tools: binman: add ti-secure entry type

This entry type is used to create a secured binary for use with K3 High Security (HS) devices. This allows us to no longer depend on k3_fit_atf.sh for A53 SPL and u-boot image generation even for HS devices. We still depend on the availability of an external tool provided by the TI_SECURE_DEV_PKG environment variable to secure the binaries. Signed-off-by: Roger Quadros <rogerq@kernel.org>
2022-02-17 22:18:50 +02:00 · 2022-02-17 22:18:50 +02:00 · 4c234bdc0c
parent a04d820c97
commit 4c234bdc0c
4 changed files with 83 additions and 0 deletions
--- a/1
+++ b/1
@ -1339,6 +1339,7 @@ cmd_binman = $(srctree)/tools/binman/binman $(if $(BINMAN_DEBUG),-D) \
 		-I arch/$(ARCH)/dts -a of-list=$(CONFIG_OF_LIST) \
 		-a atf-bl31-path=${BL31} \
 		-a tee-os-path=${TEE} \
 		-a ti-secure-dev-pkg-path=${TI_SECURE_DEV_PKG} \
 		-a default-dt=$(default_dt) \
 		-a scp-path=$(SCP) \
 		$(BINMAN_$(@F))
--- a/tools/binman/README.entries
+++ b/tools/binman/README.entries
@ -1290,3 +1290,18 @@ may be used instead.
 Entry: ti-secure: Entry containing a Secured binary blob
 --------------------------------------------------------
 Properties / Entry arguments:
    - filename: Filename of file to sign and read into entry
 Texas Instruments High-Security (HS) devices need secure binaries to be
 provided. This entry uses an external tool to append a x509 certificate
 to the file provided in the filename property and places it in the entry.
 The path for the external tool is fetched from TI_SECURE_DEV_PKG
 environment variable.
--- a/tools/binman/etype/ti_secure.py
+++ b/tools/binman/etype/ti_secure.py
@ -0,0 +1,59 @@
 # SPDX-License-Identifier: GPL-2.0+
 # Copyright (c) 2022 Texas Instruments Incorporated - https://www.ti.com/
 #
 # Support for secure binaries for TI K3 platform
 from collections import OrderedDict
 import os
 from binman.entry import Entry, EntryArg
 from dtoc import fdt_util
 from patman import tools
 class Entry_ti_secure(Entry):
    """An entry which contains a secure binary for High-Security (HS) device use.
    Properties / Entry arguments:
 	- filename: filename of binary file to be secured
    Output files:
        - filename_HS - output file generated by secure uility (which is
            used as the entry contents)
    """
    def __init__(self, section, etype, node):
        super().__init__(section, etype, node)
        self.filename = fdt_util.GetString(self._node, 'filename')
        self.toolpresent = False
        if not self.filename:
            self.Raise("ti_secure must have a 'filename' property")
        self.toolspath, = self.GetEntryArgsOrProps(
            [EntryArg('ti-secure-dev-pkg-path', str)])
        if not self.toolspath:
            print("WARNING: TI_SECURE_DEV_PKG environment " \
                  "variable must be defined for TI secure devices. " +
                  self.filename + " was NOT secured!")
            return
        self.tool = self.toolspath + "/scripts/secure-binary-image.sh"
        self.toolpresent = os.path.exists(self.tool)
        if not self.toolpresent:
            print(self.tool + " not found. " +
                  self.filename + " was NOT secured!")
    def ObtainContents(self):
        input_fname = self.filename
        output_fname =  input_fname + "_HS"
        args = [
            input_fname, output_fname,
        ]
        if self.toolpresent:
            stdout = tools.Run(self.tool, *args)
        else:
            stdout = tools.Run('cp', *args)
            print(output_fname + ' not secured!')
        self.SetContents(tools.ReadFile(output_fname))
        return True
--- a/tools/binman/ftest.py
+++ b/tools/binman/ftest.py
@ -81,6 +81,7 @@ SCP_DATA              = b'scp'
 TEST_FDT1_DATA        = b'fdt1'
 TEST_FDT2_DATA        = b'test-fdt2'
 ENV_DATA              = b'var1=1\nvar2="2"'
 TI_UNSECURE_DATA      = b'this is some unsecure data'
 # Subdirectory of the input dir to use to put test FDTs
 TEST_FDT_SUBDIR       = 'fdts'
@ -189,6 +190,7 @@ class TestFunctional(unittest.TestCase):
                                      TEST_FDT2_DATA)
        TestFunctional._MakeInputFile('env.txt', ENV_DATA)
        TestFunctional._MakeInputFile('ti_unsecure.bin', TI_UNSECURE_DATA)
        # Travis-CI may have an old lz4
        cls.have_lz4 = True
@ -4146,6 +4148,12 @@ class TestFunctional(unittest.TestCase):
            }
        self.assertEqual(expected, props)
    def testPackTisecure(self):
        """Test that an image with a TI secured binary can be created"""
        data = self._DoReadFile('187_ti_secure.dts')
 	securedata = tools.ReadFile('ti_unsecure.bin_HS')
 	self.assertEquals(data, securedata)
 if __name__ == "__main__":
    unittest.main()