On Wed, Oct 16, 2024 at 04:35:17PM -0500, Ryan Eatmon via lists.yoctoproject.org wrote:
>
>
> On 10/16/2024 2:51 PM, Ryan Eatmon via lists.yoctoproject.org wrote:
> >
> >
> >On 10/14/2024 3:27 PM, Sergio Prado wrote:
> >>Use weak assignment to make it possible to override the default
> >>value via classes parsed after the machine configuration file.
> >>
> >>This is the case when using the tdxref-signed class from
> >>meta-toradex-security to generate signed images for AM6X.
> >>
> >>Additionally, explicitly set FIT_SIGN_NUMBITS to 4096 to align with the
> >>default rsa4096 algorithm, preventing potential mismatches between the
> >>signing algorithm and key length.
> >>
> >>Signed-off-by: Sergio Prado <[email protected]>
> >>Signed-off-by: Rogerio Borin <[email protected]>
> >>--- > >> meta-ti-bsp/conf/machine/include/k3.inc | 9 +++++---- > >> 1 file changed, 5 insertions(+), 4 deletions(-) > >> > >>diff --git a/meta-ti-bsp/conf/machine/include/k3.inc > >>b/meta-ti-bsp/conf/machine/include/k3.inc > >>index a296f64fa141..07f0bcb48bfc 100644 > >>--- a/meta-ti-bsp/conf/machine/include/k3.inc > >>+++ b/meta-ti-bsp/conf/machine/include/k3.inc
> >>@@ -26,10 +26,11 @@ UBOOT_SUFFIX = "img" > >> UBOOT_SIGN_ENABLE = "1" > >> UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb" > >>-UBOOT_SIGN_KEYNAME ?= "custMpk" > >>-UBOOT_SIGN_KEYDIR ?= "${TI_SECURE_DEV_PKG}/keys" > >>-FIT_HASH_ALG ?= "sha512" > >>-FIT_SIGN_ALG ?= "rsa4096" > >>+UBOOT_SIGN_KEYNAME ??= "custMpk" > >>+UBOOT_SIGN_KEYDIR ??= "${TI_SECURE_DEV_PKG}/keys" > >>+FIT_HASH_ALG ??= "sha512" > >>+FIT_SIGN_ALG ??= "rsa4096" > >>+FIT_SIGN_NUMBITS ??= "4096"
> >
> >These changes appear to break the build flow. Since the only
> >real change is the addition of FIT_SIGN_NUMBITS, I'm going to
> >assume that is the culprit.
> >
> >Signature written to
> >'<snip>/build/arago-tmp-default-glibc/work/am62axx_evm-oe-linux/u-boot-ti-staging/2024.04+git/build/fitImage-linux',
> >node
> >'/configurations/conf-ti_k3-v3link-imx219-0-2.dtbo/signature-1'
> >Public key written to 'u-boot.dtb', node '/signature/key-custMpk'
> >Signature check bad (error 1)
> >Verifying Hash Integrity for node 'conf-ti_k3-am62a7-sk.dtb'...
> >sha256,rsa2048:custMpk-
> > error!
> >Verification failed for '(null)' hash node in
> >'conf-ti_k3-am62a7-sk.dtb' config node
> >Failed to verify required signature 'key-custMpk'
>
> I think the issue is that the weak assignment happens at the very
> end of parsing if there is no other value for the variable. But the
> various classes (kernel-fitimage.bbclass, uboot-sign.bbclass,
> etc...) set the variables using the ?= so that means the values we
> want for our stuff never get set correctly.
>
> I can see how this works for you in your case, but doing this in
> meta-ti-bsp breaks everyone not using meta-toradex-security.
>
> I'm not really sure the best solution for this. Should the toradex
> layer be in final control of these variables and not allow
> overrides? Should it not be using the ?= assignment and instead use
> the = assignment to force the issue?
>
> Denys,
> Any ideas?
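
Review bot: changing `?=` to `??=` on UBOOT_SIGN_KEYNAME, UBOOT_SIGN_KEYDIR, FIT_HASH_ALG and FIT_SIGN_ALG gives up these machine defaults to any later-parsed class that assigns the same variables with `?=`, because a `??=` value is applied only if the variable is still unset at the end of parsing. For builds without the downstream class this silently changes the signing parameters instead of keeping sha512/rsa4096, which matches the `sha256,rsa2048:custMpk` verification failure reported above. Suggest keeping `?=` on the four existing lines, adding the new default as `FIT_SIGN_NUMBITS ?= "4096"`, and having the downstream layer change the values through a machine or SoC override. The commit message should also say which configurations were build-tested, since only the tdxref-signed case is mentioned.
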
Yeah, I had my suspicions about the patch, so not surprised by your confirmation.

I'd suggest using machine or SoC overrides in toradex layer to change the defaults set in meta-ti k3.inc

-- 
Denys
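
The precedence problem Ryan describes and the override route Denys suggests, as an added example that is not part of the original thread and not BitBake's own code: a minimal Python model of `=`, `?=`, `??=` and override-qualified assignments evaluated in parse order. The class fragment is a constructed stand-in whose values are taken from the failing log, and the `k3` override name and `example-key` value are assumptions.

```python
import re

# VAR[:override] OP "value", with OP one of =, ?=, ??=
LINE = re.compile(r'^(\w+)(?::(\w+))?\s*(\?\?=|\?=|=)\s*"(.*)"$')

def parse(fragments, overrides=()):
    """Evaluate conf fragments in parse order and return the final values."""
    values, weak, forced = {}, {}, {}
    for text in fragments:
        for raw in text.splitlines():
            m = LINE.match(raw.strip())
            if not m:
                continue
            var, ovr, op, val = m.groups()
            if ovr:                      # VAR:ovr = "x" (only "=" is modelled)
                if ovr in overrides:
                    forced[var] = val
            elif op == "=":
                values[var] = val
            elif op == "?=":             # immediate: takes effect if unset now
                values.setdefault(var, val)
            else:                        # ??=: remembered, the last one wins
                weak[var] = val
    for var, val in weak.items():        # weak defaults fill what is still unset
        values.setdefault(var, val)
    values.update(forced)                # active overrides replace the base value
    return values

# k3.inc defaults as they stood before the patch (from the removed lines).
K3_BEFORE = '''
UBOOT_SIGN_KEYNAME ?= "custMpk"
FIT_HASH_ALG ?= "sha512"
FIT_SIGN_ALG ?= "rsa4096"
'''
K3_PATCHED = K3_BEFORE.replace(" ?= ", " ??= ")   # the patch's ??= form

# Constructed stand-in for a class parsed after the machine configuration.
CLASS = '''
FIT_HASH_ALG ?= "sha256"
FIT_SIGN_ALG ?= "rsa2048"
'''
# Constructed downstream-layer line; "k3" and "example-key" are assumptions.
DOWNSTREAM = 'UBOOT_SIGN_KEYNAME:k3 = "example-key"'

def signing(cfg):
    return cfg["FIT_HASH_ALG"], cfg["FIT_SIGN_ALG"], cfg["UBOOT_SIGN_KEYNAME"]

if __name__ == "__main__":
    print("before :", signing(parse([K3_BEFORE, CLASS])))
    print("patched:", signing(parse([K3_PATCHED, CLASS])))
    print("ovr    :", signing(parse([K3_BEFORE, CLASS, DOWNSTREAM], ("k3",))))
```

With the `??=` form the class values win and the image is signed with weaker parameters than the machine file intends, while the override line changes only the variable it names.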
