[meta-freescale] [PATCH 23/29] secure-boot-qoriq : add recipes

Otavio Salvador otavio.salvador at ossystems.com.br
Sat Sep 30 06:06:44 PDT 2017


On Thu, Sep 28, 2017 at 2:34 AM, Chunrong Guo <B40290 at freescale.com> wrote:
> From: Chunrong Guo <chunrong.guo at nxp.com>
>
> Signed-off-by: Chunrong Guo <chunrong.guo at nxp.com>>

This seems complex and has a lot of indirection that could be
simplified. Instead of keeping the scripts in variables, why not use
text files, which keep their indentation and are easier to read?

> ---
>  recipes-bsp/u-boot/secure-boot-qoriq.bb | 177 ++++++++++++++++++++++++++++++++
>  1 file changed, 177 insertions(+)
>  create mode 100644 recipes-bsp/u-boot/secure-boot-qoriq.bb
>
> diff --git a/recipes-bsp/u-boot/secure-boot-qoriq.bb b/recipes-bsp/u-boot/secure-boot-qoriq.bb
> new file mode 100644
> index 0000000..d4ba2dc
> --- /dev/null
> +++ b/recipes-bsp/u-boot/secure-boot-qoriq.bb
> @@ -0,0 +1,177 @@
> +DESCRIPTION = "NXP secure bootloader for qoriq devices"
> +SECTION = "bootloaders"
> +LICENSE = "GPLv2"
> +
> +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
> +
> +inherit deploy
> +
> +DEPENDS = "u-boot-mkimage-native cst-native"
> +
> +do_deploy[nostamp] = "1"
> +do_deploy[depends] += "virtual/kernel:do_build u-boot:do_build"
> +
> +S = "${WORKDIR}"
> +
> +do_patch[noexec] = "1"
> +do_configure[noexec] = "1"
> +do_compile[noexec] = "1"
> +
> +do_deploy () {
> +    if [ -n "${UBOOT_SCR}" ] ; then
> +        if [ -n "${SECUREVALIDATE}" ]; then
> +            if [ "${ENCAP}" = "1" ] ; then
> +                if [ "${BOOTSCRIPT_DEC}" != null ] ; then
> +                    echo ${SECUREVALIDATE_DEC} > ${BOOTSCRIPT_DEC}.tmp
> +                    echo ${DISTROBOOT} >> ${BOOTSCRIPT_DEC}.tmp
> +                mkimage -A arm64 -O linux -T script -C none -a 0 -e 0  -n "boot.scr" -d ${BOOTSCRIPT_DEC}.tmp ${BOOTSCRIPT_DEC}
> +                rm -f ${BOOTSCRIPT_DEC}.tmp
> +                install ${B}/${BOOTSCRIPT_DEC} ${DEPLOY_DIR_IMAGE}/
> +                fi
> +                echo ${SECUREVALIDATE_ENC} > ${UBOOT_SCR}.tmp
> +            else
> +                echo ${SECUREVALIDATE} > ${UBOOT_SCR}.tmp
> +            fi
> +        fi
> +        echo ${DISTROBOOT} >> ${UBOOT_SCR}.tmp
> +        mkimage -A arm64 -O linux -T script -C none -a 0 -e 0  -n "boot.scr" -d ${UBOOT_SCR}.tmp ${UBOOT_SCR}
> +        rm -f ${UBOOT_SCR}.tmp
> +        install ${B}/${UBOOT_SCR} ${DEPLOY_DIR_IMAGE}/
> +        install ${B}/${UBOOT_SCR} ${DEPLOY_DIR_IMAGE}/bootscript
> +    fi
> +
> +    if [ "x${UBOOT_SECURE_ENABLE}" = "x1" ]; then
> +        echo ${DISTROBOOT} >> bootscript
> +        cp bootscript ${DEPLOY_DIR_IMAGE}/
> +    fi
> +
> +    if [ -n "${KERNEL_IMG}" ]; then
> +        cd ${DEPLOY_DIR_IMAGE}
> +        rm -rf  ${KERNEL_IMG}.bin.gz ${KERNEL_IMG}.bin
> +        cp ${KERNEL_IMG} ${KERNEL_IMG}.bin
> +        gzip ${KERNEL_IMG}.bin
> +        mkimage -A arm64 -O linux -T kernel -C gzip  -a 0x80080000 -e 0x80080000 -n Linux -d ${KERNEL_IMG}.bin.gz ${KERNEL_UIMG}
> +    fi
> +
> +    cd ${RECIPE_SYSROOT_NATIVE}/usr/bin/cst
> +    ./gen_keys 1024
> +    if [ "${ENCAP}" = "1" ]; then
> +        cp ${DEPLOY_DIR_IMAGE}/${BOOTSCRIPT_DEC} ./
> +    fi
> +    cp ${DEPLOY_DIR_IMAGE}/bootscript  ./
> +    if [ ${MACHINE} = ls1021atwr ]; then
> +        cp ${DEPLOY_DIR_IMAGE}/${KERNEL_UIMG}-${MACHINE}.bin   uImage.bin
> +        cp ${DEPLOY_DIR_IMAGE}/${KERNEL_UIMG}-${DEVICE_TREE}  uImage.dtb
> +        cp ${DEPLOY_DIR_IMAGE}/itbImage-${MACHINE}.bin  kernel.itb
> +    else
> +        cp ${DEPLOY_DIR_IMAGE}/${KERNEL_IMG}-${DEVICE_TREE}  uImage.dtb
> +        cp ${DEPLOY_DIR_IMAGE}/${KERNEL_UIMG}   uImage.bin
> +        cp ${DEPLOY_DIR_IMAGE}/itbImage-${MACHINE}.bin  kernel.itb
> +    fi
> +
> +
> +    if [ -n "${UBOOT_CONFIG}" ]
> +    then
> +        for type in ${UBOOT_CONFIG}; do
> +            if  echo ${type} | grep -iE 'nor-secure-boot'; then
> +                type_tmp=nor
> +                if [ ${MACHINE} = ls2088ardb -o ${MACHINE} = ls1088ardb ] ; then
> +                    if [ -z "${RCW_NOR}" -o "${RCW_NOR}" = "null" ]; then
> +                        echo boot nor on board not unsupported!
> +                        exit
> +                    fi
> +                    cp ${DEPLOY_DIR_IMAGE}/${RCW_NOR} rcw.bin
> +                fi
> +                cp ${DEPLOY_DIR_IMAGE}/${UBOOT_NORBOOT_SEC}  u-boot-dtb.bin
> +            elif echo ${type} | grep -iE 'qspi-secure-boot'; then
> +                 type_tmp=qspi
> +                 if [ ${MACHINE} = ls2088ardb -o ${MACHINE} = ls1088ardb ] ; then
> +                    if [ -z "${RCW_QSPI}" -o "${RCW_QSPI}" = "null" ]; then
> +                        echo boot qspi on board not unsupported!
> +                        exit
> +                    fi
> +                    cp ${DEPLOY_DIR_IMAGE}/${RCW_QSPI} rcw.bin
> +                fi
> +                cp ${DEPLOY_DIR_IMAGE}/${UBOOT_QSPIBOOT_SEC}  u-boot-dtb.bin
> +            elif echo ${type} | grep -iE 'sdcard-secure-boot'; then
> +                type_tmp=sd
> +                if [ ${MACHINE} = ls1088ardb -o ${MACHINE} = ls2088ardb ] ; then
> +                    if [ -z "${RCW_SD}" -o "${RCW_SD}" = "null" ]; then
> +                        echo boot sd on board not unsupported!
> +                        exit
> +                    fi
> +                    cp ${DEPLOY_DIR_IMAGE}/${RCW_SD} rcw.bin
> +                fi
> +                if [ "${UBOOT_SDBOOT_SEC}" = "null" -o -z "${UBOOT_SDBOOT_SEC}" ]; then
> +                    echo sd sec boot on board for secureboot unsupported
> +                    exit
> +                fi
> +                cp ${DEPLOY_DIR_IMAGE}/${UBOOT_SDBOOT_SEC} u-boot-with-spl-pbl.bin
> +                cp ${DEPLOY_DIR_IMAGE}/${UBOOT_SPL} u-boot-spl.bin
> +                cp ${DEPLOY_DIR_IMAGE}/${UBOOT_DTB} u-boot-dtb.bin
> +            else
> +                type_tmp=nand
> +            fi
> +
> +            if [ ${type_tmp} = nand ]; then
> +                continue;
> +            fi
> +
> +            if [ -f ${DEPLOY_DIR_IMAGE}/ppa.itb ] ; then
> +                cp ${DEPLOY_DIR_IMAGE}/ppa.itb  ppa.itb
> +            fi
> +
> +            if [ -f ${DEPLOY_DIR_IMAGE}/${DPAA2_MC_FW} ] ; then
> +                cp ${DEPLOY_DIR_IMAGE}/${DPAA2_MC_FW}   mc.itb
> +            fi
> +
> +            if [ -f ${DEPLOY_DIR_IMAGE}/${DPAA2_MC_DPC} ] ; then
> +                cp ${DEPLOY_DIR_IMAGE}/${DPAA2_MC_DPC}  dpc.dtb
> +            fi
> +
> +            if [ -f ${DEPLOY_DIR_IMAGE}/${DPAA2_MC_DPL} ] ; then
> +                cp ${DEPLOY_DIR_IMAGE}/${DPAA2_MC_DPL} dpl.dtb
> +            fi
> +
> +            if echo ${type} | grep -iE 'nand'; then
> +                . ${NAND_SCRIPT}
> +            elif echo ${type} | grep -iE 'sd'; then
> +                . ${SD_SCRIPT}
> +            elif echo ${type} | grep -iE 'nor'; then
> +                . ${NOR_SCRIPT}
> +            elif echo ${type} | grep -iE 'qspi'; then
> +               . ${QSPI_SCRIPT}
> +            fi
> +
> +            if echo ${type} | grep -iE 'sd'; then
> +                if [  ${MACHINE} = ls2088ardb -o ${MACHINE} = ls1088ardb ] ; then
> +                    cp rcw_sec.bin ${DEPLOY_DIR_IMAGE}/${UBOOT_SDBOOT_SEC}
> +                else
> +                    cp u-boot-with-spl-pbl-sec.bin ${DEPLOY_DIR_IMAGE}/${UBOOT_SDBOOT_SEC}
> +                fi
> +            elif echo ${type} | grep -iE 'nand'; then
> +                cp u-boot-with-spl-pbl-sec.bin ${DEPLOY_DIR_IMAGE}/${UBOOT_NANDBOOT_SEC}
> +            else
> +                if [ ${MACHINE} = ls2088ardb -o ${MACHINE} = ls1088ardb ] && [ -f ${DEPLOY_DIR_IMAGE}/rcw_sec.bin ]; then
> +                    cp rcw_sec.bin ${DEPLOY_DIR_IMAGE}/$rcwimg_sec
> +                fi
> +            fi
> +
> +            install -d ${DEPLOYDIR}/secboot_hdrs
> +            install -m 755  hdr_dtb.out ${DEPLOYDIR}/secboot_hdrs/
> +            install -m 755  hdr_linux.out  ${DEPLOYDIR}/secboot_hdrs/
> +            install -m 755  hdr_bs.out ${DEPLOYDIR}/secboot_hdrs/hrd_${MACHINE}_bs.out
> +            install -m 755  secboot_hdrs.bin  ${DEPLOYDIR}/secboot_hdrs
> +            install -m 755  srk_hash.txt ${DEPLOYDIR}/secboot_hdrs
> +            install -m 755  srk.pri ${DEPLOYDIR}/secboot_hdrs
> +            install -m 755  srk.pub ${DEPLOYDIR}/secboot_hdrs
> +            if [ "$ENCAP" = "1" ]; then
> +                install -m 755 hdr_bs_dec.out ${DEPLOYDIR}/secboot_hdrs/hdr_${MACHINE}_bs_dec.out
> +            fi
> +        done
> +    fi
> +}
> +
> +addtask deploy before do_build after do_compile
> +
> +PACKAGE_ARCH = "${MACHINE_ARCH}"
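Review bot: The SRK private key is published with the build output: `install -m 755 srk.pri ${DEPLOYDIR}/secboot_hdrs` near the end of do_deploy copies the signing key next to the images, world-readable, so the secure-boot chain is only as protected as the deploy directory. I would drop that line and install the remaining headers and `srk_hash.txt` with `-m 644`, since none of them are executables. The key comes from `./gen_keys 1024`, which runs on every build because of `do_deploy[nostamp] = "1"`; presumably the SRK hash then changes from build to build and cannot match a value already fused on a board, and a 1024-bit RSA key is below current minimum recommendations, so a provisioned key pair supplied through a recipe variable (with `gen_keys` at 2048 bits or more as a development-only fallback) would be safer. Separately, the bare `exit` after each "not unsupported" message returns the status of the preceding `echo`, so the task reports success without signing anything; `bbfatal "NOR secure boot is not supported on ${MACHINE}"` (and the equivalents for qspi and sd) would fail the build visibly.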
> --
> 1.9.0
>
> --
> _______________________________________________
> meta-freescale mailing list
> meta-freescale at yoctoproject.org
> https://lists.yoctoproject.org/listinfo/meta-freescale



-- 
Otavio Salvador                             O.S. Systems
http://www.ossystems.com.br        http://code.ossystems.com.br
Mobile: +55 (53) 9981-7854            Mobile: +1 (347) 903-9750

