
[1/1] uboot-sign.bbclass: Break dependency loop in fitImage signing

Message ID 20240118151030.1781313-2-david.wretman@ferroamp.se
State New
Series uboot-sign: Break dependency loop in fitImage signing | expand

Commit Message

David Wretman Jan. 18, 2024, 3:10 p.m. UTC
This commit creates a dummy fitImage to feed to mkimage when adding the
public key to the U-Boot dtb, instead of using the Linux fitImage.
The dependency on Linux fitImage availability from U-Boot recipes can
then be removed, breaking a dependency loop created when trying to add
a boot script to a signed Linux fitImage.

Signed-off-by: David Wretman <david.wretman@ferroamp.se>
---
 meta/classes-recipe/uboot-sign.bbclass | 77 ++++++++++++++++++++------
 1 file changed, 61 insertions(+), 16 deletions(-)

Patch

diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass
index ad04c82378..e08ebda232 100644
--- a/meta/classes-recipe/uboot-sign.bbclass
+++ b/meta/classes-recipe/uboot-sign.bbclass
@@ -90,26 +90,75 @@  KERNEL_PN = "${PREFERRED_PROVIDER_virtual/kernel}"
 
 python() {
     # We need u-boot-tools-native if we're creating a U-Boot fitImage
-    sign = d.getVar('UBOOT_SIGN_ENABLE') == '1'
-    if d.getVar('UBOOT_FITIMAGE_ENABLE') == '1' or sign:
+    if d.getVar('UBOOT_FITIMAGE_ENABLE') == '1' or d.getVar('UBOOT_SIGN_ENABLE') == '1':
         d.appendVar('DEPENDS', " u-boot-tools-native dtc-native")
-    if sign:
-        d.appendVar('DEPENDS', " " + d.getVar('KERNEL_PN'))
 }
 
+# Create a dummy U-boot FIT and use that as input to mkimage when we want to
+# add the public key used to sign the Linux FIT to the U-Boot dtb.
+uboot_dtb_add_keys() {
+	# First we create an ITS script
+	cat << EOF > dummy.its
+/dts-v1/;
+
+/ {
+    description = "Dummy U-Boot its";
+
+    images {
+        uboot {
+            description = "U-Boot image";
+            data = /incbin/("${UBOOT_NODTB_BINARY}");
+            type = "standalone";
+            os = "u-boot";
+            arch = "${UBOOT_ARCH}";
+            compression = "none";
+            load = <${UBOOT_LOADADDRESS}>;
+            entry = <${UBOOT_ENTRYPOINT}>;
+            signature {
+                algo = "${FIT_HASH_ALG},${FIT_SIGN_ALG}";
+                key-name-hint = "${UBOOT_SIGN_KEYNAME}";
+            };
+        };
+    };
+
+    configurations {
+        default = "conf";
+        conf {
+            description = "Boot with signed U-Boot FIT";
+            loadables = "uboot";
+        };
+    };
+};
+EOF
+
+	#
+	# Assemble the Dummy FIT image
+	#
+	${UBOOT_MKIMAGE} \
+		${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
+		-f dummy.its \
+		dummy-fitImage
+
+	#
+	# Sign the Dummy FIT image to add public key to the U-Boot dtb
+	#
+	${UBOOT_MKIMAGE_SIGN} \
+		${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
+		-F -k "${UBOOT_SIGN_KEYDIR}" \
+		-K "${UBOOT_DTB_BINARY}" \
+		-r ${B}/dummy-fitImage \
+		${UBOOT_MKIMAGE_SIGN_ARGS}
+	cp ${UBOOT_DTB_BINARY} ${UBOOT_DTB_SIGNED}
+}
+
+
+
 concat_dtb() {
 	type="$1"
 	binary="$2"
 
 	if [ -e "${UBOOT_DTB_BINARY}" ]; then
-		# Re-sign the kernel in order to add the keys to our dtb
-		${UBOOT_MKIMAGE_SIGN} \
-			${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
-			-F -k "${UBOOT_SIGN_KEYDIR}" \
-			-K "${UBOOT_DTB_BINARY}" \
-			-r ${B}/fitImage-linux \
-			${UBOOT_MKIMAGE_SIGN_ARGS}
-		cp ${UBOOT_DTB_BINARY} ${UBOOT_DTB_SIGNED}
+		uboot_dtb_add_keys
 	fi
 
 	# If we're not using a signed u-boot fit, concatenate SPL w/o DTB & U-Boot DTB
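Review bot: In `dummy.its` the only `signature` node sits under `images/uboot` and `conf` carries none, so the `${UBOOT_MKIMAGE_SIGN} ... -K "${UBOOT_DTB_BINARY}" -r` call derives the key entry it writes into the U-Boot dtb from an image-level signature. mkimage sets a key's `required` mode (`"image"` or `"conf"`) from the kind of node it signed, so if the Linux fitImage that the removed code re-signed carries configuration signatures (not visible in this patch, please confirm), the dtb would now hold a key with a different enforcement mode than before, which changes what U-Boot verifies at boot. In that case the `signature` node belongs under `conf` (with a `sign-images` list) rather than under the image, and it would be worth comparing the `/signature` node of the resulting dtb (for example with `fdtdump`) against one produced by the old flow. Separately, the function writes `dummy.its` and `dummy-fitImage` relative to the current directory but signs `${B}/dummy-fitImage`; using `"${B}/dummy.its"` and `"${B}/dummy-fitImage"` throughout would remove the reliance on the working directory.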
@@ -336,10 +385,6 @@  uboot_assemble_fitimage_helper() {
 }
 
 do_uboot_assemble_fitimage() {
-	if [ "${UBOOT_SIGN_ENABLE}" = "1" ] ; then
-		cp "${STAGING_DIR_HOST}/sysroot-only/fitImage" "${B}/fitImage-linux"
-	fi
-
 	if [ -n "${UBOOT_CONFIG}" ]; then
 		unset i j k
 		for config in ${UBOOT_MACHINE}; do