On Fri, 2021-03-26 at 17:14 -0300, Klaus Heinrich Kiwi wrote:
> This patch series aims at extending U-Boot's verified boot support to
> also include SPL.
>
> Presently, setting UBOOT_SIGN_ENABLE instructs the classes uboot-sign
> and kernel-fitimage to create and sign a Linux Kernel fitImage. This
> proposal introduces the variables UBOOT_FITIMAGE_ENABLE and
> SPL_SIGN_ENABLE that will, respectively, create and sign a U-Boot
> (proper) fitImage that the SPL can load (and verify if enabled).
>
> In order to accomplish this, the first patch moves some of the necessary
> infrastructure (variables, functions) used to sign the Kernel
> fitImage to more common locations, and then essentially duplicates the
> method currently used to sign the Kernel fitImage to also sign the
> U-Boot fitImage.
>
> If the variable UBOOT_FITIMAGE_ENABLE = "1", the uboot-sign class will
> copy the SPL files (nodtb image and dtb file) from the u-boot recipe to
> the staging area, so that the Kernel recipe can then create the U-Boot
> fitImage.
>
> In case SPL_SIGN_ENABLE = "1", the U-Boot fitImage will be signed using
> the key provided by SPL_SIGN_KEYNAME / SPL_SIGN_KEYDIR, or will
> auto-generate keys based on UBOOT_FIT_HASH_ALG, UBOOT_FIT_SIGN_ALG and
> UBOOT_FIT_SIGN_NUMBITS if UBOOT_FIT_GENERATE_KEYS is "1".
>
> After the operations above, the Kernel recipe will deploy the (signed)
> U-Boot fitImage, the ITS script used to create it, as well as the SPL
> concatenated with the DTB containing the pubkey to the images directory.
>
> The reason why the U-Boot fitImage is created by the Kernel is in order
> to make sure that, when UBOOT_SIGN_ENABLE is set (and the Kernel
> fitImage is signed), the U-Boot fitImage being created/signed contains
> the pubkey used by the Kernel recipe to sign the Kernel fitImage.
>
> I added oe-selftest testcases and also tested this on upstream OpenBMC
> with AST2600 BMC devices.
>
> Signed-off-by: Klaus Heinrich Kiwi <[email protected]>
I've merged this. I wanted to say a big thanks for writing some test cases for these code paths. It should start to help a lot in this area in the future. I'm going to be asking that future fixes in this area add/improve test cases to cover issues too.

Cheers,

Richard
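For readers wanting to see how the variables named in the cover letter fit together, here is a local.conf fragment that enables the full SPL -> U-Boot -> kernel chain. It is an added illustration, not part of the patch series or of OE-core's own documentation. The variables UBOOT_SIGN_KEYDIR and UBOOT_SIGN_KEYNAME for the kernel fitImage key are assumed to exist from the pre-existing uboot-sign class; the key directory and key names are placeholders, and the algorithm values are illustrative choices rather than the class defaults.

```bitbake
# Added example (not from the patch series or OE-core): a local.conf fragment
# wiring up the verified-boot chain the cover letter describes.
# Placeholders: /path/to/keys, "kernel-key", "spl-key". Algorithm values are
# illustrative. UBOOT_SIGN_KEYDIR / UBOOT_SIGN_KEYNAME are assumed from the
# pre-existing uboot-sign class and are not named in the cover letter.

# Stage 3: kernel fitImage signed by uboot-sign / kernel-fitimage (existing behaviour).
UBOOT_SIGN_ENABLE = "1"
UBOOT_SIGN_KEYDIR = "/path/to/keys"
UBOOT_SIGN_KEYNAME = "kernel-key"

# Stage 2: have the kernel recipe build a U-Boot (proper) fitImage for the SPL to load.
# Building it in the kernel recipe is what lets it carry the pubkey matching the
# kernel fitImage signature above.
UBOOT_FITIMAGE_ENABLE = "1"

# Sign that U-Boot fitImage so the SPL can verify it before handing off.
SPL_SIGN_ENABLE = "1"
SPL_SIGN_KEYDIR = "/path/to/keys"
SPL_SIGN_KEYNAME = "spl-key"

# Algorithms used for the U-Boot fitImage signature (and for key generation, if enabled).
UBOOT_FIT_HASH_ALG = "sha256"
UBOOT_FIT_SIGN_ALG = "rsa2048"
UBOOT_FIT_SIGN_NUMBITS = "2048"

# "1" lets the build auto-generate the SPL signing key from the settings above,
# which is handy for bring-up and CI. The deployed SPL+DTB embeds whatever pubkey
# was used, so for production keep this at "0" and point SPL_SIGN_KEYDIR at a key
# you manage, otherwise the root of trust is a key that only ever lived on the
# build host.
UBOOT_FIT_GENERATE_KEYS = "0"
```

With these set, the images directory receives the signed U-Boot fitImage, the ITS used to build it, and the SPL concatenated with the DTB carrying the public key, exactly as the cover letter lists; a quick sanity check after a build is to confirm that the pubkey node in that deployed SPL DTB corresponds to the key named by SPL_SIGN_KEYNAME rather than to a throwaway generated one.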
View/Reply Online (#150240): https://lists.openembedded.org/g/openembedded-core/message/150240
