binman: ti-secure: Add support for TI signing

The ti-secure entry contains a certificate for binaries that will be
loaded or booted by system firmware whereas the ti-secure-rom entry
contains a certificate for binaries that will be booted by ROM. Support
for both these types of certificates is necessary for booting of K3
devices.

Reviewed-by: Simon Glass <sjg@chromium.org>
[vigneshr@ti.com: fixed inconsistent cert generation by multiple packing]
Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
Signed-off-by: Neha Malcom Francis <n-francis@ti.com>
diff --git a/tools/binman/entries.rst b/tools/binman/entries.rst
index 8a9e778..1621ff3 100644
--- a/tools/binman/entries.rst
+++ b/tools/binman/entries.rst
@@ -1712,6 +1712,71 @@
 
 
 
+.. _etype_ti_secure:
+
+Entry: ti-secure: Entry containing a TI x509 certificate binary
+---------------------------------------------------------------
+
+Properties / Entry arguments:
+    - content: List of phandles to entries to sign
+    - keyfile: Filename of file containing key to sign binary with
+    - sha: Hash function to be used for signing
+
+Output files:
+    - input.<unique_name> - input file passed to openssl
+    - config.<unique_name> - input file generated for openssl (which is
+      used as the config file)
+    - cert.<unique_name> - output file generated by openssl (which is
+      used as the entry contents)
+
+openssl signs the provided data, using the TI templated config file and
+writes the signature in this entry. This allows verification that the
+data is genuine.
+
+
+
+.. _etype_ti_secure_rom:
+
+Entry: ti-secure-rom: Entry containing a TI x509 certificate binary for images booted by ROM
+--------------------------------------------------------------------------------------------
+
+Properties / Entry arguments:
+    - keyfile: Filename of file containing key to sign binary with
+    - combined: boolean if device follows combined boot flow
+    - countersign: boolean if device contains countersigned system firmware
+    - load: load address of SPL
+    - sw-rev: software revision
+    - sha: Hash function to be used for signing
+    - core: core on which bootloader runs, valid cores are 'secure' and 'public'
+    - content: phandle of SPL in case of legacy bootflow or phandles of component binaries
+      in case of combined bootflow
+
+The following properties are only for generating a combined bootflow binary:
+    - sysfw-inner-cert: boolean if binary contains sysfw inner certificate
+    - dm-data: boolean if binary contains dm-data binary
+    - content-sbl: phandle of SPL binary
+    - content-sysfw: phandle of sysfw binary
+    - content-sysfw-data: phandle of sysfw-data or tifs-data binary
+    - content-sysfw-inner-cert (optional): phandle of sysfw inner certificate binary
+    - content-dm-data (optional): phandle of dm-data binary
+    - load-sysfw: load address of sysfw binary
+    - load-sysfw-data: load address of sysfw-data or tifs-data binary
+    - load-sysfw-inner-cert (optional): load address of sysfw inner certificate binary
+    - load-dm-data (optional): load address of dm-data binary
+
+Output files:
+    - input.<unique_name> - input file passed to openssl
+    - config.<unique_name> - input file generated for openssl (which is
+      used as the config file)
+    - cert.<unique_name> - output file generated by openssl (which is
+      used as the entry contents)
+
+openssl signs the provided data, using the TI templated config file and
+writes the signature in this entry. This allows verification that the
+data is genuine.
+
+
+
 .. _etype_u_boot:
 
 Entry: u-boot: U-Boot flat binary
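
Review bot: In the ti-secure-rom property list, `content` is documented as "phandles of component binaries in case of combined bootflow", but the combined-only list that follows introduces `content-sbl`, `content-sysfw` and `content-sysfw-data` for what appear to be the same binaries. Please state which of the two is read when `combined` is set, and whether `content` is then still required. In both entries, `sha` is described only as "Hash function to be used for signing", with no accepted values or default, whereas `core` does list its valid values. Since this property decides the digest used in the certificate, the accepted values should be spelled out. The same goes for the format of `load` and `sw-rev`, and for which properties are mandatory, given that only some of the combined ones are marked "(optional)". The closing paragraph says openssl "writes the signature in this entry", while the entry titles and the `cert.<unique_name>` output describe an x509 certificate as the entry contents. Use one term so readers know what ends up in the image. Also, "boot flow" and "bootflow" are both used; pick one spelling.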