Here is the bbappend for u-boot.

SRC_URI += "\
    file://0001-Add-MMC-boot-support.patch \
    file://0002-Add-MT41K128M16JT-125K-support.patch \
    file://0003-Remove-video-support.patch \
    file://0004-Ethernet-Use-ENET1.patch \
    file://0005-Rename-DTB-file-used-to-imx6ul-aveli.dtb.patch \
    file://0006-Add-PMIC-pf3001-support.patch \
    file://0007-Disable-I2C2.patch \
    file://0008-Add-USB-support-force-port-0-in-host-mode.patch \
    file://0009-Only-use-default-env-var-and-import-bootpart-from-sd.patch \
    file://0010-Add-bootcount-support.patch \
    file://0011-hab-auth-zimage.patch \
    file://0012-Load-uImage-and-DTB-present-at-mmc-address.patch \
    file://0013-Verify-DTB-signature.patch \
    file://0014-Add-active-passive-kernel-dtb-support.patch \
    file://0016-Enable-watchdog.patch \
"

FILESEXTRAPATHS_append := "${THISDIR}/${PN}"
UBOOT_MAKE_TARGET = ""
UBOOT_BINARY = "u-boot-ivt.img"
addtask sign_uboot before do_build after do_deploy
do_sign_uboot () {
    if [ -e ${CST_ROOT}/crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem ] ; then
        cd ${CST_ROOT}
        bash mkfinalimage.sh ${CST_ROOT} ${DEPLOYDIR} ${DEPLOY_DIR_IMAGE} ${SPL_BINARYNAME} ${UBOOT_IMAGE}
    else
        if [ ! -d ${CST_ROOT} ] ; then
            bberror "The CST Tool at path ${CST_ROOT} doesn't exist"
        fi
        bberror "The CST keys are not created yet"
    fi
}

mkfinalimage.sh creates the signed copy of SPL and u-boot.img using the Code Signing Tool from NXP.

I switched the UBOOT_BINARY variable to "u-boot-ivt.img" and u-boot compiled well. However, even if it boots for now, I'll have to test the signature check.


What I meant with my question was that I don't know if my do_sign task is redundant with compiling u-boot with SECURE_BOOT activated (which would sign the image, no?).


Sincerely,

Romain Bazile
/Hardware R&D Engineer/

www.ubiant.com <http://www.ubiant.com>

On 16/06/2017 at 17:04, Otavio Salvador wrote:
On Wed, Jun 14, 2017 at 1:45 PM, Romain Bazile <romain.baz...@ubiant.com> wrote:
...
We have in our bbappend a custom task, `sign_uboot`. This task uses the IMX
Code Signing Tool distributed by NXP to sign `u-boot.img` .


During the migration, I had a compilation problem. Basically, the build
system would complain that authenticate_image was an undefined reference.
When having a look at u-boot code, it seemed normal since it was not built
in the absence of `CONFIG_SECURE_BOOT`.
I added a patchfile changing this in `mx6ul_14x14_defconfig`, but now, a
different problem appears.

Basically, the do_compile task is failing when it tries to copy `u-boot.img`
(as defined in my bbappend `UBOOT_BINARY`). This is "normal", since this
file is not in the filesystem, and likely not built. However, I do have a
`u-boot-ivt.img` (but this file is supposed to be created at a later stage
by the task `sign_uboot`).

Also, just before, a couple of errors appear, where a script complains
about `bc` and `comm` not being found, except they are installed in the
build machine. This may not be related and not have consequences, I believe
this could be linked to the per-recipe sysroot.


Sorry for the long post, I can also share the details if needed (the task
`sign_uboot` and the scripts used to sign).

My questions are as follows:
Do I still need to use this custom script if I use `CONFIG_SECURE_BOOT`?
How can I ensure that u-boot-fslc will be correctly built?

Please share the patch so we can look how it is done...



-- 
_______________________________________________
meta-freescale mailing list
meta-freescale@yoctoproject.org
https://lists.yoctoproject.org/listinfo/meta-freescale
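
Added example (not part of the original thread, and not code from the poster or from NXP): a build-host check for the point raised in the reply above, that the signature on u-boot-ivt.img still has to be tested. It parses the HAB v4 Image Vector Table and reports whether a CSF block is actually attached where the IVT points; the sample image, its load address and the function names are constructed here, and the 4-byte-aligned scan for the IVT is an assumption about where it sits in the file.

```python
import struct
import sys

IVT_TAG, CSF_TAG, IVT_LEN = 0xD1, 0xD4, 0x20  # HAB v4 header tags, IVT size

def find_ivts(blob):
    """Yield file offsets that carry a HAB v4 IVT header (heuristic scan)."""
    for off in range(0, len(blob) - IVT_LEN + 1, 4):
        tag, length, ver = struct.unpack_from(">BHB", blob, off)
        if tag == IVT_TAG and length == IVT_LEN and ver & 0xF0 == 0x40:
            yield off

def check_ivt(blob, off):
    """Return (status, detail) for the IVT found at file offset off."""
    # Words after the header: entry, reserved, dcd, boot_data, self, csf, reserved
    _entry, _, _dcd, _boot, self_addr, csf, _ = struct.unpack_from("<7I", blob, off + 4)
    if csf == 0:
        return "unsigned", "CSF pointer is zero"
    csf_off = off + (csf - self_addr)  # map the load address back to a file offset
    if csf < self_addr or csf_off + 4 > len(blob):
        return "unsigned", "CSF pointer outside file"
    tag, length, _ver = struct.unpack_from(">BHB", blob, csf_off)
    if tag != CSF_TAG or length < 4:
        return "unsigned", "no CSF header at pointer"
    return "csf-present", f"CSF at file offset 0x{csf_off:x}, {length} bytes"

def audit(blob):
    """Check every IVT candidate; an empty list means no IVT was found."""
    return [(off, *check_ivt(blob, off)) for off in find_ivts(blob)]

def make_image(signed):
    """Constructed sample: 4 KiB payload + IVT + CSF area (not a real U-Boot)."""
    load = 0x87800000  # constructed load address
    self_addr = load + 0x1000
    ivt = struct.pack(">BHB", IVT_TAG, IVT_LEN, 0x40) + struct.pack(
        "<7I", load, 0, 0, 0, self_addr, self_addr + IVT_LEN, 0)
    csf = struct.pack(">BHB", CSF_TAG, 0x50, 0x40) + bytes(0x4C) if signed else bytes(0x50)
    return bytes(0x1000) + ivt + csf

if __name__ == "__main__":
    # With path arguments, audit those files; otherwise run on the samples.
    blobs = [open(p, "rb").read() for p in sys.argv[1:]] or [make_image(True), make_image(False)]
    for blob in blobs:
        for off, status, detail in audit(blob):
            print(f"IVT at 0x{off:x}: {status} ({detail})")
```

A csf-present result only shows that a CSF is attached to the image; whether HAB accepts it is decided on the target at boot.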
