1Binman Entry Documentation 2========================== 3 4This file describes the entry types supported by binman. These entry types can 5be placed in an image one by one to build up a final firmware image. It is 6fairly easy to create new entry types. Just add a new file to the 'etype' 7directory. You can use the existing entries as examples. 8 9Note that some entries are subclasses of others, using and extending their 10features to produce new behaviours. 11 12 13 14.. _etype_alternates_fdt: 15 16Entry: alternates-fdt: Entry that generates alternative sections for each devicetree provided 17--------------------------------------------------------------------------------------------- 18 19When creating an image designed to boot on multiple models, each model 20requires its own devicetree. This entry deals with selecting the correct 21devicetree from a directory containing them. Each one is read in turn, then 22used to produce section contents which are written to a file. This results 23in a number of images, one for each model. 24 25For example this produces images for each .dtb file in the 'dtb' directory:: 26 27 alternates-fdt { 28 fdt-list-dir = "dtb"; 29 filename-pattern = "NAME.bin"; 30 fdt-phase = "tpl"; 31 32 section { 33 u-boot-tpl { 34 }; 35 }; 36 }; 37 38Each output file is named based on its input file, so an input file of 39`model1.dtb` results in an output file of `model1.bin` (i.e. the `NAME` in 40the `filename-pattern` property is replaced with the .dtb basename). 41 42Note that this entry type still produces contents for the 'main' image, in 43that case using the normal dtb provided to Binman, e.g. `u-boot-tpl.dtb`. 44But that image is unlikely to be useful, since it relates to whatever dtb 45happened to be the default when U-Boot builds 46(i.e. `CONFIG_DEFAULT_DEVICE_TREE`). However, Binman ensures that the size 47of each of the alternates is the same as the 'default' one, so they can in 48principle be 'slotted in' to the appropriate place in the main image. 49 50The optional `fdt-phase` property indicates the phase to build. In this 51case, it etype runs fdtgrep to obtain the devicetree subset for that phase, 52respecting the `bootph-xxx` tags in the devicetree. 53 54 55 56.. _etype_atf_bl1: 57 58Entry: atf-bl1: AP Trusted ROM (TF-A) BL1 blob 59----------------------------------------------------- 60 61Properties / Entry arguments: 62 - atf-bl1-path: Filename of file to read into entry. This is typically 63 called bl1.bin 64 65This entry holds the AP Trusted ROM firmware typically used by an SoC to 66help initialize the SoC before the SPL or U-Boot is started. See 67https://github.com/TrustedFirmware-A/trusted-firmware-a for more information 68about Boot Loader stage 1 (BL1) or about Trusted Firmware (TF-A) 69 70 71 72.. _etype_atf_bl31: 73 74Entry: atf-bl31: ARM Trusted Firmware (ATF) BL31 blob 75----------------------------------------------------- 76 77Properties / Entry arguments: 78 - atf-bl31-path: Filename of file to read into entry. This is typically 79 called bl31.bin or bl31.elf 80 81This entry holds the run-time firmware, typically started by U-Boot SPL. 82See the U-Boot README for your architecture or board for how to use it. See 83https://github.com/TrustedFirmware-A/trusted-firmware-a for more information 84about ATF. 85 86 87 88.. _etype_atf_fip: 89 90Entry: atf-fip: ARM Trusted Firmware's Firmware Image Package (FIP) 91------------------------------------------------------------------- 92 93A FIP_ provides a way to group binaries in a firmware image, used by ARM's 94Trusted Firmware A (TF-A) code. It is a simple format consisting of a 95table of contents with information about the type, offset and size of the 96binaries in the FIP. It is quite similar to FMAP, with the major difference 97that it uses UUIDs to indicate the type of each entry. 98 99Note: It is recommended to always add an fdtmap to every image, as well as 100any FIPs so that binman and other tools can access the entire image 101correctly. 102 103The UUIDs correspond to useful names in `fiptool`, provided by ATF to 104operate on FIPs. Binman uses these names to make it easier to understand 105what is going on, although it is possible to provide a UUID if needed. 106 107The contents of the FIP are defined by subnodes of the atf-fip entry, e.g.:: 108 109 atf-fip { 110 soc-fw { 111 filename = "bl31.bin"; 112 }; 113 114 scp-fwu-cfg { 115 filename = "bl2u.bin"; 116 }; 117 118 u-boot { 119 fip-type = "nt-fw"; 120 }; 121 }; 122 123This describes a FIP with three entries: soc-fw, scp-fwu-cfg and nt-fw. 124You can use normal (non-external) binaries like U-Boot simply by adding a 125FIP type, with the `fip-type` property, as above. 126 127Since FIP exists to bring blobs together, Binman assumes that all FIP 128entries are external binaries. If a binary may not exist, you can use the 129`--allow-missing` flag to Binman, in which case the image is still created, 130even though it will not actually work. 131 132The size of the FIP depends on the size of the binaries. There is currently 133no way to specify a fixed size. If the `atf-fip` node has a `size` entry, 134this affects the space taken up by the `atf-fip` entry, but the FIP itself 135does not expand to use that space. 136 137Some other FIP features are available with Binman. The header and the 138entries have 64-bit flag works. The flag flags do not seem to be defined 139anywhere, but you can use `fip-hdr-flags` and fip-flags` to set the values 140of the header and entries respectively. 141 142FIP entries can be aligned to a particular power-of-two boundary. Use 143fip-align for this. 144 145Binman only understands the entry types that are included in its 146implementation. It is possible to specify a 16-byte UUID instead, using the 147fip-uuid property. In this case Binman doesn't know what its type is, so 148just uses the UUID. See the `u-boot` node in this example:: 149 150 binman { 151 atf-fip { 152 fip-hdr-flags = /bits/ 64 <0x123>; 153 fip-align = <16>; 154 soc-fw { 155 fip-flags = /bits/ 64 <0x456>; 156 filename = "bl31.bin"; 157 }; 158 159 scp-fwu-cfg { 160 filename = "bl2u.bin"; 161 }; 162 163 u-boot { 164 fip-uuid = [fc 65 13 92 4a 5b 11 ec 165 94 35 ff 2d 1c fc 79 9c]; 166 }; 167 }; 168 fdtmap { 169 }; 170 }; 171 172Binman allows reading and updating FIP entries after the image is created, 173provided that an FDPMAP is present too. Updates which change the size of a 174FIP entry will cause it to be expanded or contracted as needed. 175 176Properties for top-level atf-fip node 177~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 178 179fip-hdr-flags (64 bits) 180 Sets the flags for the FIP header. 181 182Properties for subnodes 183~~~~~~~~~~~~~~~~~~~~~~~ 184 185fip-type (str) 186 FIP type to use for this entry. This is needed if the entry 187 name is not a valid type. Value types are defined in `fip_util.py`. 188 The FIP type defines the UUID that is used (they map 1:1). 189 190fip-uuid (16 bytes) 191 If there is no FIP-type name defined, or it is not supported by Binman, 192 this property sets the UUID. It should be a 16-byte value, following the 193 hex digits of the UUID. 194 195fip-flags (64 bits) 196 Set the flags for a FIP entry. Use in one of the subnodes of the 197 7atf-fip entry. 198 199fip-align 200 Set the alignment for a FIP entry, FIP entries can be aligned to a 201 particular power-of-two boundary. The default is 1. 202 203Adding new FIP-entry types 204~~~~~~~~~~~~~~~~~~~~~~~~~~ 205 206When new FIP entries are defined by TF-A they appear in the 207`TF-A source tree`_. You can use `fip_util.py` to update Binman to support 208new types, then `send a patch`_ to the U-Boot mailing list. There are two 209source files that the tool examples: 210 211- `include/tools_share/firmware_image_package.h` has the UUIDs 212- `tools/fiptool/tbbr_config.c` has the name and descripion for each UUID 213 214To run the tool:: 215 216 $ tools/binman/fip_util.py -s /path/to/arm-trusted-firmware 217 Warning: UUID 'UUID_NON_TRUSTED_WORLD_KEY_CERT' is not mentioned in tbbr_config.c file 218 Existing code in 'tools/binman/fip_util.py' is up-to-date 219 220If it shows there is an update, it writes a new version of `fip_util.py` 221to `fip_util.py.out`. You can change the output file using the `-i` flag. 222If you have a problem, use `-D` to enable traceback debugging. 223 224FIP commentary 225~~~~~~~~~~~~~~ 226 227As a side effect of use of UUIDs, FIP does not support multiple 228entries of the same type, such as might be used to store fonts or graphics 229icons, for example. For verified boot it could be used for each part of the 230image (e.g. separate FIPs for A and B) but cannot describe the whole 231firmware image. As with FMAP there is no hierarchy defined, although FMAP 232works around this by having 'section' areas which encompass others. A 233similar workaround would be possible with FIP but is not currently defined. 234 235It is recommended to always add an fdtmap to every image, as well as any 236FIPs so that binman and other tools can access the entire image correctly. 237 238.. _FIP: https://trustedfirmware-a.readthedocs.io/en/latest/design/firmware-design.html#firmware-image-package-fip 239.. _`TF-A source tree`: https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git 240.. _`send a patch`: https://docs.u-boot.org/en/latest/develop/sending_patches.html 241 242 243 244.. _etype_blob: 245 246Entry: blob: Arbitrary binary blob 247---------------------------------- 248 249Note: This should not be used by itself. It is normally used as a parent 250class by other entry types. 251 252Properties / Entry arguments: 253 - filename: Filename of file to read into entry 254 - compress: Compression algorithm to use: 255 none: No compression 256 lz4: Use lz4 compression (via 'lz4' command-line utility) 257 258This entry reads data from a file and places it in the entry. The 259default filename is often specified specified by the subclass. See for 260example the 'u-boot' entry which provides the filename 'u-boot.bin'. 261 262If compression is enabled, an extra 'uncomp-size' property is written to 263the node (if enabled with -u) which provides the uncompressed size of the 264data. 265 266 267 268.. _etype_blob_dtb: 269 270Entry: blob-dtb: A blob that holds a device tree 271------------------------------------------------ 272 273This is a blob containing a device tree. The contents of the blob are 274obtained from the list of available device-tree files, managed by the 275'state' module. 276 277Additional attributes: 278 prepend: Header used (e.g. 'length') 279 280 281 282.. _etype_blob_ext: 283 284Entry: blob-ext: Externally built binary blob 285--------------------------------------------- 286 287Note: This should not be used by itself. It is normally used as a parent 288class by other entry types. 289 290If the file providing this blob is missing, binman can optionally ignore it 291and produce a broken image with a warning. 292 293See 'blob' for Properties / Entry arguments. 294 295 296 297.. _etype_blob_ext_list: 298 299Entry: blob-ext-list: List of externally built binary blobs 300----------------------------------------------------------- 301 302This is like blob-ext except that a number of blobs can be provided, 303typically with some sort of relationship, e.g. all are DDC parameters. 304 305If any of the external files needed by this llist is missing, binman can 306optionally ignore it and produce a broken image with a warning. 307 308Args: 309 filenames: List of filenames to read and include 310 311 312 313.. _etype_blob_named_by_arg: 314 315Entry: blob-named-by-arg: A blob entry which gets its filename property from its subclass 316----------------------------------------------------------------------------------------- 317 318Properties / Entry arguments: 319 - <xxx>-path: Filename containing the contents of this entry (optional, 320 defaults to None) 321 322where <xxx> is the blob_fname argument to the constructor. 323 324This entry cannot be used directly. Instead, it is used as a parent class 325for another entry, which defined blob_fname. This parameter is used to 326set the entry-arg or property containing the filename. The entry-arg or 327property is in turn used to set the actual filename. 328 329See cros_ec_rw for an example of this. 330 331 332 333.. _etype_blob_phase: 334 335Entry: blob-phase: Section that holds a phase binary 336---------------------------------------------------- 337 338This is a base class that should not normally be used directly. It is used 339when converting a 'u-boot' entry automatically into a 'u-boot-expanded' 340entry; similarly for SPL. 341 342 343 344.. _etype_cbfs: 345 346Entry: cbfs: Coreboot Filesystem (CBFS) 347--------------------------------------- 348 349A CBFS provides a way to group files into a group. It has a simple directory 350structure and allows the position of individual files to be set, since it is 351designed to support execute-in-place in an x86 SPI-flash device. Where XIP 352is not used, it supports compression and storing ELF files. 353 354CBFS is used by coreboot as its way of orgnanising SPI-flash contents. 355 356The contents of the CBFS are defined by subnodes of the cbfs entry, e.g.:: 357 358 cbfs { 359 size = <0x100000>; 360 u-boot { 361 cbfs-type = "raw"; 362 }; 363 u-boot-dtb { 364 cbfs-type = "raw"; 365 }; 366 }; 367 368This creates a CBFS 1MB in size two files in it: u-boot.bin and u-boot.dtb. 369Note that the size is required since binman does not support calculating it. 370The contents of each entry is just what binman would normally provide if it 371were not a CBFS node. A blob type can be used to import arbitrary files as 372with the second subnode below:: 373 374 cbfs { 375 size = <0x100000>; 376 u-boot { 377 cbfs-name = "BOOT"; 378 cbfs-type = "raw"; 379 }; 380 381 dtb { 382 type = "blob"; 383 filename = "u-boot.dtb"; 384 cbfs-type = "raw"; 385 cbfs-compress = "lz4"; 386 cbfs-offset = <0x100000>; 387 }; 388 }; 389 390This creates a CBFS 1MB in size with u-boot.bin (named "BOOT") and 391u-boot.dtb (named "dtb") and compressed with the lz4 algorithm. 392 393 394Properties supported in the top-level CBFS node: 395 396cbfs-arch: 397 Defaults to "x86", but you can specify the architecture if needed. 398 399 400Properties supported in the CBFS entry subnodes: 401 402cbfs-name: 403 This is the name of the file created in CBFS. It defaults to the entry 404 name (which is the node name), but you can override it with this 405 property. 406 407cbfs-type: 408 This is the CBFS file type. The following are supported: 409 410 raw: 411 This is a 'raw' file, although compression is supported. It can be 412 used to store any file in CBFS. 413 414 stage: 415 This is an ELF file that has been loaded (i.e. mapped to memory), so 416 appears in the CBFS as a flat binary. The input file must be an ELF 417 image, for example this puts "u-boot" (the ELF image) into a 'stage' 418 entry:: 419 420 cbfs { 421 size = <0x100000>; 422 u-boot-elf { 423 cbfs-name = "BOOT"; 424 cbfs-type = "stage"; 425 }; 426 }; 427 428 You can use your own ELF file with something like:: 429 430 cbfs { 431 size = <0x100000>; 432 something { 433 type = "blob"; 434 filename = "cbfs-stage.elf"; 435 cbfs-type = "stage"; 436 }; 437 }; 438 439 As mentioned, the file is converted to a flat binary, so it is 440 equivalent to adding "u-boot.bin", for example, but with the load and 441 start addresses specified by the ELF. At present there is no option 442 to add a flat binary with a load/start address, similar to the 443 'add-flat-binary' option in cbfstool. 444 445cbfs-offset: 446 This is the offset of the file's data within the CBFS. It is used to 447 specify where the file should be placed in cases where a fixed position 448 is needed. Typical uses are for code which is not relocatable and must 449 execute in-place from a particular address. This works because SPI flash 450 is generally mapped into memory on x86 devices. The file header is 451 placed before this offset so that the data start lines up exactly with 452 the chosen offset. If this property is not provided, then the file is 453 placed in the next available spot. 454 455The current implementation supports only a subset of CBFS features. It does 456not support other file types (e.g. payload), adding multiple files (like the 457'files' entry with a pattern supported by binman), putting files at a 458particular offset in the CBFS and a few other things. 459 460Of course binman can create images containing multiple CBFSs, simply by 461defining these in the binman config:: 462 463 464 binman { 465 size = <0x800000>; 466 cbfs { 467 offset = <0x100000>; 468 size = <0x100000>; 469 u-boot { 470 cbfs-type = "raw"; 471 }; 472 u-boot-dtb { 473 cbfs-type = "raw"; 474 }; 475 }; 476 477 cbfs2 { 478 offset = <0x700000>; 479 size = <0x100000>; 480 u-boot { 481 cbfs-type = "raw"; 482 }; 483 u-boot-dtb { 484 cbfs-type = "raw"; 485 }; 486 image { 487 type = "blob"; 488 filename = "image.jpg"; 489 }; 490 }; 491 }; 492 493This creates an 8MB image with two CBFSs, one at offset 1MB, one at 7MB, 494both of size 1MB. 495 496 497 498.. _etype_collection: 499 500Entry: collection: An entry which contains a collection of other entries 501------------------------------------------------------------------------ 502 503Properties / Entry arguments: 504 - content: List of phandles to entries to include 505 506This allows reusing the contents of other entries. The contents of the 507listed entries are combined to form this entry. This serves as a useful 508base class for entry types which need to process data from elsewhere in 509the image, not necessarily child entries. 510 511The entries can generally be anywhere in the same image, even if they are in 512a different section from this entry. 513 514 515 516.. _etype_cros_ec_rw: 517 518Entry: cros-ec-rw: A blob entry which contains a Chromium OS read-write EC image 519-------------------------------------------------------------------------------- 520 521Properties / Entry arguments: 522 - cros-ec-rw-path: Filename containing the EC image 523 524This entry holds a Chromium OS EC (embedded controller) image, for use in 525updating the EC on startup via software sync. 526 527 528 529.. _etype_efi_capsule: 530 531Entry: efi-capsule: Generate EFI capsules 532----------------------------------------- 533 534The parameters needed for generation of the capsules can 535be provided as properties in the entry. 536 537Properties / Entry arguments: 538 - image-index: Unique number for identifying corresponding 539 payload image. Number between 1 and descriptor count, i.e. 540 the total number of firmware images that can be updated. Mandatory 541 property. 542 - image-guid: Image GUID which will be used for identifying the 543 updatable image on the board. Mandatory property. 544 - hardware-instance: Optional number for identifying unique 545 hardware instance of a device in the system. Default value of 0 546 for images where value is not to be used. 547 - fw-version: Value of image version that can be put on the capsule 548 through the Firmware Management Protocol(FMP) header. 549 - monotonic-count: Count used when signing an image. 550 - private-key: Path to PEM formatted .key private key file. Mandatory 551 property for generating signed capsules. 552 - public-key-cert: Path to PEM formatted .crt public key certificate 553 file. Mandatory property for generating signed capsules. 554 - oem-flags - OEM flags to be passed through capsule header. 555 556Since this is a subclass of Entry_section, all properties of the parent 557class also apply here. Except for the properties stated as mandatory, the 558rest of the properties are optional. 559 560For more details on the description of the capsule format, and the capsule 561update functionality, refer Section 8.5 and Chapter 23 in the `UEFI 562specification`_. 563 564The capsule parameters like image index and image GUID are passed as 565properties in the entry. The payload to be used in the capsule is to be 566provided as a subnode of the capsule entry. 567 568A typical capsule entry node would then look something like this:: 569 570 capsule { 571 type = "efi-capsule"; 572 image-index = <0x1>; 573 /* Image GUID for testing capsule update */ 574 image-guid = SANDBOX_UBOOT_IMAGE_GUID; 575 hardware-instance = <0x0>; 576 private-key = "path/to/the/private/key"; 577 public-key-cert = "path/to/the/public-key-cert"; 578 oem-flags = <0x8000>; 579 580 u-boot { 581 }; 582 }; 583 584In the above example, the capsule payload is the U-Boot image. The 585capsule entry would read the contents of the payload and put them 586into the capsule. Any external file can also be specified as the 587payload using the blob-ext subnode. 588 589.. _`UEFI specification`: https://uefi.org/sites/default/files/resources/UEFI_Spec_2_10_Aug29.pdf 590 591 592 593.. _etype_efi_empty_capsule: 594 595Entry: efi-empty-capsule: Generate EFI empty capsules 596----------------------------------------------------- 597 598The parameters needed for generation of the empty capsules can 599be provided as properties in the entry. 600 601Properties / Entry arguments: 602 - image-guid: Image GUID which will be used for identifying the 603 updatable image on the board. Mandatory for accept capsule. 604 - capsule-type - String to indicate type of capsule to generate. Valid 605 values are 'accept' and 'revert'. 606 607For more details on the description of the capsule format, and the capsule 608update functionality, refer Section 8.5 and Chapter 23 in the `UEFI 609specification`_. For more information on the empty capsule, refer the 610sections 2.3.2 and 2.3.3 in the `Dependable Boot specification`_. 611 612A typical accept empty capsule entry node would then look something like 613this:: 614 615 empty-capsule { 616 type = "efi-empty-capsule"; 617 /* GUID of image being accepted */ 618 image-type-id = SANDBOX_UBOOT_IMAGE_GUID; 619 capsule-type = "accept"; 620 }; 621 622A typical revert empty capsule entry node would then look something like 623this:: 624 625 empty-capsule { 626 type = "efi-empty-capsule"; 627 capsule-type = "revert"; 628 }; 629 630The empty capsules do not have any input payload image. 631 632.. _`UEFI specification`: https://uefi.org/sites/default/files/resources/UEFI_Spec_2_10_Aug29.pdf 633.. _`Dependable Boot specification`: https://git.codelinaro.org/linaro/dependable-boot/mbfw/uploads/6f7ddfe3be24e18d4319e108a758d02e/mbfw.pdf 634 635 636 637.. _etype_encrypted: 638 639Entry: encrypted: Externally built encrypted binary blob 640-------------------------------------------------------- 641 642This entry provides the functionality to include information about how to 643decrypt an encrypted binary. This information is added to the 644resulting device tree by adding a new cipher node in the entry's parent 645node (i.e. the binary). 646 647The key that must be used to decrypt the binary is either directly embedded 648in the device tree or indirectly by specifying a key source. The key source 649can be used as an id of a key that is stored in an external device. 650 651Using an embedded key 652~~~~~~~~~~~~~~~~~~~~~ 653 654This is an example using an embedded key:: 655 656 blob-ext { 657 filename = "encrypted-blob.bin"; 658 }; 659 660 encrypted { 661 algo = "aes256-gcm"; 662 iv-filename = "encrypted-blob.bin.iv"; 663 key-filename = "encrypted-blob.bin.key"; 664 }; 665 666This entry generates the following device tree structure form the example 667above:: 668 669 data = [...] 670 cipher { 671 algo = "aes256-gcm"; 672 key = <0x...>; 673 iv = <0x...>; 674 }; 675 676The data property is generated by the blob-ext etype, the cipher node and 677its content is generated by this etype. 678 679Using an external key 680~~~~~~~~~~~~~~~~~~~~~ 681 682Instead of embedding the key itself into the device tree, it is also 683possible to address an externally stored key by specifying a 'key-source' 684instead of the 'key':: 685 686 blob-ext { 687 filename = "encrypted-blob.bin"; 688 }; 689 690 encrypted { 691 algo = "aes256-gcm"; 692 iv-filename = "encrypted-blob.bin.iv"; 693 key-source = "external-key-id"; 694 }; 695 696This entry generates the following device tree structure form the example 697above:: 698 699 data = [...] 700 cipher { 701 algo = "aes256-gcm"; 702 key-source = "external-key-id"; 703 iv = <0x...>; 704 }; 705 706Properties 707~~~~~~~~~~ 708 709Properties / Entry arguments: 710 - algo: The encryption algorithm. Currently no algorithm is supported 711 out-of-the-box. Certain algorithms will be added in future 712 patches. 713 - iv-filename: The name of the file containing the initialization 714 vector (in short iv). See 715 https://en.wikipedia.org/wiki/Initialization_vector 716 - key-filename: The name of the file containing the key. Either 717 key-filename or key-source must be provided. 718 - key-source: The key that should be used. Either key-filename or 719 key-source must be provided. 720 721 722 723.. _etype_fdtmap: 724 725Entry: fdtmap: An entry which contains an FDT map 726------------------------------------------------- 727 728Properties / Entry arguments: 729 None 730 731An FDT map is just a header followed by an FDT containing a list of all the 732entries in the image. The root node corresponds to the image node in the 733original FDT, and an image-name property indicates the image name in that 734original tree. 735 736The header is the string _FDTMAP_ followed by 8 unused bytes. 737 738When used, this entry will be populated with an FDT map which reflects the 739entries in the current image. Hierarchy is preserved, and all offsets and 740sizes are included. 741 742Note that the -u option must be provided to ensure that binman updates the 743FDT with the position of each entry. 744 745Example output for a simple image with U-Boot and an FDT map:: 746 747 / { 748 image-name = "binman"; 749 size = <0x00000112>; 750 image-pos = <0x00000000>; 751 offset = <0x00000000>; 752 u-boot { 753 size = <0x00000004>; 754 image-pos = <0x00000000>; 755 offset = <0x00000000>; 756 }; 757 fdtmap { 758 size = <0x0000010e>; 759 image-pos = <0x00000004>; 760 offset = <0x00000004>; 761 }; 762 }; 763 764If allow-repack is used then 'orig-offset' and 'orig-size' properties are 765added as necessary. See the binman README. 766 767When extracting files, an alternative 'fdt' format is available for fdtmaps. 768Use `binman extract -F fdt ...` to use this. It will export a devicetree, 769without the fdtmap header, so it can be viewed with `fdtdump`. 770 771 772 773.. _etype_files: 774 775Entry: files: A set of files arranged in a section 776-------------------------------------------------- 777 778Properties / Entry arguments: 779 - pattern: Filename pattern to match the files to include 780 - files-compress: Compression algorithm to use: 781 none: No compression 782 lz4: Use lz4 compression (via 'lz4' command-line utility) 783 - files-align: Align each file to the given alignment 784 785This entry reads a number of files and places each in a separate sub-entry 786within this entry. To access these you need to enable device-tree updates 787at run-time so you can obtain the file positions. 788 789 790 791.. _etype_fill: 792 793Entry: fill: An entry which is filled to a particular byte value 794---------------------------------------------------------------- 795 796Properties / Entry arguments: 797 - fill-byte: Byte to use to fill the entry 798 799Note that the size property must be set since otherwise this entry does not 800know how large it should be. 801 802You can often achieve the same effect using the pad-byte property of the 803overall image, in that the space between entries will then be padded with 804that byte. But this entry is sometimes useful for explicitly setting the 805byte value of a region. 806 807 808 809.. _etype_fit: 810 811Entry: fit: Flat Image Tree (FIT) 812--------------------------------- 813 814This calls mkimage to create a FIT (U-Boot Flat Image Tree) based on the 815input provided. 816 817Nodes for the FIT should be written out in the binman configuration just as 818they would be in a file passed to mkimage. 819 820For example, this creates an image containing a FIT with U-Boot SPL:: 821 822 binman { 823 fit { 824 description = "Test FIT"; 825 fit,fdt-list = "of-list"; 826 827 images { 828 kernel@1 { 829 description = "SPL"; 830 os = "u-boot"; 831 type = "rkspi"; 832 arch = "arm"; 833 compression = "none"; 834 load = <0>; 835 entry = <0>; 836 837 u-boot-spl { 838 }; 839 }; 840 }; 841 }; 842 }; 843 844More complex setups can be created, with generated nodes, as described 845below. 846 847Properties (in the 'fit' node itself) 848~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 849 850Special properties have a `fit,` prefix, indicating that they should be 851processed but not included in the final FIT. 852 853The top-level 'fit' node supports the following special properties: 854 855 fit,external-offset 856 Indicates that the contents of the FIT are external and provides the 857 external offset. This is passed to mkimage via the -E and -p flags. 858 859 fit,align 860 Indicates what alignment to use for the FIT and its external data, 861 and provides the alignment to use. This is passed to mkimage via 862 the -B flag. 863 864 fit,fdt-list 865 Indicates the entry argument which provides the list of device tree 866 files for the gen-fdt-nodes operation (as below). This is often 867 `of-list` meaning that `-a of-list="dtb1 dtb2..."` should be passed 868 to binman. 869 870 fit,fdt-list-val 871 As an alternative to fit,fdt-list the list of device tree files 872 can be provided in this property as a string list, e.g.:: 873 874 fit,fdt-list-val = "dtb1", "dtb2"; 875 876 fit,fdt-list-dir 877 As an alternative to fit,fdt-list the list of device tree files 878 can be provided as a directory. Each .dtb file in the directory is 879 processed, , e.g.:: 880 881 fit,fdt-list-dir = "arch/arm/dts"; 882 883 In this case the input directories are ignored and all devicetree 884 files must be in that directory. 885 886 fit,sign 887 Enable signing FIT images via mkimage as described in 888 verified-boot.rst. If the property is found, the private keys path 889 is detected among binman include directories and passed to mkimage 890 via -k flag. All the keys required for signing FIT must be 891 available at time of signing and must be located in single include 892 directory. 893 894 fit,encrypt 895 Enable data encryption in FIT images via mkimage. If the property 896 is found, the keys path is detected among binman include 897 directories and passed to mkimage via -k flag. All the keys 898 required for encrypting the FIT must be available at the time of 899 encrypting and must be located in a single include directory. 900 901Substitutions 902~~~~~~~~~~~~~ 903 904Node names and property values support a basic string-substitution feature. 905Available substitutions for '@' nodes (and property values) are: 906 907SEQ: 908 Sequence number of the generated fdt (1, 2, ...) 909NAME 910 Name of the dtb as provided (i.e. without adding '.dtb') 911 912The `default` property, if present, will be automatically set to the name 913if of configuration whose devicetree matches the `default-dt` entry 914argument, e.g. with `-a default-dt=sun50i-a64-pine64-lts`. 915 916Available substitutions for property values in these nodes are: 917 918DEFAULT-SEQ: 919 Sequence number of the default fdt, as provided by the 'default-dt' 920 entry argument 921 922DEFAULT-NAME: 923 Name of the default fdt, as provided by the 'default-dt' entry argument 924 925Available operations 926~~~~~~~~~~~~~~~~~~~~ 927 928You can add an operation to an '@' node to indicate which operation is 929required:: 930 931 @fdt-SEQ { 932 fit,operation = "gen-fdt-nodes"; 933 ... 934 }; 935 936Available operations are: 937 938gen-fdt-nodes 939 Generate FDT nodes as above. This is the default if there is no 940 `fit,operation` property. 941 942split-elf 943 Split an ELF file into a separate node for each segment. 944 945Generating nodes from an FDT list (gen-fdt-nodes) 946~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 947 948U-Boot supports creating fdt and config nodes automatically. To do this, 949pass an `of-list` property (e.g. `-a of-list=file1 file2`). This tells 950binman that you want to generates nodes for two files: `file1.dtb` and 951`file2.dtb`. The `fit,fdt-list` property (see above) indicates that 952`of-list` should be used. If the property is missing you will get an error. 953 954Then add a 'generator node', a node with a name starting with '@':: 955 956 images { 957 @fdt-SEQ { 958 description = "fdt-NAME"; 959 type = "flat_dt"; 960 compression = "none"; 961 }; 962 }; 963 964This tells binman to create nodes `fdt-1` and `fdt-2` for each of your two 965files. All the properties you specify will be included in the node. This 966node acts like a template to generate the nodes. The generator node itself 967does not appear in the output - it is replaced with what binman generates. 968A 'data' property is created with the contents of the FDT file. 969 970You can create config nodes in a similar way:: 971 972 configurations { 973 default = "@config-DEFAULT-SEQ"; 974 @config-SEQ { 975 description = "NAME"; 976 firmware = "atf"; 977 loadables = "uboot"; 978 fdt = "fdt-SEQ"; 979 fit,compatible; // optional 980 }; 981 }; 982 983This tells binman to create nodes `config-1` and `config-2`, i.e. a config 984for each of your two files. 985 986It is also possible to use NAME in the node names so that the FDT files name 987will be used instead of the sequence number. This can be useful to identify 988easily at runtime in U-Boot, the config to be used:: 989 990 configurations { 991 default = "@config-DEFAULT-NAME"; 992 @config-NAME { 993 description = "NAME"; 994 firmware = "atf"; 995 loadables = "uboot"; 996 fdt = "fdt-NAME"; 997 fit,compatible; // optional 998 }; 999 }; 1000 1001Note that if no devicetree files are provided (with '-a of-list' as above) 1002then no nodes will be generated. 1003 1004The 'fit,compatible' property (if present) is replaced with the compatible 1005string from the root node of the devicetree, so that things work correctly 1006with FIT's configuration-matching algortihm. 1007 1008Dealing with phases 1009~~~~~~~~~~~~~~~~~~~ 1010 1011FIT can be used to load firmware. In this case it may be necessary to run 1012the devicetree for each model through fdtgrep to remove unwanted properties. 1013The 'fit,fdt-phase' property can be provided to indicate the phase for which 1014the devicetree is intended. 1015 1016For example this indicates that the FDT should be processed for VPL:: 1017 1018 images { 1019 @fdt-SEQ { 1020 description = "fdt-NAME"; 1021 type = "flat_dt"; 1022 compression = "none"; 1023 fit,fdt-phase = "vpl"; 1024 }; 1025 }; 1026 1027Using this mechanism, it is possible to generate a FIT which can provide VPL 1028images for multiple models, with TPL selecting the correct model to use. The 1029same approach can of course be used for SPL images. 1030 1031Note that the `of-spl-remove-props` entryarg can be used to indicate 1032additional properties to remove. It is often used to remove properties like 1033`clock-names` and `pinctrl-names` which are not needed in SPL builds. This 1034value is automatically passed to binman by the U-Boot build. 1035 1036See :ref:`fdtgrep_filter` for more information. 1037 1038Generating nodes from an ELF file (split-elf) 1039~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1040 1041This uses the node as a template to generate multiple nodes. The following 1042special properties are available: 1043 1044split-elf 1045 Split an ELF file into a separate node for each segment. This uses the 1046 node as a template to generate multiple nodes. The following special 1047 properties are available: 1048 1049 fit,load 1050 Generates a `load = <...>` property with the load address of the 1051 segment 1052 1053 fit,entry 1054 Generates a `entry = <...>` property with the entry address of the 1055 ELF. This is only produced for the first entry 1056 1057 fit,data 1058 Generates a `data = <...>` property with the contents of the segment 1059 1060 fit,firmware 1061 Generates a `firmware = <...>` property. Provides a list of possible 1062 nodes to be used as the `firmware` property value. The first valid 1063 node is picked as the firmware. Any remaining valid nodes is 1064 prepended to the `loadable` property generated by `fit,loadables` 1065 1066 fit,loadables 1067 Generates a `loadable = <...>` property with a list of the generated 1068 nodes (including all nodes if this operation is used multiple times) 1069 1070 1071Here is an example showing ATF, TEE and a device tree all combined:: 1072 1073 fit { 1074 description = "test-desc"; 1075 #address-cells = <1>; 1076 fit,fdt-list = "of-list"; 1077 1078 images { 1079 u-boot { 1080 description = "U-Boot (64-bit)"; 1081 type = "standalone"; 1082 os = "U-Boot"; 1083 arch = "arm64"; 1084 compression = "none"; 1085 load = <CONFIG_TEXT_BASE>; 1086 u-boot-nodtb { 1087 }; 1088 }; 1089 @fdt-SEQ { 1090 description = "fdt-NAME.dtb"; 1091 type = "flat_dt"; 1092 compression = "none"; 1093 }; 1094 @atf-SEQ { 1095 fit,operation = "split-elf"; 1096 description = "ARM Trusted Firmware"; 1097 type = "firmware"; 1098 arch = "arm64"; 1099 os = "arm-trusted-firmware"; 1100 compression = "none"; 1101 fit,load; 1102 fit,entry; 1103 fit,data; 1104 1105 atf-bl31 { 1106 }; 1107 hash { 1108 algo = "sha256"; 1109 }; 1110 }; 1111 1112 @tee-SEQ { 1113 fit,operation = "split-elf"; 1114 description = "TEE"; 1115 type = "tee"; 1116 arch = "arm64"; 1117 os = "tee"; 1118 compression = "none"; 1119 fit,load; 1120 fit,entry; 1121 fit,data; 1122 1123 tee-os { 1124 }; 1125 hash { 1126 algo = "sha256"; 1127 }; 1128 }; 1129 }; 1130 1131 configurations { 1132 default = "@config-DEFAULT-SEQ"; 1133 @config-SEQ { 1134 description = "conf-NAME.dtb"; 1135 fdt = "fdt-SEQ"; 1136 fit,firmware = "atf-1", "u-boot"; 1137 fit,loadables; 1138 }; 1139 }; 1140 }; 1141 1142If ATF-BL31 is available, this generates a node for each segment in the 1143ELF file, for example:: 1144 1145 images { 1146 atf-1 { 1147 data = <...contents of first segment...>; 1148 data-offset = <0x00000000>; 1149 entry = <0x00040000>; 1150 load = <0x00040000>; 1151 compression = "none"; 1152 os = "arm-trusted-firmware"; 1153 arch = "arm64"; 1154 type = "firmware"; 1155 description = "ARM Trusted Firmware"; 1156 hash { 1157 algo = "sha256"; 1158 value = <...hash of first segment...>; 1159 }; 1160 }; 1161 atf-2 { 1162 data = <...contents of second segment...>; 1163 load = <0xff3b0000>; 1164 compression = "none"; 1165 os = "arm-trusted-firmware"; 1166 arch = "arm64"; 1167 type = "firmware"; 1168 description = "ARM Trusted Firmware"; 1169 hash { 1170 algo = "sha256"; 1171 value = <...hash of second segment...>; 1172 }; 1173 }; 1174 }; 1175 1176The same applies for OP-TEE if that is available. 1177 1178If each binary is not available, the relevant template node (@atf-SEQ or 1179@tee-SEQ) is removed from the output. 1180 1181This also generates a `config-xxx` node for each device tree in `of-list`. 1182Note that the U-Boot build system uses `-a of-list=$(CONFIG_OF_LIST)` 1183so you can use `CONFIG_OF_LIST` to define that list. In this example it is 1184set up for `firefly-rk3399` with a single device tree and the default set 1185with `-a default-dt=$(CONFIG_DEFAULT_DEVICE_TREE)`, so the resulting output 1186is:: 1187 1188 configurations { 1189 default = "config-1"; 1190 config-1 { 1191 loadables = "u-boot", "atf-2", "atf-3", "tee-1", "tee-2"; 1192 description = "rk3399-firefly.dtb"; 1193 fdt = "fdt-1"; 1194 firmware = "atf-1"; 1195 }; 1196 }; 1197 1198U-Boot SPL can then load the firmware (ATF) and all the loadables (U-Boot 1199proper, ATF and TEE), then proceed with the boot. 1200 1201 1202 1203.. _etype_fmap: 1204 1205Entry: fmap: An entry which contains an Fmap section 1206---------------------------------------------------- 1207 1208Properties / Entry arguments: 1209 None 1210 1211FMAP is a simple format used by flashrom, an open-source utility for 1212reading and writing the SPI flash, typically on x86 CPUs. The format 1213provides flashrom with a list of areas, so it knows what it in the flash. 1214It can then read or write just a single area, instead of the whole flash. 1215 1216The format is defined by the flashrom project, in the file lib/fmap.h - 1217see www.flashrom.org/Flashrom for more information. 1218 1219When used, this entry will be populated with an FMAP which reflects the 1220entries in the current image. Note that any hierarchy is squashed, since 1221FMAP does not support this. Sections are represented as an area appearing 1222before its contents, so that it is possible to reconstruct the hierarchy 1223from the FMAP by using the offset information. This convention does not 1224seem to be documented, but is used in Chromium OS. 1225 1226To mark an area as preserved, use the normal 'preserved' flag in the entry. 1227This will result in the corresponding FMAP area having the 1228FMAP_AREA_PRESERVE flag. This flag does not automatically propagate down to 1229child entries. 1230 1231CBFS entries appear as a single entry, i.e. the sub-entries are ignored. 1232 1233 1234 1235.. _etype_gbb: 1236 1237Entry: gbb: An entry which contains a Chromium OS Google Binary Block 1238--------------------------------------------------------------------- 1239 1240Properties / Entry arguments: 1241 - hardware-id: Hardware ID to use for this build (a string) 1242 - keydir: Directory containing the public keys to use 1243 - bmpblk: Filename containing images used by recovery 1244 1245Chromium OS uses a GBB to store various pieces of information, in particular 1246the root and recovery keys that are used to verify the boot process. Some 1247more details are here: 1248 1249 https://www.chromium.org/chromium-os/firmware-porting-guide/2-concepts 1250 1251but note that the page dates from 2013 so is quite out of date. See 1252README.chromium for how to obtain the required keys and tools. 1253 1254 1255 1256.. _etype_image_header: 1257 1258Entry: image-header: An entry which contains a pointer to the FDT map 1259--------------------------------------------------------------------- 1260 1261Properties / Entry arguments: 1262 location: Location of header ("start" or "end" of image). This is 1263 optional. If omitted then the entry must have an offset property. 1264 1265This adds an 8-byte entry to the start or end of the image, pointing to the 1266location of the FDT map. The format is a magic number followed by an offset 1267from the start or end of the image, in twos-compliment format. 1268 1269This entry must be in the top-level part of the image. 1270 1271NOTE: If the location is at the start/end, you will probably need to specify 1272sort-by-offset for the image, unless you actually put the image header 1273first/last in the entry list. 1274 1275 1276 1277.. _etype_intel_cmc: 1278 1279Entry: intel-cmc: Intel Chipset Micro Code (CMC) file 1280----------------------------------------------------- 1281 1282Properties / Entry arguments: 1283 - filename: Filename of file to read into entry 1284 1285This file contains microcode for some devices in a special format. An 1286example filename is 'Microcode/C0_22211.BIN'. 1287 1288See README.x86 for information about x86 binary blobs. 1289 1290 1291 1292.. _etype_intel_descriptor: 1293 1294Entry: intel-descriptor: Intel flash descriptor block (4KB) 1295----------------------------------------------------------- 1296 1297Properties / Entry arguments: 1298 filename: Filename of file containing the descriptor. This is typically 1299 a 4KB binary file, sometimes called 'descriptor.bin' 1300 1301This entry is placed at the start of flash and provides information about 1302the SPI flash regions. In particular it provides the base address and 1303size of the ME (Management Engine) region, allowing us to place the ME 1304binary in the right place. 1305 1306With this entry in your image, the position of the 'intel-me' entry will be 1307fixed in the image, which avoids you needed to specify an offset for that 1308region. This is useful, because it is not possible to change the position 1309of the ME region without updating the descriptor. 1310 1311See README.x86 for information about x86 binary blobs. 1312 1313 1314 1315.. _etype_intel_fit: 1316 1317Entry: intel-fit: Intel Firmware Image Table (FIT) 1318-------------------------------------------------- 1319 1320This entry contains a dummy FIT as required by recent Intel CPUs. The FIT 1321contains information about the firmware and microcode available in the 1322image. 1323 1324At present binman only supports a basic FIT with no microcode. 1325 1326 1327 1328.. _etype_intel_fit_ptr: 1329 1330Entry: intel-fit-ptr: Intel Firmware Image Table (FIT) pointer 1331-------------------------------------------------------------- 1332 1333This entry contains a pointer to the FIT. It is required to be at address 13340xffffffc0 in the image. 1335 1336 1337 1338.. _etype_intel_fsp: 1339 1340Entry: intel-fsp: Intel Firmware Support Package (FSP) file 1341----------------------------------------------------------- 1342 1343Properties / Entry arguments: 1344 - filename: Filename of file to read into entry 1345 1346This file contains binary blobs which are used on some devices to make the 1347platform work. U-Boot executes this code since it is not possible to set up 1348the hardware using U-Boot open-source code. Documentation is typically not 1349available in sufficient detail to allow this. 1350 1351An example filename is 'FSP/QUEENSBAY_FSP_GOLD_001_20-DECEMBER-2013.fd' 1352 1353See README.x86 for information about x86 binary blobs. 1354 1355 1356 1357.. _etype_intel_fsp_m: 1358 1359Entry: intel-fsp-m: Intel Firmware Support Package (FSP) memory init 1360-------------------------------------------------------------------- 1361 1362Properties / Entry arguments: 1363 - filename: Filename of file to read into entry 1364 1365This file contains a binary blob which is used on some devices to set up 1366SDRAM. U-Boot executes this code in SPL so that it can make full use of 1367memory. Documentation is typically not available in sufficient detail to 1368allow U-Boot do this this itself.. 1369 1370An example filename is 'fsp_m.bin' 1371 1372See README.x86 for information about x86 binary blobs. 1373 1374 1375 1376.. _etype_intel_fsp_s: 1377 1378Entry: intel-fsp-s: Intel Firmware Support Package (FSP) silicon init 1379--------------------------------------------------------------------- 1380 1381Properties / Entry arguments: 1382 - filename: Filename of file to read into entry 1383 1384This file contains a binary blob which is used on some devices to set up 1385the silicon. U-Boot executes this code in U-Boot proper after SDRAM is 1386running, so that it can make full use of memory. Documentation is typically 1387not available in sufficient detail to allow U-Boot do this this itself. 1388 1389An example filename is 'fsp_s.bin' 1390 1391See README.x86 for information about x86 binary blobs. 1392 1393 1394 1395.. _etype_intel_fsp_t: 1396 1397Entry: intel-fsp-t: Intel Firmware Support Package (FSP) temp ram init 1398---------------------------------------------------------------------- 1399 1400Properties / Entry arguments: 1401 - filename: Filename of file to read into entry 1402 1403This file contains a binary blob which is used on some devices to set up 1404temporary memory (Cache-as-RAM or CAR). U-Boot executes this code in TPL so 1405that it has access to memory for its stack and initial storage. 1406 1407An example filename is 'fsp_t.bin' 1408 1409See README.x86 for information about x86 binary blobs. 1410 1411 1412 1413.. _etype_intel_ifwi: 1414 1415Entry: intel-ifwi: Intel Integrated Firmware Image (IFWI) file 1416-------------------------------------------------------------- 1417 1418Properties / Entry arguments: 1419 - filename: Filename of file to read into entry. This is either the 1420 IFWI file itself, or a file that can be converted into one using a 1421 tool 1422 - convert-fit: If present this indicates that the ifwitool should be 1423 used to convert the provided file into a IFWI. 1424 1425This file contains code and data used by the SoC that is required to make 1426it work. It includes U-Boot TPL, microcode, things related to the CSE 1427(Converged Security Engine, the microcontroller that loads all the firmware) 1428and other items beyond the wit of man. 1429 1430A typical filename is 'ifwi.bin' for an IFWI file, or 'fitimage.bin' for a 1431file that will be converted to an IFWI. 1432 1433The position of this entry is generally set by the intel-descriptor entry. 1434 1435The contents of the IFWI are specified by the subnodes of the IFWI node. 1436Each subnode describes an entry which is placed into the IFWFI with a given 1437sub-partition (and optional entry name). 1438 1439Properties for subnodes: 1440 - ifwi-subpart: sub-parition to put this entry into, e.g. "IBBP" 1441 - ifwi-entry: entry name t use, e.g. "IBBL" 1442 - ifwi-replace: if present, indicates that the item should be replaced 1443 in the IFWI. Otherwise it is added. 1444 1445See README.x86 for information about x86 binary blobs. 1446 1447 1448 1449.. _etype_intel_me: 1450 1451Entry: intel-me: Intel Management Engine (ME) file 1452-------------------------------------------------- 1453 1454Properties / Entry arguments: 1455 - filename: Filename of file to read into entry 1456 1457This file contains code used by the SoC that is required to make it work. 1458The Management Engine is like a background task that runs things that are 1459not clearly documented, but may include keyboard, display and network 1460access. For platform that use ME it is not possible to disable it. U-Boot 1461does not directly execute code in the ME binary. 1462 1463A typical filename is 'me.bin'. 1464 1465The position of this entry is generally set by the intel-descriptor entry. 1466 1467See README.x86 for information about x86 binary blobs. 1468 1469 1470 1471.. _etype_intel_mrc: 1472 1473Entry: intel-mrc: Intel Memory Reference Code (MRC) file 1474-------------------------------------------------------- 1475 1476Properties / Entry arguments: 1477 - filename: Filename of file to read into entry 1478 1479This file contains code for setting up the SDRAM on some Intel systems. This 1480is executed by U-Boot when needed early during startup. A typical filename 1481is 'mrc.bin'. 1482 1483See README.x86 for information about x86 binary blobs. 1484 1485 1486 1487.. _etype_intel_refcode: 1488 1489Entry: intel-refcode: Intel Reference Code file 1490----------------------------------------------- 1491 1492Properties / Entry arguments: 1493 - filename: Filename of file to read into entry 1494 1495This file contains code for setting up the platform on some Intel systems. 1496This is executed by U-Boot when needed early during startup. A typical 1497filename is 'refcode.bin'. 1498 1499See README.x86 for information about x86 binary blobs. 1500 1501 1502 1503.. _etype_intel_vbt: 1504 1505Entry: intel-vbt: Intel Video BIOS Table (VBT) file 1506--------------------------------------------------- 1507 1508Properties / Entry arguments: 1509 - filename: Filename of file to read into entry 1510 1511This file contains code that sets up the integrated graphics subsystem on 1512some Intel SoCs. U-Boot executes this when the display is started up. 1513 1514See README.x86 for information about Intel binary blobs. 1515 1516 1517 1518.. _etype_intel_vga: 1519 1520Entry: intel-vga: Intel Video Graphics Adaptor (VGA) file 1521--------------------------------------------------------- 1522 1523Properties / Entry arguments: 1524 - filename: Filename of file to read into entry 1525 1526This file contains code that sets up the integrated graphics subsystem on 1527some Intel SoCs. U-Boot executes this when the display is started up. 1528 1529This is similar to the VBT file but in a different format. 1530 1531See README.x86 for information about Intel binary blobs. 1532 1533 1534 1535.. _etype_mkimage: 1536 1537Entry: mkimage: Binary produced by mkimage 1538------------------------------------------ 1539 1540Properties / Entry arguments: 1541 - args: Arguments to pass 1542 - data-to-imagename: Indicates that the -d data should be passed in as 1543 the image name also (-n) 1544 - multiple-data-files: boolean to tell binman to pass all files as 1545 datafiles to mkimage instead of creating a temporary file the result 1546 of datafiles concatenation 1547 - filename: filename of output binary generated by mkimage 1548 1549The data passed to mkimage via the -d flag is collected from subnodes of the 1550mkimage node, e.g.:: 1551 1552 mkimage { 1553 filename = "imximage.bin"; 1554 args = "-n test -T imximage"; 1555 1556 u-boot-spl { 1557 }; 1558 }; 1559 1560This calls mkimage to create an imximage with `u-boot-spl.bin` as the data 1561file, with mkimage being called like this:: 1562 1563 mkimage -d <data_file> -n test -T imximage <output_file> 1564 1565The output from mkimage then becomes part of the image produced by 1566binman but also is written into `imximage.bin` file. If you need to put 1567multiple things in the data file, you can use a section, or just multiple 1568subnodes like this:: 1569 1570 mkimage { 1571 args = "-n test -T imximage"; 1572 1573 u-boot-spl { 1574 }; 1575 1576 u-boot-tpl { 1577 }; 1578 }; 1579 1580Note that binman places the contents (here SPL and TPL) into a single file 1581and passes that to mkimage using the -d option. 1582 1583To pass all datafiles untouched to mkimage:: 1584 1585 mkimage { 1586 args = "-n rk3399 -T rkspi"; 1587 multiple-data-files; 1588 1589 u-boot-tpl { 1590 }; 1591 1592 u-boot-spl { 1593 }; 1594 }; 1595 1596This calls mkimage to create a Rockchip RK3399-specific first stage 1597bootloader, made of TPL+SPL. Since this first stage bootloader requires to 1598align the TPL and SPL but also some weird hacks that is handled by mkimage 1599directly, binman is told to not perform the concatenation of datafiles prior 1600to passing the data to mkimage. 1601 1602To use CONFIG options in the arguments, use a string list instead, as in 1603this example which also produces four arguments:: 1604 1605 mkimage { 1606 args = "-n", CONFIG_SYS_SOC, "-T imximage"; 1607 1608 u-boot-spl { 1609 }; 1610 }; 1611 1612If you need to pass the input data in with the -n argument as well, then use 1613the 'data-to-imagename' property:: 1614 1615 mkimage { 1616 args = "-T imximage"; 1617 data-to-imagename; 1618 1619 u-boot-spl { 1620 }; 1621 }; 1622 1623That will pass the data to mkimage both as the data file (with -d) and as 1624the image name (with -n). In both cases, a filename is passed as the 1625argument, with the actual data being in that file. 1626 1627If need to pass different data in with -n, then use an `imagename` subnode:: 1628 1629 mkimage { 1630 args = "-T imximage"; 1631 1632 imagename { 1633 blob { 1634 filename = "spl/u-boot-spl.cfgout" 1635 }; 1636 }; 1637 1638 u-boot-spl { 1639 }; 1640 }; 1641 1642This will pass in u-boot-spl as the input data and the .cfgout file as the 1643-n data. 1644 1645 1646 1647.. _etype_null: 1648 1649Entry: null: An entry which has no contents of its own 1650------------------------------------------------------ 1651 1652Note that the size property must be set since otherwise this entry does not 1653know how large it should be. 1654 1655The contents are set by the containing section, e.g. the section's pad 1656byte. 1657 1658 1659 1660.. _etype_nxp_imx8mcst: 1661 1662Entry: nxp-imx8mcst: NXP i.MX8M CST .cfg file generator and cst invoker 1663----------------------------------------------------------------------- 1664 1665Properties / Entry arguments: 1666 - nxp,loader-address - loader address (SPL text base) 1667 1668 1669 1670.. _etype_nxp_imx8mimage: 1671 1672Entry: nxp-imx8mimage: NXP i.MX8M imx8mimage .cfg file generator and mkimage invoker 1673------------------------------------------------------------------------------------ 1674 1675Properties / Entry arguments: 1676 - nxp,boot-from - device to boot from (e.g. 'sd') 1677 - nxp,loader-address - loader address (SPL text base) 1678 - nxp,rom-version - BootROM version ('2' for i.MX8M Nano and Plus) 1679 1680 1681 1682.. _etype_nxp_header_ddrfw: 1683 1684Entry: nxp-header-ddrfw: add a header to DDR PHY firmware images 1685---------------------------------------------------------------- 1686 1687This entry is used to combine DDR PHY firmware images and their byte counts 1688together. See imx95_evk.rst for how to get DDR PHY Firmware Images. 1689 1690 1691 1692.. _etype_opensbi: 1693 1694Entry: opensbi: RISC-V OpenSBI fw_dynamic blob 1695---------------------------------------------- 1696 1697Properties / Entry arguments: 1698 - opensbi-path: Filename of file to read into entry. This is typically 1699 called fw_dynamic.bin 1700 1701This entry holds the run-time firmware, typically started by U-Boot SPL. 1702See the U-Boot README for your architecture or board for how to use it. See 1703https://github.com/riscv/opensbi for more information about OpenSBI. 1704 1705 1706 1707.. _etype_powerpc_mpc85xx_bootpg_resetvec: 1708 1709Entry: powerpc-mpc85xx-bootpg-resetvec: PowerPC mpc85xx bootpg + resetvec code for U-Boot 1710----------------------------------------------------------------------------------------- 1711 1712Properties / Entry arguments: 1713 - filename: Filename of u-boot-br.bin (default 'u-boot-br.bin') 1714 1715This entry is valid for PowerPC mpc85xx cpus. This entry holds 1716'bootpg + resetvec' code for PowerPC mpc85xx CPUs which needs to be 1717placed at offset 'RESET_VECTOR_ADDRESS - 0xffc'. 1718 1719 1720 1721.. _etype_pre_load: 1722 1723Entry: pre-load: Pre load image header 1724-------------------------------------- 1725 1726Properties / Entry arguments: 1727 - pre-load-key-path: Path of the directory that store key (provided by 1728 the environment variable PRE_LOAD_KEY_PATH) 1729 - content: List of phandles to entries to sign 1730 - algo-name: Hash and signature algo to use for the signature 1731 - padding-name: Name of the padding (pkcs-1.5 or pss) 1732 - key-name: Filename of the private key to sign 1733 - header-size: Total size of the header 1734 - version: Version of the header 1735 1736This entry creates a pre-load header that contains a global 1737image signature. 1738 1739For example, this creates an image with a pre-load header and a binary:: 1740 1741 binman { 1742 image2 { 1743 filename = "sandbox.bin"; 1744 1745 pre-load { 1746 content = <&image>; 1747 algo-name = "sha256,rsa2048"; 1748 padding-name = "pss"; 1749 key-name = "private.pem"; 1750 header-size = <4096>; 1751 version = <1>; 1752 }; 1753 1754 image: blob-ext { 1755 filename = "sandbox.itb"; 1756 }; 1757 }; 1758 }; 1759 1760 1761 1762.. _etype_rockchip_tpl: 1763 1764Entry: rockchip-tpl: Rockchip TPL binary 1765---------------------------------------- 1766 1767Properties / Entry arguments: 1768 - rockchip-tpl-path: Filename of file to read into the entry, 1769 typically <soc>_ddr_<version>.bin 1770 1771This entry holds an external TPL binary used by some Rockchip SoCs 1772instead of normal U-Boot TPL, typically to initialize DRAM. 1773 1774 1775 1776.. _etype_scp: 1777 1778Entry: scp: System Control Processor (SCP) firmware blob 1779-------------------------------------------------------- 1780 1781Properties / Entry arguments: 1782 - scp-path: Filename of file to read into the entry, typically scp.bin 1783 1784This entry holds firmware for an external platform-specific coprocessor. 1785 1786 1787 1788.. _etype_section: 1789 1790Entry: section: Entry that contains other entries 1791------------------------------------------------- 1792 1793A section is an entry which can contain other entries, thus allowing 1794hierarchical images to be created. See 'Sections and hierarchical images' 1795in the binman README for more information. 1796 1797The base implementation simply joins the various entries together, using 1798various rules about alignment, etc. 1799 1800Subclassing 1801~~~~~~~~~~~ 1802 1803This class can be subclassed to support other file formats which hold 1804multiple entries, such as CBFS. To do this, override the following 1805functions. The documentation here describes what your function should do. 1806For example code, see etypes which subclass `Entry_section`, or `cbfs.py` 1807for a more involved example:: 1808 1809 $ grep -l \(Entry_section tools/binman/etype/*.py 1810 1811ReadNode() 1812 Call `super().ReadNode()`, then read any special properties for the 1813 section. Then call `self.ReadEntries()` to read the entries. 1814 1815 Binman calls this at the start when reading the image description. 1816 1817ReadEntries() 1818 Read in the subnodes of the section. This may involve creating entries 1819 of a particular etype automatically, as well as reading any special 1820 properties in the entries. For each entry, entry.ReadNode() should be 1821 called, to read the basic entry properties. The properties should be 1822 added to `self._entries[]`, in the correct order, with a suitable name. 1823 1824 Binman calls this at the start when reading the image description. 1825 1826BuildSectionData(required) 1827 Create the custom file format that you want and return it as bytes. 1828 This likely sets up a file header, then loops through the entries, 1829 adding them to the file. For each entry, call `entry.GetData()` to 1830 obtain the data. If that returns None, and `required` is False, then 1831 this method must give up and return None. But if `required` is True then 1832 it should assume that all data is valid. 1833 1834 Binman calls this when packing the image, to find out the size of 1835 everything. It is called again at the end when building the final image. 1836 1837SetImagePos(image_pos): 1838 Call `super().SetImagePos(image_pos)`, then set the `image_pos` values 1839 for each of the entries. This should use the custom file format to find 1840 the `start offset` (and `image_pos`) of each entry. If the file format 1841 uses compression in such a way that there is no offset available (other 1842 than reading the whole file and decompressing it), then the offsets for 1843 affected entries can remain unset (`None`). The size should also be set 1844 if possible. 1845 1846 Binman calls this after the image has been packed, to update the 1847 location that all the entries ended up at. 1848 1849ReadChildData(child, decomp, alt_format): 1850 The default version of this may be good enough, if you are able to 1851 implement SetImagePos() correctly. But that is a bit of a bypass, so 1852 you can override this method to read from your custom file format. It 1853 should read the entire entry containing the custom file using 1854 `super().ReadData(True)`, then parse the file to get the data for the 1855 given child, then return that data. 1856 1857 If your file format supports compression, the `decomp` argument tells 1858 you whether to return the compressed data (`decomp` is False) or to 1859 uncompress it first, then return the uncompressed data (`decomp` is 1860 True). This is used by the `binman extract -U` option. 1861 1862 If your entry supports alternative formats, the alt_format provides the 1863 alternative format that the user has selected. Your function should 1864 return data in that format. This is used by the 'binman extract -l' 1865 option. 1866 1867 Binman calls this when reading in an image, in order to populate all the 1868 entries with the data from that image (`binman ls`). 1869 1870WriteChildData(child): 1871 Binman calls this after `child.data` is updated, to inform the custom 1872 file format about this, in case it needs to do updates. 1873 1874 The default version of this does nothing and probably needs to be 1875 overridden for the 'binman replace' command to work. Your version should 1876 use `child.data` to update the data for that child in the custom file 1877 format. 1878 1879 Binman calls this when updating an image that has been read in and in 1880 particular to update the data for a particular entry (`binman replace`) 1881 1882Properties / Entry arguments 1883~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1884 1885See :ref:`develop/package/binman:Image description format` for more 1886information. 1887 1888align-default 1889 Default alignment for this section, if no alignment is given in the 1890 entry 1891 1892pad-byte 1893 Pad byte to use when padding 1894 1895sort-by-offset 1896 True if entries should be sorted by offset, False if they must be 1897 in-order in the device tree description 1898 1899end-at-4gb 1900 Used to build an x86 ROM which ends at 4GB (2^32) 1901 1902name-prefix 1903 Adds a prefix to the name of every entry in the section when writing out 1904 the map 1905 1906skip-at-start 1907 Number of bytes before the first entry starts. These effectively adjust 1908 the starting offset of entries. For example, if this is 16, then the 1909 first entry would start at 16. An entry with offset = 20 would in fact 1910 be written at offset 4 in the image file, since the first 16 bytes are 1911 skipped when writing. 1912 1913filename 1914 filename to write the unpadded section contents to within the output 1915 directory (None to skip this). 1916 1917Since a section is also an entry, it inherits all the properies of entries 1918too. 1919 1920Note that the `allow_missing` member controls whether this section permits 1921external blobs to be missing their contents. The option will produce an 1922image but of course it will not work. It is useful to make sure that 1923Continuous Integration systems can build without the binaries being 1924available. This is set by the `SetAllowMissing()` method, if 1925`--allow-missing` is passed to binman. 1926 1927 1928 1929.. _etype_tee_os: 1930 1931Entry: tee-os: Entry containing an OP-TEE Trusted OS (TEE) blob 1932--------------------------------------------------------------- 1933 1934Properties / Entry arguments: 1935 - tee-os-path: Filename of file to read into entry. This is typically 1936 called tee.bin or tee.elf 1937 1938This entry holds the run-time firmware, typically started by U-Boot SPL. 1939See the U-Boot README for your architecture or board for how to use it. See 1940https://github.com/OP-TEE/optee_os for more information about OP-TEE. 1941 1942Note that if the file is in ELF format, it must go in a FIT. In that case, 1943this entry will mark itself as absent, providing the data only through the 1944read_elf_segments() method. 1945 1946Marking this entry as absent means that it if is used in the wrong context 1947it can be automatically dropped. Thus it is possible to add an OP-TEE entry 1948like this:: 1949 1950 binman { 1951 tee-os { 1952 }; 1953 }; 1954 1955and pass either an ELF or plain binary in with -a tee-os-path <filename> 1956and have binman do the right thing: 1957 1958 - include the entry if tee.bin is provided and it does NOT have the v1 1959 header 1960 - drop it otherwise 1961 1962When used within a FIT, we can do:: 1963 1964 binman { 1965 fit { 1966 tee-os { 1967 }; 1968 }; 1969 }; 1970 1971which will split the ELF into separate nodes for each segment, if an ELF 1972file is provided (see :ref:`etype_fit`), or produce a single node if the 1973OP-TEE binary v1 format is provided (see optee_doc_) . 1974 1975.. _optee_doc: https://optee.readthedocs.io/en/latest/architecture/core.html#partitioning-of-the-binary 1976 1977 1978 1979.. _etype_text: 1980 1981Entry: text: An entry which contains text 1982----------------------------------------- 1983 1984The text can be provided either in the node itself or by a command-line 1985argument. There is a level of indirection to allow multiple text strings 1986and sharing of text. 1987 1988Properties / Entry arguments: 1989 text-label: The value of this string indicates the property / entry-arg 1990 that contains the string to place in the entry 1991 <xxx> (actual name is the value of text-label): contains the string to 1992 place in the entry. 1993 <text>: The text to place in the entry (overrides the above mechanism). 1994 This is useful when the text is constant. 1995 1996Example node:: 1997 1998 text { 1999 size = <50>; 2000 text-label = "message"; 2001 }; 2002 2003You can then use: 2004 2005 binman -amessage="this is my message" 2006 2007and binman will insert that string into the entry. 2008 2009It is also possible to put the string directly in the node:: 2010 2011 text { 2012 size = <8>; 2013 text-label = "message"; 2014 message = "a message directly in the node" 2015 }; 2016 2017or just:: 2018 2019 text { 2020 size = <8>; 2021 text = "some text directly in the node" 2022 }; 2023 2024The text is not itself nul-terminated. This can be achieved, if required, 2025by setting the size of the entry to something larger than the text. 2026 2027 2028 2029.. _etype_ti_board_config: 2030 2031Entry: ti-board-config: An entry containing a TI schema validated board config binary 2032------------------------------------------------------------------------------------- 2033 2034This etype supports generation of two kinds of board configuration 2035binaries: singular board config binary as well as combined board config 2036binary. 2037 2038Properties / Entry arguments: 2039 - config-file: File containing board configuration data in YAML 2040 - schema-file: File containing board configuration YAML schema against 2041 which the config file is validated 2042 2043Output files: 2044 - board config binary: File containing board configuration binary 2045 2046These above parameters are used only when the generated binary is 2047intended to be a single board configuration binary. Example:: 2048 2049 my-ti-board-config { 2050 ti-board-config { 2051 config = "board-config.yaml"; 2052 schema = "schema.yaml"; 2053 }; 2054 }; 2055 2056To generate a combined board configuration binary, we pack the 2057needed individual binaries into a ti-board-config binary. In this case, 2058the available supported subnode names are board-cfg, pm-cfg, sec-cfg and 2059rm-cfg. The final binary is prepended with a header containing details about 2060the included board config binaries. Example:: 2061 2062 my-combined-ti-board-config { 2063 ti-board-config { 2064 board-cfg { 2065 config = "board-cfg.yaml"; 2066 schema = "schema.yaml"; 2067 }; 2068 sec-cfg { 2069 config = "sec-cfg.yaml"; 2070 schema = "schema.yaml"; 2071 }; 2072 } 2073 } 2074 2075 2076 2077.. _etype_ti_dm: 2078 2079Entry: ti-dm: TI Device Manager (DM) blob 2080----------------------------------------- 2081 2082Properties / Entry arguments: 2083 - ti-dm-path: Filename of file to read into the entry, typically ti-dm.bin 2084 2085This entry holds the device manager responsible for resource and power management 2086in K3 devices. See https://software-dl.ti.com/tisci/esd/latest/ for more information 2087about TI DM. 2088 2089 2090 2091.. _etype_ti_secure: 2092 2093Entry: ti-secure: Entry containing a TI x509 certificate binary 2094--------------------------------------------------------------- 2095 2096Properties / Entry arguments: 2097 - content: List of phandles to entries to sign 2098 - keyfile: Filename of file containing key to sign binary with 2099 - sha: Hash function to be used for signing 2100 - auth-in-place: This is an integer field that contains two pieces 2101 of information: 2102 2103 - Lower Byte - Remains 0x02 as per our use case 2104 ( 0x02: Move the authenticated binary back to the header ) 2105 - Upper Byte - The Host ID of the core owning the firewall 2106 2107Output files: 2108 - input.<unique_name> - input file passed to openssl 2109 - config.<unique_name> - input file generated for openssl (which is 2110 used as the config file) 2111 - cert.<unique_name> - output file generated by openssl (which is 2112 used as the entry contents) 2113 2114Depending on auth-in-place information in the inputs, we read the 2115firewall nodes that describe the configurations of firewall that TIFS 2116will be doing after reading the certificate. 2117 2118The syntax of the firewall nodes are as such:: 2119 2120 firewall-257-0 { 2121 id = <257>; /* The ID of the firewall being configured */ 2122 region = <0>; /* Region number to configure */ 2123 2124 control = /* The control register */ 2125 <(FWCTRL_EN | FWCTRL_LOCK | FWCTRL_BG | FWCTRL_CACHE)>; 2126 2127 permissions = /* The permission registers */ 2128 <((FWPRIVID_ALL << FWPRIVID_SHIFT) | 2129 FWPERM_SECURE_PRIV_RWCD | 2130 FWPERM_SECURE_USER_RWCD | 2131 FWPERM_NON_SECURE_PRIV_RWCD | 2132 FWPERM_NON_SECURE_USER_RWCD)>; 2133 2134 /* More defines can be found in k3-security.h */ 2135 2136 start_address = /* The Start Address of the firewall */ 2137 <0x0 0x0>; 2138 end_address = /* The End Address of the firewall */ 2139 <0xff 0xffffffff>; 2140 }; 2141 2142 2143openssl signs the provided data, using the TI templated config file and 2144writes the signature in this entry. This allows verification that the 2145data is genuine. 2146 2147 2148 2149.. _etype_ti_secure_rom: 2150 2151Entry: ti-secure-rom: Entry containing a TI x509 certificate binary for images booted by ROM 2152-------------------------------------------------------------------------------------------- 2153 2154Properties / Entry arguments: 2155 - keyfile: Filename of file containing key to sign binary with 2156 - combined: boolean if device follows combined boot flow 2157 - countersign: boolean if device contains countersigned system firmware 2158 - load: load address of SPL 2159 - sw-rev: software revision 2160 - sha: Hash function to be used for signing 2161 - core: core on which bootloader runs, valid cores are 'secure' and 'public' 2162 - content: phandle of SPL in case of legacy bootflow or phandles of component binaries 2163 in case of combined bootflow 2164 - core-opts (optional): lockstep (0) or split (2) mode set to 0 by default 2165 2166The following properties are only for generating a combined bootflow binary: 2167 - sysfw-inner-cert: boolean if binary contains sysfw inner certificate 2168 - dm-data: boolean if binary contains dm-data binary 2169 - content-sbl: phandle of SPL binary 2170 - content-sysfw: phandle of sysfw binary 2171 - content-sysfw-data: phandle of sysfw-data or tifs-data binary 2172 - content-sysfw-inner-cert (optional): phandle of sysfw inner certificate binary 2173 - content-dm-data (optional): phandle of dm-data binary 2174 - load-sysfw: load address of sysfw binary 2175 - load-sysfw-data: load address of sysfw-data or tifs-data binary 2176 - load-sysfw-inner-cert (optional): load address of sysfw inner certificate binary 2177 - load-dm-data (optional): load address of dm-data binary 2178 2179Output files: 2180 - input.<unique_name> - input file passed to openssl 2181 - config.<unique_name> - input file generated for openssl (which is 2182 used as the config file) 2183 - cert.<unique_name> - output file generated by openssl (which is 2184 used as the entry contents) 2185 2186openssl signs the provided data, using the TI templated config file and 2187writes the signature in this entry. This allows verification that the 2188data is genuine. 2189 2190 2191 2192.. _etype_u_boot: 2193 2194Entry: u-boot: U-Boot flat binary 2195--------------------------------- 2196 2197Properties / Entry arguments: 2198 - filename: Filename of u-boot.bin (default 'u-boot.bin') 2199 2200This is the U-Boot binary, containing relocation information to allow it 2201to relocate itself at runtime. The binary typically includes a device tree 2202blob at the end of it. 2203 2204U-Boot can access binman symbols at runtime. See :ref:`binman_fdt`. 2205 2206Note that this entry is automatically replaced with u-boot-expanded unless 2207--no-expanded is used or the node has a 'no-expanded' property. 2208 2209 2210 2211.. _etype_u_boot_dtb: 2212 2213Entry: u-boot-dtb: U-Boot device tree 2214------------------------------------- 2215 2216Properties / Entry arguments: 2217 - filename: Filename of u-boot.dtb (default 'u-boot.dtb') 2218 2219This is the U-Boot device tree, containing configuration information for 2220U-Boot. U-Boot needs this to know what devices are present and which drivers 2221to activate. 2222 2223Note: This is mostly an internal entry type, used by others. This allows 2224binman to know which entries contain a device tree. 2225 2226 2227 2228.. _etype_u_boot_dtb_with_ucode: 2229 2230Entry: u-boot-dtb-with-ucode: A U-Boot device tree file, with the microcode removed 2231----------------------------------------------------------------------------------- 2232 2233Properties / Entry arguments: 2234 - filename: Filename of u-boot.dtb (default 'u-boot.dtb') 2235 2236See Entry_u_boot_ucode for full details of the three entries involved in 2237this process. This entry provides the U-Boot device-tree file, which 2238contains the microcode. If the microcode is not being collated into one 2239place then the offset and size of the microcode is recorded by this entry, 2240for use by u-boot-with-ucode_ptr. If it is being collated, then this 2241entry deletes the microcode from the device tree (to save space) and makes 2242it available to u-boot-ucode. 2243 2244 2245 2246.. _etype_u_boot_elf: 2247 2248Entry: u-boot-elf: U-Boot ELF image 2249----------------------------------- 2250 2251Properties / Entry arguments: 2252 - filename: Filename of u-boot (default 'u-boot') 2253 2254This is the U-Boot ELF image. It does not include a device tree but can be 2255relocated to any address for execution. 2256 2257 2258 2259.. _etype_u_boot_env: 2260 2261Entry: u-boot-env: An entry which contains a U-Boot environment 2262--------------------------------------------------------------- 2263 2264Properties / Entry arguments: 2265 - filename: File containing the environment text, with each line in the 2266 form var=value 2267 2268 2269 2270.. _etype_u_boot_expanded: 2271 2272Entry: u-boot-expanded: U-Boot flat binary broken out into its component parts 2273------------------------------------------------------------------------------ 2274 2275This is a section containing the U-Boot binary and a devicetree. Using this 2276entry type automatically creates this section, with the following entries 2277in it: 2278 2279 u-boot-nodtb 2280 u-boot-dtb 2281 2282Having the devicetree separate allows binman to update it in the final 2283image, so that the entries positions are provided to the running U-Boot. 2284 2285 2286 2287.. _etype_u_boot_img: 2288 2289Entry: u-boot-img: U-Boot legacy image 2290-------------------------------------- 2291 2292Properties / Entry arguments: 2293 - filename: Filename of u-boot.img (default 'u-boot.img') 2294 2295This is the U-Boot binary as a packaged image, in legacy format. It has a 2296header which allows it to be loaded at the correct address for execution. 2297 2298You should use FIT (Flat Image Tree) instead of the legacy image for new 2299applications. 2300 2301 2302 2303.. _etype_u_boot_nodtb: 2304 2305Entry: u-boot-nodtb: U-Boot flat binary without device tree appended 2306-------------------------------------------------------------------- 2307 2308Properties / Entry arguments: 2309 - filename: Filename to include (default 'u-boot-nodtb.bin') 2310 2311This is the U-Boot binary, containing relocation information to allow it 2312to relocate itself at runtime. It does not include a device tree blob at 2313the end of it so normally cannot work without it. You can add a u-boot-dtb 2314entry after this one, or use a u-boot entry instead, normally expands to a 2315section containing u-boot and u-boot-dtb 2316 2317 2318 2319.. _etype_u_boot_spl: 2320 2321Entry: u-boot-spl: U-Boot SPL binary 2322------------------------------------ 2323 2324Properties / Entry arguments: 2325 - filename: Filename of u-boot-spl.bin (default 'spl/u-boot-spl.bin') 2326 2327This is the U-Boot SPL (Secondary Program Loader) binary. This is a small 2328binary which loads before U-Boot proper, typically into on-chip SRAM. It is 2329responsible for locating, loading and jumping to U-Boot. Note that SPL is 2330not relocatable so must be loaded to the correct address in SRAM, or written 2331to run from the correct address if direct flash execution is possible (e.g. 2332on x86 devices). 2333 2334SPL can access binman symbols at runtime. See :ref:`binman_fdt`. 2335 2336in the binman README for more information. 2337 2338The ELF file 'spl/u-boot-spl' must also be available for this to work, since 2339binman uses that to look up symbols to write into the SPL binary. 2340 2341Note that this entry is automatically replaced with u-boot-spl-expanded 2342unless --no-expanded is used or the node has a 'no-expanded' property. 2343 2344 2345 2346.. _etype_u_boot_spl_bss_pad: 2347 2348Entry: u-boot-spl-bss-pad: U-Boot SPL binary padded with a BSS region 2349--------------------------------------------------------------------- 2350 2351Properties / Entry arguments: 2352 None 2353 2354This holds the padding added after the SPL binary to cover the BSS (Block 2355Started by Symbol) region. This region holds the various variables used by 2356SPL. It is set to 0 by SPL when it starts up. If you want to append data to 2357the SPL image (such as a device tree file), you must pad out the BSS region 2358to avoid the data overlapping with U-Boot variables. This entry is useful in 2359that case. It automatically pads out the entry size to cover both the code, 2360data and BSS. 2361 2362The contents of this entry will a certain number of zero bytes, determined 2363by __bss_size 2364 2365The ELF file 'spl/u-boot-spl' must also be available for this to work, since 2366binman uses that to look up the BSS address. 2367 2368 2369 2370.. _etype_u_boot_spl_dtb: 2371 2372Entry: u-boot-spl-dtb: U-Boot SPL device tree 2373--------------------------------------------- 2374 2375Properties / Entry arguments: 2376 - filename: Filename of u-boot.dtb (default 'spl/u-boot-spl.dtb') 2377 2378This is the SPL device tree, containing configuration information for 2379SPL. SPL needs this to know what devices are present and which drivers 2380to activate. 2381 2382 2383 2384.. _etype_u_boot_spl_elf: 2385 2386Entry: u-boot-spl-elf: U-Boot SPL ELF image 2387------------------------------------------- 2388 2389Properties / Entry arguments: 2390 - filename: Filename of SPL u-boot (default 'spl/u-boot-spl') 2391 2392This is the U-Boot SPL ELF image. It does not include a device tree but can 2393be relocated to any address for execution. 2394 2395 2396 2397.. _etype_u_boot_spl_expanded: 2398 2399Entry: u-boot-spl-expanded: U-Boot SPL flat binary broken out into its component parts 2400-------------------------------------------------------------------------------------- 2401 2402Properties / Entry arguments: 2403 - spl-dtb: Controls whether this entry is selected (set to 'y' or '1' to 2404 select) 2405 2406This is a section containing the U-Boot binary, BSS padding if needed and a 2407devicetree. Using this entry type automatically creates this section, with 2408the following entries in it: 2409 2410 u-boot-spl-nodtb 2411 u-boot-spl-bss-pad 2412 u-boot-dtb 2413 2414Having the devicetree separate allows binman to update it in the final 2415image, so that the entries positions are provided to the running U-Boot. 2416 2417This entry is selected based on the value of the 'spl-dtb' entryarg. If 2418this is non-empty (and not 'n' or '0') then this expanded entry is selected. 2419 2420 2421 2422.. _etype_u_boot_spl_nodtb: 2423 2424Entry: u-boot-spl-nodtb: SPL binary without device tree appended 2425---------------------------------------------------------------- 2426 2427Properties / Entry arguments: 2428 - filename: Filename to include (default 'spl/u-boot-spl-nodtb.bin') 2429 2430This is the U-Boot SPL binary, It does not include a device tree blob at 2431the end of it so may not be able to work without it, assuming SPL needs 2432a device tree to operate on your platform. You can add a u-boot-spl-dtb 2433entry after this one, or use a u-boot-spl entry instead' which normally 2434expands to a section containing u-boot-spl-dtb, u-boot-spl-bss-pad and 2435u-boot-spl-dtb 2436 2437SPL can access binman symbols at runtime. See :ref:`binman_fdt`. 2438 2439The ELF file 'spl/u-boot-spl' must also be available for this to work, since 2440binman uses that to look up symbols to write into the SPL binary. 2441 2442 2443 2444.. _etype_u_boot_spl_pubkey_dtb: 2445 2446Entry: u-boot-spl-pubkey-dtb: U-Boot SPL device tree including public key 2447------------------------------------------------------------------------- 2448 2449Properties / Entry arguments: 2450 - key-name-hint: Public key name without extension (.crt). 2451 Default is determined by underlying 2452 bintool (fdt_add_pubkey), usually 'key'. 2453 - algo: (Optional) Algorithm used for signing. Default is determined by 2454 underlying bintool (fdt_add_pubkey), usually 'sha1,rsa2048' 2455 - required: (Optional) If present this indicates that the key must be 2456 verified for the image / configuration to be 2457 considered valid 2458 2459The following example shows an image containing an SPL which 2460is packed together with the dtb. Binman will add a signature 2461node to the dtb. 2462 2463Example node:: 2464 2465 image { 2466 ... 2467 spl { 2468 filename = "spl.bin" 2469 2470 u-boot-spl-nodtb { 2471 }; 2472 u-boot-spl-pubkey-dtb { 2473 algo = "sha384,rsa4096"; 2474 required = "conf"; 2475 key-name-hint = "dev"; 2476 }; 2477 }; 2478 ... 2479 } 2480 2481 2482 2483.. _etype_u_boot_spl_with_ucode_ptr: 2484 2485Entry: u-boot-spl-with-ucode-ptr: U-Boot SPL with embedded microcode pointer 2486---------------------------------------------------------------------------- 2487 2488This is used when SPL must set up the microcode for U-Boot. 2489 2490See Entry_u_boot_ucode for full details of the entries involved in this 2491process. 2492 2493 2494 2495.. _etype_u_boot_tpl: 2496 2497Entry: u-boot-tpl: U-Boot TPL binary 2498------------------------------------ 2499 2500Properties / Entry arguments: 2501 - filename: Filename of u-boot-tpl.bin (default 'tpl/u-boot-tpl.bin') 2502 2503This is the U-Boot TPL (Tertiary Program Loader) binary. This is a small 2504binary which loads before SPL, typically into on-chip SRAM. It is 2505responsible for locating, loading and jumping to SPL, the next-stage 2506loader. Note that SPL is not relocatable so must be loaded to the correct 2507address in SRAM, or written to run from the correct address if direct 2508flash execution is possible (e.g. on x86 devices). 2509 2510SPL can access binman symbols at runtime. See :ref:`binman_fdt`. 2511 2512in the binman README for more information. 2513 2514The ELF file 'tpl/u-boot-tpl' must also be available for this to work, since 2515binman uses that to look up symbols to write into the TPL binary. 2516 2517Note that this entry is automatically replaced with u-boot-tpl-expanded 2518unless --no-expanded is used or the node has a 'no-expanded' property. 2519 2520 2521 2522.. _etype_u_boot_tpl_bss_pad: 2523 2524Entry: u-boot-tpl-bss-pad: U-Boot TPL binary padded with a BSS region 2525--------------------------------------------------------------------- 2526 2527Properties / Entry arguments: 2528 None 2529 2530This holds the padding added after the TPL binary to cover the BSS (Block 2531Started by Symbol) region. This region holds the various variables used by 2532TPL. It is set to 0 by TPL when it starts up. If you want to append data to 2533the TPL image (such as a device tree file), you must pad out the BSS region 2534to avoid the data overlapping with U-Boot variables. This entry is useful in 2535that case. It automatically pads out the entry size to cover both the code, 2536data and BSS. 2537 2538The contents of this entry will a certain number of zero bytes, determined 2539by __bss_size 2540 2541The ELF file 'tpl/u-boot-tpl' must also be available for this to work, since 2542binman uses that to look up the BSS address. 2543 2544 2545 2546.. _etype_u_boot_tpl_dtb: 2547 2548Entry: u-boot-tpl-dtb: U-Boot TPL device tree 2549--------------------------------------------- 2550 2551Properties / Entry arguments: 2552 - filename: Filename of u-boot.dtb (default 'tpl/u-boot-tpl.dtb') 2553 2554This is the TPL device tree, containing configuration information for 2555TPL. TPL needs this to know what devices are present and which drivers 2556to activate. 2557 2558 2559 2560.. _etype_u_boot_tpl_dtb_with_ucode: 2561 2562Entry: u-boot-tpl-dtb-with-ucode: U-Boot TPL with embedded microcode pointer 2563---------------------------------------------------------------------------- 2564 2565This is used when TPL must set up the microcode for U-Boot. 2566 2567See Entry_u_boot_ucode for full details of the entries involved in this 2568process. 2569 2570 2571 2572.. _etype_u_boot_tpl_elf: 2573 2574Entry: u-boot-tpl-elf: U-Boot TPL ELF image 2575------------------------------------------- 2576 2577Properties / Entry arguments: 2578 - filename: Filename of TPL u-boot (default 'tpl/u-boot-tpl') 2579 2580This is the U-Boot TPL ELF image. It does not include a device tree but can 2581be relocated to any address for execution. 2582 2583 2584 2585.. _etype_u_boot_tpl_expanded: 2586 2587Entry: u-boot-tpl-expanded: U-Boot TPL flat binary broken out into its component parts 2588-------------------------------------------------------------------------------------- 2589 2590Properties / Entry arguments: 2591 - tpl-dtb: Controls whether this entry is selected (set to 'y' or '1' to 2592 select) 2593 2594This is a section containing the U-Boot binary, BSS padding if needed and a 2595devicetree. Using this entry type automatically creates this section, with 2596the following entries in it: 2597 2598 u-boot-tpl-nodtb 2599 u-boot-tpl-bss-pad 2600 u-boot-dtb 2601 2602Having the devicetree separate allows binman to update it in the final 2603image, so that the entries positions are provided to the running U-Boot. 2604 2605This entry is selected based on the value of the 'tpl-dtb' entryarg. If 2606this is non-empty (and not 'n' or '0') then this expanded entry is selected. 2607 2608 2609 2610.. _etype_u_boot_tpl_nodtb: 2611 2612Entry: u-boot-tpl-nodtb: TPL binary without device tree appended 2613---------------------------------------------------------------- 2614 2615Properties / Entry arguments: 2616 - filename: Filename to include (default 'tpl/u-boot-tpl-nodtb.bin') 2617 2618This is the U-Boot TPL binary, It does not include a device tree blob at 2619the end of it so may not be able to work without it, assuming TPL needs 2620a device tree to operate on your platform. You can add a u-boot-tpl-dtb 2621entry after this one, or use a u-boot-tpl entry instead, which normally 2622expands to a section containing u-boot-tpl-dtb, u-boot-tpl-bss-pad and 2623u-boot-tpl-dtb 2624 2625TPL can access binman symbols at runtime. See :ref:`binman_fdt`. 2626 2627The ELF file 'tpl/u-boot-tpl' must also be available for this to work, since 2628binman uses that to look up symbols to write into the TPL binary. 2629 2630 2631 2632.. _etype_u_boot_tpl_with_ucode_ptr: 2633 2634Entry: u-boot-tpl-with-ucode-ptr: U-Boot TPL with embedded microcode pointer 2635---------------------------------------------------------------------------- 2636 2637See Entry_u_boot_ucode for full details of the entries involved in this 2638process. 2639 2640 2641 2642.. _etype_u_boot_ucode: 2643 2644Entry: u-boot-ucode: U-Boot microcode block 2645------------------------------------------- 2646 2647Properties / Entry arguments: 2648 None 2649 2650The contents of this entry are filled in automatically by other entries 2651which must also be in the image. 2652 2653U-Boot on x86 needs a single block of microcode. This is collected from 2654the various microcode update nodes in the device tree. It is also unable 2655to read the microcode from the device tree on platforms that use FSP 2656(Firmware Support Package) binaries, because the API requires that the 2657microcode is supplied before there is any SRAM available to use (i.e. 2658the FSP sets up the SRAM / cache-as-RAM but does so in the call that 2659requires the microcode!). To keep things simple, all x86 platforms handle 2660microcode the same way in U-Boot (even non-FSP platforms). This is that 2661a table is placed at _dt_ucode_base_size containing the base address and 2662size of the microcode. This is either passed to the FSP (for FSP 2663platforms), or used to set up the microcode (for non-FSP platforms). 2664This all happens in the build system since it is the only way to get 2665the microcode into a single blob and accessible without SRAM. 2666 2667There are two cases to handle. If there is only one microcode blob in 2668the device tree, then the ucode pointer it set to point to that. This 2669entry (u-boot-ucode) is empty. If there is more than one update, then 2670this entry holds the concatenation of all updates, and the device tree 2671entry (u-boot-dtb-with-ucode) is updated to remove the microcode. This 2672last step ensures that that the microcode appears in one contiguous 2673block in the image and is not unnecessarily duplicated in the device 2674tree. It is referred to as 'collation' here. 2675 2676Entry types that have a part to play in handling microcode: 2677 2678 Entry_u_boot_with_ucode_ptr: 2679 Contains u-boot-nodtb.bin (i.e. U-Boot without the device tree). 2680 It updates it with the address and size of the microcode so that 2681 U-Boot can find it early on start-up. 2682 Entry_u_boot_dtb_with_ucode: 2683 Contains u-boot.dtb. It stores the microcode in a 2684 'self.ucode_data' property, which is then read by this class to 2685 obtain the microcode if needed. If collation is performed, it 2686 removes the microcode from the device tree. 2687 Entry_u_boot_ucode: 2688 This class. If collation is enabled it reads the microcode from 2689 the Entry_u_boot_dtb_with_ucode entry, and uses it as the 2690 contents of this entry. 2691 2692 2693 2694.. _etype_u_boot_vpl: 2695 2696Entry: u-boot-vpl: U-Boot VPL binary 2697------------------------------------ 2698 2699Properties / Entry arguments: 2700 - filename: Filename of u-boot-vpl.bin (default 'vpl/u-boot-vpl.bin') 2701 2702This is the U-Boot VPL (Verifying Program Loader) binary. This is a small 2703binary which loads before SPL, typically into on-chip SRAM. It is 2704responsible for locating, loading and jumping to SPL, the next-stage 2705loader. Note that VPL is not relocatable so must be loaded to the correct 2706address in SRAM, or written to run from the correct address if direct 2707flash execution is possible (e.g. on x86 devices). 2708 2709SPL can access binman symbols at runtime. See :ref:`binman_fdt`. 2710 2711in the binman README for more information. 2712 2713The ELF file 'vpl/u-boot-vpl' must also be available for this to work, since 2714binman uses that to look up symbols to write into the VPL binary. 2715 2716Note that this entry is automatically replaced with u-boot-vpl-expanded 2717unless --no-expanded is used or the node has a 'no-expanded' property. 2718 2719 2720 2721.. _etype_u_boot_vpl_bss_pad: 2722 2723Entry: u-boot-vpl-bss-pad: U-Boot VPL binary padded with a BSS region 2724--------------------------------------------------------------------- 2725 2726Properties / Entry arguments: 2727 None 2728 2729This holds the padding added after the VPL binary to cover the BSS (Block 2730Started by Symbol) region. This region holds the various variables used by 2731VPL. It is set to 0 by VPL when it starts up. If you want to append data to 2732the VPL image (such as a device tree file), you must pad out the BSS region 2733to avoid the data overlapping with U-Boot variables. This entry is useful in 2734that case. It automatically pads out the entry size to cover both the code, 2735data and BSS. 2736 2737The contents of this entry will a certain number of zero bytes, determined 2738by __bss_size 2739 2740The ELF file 'vpl/u-boot-vpl' must also be available for this to work, since 2741binman uses that to look up the BSS address. 2742 2743 2744 2745.. _etype_u_boot_vpl_dtb: 2746 2747Entry: u-boot-vpl-dtb: U-Boot VPL device tree 2748--------------------------------------------- 2749 2750Properties / Entry arguments: 2751 - filename: Filename of u-boot.dtb (default 'vpl/u-boot-vpl.dtb') 2752 2753This is the VPL device tree, containing configuration information for 2754VPL. VPL needs this to know what devices are present and which drivers 2755to activate. 2756 2757 2758 2759.. _etype_u_boot_vpl_elf: 2760 2761Entry: u-boot-vpl-elf: U-Boot VPL ELF image 2762------------------------------------------- 2763 2764Properties / Entry arguments: 2765 - filename: Filename of VPL u-boot (default 'vpl/u-boot-vpl') 2766 2767This is the U-Boot VPL ELF image. It does not include a device tree but can 2768be relocated to any address for execution. 2769 2770 2771 2772.. _etype_u_boot_vpl_expanded: 2773 2774Entry: u-boot-vpl-expanded: U-Boot VPL flat binary broken out into its component parts 2775-------------------------------------------------------------------------------------- 2776 2777Properties / Entry arguments: 2778 - vpl-dtb: Controls whether this entry is selected (set to 'y' or '1' to 2779 select) 2780 2781This is a section containing the U-Boot binary, BSS padding if needed and a 2782devicetree. Using this entry type automatically creates this section, with 2783the following entries in it: 2784 2785 u-boot-vpl-nodtb 2786 u-boot-vpl-bss-pad 2787 u-boot-dtb 2788 2789Having the devicetree separate allows binman to update it in the final 2790image, so that the entries positions are provided to the running U-Boot. 2791 2792This entry is selected based on the value of the 'vpl-dtb' entryarg. If 2793this is non-empty (and not 'n' or '0') then this expanded entry is selected. 2794 2795 2796 2797.. _etype_u_boot_vpl_nodtb: 2798 2799Entry: u-boot-vpl-nodtb: VPL binary without device tree appended 2800---------------------------------------------------------------- 2801 2802Properties / Entry arguments: 2803 - filename: Filename to include (default 'vpl/u-boot-vpl-nodtb.bin') 2804 2805This is the U-Boot VPL binary, It does not include a device tree blob at 2806the end of it so may not be able to work without it, assuming VPL needs 2807a device tree to operate on your platform. You can add a u-boot-vpl-dtb 2808entry after this one, or use a u-boot-vpl entry instead, which normally 2809expands to a section containing u-boot-vpl-dtb, u-boot-vpl-bss-pad and 2810u-boot-vpl-dtb 2811 2812VPL can access binman symbols at runtime. See :ref:`binman_fdt`. 2813 2814The ELF file 'vpl/u-boot-vpl' must also be available for this to work, since 2815binman uses that to look up symbols to write into the VPL binary. 2816 2817 2818 2819.. _etype_u_boot_with_ucode_ptr: 2820 2821Entry: u-boot-with-ucode-ptr: U-Boot with embedded microcode pointer 2822-------------------------------------------------------------------- 2823 2824Properties / Entry arguments: 2825 - filename: Filename of u-boot-nodtb.bin (default 'u-boot-nodtb.bin') 2826 - optional-ucode: boolean property to make microcode optional. If the 2827 u-boot.bin image does not include microcode, no error will 2828 be generated. 2829 2830See Entry_u_boot_ucode for full details of the three entries involved in 2831this process. This entry updates U-Boot with the offset and size of the 2832microcode, to allow early x86 boot code to find it without doing anything 2833complicated. Otherwise it is the same as the u-boot entry. 2834 2835 2836 2837.. _etype_vblock: 2838 2839Entry: vblock: An entry which contains a Chromium OS verified boot block 2840------------------------------------------------------------------------ 2841 2842Properties / Entry arguments: 2843 - content: List of phandles to entries to sign 2844 - keydir: Directory containing the public keys to use 2845 - keyblock: Name of the key file to use (inside keydir) 2846 - signprivate: Name of provide key file to use (inside keydir) 2847 - version: Version number of the vblock (typically 1) 2848 - kernelkey: Name of the kernel key to use (inside keydir) 2849 - preamble-flags: Value of the vboot preamble flags (typically 0) 2850 2851Output files: 2852 - input.<unique_name> - input file passed to futility 2853 - vblock.<unique_name> - output file generated by futility (which is 2854 used as the entry contents) 2855 2856Chromium OS signs the read-write firmware and kernel, writing the signature 2857in this block. This allows U-Boot to verify that the next firmware stage 2858and kernel are genuine. 2859 2860 2861 2862.. _etype_x509_cert: 2863 2864Entry: x509-cert: An entry which contains an X509 certificate 2865------------------------------------------------------------- 2866 2867Properties / Entry arguments: 2868 - content: List of phandles to entries to sign 2869 2870Output files: 2871 - input.<unique_name> - input file passed to openssl 2872 - cert.<unique_name> - output file generated by openssl (which is 2873 used as the entry contents) 2874 2875openssl signs the provided data, writing the signature in this entry. This 2876allows verification that the data is genuine 2877 2878 2879 2880.. _etype_x86_reset16: 2881 2882Entry: x86-reset16: x86 16-bit reset code for U-Boot 2883---------------------------------------------------- 2884 2885Properties / Entry arguments: 2886 - filename: Filename of u-boot-x86-reset16.bin (default 2887 'u-boot-x86-reset16.bin') 2888 2889x86 CPUs start up in 16-bit mode, even if they are 32-bit CPUs. This code 2890must be placed at a particular address. This entry holds that code. It is 2891typically placed at offset CONFIG_RESET_VEC_LOC. The code is responsible 2892for jumping to the x86-start16 code, which continues execution. 2893 2894For 64-bit U-Boot, the 'x86_reset16_spl' entry type is used instead. 2895 2896 2897 2898.. _etype_x86_reset16_spl: 2899 2900Entry: x86-reset16-spl: x86 16-bit reset code for U-Boot 2901-------------------------------------------------------- 2902 2903Properties / Entry arguments: 2904 - filename: Filename of u-boot-x86-reset16.bin (default 2905 'u-boot-x86-reset16.bin') 2906 2907x86 CPUs start up in 16-bit mode, even if they are 32-bit CPUs. This code 2908must be placed at a particular address. This entry holds that code. It is 2909typically placed at offset CONFIG_RESET_VEC_LOC. The code is responsible 2910for jumping to the x86-start16 code, which continues execution. 2911 2912For 32-bit U-Boot, the 'x86_reset_spl' entry type is used instead. 2913 2914 2915 2916.. _etype_x86_reset16_tpl: 2917 2918Entry: x86-reset16-tpl: x86 16-bit reset code for U-Boot 2919-------------------------------------------------------- 2920 2921Properties / Entry arguments: 2922 - filename: Filename of u-boot-x86-reset16.bin (default 2923 'u-boot-x86-reset16.bin') 2924 2925x86 CPUs start up in 16-bit mode, even if they are 32-bit CPUs. This code 2926must be placed at a particular address. This entry holds that code. It is 2927typically placed at offset CONFIG_RESET_VEC_LOC. The code is responsible 2928for jumping to the x86-start16 code, which continues execution. 2929 2930For 32-bit U-Boot, the 'x86_reset_tpl' entry type is used instead. 2931 2932 2933 2934.. _etype_x86_start16: 2935 2936Entry: x86-start16: x86 16-bit start-up code for U-Boot 2937------------------------------------------------------- 2938 2939Properties / Entry arguments: 2940 - filename: Filename of u-boot-x86-start16.bin (default 2941 'u-boot-x86-start16.bin') 2942 2943x86 CPUs start up in 16-bit mode, even if they are 32-bit CPUs. This code 2944must be placed in the top 64KB of the ROM. The reset code jumps to it. This 2945entry holds that code. It is typically placed at offset 2946CONFIG_SYS_X86_START16. The code is responsible for changing to 32-bit mode 2947and jumping to U-Boot's entry point, which requires 32-bit mode (for 32-bit 2948U-Boot). 2949 2950For 64-bit U-Boot, the 'x86_start16_spl' entry type is used instead. 2951 2952 2953 2954.. _etype_x86_start16_spl: 2955 2956Entry: x86-start16-spl: x86 16-bit start-up code for SPL 2957-------------------------------------------------------- 2958 2959Properties / Entry arguments: 2960 - filename: Filename of spl/u-boot-x86-start16-spl.bin (default 2961 'spl/u-boot-x86-start16-spl.bin') 2962 2963x86 CPUs start up in 16-bit mode, even if they are 32-bit CPUs. This code 2964must be placed in the top 64KB of the ROM. The reset code jumps to it. This 2965entry holds that code. It is typically placed at offset 2966CONFIG_SYS_X86_START16. The code is responsible for changing to 32-bit mode 2967and jumping to U-Boot's entry point, which requires 32-bit mode (for 32-bit 2968U-Boot). 2969 2970For 32-bit U-Boot, the 'x86-start16' entry type is used instead. 2971 2972 2973 2974.. _etype_x86_start16_tpl: 2975 2976Entry: x86-start16-tpl: x86 16-bit start-up code for TPL 2977-------------------------------------------------------- 2978 2979Properties / Entry arguments: 2980 - filename: Filename of tpl/u-boot-x86-start16-tpl.bin (default 2981 'tpl/u-boot-x86-start16-tpl.bin') 2982 2983x86 CPUs start up in 16-bit mode, even if they are 32-bit CPUs. This code 2984must be placed in the top 64KB of the ROM. The reset code jumps to it. This 2985entry holds that code. It is typically placed at offset 2986CONFIG_SYS_X86_START16. The code is responsible for changing to 32-bit mode 2987and jumping to U-Boot's entry point, which requires 32-bit mode (for 32-bit 2988U-Boot). 2989 2990If TPL is not being used, the 'x86-start16-spl or 'x86-start16' entry types 2991may be used instead. 2992 2993 2994 2995.. _etype_xilinx_bootgen: 2996 2997Entry: xilinx-bootgen: Signed SPL boot image for Xilinx ZynqMP devices 2998---------------------------------------------------------------------- 2999 3000Properties / Entry arguments: 3001 - auth-params: (Optional) Authentication parameters passed to bootgen 3002 - fsbl-config: (Optional) FSBL parameters passed to bootgen 3003 - keysrc-enc: (Optional) Key source when using decryption engine 3004 - pmufw-filename: Filename of PMU firmware. Default: pmu-firmware.elf 3005 - psk-key-name-hint: Name of primary secret key to use for signing the 3006 secondardy public key. Format: .pem file 3007 - ssk-key-name-hint: Name of secondardy secret key to use for signing 3008 the boot image. Format: .pem file 3009 3010The etype is used to create a boot image for Xilinx ZynqMP 3011devices. 3012 3013Information for signed images: 3014 3015In AMD/Xilinx SoCs, two pairs of public and secret keys are used 3016- primary and secondary. The function of the primary public/secret key pair 3017is to authenticate the secondary public/secret key pair. 3018The function of the secondary key is to sign/verify the boot image. [1] 3019 3020AMD/Xilinx uses the following terms for private/public keys [1]: 3021 3022 PSK = Primary Secret Key (Used to sign Secondary Public Key) 3023 PPK = Primary Public Key (Used to verify Secondary Public Key) 3024 SSK = Secondary Secret Key (Used to sign the boot image/partitions) 3025 SPK = Used to verify the actual boot image 3026 3027The following example builds a signed boot image. The fuses of 3028the primary public key (ppk) should be fused together with the RSA_EN flag. 3029 3030Example node:: 3031 3032 spl { 3033 filename = "boot.signed.bin"; 3034 3035 xilinx-bootgen { 3036 psk-key-name-hint = "psk0"; 3037 ssk-key-name-hint = "ssk0"; 3038 auth-params = "ppk_select=0", "spk_id=0x00000000"; 3039 3040 u-boot-spl-nodtb { 3041 }; 3042 u-boot-spl-pubkey-dtb { 3043 algo = "sha384,rsa4096"; 3044 required = "conf"; 3045 key-name-hint = "dev"; 3046 }; 3047 }; 3048 }; 3049 3050For testing purposes, e.g. if no RSA_EN should be fused, one could add 3051the "bh_auth_enable" flag in the fsbl-config field. This will skip the 3052verification of the ppk fuses and boot the image, even if ppk hash is 3053invalid. 3054 3055Example node:: 3056 3057 xilinx-bootgen { 3058 psk-key-name-hint = "psk0"; 3059 psk-key-name-hint = "ssk0"; 3060 ... 3061 fsbl-config = "bh_auth_enable"; 3062 ... 3063 }; 3064 3065[1] https://docs.xilinx.com/r/en-US/ug1283-bootgen-user-guide/Using-Authentication 3066 3067 3068 3069 3070
