| Age | Commit message (Collapse) | Author |
|---|
|
Typically boards operating in production environments will not be
monitored and so will not need JTAG access unlocked. Disable the debug
extension by default (set debugType = 0) unless we add the 'debug'
property in the binman configs.
Acked-by: Andrew Davis <[email protected]>
Signed-off-by: Bryan Brattlof <[email protected]>
|
|
Build the imx code singing tool from source instead of relying on the
distro to provide the tool.
Use the debian/unstable branch because the default branch is outdated.
The binary is supposed to be build with docker, work around that by selecting
the correct Makefile directly.
Also append the description and add a link to documentation.
Signed-off-by: Leonard Anderweit <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
mkimage can be used for both signing the FIT or encrypt its content and the
option '-k' can be used to pass a directory where both signing and encryption
keys can be retrieved. Adding 'fit,encrypt' property to the 'fit' node, leads to
try to find keys directory among binman include directories.
_get_priv_keys_dir() is renamed as _get_keys_dir() and adapted to support both
signing and encryption nodes in the FIT.
Signed-off-by: Paul HENRYS <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
The patch implement new property 'fit,sign' that can be declared
at the top-level 'fit' node. If that option is declared, fit tryies
to detect private keys directory among binman include directories.
That directory than passed to mkimage using '-k' flag and that enable
signing of FIT.
Signed-off-by: Alexander Kochetkov <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
Renumbered files, moved new tests to end:
Signed-off-by: Simon Glass <[email protected]>
|
|
This returns stdout, not a CommandResult so update the comment.
Signed-off-by: Simon Glass <[email protected]>
|
|
Now that this tool has a version number, collect it.
Signed-off-by: Simon Glass <[email protected]>
|
|
FIT provides a way to select between different devicetree blobs
depending on the model. This works fine for U-Boot proper and allows SPL
to select the correct blob for the current board at runtime. The boot
sequence (SPL->U-Boot proper) is therefore covered by the existing
feature set.
The first boot phase (typically TPL) cannot use FIT since SoC boot ROMs
don't currently support it. Therefore the TPL image must be specific to
each model it boots on.
To support booting on mulitple models, binman must therefore produce a
separate TPL image for each model, even if the images for the rest of
the phases are identical.
TPL needs to be packaged as an executable binary along with a reduced
devicetree. When multiple models are supported, a reduced devicetree
must be provided for each model.
U-Boot's build system is designed to build a single devicetree for SPL
builds, so does not support this requirement.
Add a new 'alternatives' feature to Binman, allowing it to automatically
subset a devicetree to produce the reduced devicetree for a particular
phase for each supported model. With this it is possible to produce a
separate TPL image for each of the models. The correct one can then be
loaded onto a board, along with the common FIT image(s).
Signed-off-by: Simon Glass <[email protected]>
|
|
Binman needs the ability to run fdtgrep to prepare devicetree subsets
for use by SPL and TPL. Add a new bintool in preparation for this.
Signed-off-by: Simon Glass <[email protected]>
|
|
This function returns a value, so add documentation for it.
Signed-off-by: Simon Glass <[email protected]>
|
|
Update to a newer version of this tool, 4.22.01. This runs OK with the
current binman tests and matches the one in CI.
Signed-off-by: Simon Glass <[email protected]>
Reviewed-by: Tom Rini <[email protected]>
|
|
Add new binman etype which allows signing both the SPL and fitImage sections
of i.MX8M flash.bin using CST. There are multiple DT properties which govern
the signing process, nxp,loader-address is the only mandatory one which sets
the SPL signature start address without the imx8mimage header, this should be
SPL text base. The key material can be configured using optional DT properties
nxp,srk-table, nxp,csf-crt, nxp,img-crt, all of which default the key material
names generated by CST tool scripts. The nxp,unlock property can be used to
unlock CAAM access in SPL section.
Reviewed-by: Tim Harvey <[email protected]>
Signed-off-by: Marek Vasut <[email protected]>
|
|
Fix a typo, no functional change.
Signed-off-by: Marek Vasut <[email protected]>
Reviewed-by: Quentin Schulz <[email protected]>
|
|
To debug using jtag, ROM needs to unlock jtag debugging on HS devices
and it does that looking at this debug extension.
Add the debug extension and enable it by default.
Link: https://software-dl.ti.com/tisci/esd/latest/2_tisci_msgs/security/sec_cert_format.html?highlight=debug#sysfw-debug-ext
Signed-off-by: Manorit Chawdhry <[email protected]>
Reviewed-by: Neha Malcom Francis <[email protected]>
|
|
We can now firewall entities while loading them through our secure
entity TIFS, the required information should be present in the
certificate that is being parsed by TIFS.
The following commit adds the support to enable the certificates to be
generated if the firewall configurations are present in the binman dtsi
nodes.
Reviewed-by: Simon Glass <[email protected]>
Signed-off-by: Manorit Chawdhry <[email protected]>
|
|
According to the TRMs of K3 platform of devices, the ROM boot image
format specifies a "Core Options Field" that provides the capability to
set the boot core in lockstep when set to 0 or to split mode when set
to 2. Add support for providing the same from the binman DTS. Also
modify existing test case for ensuring future coverage.
Signed-off-by: Neha Malcom Francis <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
Add a method to the mkeficapsule bintool to generate empty
capsules. These are capsules needed for the FWU A/B update feature.
Signed-off-by: Sughosh Ganu <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
The argument type of `build_from_git` was changed from string to list
in d71e7116997f14097735f04cc7847f0a68dbc485.
This commit adapts the argument type of all bintools using this
function.
Signed-off-by: Lukas Funke <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
Tested-by: Simon Glass <[email protected]>
|
|
Add a bintool for generating EFI capsules. This calls the mkeficapsule
tool which generates the capsules.
Signed-off-by: Sughosh Ganu <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
Add the Xilinx Bootgen as bintool. Xilinx Bootgen is used to create
bootable SPL (FSBL in Xilinx terms) images for Zynq/ZynqMP devices. The
btool creates a signed version of the SPL. Additionally to signing the
key source for the decryption engine can be passend to the boot image.
Signed-off-by: Lukas Funke <[email protected]>
|
|
Add btool which calls 'fdt_add_pubkey'
Signed-off-by: Lukas Funke <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
The ti-secure entry contains certificate for binaries that will be
loaded or booted by system firmware whereas the ti-secure-rom entry
contains certificate for binaries that will be booted by ROM. Support
for both these types of certificates is necessary for booting of K3
devices.
Reviewed-by: Simon Glass <[email protected]>
[[email protected]: fixed inconsist cert generation by multiple packing]
Signed-off-by: Vignesh Raghavendra <[email protected]>
Signed-off-by: Neha Malcom Francis <[email protected]>
|
|
And a new entry type which supports generation of x509 certificates.
This uses a new 'openssl' btool with just one operation so far.
Signed-off-by: Simon Glass <[email protected]>
|
|
The patman directory has a number of modules which are used by other tools
in U-Boot. This makes it hard to package the tools using pypi since the
common files must be copied along with the tool that uses them.
To address this, move these files into a new u_boot_pylib library. This
can be packaged separately and listed as a dependency of each tool.
Signed-off-by: Simon Glass <[email protected]>
|
|
Add support to indicate what alignment to use for the FIT and its
external data. Pass the alignment to mkimage via the -B flag.
Signed-off-by: Jonas Karlman <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
This reverts commit daa2da754afe1bac777f6cb0f05233e0de7b325d.
This commit is not needed anymore since the btool_ prefix is
automatically stripped by bintool.
Cc: Quentin Schulz <[email protected]>
Signed-off-by: Quentin Schulz <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
The binary is looked on the system by the suffix of the packer class.
This means binman was looking for btool_gzip on the system and not gzip.
Since a btool can have its btool_ prefix missing but its module and
binary presence on the system appropriately found, there's no need to
actually keep this prefix after listing all possible btools, so let's
remove it.
This fixes gzip btool by letting Bintool.find_bintool_class handle the
missing prefix and still return the correct class which is then init
with gzip name instead of btool_gzip.
Additionally, there was an issue with the cached module global variable.
The variable only stores the module and not the associated class name
when calling find_bintool_class.
This means that when caching the module on the first call to
find_bintool_class, class_name would be set to Bintoolbtool_gzip but the
module_name gzip only, adding the module in the gzip key in the module
dictionary. When hitting the cache on next calls, the gzip key would be
found, so its value (the module) is used. However the default class_name
(Bintoolgzip) is used, failing the getattr call.
Instead, let's enforce the same class name: Bintool<packer>, whatever
the filename it is contained in.
Cc: Quentin Schulz <[email protected]>
Signed-off-by: Quentin Schulz <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
A binary download is not great, since it depends on libraries being
present in the system. Build futility from source instead.
Signed-off-by: Simon Glass <[email protected]>
|
|
Upstream bzip2 1.0.x actually is stuck when running bzip2 -V and
redirecting the output. This is fixed in Debian for about a decade
already in
https://git.launchpad.net/ubuntu/+source/bzip2/tree/debian/patches/20-legacy.patch?h=ubuntu/jammy
and in bzip2 1.1.x (no release yet, see
https://gitlab.com/bzip2/bzip2/-/commit/65179284ceddc43e6388bf4ed8c2d85cf16e1b2f
).
Fedora notably does not have such a patch.
Since bzip2 --help actually prints the version number too, let's use it
instead so that binman works fine on (hopefully) all distributions.
Fixes: 45aa2798008c ("binman: Add bzip2 bintool")
Signed-off-by: Quentin Schulz <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
Bintool.version can now be passed the binary argument to return the
version text, so there's no need to override it in futility anymore.
Signed-off-by: Quentin Schulz <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
Bintool.version can now be passed the binary argument to return the
version text, so there's no need to override it in fiptool anymore.
Signed-off-by: Quentin Schulz <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
Bintool.version already contains everything required to get the version
out of mkimage binary so let's not override it with its own
implementation.
Signed-off-by: Quentin Schulz <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
Bintool.version already contains everything required to get the version
out of lz4 binary so let's not override it with its own implementation.
Signed-off-by: Quentin Schulz <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
The binary is looked on the system by the suffix of the packer class.
This means binman was looking for btool_gzip on the system and not gzip.
Therefore, let's pass "gzip" as the name so that it can be found and
used.
Fixes: 0f369d79925a ("binman: Add gzip bintool")
Signed-off-by: Quentin Schulz <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
Add zstd bintool to binman to support on-the-fly compression.
Signed-off-by: Stefan Herbrechtsmeier <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
Add xz bintool to binman to support on-the-fly compression.
Signed-off-by: Stefan Herbrechtsmeier <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
Add lzop bintool to binman to support on-the-fly compression.
Signed-off-by: Stefan Herbrechtsmeier <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
Add gzip bintool to binman to support on-the-fly compression of Linux
kernel images and FPGA bitstreams. The SPL basic fitImage implementation
supports only gzip decompression.
Signed-off-by: Stefan Herbrechtsmeier <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
Rename the module and support this, since gzip.py is a system module:
Signed-off-by: Simon Glass <[email protected]>
|
|
Add bzip2 bintool to binman to support on-the-fly compression.
Signed-off-by: Stefan Herbrechtsmeier <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
The conversion to bintools broke the invocation of the utility, since
the arguments are not correct. Fix it.
Signed-off-by: Simon Glass <[email protected]>
|
|
Convert this file to snake case and update all files which use it.
Signed-off-by: Simon Glass <[email protected]>
|
|
Add a Bintool for this, which is used to compress and decompress data.
It supports the features needed by binman as well as installing via the
lzma-alone package.
Signed-off-by: Simon Glass <[email protected]>
|
|
Add a Bintool for this, which is used to compress and decompress data.
It supports the features needed by binman as well as installing via the
lz4 package.
Signed-off-by: Simon Glass <[email protected]>
|
|
Add a Bintool for this, which is used to build images for use by U-Boot.
It supports the features needed by binman as well as installing via the
u-boot-tools packages. Although this is built in the U-Boot tree, it is
still useful to install a binary on the system.
Signed-off-by: Simon Glass <[email protected]>
|
|
Add a Bintool for this, which is used to build Intel IFWI images. It
supports the features needed by the tests as well as downloading a binary
from Google Drive. Although this is built in the U-Boot tree, it is not
currently included with u-boot-tools, so it may be useful to install a
binary on the system.
Signed-off-by: Simon Glass <[email protected]>
|
|
Add a Bintool for this, which is used to sign Chrome OS images and
build the Google Binary Block (GBB). It supports the features needed by
binman as well as fetching a binary from Google Drive. Building it from
source is possible but is left for another time, as it requires at least
one other library.
Signed-off-by: Simon Glass <[email protected]>
|
|
Add a Bintool for this, which is used to run FIP tests. It supports
the features needed by the tests as well as building a binary from
the git tree.
Signed-off-by: Simon Glass <[email protected]>
|
|
Add a Bintool for this, which is used to run CBFS tests. It supports
the features needed by the tests as well as fetching a binary from
Google Drive. Building it from source is very slow since it is not
separately supported by the coreboot build system and it builds an
entire gcc toolchain before starting.
Signed-off-by: Simon Glass <[email protected]>
|
|
Add tests to cover the bintool functionality.
Signed-off-by: Simon Glass <[email protected]>
|
