Commit 60774248a5 solves issues when i or j
have been set in other shell functions.
Since j is not unset after the inner loop, the image will only be copied
for the first configuration.
Unsetting i and j after the loops also prevents index issues in other functions.
(From OE-Core rev: f6de96c9fa8d0b6c81c32016f342ad93c8940d9e)
Signed-off-by: Florian Amstutz <florian.amstutz@scs.ch>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
When generating our SPL-verifying certificate, we use FIT_KEY_REQ_ARGS,
which is intended for the U-Boot-verifying certificate. Instead, use
UBOOT_FIT_KEY_REQ_ARGS.
Fixes: 0e6b0fefa0 ("u-boot: Use a different Key for SPL signing")
(From OE-Core rev: a066246170af979b29945c45b436228f5dbba121)
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit a2d939ccb182a1ad29280d236b9f9e1d09527af1)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This allows choosing padding algorithm when building fitImage. It may be pkcs-1.5 or pss.
(From OE-Core rev: 149f61eef11b2e1e20aabed7054df237272ad7f4)
Signed-off-by: LUIS ENRIQUEZ <luis.enriquez@se.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 29d5336c728b28890bbaadebf0ccff00ad90a64d)
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The condition for calling install_spl_helper when compiling multiple
configs does not match the condition for a single config. This causes
compilation failures when ${UBOOT_FITIMAGE_ENABLE} is 1 but
${SPL_SIGN_ENABLE} is not.
Fixes: 5af4dfe83c2 ("u-boot: Add infrastructure to SPL verified boot")
(From OE-Core rev: 7dc155961649c022d33cf7c6a5155cdfa5dc2969)
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Some BSPs, especially those of meta-freescale and meta-ti allow to build U-Boot
binaries using different configuration for a given target, for example:
- UBOOT_CONFIG ??= "tfa-secure-boot tfa"
- UBOOT_CONFIG ??= "nand sdcard spi nor"
When this is the case the public key wasn't concatenated to all U-Boot binaries
built.
(From OE-Core rev: dfd71ae3d102f3010c6117d774e9739a322930f6)
Signed-off-by: Thomas Perrot <thomas.perrot@bootlin.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
- use bash variable notation without {} where possible
- just to make sure it looks like bash variable not bitbake variable one
- fix indent style in "cat" commands
- replace "! -z" -> "-n"
- make debug info in ramdisk section creation more verbose
(From OE-Core rev: f44bb458884da64356ee188917094b5515d3b159)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is the result of automated script conversion:
scripts/contrib/convert-overrides.py <oe-core directory>
converting the metadata to use ":" as the override character instead of "_".
(From OE-Core rev: 42344347be29f0997cc2f7636d9603b1fe1875ae)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
A "install -d" command is missing when dealing with
${UBOOT_NODTB_BINARY} in install_spl_helper function, this can lead
to invalid install error saying:
| install: cannot create .../usr/share/u-boot-nodtb-2021.04-r0.bin': No such file or directory
Let's drop all "install -d" and replace them with "install -Dm" in
install_helper/install_spl_helper functions.
(From OE-Core rev: db2b1da511ea3d4daef136a8b1d85b7040a46632)
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Currently generate_rsa_keys tasks are being executed parallelly in
kernel and uboot's task list, and both of them are calling openssl to
generate rsa keys in same path, this can lead to race condition.
Let's split it to kernel_generate_rsa_keys and uboot_generate_rsa_keys.
(From OE-Core rev: 36814f5467c9abd84aeb05916b4fd49f766f4f9f)
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* The kernel-fitimage class adds a do_assemble_fitimage_initramfs task
regardless of INITRAMFS_IMAGE_BUNDLE setting, which in some cases can
result in that task running after do_uboot_assemble_fitimage and
overwriting the u-boot-spl.dtb file with the pristine version (without
public key). Fix this by making do_uboot_assemble_fitimage dependant
on both do_assemble_fitimage_* tasks, regardless of the aforementioned
setting.
* Adjust 'type' and 'os' on the U-boot fitimage its script so that
mkimage/dumpimage can recognize them.
* Move the deployment of the u-boot-spl-nodtb files outside of
concat_spl_dtb_helper(), so that we can better isolate the scenarios
of creating an (unsigned) U-Boot fitimage versus also signing it. This
prevents some stale files from being deployed in the images directory.
* Remove any u-boot-fitImage and u-boot-its files from build tree, in
case the build tree is being reused across bitbake calls.
(From OE-Core rev: dc26d35e0935f30af55a3d2cb5c501d1b5c35437)
Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Duplicate the variables governing u-boot signing so that we can have a
different set of keys/parameters signing the SPL.
(From OE-Core rev: 0e6b0fefa02356afeb11a32dfee7f0c7c250ab7f)
Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add the necessary infrastructure to create a U-boot proper fitimage,
sign it (using the same keys as the kernel-fitimage), and put the public
key in the SPL binary so that verified SPL boot can be accomplished.
(From OE-Core rev: 5af4dfe83c2f6509015916262be32fc09bc9714d)
Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Move some definitions from u-boot.inc into uboot-config.bbclass and
similarly from kernel-fitimage.bbclass into uboot-sign.bbclass, so that
they can be useful when signing the U-boot proper fitimage, for a
verified-boot SPL.
(From OE-Core rev: cc6c3e31526d3b6ef3a87ba5e548fcad7483bd51)
Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Some image recipes uses ${DEPLOY_DIR_IMAGE}/${UBOOT_BINARY} to create
their images. Force the re-creation of those symlinks pointing to the
u-boot-fitImage in case UBOOT_FITIMAGE_ENABLE is set.
(From OE-Core rev: 11a016aaf243a110f7139ea052fd4e568aad40dd)
Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When inherited by the u-boot recipe (UBOOT_PN), uboot-sign.bbclass adds
a concat_dtb step, which places additional files into ${DEPLOYDIR}
before do_deploy. By turning this from a prefunc into a part of the normal
do_deploy function, it becomes possible to use
do_deploy[cleandirs] = "${DEPLOYDIR}"
in the future, without deleting the files produced by concat_dtb.
As before, care is taken to not interfere with the kernel's do_deploy
definition, since concat_dtb was only needed for u-boot.
(From OE-Core rev: 17619c1a41fa961afc317e4aafab9cdc4ff14a49)
Signed-off-by: Daniel Klauer <daniel.klauer@gin.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
u-boot.bin with dtb & signature should be placed in ${B} so that
it can be deployed by u-boot as expected. Otherwise, the version
without signature is installed.
(From OE-Core rev: bfc8c964a9760a2c4a1d1902918908a1e7361c17)
Signed-off-by: Jun Nie <jun.nie@linaro.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Since UBOOT_DTB_BINARY empty means we don't need to inject signatures
into the U-Boot DTB, we can remove the dependencies between consumers of
these two classes and resolve a circular dependency between u-boot and
kernel.
(From OE-Core rev: c6b49cb75285e71909d1f9e4bf636f186941b519)
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When using u-boot-nodtb, the symlink didn't install correctly to the
${DEPLOYDIR}. This commit fixes this bug.
(From OE-Core rev: c4eddb65e2ddb61bf519b768fab1e131fb0c297b)
Signed-off-by: Ying-Chun Liu (PaulLiu) <paulliu@debian.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When UBOOT_DTB_BINARY is empty and because the code now changes
directory into ${B}, the test for the existence becomes `[ -f ]` which
succeeds and subsequently the install fails.
Reorder the code so it's clear that UBOOT_DTB_BINARY empty is an
expected configuration and then quote UBOOT_DTB_BINARY everywhere so
no one trips over this again.
Fixes: bacb59079eb6 ("uboot-sign: add support for different u-boot configurations")
(From OE-Core rev: e79f0db0745625b35dd83483747e486d08eebfde)
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is done by concatenating the DTB with the kernels public key
to all built u-boot binaries. Furthermore the installation of all
the binaries is required.
(From OE-Core rev: bacb59079eb6ba7e43507a6d3a357341fb367f83)
Signed-off-by: Andreas Obergschwandtner <andreas.obergschwandtner@skidata.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When UBOOT_DTB_BINARY is set to "", the keys for signed booting are
expected to be already present in U-Boot's DTB, so don't issue warnings
for this.
(From OE-Core rev: 04656f5df326a72747fc5878ce201b636a2a419c)
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fixed:
MACHINE = "beaglebone-yocto"
KERNEL_CLASSES += "kernel-fitimage"
KERNEL_IMAGETYPE_beaglebone-yocto = "fitImage"
UBOOT_MACHINE_beaglebone-yocto = "am335x_boneblack_vboot_config"
UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb -p 2000"
UBOOT_SIGN_KEYDIR = "${TOPDIR}/conf"
UBOOT_SIGN_KEYNAME = "dev"
UBOOT_SIGN_ENABLE = "1"
IMAGE_INSTALL_remove = "kernel-image-zimage"
$ cd conf
$ openssl genrsa -F4 -out dev.key 2048
$ openssl req -batch -new -x509 -key dev.key -out dev.crt
$ cd ../
$ bitbake u-boot linux-yocto
$ grep signature tmp/deploy/images/beaglebone-yocto/*.dtb
Binary file tmp/deploy/images/beaglebone-yocto/u-boot-beaglebone-yocto-2018.07-r0.dtb matches
Binary file tmp/deploy/images/beaglebone-yocto/u-boot-beaglebone-yocto.dtb matches
Binary file tmp/deploy/images/beaglebone-yocto/u-boot.dtb matches
And there would be no signature info when rebuild from sstate:
$ bitbake u-boot linux-yocto -cclean
$ bitbake u-boot linux-yocto
$ grep signature tmp/deploy/images/beaglebone-yocto/*.dtb
No result
This s because kernel directly edit ${DEPLOY_DIR_IMAGE}/u-boot.dtb, (Note, it
is global ${DEPLOY_DIR_IMAGE}, not recipe's DEPLOYDIR), so that the modified
info is not in sstate, and would be lost when rebuild from sstate.
There are other problems in previouse code:
- The u-boot.dtb is provided by u-boot, but edited by kernel during signing, so
it should be deployed by kernel rather than u-boot.
- The u-boot.do_concat_dtb directly install files to global ${DEPLOY_DIR_IMAGE},
this is incorrect, the ${DEPLOY_DIR_IMAGE} should be installed by do_deploy.
- It seems that it assumes do_deploy depends on do_install according the comments,
but they have no relationships:
# do_concat_dtb is scheduled _before_ do_install as it overwrite the
# u-boot.bin in both DEPLOYDIR and DEPLOY_IMAGE_DIR.
- The do_concat_dtb should be run after do_compile, but it doesn't have this
dependency.
Make u-boot install u-boot.dtb to ${datadir}, kernel copies u-boot.dtb from
${STAGING_DATADIR} to ${B} and deploy it can fix the problem.
[YOCTO #12112]
Reported-by: Christian Andersen <c.andersen@kostal.com>
(From OE-Core rev: 493f70cfb177f1d452a13329647a38642bf2b161)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
U-Boot people are amazingly pedantic in their insistence on proper
spelling of "U-Boot", so humour them.
(From OE-Core rev: f346a9bdc372ec477bafcda358f9339ff4e4c79d)
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
getVar() now defaults to expanding by default, thus remove the True
option from getVar() calls with a regex search and replace.
Search made with the following regex: getVar ?\(( ?[^,()]*), True\)
(From OE-Core rev: 7c552996597faaee2fbee185b250c0ee30ea3b5f)
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Now that out of tree building is enabled, ${B} must be used instead of
${S} as the path for UBOOT_BINARY.
(From OE-Core rev: 1fe17c52e4d7ce1b9d69aaa2cd9d4b351a4b2603)
Signed-off-by: George McCollister <george.mccollister@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Prior to running oe_runmake make sure $B is the cwd. This is required
due to bitbake commit 67a7b8b021badc17d8fdf447c250e79d291e75f7
"build: don't use $B as the default cwd for functions".
Without this change, do_concat_dtb fails with:
| ERROR: oe_runmake failed
| make: *** No targets specified and no makefile found. Stop.
(From OE-Core rev: 6dca3dee34b587157d0d49c590a177ff1dabb374)
Signed-off-by: George McCollister <george.mccollister@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Handle u-boot.rom signing (U-Boot as x86 BIOS replacement) the same way
that u-boot.img signing is handled.
(From OE-Core rev: 94e3f427bbeb005d8443e9d822c3182f280df470)
Signed-off-by: George McCollister <george.mccollister@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
u-boot-nodtb.img doesn't exist so if UBOOT_SUFFIX = "img" is used
u-boot.img must be rebuilt by running make with
EXT_DTB=${DEPLOYDIR}/${UBOOT_DTB_IMAGE} then the resulting .img file must
be install to the deploy directories.
(From OE-Core rev: 4afee787e455ce1d4c002cd5c003182f1fc50028)
Signed-off-by: George McCollister <george.mccollister@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This enable the deployment of u-boot-nodtb.bin and u-boot.dtb files.
(From OE-Core rev: 396a3fb0f55a443f73d6ddd99d8ba83412db2d40)
Signed-off-by: Yannick Gicquel <yannick.gicquel@iot.bzh>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This introduces a new uboot-sign.class to support U-Boot verified boot.
This part delivers the new class file, with related environment variables, and
a new task intended to run before do_install task and which performs the
concatenation of the u-boot-nodtb.bin and the device tree blob. The 'cat'
command used overrides the u-boot.bin in both DEPLOYDIR & build dir to
propagate the changes in later tasks (do_install, do_package, etc.)
(From OE-Core rev: 27e21c50ada2f5fb6296cce680da4350a229977c)
Signed-off-by: Yannick Gicquel <yannick.gicquel@iot.bzh>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
