5 files changed, 171 insertions, 14 deletions

diff --git a/configs/am64x_evm_a53_defconfig b/configs/am64x_evm_a53_defconfig
index 6485ed108a..123a70049a 100644
--- a/configs/am64x_evm_a53_defconfig
+++ b/configs/am64x_evm_a53_defconfig
@@ -14,7 +14,7 @@ CONFIG_TARGET_AM642_A53_EVM=y
 CONFIG_HAS_CUSTOM_SYS_INIT_SP_ADDR=y
 CONFIG_CUSTOM_SYS_INIT_SP_ADDR=0x80480000
 CONFIG_ENV_SIZE=0x20000
-CONFIG_ENV_OFFSET=0x680000
+CONFIG_SYS_SPI_U_BOOT_OFFS=0x300000
 CONFIG_DM_GPIO=y
 CONFIG_SPL_DM_SPI=y
 CONFIG_DEFAULT_DEVICE_TREE="k3-am642-evm"
@@ -79,8 +79,6 @@ CONFIG_OF_LIST="k3-am642-evm k3-am642-sk"
 CONFIG_MULTI_DTB_FIT=y
 CONFIG_SPL_MULTI_DTB_FIT=y
 CONFIG_SPL_MULTI_DTB_FIT_NO_COMPRESSION=y
-CONFIG_ENV_IS_IN_MMC=y
-CONFIG_SYS_MMC_ENV_PART=1
 CONFIG_NET_RANDOM_ETHADDR=y
 CONFIG_SPL_DM=y
 CONFIG_SPL_DM_SEQ_ALIAS=y
diff --git a/configs/j7200_evm_a72_defconfig b/configs/j7200_evm_a72_defconfig
index cc68a21217..5fc46ec8c1 100644
--- a/configs/j7200_evm_a72_defconfig
+++ b/configs/j7200_evm_a72_defconfig
@@ -12,7 +12,6 @@ CONFIG_TARGET_J7200_A72_EVM=y
 CONFIG_HAS_CUSTOM_SYS_INIT_SP_ADDR=y
 CONFIG_CUSTOM_SYS_INIT_SP_ADDR=0x80480000
 CONFIG_ENV_SIZE=0x20000
-CONFIG_ENV_OFFSET=0x680000
 CONFIG_DM_GPIO=y
 CONFIG_SPL_DM_SPI=y
 CONFIG_DEFAULT_DEVICE_TREE="k3-j7200-common-proc-board"
@@ -23,7 +22,6 @@ CONFIG_SPL_MMC=y
 CONFIG_SPL_SERIAL=y
 CONFIG_SPL_DRIVERS_MISC=y
 CONFIG_SPL_STACK_R_ADDR=0x82000000
-CONFIG_ENV_OFFSET_REDUND=0x6A0000
 CONFIG_SPL_FS_FAT=y
 CONFIG_SPL_LIBDISK_SUPPORT=y
 CONFIG_SPL_SPI_FLASH_SUPPORT=y
@@ -90,8 +88,6 @@ CONFIG_OF_CONTROL=y
 CONFIG_SPL_OF_CONTROL=y
 CONFIG_SPL_MULTI_DTB_FIT=y
 CONFIG_SPL_MULTI_DTB_FIT_NO_COMPRESSION=y
-CONFIG_ENV_OVERWRITE=y
-CONFIG_ENV_IS_IN_MMC=y
 CONFIG_SYS_REDUNDAND_ENVIRONMENT=y
 CONFIG_SYS_RELOC_GD_ENV_ADDR=y
 CONFIG_NET_RANDOM_ETHADDR=y
diff --git a/configs/j721e_evm_a72_defconfig b/configs/j721e_evm_a72_defconfig
index 32ac47cbdb..bf353aafef 100644
--- a/configs/j721e_evm_a72_defconfig
+++ b/configs/j721e_evm_a72_defconfig
@@ -91,11 +91,7 @@ CONFIG_OF_LIST="k3-j721e-common-proc-board k3-j721e-sk"
 CONFIG_MULTI_DTB_FIT=y
 CONFIG_SPL_MULTI_DTB_FIT=y
 CONFIG_SPL_MULTI_DTB_FIT_NO_COMPRESSION=y
-CONFIG_ENV_OVERWRITE=y
-CONFIG_ENV_IS_NOWHERE=y
-CONFIG_ENV_IS_IN_FAT=y
 CONFIG_SYS_REDUNDAND_ENVIRONMENT=y
-CONFIG_ENV_FAT_DEVICE_AND_PART="1:1"
 CONFIG_SYS_RELOC_GD_ENV_ADDR=y
 CONFIG_NET_RANDOM_ETHADDR=y
 CONFIG_SPL_DM=y
diff --git a/configs/j721s2_evm_a72_defconfig b/configs/j721s2_evm_a72_defconfig
index 37c1fdedc4..5ce4eb5390 100644
--- a/configs/j721s2_evm_a72_defconfig
+++ b/configs/j721s2_evm_a72_defconfig
@@ -89,10 +89,7 @@ CONFIG_SPL_OF_CONTROL=y
 CONFIG_OF_LIST="k3-j721s2-common-proc-board k3-am68-sk-base-board"
 CONFIG_SPL_MULTI_DTB_FIT=y
 CONFIG_SPL_MULTI_DTB_FIT_NO_COMPRESSION=y
-CONFIG_ENV_OVERWRITE=y
-CONFIG_ENV_IS_IN_FAT=y
 CONFIG_SYS_REDUNDAND_ENVIRONMENT=y
-CONFIG_ENV_FAT_DEVICE_AND_PART="1:1"
 CONFIG_SYS_RELOC_GD_ENV_ADDR=y
 CONFIG_NET_RANDOM_ETHADDR=y
 CONFIG_SPL_DM=y
diff --git a/doc/board/ti/k3.rst b/doc/board/ti/k3.rst
index 7390e0305e..2db7bbdb42 100644
--- a/doc/board/ti/k3.rst
+++ b/doc/board/ti/k3.rst
@@ -241,3 +241,173 @@ wakeup and main domain and to boot to the U-Boot prompt
 
    | `tispl.bin` for HS devices or `tispl.bin_unsigned` for GP devices
    | `u-boot.img` for HS devices or `u-boot.img_unsigned` for GP devices
+
+Fit Signature Signing
+---------------------
+
+K3 Platforms have fit signature signing enabled by default on their primary
+platforms. Here we'll take an example for creating fit image for J721e platform
+and the same can be extended to other platforms
+
+1. Describing FIT source
+
+  .. code-block:: bash
+
+    /dts-v1/;
+
+    / {
+            description = "Kernel fitImage for j721e-hs-evm";
+            #address-cells = <1>;
+
+            images {
+                    kernel-1 {
+                            description = "Linux kernel";
+                            data = /incbin/("Image");
+                            type = "kernel";
+                            arch = "arm64";
+                            os = "linux";
+                            compression = "none";
+                            load = <0x80080000>;
+                            entry = <0x80080000>;
+                            hash-1 {
+                                    algo = "sha512";
+                            };
+
+                    };
+                    fdt-ti_k3-j721e-common-proc-board.dtb {
+                            description = "Flattened Device Tree blob";
+                            data = /incbin/("k3-j721e-common-proc-board.dtb");
+                            type = "flat_dt";
+                            arch = "arm64";
+                            compression = "none";
+                            load = <0x83000000>;
+                            hash-1 {
+                                    algo = "sha512";
+                            };
+
+                    };
+            };
+
+            configurations {
+                    default = "conf-ti_k3-j721e-common-proc-board.dtb";
+                    conf-ti_k3-j721e-common-proc-board.dtb {
+                            description = "Linux kernel, FDT blob";
+                            fdt = "fdt-ti_k3-j721e-common-proc-board.dtb";
+                            kernel = "kernel-1";
+                            signature-1 {
+                                    algo = "sha512,rsa4096";
+                                    key-name-hint = "custMpk";
+                                    sign-images = "kernel", "fdt";
+                            };
+                    };
+            };
+    };
+
+  You would require to change the '/incbin/' lines to point to the respective
+  files in your local machine and the key-name-hint also needs to be changed
+  if you are using some other key other than the TI dummy key that we are
+  using for this example.
+
+2. Compile U-boot for the respective board
+
+  .. code-block:: bash
+
+     make O=build/a72 CROSS_COMPILE=aarch64-none-linux-gnu- ARCH=arm
+     BL31=/path/to/bl31.bin TEE=/path/to/bl32.bin
+     BINMAN_INDIRS="/path/to/ti-linux-firmware" -j15
+
+  .. note::
+
+    The changes only affect a72 binaries so the example just builds that
+
+3. Sign the fit image and embed the dtb in uboot
+
+  Now once the build is done, you'll have a dtb for your board that you'll
+  be passing to mkimage for signing the fitImage and embedding the key in
+  the u-boot dtb.
+
+  .. code-block:: bash
+
+    mkimage -r -f fitImage.its -k $UBOOT_PATH/board/ti/keys -K
+    $UBOOT_PATH/build/a72/dts/dt.dtb
+
+  For signing a secondary platform, pass the -K parameter to that DTB
+
+  .. code-block:: bash
+
+    mkimage -f fitImage.its -k $UBOOT_PATH/board/ti/keys -K
+    $UBOOT_PATH/build/a72/arch/arm/dts/k3-j721e-sk.dtb
+
+  .. note::
+
+    If changing `CONFIG_DEFAULT_DEVICE_TREE` to the secondary platform,
+    binman changes would also be required so that correct dtb gets packaged.
+
+    .. code-block:: bash
+
+      diff --git a/arch/arm/dts/k3-j721e-binman.dtsi b/arch/arm/dts/k3-j721e-binman.dtsi
+      index 673be646b1e3..752fa805fe8d 100644
+      --- a/arch/arm/dts/k3-j721e-binman.dtsi
+      +++ b/arch/arm/dts/k3-j721e-binman.dtsi
+      @@ -299,8 +299,8 @@
+       #define SPL_J721E_SK_DTB "spl/dts/k3-j721e-sk.dtb"
+
+       #define UBOOT_NODTB "u-boot-nodtb.bin"
+      -#define J721E_EVM_DTB "u-boot.dtb"
+      -#define J721E_SK_DTB "arch/arm/dts/k3-j721e-sk.dtb"
+      +#define J721E_EVM_DTB "arch/arm/dts/k3-j721e-common-proc-board.dtb"
+      +#define J721E_SK_DTB "u-boot.dtb"
+
+5. Rebuilt u-boot
+
+   This is required so that the modified dtb gets updated in u-boot.img
+
+   .. code-block:: bash
+
+     make O=build/a72 CROSS_COMPILE=aarch64-none-linux-gnu- ARCH=arm
+     BL31=/path/to/bl31.bin TEE=/path/to/bl32.bin
+     BINMAN_INDIRS="/path/to/ti-linux-firmware" -j15
+
+6. (Optional) Enabled FIT_SIGNATURE_ENFORCED
+
+   By default u-boot will boot up the fit image without any authentication as
+   such if the public key is not embedded properly, to check if the public key
+   nodes are proper you can enable FIT_SIGNATURE_ENFORCED that would not rely
+   on the dtb for anything else then the signature node for checking the fit
+   image, rest other things will be enforced such as the property of
+   required-keys. This is not an extensive check so do manual checks also
+
+   This is by default enabled for devices with TI_SECURE_DEVICE enabled.
+
+.. note::
+
+   The devices now also have distroboot enabled so if the fit image doesn't
+   work then the fallback to normal distroboot will be there on hs devices,
+   this will need to be explicitly disabled by changing the boot_targets.
+
+Saving environment
+------------------
+
+SAVEENV is disabled by default and for the new flow uses Uenv.txt as the default
+way for saving the environments. This has been done as Uenv.txt is more granular
+then the saveenv command and can be used across various bootmodes too.
+
+**Writing to MMC/EMMC**
+
+.. code-block::
+
+  => env export -t $loadaddr <list of variables>
+  => fatwrite mmc ${mmcdev} ${loadaddr} ${bootenvfile} ${filesize}
+
+**Reading from MMC/EMMC**
+
+By default run envboot will read it from the MMC/EMMC partition ( based on
+mmcdev) and set the environments.
+
+If manually needs to be done then the environment can be read from the
+filesystem and then imported
+
+.. code-block::
+
+  => fatload mmc ${mmcdev} ${loadaddr} ${bootenvfile}
+  => env import -t ${loadaddr} ${filesize}