[Buildroot] [PATCH v8 07/10] board/ti/am62x_sk|am64x_sk: switch to HS-FS device variants

François Perrad francois.perrad at gadz.org
Fri Jun 16 16:40:35 UTC 2023 

Le ven. 16 juin 2023 à 14:05, Andreas Dannenberg <dannenberg at ti.com> a
écrit :

> Hi François,
>
> On Fri, Jun 16, 2023 at 01:15:04PM +0200, François Perrad wrote:
> > Le ven. 16 juin 2023 à 02:38, Andreas Dannenberg via buildroot <
> > buildroot at buildroot.org> a écrit :
> >
> > > Current starter kits for AM62x (called SK-AM62B, see [1]) and AM64x
> > > (called SK-AM64B, see [2]) both contain High Security - Field Securable
> > > (HS-FS) device variants, and those are really the recommended
> production
> > > device variants and boards TI will provide moving forward. Hence,
> switch
> > > the defconfigs for those boards over to accommodate those now-shipping
> > > device variants and boards.
> > >
> > > [1] https://www.ti.com/tool/SK-AM62B
> > > [2] https://www.ti.com/tool/SK-AM64B
> > >
> > > Signed-off-by: Andreas Dannenberg <dannenberg at ti.com>
> > > ---
> > >  board/ti/am62x_sk/readme.txt | 16 ++++++++++++++++
> > >  board/ti/am64x_sk/readme.txt | 16 ++++++++++++++++
> > >  configs/am62x_sk_defconfig   |  2 +-
> > >  configs/am64x_sk_defconfig   |  4 ++--
> > >  4 files changed, 35 insertions(+), 3 deletions(-)
> > >
> > > diff --git a/board/ti/am62x_sk/readme.txt
> b/board/ti/am62x_sk/readme.txt
> > > index ccbb24896b..9c7c8818af 100644
> > > --- a/board/ti/am62x_sk/readme.txt
> > > +++ b/board/ti/am62x_sk/readme.txt
> > > @@ -12,6 +12,22 @@ $ make am62x_sk_defconfig
> > >  Optional: modify the configuration:
> > >  $ make menuconfig
> > >
> > > +Required setup step for High Security HS-FS and HS-SE SoC variants:
> > > +
> > > +To allow the image signing process for various firmware artifacts to
> > > +work the build process for HS-FS and HS-SE device variants is using
> > > +an external 'core-secdev-k3' package which can be obtained from
> > > +https://git.ti.com/cgit/security-development-tools/core-secdev-k3.
> > > +To prepare building for those device variants create a local copy of
> > > +the 'core-secdev-k3' and export its location through the
> > > +TI_SECURE_DEV_PKG environmental variable. Use the package as-is for
> > > +HS-FS device variants such as populated on the SK-AM64B board, or
> > > +customize this package with your private signing keys when using a
> > > +HS-SE device variant.
> > > +
> > > +$ git clone
> > > https://git.ti.com/git/security-development-tools/core-secdev-k3.git
> > > +$ export TI_SECURE_DEV_PKG=$PWD/core-secdev-k3
> > >
> >
> > core-secdev-k3 could be a host package and an optional dependency of
> uboot
> > or atf
>
> Good suggestion, I thought about same but wasn't quite sure how to set
> this up, but I'll look into this based on your below starting point. It
> would cover HS-FS device variants ("High Security - Field Securable"),
> which is 90% of the use case, and 100% of the initial use case (somebody
> getting a board, evaluating), all when the custom keys were not yet
> programmed into the SOC (which is what turns the device into a HS-SE
> device, at which time custom signing keys will need to be provided as
> part of core-secdev-k3).
>
> Can a host package easily export/share and ENV variable
> (TI_SECURE_DEV_PKG)?
>
>
yes (we are in a Makefile fragment):
export
TI_SECURE_DEV_PKG=$(BUILD_DIR)/ti-core-secdev-k3-$(TI_CORE_SECDEV_K3_VERSION)

when a package needed it, just add :
FOO_DEPENDENCIES += host-ti-core-secdev-k3

François


> This will be needed not only by ti-k3-image-gen but also by uboot and
> potentially other packages in the future.
>
> Regards, Andreas
>
> >
> >
> ################################################################################
> > #
> > # ti-core-secdev-k3
> > #
> >
> ################################################################################
> >
> > TI_CORE_SECDEV_K3_VERSION = 08.06.00.007
> > TI_CORE_SECDEV_K3_SITE =
> >
> https://git.ti.com/cgit/security-development-tools/core-secdev-k3/snapshot
> > TI_CORE_SECDEV_K3_SOURCE =
> > core-secdev-k3-$(TI_CORE_SECDEV_K3_VERSION).tar.gz
> >
> >
> TI_SECURE_DEV_PKG=$(BUILD_DIR)/ti-core-secdev-k3-$(TI_CORE_SECDEV_K3_VERSION)
> >
> > $(eval $(host-generic-package))
> >
> > François
> >
> >
> >
> > > +
> > >  Build:
> > >  $ make
> > >
> > > diff --git a/board/ti/am64x_sk/readme.txt
> b/board/ti/am64x_sk/readme.txt
> > > index fe83c675f5..51d0312726 100644
> > > --- a/board/ti/am64x_sk/readme.txt
> > > +++ b/board/ti/am64x_sk/readme.txt
> > > @@ -12,6 +12,22 @@ $ make am64x_sk_defconfig
> > >  Optional: modify the configuration:
> > >  $ make menuconfig
> > >
> > > +Required setup step for High Security HS-FS and HS-SE SoC variants:
> > > +
> > > +To allow the image signing process for various firmware artifacts to
> > > +work the build process for HS-FS and HS-SE device variants is using
> > > +an external 'core-secdev-k3' package which can be obtained from
> > > +https://git.ti.com/cgit/security-development-tools/core-secdev-k3.
> > > +To prepare building for those device variants create a local copy of
> > > +the 'core-secdev-k3' and export its location through the
> > > +TI_SECURE_DEV_PKG environmental variable. Use the package as-is for
> > > +HS-FS device variants such as populated on the SK-AM64B board, or
> > > +customize this package with your private signing keys when using a
> > > +HS-SE device variant.
> > > +
> > > +$ git clone
> > > https://git.ti.com/git/security-development-tools/core-secdev-k3.git
> > > +$ export TI_SECURE_DEV_PKG=$PWD/core-secdev-k3
> > > +
> > >  Build:
> > >  $ make
> > >
> > > diff --git a/configs/am62x_sk_defconfig b/configs/am62x_sk_defconfig
> > > index 2d05ddd96b..033101b735 100644
> > > --- a/configs/am62x_sk_defconfig
> > > +++ b/configs/am62x_sk_defconfig
> > > @@ -28,7 +28,7 @@ BR2_TARGET_OPTEE_OS_NEEDS_PYTHON_CRYPTOGRAPHY=y
> > >  BR2_TARGET_OPTEE_OS_PLATFORM="k3"
> > >  BR2_TARGET_TI_K3_IMAGE_GEN=y
> > >  BR2_TARGET_TI_K3_IMAGE_GEN_SOC="am62x"
> > > -BR2_TARGET_TI_K3_IMAGE_GEN_SOC_TYPE="gp"
> > > +BR2_TARGET_TI_K3_IMAGE_GEN_SOC_TYPE="hs-fs"
> > >  BR2_TARGET_TI_K3_IMAGE_GEN_CONFIG="evm"
> > >  BR2_TARGET_TI_K3_R5_LOADER=y
> > >  BR2_TARGET_TI_K3_R5_LOADER_CUSTOM_TARBALL=y
> > > diff --git a/configs/am64x_sk_defconfig b/configs/am64x_sk_defconfig
> > > index a26e38a043..096dd77f6a 100644
> > > --- a/configs/am64x_sk_defconfig
> > > +++ b/configs/am64x_sk_defconfig
> > > @@ -28,8 +28,8 @@ BR2_TARGET_OPTEE_OS_NEEDS_PYTHON_CRYPTOGRAPHY=y
> > >  BR2_TARGET_OPTEE_OS_PLATFORM="k3"
> > >  BR2_TARGET_TI_K3_IMAGE_GEN=y
> > >  BR2_TARGET_TI_K3_IMAGE_GEN_FW_TYPE_TISCI=y
> > > -BR2_TARGET_TI_K3_IMAGE_GEN_SOC="am64x"
> > > -BR2_TARGET_TI_K3_IMAGE_GEN_SOC_TYPE="gp"
> > > +BR2_TARGET_TI_K3_IMAGE_GEN_SOC="am64x_sr2"
> > > +BR2_TARGET_TI_K3_IMAGE_GEN_SOC_TYPE="hs-fs"
> > >  BR2_TARGET_TI_K3_IMAGE_GEN_CONFIG="evm"
> > >  BR2_TARGET_TI_K3_R5_LOADER=y
> > >  BR2_TARGET_TI_K3_R5_LOADER_CUSTOM_TARBALL=y
> > > --
> > > 2.34.1
> > >
> > > _______________________________________________
> > > buildroot mailing list
> > > buildroot at buildroot.org
> > > https://lists.buildroot.org/mailman/listinfo/buildroot
> > >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.buildroot.org/pipermail/buildroot/attachments/20230616/15d48b3c/attachment-0001.html>

More information about the buildroot mailing list