meta-aspeed: otp: create otp image

1. Add otptool.bbclass to create otp image.
2. Update u-boot recipe to "inherit otptool.bbclass" for
otp image creation in the u-boot tasks.
3. Update socsec tool for SPL and OTP image verification if
verify failed u-boot should be built failed.
4. Use OE logging utilities.

Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
Change-Id: I0ba5da4d112b49d182bdf2751614afe62850eac3

3 files changed, 71 insertions, 0 deletions

diff --git a/meta-aspeed/classes/otptool.bbclass b/meta-aspeed/classes/otptool.bbclass
new file mode 100644
index 0000000000..bb766c186c
--- /dev/null
+++ b/meta-aspeed/classes/otptool.bbclass
@@ -0,0 +1,60 @@
+# ASPEED AST2600 devices can use Aspeed's utility 'otptool'
+# to create OTP image
+# The variables below carry default values to the create_otp()
+# function below.
+OTPTOOL_CONFIG ?= ""
+OTPTOOL_KEY_DIR ?= ""
+OTPTOOL_EXTRA_OPTS ?= ""
+OTPTOOL_EXTRA_DEPENDS ?= " socsec-native"
+DEPENDS += '${@oe.utils.conditional("SOCSEC_SIGN_ENABLE", "1", "${OTPTOOL_EXTRA_DEPENDS}", "", d)}'
+
+# Creates the OTP image
+create_otp_helper() {
+    if [ "${SOC_FAMILY}" != "aspeed-g6" ] ; then
+        bbwarn "OTP creation is only supported on AST2600 boards"
+    elif [ ! -e "${OTPTOOL_CONFIG}" ] ; then
+        bbfatal "Invalid otptool config: ${OTPTOOL_CONFIG}"
+    elif [ ! -d "${OTPTOOL_KEY_DIR}" ] ; then
+        bbfatal "Invalid otptool signing key directory: ${OTPTOOL_KEY_DIR}"
+    else
+        otptool make_otp_image \
+            --key_folder ${OTPTOOL_KEY_DIR} \
+            ${OTPTOOL_CONFIG} \
+            ${OTPTOOL_EXTRA_OPTS}
+
+        if [ $? -ne 0 ]; then
+            bbfatal "Generated OTP image failed."
+        fi
+
+        otptool \
+            print \
+            ${B}/${CONFIG_B_PATH}/otp-all.image
+
+        if [ $? -ne 0 ]; then
+            bbfatal "Printed OTP image failed."
+        fi
+
+        install -m 0644 ${B}/${CONFIG_B_PATH}/otp-* ${DEPLOYDIR}
+    fi
+}
+
+create_otp() {
+    mkdir -p ${DEPLOYDIR}
+    if [ -n "${UBOOT_CONFIG}" ]; then
+        for config in ${UBOOT_MACHINE}; do
+            CONFIG_B_PATH="${config}"
+            cd ${B}/${config}
+            create_otp_helper
+        done
+    else
+        CONFIG_B_PATH=""
+        cd ${B}
+        create_otp_helper
+    fi
+}
+
+do_deploy:prepend() {
+    if [ "${SOCSEC_SIGN_ENABLE}" = "1" ] ; then
+        create_otp
+    fi
+}
diff --git a/meta-aspeed/classes/socsec-sign.bbclass b/meta-aspeed/classes/socsec-sign.bbclass
index 5b90da1184..f46147d748 100644
--- a/meta-aspeed/classes/socsec-sign.bbclass
+++ b/meta-aspeed/classes/socsec-sign.bbclass
@@ -60,9 +60,19 @@ sign_spl() {
     fi
 }
 
+verify_spl_otp() {
+    socsec verify \
+        --sec_image ${DEPLOYDIR}/${SPL_IMAGE} \
+        --otp_image ${DEPLOYDIR}/otp-all.image
+
+    if [ $? -ne 0 ]; then
+        bbfatal "Verified OTP image failed."
+    fi
+}
 
 do_deploy:append() {
     if [ "${SOCSEC_SIGN_ENABLE}" = "1" -a -n "${SPL_BINARY}" ] ; then
         sign_spl
+        verify_spl_otp
     fi
 }
diff --git a/meta-aspeed/recipes-bsp/u-boot/u-boot-aspeed-sdk_2019.04.bb b/meta-aspeed/recipes-bsp/u-boot/u-boot-aspeed-sdk_2019.04.bb
index 575d3876c1..108f8489d2 100644
--- a/meta-aspeed/recipes-bsp/u-boot/u-boot-aspeed-sdk_2019.04.bb
+++ b/meta-aspeed/recipes-bsp/u-boot/u-boot-aspeed-sdk_2019.04.bb
@@ -20,6 +20,7 @@ SOCSEC_SIGN_ALGO ?= "RSA4096_SHA512"
 SOCSEC_SIGN_EXTRA_OPTS ?= "--stack_intersects_verification_region=false --rsa_key_order=big"
 
 inherit socsec-sign
+inherit otptool
 
 UBOOT_ENV_SIZE:df-phosphor-mmc = "0x10000"
 UBOOT_ENV:df-phosphor-mmc = "u-boot-env"