From: Madan Srinivas Date: Mon, 27 Jun 2016 14:19:23 +0000 (-0500) Subject: arm: am4x: add U-Boot FIT signing and SPL image post-processing X-Git-Tag: v2016.09-rc1~131 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=e29878f;p=u-boot arm: am4x: add U-Boot FIT signing and SPL image post-processing Modify the SPL build procedure for AM437x high-security (HS) device variants to create a secure u-boot_HS.img FIT blob that contains U-Boot and DTB artifacts signed (and optionally encrypted) with a TI-specific process based on the CONFIG_TI_SECURE_DEVICE config option and the externally-provided image signing tool. Also populate the corresponding FIT image post processing call to be performed during SPL runtime. Signed-off-by: Madan Srinivas Signed-off-by: Andreas Dannenberg Reviewed-by: Tom Rini --- diff --git a/arch/arm/cpu/armv7/am33xx/config.mk b/arch/arm/cpu/armv7/am33xx/config.mk index 6d95d327b4..ab9470820d 100644 --- a/arch/arm/cpu/armv7/am33xx/config.mk +++ b/arch/arm/cpu/armv7/am33xx/config.mk @@ -26,6 +26,7 @@ endif else ifeq ($(CONFIG_TI_SECURE_DEVICE),y) ALL-$(CONFIG_QSPI_BOOT) += u-boot_HS_XIP_X-LOADER +ALL-y += u-boot_HS.img endif ALL-y += u-boot.img endif diff --git a/board/ti/am43xx/board.c b/board/ti/am43xx/board.c index f005762eda..27c311ee9d 100644 --- a/board/ti/am43xx/board.c +++ b/board/ti/am43xx/board.c @@ -13,6 +13,7 @@ #include #include #include +#include #include #include #include @@ -862,3 +863,10 @@ int board_fit_config_name_match(const char *name) return -1; } #endif + +#ifdef CONFIG_TI_SECURE_DEVICE +void board_fit_image_post_process(void **p_image, size_t *p_size) +{ + secure_boot_verify_image(p_image, p_size); +} +#endif diff --git a/configs/am43xx_hs_evm_defconfig b/configs/am43xx_hs_evm_defconfig index 4856a19f0b..68dfb6c575 100644 --- a/configs/am43xx_hs_evm_defconfig +++ b/configs/am43xx_hs_evm_defconfig @@ -13,6 +13,7 @@ CONFIG_SPL_STACK_R=y CONFIG_FIT=y CONFIG_SYS_EXTRA_OPTIONS="CONS_INDEX=1, NAND" CONFIG_SPL_LOAD_FIT=y +CONFIG_SPL_FIT_IMAGE_POST_PROCESS=y CONFIG_HUSH_PARSER=y CONFIG_CMD_BOOTZ=y # CONFIG_CMD_IMLS is not set