binman: openssl: x509: ti_secure_rom: Add support for bootcore_opts
According to the TRMs of K3 platform of devices, the ROM boot image
format specifies a "Core Options Field" that provides the capability to
set the boot core in lockstep when set to 0 or to split mode when set
to 2. Add support for providing the same from the binman DTS. Also
modify existing test case for ensuring future coverage.
Signed-off-by: Neha Malcom Francis <n-francis@ti.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
diff --git a/tools/binman/btool/openssl.py b/tools/binman/btool/openssl.py
index aad3b61..7ee2683 100644
--- a/tools/binman/btool/openssl.py
+++ b/tools/binman/btool/openssl.py
@@ -155,6 +155,7 @@
C, ST, L, O, OU, CN and emailAddress
cert_type (int): Certification type
bootcore (int): Booting core
+ bootcore_opts(int): Booting core option, lockstep (0) or split (2) mode
load_addr (int): Load address of image
sha (int): Hash function
@@ -225,7 +226,7 @@
imagesize_sbl, hashval_sbl, load_addr_sysfw, imagesize_sysfw,
hashval_sysfw, load_addr_sysfw_data, imagesize_sysfw_data,
hashval_sysfw_data, sysfw_inner_cert_ext_boot_block,
- dm_data_ext_boot_block):
+ dm_data_ext_boot_block, bootcore_opts):
"""Create a certificate
Args:
@@ -241,6 +242,7 @@
bootcore (int): Booting core
load_addr (int): Load address of image
sha (int): Hash function
+ bootcore_opts (int): Booting core option, lockstep (0) or split (2) mode
Returns:
str: Tool output
@@ -285,7 +287,7 @@
[sbl]
compType = INTEGER:1
bootCore = INTEGER:16
-compOpts = INTEGER:0
+compOpts = INTEGER:{bootcore_opts}
destAddr = FORMAT:HEX,OCT:{load_addr:08x}
compSize = INTEGER:{imagesize_sbl}
shaType = OID:{sha_type}
diff --git a/tools/binman/entries.rst b/tools/binman/entries.rst
index e7b4e93..2402adb 100644
--- a/tools/binman/entries.rst
+++ b/tools/binman/entries.rst
@@ -1944,6 +1944,7 @@
- core: core on which bootloader runs, valid cores are 'secure' and 'public'
- content: phandle of SPL in case of legacy bootflow or phandles of component binaries
in case of combined bootflow
+ - core-opts (optional): lockstep (0) or split (2) mode set to 0 by default
The following properties are only for generating a combined bootflow binary:
- sysfw-inner-cert: boolean if binary contains sysfw inner certificate
diff --git a/tools/binman/etype/ti_secure_rom.py b/tools/binman/etype/ti_secure_rom.py
index 9a7ac9e..f6fc3f9 100644
--- a/tools/binman/etype/ti_secure_rom.py
+++ b/tools/binman/etype/ti_secure_rom.py
@@ -32,6 +32,7 @@
- core: core on which bootloader runs, valid cores are 'secure' and 'public'
- content: phandle of SPL in case of legacy bootflow or phandles of component binaries
in case of combined bootflow
+ - core-opts (optional): lockstep (0) or split (2) mode set to 0 by default
The following properties are only for generating a combined bootflow binary:
- sysfw-inner-cert: boolean if binary contains sysfw inner certificate
@@ -69,6 +70,7 @@
self.sw_rev = fdt_util.GetInt(self._node, 'sw-rev', 1)
self.sha = fdt_util.GetInt(self._node, 'sha', 512)
self.core = fdt_util.GetString(self._node, 'core', 'secure')
+ self.bootcore_opts = fdt_util.GetInt(self._node, 'core-opts')
self.key_fname = self.GetEntryArgsOrProps([
EntryArg('keyfile', str)], required=True)[0]
if self.combined:
@@ -97,17 +99,19 @@
bytes content of the entry, which is the certificate binary for the
provided data
"""
+ if self.bootcore_opts is None:
+ self.bootcore_opts = 0
+
if self.core == 'secure':
if self.countersign:
self.cert_type = 3
else:
self.cert_type = 2
self.bootcore = 0
- self.bootcore_opts = 32
else:
self.cert_type = 1
self.bootcore = 16
- self.bootcore_opts = 0
+
return super().GetCertificate(required=required, type='rom')
def CombinedGetCertificate(self, required):
@@ -126,6 +130,9 @@
self.num_comps = 3
self.sha_type = SHA_OIDS[self.sha]
+ if self.bootcore_opts is None:
+ self.bootcore_opts = 0
+
# sbl
self.content = fdt_util.GetPhandleList(self._node, 'content-sbl')
input_data_sbl = self.GetContents(required)
diff --git a/tools/binman/etype/x509_cert.py b/tools/binman/etype/x509_cert.py
index d028cfe..fc0bb12 100644
--- a/tools/binman/etype/x509_cert.py
+++ b/tools/binman/etype/x509_cert.py
@@ -136,7 +136,8 @@
imagesize_sysfw_data=self.imagesize_sysfw_data,
hashval_sysfw_data=self.hashval_sysfw_data,
sysfw_inner_cert_ext_boot_block=self.sysfw_inner_cert_ext_boot_block,
- dm_data_ext_boot_block=self.dm_data_ext_boot_block
+ dm_data_ext_boot_block=self.dm_data_ext_boot_block,
+ bootcore_opts=self.bootcore_opts
)
if stdout is not None:
data = tools.read_file(output_fname)
diff --git a/tools/binman/test/297_ti_secure_rom.dts b/tools/binman/test/297_ti_secure_rom.dts
index d131376..1a3eca9 100644
--- a/tools/binman/test/297_ti_secure_rom.dts
+++ b/tools/binman/test/297_ti_secure_rom.dts
@@ -9,6 +9,7 @@
binman {
ti-secure-rom {
content = <&unsecure_binary>;
+ core-opts = <2>;
};
unsecure_binary: blob-ext {
filename = "ti_unsecure.bin";