This introduces a new task 'assemble_dtb' to handle the concatenation of U-Boot without DTB and the compiled U-Boot DTB while using CONFIG_OF_SEPARATE. Basically, this task merges the u-boot-nodtb.bin and the device tree blob using the 'cat' command and overrides the u-boot.bin file which is generated at the compilation step.
This task is intended to be used in the verified-boot image generation process after the kernel-fitimage class had appended a public key to the device tree blob. It is placed after the do_deploy and before the do_install tasks and it replaces the u-boot binaries in both deploy directory and build directory in order to minimize the changes in later tasks. Signed-off-by: Yannick Gicquel <[email protected]> --- meta/recipes-bsp/u-boot/u-boot-sign.inc | 21 +++++++++++++++++++++ meta/recipes-bsp/u-boot/u-boot.inc | 22 ++++++++++++++++++++++ 2 files changed, 43 insertions(+) create mode 100644 meta/recipes-bsp/u-boot/u-boot-sign.inc diff --git a/meta/recipes-bsp/u-boot/u-boot-sign.inc b/meta/recipes-bsp/u-boot/u-boot-sign.inc new file mode 100644 index 0000000..c88a2a1 --- /dev/null +++ b/meta/recipes-bsp/u-boot/u-boot-sign.inc @@ -0,0 +1,21 @@ +# This file is part of U-Boot verified boot support and is intended to be +# included from u-boot recipe and from kernel-fitimage.bbclass +# +# The signature procedure requires the user to generate an RSA key and +# certificate in a directory and to define the following variable: +# +# UBOOT_SIGN_KEYDIR = "/keys/directory" +# UBOOT_SIGN_KEYNAME = "dev" # keys name in keydir (eg. "dev.crt", "dev.key") +# UBOOT_SIGN_ENABLE = "1" +# +# The signature support is limited to the use of CONFIG_OF_SEPARATE in U-Boot. +# +# For more details, please refer to U-boot documentation. + +UBOOT_SIGN_ENABLE ?= "0" +UBOOT_DTB_IMAGE ?= "u-boot-${MACHINE}-${PV}-${PR}.dtb" +UBOOT_DTB_BINARY ?= "u-boot.dtb" +UBOOT_DTB_SYMLINK ?= "u-boot-${MACHINE}.dtb" +UBOOT_NODTB_IMAGE ?= "u-boot-nodtb-${MACHINE}-${PV}-${PR}.${UBOOT_SUFFIX}" +UBOOT_NODTB_BINARY ?= "u-boot-nodtb.${UBOOT_SUFFIX}" +UBOOT_NODTB_SYMLINK ?= "u-boot-nodtb-${MACHINE}.${UBOOT_SUFFIX}" diff --git a/meta/recipes-bsp/u-boot/u-boot.inc b/meta/recipes-bsp/u-boot/u-boot.inc index 3ba866d..29b0b95 100644 --- a/meta/recipes-bsp/u-boot/u-boot.inc +++ b/meta/recipes-bsp/u-boot/u-boot.inc @@ -65,6 +65,28 @@ UBOOT_ENV_BINARY ?= "${UBOOT_ENV}.${UBOOT_ENV_SUFFIX}" UBOOT_ENV_IMAGE ?= "${UBOOT_ENV}-${MACHINE}-${PV}-${PR}.${UBOOT_ENV_SUFFIX}" UBOOT_ENV_SYMLINK ?= "${UBOOT_ENV}-${MACHINE}.${UBOOT_ENV_SUFFIX}" +# The use of verified boot requires to share environment variables with kernel +# fitImage class as the mkimage call requires dtb filepath to append signature +# public key. +require u-boot-sign.inc + +do_assemble_dtb() { + # Concatenate U-Boot w/o DTB & DTB with public key + # (cf. kernel-fitimage.bbclass for more details) + cd ${DEPLOYDIR} + if [ "x${UBOOT_SIGN_ENABLE}" = "x1" ]; then + if [ -e "${UBOOT_NODTB_IMAGE}" -a -e "${UBOOT_DTB_IMAGE}" ]; then + cat ${UBOOT_NODTB_IMAGE} ${UBOOT_DTB_IMAGE} > ${UBOOT_IMAGE} + cat ${UBOOT_NODTB_IMAGE} ${UBOOT_DTB_IMAGE} > ${S}/${UBOOT_BINARY} + else + bbwarn "Failure while adding public key to u-boot binary. Verified boot won't be available." + fi + fi +} + +addtask assemble_dtb after do_deploy before do_install +do_assemble_dtb[depends] += "${@' ${PREFERRED_PROVIDER_virtual/kernel}:do_assemble_fitimage' if '${UBOOT_SIGN_ENABLE}' == '1' else ''}" + do_compile () { if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ld-is-gold', 'ld-is-gold', '', d)}" = "ld-is-gold" ] ; then sed -i 's/$(CROSS_COMPILE)ld$/$(CROSS_COMPILE)ld.bfd/g' config.mk -- 1.9.1 -- _______________________________________________ Openembedded-core mailing list [email protected] http://lists.openembedded.org/mailman/listinfo/openembedded-core
