On 1/14/25 9:52 AM, Mathieu Dubois-Briand wrote:
On Tue Jan 14, 2025 at 2:01 AM CET, Marek Vasut via lists.openembedded.org wrote:
In case both UBOOT_SIGN_ENABLE and UBOOT_ENV are enabled and
kernel-fitimage.bbclass is in use to generate signed kernel
fitImage, there is a circular dependency between uboot-sign
and kernel-fitimage bbclasses. The loop looks like this:
kernel-fitimage.bbclass:
- do_populate_sysroot depends on do_assemble_fitimage
- do_assemble_fitimage depends on virtual/bootloader:do_populate_sysroot
- virtual/bootloader:do_populate_sysroot depends on
virtual/bootloader:do_install
=> The virtual/bootloader:do_install installs and the
virtual/bootloader:do_populate_sysroot places into
sysroot an U-Boot environment script embedded into
kernel fitImage during do_assemble_fitimage run.
uboot-sign.bbclass:
- DEPENDS on KERNEL_PN, which is really virtual/kernel. More accurately
- do_deploy depends on do_uboot_assemble_fitimage
- do_install depends on do_uboot_assemble_fitimage
- do_uboot_assemble_fitimage depends on virtual/kernel:do_populate_sysroot
=> do_install depends on virtual/kernel:do_populate_sysroot
=> virtual/bootloader:do_install depends on virtual/kernel:do_populate_sysroot
virtual/kernel:do_populate_sysroot depends on virtual/bootloader:do_install
Attempt to resolve the loop. Pull fitimage_assemble() into separate new bbclass
kernel-fitimage-its.bbclass and split fitimage_assemble() into two functions,
fitimage_assemble_its() to generate the fit-image.its and
fitimage_assemble_itb() to run mkimage on fit-image.its and produce the
final fitImage-none fitImage.
Inherit kernel-fitimage-its.bbclass in uboot-sign.bbclass and use these two
new functions to generate a dummy signed fitImage which, instead of containing
any meaningful blobs as payloads contains a dummy u-boot.dtb as payload for
every single blob included in the fitImage. The placement of signature {}
nodes in this dummy signed fitImage exactly matches the final signed kernel
fitImage, which is very important.
The follow up mkimage invocation which inserts public key material into
u-boot.dtb /signature {} node does not care about the content of the dummy
signed fitImage blobs, that mkimage invocation only cares about the placement
of signature {} nodes in that dummy signed fitImage. That mkimage invocation
uses the placement of these signature {} nodes to construct u-boot.dtb
/signature/<key> 'required' property content, which is used by U-Boot
when authenticating blobs in the fitImage using the public <key> that
was currently inserted into the u-boot.dtb by mkimage.
Fixes: 5e12dc911d0c ("u-boot: Rework signing to remove interdependencies")
Signed-off-by: Marek Vasut <[email protected]>
---
Hi Marek,
I believe this patch is breaking the oe-selftests on the autobuilder,
with the following error:
ERROR: linux-yocto-6.12.9+git-r0 do_assemble_fitimage: Execution of '/srv/pokybuild/yocto-worker/oe-selftest-fedora/build/build-st-844261/tmp/work/qemux86_64-poky-linux/linux-yocto/6.12.9+git/temp/run.do_assemble_fitimage.1950022' failed with exit code 127
ERROR: Logfile of failure stored in: /srv/pokybuild/yocto-worker/oe-selftest-fedora/build/build-st-844261/tmp/work/qemux86_64-poky-linux/linux-yocto/6.12.9+git/temp/log.do_assemble_fitimage.1950022
Log data follows:
| DEBUG: Executing shell function do_assemble_fitimage
| /srv/pokybuild/yocto-worker/oe-selftest-fedora/build/build-st-844261/tmp/work/qemux86_64-poky-linux/linux-yocto/6.12.9+git/temp/run.do_assemble_fitimage.1950022: line 150: fitimage_assemble: command not found
| WARNING: /srv/pokybuild/yocto-worker/oe-selftest-fedora/build/build-st-844261/tmp/work/qemux86_64-poky-linux/linux-yocto/6.12.9+git/temp/run.do_assemble_fitimage.1950022:150 exit 127 from 'fitimage_assemble fit-image.its fitImage-none ""'
| WARNING: Backtrace (BB generated script):
| #1: do_assemble_fitimage, /srv/pokybuild/yocto-worker/oe-selftest-fedora/build/build-st-844261/tmp/work/qemux86_64-poky-linux/linux-yocto/6.12.9+git/temp/run.do_assemble_fitimage.1950022, line 150
| #2: main, /srv/pokybuild/yocto-worker/oe-selftest-fedora/build/build-st-844261/tmp/work/qemux86_64-poky-linux/linux-yocto/6.12.9+git/temp/run.do_assemble_fitimage.1950022, line 157
NOTE: recipe linux-yocto-6.12.9+git-r0: task do_assemble_fitimage: Failed
https://valkyrie.yoctoproject.org/#/builders/48/builds/726/steps/14/logs/stdio
Can you have a look at this issue please?
Hopefully fixed in V4, in an even better way.
View/Reply Online (#210009):
https://lists.openembedded.org/g/openembedded-core/message/210009
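The dependency loop described in the quoted commit message can be reproduced mechanically. The following is an added example, not code from the patch or from OpenEmbedded: it encodes the task edges listed in the commit message and walks them to print the cycle. The helper without_kernel_dep() is hypothetical and rests on the assumption that, once uboot-sign generates its own dummy signed fitImage, do_uboot_assemble_fitimage no longer depends on virtual/kernel:do_populate_sysroot.

```python
# Added example: edges transcribed from the commit message above.
# edges[A] lists the tasks that A depends on.
KERNEL = "virtual/kernel"
BOOT = "virtual/bootloader"

EDGES = {
    # kernel-fitimage.bbclass
    f"{KERNEL}:do_populate_sysroot": [f"{KERNEL}:do_assemble_fitimage"],
    f"{KERNEL}:do_assemble_fitimage": [f"{BOOT}:do_populate_sysroot"],
    f"{BOOT}:do_populate_sysroot": [f"{BOOT}:do_install"],
    # uboot-sign.bbclass
    f"{BOOT}:do_deploy": [f"{BOOT}:do_uboot_assemble_fitimage"],
    f"{BOOT}:do_install": [f"{BOOT}:do_uboot_assemble_fitimage"],
    f"{BOOT}:do_uboot_assemble_fitimage": [f"{KERNEL}:do_populate_sysroot"],
}


def find_cycle(edges):
    """Return one dependency cycle as a task list, or None if acyclic."""
    done, path = set(), []

    def visit(task):
        if task in path:                      # back edge: cycle found
            return path[path.index(task):] + [task]
        if task in done:
            return None
        path.append(task)
        for dep in edges.get(task, []):
            cycle = visit(dep)
            if cycle:
                return cycle
        path.pop()
        done.add(task)
        return None

    for task in edges:
        cycle = visit(task)
        if cycle:
            return cycle
    return None


def without_kernel_dep(edges):
    """Assumption: after the patch, uboot-sign signs its own dummy fitImage
    and no longer needs virtual/kernel:do_populate_sysroot."""
    return {**edges, f"{BOOT}:do_uboot_assemble_fitimage": []}


if __name__ == "__main__":
    print(" -> ".join(find_cycle(EDGES)))
```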