From 4c234bdc0ce852e3401b98c672f9e704c285a14b Mon Sep 17 00:00:00 2001
From: Roger Quadros
Date: Thu, 17 Feb 2022 22:18:50 +0200
Subject: [PATCH] tools: binman: add ti-secure entry type
This entry type is used to create a secured binary for use with K3 High Security (HS) devices. This allows us to no longer depend on k3_fit_atf.sh for A53 SPL and u-boot image generation even for HS devices. We still depend on the availability of an external tool provided by the TI_SECURE_DEV_PKG environment variable to secure the binaries.
Signed-off-by: Roger Quadros
---
Makefile | 1 +
tools/binman/README.entries | 15 +++++++++
tools/binman/etype/ti_secure.py | 59 +++++++++++++++++++++++++++++++++
tools/binman/ftest.py | 8 +++++
4 files changed, 83 insertions(+)
create mode 100644 tools/binman/etype/ti_secure.py
diff --git a/Makefile b/Makefile
index 1fe59a9bbd..c8a878a4ce 100644
--- a/Makefile
+++ b/Makefile
@@ -1339,6 +1339,7 @@ cmd_binman = $(srctree)/tools/binman/binman $(if $(BINMAN_DEBUG),-D) \
 -I arch/$(ARCH)/dts -a of-list=$(CONFIG_OF_LIST) \
 -a atf-bl31-path=${BL31} \
 -a tee-os-path=${TEE} \
+ -a ti-secure-dev-pkg-path=${TI_SECURE_DEV_PKG} \
 -a default-dt=$(default_dt) \
 -a scp-path=$(SCP) \
 $(BINMAN_$(@F))
diff --git a/tools/binman/README.entries b/tools/binman/README.entries
index 79ab1f0b1f..991f004cc7 100644
--- a/tools/binman/README.entries
+++ b/tools/binman/README.entries
@@ -1290,3 +1290,18 @@ may be used instead.
+Entry: ti-secure: Entry containing a Secured binary blob
+--------------------------------------------------------
+
+Properties / Entry arguments:
+ - filename: Filename of file to sign and read into entry
+
+Texas Instruments High-Security (HS) devices need secure binaries to be
+provided. This entry uses an external tool to append a x509 certificate
+to the file provided in the filename property and places it in the entry.
+
+The path for the external tool is fetched from TI_SECURE_DEV_PKG
+environment variable.
+
+
+
diff --git a/tools/binman/etype/ti_secure.py b/tools/binman/etype/ti_secure.py
new file mode 100644
index 0000000000..86772994bc
--- /dev/null
+++ b/tools/binman/etype/ti_secure.py
@@ -0,0 +1,59 @@
+# SPDX-License-Identifier: GPL-2.0+
+# Copyright (c) 2022 Texas Instruments Incorporated - https://www.ti.com/
+#
+
+# Support for secure binaries for TI K3 platform
+
+from collections import OrderedDict
+import os
+
+from binman.entry import Entry, EntryArg
+
+from dtoc import fdt_util
+from patman import tools
+
+class Entry_ti_secure(Entry):
+ """An entry which contains a secure binary for High-Security (HS) device use.
+
+ Properties / Entry arguments:
+ - filename: filename of binary file to be secured
+
+ Output files:
+ - filename_HS - output file generated by secure uility (which is
+ used as the entry contents)
+
+ """
+ def __init__(self, section, etype, node):
+ super().__init__(section, etype, node)
+ self.filename = fdt_util.GetString(self._node, 'filename')
+ self.toolpresent = False
+ if not self.filename:
+ self.Raise("ti_secure must have a 'filename' property")
+ self.toolspath, = self.GetEntryArgsOrProps(
+ [EntryArg('ti-secure-dev-pkg-path', str)])
+ if not self.toolspath:
+ print("WARNING: TI_SECURE_DEV_PKG environment " \
+ "variable must be defined for TI secure devices. " +
+ self.filename + " was NOT secured!")
+ return
+
+ self.tool = self.toolspath + "/scripts/secure-binary-image.sh"
+ self.toolpresent = os.path.exists(self.tool)
+ if not self.toolpresent:
+ print(self.tool + " not found. " +
+ self.filename + " was NOT secured!")
+
+ def ObtainContents(self):
+ input_fname = self.filename
+ output_fname = input_fname + "_HS"
+ args = [
+ input_fname, output_fname,
+ ]
+ if self.toolpresent:
+ stdout = tools.Run(self.tool, *args)
+ else:
+ stdout = tools.Run('cp', *args)
+ print(output_fname + ' not secured!')
+
+ self.SetContents(tools.ReadFile(output_fname))
+ return True
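Review bot: When TI_SECURE_DEV_PKG is unset or `secure-binary-image.sh` is absent, `ObtainContents` copies the unsigned input to `<filename>_HS`, packs it and returns True, so an HS image build succeeds with an unsigned payload and the only signal is a `print()` on stdout that nothing checks. For a signing step that is the wrong default: the `else:` branch should fail with `self.Raise("%s not secured: TI_SECURE_DEV_PKG tool missing" % input_fname)` unless the build has explicitly opted into a best-effort image (binman's `--allow-missing`/`missing` mechanism, if that is wired through to this entry — worth confirming), and `__init__` should likewise not swallow the missing tool with a print. Separately, `output_fname = input_fname + "_HS"` writes the artefact next to the input and relative to the current directory rather than the build output directory, and `input_fname` is the raw `filename` property; other entry types resolve these through `tools.GetInputFilename`/`tools.GetOutputFilename`, which presumably apply here too. Minor: `stdout` and the `OrderedDict` import are unused, `os.path.join(self.toolspath, 'scripts', 'secure-binary-image.sh')` is safer than string concatenation, and the docstring has "uility" for "utility".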
diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py
index 32014ea8d9..1a03eed040 100644
--- a/tools/binman/ftest.py
+++ b/tools/binman/ftest.py
@@ -81,6 +81,7 @@ SCP_DATA = b'scp'
 TEST_FDT1_DATA = b'fdt1'
 TEST_FDT2_DATA = b'test-fdt2'
 ENV_DATA = b'var1=1\nvar2="2"'
+TI_UNSECURE_DATA = b'this is some unsecure data'
 # Subdirectory of the input dir to use to put test FDTs
 TEST_FDT_SUBDIR = 'fdts'
@@ -189,6 +190,7 @@ class TestFunctional(unittest.TestCase):
 TEST_FDT2_DATA)
 TestFunctional._MakeInputFile('env.txt', ENV_DATA)
+TestFunctional._MakeInputFile('ti_unsecure.bin', TI_UNSECURE_DATA)
 # Travis-CI may have an old lz4
 cls.have_lz4 = True
@@ -4146,6 +4148,12 @@ class TestFunctional(unittest.TestCase):
 }
 self.assertEqual(expected, props)
+ def testPackTisecure(self):
+ """Test that an image with a TI secured binary can be created"""
+ data = self._DoReadFile('187_ti_secure.dts')
+ securedata = tools.ReadFile('ti_unsecure.bin_HS')
+ self.assertEquals(data, securedata)
+
 if __name__ == "__main__":
 unittest.main()
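Review bot: `testPackTisecure` compares the image against `ti_unsecure.bin_HS`, a file that only exists via the entry's `cp` fallback when TI_SECURE_DEV_PKG is unset, so the test pins the unsigned path and never exercises signing; it also reads that file relative to the current directory, which nothing in the diff arranges for. The test loads `187_ti_secure.dts`, but the diffstat lists four files and no test .dts, so as posted the fixture is missing and the test cannot run — the dts belongs in this patch. `self.assertEquals` is the deprecated alias; use `self.assertEqual(data, securedata)`. If the entry is changed to fail rather than copy when the tool is missing, this test should instead assert that failure (binman's `Raise` presumably surfaces as an exception `assertRaises` can catch — confirm against the entry base class) and a separate test should cover the signed path with a stub tool in the input directory.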