From: Adrian Freihofer <[email protected]>

mkimage's -K flag injects the public key into the DTB in-place. When
the signing target is the compile-output file (spl/u-boot-spl.dtb),
each test run accumulates key nodes from all previous runs in the same
work directory. With SPL_SIGN_CONF=1 every injected key carries
required = "conf", so mkimage requires ALL of them to have signed the
configuration. When a subsequent test uses a different key only its own
key signed the FIT, causing the verification to fail with:

  Failed to verify required signature 'key-<previous-keyname>'

Fix this by copying the compile-output DTB to SPL_DTB_SIGNED first and
passing the copy as the -K target. The original spl/u-boot-spl.dtb is
never modified, so each build starts from a clean state regardless of
how many times the task has been run.

Signed-off-by: Adrian Freihofer <[email protected]>
---
 meta/classes-recipe/uboot-sign.bbclass | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/meta/classes-recipe/uboot-sign.bbclass 
b/meta/classes-recipe/uboot-sign.bbclass
index 9cb5c6ccf3..2b10e71730 100644
--- a/meta/classes-recipe/uboot-sign.bbclass
+++ b/meta/classes-recipe/uboot-sign.bbclass
@@ -472,21 +472,25 @@ EOF
        if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
                if [ -n "${SPL_DTB_BINARY}" ] ; then
                        #
-                       # Sign the U-boot FIT image and add public key to SPL 
dtb
+                       # Sign the U-boot FIT image and add public key to SPL 
dtb.
+                       # Work on a copy of the DTB so that the compile output 
is
+                       # never modified in-place.  Without this, sequential 
test
+                       # runs that reuse the same work directory accumulate 
public
+                       # key nodes from previous runs, causing mkimage to 
require
+                       # all of them when verifying the conf signature.
                        #
+                       cp ${SPL_DIR}/${SPL_DTB_BINARY} 
${SPL_DIR}/${SPL_DTB_SIGNED}
                        ${UBOOT_MKIMAGE_SIGN} \
                                ${@'-D "${SPL_MKIMAGE_DTCOPTS}"' if 
len('${SPL_MKIMAGE_DTCOPTS}') else ''} \
                                -F -k "${SPL_SIGN_KEYDIR}" \
-                               -K "${SPL_DIR}/${SPL_DTB_BINARY}" \
+                               -K "${SPL_DIR}/${SPL_DTB_SIGNED}" \
                                -r ${UBOOT_FITIMAGE_BINARY} \
                                ${SPL_MKIMAGE_SIGN_ARGS}
 
                        # Verify the U-boot FIT image and SPL dtb
                        ${UBOOT_FIT_CHECK_SIGN} \
-                               -k "${SPL_DIR}/${SPL_DTB_BINARY}" \
+                               -k "${SPL_DIR}/${SPL_DTB_SIGNED}" \
                                -f ${UBOOT_FITIMAGE_BINARY}
-
-                       cp ${SPL_DIR}/${SPL_DTB_BINARY} 
${SPL_DIR}/${SPL_DTB_SIGNED}
                else
                        # Sign the U-boot FIT image
                        ${UBOOT_MKIMAGE_SIGN} \
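
Review bot: The added `cp ${SPL_DIR}/${SPL_DTB_BINARY} ${SPL_DIR}/${SPL_DTB_SIGNED}` line leaves both paths unquoted, while the `-K` and `-k` arguments further down in the same block quote the identical `${SPL_DIR}/${SPL_DTB_SIGNED}` path; quoting the cp operands would keep the block consistent and safe against paths containing whitespace. The new comment speaks of "sequential test runs", but the accumulation it describes follows from any re-execution of this signing step in the same work directory, so wording it in terms of task re-runs would describe the problem more accurately. Because the public key is now injected only into the copy and the verify step reads `-k "${SPL_DIR}/${SPL_DTB_SIGNED}"`, it is worth confirming that every later consumer that needs the key-bearing DTB uses SPL_DTB_SIGNED rather than SPL_DTB_BINARY, since the latter no longer carries any key node.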
-- 
2.54.0
