mkimage: Add support for bundling TFA BL31 in mkimage -f auto

Introduce two new parameters to be used with mkimage -f auto to bundle TFA BL31 image into fitImage, using auto-generated fitImage. Add -y to specify TFA BL31 file name and -Y to specify TFA BL31 load and entry point address. This is meant to be used with systems which boot all of TFA BL31, Linux and its DT from a single fitImage, all booted by U-Boot. Example invocation: " $ mkimage -E -A arm64 -C none -e 0x50200000 -a 0x50200000 -f auto \ -d arch/arm64/boot/Image \ -b arch/arm64/boot/dts/renesas/r8a779g3-sparrow-hawk.dtb \ -y ../tfa/build/rcar_gen4/release/bl31.bin -Y 0x46400000 \ /path/to/output/fitImage " Documentation update and test are also included, the test validates both positive and negative test cases, where fitImage does not include TFA BL31 and does include TFA BL31 blobs. Signed-off-by: Marek Vasut <[email protected]>
author: Marek Vasut <[email protected]> 2025-09-03 00:01:55 +0200
committer: Tom Rini <[email protected]> 2025-09-12 14:35:36 -0600
commit: 6dfd14e1228e6e14462f377987bc896d6b7f1dd5 (patch)
tree: 5674d882c35129ac2b058a43e9d0f3c04d650838 /test/py
parent: 559f11e66cf78a7cf57100086bba11a5a516cd25 (diff)
1 files changed, 67 insertions, 0 deletions
diff --git a/test/py/tests/test_fit_auto_signed.py b/test/py/tests/test_fit_auto_signed.py
index cdfd341c6f5..0b5dbd5401c 100644
--- a/test/py/tests/test_fit_auto_signed.py
+++ b/test/py/tests/test_fit_auto_signed.py
@@ -117,6 +117,23 @@ class SignedFitHelper(object):
             algo = self.__fdt_get_string(f'{node}/signature', 'algo')
             assert algo == sign_algo + "\n", "Missing expected signature algo!"
 
+    def check_fit_loadables(self, present):
+        """Test that loadables contains both kernel and TFA BL31 entries.
+
+        Each configuration must have a loadables property which lists both
+        kernel-1 and tfa-bl31-1 strings in the string list.
+        """
+        if present:
+            assert "/images/tfa-bl31-1" in self.images_nodes
+        else:
+            assert "/images/tfa-bl31-1" not in self.images_nodes
+        for node in self.confgs_nodes:
+            loadables = self.__fdt_get_string(f'{node}', 'loadables')
+            assert "kernel-1" in loadables
+            if present:
+                assert "tfa-bl31-1" in loadables
+            else:
+                assert "tfa-bl31-1" not in loadables
 
 @pytest.mark.buildconfigspec('fit_signature')
 @pytest.mark.requiredtool('fdtget')
@@ -139,6 +156,7 @@ def test_fit_auto_signed(ubman):
     kernel_file = f'{tempdir}/vmlinuz'
     dt1_file = f'{tempdir}/dt-1.dtb'
     dt2_file = f'{tempdir}/dt-2.dtb'
+    tfa_file = f'{tempdir}/tfa-bl31.bin'
     key_name = 'sign-key'
     sign_algo = 'sha256,rsa4096'
     key_file = f'{tempdir}/{key_name}.key'
@@ -154,6 +172,9 @@ def test_fit_auto_signed(ubman):
     with open(dt2_file, 'wb') as fd:
         fd.write(os.urandom(256))
 
+    with open(tfa_file, 'wb') as fd:
+        fd.write(os.urandom(256))
+
     # Create 4096 RSA key and write to file to be read by mkimage
     key = RSA.generate(bits=4096)
     verifier = pkcs1_15.new(key)
@@ -173,6 +194,8 @@ def test_fit_auto_signed(ubman):
 
     fit.check_fit_crc32_images()
 
+    fit.check_fit_loadables(present=False)
+
     # 2 - Create auto FIT with signed images, and verify it
     utils.run_and_log(ubman, mkimage + ' -fauto' + b_args + s_args + " " +
                       fit_file)
@@ -183,6 +206,8 @@ def test_fit_auto_signed(ubman):
 
     fit.check_fit_signed_images(key_name, sign_algo, verifier)
 
+    fit.check_fit_loadables(present=False)
+
     # 3 - Create auto FIT with signed configs and hashed images, and verify it
     utils.run_and_log(ubman, mkimage + ' -fauto-conf' + b_args + s_args + " " +
                       fit_file)
@@ -192,3 +217,45 @@ def test_fit_auto_signed(ubman):
         raise ValueError('FIT-3 has no "/image" nor "/configuration" nodes')
 
     fit.check_fit_signed_confgs(key_name, sign_algo)
+
+    fit.check_fit_loadables(present=False)
+
+    # Run the same tests as 1/2/3 above, but this time with TFA BL31
+    # options -y tfa-bl31.bin -Y 0x12340000 to cover both mkimage with
+    # and without TFA BL31 use cases.
+    b_args = " -d" + kernel_file + " -b" + dt1_file + " -b" + dt2_file + " -y" + tfa_file + " -Y 0x12340000"
+
+    # 4 - Create auto FIT with images crc32 checksum, and verify it
+    utils.run_and_log(ubman, mkimage + ' -fauto' + b_args + " " + fit_file)
+
+    fit = SignedFitHelper(ubman, fit_file)
+    if fit.build_nodes_sets() == 0:
+        raise ValueError('FIT-4 has no "/image" nor "/configuration" nodes')
+
+    fit.check_fit_crc32_images()
+
+    fit.check_fit_loadables(present=True)
+
+    # 5 - Create auto FIT with signed images, and verify it
+    utils.run_and_log(ubman, mkimage + ' -fauto' + b_args + s_args + " " +
+                      fit_file)
+
+    fit = SignedFitHelper(ubman, fit_file)
+    if fit.build_nodes_sets() == 0:
+        raise ValueError('FIT-5 has no "/image" nor "/configuration" nodes')
+
+    fit.check_fit_signed_images(key_name, sign_algo, verifier)
+
+    fit.check_fit_loadables(present=True)
+
+    # 6 - Create auto FIT with signed configs and hashed images, and verify it
+    utils.run_and_log(ubman, mkimage + ' -fauto-conf' + b_args + s_args + " " +
+                      fit_file)
+
+    fit = SignedFitHelper(ubman, fit_file)
+    if fit.build_nodes_sets() == 0:
+        raise ValueError('FIT-6 has no "/image" nor "/configuration" nodes')
+
+    fit.check_fit_signed_confgs(key_name, sign_algo)
+
+    fit.check_fit_loadables(present=True)
author	Marek Vasut <[email protected]>	2025-09-03 00:01:55 +0200
committer	Tom Rini <[email protected]>	2025-09-12 14:35:36 -0600
commit	6dfd14e1228e6e14462f377987bc896d6b7f1dd5 (patch)
tree	5674d882c35129ac2b058a43e9d0f3c04d650838 /test/py
parent	559f11e66cf78a7cf57100086bba11a5a516cd25 (diff)