# ASPEED AST2600 devices can use Aspeed's utility 'socsec'
# to sign the SPL (the matching public key is written to the SoC's OTP
# region). The variables below carry default values to the sign_spl()
# function below; a machine/distro config enables signing by setting
# SOCSEC_SIGN_ENABLE = "1" and pointing SOCSEC_SIGN_KEY at the key.
SOCSEC_SIGN_ENABLE ?= "0"
# Path to the RSA private key file handed to socsec as --rsa_sign_key.
SOCSEC_SIGN_KEY ?= ""
SOCSEC_SIGN_SOC ?= "2600"
SOCSEC_SIGN_ALGO ?= "RSA4096_SHA512"
# Optional external signing helper handed to socsec as --signing_helper
# (presumably the hook for keeping the private key off the build host,
# e.g. behind an HSM - confirm against the socsec documentation).
SOCSEC_SIGN_HELPER ?= ""
# u-boot-aspeed-sdk commit '2c3b53489c ast2600: Modify SPL SRAM layout'
# changes the SRAM layout so that the verification region does NOT
# intersect the stack. The parameter below can be used to instruct
# socsec to work in either mode (omitting it throws a warning), but
# newer (post v00.03.03) u-boot-aspeed-sdk need this set to false
SOCSEC_SIGN_EXTRA_OPTS ?= "--stack_intersects_verification_region=false"
# Pull in the native socsec tool only when signing is actually enabled.
DEPENDS += '${@oe.utils.conditional("SOCSEC_SIGN_ENABLE", "1", " socsec-native", "", d)}'
# Signs the SPL binary with a pre-established key; called once per u-boot
# config by sign_spl() below, which sets CONFIG_B_PATH and the working dir.
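# Sign the SPL that sign_spl() has already placed in DEPLOYDIR with a
# pre-established key, using 'socsec make_secure_bl1_image'.
#
# Expects to run inside the u-boot build dir of the current config, with
# CONFIG_B_PATH set to "" or "<config>" (see sign_spl). Reads SOC_FAMILY,
# SOCSEC_SIGN_*, SPL_BINARY, SPL_IMAGE, DEPLOYDIR and B.
#
# On success the signed image replaces ${DEPLOYDIR}/${SPL_IMAGE} and is also
# copied over ${B}/${CONFIG_B_PATH}/${SPL_BINARY}, so anything that consumes
# the build tree afterwards sees the signed SPL too.
#
# NOTE(review): both guard branches below fail OPEN - the build continues and
# the UNSIGNED SPL stays in DEPLOYDIR. With the public key burned into OTP that
# image presumably will not boot; consider bbfatal for production builds.
sign_spl_helper() {
    signing_helper_args=""

    if [ "${SOC_FAMILY}" != "aspeed-g6" ] ; then
        # bbwarn rather than echo: echo output only lands in the task log,
        # bbwarn surfaces on the bitbake console where someone will see it.
        bbwarn "SPL signing is only supported on AST2600 boards"
    elif [ ! -e "${SOCSEC_SIGN_KEY}" ] ; then
        bbwarn "Invalid socsec signing key - SPL verified boot won't be available"
    else
        spl_staged="${SPL_BINARY}.staged"
        rm -f "${spl_staged}"

        if [ -n "${SOCSEC_SIGN_HELPER}" ] ; then
            signing_helper_args="--signing_helper ${SOCSEC_SIGN_HELPER}"
        fi
        # ${signing_helper_args} and ${SOCSEC_SIGN_EXTRA_OPTS} are deliberately
        # unquoted: they carry whole option words that must be split.
        # Fail closed on any socsec error so no partially-written image is
        # ever promoted into DEPLOYDIR.
        socsec make_secure_bl1_image \
            --soc "${SOCSEC_SIGN_SOC}" \
            --algorithm "${SOCSEC_SIGN_ALGO}" \
            --rsa_sign_key "${SOCSEC_SIGN_KEY}" \
            --bl1_image "${DEPLOYDIR}/${SPL_IMAGE}" \
            ${signing_helper_args} \
            ${SOCSEC_SIGN_EXTRA_OPTS} \
            --output "${spl_staged}" \
            || bbfatal "socsec failed to sign ${SPL_IMAGE}"
        cp -f "${spl_staged}" "${B}/${CONFIG_B_PATH}/${SPL_BINARY}"
        mv -f "${spl_staged}" "${DEPLOYDIR}/${SPL_IMAGE}"
    fi
}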
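# Sign the SPL for every u-boot config (or for the single build dir when
# UBOOT_CONFIG is unset). For each config this sets CONFIG_B_PATH and
# changes into the matching build dir before delegating to sign_spl_helper,
# which performs the actual socsec call.
#
# Note: the 'cd' is not undone, so the working directory of the calling task
# changes as a side effect (same as the original behaviour).
sign_spl() {
    mkdir -p "${DEPLOYDIR}"
    if [ -n "${UBOOT_CONFIG}" ]; then
        # Multi-config build: one build dir per UBOOT_MACHINE entry.
        for config in ${UBOOT_MACHINE}; do
            CONFIG_B_PATH="${config}"
            cd "${B}/${config}" || bbfatal "sign_spl: build dir ${B}/${config} is missing"
            sign_spl_helper
        done
    else
        CONFIG_B_PATH=""
        cd "${B}" || bbfatal "sign_spl: build dir ${B} is missing"
        sign_spl_helper
    fi
}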
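# Hook SPL signing onto do_deploy: runs only when signing was explicitly
# enabled AND the recipe actually produces an SPL (SPL_BINARY non-empty).
# Two separate tests instead of the obsolescent '-a' form, which can
# misparse when an operand looks like an operator.
do_deploy_append() {
    if [ "${SOCSEC_SIGN_ENABLE}" = "1" ] && [ -n "${SPL_BINARY}" ] ; then
        sign_spl
    fi
}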