On 10/16/2024 2:51 PM, Ryan Eatmon via lists.yoctoproject.org wrote:
On 10/14/2024 3:27 PM, Sergio Prado wrote:
Use weak assignment to make it possible to override the default
value via classes parsed after the machine configuration file.
This is the case when using the tdxref-signed class from
meta-toradex-security to generated signed images for AM6X.
Additionally, explicitly set FIT_SIGN_NUMBITS to 4096 to align with the
default rsa4096 algorithm, preventing potential mismatches between the
signing algorithm and key length.
Signed-off-by: Sergio Prado <[email protected]>
Signed-off-by: Rogerio Borin <[email protected]>
---
meta-ti-bsp/conf/machine/include/k3.inc | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/meta-ti-bsp/conf/machine/include/k3.inc
b/meta-ti-bsp/conf/machine/include/k3.inc
index a296f64fa141..07f0bcb48bfc 100644
--- a/meta-ti-bsp/conf/machine/include/k3.inc
+++ b/meta-ti-bsp/conf/machine/include/k3.inc
@@ -26,10 +26,11 @@ UBOOT_SUFFIX = "img"
UBOOT_SIGN_ENABLE = "1"
UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb"
-UBOOT_SIGN_KEYNAME ?= "custMpk"
-UBOOT_SIGN_KEYDIR ?= "${TI_SECURE_DEV_PKG}/keys"
-FIT_HASH_ALG ?= "sha512"
-FIT_SIGN_ALG ?= "rsa4096"
+UBOOT_SIGN_KEYNAME ??= "custMpk"
+UBOOT_SIGN_KEYDIR ??= "${TI_SECURE_DEV_PKG}/keys"
+FIT_HASH_ALG ??= "sha512"
+FIT_SIGN_ALG ??= "rsa4096"
+FIT_SIGN_NUMBITS ??= "4096"
These changes appear to break the build flow. Since the the only real
change is the addition of FIT_SIGN_NUMBITS, I'm going to assume that is
the culprit.
Signature written to
'<snip>/build/arago-tmp-default-glibc/work/am62axx_evm-oe-linux/u-boot-ti-staging/2024.04+git/build/fitImage-linux', node '/configurations/conf-ti_k3-v3link-imx219-0-2.dtbo/signature-1'
Public key written to 'u-boot.dtb', node '/signature/key-custMpk'
Signature check bad (error 1)
Verifying Hash Integrity for node 'conf-ti_k3-am62a7-sk.dtb'...
sha256,rsa2048:custMpk-
error!
Verification failed for '(null)' hash node in 'conf-ti_k3-am62a7-sk.dtb'
config node
Failed to verify required signature 'key-custMpk'
I think the issue is that the weak assignment happens at the very end of
parsing if there no other value for the variable. But the various
classes (kernel-fitimage.bbclass, uboot-sign.bbclass, etc...) set the
variables using the ?= so that means the values we want for our stuff
never gets set correctly.
I can see how this works for you in your case, but doing this in
meta-ti-bsp breaks everyone not using meta-tordex-security.
I'm not really sure the best solution for this. Should the tordex layer
be in final control of these variables and not allow overrides? Should
it not be using the ?= assignment and instead use the = assignment to
force the issue?
Denys,
Any ideas?
EXTRA_IMAGEDEPENDS += "virtual/bootloader"
--
Ryan Eatmon [email protected]
-----------------------------------------
Texas Instruments, Inc. - LCPD - MGTS
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#18008):
https://lists.yoctoproject.org/g/meta-ti/message/18008
Mute This Topic: https://lists.yoctoproject.org/mt/109009846/21656
Group Owner: [email protected]
Unsubscribe: https://lists.yoctoproject.org/g/meta-ti/unsub
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
