
[meta-ti,master/kirkstone] conf: machine: include: k3 enable fit signing for uboot

Message ID 20230613-b4-internal-core-secdev-fit-v1-1-c344639b5be1@ti.com
State Accepted
Delegated to: Ryan Eatmon

Commit Message

Manorit Chawdhry June 14, 2023, 7:41 a.m. UTC
Enables FIT Image signing for K3 platforms

Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
---
 meta-ti-bsp/conf/machine/include/k3.inc                  | 7 +++++++
 meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_6.1.bb | 1 +
 2 files changed, 8 insertions(+)


---
base-commit: 02fb90c7972aa53ad6c3599a161ec62fd91d1efa
change-id: 20230613-b4-internal-core-secdev-fit-027b8db6a112

Best regards,

Comments

Ricardo Salveti June 14, 2023, 3:13 p.m. UTC | #1
On Wed, Jun 14, 2023 at 4:41 AM Manorit Chawdhry via
lists.yoctoproject.org <m-chawdhry=ti.com@lists.yoctoproject.org>
wrote:
>
> Enables FIT Image signing for K3 platforms
>
> Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
> ---
>  meta-ti-bsp/conf/machine/include/k3.inc                  | 7 +++++++
>  meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_6.1.bb | 1 +
>  2 files changed, 8 insertions(+)
>
> diff --git a/meta-ti-bsp/conf/machine/include/k3.inc b/meta-ti-bsp/conf/machine/include/k3.inc
> index f8bfb3dbcafc..eb25fa780407 100644
> --- a/meta-ti-bsp/conf/machine/include/k3.inc
> +++ b/meta-ti-bsp/conf/machine/include/k3.inc
> @@ -31,6 +31,13 @@ SPL_BINARY = "tispl.bin"
>  SPL_BINARYNAME = "tispl.bin"
>  UBOOT_SUFFIX = "img"
>
> +UBOOT_SIGN_ENABLE = "1"
> +UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb"
> +UBOOT_SIGN_KEYNAME ?= "custMpk"
> +UBOOT_SIGN_KEYDIR ?= "${TI_SECURE_DEV_PKG}/keys"

Did you verify that this won't cause a build failure when the key is
not available at runtime (e.g. users not defining TI_SECURE_DEV_PKG)?

Just because UBOOT_SIGN_ENABLE is being forced to 1.

Thanks,
Manorit Chawdhry June 15, 2023, 4:47 a.m. UTC | #2
Hi Ricardo,

On 12:13-20230614, Ricardo Salveti wrote:
> On Wed, Jun 14, 2023 at 4:41 AM Manorit Chawdhry via
> lists.yoctoproject.org <m-chawdhry=ti.com@lists.yoctoproject.org>
> wrote:
> >
> > Enables FIT Image signing for K3 platforms
> >
> > Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
> > ---
> >  meta-ti-bsp/conf/machine/include/k3.inc                  | 7 +++++++
> >  meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_6.1.bb | 1 +
> >  2 files changed, 8 insertions(+)
> >
> > diff --git a/meta-ti-bsp/conf/machine/include/k3.inc b/meta-ti-bsp/conf/machine/include/k3.inc
> > index f8bfb3dbcafc..eb25fa780407 100644
> > --- a/meta-ti-bsp/conf/machine/include/k3.inc
> > +++ b/meta-ti-bsp/conf/machine/include/k3.inc
> > @@ -31,6 +31,13 @@ SPL_BINARY = "tispl.bin"
> >  SPL_BINARYNAME = "tispl.bin"
> >  UBOOT_SUFFIX = "img"
> >
> > +UBOOT_SIGN_ENABLE = "1"
> > +UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb"
> > +UBOOT_SIGN_KEYNAME ?= "custMpk"
> > +UBOOT_SIGN_KEYDIR ?= "${TI_SECURE_DEV_PKG}/keys"
> 
> Did you verify that this won't cause a build failure when the key is
> not available at runtime (e.g. users not defining TI_SECURE_DEV_PKG)?
> 
> Just because UBOOT_SIGN_ENABLE is being forced to 1.
> 

TI_SECURE_DEV_PKG will always be set whenever we inherit ti-secdev
recipe and that is being done in the linux recipe in the same patch.
The kernel recipe internally uses this variable so no one should be
required to set this explicitly and the build had passed.

Though on the other hand, the build still passes even if we provide a
wrong folder if I understand correctly and the generated images don't
have the signature. Though I had validated this change on my local setup
and could see the things working as expected.

Regards,
Manorit

> Thanks,
> -- 
> Ricardo Salveti
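
A post-build check for the case raised in the reply above, where the build passes but the generated images carry no signature. This is an added example, not part of the thread or of meta-ti: it walks the FIT's flattened-device-tree structure and returns the signature nodes that actually hold a `value` property. The function names and the sample blob are constructed for illustration, and it assumes the usual mkimage layout in which signing adds `value` to each `signature-*` node.

```python
import struct
import sys

FDT_MAGIC = 0xD00DFEED
BEGIN_NODE, END_NODE, PROP, NOP, END = 1, 2, 3, 4, 9

def fit_signature_nodes(blob):
    """Paths of 'signature*' nodes in a FIT blob that hold a non-empty 'value'."""
    magic, _total, off_struct, off_strings = struct.unpack_from(">4I", blob, 0)
    if magic != FDT_MAGIC:
        raise ValueError("not a flattened device tree / FIT image")
    pos, path, signed = off_struct, [], []
    while True:
        (token,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        if token == BEGIN_NODE:
            end = blob.index(b"\0", pos)
            path.append(blob[pos:end].decode())
            pos = (end + 4) & ~3            # name + NUL, padded to 4 bytes
        elif token == END_NODE:
            path.pop()
        elif token == PROP:
            length, nameoff = struct.unpack_from(">2I", blob, pos)
            start = off_strings + nameoff
            name = blob[start:blob.index(b"\0", start)]
            if name == b"value" and length and path[-1].startswith("signature"):
                signed.append("/".join(path))
            pos = (pos + 8 + length + 3) & ~3
        elif token == END:
            return signed
        elif token != NOP:
            raise ValueError(f"unexpected FDT token {token:#x}")

def sample_fit(signed):
    """Constructed sample: /configurations/conf-1/signature-1, with or without 'value'."""
    strings = b"algo\0value\0"              # property-name offsets: algo=0, value=5
    pad = lambda b: b + b"\0" * (-len(b) % 4)
    node = lambda n: struct.pack(">I", BEGIN_NODE) + pad(n + b"\0")
    prop = lambda off, v: struct.pack(">3I", PROP, len(v), off) + pad(v)
    body = node(b"") + node(b"configurations") + node(b"conf-1") + node(b"signature-1")
    body += prop(0, b"sha512,rsa4096\0")
    if signed:
        body += prop(5, b"\xaa" * 512)      # placeholder bytes, not a real signature
    body += struct.pack(">5I", END_NODE, END_NODE, END_NODE, END_NODE, END)
    header = struct.pack(">10I", FDT_MAGIC, 56 + len(body) + len(strings), 56,
                         56 + len(body), 40, 17, 16, 0, len(strings), len(body))
    return header + b"\0" * 16 + body + strings   # 16 zero bytes: empty reserve map

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_fit(False)
    found = fit_signature_nodes(blob)
    print("signed nodes:", found or "none")
    sys.exit(0 if found else 1)
```

Run against a deployed FIT image, the script exits non-zero when no signature node carries a value, so it can gate a CI step after the image build.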

Patch

diff --git a/meta-ti-bsp/conf/machine/include/k3.inc b/meta-ti-bsp/conf/machine/include/k3.inc
index f8bfb3dbcafc..eb25fa780407 100644
--- a/meta-ti-bsp/conf/machine/include/k3.inc
+++ b/meta-ti-bsp/conf/machine/include/k3.inc
@@ -31,6 +31,13 @@  SPL_BINARY = "tispl.bin"
 SPL_BINARYNAME = "tispl.bin"
 UBOOT_SUFFIX = "img"
 
+UBOOT_SIGN_ENABLE = "1"
+UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb"
+UBOOT_SIGN_KEYNAME ?= "custMpk"
+UBOOT_SIGN_KEYDIR ?= "${TI_SECURE_DEV_PKG}/keys"
+FIT_HASH_ALG ?= "sha512"
+FIT_SIGN_ALG ?= "rsa4096"
+
 EXTRA_IMAGEDEPENDS += "virtual/bootloader"
 
 TFA_PLATFORM = "k3"
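Review bot: `UBOOT_SIGN_ENABLE = "1"` is a hard assignment in the machine include, while the key name, key directory and algorithms below it all use `?=`, so signing is switched on for every K3 build whether or not keys are present. `UBOOT_SIGN_KEYDIR` defaults to `${TI_SECURE_DEV_PKG}/keys`, but this file never sets `TI_SECURE_DEV_PKG`, and nothing in the hunk fails the build when that directory or the `custMpk` key is missing; the thread reports that a wrong folder still builds and yields images without a signature. Suggest `UBOOT_SIGN_ENABLE ?= "1"` plus a check that errors out when signing is enabled and the key cannot be found. `UBOOT_MKIMAGE_DTCOPTS` is also hard-assigned with no comment on why `-I dts -O dtb` is needed.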
diff --git a/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_6.1.bb b/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_6.1.bb
index 12ac61d18c6b..3e7e124a80f4 100644
--- a/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_6.1.bb
+++ b/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_6.1.bb
@@ -3,6 +3,7 @@  SUMMARY = "Linux kernel for TI devices"
 LICENSE = "GPL-2.0-only"
 LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
 
+inherit ti-secdev
 inherit kernel
 
 require recipes-kernel/linux/setup-defconfig.inc
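Review bot: `inherit ti-secdev` is added only to this one recipe, yet the `UBOOT_SIGN_KEYDIR` default in k3.inc expands `${TI_SECURE_DEV_PKG}` at machine scope, so any other recipe that reads the signing variables resolves the key directory without this class in place. Consider providing `TI_SECURE_DEV_PKG` at the same scope as the signing variables, or inheriting the class wherever they are consumed, and add a one-line comment stating what the inherit provides, since its placement ahead of `inherit kernel` is otherwise unexplained.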