[Buildroot] [PATCH v8 07/10] board/ti/am62x_sk|am64x_sk: switch to HS-FS device variants

Andreas Dannenberg dannenberg at ti.com
Fri Jun 16 12:02:30 UTC 2023 

Hi François,

On Fri, Jun 16, 2023 at 01:15:04PM +0200, François Perrad wrote:
> Le ven. 16 juin 2023 à 02:38, Andreas Dannenberg via buildroot <
> buildroot at buildroot.org> a écrit :
> 
> > Current starter kits for AM62x (called SK-AM62B, see [1]) and AM64x
> > (called SK-AM64B, see [2]) both contain High Security - Field Securable
> > (HS-FS) device variants, and those are really the recommended production
> > device variants and boards TI will provide moving forward. Hence, switch
> > the defconfigs for those boards over to accommodate those now-shipping
> > device variants and boards.
> >
> > [1] https://www.ti.com/tool/SK-AM62B
> > [2] https://www.ti.com/tool/SK-AM64B
> >
> > Signed-off-by: Andreas Dannenberg <dannenberg at ti.com>
> > ---
> >  board/ti/am62x_sk/readme.txt | 16 ++++++++++++++++
> >  board/ti/am64x_sk/readme.txt | 16 ++++++++++++++++
> >  configs/am62x_sk_defconfig   |  2 +-
> >  configs/am64x_sk_defconfig   |  4 ++--
> >  4 files changed, 35 insertions(+), 3 deletions(-)
> >
> > diff --git a/board/ti/am62x_sk/readme.txt b/board/ti/am62x_sk/readme.txt
> > index ccbb24896b..9c7c8818af 100644
> > --- a/board/ti/am62x_sk/readme.txt
> > +++ b/board/ti/am62x_sk/readme.txt
> > @@ -12,6 +12,22 @@ $ make am62x_sk_defconfig
> >  Optional: modify the configuration:
> >  $ make menuconfig
> >
> > +Required setup step for High Security HS-FS and HS-SE SoC variants:
> > +
> > +To allow the image signing process for various firmware artifacts to
> > +work the build process for HS-FS and HS-SE device variants is using
> > +an external 'core-secdev-k3' package which can be obtained from
> > +https://git.ti.com/cgit/security-development-tools/core-secdev-k3.
> > +To prepare building for those device variants create a local copy of
> > +the 'core-secdev-k3' and export its location through the
> > +TI_SECURE_DEV_PKG environmental variable. Use the package as-is for
> > +HS-FS device variants such as populated on the SK-AM64B board, or
> > +customize this package with your private signing keys when using a
> > +HS-SE device variant.
> > +
> > +$ git clone
> > https://git.ti.com/git/security-development-tools/core-secdev-k3.git
> > +$ export TI_SECURE_DEV_PKG=$PWD/core-secdev-k3
> >
> 
> core-secdev-k3 could be a host package and an optional dependency of uboot
> or atf

Good suggestion, I thought about same but wasn't quite sure how to set
this up, but I'll look into this based on your below starting point. It
would cover HS-FS device variants ("High Security - Field Securable"),
which is 90% of the use case, and 100% of the initial use case (somebody
getting a board, evaluating), all when the custom keys were not yet
programmed into the SOC (which is what turns the device into a HS-SE
device, at which time custom signing keys will need to be provided as
part of core-secdev-k3).

Can a host package easily export/share and ENV variable
(TI_SECURE_DEV_PKG)?

This will be needed not only by ti-k3-image-gen but also by uboot and
potentially other packages in the future.

Regards, Andreas

> 
> ################################################################################
> #
> # ti-core-secdev-k3
> #
> ################################################################################
> 
> TI_CORE_SECDEV_K3_VERSION = 08.06.00.007
> TI_CORE_SECDEV_K3_SITE =
> https://git.ti.com/cgit/security-development-tools/core-secdev-k3/snapshot
> TI_CORE_SECDEV_K3_SOURCE =
> core-secdev-k3-$(TI_CORE_SECDEV_K3_VERSION).tar.gz
> 
> TI_SECURE_DEV_PKG=$(BUILD_DIR)/ti-core-secdev-k3-$(TI_CORE_SECDEV_K3_VERSION)
> 
> $(eval $(host-generic-package))
> 
> François
> 
> 
> 
> > +
> >  Build:
> >  $ make
> >
> > diff --git a/board/ti/am64x_sk/readme.txt b/board/ti/am64x_sk/readme.txt
> > index fe83c675f5..51d0312726 100644
> > --- a/board/ti/am64x_sk/readme.txt
> > +++ b/board/ti/am64x_sk/readme.txt
> > @@ -12,6 +12,22 @@ $ make am64x_sk_defconfig
> >  Optional: modify the configuration:
> >  $ make menuconfig
> >
> > +Required setup step for High Security HS-FS and HS-SE SoC variants:
> > +
> > +To allow the image signing process for various firmware artifacts to
> > +work the build process for HS-FS and HS-SE device variants is using
> > +an external 'core-secdev-k3' package which can be obtained from
> > +https://git.ti.com/cgit/security-development-tools/core-secdev-k3.
> > +To prepare building for those device variants create a local copy of
> > +the 'core-secdev-k3' and export its location through the
> > +TI_SECURE_DEV_PKG environmental variable. Use the package as-is for
> > +HS-FS device variants such as populated on the SK-AM64B board, or
> > +customize this package with your private signing keys when using a
> > +HS-SE device variant.
> > +
> > +$ git clone
> > https://git.ti.com/git/security-development-tools/core-secdev-k3.git
> > +$ export TI_SECURE_DEV_PKG=$PWD/core-secdev-k3
> > +
> >  Build:
> >  $ make
> >
> > diff --git a/configs/am62x_sk_defconfig b/configs/am62x_sk_defconfig
> > index 2d05ddd96b..033101b735 100644
> > --- a/configs/am62x_sk_defconfig
> > +++ b/configs/am62x_sk_defconfig
> > @@ -28,7 +28,7 @@ BR2_TARGET_OPTEE_OS_NEEDS_PYTHON_CRYPTOGRAPHY=y
> >  BR2_TARGET_OPTEE_OS_PLATFORM="k3"
> >  BR2_TARGET_TI_K3_IMAGE_GEN=y
> >  BR2_TARGET_TI_K3_IMAGE_GEN_SOC="am62x"
> > -BR2_TARGET_TI_K3_IMAGE_GEN_SOC_TYPE="gp"
> > +BR2_TARGET_TI_K3_IMAGE_GEN_SOC_TYPE="hs-fs"
> >  BR2_TARGET_TI_K3_IMAGE_GEN_CONFIG="evm"
> >  BR2_TARGET_TI_K3_R5_LOADER=y
> >  BR2_TARGET_TI_K3_R5_LOADER_CUSTOM_TARBALL=y
> > diff --git a/configs/am64x_sk_defconfig b/configs/am64x_sk_defconfig
> > index a26e38a043..096dd77f6a 100644
> > --- a/configs/am64x_sk_defconfig
> > +++ b/configs/am64x_sk_defconfig
> > @@ -28,8 +28,8 @@ BR2_TARGET_OPTEE_OS_NEEDS_PYTHON_CRYPTOGRAPHY=y
> >  BR2_TARGET_OPTEE_OS_PLATFORM="k3"
> >  BR2_TARGET_TI_K3_IMAGE_GEN=y
> >  BR2_TARGET_TI_K3_IMAGE_GEN_FW_TYPE_TISCI=y
> > -BR2_TARGET_TI_K3_IMAGE_GEN_SOC="am64x"
> > -BR2_TARGET_TI_K3_IMAGE_GEN_SOC_TYPE="gp"
> > +BR2_TARGET_TI_K3_IMAGE_GEN_SOC="am64x_sr2"
> > +BR2_TARGET_TI_K3_IMAGE_GEN_SOC_TYPE="hs-fs"
> >  BR2_TARGET_TI_K3_IMAGE_GEN_CONFIG="evm"
> >  BR2_TARGET_TI_K3_R5_LOADER=y
> >  BR2_TARGET_TI_K3_R5_LOADER_CUSTOM_TARBALL=y
> > --
> > 2.34.1
> >
> > _______________________________________________
> > buildroot mailing list
> > buildroot at buildroot.org
> > https://lists.buildroot.org/mailman/listinfo/buildroot
> >

More information about the buildroot mailing list