armv7R: K3: am654: Add support for generating build targets

Update Makefiles to generate: - tiboot3.bin: Image format that can be processed by ROM. Below is the tiboot3.bin image format that is required by ROM: _______________________ | X509 | | Certificate | | ____________________ | | | | | | | u-boot-spl.bin | | | | | | | |___________________| | |_______________________| Reviewed-by: Tom Rini <trini@konsulko.com> Signed-off-by: Lokesh Vutla <lokeshvutla@ti.com> Signed-off-by: Andreas Dannenberg <dannenberg@ti.com>
2024-11-25 05:04:23 +08:00 · 2018-11-02 19:51:04 +05:30 · 2018-11-02 19:51:04 +05:30 · 890b2e750d
commit 890b2e750d
parent 23f7b1a776
3 changed files with 118 additions and 0 deletions
--- a/arch/arm/mach-k3/Kconfig
+++ b/arch/arm/mach-k3/Kconfig
@ -47,5 +47,16 @@ config SYS_K3_BOOT_PARAM_TABLE_INDEX
 	  Address at which ROM stores the value which determines if SPL
 	  is booted up by primary boot media or secondary boot media.

+config SYS_K3_KEY
+	string "Key used to generate x509 certificate"
+	help
+	  This option enables to provide a custom key that can be used for
+	  generating x509 certificate for spl binary. If not needed leave
+	  it blank so that a random key is generated and used.
+
+config SYS_K3_BOOT_CORE_ID
+	int
+	default 16
+
 source "board/ti/am65x/Kconfig"
 endif
--- a/arch/arm/mach-k3/config.mk
+++ b/arch/arm/mach-k3/config.mk
@ -5,6 +5,65 @@

 ifdef CONFIG_SPL_BUILD

+# Openssl is required to generate x509 certificate.
+# Error out if openssl is not available.
+ifeq ($(shell which openssl),)
+$(error "No openssl in $(PATH), consider installing openssl")
+endif
+
+SHA_VALUE=  $(shell openssl dgst -sha512 -hex $(obj)/u-boot-spl.bin | sed -e "s/^.*= //g")
+IMAGE_SIZE= $(shell cat $(obj)/u-boot-spl.bin | wc -c)
+LOADADDR= $(shell echo $(CONFIG_SPL_TEXT_BASE) | sed -e "s/^0x//g")
+MAX_SIZE= $(shell printf "%d" $(CONFIG_SYS_K3_MAX_DOWNLODABLE_IMAGE_SIZE))
+
+# Parameters to get populated into the x509 template
+SED_OPTS=  -e s/TEST_IMAGE_LENGTH/$(IMAGE_SIZE)/
+SED_OPTS+= -e s/TEST_IMAGE_SHA_VAL/$(SHA_VALUE)/
+SED_OPTS+= -e s/TEST_CERT_TYPE/1/		# CERT_TYPE_PRIMARY_IMAGE_BIN
+SED_OPTS+= -e s/TEST_BOOT_CORE/$(CONFIG_SYS_K3_BOOT_CORE_ID)/
+SED_OPTS+= -e s/TEST_BOOT_ARCH_WIDTH/32/
+SED_OPTS+= -e s/TEST_BOOT_ADDR/$(LOADADDR)/
+
+# Command to generate ecparam key
+quiet_cmd_genkey = OPENSSL $@
+cmd_genkey = openssl ecparam -out $@ -name prime256v1 -genkey
+
+# Command to generate x509 certificate
+quiet_cmd_gencert = OPENSSL $@
+cmd_gencert = cat $(srctree)/tools/k3_x509template.txt | sed $(SED_OPTS) > u-boot-spl-x509.txt; \
+	openssl req -new -x509 -key $(KEY) -nodes -outform DER -out $@ -config u-boot-spl-x509.txt -sha512
+
+# If external key is not provided, generate key using openssl.
+ifeq ($(CONFIG_SYS_K3_KEY), "")
+KEY=u-boot-spl-eckey.pem
+else
+KEY=$(patsubst "%",%,$(CONFIG_SYS_K3_KEY))
+endif
+
+u-boot-spl-eckey.pem: FORCE
+	$(call if_changed,genkey)
+
+# tiboot3.bin is mandated by ROM and ROM only supports R5 boot.
+# So restrict tiboot3.bin creation for CPU_V7R.
+ifdef CONFIG_CPU_V7R
+u-boot-spl-cert.bin: $(KEY) $(obj)/u-boot-spl.bin image_check FORCE
+	$(call if_changed,gencert)
+
+image_check: $(obj)/u-boot-spl.bin FORCE
+	@if [ $(IMAGE_SIZE) -gt $(MAX_SIZE) ]; then			    \
+		echo "===============================================" >&2; \
+		echo "ERROR: Final Image too big. " >&2;		    \
+		echo "$< size = $(IMAGE_SIZE), max size = $(MAX_SIZE)" >&2; \
+		echo "===============================================" >&2; \
+		exit 1;							    \
+	fi
+
+tiboot3.bin: u-boot-spl-cert.bin $(obj)/u-boot-spl.bin FORCE
+	$(call if_changed,cat)
+
+ALL-y	+= tiboot3.bin
+endif
+
 ifdef CONFIG_ARM64
 SPL_ITS := u-boot-spl-k3.its
 $(SPL_ITS): FORCE
--- a/tools/k3_x509template.txt
+++ b/tools/k3_x509template.txt
@ -0,0 +1,48 @@
+ [ req ]
+ distinguished_name     = req_distinguished_name
+ x509_extensions        = v3_ca
+ prompt                 = no
+ dirstring_type         = nobmp
+
+ [ req_distinguished_name ]
+ C                      = US
+ ST                     = TX
+ L                      = Dallas
+ O                      = Texas Instruments Incorporated
+ OU                     = Processors
+ CN                     = TI Support
+ emailAddress           = support@ti.com
+
+ [ v3_ca ]
+ basicConstraints = CA:true
+ 1.3.6.1.4.1.294.1.1 = ASN1:SEQUENCE:boot_seq
+ 1.3.6.1.4.1.294.1.2 = ASN1:SEQUENCE:image_integrity
+ 1.3.6.1.4.1.294.1.3 = ASN1:SEQUENCE:swrv
+# 1.3.6.1.4.1.294.1.4 = ASN1:SEQUENCE:encryption
+ 1.3.6.1.4.1.294.1.8 = ASN1:SEQUENCE:debug
+
+ [ boot_seq ]
+ certType = INTEGER:TEST_CERT_TYPE
+ bootCore = INTEGER:TEST_BOOT_CORE
+ bootCoreOpts = INTEGER:TEST_BOOT_ARCH_WIDTH
+ destAddr = FORMAT:HEX,OCT:TEST_BOOT_ADDR
+ imageSize = INTEGER:TEST_IMAGE_LENGTH
+
+ [ image_integrity ]
+ shaType = OID:2.16.840.1.101.3.4.2.3
+ shaValue = FORMAT:HEX,OCT:TEST_IMAGE_SHA_VAL
+
+ [ swrv ]
+ swrv = INTEGER:0
+
+# [ encryption ]
+# initalVector = FORMAT:HEX,OCT:TEST_IMAGE_ENC_IV
+# randomString = FORMAT:HEX,OCT:TEST_IMAGE_ENC_RS
+# iterationCnt = INTEGER:TEST_IMAGE_KEY_DERIVE_INDEX
+# salt = FORMAT:HEX,OCT:TEST_IMAGE_KEY_DERIVE_SALT
+
+ [ debug ]
+ debugType = INTEGER:4
+ coreDbgEn = INTEGER:0
+ coreDbgSecEn = INTEGER:0
+ debugUID = FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000