-rw-r--r-- | configs/am64x_evm_a53_defconfig | 4 | ||||
-rw-r--r-- | configs/j7200_evm_a72_defconfig | 4 | ||||
-rw-r--r-- | configs/j721e_evm_a72_defconfig | 4 | ||||
-rw-r--r-- | configs/j721s2_evm_a72_defconfig | 3 | ||||
-rw-r--r-- | doc/board/ti/k3.rst | 170 |
5 files changed, 171 insertions, 14 deletions
diff --git a/configs/am64x_evm_a53_defconfig b/configs/am64x_evm_a53_defconfig
index 6485ed108a..123a70049a 100644
--- a/configs/am64x_evm_a53_defconfig
+++ b/configs/am64x_evm_a53_defconfig
@@ -14,7 +14,7 @@ CONFIG_TARGET_AM642_A53_EVM=y
 CONFIG_HAS_CUSTOM_SYS_INIT_SP_ADDR=y
 CONFIG_CUSTOM_SYS_INIT_SP_ADDR=0x80480000
 CONFIG_ENV_SIZE=0x20000
-CONFIG_ENV_OFFSET=0x680000
+CONFIG_SYS_SPI_U_BOOT_OFFS=0x300000
 CONFIG_DM_GPIO=y
 CONFIG_SPL_DM_SPI=y
 CONFIG_DEFAULT_DEVICE_TREE="k3-am642-evm"
@@ -79,8 +79,6 @@ CONFIG_OF_LIST="k3-am642-evm k3-am642-sk"
 CONFIG_MULTI_DTB_FIT=y
 CONFIG_SPL_MULTI_DTB_FIT=y
 CONFIG_SPL_MULTI_DTB_FIT_NO_COMPRESSION=y
-CONFIG_ENV_IS_IN_MMC=y
-CONFIG_SYS_MMC_ENV_PART=1
 CONFIG_NET_RANDOM_ETHADDR=y
 CONFIG_SPL_DM=y
 CONFIG_SPL_DM_SEQ_ALIAS=y
diff --git a/configs/j7200_evm_a72_defconfig b/configs/j7200_evm_a72_defconfig
index cc68a21217..5fc46ec8c1 100644
--- a/configs/j7200_evm_a72_defconfig
+++ b/configs/j7200_evm_a72_defconfig
@@ -12,7 +12,6 @@ CONFIG_TARGET_J7200_A72_EVM=y
 CONFIG_HAS_CUSTOM_SYS_INIT_SP_ADDR=y
 CONFIG_CUSTOM_SYS_INIT_SP_ADDR=0x80480000
 CONFIG_ENV_SIZE=0x20000
-CONFIG_ENV_OFFSET=0x680000
 CONFIG_DM_GPIO=y
 CONFIG_SPL_DM_SPI=y
 CONFIG_DEFAULT_DEVICE_TREE="k3-j7200-common-proc-board"
@@ -23,7 +22,6 @@ CONFIG_SPL_MMC=y
 CONFIG_SPL_SERIAL=y
 CONFIG_SPL_DRIVERS_MISC=y
 CONFIG_SPL_STACK_R_ADDR=0x82000000
-CONFIG_ENV_OFFSET_REDUND=0x6A0000
 CONFIG_SPL_FS_FAT=y
 CONFIG_SPL_LIBDISK_SUPPORT=y
 CONFIG_SPL_SPI_FLASH_SUPPORT=y
@@ -90,8 +88,6 @@ CONFIG_OF_CONTROL=y
 CONFIG_SPL_OF_CONTROL=y
 CONFIG_SPL_MULTI_DTB_FIT=y
 CONFIG_SPL_MULTI_DTB_FIT_NO_COMPRESSION=y
-CONFIG_ENV_OVERWRITE=y
-CONFIG_ENV_IS_IN_MMC=y
 CONFIG_SYS_REDUNDAND_ENVIRONMENT=y
 CONFIG_SYS_RELOC_GD_ENV_ADDR=y
 CONFIG_NET_RANDOM_ETHADDR=y
diff --git a/configs/j721e_evm_a72_defconfig b/configs/j721e_evm_a72_defconfig
index 32ac47cbdb..bf353aafef 100644
--- a/configs/j721e_evm_a72_defconfig
+++ b/configs/j721e_evm_a72_defconfig
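Review bot: The added `CONFIG_SYS_SPI_U_BOOT_OFFS=0x300000` in the first am64x hunk is not an environment option, yet it appears in the slot of the removed `CONFIG_ENV_OFFSET=0x680000`, and no other defconfig in this diff gains an equivalent line. If it only surfaced through a savedefconfig resync after the environment options were dropped, the commit message should say so. If it is a deliberate change to where SPL looks for U-Boot in SPI flash, it would be better as its own patch with the offset checked against the flash layout documented for the board, since a wrong value there stops the board from booting from SPI.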
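Review bot: `CONFIG_SYS_REDUNDAND_ENVIRONMENT=y` is left in place in the third j7200 hunk even though this patch removes `CONFIG_ENV_OFFSET`, `CONFIG_ENV_OFFSET_REDUND` and `CONFIG_ENV_IS_IN_MMC` from the same file, so nothing visible here still gives a redundant copy a location. The j721e and j721s2 hunks keep the same line after dropping their FAT backend. Unless an option outside these hunks still relies on it, I would drop the line in all three files so the defconfigs do not advertise a redundant stored environment that the build no longer has.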
@@ -91,11 +91,7 @@ CONFIG_OF_LIST="k3-j721e-common-proc-board k3-j721e-sk"
 CONFIG_MULTI_DTB_FIT=y
 CONFIG_SPL_MULTI_DTB_FIT=y
 CONFIG_SPL_MULTI_DTB_FIT_NO_COMPRESSION=y
-CONFIG_ENV_OVERWRITE=y
-CONFIG_ENV_IS_NOWHERE=y
-CONFIG_ENV_IS_IN_FAT=y
 CONFIG_SYS_REDUNDAND_ENVIRONMENT=y
-CONFIG_ENV_FAT_DEVICE_AND_PART="1:1"
 CONFIG_SYS_RELOC_GD_ENV_ADDR=y
 CONFIG_NET_RANDOM_ETHADDR=y
 CONFIG_SPL_DM=y
diff --git a/configs/j721s2_evm_a72_defconfig b/configs/j721s2_evm_a72_defconfig
index 37c1fdedc4..5ce4eb5390 100644
--- a/configs/j721s2_evm_a72_defconfig
+++ b/configs/j721s2_evm_a72_defconfig
@@ -89,10 +89,7 @@ CONFIG_SPL_OF_CONTROL=y
 CONFIG_OF_LIST="k3-j721s2-common-proc-board k3-am68-sk-base-board"
 CONFIG_SPL_MULTI_DTB_FIT=y
 CONFIG_SPL_MULTI_DTB_FIT_NO_COMPRESSION=y
-CONFIG_ENV_OVERWRITE=y
-CONFIG_ENV_IS_IN_FAT=y
 CONFIG_SYS_REDUNDAND_ENVIRONMENT=y
-CONFIG_ENV_FAT_DEVICE_AND_PART="1:1"
 CONFIG_SYS_RELOC_GD_ENV_ADDR=y
 CONFIG_NET_RANDOM_ETHADDR=y
 CONFIG_SPL_DM=y
diff --git a/doc/board/ti/k3.rst b/doc/board/ti/k3.rst
index 7390e0305e..2db7bbdb42 100644
--- a/doc/board/ti/k3.rst
+++ b/doc/board/ti/k3.rst
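Review bot: After the j721e hunk the defconfig names no environment backend at all, because `CONFIG_ENV_IS_NOWHERE=y` is removed together with `CONFIG_ENV_IS_IN_FAT=y`, so the backend the build ends up with depends on Kconfig defaults that are not visible here. That matters for HS builds, since the k3.rst text added in this same diff has `run envboot` import variables from a file on the MMC/eMMC FAT partition and describes a distroboot fallback when the FIT image does not work, and nothing on this page shows either path being covered by the FIT signature. I would record the resulting backend in the commit message (the `CONFIG_ENV_IS_*` lines from the generated `.config` are enough) and have the documentation say that the imported file is unauthenticated input, so devices meant to enforce signatures should restrict `boot_targets` as the note there already suggests.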
@@ -241,3 +241,173 @@ wakeup and main domain and to boot to the U-Boot prompt | `tispl.bin` for HS devices or `tispl.bin_unsigned` for GP devices | `u-boot.img` for HS devices or `u-boot.img_unsigned` for GP devices + +Fit Signature Signing +--------------------- + +K3 Platforms have fit signature signing enabled by default on their primary +platforms. Here we'll take an example for creating fit image for J721e platform +and the same can be extended to other platforms + +1. Describing FIT source + + .. code-block:: bash + + /dts-v1/; + + / { + description = "Kernel fitImage for j721e-hs-evm"; + #address-cells = <1>; + + images { + kernel-1 { + description = "Linux kernel"; + data = /incbin/("Image"); + type = "kernel"; + arch = "arm64"; + os = "linux"; + compression = "none"; + load = <0x80080000>; + entry = <0x80080000>; + hash-1 { + algo = "sha512"; + }; + + }; + fdt-ti_k3-j721e-common-proc-board.dtb { + description = "Flattened Device Tree blob"; + data = /incbin/("k3-j721e-common-proc-board.dtb"); + type = "flat_dt"; + arch = "arm64"; + compression = "none"; + load = <0x83000000>; + hash-1 { + algo = "sha512"; + }; + + }; + }; + + configurations { + default = "conf-ti_k3-j721e-common-proc-board.dtb"; + conf-ti_k3-j721e-common-proc-board.dtb { + description = "Linux kernel, FDT blob"; + fdt = "fdt-ti_k3-j721e-common-proc-board.dtb"; + kernel = "kernel-1"; + signature-1 { + algo = "sha512,rsa4096"; + key-name-hint = "custMpk"; + sign-images = "kernel", "fdt"; + }; + }; + }; + }; + + You would require to change the '/incbin/' lines to point to the respective + files in your local machine and the key-name-hint also needs to be changed + if you are using some other key other than the TI dummy key that we are + using for this example. + +2. Compile U-boot for the respective board + + .. 
code-block:: bash + + make O=build/a72 CROSS_COMPILE=aarch64-none-linux-gnu- ARCH=arm + BL31=/path/to/bl31.bin TEE=/path/to/bl32.bin + BINMAN_INDIRS="/path/to/ti-linux-firmware" -j15 + + .. note:: + + The changes only affect a72 binaries so the example just builds that + +3. Sign the fit image and embed the dtb in uboot + + Now once the build is done, you'll have a dtb for your board that you'll + be passing to mkimage for signing the fitImage and embedding the key in + the u-boot dtb. + + .. code-block:: bash + + mkimage -r -f fitImage.its -k $UBOOT_PATH/board/ti/keys -K + $UBOOT_PATH/build/a72/dts/dt.dtb + + For signing a secondary platform, pass the -K parameter to that DTB + + .. code-block:: bash + + mkimage -f fitImage.its -k $UBOOT_PATH/board/ti/keys -K + $UBOOT_PATH/build/a72/arch/arm/dts/k3-j721e-sk.dtb + + .. note:: + + If changing `CONFIG_DEFAULT_DEVICE_TREE` to the secondary platform, + binman changes would also be required so that correct dtb gets packaged. + + .. code-block:: bash + + diff --git a/arch/arm/dts/k3-j721e-binman.dtsi b/arch/arm/dts/k3-j721e-binman.dtsi + index 673be646b1e3..752fa805fe8d 100644 + --- a/arch/arm/dts/k3-j721e-binman.dtsi + +++ b/arch/arm/dts/k3-j721e-binman.dtsi + 
@@ -299,8 +299,8 @@ + #define SPL_J721E_SK_DTB "spl/dts/k3-j721e-sk.dtb" + + #define UBOOT_NODTB "u-boot-nodtb.bin" + -#define J721E_EVM_DTB "u-boot.dtb" + -#define J721E_SK_DTB "arch/arm/dts/k3-j721e-sk.dtb" + +#define J721E_EVM_DTB "arch/arm/dts/k3-j721e-common-proc-board.dtb" + +#define J721E_SK_DTB "u-boot.dtb" + +5. Rebuilt u-boot + + This is required so that the modified dtb gets updated in u-boot.img + + .. code-block:: bash + + make O=build/a72 CROSS_COMPILE=aarch64-none-linux-gnu- ARCH=arm + BL31=/path/to/bl31.bin TEE=/path/to/bl32.bin + BINMAN_INDIRS="/path/to/ti-linux-firmware" -j15 + +6. (Optional) Enabled FIT_SIGNATURE_ENFORCED + + By default u-boot will boot up the fit image without any authentication as + such if the public key is not embedded properly, to check if the public key + nodes are proper you can enable FIT_SIGNATURE_ENFORCED that would not rely + on the dtb for anything else then the signature node for checking the fit + image, rest other things will be enforced such as the property of + required-keys. This is not an extensive check so do manual checks also + + This is by default enabled for devices with TI_SECURE_DEVICE enabled. + +.. note:: + + The devices now also have distroboot enabled so if the fit image doesn't + work then the fallback to normal distroboot will be there on hs devices, + this will need to be explicitly disabled by changing the boot_targets. + +Saving environment +------------------ + +SAVEENV is disabled by default and for the new flow uses Uenv.txt as the default +way for saving the environments. This has been done as Uenv.txt is more granular +then the saveenv command and can be used across various bootmodes too. + +**Writing to MMC/EMMC** + +.. code-block:: + + => env export -t $loadaddr <list of variables> + => fatwrite mmc ${mmcdev} ${loadaddr} ${bootenvfile} ${filesize} + +**Reading from MMC/EMMC** + +By default run envboot will read it from the MMC/EMMC partition ( based on +mmcdev) and set the environments. 
+ +If manually needs to be done then the environment can be read from the +filesystem and then imported + +.. code-block:: + + => fatload mmc ${mmcdev} ${loadaddr} ${bootenvfile} + => env import -t ${loadaddr} ${filesize} |