528229d210
For secure VMs, the signing tool will create a ticket called the "ESM blob" for the Enter Secure Mode ultravisor call with the signatures of the kernel and initrd among other things. This adds support to the wrapper script for adding that blob via the "-e" option to the zImage.pseries. It also adds code to the zImage wrapper itself to retrieve and if necessary relocate the blob, and pass its address to Linux via the device-tree, to be later consumed by prom_init. Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> [ bauerman: Minor adjustments to some comments. ] Signed-off-by: Thiago Jung Bauermann <bauerman@linux.ibm.com> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Link: https://lore.kernel.org/r/20190820021326.6884-4-bauerman@linux.ibm.com
577 lines
14 KiB
Bash
Executable File
577 lines
14 KiB
Bash
Executable File
#!/bin/sh
|
|
# SPDX-License-Identifier: GPL-2.0-only
|
|
|
|
# Copyright (C) 2006 Paul Mackerras, IBM Corporation <paulus@samba.org>
|
|
|
|
# This script takes a kernel binary and optionally an initrd image
|
|
# and/or a device-tree blob, and creates a bootable zImage for a
|
|
# given platform.
|
|
|
|
# Options:
|
|
# -o zImage specify output file
|
|
# -p platform specify platform (links in $platform.o)
|
|
# -i initrd specify initrd file
|
|
# -d devtree specify device-tree blob
|
|
# -s tree.dts specify device-tree source file (needs dtc installed)
|
|
# -e esm_blob specify ESM blob for secure images
|
|
# -c cache $kernel.strip.gz (use if present & newer, else make)
|
|
# -C prefix specify command prefix for cross-building tools
|
|
# (strip, objcopy, ld)
|
|
# -D dir specify directory containing data files used by script
|
|
# (default ./arch/powerpc/boot)
|
|
# -W dir specify working directory for temporary files (default .)
|
|
# -z use gzip (legacy)
|
|
# -Z zsuffix compression to use (gz, xz or none)
|
|
|
|
# Stop execution if any command fails
|
|
set -e
|
|
|
|
# Allow for verbose output
|
|
if [ "$V" = 1 ]; then
|
|
set -x
|
|
fi
|
|
|
|
# defaults
|
|
kernel=
|
|
ofile=zImage
|
|
platform=of
|
|
initrd=
|
|
dtb=
|
|
dts=
|
|
esm_blob=
|
|
cacheit=
|
|
binary=
|
|
compression=.gz
|
|
uboot_comp=gzip
|
|
pie=
|
|
format=
|
|
|
|
# cross-compilation prefix
|
|
CROSS=
|
|
|
|
# mkimage wrapper script
|
|
MKIMAGE=$srctree/scripts/mkuboot.sh
|
|
|
|
# directory for object and other files used by this script
|
|
object=arch/powerpc/boot
|
|
objbin=$object
|
|
dtc=scripts/dtc/dtc
|
|
|
|
# directory for working files
|
|
tmpdir=.
|
|
|
|
usage() {
|
|
echo 'Usage: wrapper [-o output] [-p platform] [-i initrd]' >&2
|
|
echo ' [-d devtree] [-s tree.dts] [-e esm_blob]' >&2
|
|
echo ' [-c] [-C cross-prefix] [-D datadir] [-W workingdir]' >&2
|
|
echo ' [-Z (gz|xz|none)] [--no-compression] [vmlinux]' >&2
|
|
exit 1
|
|
}
|
|
|
|
run_cmd() {
|
|
if [ "$V" = 1 ]; then
|
|
$* 2>&1
|
|
else
|
|
local msg
|
|
|
|
set +e
|
|
msg=$($* 2>&1)
|
|
|
|
if [ $? -ne "0" ]; then
|
|
echo $msg
|
|
exit 1
|
|
fi
|
|
set -e
|
|
fi
|
|
}
|
|
|
|
while [ "$#" -gt 0 ]; do
|
|
case "$1" in
|
|
-o)
|
|
shift
|
|
[ "$#" -gt 0 ] || usage
|
|
ofile="$1"
|
|
;;
|
|
-p)
|
|
shift
|
|
[ "$#" -gt 0 ] || usage
|
|
platform="$1"
|
|
;;
|
|
-i)
|
|
shift
|
|
[ "$#" -gt 0 ] || usage
|
|
initrd="$1"
|
|
;;
|
|
-d)
|
|
shift
|
|
[ "$#" -gt 0 ] || usage
|
|
dtb="$1"
|
|
;;
|
|
-e)
|
|
shift
|
|
[ "$#" -gt 0 ] || usage
|
|
esm_blob="$1"
|
|
;;
|
|
-s)
|
|
shift
|
|
[ "$#" -gt 0 ] || usage
|
|
dts="$1"
|
|
;;
|
|
-c)
|
|
cacheit=y
|
|
;;
|
|
-C)
|
|
shift
|
|
[ "$#" -gt 0 ] || usage
|
|
CROSS="$1"
|
|
;;
|
|
-D)
|
|
shift
|
|
[ "$#" -gt 0 ] || usage
|
|
object="$1"
|
|
objbin="$1"
|
|
;;
|
|
-W)
|
|
shift
|
|
[ "$#" -gt 0 ] || usage
|
|
tmpdir="$1"
|
|
;;
|
|
-z)
|
|
compression=.gz
|
|
uboot_comp=gzip
|
|
;;
|
|
-Z)
|
|
shift
|
|
[ "$#" -gt 0 ] || usage
|
|
[ "$1" != "gz" -o "$1" != "xz" -o "$1" != "lzma" -o "$1" != "lzo" -o "$1" != "none" ] || usage
|
|
|
|
compression=".$1"
|
|
uboot_comp=$1
|
|
|
|
if [ $compression = ".none" ]; then
|
|
compression=
|
|
uboot_comp=none
|
|
fi
|
|
if [ $uboot_comp = "gz" ]; then
|
|
uboot_comp=gzip
|
|
fi
|
|
;;
|
|
--no-gzip)
|
|
# a "feature" of the the wrapper script is that it can be used outside
|
|
# the kernel tree. So keeping this around for backwards compatibility.
|
|
compression=
|
|
uboot_comp=none
|
|
;;
|
|
-?)
|
|
usage
|
|
;;
|
|
*)
|
|
[ -z "$kernel" ] || usage
|
|
kernel="$1"
|
|
;;
|
|
esac
|
|
shift
|
|
done
|
|
|
|
|
|
if [ -n "$dts" ]; then
|
|
if [ ! -r "$dts" -a -r "$object/dts/$dts" ]; then
|
|
dts="$object/dts/$dts"
|
|
fi
|
|
if [ -z "$dtb" ]; then
|
|
dtb="$platform.dtb"
|
|
fi
|
|
$dtc -O dtb -o "$dtb" -b 0 "$dts"
|
|
fi
|
|
|
|
if [ -z "$kernel" ]; then
|
|
kernel=vmlinux
|
|
fi
|
|
|
|
LANG=C elfformat="`${CROSS}objdump -p "$kernel" | grep 'file format' | awk '{print $4}'`"
|
|
case "$elfformat" in
|
|
elf64-powerpcle) format=elf64lppc ;;
|
|
elf64-powerpc) format=elf32ppc ;;
|
|
elf32-powerpc) format=elf32ppc ;;
|
|
esac
|
|
|
|
ld_version()
|
|
{
|
|
# Poached from scripts/ld-version.sh, but we don't want to call that because
|
|
# this script (wrapper) is distributed separately from the kernel source.
|
|
# Extract linker version number from stdin and turn into single number.
|
|
awk '{
|
|
gsub(".*\\)", "");
|
|
gsub(".*version ", "");
|
|
gsub("-.*", "");
|
|
split($1,a, ".");
|
|
print a[1]*100000000 + a[2]*1000000 + a[3]*10000;
|
|
exit
|
|
}'
|
|
}
|
|
|
|
# Do not include PT_INTERP segment when linking pie. Non-pie linking
|
|
# just ignores this option.
|
|
LD_VERSION=$(${CROSS}ld --version | ld_version)
|
|
LD_NO_DL_MIN_VERSION=$(echo 2.26 | ld_version)
|
|
if [ "$LD_VERSION" -ge "$LD_NO_DL_MIN_VERSION" ] ; then
|
|
nodl="--no-dynamic-linker"
|
|
fi
|
|
|
|
platformo=$object/"$platform".o
|
|
lds=$object/zImage.lds
|
|
ext=strip
|
|
objflags=-S
|
|
tmp=$tmpdir/zImage.$$.o
|
|
ksection=.kernel:vmlinux.strip
|
|
isection=.kernel:initrd
|
|
esection=.kernel:esm_blob
|
|
link_address='0x400000'
|
|
make_space=y
|
|
|
|
|
|
if [ -n "$esm_blob" -a "$platform" != "pseries" ]; then
|
|
echo "ESM blob not support on non-pseries platforms" >&2
|
|
exit 1
|
|
fi
|
|
|
|
case "$platform" in
|
|
of)
|
|
platformo="$object/of.o $object/epapr.o"
|
|
make_space=n
|
|
;;
|
|
pseries)
|
|
platformo="$object/pseries-head.o $object/of.o $object/epapr.o"
|
|
link_address='0x4000000'
|
|
if [ "$format" != "elf32ppc" ]; then
|
|
link_address=
|
|
pie=-pie
|
|
fi
|
|
make_space=n
|
|
;;
|
|
maple)
|
|
platformo="$object/of.o $object/epapr.o"
|
|
link_address='0x400000'
|
|
make_space=n
|
|
;;
|
|
pmac|chrp)
|
|
platformo="$object/of.o $object/epapr.o"
|
|
make_space=n
|
|
;;
|
|
coff)
|
|
platformo="$object/crt0.o $object/of.o $object/epapr.o"
|
|
lds=$object/zImage.coff.lds
|
|
link_address='0x500000'
|
|
make_space=n
|
|
pie=
|
|
;;
|
|
miboot|uboot*)
|
|
# miboot and U-boot want just the bare bits, not an ELF binary
|
|
ext=bin
|
|
objflags="-O binary"
|
|
tmp="$ofile"
|
|
ksection=image
|
|
isection=initrd
|
|
;;
|
|
cuboot*)
|
|
binary=y
|
|
compression=
|
|
case "$platform" in
|
|
*-mpc866ads|*-mpc885ads|*-adder875*|*-ep88xc)
|
|
platformo=$object/cuboot-8xx.o
|
|
;;
|
|
*5200*|*-motionpro)
|
|
platformo=$object/cuboot-52xx.o
|
|
;;
|
|
*-pq2fads|*-ep8248e|*-mpc8272*|*-storcenter)
|
|
platformo=$object/cuboot-pq2.o
|
|
;;
|
|
*-mpc824*)
|
|
platformo=$object/cuboot-824x.o
|
|
;;
|
|
*-mpc83*|*-asp834x*)
|
|
platformo=$object/cuboot-83xx.o
|
|
;;
|
|
*-tqm8541|*-mpc8560*|*-tqm8560|*-tqm8555|*-ksi8560*)
|
|
platformo=$object/cuboot-85xx-cpm2.o
|
|
;;
|
|
*-mpc85*|*-tqm85*|*-sbc85*)
|
|
platformo=$object/cuboot-85xx.o
|
|
;;
|
|
*-amigaone)
|
|
link_address='0x800000'
|
|
;;
|
|
esac
|
|
;;
|
|
ps3)
|
|
platformo="$object/ps3-head.o $object/ps3-hvcall.o $object/ps3.o"
|
|
lds=$object/zImage.ps3.lds
|
|
compression=
|
|
ext=bin
|
|
objflags="-O binary --set-section-flags=.bss=contents,alloc,load,data"
|
|
ksection=.kernel:vmlinux.bin
|
|
isection=.kernel:initrd
|
|
link_address=''
|
|
make_space=n
|
|
pie=
|
|
;;
|
|
ep88xc|ep405|ep8248e)
|
|
platformo="$object/fixed-head.o $object/$platform.o"
|
|
binary=y
|
|
;;
|
|
adder875-redboot)
|
|
platformo="$object/fixed-head.o $object/redboot-8xx.o"
|
|
binary=y
|
|
;;
|
|
simpleboot-virtex405-*)
|
|
platformo="$object/virtex405-head.o $object/simpleboot.o $object/virtex.o"
|
|
binary=y
|
|
;;
|
|
simpleboot-virtex440-*)
|
|
platformo="$object/fixed-head.o $object/simpleboot.o $object/virtex.o"
|
|
binary=y
|
|
;;
|
|
simpleboot-*)
|
|
platformo="$object/fixed-head.o $object/simpleboot.o"
|
|
binary=y
|
|
;;
|
|
asp834x-redboot)
|
|
platformo="$object/fixed-head.o $object/redboot-83xx.o"
|
|
binary=y
|
|
;;
|
|
xpedite52*)
|
|
link_address='0x1400000'
|
|
platformo=$object/cuboot-85xx.o
|
|
;;
|
|
gamecube|wii)
|
|
link_address='0x600000'
|
|
platformo="$object/$platform-head.o $object/$platform.o"
|
|
;;
|
|
treeboot-currituck)
|
|
link_address='0x1000000'
|
|
;;
|
|
treeboot-akebono)
|
|
link_address='0x1000000'
|
|
;;
|
|
treeboot-iss4xx-mpic)
|
|
platformo="$object/treeboot-iss4xx.o"
|
|
;;
|
|
epapr)
|
|
platformo="$object/pseries-head.o $object/epapr.o $object/epapr-wrapper.o"
|
|
link_address='0x20000000'
|
|
pie=-pie
|
|
;;
|
|
mvme5100)
|
|
platformo="$object/fixed-head.o $object/mvme5100.o"
|
|
binary=y
|
|
;;
|
|
mvme7100)
|
|
platformo="$object/motload-head.o $object/mvme7100.o"
|
|
link_address='0x4000000'
|
|
binary=y
|
|
;;
|
|
esac
|
|
|
|
vmz="$tmpdir/`basename \"$kernel\"`.$ext"
|
|
|
|
# Calculate the vmlinux.strip size
|
|
${CROSS}objcopy $objflags "$kernel" "$vmz.$$"
|
|
strip_size=$(${CONFIG_SHELL} "${srctree}/scripts/file-size.sh" "$vmz.$$")
|
|
|
|
if [ -z "$cacheit" -o ! -f "$vmz$compression" -o "$vmz$compression" -ot "$kernel" ]; then
|
|
# recompress the image if we need to
|
|
case $compression in
|
|
.xz)
|
|
xz --check=crc32 -f -6 "$vmz.$$"
|
|
;;
|
|
.gz)
|
|
gzip -n -f -9 "$vmz.$$"
|
|
;;
|
|
.lzma)
|
|
xz --format=lzma -f -6 "$vmz.$$"
|
|
;;
|
|
.lzo)
|
|
lzop -f -9 "$vmz.$$"
|
|
;;
|
|
*)
|
|
# drop the compression suffix so the stripped vmlinux is used
|
|
compression=
|
|
uboot_comp=none
|
|
;;
|
|
esac
|
|
|
|
if [ -n "$cacheit" ]; then
|
|
mv -f "$vmz.$$$compression" "$vmz$compression"
|
|
else
|
|
vmz="$vmz.$$"
|
|
fi
|
|
else
|
|
rm -f $vmz.$$
|
|
fi
|
|
|
|
vmz="$vmz$compression"
|
|
|
|
if [ "$make_space" = "y" ]; then
|
|
# Round the size to next higher MB limit
|
|
round_size=$(((strip_size + 0xfffff) & 0xfff00000))
|
|
|
|
round_size=0x$(printf "%x" $round_size)
|
|
link_addr=$(printf "%d" $link_address)
|
|
|
|
if [ $link_addr -lt $strip_size ]; then
|
|
echo "INFO: Uncompressed kernel (size 0x$(printf "%x\n" $strip_size))" \
|
|
"overlaps the address of the wrapper($link_address)"
|
|
echo "INFO: Fixing the link_address of wrapper to ($round_size)"
|
|
link_address=$round_size
|
|
fi
|
|
fi
|
|
|
|
# Extract kernel version information, some platforms want to include
|
|
# it in the image header
|
|
version=`${CROSS}strings "$kernel" | grep '^Linux version [-0-9.]' | \
|
|
cut -d' ' -f3`
|
|
if [ -n "$version" ]; then
|
|
uboot_version="-n Linux-$version"
|
|
fi
|
|
|
|
# physical offset of kernel image
|
|
membase=`${CROSS}objdump -p "$kernel" | grep -m 1 LOAD | awk '{print $7}'`
|
|
|
|
case "$platform" in
|
|
uboot)
|
|
rm -f "$ofile"
|
|
${MKIMAGE} -A ppc -O linux -T kernel -C $uboot_comp -a $membase -e $membase \
|
|
$uboot_version -d "$vmz" "$ofile"
|
|
if [ -z "$cacheit" ]; then
|
|
rm -f "$vmz"
|
|
fi
|
|
exit 0
|
|
;;
|
|
uboot-obs600)
|
|
rm -f "$ofile"
|
|
# obs600 wants a multi image with an initrd, so we need to put a fake
|
|
# one in even when building a "normal" image.
|
|
if [ -n "$initrd" ]; then
|
|
real_rd="$initrd"
|
|
else
|
|
real_rd=`mktemp`
|
|
echo "\0" >>"$real_rd"
|
|
fi
|
|
${MKIMAGE} -A ppc -O linux -T multi -C gzip -a $membase -e $membase \
|
|
$uboot_version -d "$vmz":"$real_rd":"$dtb" "$ofile"
|
|
if [ -z "$initrd" ]; then
|
|
rm -f "$real_rd"
|
|
fi
|
|
if [ -z "$cacheit" ]; then
|
|
rm -f "$vmz"
|
|
fi
|
|
exit 0
|
|
;;
|
|
esac
|
|
|
|
addsec() {
|
|
${CROSS}objcopy $4 $1 \
|
|
--add-section=$3="$2" \
|
|
--set-section-flags=$3=contents,alloc,load,readonly,data
|
|
}
|
|
|
|
addsec $tmp "$vmz" $ksection $object/empty.o
|
|
if [ -z "$cacheit" ]; then
|
|
rm -f "$vmz"
|
|
fi
|
|
|
|
if [ -n "$initrd" ]; then
|
|
addsec $tmp "$initrd" $isection
|
|
fi
|
|
|
|
if [ -n "$dtb" ]; then
|
|
addsec $tmp "$dtb" .kernel:dtb
|
|
if [ -n "$dts" ]; then
|
|
rm $dtb
|
|
fi
|
|
fi
|
|
|
|
if [ -n "$esm_blob" ]; then
|
|
addsec $tmp "$esm_blob" $esection
|
|
fi
|
|
|
|
if [ "$platform" != "miboot" ]; then
|
|
if [ -n "$link_address" ] ; then
|
|
text_start="-Ttext $link_address"
|
|
fi
|
|
#link everything
|
|
${CROSS}ld -m $format -T $lds $text_start $pie $nodl -o "$ofile" \
|
|
$platformo $tmp $object/wrapper.a
|
|
rm $tmp
|
|
fi
|
|
|
|
# Some platforms need the zImage's entry point and base address
|
|
base=0x`${CROSS}nm "$ofile" | grep ' _start$' | cut -d' ' -f1`
|
|
entry=`${CROSS}objdump -f "$ofile" | grep '^start address ' | cut -d' ' -f3`
|
|
|
|
if [ -n "$binary" ]; then
|
|
mv "$ofile" "$ofile".elf
|
|
${CROSS}objcopy -O binary "$ofile".elf "$ofile"
|
|
fi
|
|
|
|
# post-processing needed for some platforms
|
|
case "$platform" in
|
|
pseries|chrp|maple)
|
|
$objbin/addnote "$ofile"
|
|
;;
|
|
coff)
|
|
${CROSS}objcopy -O aixcoff-rs6000 --set-start "$entry" "$ofile"
|
|
$objbin/hack-coff "$ofile"
|
|
;;
|
|
cuboot*)
|
|
gzip -n -f -9 "$ofile"
|
|
${MKIMAGE} -A ppc -O linux -T kernel -C gzip -a "$base" -e "$entry" \
|
|
$uboot_version -d "$ofile".gz "$ofile"
|
|
;;
|
|
treeboot*)
|
|
mv "$ofile" "$ofile.elf"
|
|
$objbin/mktree "$ofile.elf" "$ofile" "$base" "$entry"
|
|
if [ -z "$cacheit" ]; then
|
|
rm -f "$ofile.elf"
|
|
fi
|
|
exit 0
|
|
;;
|
|
ps3)
|
|
# The ps3's loader supports loading a gzipped binary image from flash
|
|
# rom to ram addr zero. The loader then enters the system reset
|
|
# vector at addr 0x100. A bootwrapper overlay is used to arrange for
|
|
# a binary image of the kernel to be at addr zero, and yet have a
|
|
# suitable bootwrapper entry at 0x100. To construct the final rom
|
|
# image 512 bytes from offset 0x100 is copied to the bootwrapper
|
|
# place holder at symbol __system_reset_kernel. The 512 bytes of the
|
|
# bootwrapper entry code at symbol __system_reset_overlay is then
|
|
# copied to offset 0x100. At runtime the bootwrapper program copies
|
|
# the data at __system_reset_kernel back to addr 0x100.
|
|
|
|
system_reset_overlay=0x`${CROSS}nm "$ofile" \
|
|
| grep ' __system_reset_overlay$' \
|
|
| cut -d' ' -f1`
|
|
system_reset_overlay=`printf "%d" $system_reset_overlay`
|
|
system_reset_kernel=0x`${CROSS}nm "$ofile" \
|
|
| grep ' __system_reset_kernel$' \
|
|
| cut -d' ' -f1`
|
|
system_reset_kernel=`printf "%d" $system_reset_kernel`
|
|
overlay_dest="256"
|
|
overlay_size="512"
|
|
|
|
${CROSS}objcopy -O binary "$ofile" "$ofile.bin"
|
|
|
|
run_cmd dd if="$ofile.bin" of="$ofile.bin" conv=notrunc \
|
|
skip=$overlay_dest seek=$system_reset_kernel \
|
|
count=$overlay_size bs=1
|
|
|
|
run_cmd dd if="$ofile.bin" of="$ofile.bin" conv=notrunc \
|
|
skip=$system_reset_overlay seek=$overlay_dest \
|
|
count=$overlay_size bs=1
|
|
|
|
odir="$(dirname "$ofile.bin")"
|
|
rm -f "$odir/otheros.bld"
|
|
gzip -n --force -9 --stdout "$ofile.bin" > "$odir/otheros.bld"
|
|
;;
|
|
esac
|