mkimage: Add support for bundling TEE in mkimage -f auto

Introduce two new parameters to be used with mkimage -f auto to bundle TEE image into fitImage, using auto-generated fitImage. Add -z to specify TEE file name and -Z to specify TEE load and entry point address. This is meant to be used with systems which boot all of TEE, Linux and its DT from a single fitImage, all booted by U-Boot. Example invocation: " $ mkimage -E -A arm -C none -e 0xc0008000 -a 0xc0008000 -f auto \ -d arch/arm/boot/zImage \ -b arch/arm/boot/dts/st/stm32mp135f-dhcor-dhsbc.dtb \ -z ../optee_os/out/arm-plat-stm32mp1/core/tee-raw.bin \ -Z 0xde000000 \ /path/to/output/fitImage " Documentation update and test are also included, the test validates both positive and negative test cases, where fitImage does not include TEE and does include TEE blobs. Acked-by: Quentin Schulz <quentin.schulz@cherry.de> Signed-off-by: Marek Vasut <marek.vasut@mailbox.org>
2026-06-02 09:46:37 +03:00 · 2025-11-25 16:42:57 +01:00
parent 23eb6c9ce1
commit 22aa122eee
6 changed files with 134 additions and 14 deletions
--- a/doc/mkimage.1
+++ b/doc/mkimage.1
@@ -251,6 +251,18 @@ Append TFA BL31 file to the image.
 .B \-\-tfa-bl31-addr
 Set TFA BL31 file load and entry point address.
 .
 .TP
 .B \-z
 .TQ
 .B \-\-tee-file
 Append raw TEE file to the image.
 .
 .TP
 .B \-Z
 .TQ
 .B \-\-tee-addr
 Set raw TEE file load and entry point address, in hexadecimal.
 .
 .SS Options for creating FIT images
 .
 .TP
--- a/include/image.h
+++ b/include/image.h
@@ -1105,6 +1105,7 @@ int booti_setup(ulong image, ulong *relocated_addr, ulong *size,
 #define FIT_SCRIPT_PROP		"script"
 #define FIT_PHASE_PROP		"phase"
 #define FIT_TFA_BL31_PROP	"tfa-bl31"
 #define FIT_TEE_PROP		"tee"
 #define FIT_MAX_HASH_LEN	HASH_MAX_DIGEST_SIZE
--- a/test/py/tests/test_fit_auto_signed.py
+++ b/test/py/tests/test_fit_auto_signed.py
@@ -117,28 +117,36 @@ class SignedFitHelper(object):
            algo = self.__fdt_get_string(f'{node}/signature', 'algo')
            assert algo == sign_algo + "\n", "Missing expected signature algo!"
-    def check_fit_loadables(self, present):
+    def check_fit_loadables(self, bl31present, teepresent):
-        """Test that loadables contains both kernel and TFA BL31 entries.
+        """Test that loadables contains both kernel, TFA BL31, TEE entries.
        Each configuration must have a loadables property which lists both
-        kernel-1 and tfa-bl31-1 strings in the string list.
+        kernel-1, tfa-bl31-1 and tee-1 strings in the string list.
        """
-        if present:
+        if bl31present:
            assert "/images/tfa-bl31-1" in self.images_nodes
        else:
            assert "/images/tfa-bl31-1" not in self.images_nodes
        if teepresent:
            assert "/images/tee-1" in self.images_nodes
        else:
            assert "/images/tee-1" not in self.images_nodes
        for node in self.confgs_nodes:
            loadables = self.__fdt_get_string(f'{node}', 'loadables')
            assert "kernel-1" in loadables
-            if present:
+            if bl31present:
                assert "tfa-bl31-1" in loadables
            else:
                assert "tfa-bl31-1" not in loadables
            if teepresent:
                assert "tee-1" in loadables
            else:
                assert "tee-1" not in loadables
@pytest.mark.buildconfigspec('fit_signature')
@pytest.mark.requiredtool('fdtget')
 def test_fit_auto_signed(ubman):
-    def generate_and_check_fit_image(cmd, crc=False, simgs=False, scfgs=False, bl31present=False, key_name="", sign_algo="", verifier=""):
+    def generate_and_check_fit_image(cmd, crc=False, simgs=False, scfgs=False, bl31present=False, teepresent=False, key_name="", sign_algo="", verifier=""):
        """Generate fitImage and test for expected entries.
        Generate a fitImage and test whether suitable entries are part of
@@ -158,7 +166,7 @@ def test_fit_auto_signed(ubman):
        if scfgs:
            fit.check_fit_signed_confgs(key_name, sign_algo)
-        fit.check_fit_loadables(bl31present)
+        fit.check_fit_loadables(bl31present, teepresent)
    """Test that mkimage generates auto-FIT with signatures/hashes as expected.
@@ -178,6 +186,7 @@ def test_fit_auto_signed(ubman):
    dt1_file = f'{tempdir}/dt-1.dtb'
    dt2_file = f'{tempdir}/dt-2.dtb'
    tfa_file = f'{tempdir}/tfa-bl31.bin'
    tee_file = f'{tempdir}/tee.bin'
    key_name = 'sign-key'
    sign_algo = 'sha256,rsa4096'
    key_file = f'{tempdir}/{key_name}.key'
@@ -196,6 +205,9 @@ def test_fit_auto_signed(ubman):
    with open(tfa_file, 'wb') as fd:
        fd.write(os.urandom(256))
    with open(tee_file, 'wb') as fd:
        fd.write(os.urandom(256))
    # Create 4096 RSA key and write to file to be read by mkimage
    key = RSA.generate(bits=4096)
    verifier = pkcs1_15.new(key)
@@ -238,3 +250,42 @@ def test_fit_auto_signed(ubman):
    generate_and_check_fit_image(' -fauto-conf' + b_args + s_args + " " + fit_file,
                                 scfgs=True, bl31present=True,
                                 key_name=key_name, sign_algo=sign_algo)
    # Run the same tests as 1/2/3 above, but this time with TEE
    # options -z tee.bin -Z 0x56780000 to cover both mkimage with
    # and without TEE use cases.
    b_args = " -d" + kernel_file + " -b" + dt1_file + " -b" + dt2_file + " -z" + tee_file + " -Z 0x56780000"
    # 7 - Create auto FIT with images crc32 checksum, and verify it
    generate_and_check_fit_image(' -fauto' + b_args + " " + fit_file,
                                 crc=True, teepresent=True)
    # 8 - Create auto FIT with signed images, and verify it
    generate_and_check_fit_image(' -fauto' + b_args + s_args + " " + fit_file,
                                 simgs=True, teepresent=True,
                                 key_name=key_name, sign_algo=sign_algo, verifier=verifier)
    # 9 - Create auto FIT with signed configs and hashed images, and verify it
    generate_and_check_fit_image(' -fauto-conf' + b_args + s_args + " " + fit_file,
                                 scfgs=True, teepresent=True,
                                 key_name=key_name, sign_algo=sign_algo)
    # Run the same tests as 1/2/3 above, but this time with both
    # TFA BL31 and TEE options -y tfa-bl31.bin -Y 0x12340000 and
    # -z tee.bin -Z 0x56780000 to cover both mkimage with and
    # without both TFA BL31 and TEE use cases.
    b_args = " -d" + kernel_file + " -b" + dt1_file + " -b" + dt2_file + " -y" + tfa_file + " -Y 0x12340000" + " -z" + tee_file + " -Z 0x56780000"
    # 10 - Create auto FIT with images crc32 checksum, and verify it
    generate_and_check_fit_image(' -fauto' + b_args + " " + fit_file,
                                 crc=True, bl31present=True, teepresent=True)
    # 11 - Create auto FIT with signed images, and verify it
    generate_and_check_fit_image(' -fauto' + b_args + s_args + " " + fit_file,
                                 simgs=True, bl31present=True, teepresent=True,
                                 key_name=key_name, sign_algo=sign_algo, verifier=verifier)
    # 12 - Create auto FIT with signed configs and hashed images, and verify it
    generate_and_check_fit_image(' -fauto-conf' + b_args + s_args + " " + fit_file,
                                 scfgs=True, bl31present=True, teepresent=True,
                                 key_name=key_name, sign_algo=sign_algo)
--- a/tools/fit_image.c
+++ b/tools/fit_image.c
@@ -180,6 +180,13 @@ static int fit_calc_size(struct image_tool_params *params)
 		total_size += size;
 	}
 	if (params->fit_tee) {
 		size = imagetool_get_filesize(params, params->fit_tee);
 		if (size < 0)
 			return -1;
 		total_size += size;
 	}
 	for (cont = params->content_head; cont; cont = cont->next) {
 		size = imagetool_get_filesize(params, cont->fname);
 		if (size < 0)
@@ -433,6 +440,30 @@ static int fit_write_images(struct image_tool_params *params, char *fdt)
 		fdt_end_node(fdt);
 	}
 	/* And a TEE file if available */
 	if (params->fit_tee) {
 		fdt_begin_node(fdt, FIT_TEE_PROP "-1");
 		fdt_property_string(fdt, FIT_TYPE_PROP, FIT_TEE_PROP);
 		fdt_property_string(fdt, FIT_OS_PROP,
 				    genimg_get_os_short_name(params->os));
 		fdt_property_string(fdt, FIT_ARCH_PROP,
 				    genimg_get_arch_short_name(params->arch));
 		get_basename(str, sizeof(str), params->fit_tee);
 		fdt_property_string(fdt, FIT_DESC_PROP, str);
 		ret = fdt_property_file(params, fdt, FIT_DATA_PROP,
 					params->fit_tee);
 		if (ret)
 			return ret;
 		fdt_property_u32(fdt, FIT_LOAD_PROP, params->fit_tee_addr);
 		fdt_property_u32(fdt, FIT_ENTRY_PROP, params->fit_tee_addr);
 		fit_add_hash_or_sign(params, fdt, true);
 		if (ret)
 			return ret;
 		fdt_end_node(fdt);
 	}
 	fdt_end_node(fdt);
 	return 0;
@@ -474,9 +505,13 @@ static void fit_write_configs(struct image_tool_params *params, char *fdt)
 		fdt_property_string(fdt, typename, str);
 		if (params->fit_tfa_bl31) {
-			snprintf(str, sizeof(str), "%s-1." FIT_TFA_BL31_PROP "-1", typename);
+			snprintf(&str[len + 1], sizeof(str) - (len + 1), FIT_TFA_BL31_PROP "-1");
-			str[len] = 0;
+			len += strlen(&str[len + 1]) + 1;
-			len += strlen(FIT_TFA_BL31_PROP "-1") + 1;
+		}
 		if (params->fit_tee) {
 			snprintf(&str[len + 1], sizeof(str) - (len + 1), FIT_TEE_PROP "-1");
 			len += strlen(&str[len + 1]) + 1;
 		}
 		fdt_property(fdt, FIT_LOADABLE_PROP, str, len + 1);
@@ -499,9 +534,13 @@ static void fit_write_configs(struct image_tool_params *params, char *fdt)
 		fdt_property_string(fdt, typename, str);
 		if (params->fit_tfa_bl31) {
-			snprintf(str, sizeof(str), "%s-1." FIT_TFA_BL31_PROP "-1", typename);
+			snprintf(&str[len + 1], sizeof(str) - (len + 1), FIT_TFA_BL31_PROP "-1");
-			str[len] = 0;
+			len += strlen(&str[len + 1]) + 1;
-			len += strlen(FIT_TFA_BL31_PROP "-1") + 1;
+		}
 		if (params->fit_tee) {
 			snprintf(&str[len + 1], sizeof(str) - (len + 1), FIT_TEE_PROP "-1");
 			len += strlen(&str[len + 1]) + 1;
 		}
 		fdt_property(fdt, FIT_LOADABLE_PROP, str, len + 1);
--- a/tools/imagetool.h
+++ b/tools/imagetool.h
@@ -101,6 +101,8 @@ struct image_tool_params {
 	struct image_summary summary;	/* results of signing process */
 	char *fit_tfa_bl31;	/* TFA BL31 file to include */
 	unsigned int fit_tfa_bl31_addr;	/* TFA BL31 load and entry point address */
 	char *fit_tee;		/* TEE file to include */
 	unsigned int fit_tee_addr;	/* TEE load and entry point address */
 };
 /*
--- a/tools/mkimage.c
+++ b/tools/mkimage.c
@@ -103,6 +103,8 @@ static void usage(const char *msg)
 		"          -s ==> create an image with no data\n"
 		"          -y ==> append TFA BL31 file to the image\n"
 		"          -Y ==> set TFA BL31 file load and entry point address\n"
 		"          -z ==> append raw TEE file to the image\n"
 		"          -Z ==> set raw TEE file load and entry point address\n"
 		"          -v ==> verbose\n",
 		params.cmdname);
 	fprintf(stderr,
@@ -162,7 +164,7 @@ static int add_content(int type, const char *fname)
 }
 static const char optstring[] =
-	"a:A:b:B:c:C:d:D:e:Ef:Fg:G:i:k:K:ln:N:o:O:p:qrR:stT:vVxy:Y:";
+	"a:A:b:B:c:C:d:D:e:Ef:Fg:G:i:k:K:ln:N:o:O:p:qrR:stT:vVxy:Y:z:Z:";
 static const struct option longopts[] = {
 	{ "load-address", required_argument, NULL, 'a' },
@@ -200,6 +202,8 @@ static const struct option longopts[] = {
 	{ "xip", no_argument, NULL, 'x' },
 	{ "tfa-bl31-file", no_argument, NULL, 'y' },
 	{ "tfa-bl31-addr", no_argument, NULL, 'Y' },
 	{ "tee-file", no_argument, NULL, 'z' },
 	{ "tee-addr", no_argument, NULL, 'Z' },
 	{ /* sentinel */ },
 };
@@ -382,6 +386,17 @@ static void process_args(int argc, char **argv)
 				exit(EXIT_FAILURE);
 			}
 			break;
 		case 'z':
 			params.fit_tee = optarg;
 			break;
 		case 'Z':
 			params.fit_tee_addr = strtoull(optarg, &ptr, 16);
 			if (*ptr) {
 				fprintf(stderr, "%s: invalid TEE address %s\n",
 					params.cmdname, optarg);
 				exit(EXIT_FAILURE);
 			}
 			break;
 		default:
 			usage("Invalid option");
 		}