On Tue Jan 14, 2025 at 2:01 AM CET, Marek Vasut via lists.openembedded.org
wrote:
> In case both UBOOT_SIGN_ENABLE and UBOOT_ENV are enabled and
> kernel-fitimage.bbclass is in use to generate signed kernel
> fitImage, there is a circular dependency between uboot-sign
> and kernel-fitimage bbclasses . The loop looks like this:
>
> kernel-fitimage.bbclass:
> - do_populate_sysroot depends on do_assemble_fitimage
> - do_assemble_fitimage depends on virtual/bootloader:do_populate_sysroot
> - virtual/bootloader:do_populate_sysroot depends on
> virtual/bootloader:do_install
> => The virtual/bootloader:do_install installs and the
> virtual/bootloader:do_populate_sysroot places into
> sysroot an U-Boot environment script embedded into
> kernel fitImage during do_assemble_fitimage run .
>
> uboot-sign.bbclass:
> - DEPENDS on KERNEL_PN, which is really virtual/kernel. More accurately
> - do_deploy depends on do_uboot_assemble_fitimage
> - do_install depends on do_uboot_assemble_fitimage
> - do_uboot_assemble_fitimage depends on virtual/kernel:do_populate_sysroot
> => do_install depends on virtual/kernel:do_populate_sysroot
>
> => virtual/bootloader:do_install depends on virtual/kernel:do_populate_sysroot
> virtual/kernel:do_populate_sysroot depends on virtual/bootloader:do_install
>
> Attempt to resolve the loop. Pull fitimage_assemble() into separate new
> bbclass
> kernel-fitimage-its.bbclass and split fitimage_assemble() into two functions,
> fitimage_assemble_its() to generate the fit-image.its and
> fitimage_assemble_itb()
> to run mkimage on fit-image.its and produce the final fitImage-none fitImage.
>
> Inherit kernel-fitimage-its.bbclass in uboot-sign.bbclass and use these two
> new functions to generate a dummy signed fitImage which, instead of containing
> any meaningful blobs as payloads contains a dummy u-boot.dtb as payload for
> every single blob included in the fitImage. The placement of signature {}
> nodes in this dummy signed fitImage exactly matches the final signed kernel
> fitImage, which is very important.
>
> The follow up mkimage invocation which inserts public key material into
> u-boot.dtb /signature {} node does not care about the content of the dummy
> signed fitImage blobs, that mkimage invocation only cares about the placement
> of signature {} nodes in that dummy signed fitImage. That mkimage invocation
> uses the placement of these signature {} nodes to construct u-boot.dtb
> /signature/<key> 'required' property content, which is used by U-Boot
> when authenticating blobs in the fitImage using the public <key> that
> was currently inserted into the u-boot.dtb by mkimage .
>
> Fixes: 5e12dc911d0c ("u-boot: Rework signing to remove interdependencies")
> Signed-off-by: Marek Vasut <[email protected]>
> ---
Hi Marek,
I believe this patch is breaking the oe-selftests on the autobuilder,
with the following error:
ERROR: linux-yocto-6.12.9+git-r0 do_assemble_fitimage: Execution of
'/srv/pokybuild/yocto-worker/oe-selftest-fedora/build/build-st-844261/tmp/work/qemux86_64-poky-linux/linux-yocto/6.12.9+git/temp/run.do_assemble_fitimage.1950022'
failed with exit code 127
ERROR: Logfile of failure stored in:
/srv/pokybuild/yocto-worker/oe-selftest-fedora/build/build-st-844261/tmp/work/qemux86_64-poky-linux/linux-yocto/6.12.9+git/temp/log.do_assemble_fitimage.1950022
Log data follows:
| DEBUG: Executing shell function do_assemble_fitimage
|
/srv/pokybuild/yocto-worker/oe-selftest-fedora/build/build-st-844261/tmp/work/qemux86_64-poky-linux/linux-yocto/6.12.9+git/temp/run.do_assemble_fitimage.1950022:
line 150: fitimage_assemble: command not found
| WARNING:
/srv/pokybuild/yocto-worker/oe-selftest-fedora/build/build-st-844261/tmp/work/qemux86_64-poky-linux/linux-yocto/6.12.9+git/temp/run.do_assemble_fitimage.1950022:150
exit 127 from 'fitimage_assemble fit-image.its fitImage-none ""'
| WARNING: Backtrace (BB generated script):
| #1: do_assemble_fitimage,
/srv/pokybuild/yocto-worker/oe-selftest-fedora/build/build-st-844261/tmp/work/qemux86_64-poky-linux/linux-yocto/6.12.9+git/temp/run.do_assemble_fitimage.1950022,
line 150
| #2: main,
/srv/pokybuild/yocto-worker/oe-selftest-fedora/build/build-st-844261/tmp/work/qemux86_64-poky-linux/linux-yocto/6.12.9+git/temp/run.do_assemble_fitimage.1950022,
line 157
NOTE: recipe linux-yocto-6.12.9+git-r0: task do_assemble_fitimage: Failed
https://valkyrie.yoctoproject.org/#/builders/48/builds/726/steps/14/logs/stdio
Can you have a look at this issue please ?
--
Mathieu Dubois-Briand, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#209784):
https://lists.openembedded.org/g/openembedded-core/message/209784
Mute This Topic: https://lists.openembedded.org/mt/110600041/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
