = /incbin/("${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_IMAGE}");
+            type = "firmware";
+            arch = "${UBOOT_ARCH}";
+            os = "arm-trusted-firmware";
+            load = <${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_LOADADDRESS}>;
+            entry = <${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_ENTRYPOINT}>;
+            compression = "none";
+EOF
+        if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
+                cat << EOF >> ${UBOOT_ITS}
+            signature {
+                algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}";
+                key-name-hint = "${SPL_SIGN_KEYNAME}";
+            };
+EOF
+        fi
+        cat << EOF >> ${UBOOT_ITS}
+        };
+EOF
+}
+# Create a ITS file for the tee
+uboot_fitimage_tee() {
+        cat << EOF >> ${UBOOT_ITS}
+        tee {
+            description = "Trusted Execution Environment";
+            data = /incbin/("${UBOOT_FIT_TEE_IMAGE}");
+            type = "tee";
+            arch = "${UBOOT_ARCH}";
+            os = "tee";
+            load = <${UBOOT_FIT_TEE_LOADADDRESS}>;
+            entry = <${UBOOT_FIT_TEE_ENTRYPOINT}>;
+            compression = "none";
+EOF
+        if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
+                cat << EOF >> ${UBOOT_ITS}
+            signature {
+                algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}";
+                key-name-hint = "${SPL_SIGN_KEYNAME}";
+            };
+EOF
+        fi
+        cat << EOF >> ${UBOOT_ITS}
+        };
+EOF
+}
 # Create a ITS file for the U-boot FIT, for use when
 # we want to sign it so that the SPL can verify it
 uboot_fitimage_assemble() {
+        conf_loadables="\"uboot\""
        rm -f ${UBOOT_ITS} ${UBOOT_FITIMAGE_BINARY}
        # First we create the ITS script
@@ -337,13 +404,24 @@ EOF
        cat << EOF >> ${UBOOT_ITS}
        };
+EOF
+        if [ "${UBOOT_FIT_TEE}" = "1" ] ; then
+                conf_loadables="\"tee\", ${conf_loadables}"
+                uboot_fitimage_tee
+        fi
+        if [ "${UBOOT_FIT_ARM_TRUSTED_FIRMWARE}" = "1" ] ; then
+                conf_loadables="\"atf\", ${conf_loadables}"
+                uboot_fitimage_atf
+        fi
+        cat << EOF >> ${UBOOT_ITS}
    };
    configurations {
        default = "conf";
        conf {
            description = "Boot with signed U-Boot FIT";
-            loadables = "uboot";
+            loadables = ${conf_loadables};
            fdt = "fdt";
        };
    };
author	Jamin Lin <jamin_lin@aspeedtech.com>	2025-02-17 16:52:31 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2025-02-27 10:55:17 +0000
commit	e6ff7089771a332779e894959855c4788a4c9720 (patch)
tree	90162cfa5bc7f48cfce7d49497f8d4ddd7bb3be3 /meta/classes-recipe
parent	fa198a04eb709da2484d37f9bba63825d7fa8bd4 (diff)
download	poky-e6ff7089771a332779e894959855c4788a4c9720.tar.gz

diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass index 5c579a9fb0..598a89c816 100644 --- a/meta/classes-recipe/uboot-sign.bbclass +++ b/meta/classes-recipe/uboot-sign.bbclass
@@ -86,6 +86,18 @@ UBOOT_FIT_KEY_SIGN_PKCS ?= "-x509"
86	# ex: 1 32bits address, 2 64bits address	86	# ex: 1 32bits address, 2 64bits address
87	UBOOT_FIT_ADDRESS_CELLS ?= "1"	87	UBOOT_FIT_ADDRESS_CELLS ?= "1"
88		88
		89	# ARM Trusted Firmware(ATF) is a reference implementation of secure world
		90	# software for Arm A-Profile architectures, (Armv8-A and Armv7-A), including
		91	# an Exception Level 3 (EL3) Secure Monitor.
		92	UBOOT_FIT_ARM_TRUSTED_FIRMWARE ?= "0"
		93	UBOOT_FIT_ARM_TRUSTED_FIRMWARE_IMAGE ?= "bl31.bin"
		94
		95	# A Trusted Execution Environment(TEE) is an environment for executing code,
		96	# in which those executing the code can have high levels of trust in the asset
		97	# management of that surrounding environment.
		98	UBOOT_FIT_TEE ?= "0"
		99	UBOOT_FIT_TEE_IMAGE ?= "tee-raw.bin"
		100
89	UBOOT_FIT_UBOOT_LOADADDRESS ?= "${UBOOT_LOADADDRESS}"	101	UBOOT_FIT_UBOOT_LOADADDRESS ?= "${UBOOT_LOADADDRESS}"
90	UBOOT_FIT_UBOOT_ENTRYPOINT ?= "${UBOOT_ENTRYPOINT}"	102	UBOOT_FIT_UBOOT_ENTRYPOINT ?= "${UBOOT_ENTRYPOINT}"
91		103
@@ -282,9 +294,64 @@ do_uboot_generate_rsa_keys() {
282		294
283	addtask uboot_generate_rsa_keys before do_uboot_assemble_fitimage after do_compile	295	addtask uboot_generate_rsa_keys before do_uboot_assemble_fitimage after do_compile
284		296
		297	# Create a ITS file for the atf
		298	uboot_fitimage_atf() {
		299	cat << EOF >> ${UBOOT_ITS}
		300	atf {
		301	description = "ARM Trusted Firmware";
		302	data = /incbin/("${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_IMAGE}");
		303	type = "firmware";
		304	arch = "${UBOOT_ARCH}";
		305	os = "arm-trusted-firmware";
		306	load = <${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_LOADADDRESS}>;
		307	entry = <${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_ENTRYPOINT}>;
		308	compression = "none";
		309	EOF
		310	if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
		311	cat << EOF >> ${UBOOT_ITS}
		312	signature {
		313	algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}";
		314	key-name-hint = "${SPL_SIGN_KEYNAME}";
		315	};
		316	EOF
		317	fi
		318
		319	cat << EOF >> ${UBOOT_ITS}
		320	};
		321	EOF
		322	}
		323
		324	# Create a ITS file for the tee
		325	uboot_fitimage_tee() {
		326	cat << EOF >> ${UBOOT_ITS}
		327	tee {
		328	description = "Trusted Execution Environment";
		329	data = /incbin/("${UBOOT_FIT_TEE_IMAGE}");
		330	type = "tee";
		331	arch = "${UBOOT_ARCH}";
		332	os = "tee";
		333	load = <${UBOOT_FIT_TEE_LOADADDRESS}>;
		334	entry = <${UBOOT_FIT_TEE_ENTRYPOINT}>;
		335	compression = "none";
		336	EOF
		337	if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
		338	cat << EOF >> ${UBOOT_ITS}
		339	signature {
		340	algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}";
		341	key-name-hint = "${SPL_SIGN_KEYNAME}";
		342	};
		343	EOF
		344	fi
		345
		346	cat << EOF >> ${UBOOT_ITS}
		347	};
		348	EOF
		349	}
		350
285	# Create a ITS file for the U-boot FIT, for use when	351	# Create a ITS file for the U-boot FIT, for use when
286	# we want to sign it so that the SPL can verify it	352	# we want to sign it so that the SPL can verify it
287	uboot_fitimage_assemble() {	353	uboot_fitimage_assemble() {
		354	conf_loadables="\"uboot\""
288	rm -f ${UBOOT_ITS} ${UBOOT_FITIMAGE_BINARY}	355	rm -f ${UBOOT_ITS} ${UBOOT_FITIMAGE_BINARY}
289		356
290	# First we create the ITS script	357	# First we create the ITS script
@@ -337,13 +404,24 @@ EOF
337		404
338	cat << EOF >> ${UBOOT_ITS}	405	cat << EOF >> ${UBOOT_ITS}
339	};	406	};
		407	EOF
		408	if [ "${UBOOT_FIT_TEE}" = "1" ] ; then
		409	conf_loadables="\"tee\", ${conf_loadables}"
		410	uboot_fitimage_tee
		411	fi
		412
		413	if [ "${UBOOT_FIT_ARM_TRUSTED_FIRMWARE}" = "1" ] ; then
		414	conf_loadables="\"atf\", ${conf_loadables}"
		415	uboot_fitimage_atf
		416	fi
		417	cat << EOF >> ${UBOOT_ITS}
340	};	418	};
341		419
342	configurations {	420	configurations {
343	default = "conf";	421	default = "conf";
344	conf {	422	conf {
345	description = "Boot with signed U-Boot FIT";	423	description = "Boot with signed U-Boot FIT";
346	loadables = "uboot";	424	loadables = ${conf_loadables};
347	fdt = "fdt";	425	fdt = "fdt";
348	};	426	};
349	};	427	};