From: Andrew F. Davis Date: Fri, 6 Jan 2017 22:20:02 +0000 (-0600) Subject: arm: mach-omap2: Fix secure file generation X-Git-Tag: v2017.01~5 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=7410f1464e3fc2e35761160176c8ce14c5122bc9;p=platform%2Fkernel%2Fu-boot.git arm: mach-omap2: Fix secure file generation When TI_SECURE_DEV_PKG is not defined we warn that the file '*_HS' was not generated but generate an unsigned one anyway, first fix this warning to say that it was generated but not secured. When the user then exports TI_SECURE_DEV_PKG after getting this warning, and tries to re-build, 'make' will detect the build artifacts as unchanged and so assume they do not need to be re-generated. This causes it to fail to sign the files and it will pack unsigned files into the final image, even though TI_SECURE_DEV_PKG is now correctly defined and working. Fix this by using FORCE on the targets causes them to be re-run even if the dependent files have not changed. This then causes another issue. We currently rename the signed dtb files to overwrite the non-signed ones. We do this so the 'mkimage' tool gives the packaged dtb sections the correct name. If we do not rename the files then SPL will not find them during boot. Fix this by renaming the dtb files by appending _HS to the end of the filename, after the ".dtb", this causes them to still be named correctly in the FIT blob. Signed-off-by: Andrew F. Davis --- diff --git a/arch/arm/mach-omap2/config_secure.mk b/arch/arm/mach-omap2/config_secure.mk index 1122439e38..0c843338d7 100644 --- a/arch/arm/mach-omap2/config_secure.mk +++ b/arch/arm/mach-omap2/config_secure.mk @@ -3,7 +3,7 @@ # # SPDX-License-Identifier: GPL-2.0+ # -quiet_cmd_mkomapsecimg = MKIMAGE $@ +quiet_cmd_mkomapsecimg = SECURE $@ ifneq ($(TI_SECURE_DEV_PKG),) ifneq ($(wildcard $(TI_SECURE_DEV_PKG)/scripts/create-boot-image.sh),) ifneq ($(CONFIG_SPL_BUILD),) @@ -18,11 +18,12 @@ endif else cmd_mkomapsecimg = echo "WARNING:" \ "$(TI_SECURE_DEV_PKG)/scripts/create-boot-image.sh not found." \ - "$@ was NOT created!" + "$@ was NOT secured!"; cp $< $@ endif else cmd_mkomapsecimg = echo "WARNING: TI_SECURE_DEV_PKG environment" \ - "variable must be defined for TI secure devices. $@ was NOT created!" + "variable must be defined for TI secure devices. \ + $@ was NOT secured!"; cp $< $@ endif ifdef CONFIG_SPL_LOAD_FIT @@ -35,51 +36,51 @@ cmd_omapsecureimg = $(TI_SECURE_DEV_PKG)/scripts/secure-binary-image.sh \ else cmd_omapsecureimg = echo "WARNING:" \ "$(TI_SECURE_DEV_PKG)/scripts/secure-binary-image.sh not found." \ - "$@ was NOT created!"; cp $< $@ + "$@ was NOT secured!"; cp $< $@ endif else cmd_omapsecureimg = echo "WARNING: TI_SECURE_DEV_PKG environment" \ "variable must be defined for TI secure devices." \ - "$@ was NOT created!"; cp $< $@ + "$@ was NOT secured!"; cp $< $@ endif endif # Standard X-LOADER target (QPSI, NOR flash) -u-boot-spl_HS_X-LOADER: $(obj)/u-boot-spl.bin +u-boot-spl_HS_X-LOADER: $(obj)/u-boot-spl.bin FORCE $(call if_changed,mkomapsecimg) # For MLO targets (SD card boot) the final file name that is copied to the SD # card FAT partition must be MLO, so we make a copy of the output file to a new # file with that name -u-boot-spl_HS_MLO: $(obj)/u-boot-spl.bin +u-boot-spl_HS_MLO: $(obj)/u-boot-spl.bin FORCE $(call if_changed,mkomapsecimg) @if [ -f $@ ]; then \ cp -f $@ MLO; \ fi # Standard 2ND target (certain peripheral boot modes) -u-boot-spl_HS_2ND: $(obj)/u-boot-spl.bin +u-boot-spl_HS_2ND: $(obj)/u-boot-spl.bin FORCE $(call if_changed,mkomapsecimg) # Standard ULO target (certain peripheral boot modes) -u-boot-spl_HS_ULO: $(obj)/u-boot-spl.bin +u-boot-spl_HS_ULO: $(obj)/u-boot-spl.bin FORCE $(call if_changed,mkomapsecimg) # Standard ISSW target (certain devices, various boot modes) -u-boot-spl_HS_ISSW: $(obj)/u-boot-spl.bin +u-boot-spl_HS_ISSW: $(obj)/u-boot-spl.bin FORCE $(call if_changed,mkomapsecimg) # For SPI flash on AM335x and AM43xx, these require special byte swap handling # so we use the SPI_X-LOADER target instead of X-LOADER and let the # create-boot-image.sh script handle that -u-boot-spl_HS_SPI_X-LOADER: $(obj)/u-boot-spl.bin +u-boot-spl_HS_SPI_X-LOADER: $(obj)/u-boot-spl.bin FORCE $(call if_changed,mkomapsecimg) # For supporting single stage XiP QSPI on AM43xx, the image is a full u-boot # file, not an SPL. In this case the mkomapsecimg command looks for a # u-boot-HS_* prefix -u-boot_HS_XIP_X-LOADER: $(obj)/u-boot.bin +u-boot_HS_XIP_X-LOADER: $(obj)/u-boot.bin FORCE $(call if_changed,mkomapsecimg) # For supporting the SPL loading and interpreting of FIT images whose @@ -90,21 +91,18 @@ ifdef CONFIG_SPL_LOAD_FIT MKIMAGEFLAGS_u-boot_HS.img = -f auto -A $(ARCH) -T firmware -C none -O u-boot \ -a $(CONFIG_SYS_TEXT_BASE) -e $(CONFIG_SYS_UBOOT_START) \ -n "U-Boot $(UBOOTRELEASE) for $(BOARD) board" -E \ - $(patsubst %,-b arch/$(ARCH)/dts/%.dtb,$(subst ",,$(CONFIG_OF_LIST))) + $(patsubst %,-b arch/$(ARCH)/dts/%.dtb_HS,$(subst ",,$(CONFIG_OF_LIST))) OF_LIST_TARGETS = $(patsubst %,arch/$(ARCH)/dts/%.dtb,$(subst ",,$(CONFIG_OF_LIST))) $(OF_LIST_TARGETS): dtbs -%_HS.dtb: %.dtb +%.dtb_HS: %.dtb FORCE $(call if_changed,omapsecureimg) - $(Q)if [ -f $@ ]; then \ - cp -f $@ $<; \ - fi -u-boot-nodtb_HS.bin: u-boot-nodtb.bin +u-boot-nodtb_HS.bin: u-boot-nodtb.bin FORCE $(call if_changed,omapsecureimg) -u-boot_HS.img: u-boot-nodtb_HS.bin u-boot.img $(patsubst %.dtb,%_HS.dtb,$(OF_LIST_TARGETS)) +u-boot_HS.img: u-boot-nodtb_HS.bin u-boot.img $(patsubst %.dtb,%.dtb_HS,$(OF_LIST_TARGETS)) FORCE $(call if_changed,mkimage) $(Q)if [ -f $@ ]; then \ cp -f $@ u-boot.img; \