From: Marek Vasut Date: Tue, 25 Nov 2025 15:42:57 +0000 (+0100) Subject: mkimage: Add support for bundling TEE in mkimage -f auto X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=22aa122eee021a631e1b92c761ff1a434d46890e;p=thirdparty%2Fu-boot.git mkimage: Add support for bundling TEE in mkimage -f auto Introduce two new parameters to be used with mkimage -f auto to bundle TEE image into fitImage, using auto-generated fitImage. Add -z to specify TEE file name and -Z to specify TEE load and entry point address. This is meant to be used with systems which boot all of TEE, Linux and its DT from a single fitImage, all booted by U-Boot. Example invocation: " $ mkimage -E -A arm -C none -e 0xc0008000 -a 0xc0008000 -f auto \ -d arch/arm/boot/zImage \ -b arch/arm/boot/dts/st/stm32mp135f-dhcor-dhsbc.dtb \ -z ../optee_os/out/arm-plat-stm32mp1/core/tee-raw.bin \ -Z 0xde000000 \ /path/to/output/fitImage " Documentation update and test are also included, the test validates both positive and negative test cases, where fitImage does not include TEE and does include TEE blobs. Acked-by: Quentin Schulz Signed-off-by: Marek Vasut --- diff --git a/doc/mkimage.1 b/doc/mkimage.1 index c705218d345..9a2d07cee75 100644 --- a/doc/mkimage.1 +++ b/doc/mkimage.1 @@ -251,6 +251,18 @@ Append TFA BL31 file to the image. .B \-\-tfa-bl31-addr Set TFA BL31 file load and entry point address. . +.TP +.B \-z +.TQ +.B \-\-tee-file +Append raw TEE file to the image. +. +.TP +.B \-Z +.TQ +.B \-\-tee-addr +Set raw TEE file load and entry point address, in hexadecimal. +. .SS Options for creating FIT images . .TP diff --git a/include/image.h b/include/image.h index 9a1c828416d..d543c6cf254 100644 --- a/include/image.h +++ b/include/image.h @@ -1105,6 +1105,7 @@ int booti_setup(ulong image, ulong *relocated_addr, ulong *size, #define FIT_SCRIPT_PROP "script" #define FIT_PHASE_PROP "phase" #define FIT_TFA_BL31_PROP "tfa-bl31" +#define FIT_TEE_PROP "tee" #define FIT_MAX_HASH_LEN HASH_MAX_DIGEST_SIZE diff --git a/test/py/tests/test_fit_auto_signed.py b/test/py/tests/test_fit_auto_signed.py index 6220fe6ff59..eb162f785ac 100644 --- a/test/py/tests/test_fit_auto_signed.py +++ b/test/py/tests/test_fit_auto_signed.py @@ -117,28 +117,36 @@ class SignedFitHelper(object): algo = self.__fdt_get_string(f'{node}/signature', 'algo') assert algo == sign_algo + "\n", "Missing expected signature algo!" - def check_fit_loadables(self, present): - """Test that loadables contains both kernel and TFA BL31 entries. + def check_fit_loadables(self, bl31present, teepresent): + """Test that loadables contains both kernel, TFA BL31, TEE entries. Each configuration must have a loadables property which lists both - kernel-1 and tfa-bl31-1 strings in the string list. + kernel-1, tfa-bl31-1 and tee-1 strings in the string list. """ - if present: + if bl31present: assert "/images/tfa-bl31-1" in self.images_nodes else: assert "/images/tfa-bl31-1" not in self.images_nodes + if teepresent: + assert "/images/tee-1" in self.images_nodes + else: + assert "/images/tee-1" not in self.images_nodes for node in self.confgs_nodes: loadables = self.__fdt_get_string(f'{node}', 'loadables') assert "kernel-1" in loadables - if present: + if bl31present: assert "tfa-bl31-1" in loadables else: assert "tfa-bl31-1" not in loadables + if teepresent: + assert "tee-1" in loadables + else: + assert "tee-1" not in loadables @pytest.mark.buildconfigspec('fit_signature') @pytest.mark.requiredtool('fdtget') def test_fit_auto_signed(ubman): - def generate_and_check_fit_image(cmd, crc=False, simgs=False, scfgs=False, bl31present=False, key_name="", sign_algo="", verifier=""): + def generate_and_check_fit_image(cmd, crc=False, simgs=False, scfgs=False, bl31present=False, teepresent=False, key_name="", sign_algo="", verifier=""): """Generate fitImage and test for expected entries. Generate a fitImage and test whether suitable entries are part of @@ -158,7 +166,7 @@ def test_fit_auto_signed(ubman): if scfgs: fit.check_fit_signed_confgs(key_name, sign_algo) - fit.check_fit_loadables(bl31present) + fit.check_fit_loadables(bl31present, teepresent) """Test that mkimage generates auto-FIT with signatures/hashes as expected. @@ -178,6 +186,7 @@ def test_fit_auto_signed(ubman): dt1_file = f'{tempdir}/dt-1.dtb' dt2_file = f'{tempdir}/dt-2.dtb' tfa_file = f'{tempdir}/tfa-bl31.bin' + tee_file = f'{tempdir}/tee.bin' key_name = 'sign-key' sign_algo = 'sha256,rsa4096' key_file = f'{tempdir}/{key_name}.key' @@ -196,6 +205,9 @@ def test_fit_auto_signed(ubman): with open(tfa_file, 'wb') as fd: fd.write(os.urandom(256)) + with open(tee_file, 'wb') as fd: + fd.write(os.urandom(256)) + # Create 4096 RSA key and write to file to be read by mkimage key = RSA.generate(bits=4096) verifier = pkcs1_15.new(key) @@ -238,3 +250,42 @@ def test_fit_auto_signed(ubman): generate_and_check_fit_image(' -fauto-conf' + b_args + s_args + " " + fit_file, scfgs=True, bl31present=True, key_name=key_name, sign_algo=sign_algo) + + # Run the same tests as 1/2/3 above, but this time with TEE + # options -z tee.bin -Z 0x56780000 to cover both mkimage with + # and without TEE use cases. + b_args = " -d" + kernel_file + " -b" + dt1_file + " -b" + dt2_file + " -z" + tee_file + " -Z 0x56780000" + + # 7 - Create auto FIT with images crc32 checksum, and verify it + generate_and_check_fit_image(' -fauto' + b_args + " " + fit_file, + crc=True, teepresent=True) + + # 8 - Create auto FIT with signed images, and verify it + generate_and_check_fit_image(' -fauto' + b_args + s_args + " " + fit_file, + simgs=True, teepresent=True, + key_name=key_name, sign_algo=sign_algo, verifier=verifier) + + # 9 - Create auto FIT with signed configs and hashed images, and verify it + generate_and_check_fit_image(' -fauto-conf' + b_args + s_args + " " + fit_file, + scfgs=True, teepresent=True, + key_name=key_name, sign_algo=sign_algo) + + # Run the same tests as 1/2/3 above, but this time with both + # TFA BL31 and TEE options -y tfa-bl31.bin -Y 0x12340000 and + # -z tee.bin -Z 0x56780000 to cover both mkimage with and + # without both TFA BL31 and TEE use cases. + b_args = " -d" + kernel_file + " -b" + dt1_file + " -b" + dt2_file + " -y" + tfa_file + " -Y 0x12340000" + " -z" + tee_file + " -Z 0x56780000" + + # 10 - Create auto FIT with images crc32 checksum, and verify it + generate_and_check_fit_image(' -fauto' + b_args + " " + fit_file, + crc=True, bl31present=True, teepresent=True) + + # 11 - Create auto FIT with signed images, and verify it + generate_and_check_fit_image(' -fauto' + b_args + s_args + " " + fit_file, + simgs=True, bl31present=True, teepresent=True, + key_name=key_name, sign_algo=sign_algo, verifier=verifier) + + # 12 - Create auto FIT with signed configs and hashed images, and verify it + generate_and_check_fit_image(' -fauto-conf' + b_args + s_args + " " + fit_file, + scfgs=True, bl31present=True, teepresent=True, + key_name=key_name, sign_algo=sign_algo) diff --git a/tools/fit_image.c b/tools/fit_image.c index 0306333141e..4aa0ce2dbfe 100644 --- a/tools/fit_image.c +++ b/tools/fit_image.c @@ -180,6 +180,13 @@ static int fit_calc_size(struct image_tool_params *params) total_size += size; } + if (params->fit_tee) { + size = imagetool_get_filesize(params, params->fit_tee); + if (size < 0) + return -1; + total_size += size; + } + for (cont = params->content_head; cont; cont = cont->next) { size = imagetool_get_filesize(params, cont->fname); if (size < 0) @@ -433,6 +440,30 @@ static int fit_write_images(struct image_tool_params *params, char *fdt) fdt_end_node(fdt); } + /* And a TEE file if available */ + if (params->fit_tee) { + fdt_begin_node(fdt, FIT_TEE_PROP "-1"); + + fdt_property_string(fdt, FIT_TYPE_PROP, FIT_TEE_PROP); + fdt_property_string(fdt, FIT_OS_PROP, + genimg_get_os_short_name(params->os)); + fdt_property_string(fdt, FIT_ARCH_PROP, + genimg_get_arch_short_name(params->arch)); + get_basename(str, sizeof(str), params->fit_tee); + fdt_property_string(fdt, FIT_DESC_PROP, str); + + ret = fdt_property_file(params, fdt, FIT_DATA_PROP, + params->fit_tee); + if (ret) + return ret; + fdt_property_u32(fdt, FIT_LOAD_PROP, params->fit_tee_addr); + fdt_property_u32(fdt, FIT_ENTRY_PROP, params->fit_tee_addr); + fit_add_hash_or_sign(params, fdt, true); + if (ret) + return ret; + fdt_end_node(fdt); + } + fdt_end_node(fdt); return 0; @@ -474,9 +505,13 @@ static void fit_write_configs(struct image_tool_params *params, char *fdt) fdt_property_string(fdt, typename, str); if (params->fit_tfa_bl31) { - snprintf(str, sizeof(str), "%s-1." FIT_TFA_BL31_PROP "-1", typename); - str[len] = 0; - len += strlen(FIT_TFA_BL31_PROP "-1") + 1; + snprintf(&str[len + 1], sizeof(str) - (len + 1), FIT_TFA_BL31_PROP "-1"); + len += strlen(&str[len + 1]) + 1; + } + + if (params->fit_tee) { + snprintf(&str[len + 1], sizeof(str) - (len + 1), FIT_TEE_PROP "-1"); + len += strlen(&str[len + 1]) + 1; } fdt_property(fdt, FIT_LOADABLE_PROP, str, len + 1); @@ -499,9 +534,13 @@ static void fit_write_configs(struct image_tool_params *params, char *fdt) fdt_property_string(fdt, typename, str); if (params->fit_tfa_bl31) { - snprintf(str, sizeof(str), "%s-1." FIT_TFA_BL31_PROP "-1", typename); - str[len] = 0; - len += strlen(FIT_TFA_BL31_PROP "-1") + 1; + snprintf(&str[len + 1], sizeof(str) - (len + 1), FIT_TFA_BL31_PROP "-1"); + len += strlen(&str[len + 1]) + 1; + } + + if (params->fit_tee) { + snprintf(&str[len + 1], sizeof(str) - (len + 1), FIT_TEE_PROP "-1"); + len += strlen(&str[len + 1]) + 1; } fdt_property(fdt, FIT_LOADABLE_PROP, str, len + 1); diff --git a/tools/imagetool.h b/tools/imagetool.h index 866b8834fd7..d0e7d6d56e3 100644 --- a/tools/imagetool.h +++ b/tools/imagetool.h @@ -101,6 +101,8 @@ struct image_tool_params { struct image_summary summary; /* results of signing process */ char *fit_tfa_bl31; /* TFA BL31 file to include */ unsigned int fit_tfa_bl31_addr; /* TFA BL31 load and entry point address */ + char *fit_tee; /* TEE file to include */ + unsigned int fit_tee_addr; /* TEE load and entry point address */ }; /* diff --git a/tools/mkimage.c b/tools/mkimage.c index a800f9507bf..3c43962807d 100644 --- a/tools/mkimage.c +++ b/tools/mkimage.c @@ -103,6 +103,8 @@ static void usage(const char *msg) " -s ==> create an image with no data\n" " -y ==> append TFA BL31 file to the image\n" " -Y ==> set TFA BL31 file load and entry point address\n" + " -z ==> append raw TEE file to the image\n" + " -Z ==> set raw TEE file load and entry point address\n" " -v ==> verbose\n", params.cmdname); fprintf(stderr, @@ -162,7 +164,7 @@ static int add_content(int type, const char *fname) } static const char optstring[] = - "a:A:b:B:c:C:d:D:e:Ef:Fg:G:i:k:K:ln:N:o:O:p:qrR:stT:vVxy:Y:"; + "a:A:b:B:c:C:d:D:e:Ef:Fg:G:i:k:K:ln:N:o:O:p:qrR:stT:vVxy:Y:z:Z:"; static const struct option longopts[] = { { "load-address", required_argument, NULL, 'a' }, @@ -200,6 +202,8 @@ static const struct option longopts[] = { { "xip", no_argument, NULL, 'x' }, { "tfa-bl31-file", no_argument, NULL, 'y' }, { "tfa-bl31-addr", no_argument, NULL, 'Y' }, + { "tee-file", no_argument, NULL, 'z' }, + { "tee-addr", no_argument, NULL, 'Z' }, { /* sentinel */ }, }; @@ -382,6 +386,17 @@ static void process_args(int argc, char **argv) exit(EXIT_FAILURE); } break; + case 'z': + params.fit_tee = optarg; + break; + case 'Z': + params.fit_tee_addr = strtoull(optarg, &ptr, 16); + if (*ptr) { + fprintf(stderr, "%s: invalid TEE address %s\n", + params.cmdname, optarg); + exit(EXIT_FAILURE); + } + break; default: usage("Invalid option"); }