SPL
On boards using SPL as the second stage bootloader, like the supported
i.MX targets, SPL is used to load and verify the integrity of the FIT
image (i.e. the u-boot.itb file), which includes U-Boot proper, DTB,
OP-TEE, Arm Trusted Firmware (ARMv8), and possibly other firmware. SPL
verifies the signature of these sequentially loaded images, signed as
part of FoundriesFactory CI, to make sure they were generated with the
expected keys.
Note
At this moment, secure boot is only supported on SPL-based targets as LmP relies on a signed SPL as the root of trust.
U-Boot for the board should support SPL, so that meta-lmp can handle the SPL and FIT image generation and the signing of the FIT image components. If SPL is not yet supported, the user can enable it by following the U-Boot documentation and guidelines and add it to their U-Boot port, or contact Foundries.io support for guidance.
Next, review the board-specific U-Boot patches and align them with the
respective u-boot-fio version. Commits can be applied with git rebase or
git cherry-pick on top of the u-boot-fio branch. The patches can be
copied to the appropriate directory under meta-subscriber-overrides and
included in a u-boot-fio .bbappend file. Devtool can be used during the
process, as described in the Yocto Project documentation:
devtool modify u-boot-fio
devtool finish --force-patch-refresh u-boot-fio <layer_path>
The resultant source code from the merge of u-boot-fio and
board-specific patches can now be compiled and tested on a target. In
some cases, the user may need to create additional patches in order to
align their board support with the u-boot-fio tree.
For example:
recipes-bsp/u-boot/
├── u-boot-fio
│ └── <board>
│ ├── 0001-add-<board>-support.patch
│ ├── 0002-add-feature.patch
│ ├── 0003-fix-bug.patch
│ └── 0004-align-with-u-boot-fio.patch
└── u-boot-fio_%.bbappend
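Only patches referenced from the .bbappend are applied to the build, so a patch left in the board directory but not listed there never reaches the signed bootloader. The following check is an added example, not part of the Foundries.io documentation: it compares the patch files on disk with the file:// entries in u-boot-fio_%.bbappend. It assumes the board directory is named after the machine override, and "myboard" and the demo layout are constructed placeholders.

```shell
#!/bin/sh
# Added example: cross-check patch files on disk against the .bbappend.
# Assumes patches are listed as file://<name>.patch in u-boot-fio_%.bbappend.

# check_patches <recipe_dir> <board>
# Prints "UNLISTED <patch>" for a patch on disk that the .bbappend never
# references, and "MISSING <patch>" for a referenced patch absent on disk.
# Returns 0 only when both sets match.
check_patches() {
    dir=$1; board=$2; rc=0
    append="$dir/u-boot-fio_%.bbappend"
    # Ignore commented-out lines, then collect the referenced patch names.
    listed=$(grep -v '^[[:space:]]*#' "$append" |
             grep -o 'file://[^[:space:]"]*\.patch' | sed 's|^file://||' | sort -u)
    for p in "$dir/u-boot-fio/$board"/*.patch; do
        [ -e "$p" ] || continue
        name=${p##*/}
        printf '%s\n' "$listed" | grep -qxF -- "$name" ||
            { echo "UNLISTED $name"; rc=1; }
    done
    for name in $listed; do
        [ -e "$dir/u-boot-fio/$board/$name" ] || { echo "MISSING $name"; rc=1; }
    done
    return $rc
}

# make_demo_layer <root>: builds a constructed layout for the check above.
# "myboard" is a placeholder machine name; 0003 is deliberately left unlisted
# and 0004 is deliberately listed without a file.
make_demo_layer() {
    d="$1/recipes-bsp/u-boot"
    mkdir -p "$d/u-boot-fio/myboard"
    for n in 0001-add-myboard-support 0002-add-feature 0003-fix-bug; do
        : > "$d/u-boot-fio/myboard/$n.patch"
    done
    cat > "$d/u-boot-fio_%.bbappend" <<'EOF'
FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
SRC_URI:append:myboard = " \
    file://0001-add-myboard-support.patch \
    file://0002-add-feature.patch \
    file://0004-align-with-u-boot-fio.patch \
"
EOF
    echo "$d"
}
```

Run `check_patches <path to recipes-bsp/u-boot> <board>` in the layer before pushing; a non-zero exit status means the directory and the .bbappend disagree.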
If applicable, the user might need to follow the same procedure for TF-A patches. This would be the case for ARMv8 targets that have additional implementations by the vendor. Some considerations on TF-A to comply with LmP can be found in TF-A/OP-TEE.
Note
If the target is based on imx8m*, the user might also want to pay
attention to the provided firmware, like DDR and HDMI (when
applicable), and the vendor imx-mkimage implementation. The vendor
changes applied to u-boot-fio should match the related projects
(imx-atf, imx-mkimage), otherwise the u-boot-fio port will not work.