Re: [OE-core] [PATCH] kernel-fitimage: make signing failure fatal

Fri, 30 Aug 2024 19:22:35 -0700 

On Fri, Aug 30, 2024 at 4:22 PM A. Sverdlin via lists.openembedded.org
<[email protected]> wrote:

> From: Alexander Sverdlin <[email protected]>
>
> mkimage doesn't fail if it is not able to sign FIT nodes.
> This may lead to unbootable images in secure boot configurations.
> Make signing failures fatal by parsing the mkimage output.
>
> Signed-off-by: Alexander Sverdlin <[email protected]>
> ---
>  meta/classes-recipe/kernel-fitimage.bbclass | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/meta/classes-recipe/kernel-fitimage.bbclass
> b/meta/classes-recipe/kernel-fitimage.bbclass
> index 67c98adb232..fea9e4e19a7 100644
> --- a/meta/classes-recipe/kernel-fitimage.bbclass
> +++ b/meta/classes-recipe/kernel-fitimage.bbclass
> @@ -753,11 +753,15 @@ fitimage_assemble() {
>         # Step 8: Sign the image
>         #
>         if [ "x${UBOOT_SIGN_ENABLE}" = "x1" ] ; then
> -               ${UBOOT_MKIMAGE_SIGN} \
> +               output=$(${UBOOT_MKIMAGE_SIGN} \
>                         ${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if
> len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
>                         -F -k "${UBOOT_SIGN_KEYDIR}" \
>                         -r ${KERNEL_OUTPUT_DIR}/$2 \
> -                       ${UBOOT_MKIMAGE_SIGN_ARGS}
> +                       ${UBOOT_MKIMAGE_SIGN_ARGS})
> +               echo "$output"
> +               if echo "$output" | grep -qE "Sign value:\s*unavailable";
> then
> +                       bbfatal "${UBOOT_MKIMAGE_SIGN}: Failed to provide
> some signatures"
>
Since you have the specific information available in the log, it should
either
be output as part of the fatal message, or the message should point to the
log file location.

Bruce



> +               fi
>         fi
>  }
>
> --
> 2.46.0
>
>
> 
>
>

-- 
- Thou shalt not follow the NULL pointer, for chaos and madness await thee
at its end
- "Use the force Harry" - Gandalf, Star Trek II

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#203974): 
https://lists.openembedded.org/g/openembedded-core/message/203974
Mute This Topic: https://lists.openembedded.org/mt/108186299/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to