mkimage: Add support for bundling TEE in mkimage -f auto

Introduce two new parameters to be used with mkimage -f auto to bundle TEE image into fitImage, using auto-generated fitImage. Add -z to specify TEE file name and -Z to specify TEE load and entry point address. This is meant to be used with systems which boot all of TEE, Linux and its DT from a single fitImage, all booted by U-Boot. Example invocation: " $ mkimage -E -A arm -C none -e 0xc0008000 -a 0xc0008000 -f auto \ -d arch/arm/boot/zImage \ -b arch/arm/boot/dts/st/stm32mp135f-dhcor-dhsbc.dtb \ -z ../optee_os/out/arm-plat-stm32mp1/core/tee-raw.bin \ -Z 0xde000000 \ /path/to/output/fitImage " Documentation update and test are also included, the test validates both positive and negative test cases, where fitImage does not include TEE and does include TEE blobs. Acked-by: Quentin Schulz <[email protected]> Signed-off-by: Marek Vasut <[email protected]>
author: Marek Vasut <[email protected]> 2025-11-25 16:42:57 +0100
committer: Tom Rini <[email protected]> 2025-12-06 11:46:09 -0600
commit: 22aa122eee021a631e1b92c761ff1a434d46890e (patch)
tree: d1a018d86a962abbd5fbde8b52ed96908a4c381b /test
parent: 23eb6c9ce11b6b781f7902ced7340f2c6c433e4f (diff)
1 files changed, 58 insertions, 7 deletions
diff --git a/test/py/tests/test_fit_auto_signed.py b/test/py/tests/test_fit_auto_signed.py
index 6220fe6ff59..eb162f785ac 100644
--- a/test/py/tests/test_fit_auto_signed.py
+++ b/test/py/tests/test_fit_auto_signed.py
@@ -117,28 +117,36 @@ class SignedFitHelper(object):
             algo = self.__fdt_get_string(f'{node}/signature', 'algo')
             assert algo == sign_algo + "\n", "Missing expected signature algo!"
 
-    def check_fit_loadables(self, present):
-        """Test that loadables contains both kernel and TFA BL31 entries.
+    def check_fit_loadables(self, bl31present, teepresent):
+        """Test that loadables contains both kernel, TFA BL31, TEE entries.
 
         Each configuration must have a loadables property which lists both
-        kernel-1 and tfa-bl31-1 strings in the string list.
+        kernel-1, tfa-bl31-1 and tee-1 strings in the string list.
         """
-        if present:
+        if bl31present:
             assert "/images/tfa-bl31-1" in self.images_nodes
         else:
             assert "/images/tfa-bl31-1" not in self.images_nodes
+        if teepresent:
+            assert "/images/tee-1" in self.images_nodes
+        else:
+            assert "/images/tee-1" not in self.images_nodes
         for node in self.confgs_nodes:
             loadables = self.__fdt_get_string(f'{node}', 'loadables')
             assert "kernel-1" in loadables
-            if present:
+            if bl31present:
                 assert "tfa-bl31-1" in loadables
             else:
                 assert "tfa-bl31-1" not in loadables
+            if teepresent:
+                assert "tee-1" in loadables
+            else:
+                assert "tee-1" not in loadables
 
 @pytest.mark.buildconfigspec('fit_signature')
 @pytest.mark.requiredtool('fdtget')
 def test_fit_auto_signed(ubman):
-    def generate_and_check_fit_image(cmd, crc=False, simgs=False, scfgs=False, bl31present=False, key_name="", sign_algo="", verifier=""):
+    def generate_and_check_fit_image(cmd, crc=False, simgs=False, scfgs=False, bl31present=False, teepresent=False, key_name="", sign_algo="", verifier=""):
         """Generate fitImage and test for expected entries.
 
         Generate a fitImage and test whether suitable entries are part of
@@ -158,7 +166,7 @@ def test_fit_auto_signed(ubman):
         if scfgs:
             fit.check_fit_signed_confgs(key_name, sign_algo)
 
-        fit.check_fit_loadables(bl31present)
+        fit.check_fit_loadables(bl31present, teepresent)
 
     """Test that mkimage generates auto-FIT with signatures/hashes as expected.
 
@@ -178,6 +186,7 @@ def test_fit_auto_signed(ubman):
     dt1_file = f'{tempdir}/dt-1.dtb'
     dt2_file = f'{tempdir}/dt-2.dtb'
     tfa_file = f'{tempdir}/tfa-bl31.bin'
+    tee_file = f'{tempdir}/tee.bin'
     key_name = 'sign-key'
     sign_algo = 'sha256,rsa4096'
     key_file = f'{tempdir}/{key_name}.key'
@@ -196,6 +205,9 @@ def test_fit_auto_signed(ubman):
     with open(tfa_file, 'wb') as fd:
         fd.write(os.urandom(256))
 
+    with open(tee_file, 'wb') as fd:
+        fd.write(os.urandom(256))
+
     # Create 4096 RSA key and write to file to be read by mkimage
     key = RSA.generate(bits=4096)
     verifier = pkcs1_15.new(key)
@@ -238,3 +250,42 @@ def test_fit_auto_signed(ubman):
     generate_and_check_fit_image(' -fauto-conf' + b_args + s_args + " " + fit_file,
                                  scfgs=True, bl31present=True,
                                  key_name=key_name, sign_algo=sign_algo)
+
+    # Run the same tests as 1/2/3 above, but this time with TEE
+    # options -z tee.bin -Z 0x56780000 to cover both mkimage with
+    # and without TEE use cases.
+    b_args = " -d" + kernel_file + " -b" + dt1_file + " -b" + dt2_file + " -z" + tee_file + " -Z 0x56780000"
+
+    # 7 - Create auto FIT with images crc32 checksum, and verify it
+    generate_and_check_fit_image(' -fauto' + b_args + " " + fit_file,
+                                 crc=True, teepresent=True)
+
+    # 8 - Create auto FIT with signed images, and verify it
+    generate_and_check_fit_image(' -fauto' + b_args + s_args + " " + fit_file,
+                                 simgs=True, teepresent=True,
+                                 key_name=key_name, sign_algo=sign_algo, verifier=verifier)
+
+    # 9 - Create auto FIT with signed configs and hashed images, and verify it
+    generate_and_check_fit_image(' -fauto-conf' + b_args + s_args + " " + fit_file,
+                                 scfgs=True, teepresent=True,
+                                 key_name=key_name, sign_algo=sign_algo)
+
+    # Run the same tests as 1/2/3 above, but this time with both
+    # TFA BL31 and TEE options -y tfa-bl31.bin -Y 0x12340000 and
+    # -z tee.bin -Z 0x56780000 to cover both mkimage with and
+    # without both TFA BL31 and TEE use cases.
+    b_args = " -d" + kernel_file + " -b" + dt1_file + " -b" + dt2_file + " -y" + tfa_file + " -Y 0x12340000" + " -z" + tee_file + " -Z 0x56780000"
+
+    # 10 - Create auto FIT with images crc32 checksum, and verify it
+    generate_and_check_fit_image(' -fauto' + b_args + " " + fit_file,
+                                 crc=True, bl31present=True, teepresent=True)
+
+    # 11 - Create auto FIT with signed images, and verify it
+    generate_and_check_fit_image(' -fauto' + b_args + s_args + " " + fit_file,
+                                 simgs=True, bl31present=True, teepresent=True,
+                                 key_name=key_name, sign_algo=sign_algo, verifier=verifier)
+
+    # 12 - Create auto FIT with signed configs and hashed images, and verify it
+    generate_and_check_fit_image(' -fauto-conf' + b_args + s_args + " " + fit_file,
+                                 scfgs=True, bl31present=True, teepresent=True,
+                                 key_name=key_name, sign_algo=sign_algo)
author	Marek Vasut <[email protected]>	2025-11-25 16:42:57 +0100
committer	Tom Rini <[email protected]>	2025-12-06 11:46:09 -0600
commit	22aa122eee021a631e1b92c761ff1a434d46890e (patch)
tree	d1a018d86a962abbd5fbde8b52ed96908a4c381b /test
parent	23eb6c9ce11b6b781f7902ced7340f2c6c433e4f (diff)