git.ipfire.org Git - thirdparty/openembedded/openembedded-core.git/commitdiff
uboot-sign: sign SPL FIT into a copy of the SPL DTB
author Adrian Freihofer <adrian.freihofer@siemens.com>
Sat, 6 Jun 2026 12:17:56 +0000 (14:17 +0200)
committer Richard Purdie <richard.purdie@linuxfoundation.org>
Mon, 8 Jun 2026 17:03:16 +0000 (18:03 +0100)
mkimage's -K flag injects the public key into the DTB in-place. When
the signing target is the compile-output file (spl/u-boot-spl.dtb),
each test run accumulates key nodes from all previous runs in the same
work directory. With SPL_SIGN_CONF=1 every injected key carries
required = "conf", so mkimage requires ALL of them to have signed the
configuration. When a subsequent test uses a different key only its own
key signed the FIT, causing the verification to fail with:

  Failed to verify required signature 'key-<previous-keyname>'

Fix this by copying the compile-output DTB to SPL_DTB_SIGNED first and
passing the copy as the -K target. The original spl/u-boot-spl.dtb is
never modified, so each build starts from a clean state regardless of
how many times the task has been run.

Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
meta/classes-recipe/uboot-sign.bbclass

index 9cb5c6ccf3caafecb86fcae42c1001bb32033bef..2b10e71730285c0a88b7345b496f993d6018426a 100644 (file)
@@ -472,21 +472,25 @@ EOF
        if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
                if [ -n "${SPL_DTB_BINARY}" ] ; then
                        #
-                       # Sign the U-boot FIT image and add public key to SPL dtb
+                       # Sign the U-boot FIT image and add public key to SPL dtb.
+                       # Work on a copy of the DTB so that the compile output is
+                       # never modified in-place.  Without this, sequential test
+                       # runs that reuse the same work directory accumulate public
+                       # key nodes from previous runs, causing mkimage to require
+                       # all of them when verifying the conf signature.
                        #
+                       cp ${SPL_DIR}/${SPL_DTB_BINARY} ${SPL_DIR}/${SPL_DTB_SIGNED}
                        ${UBOOT_MKIMAGE_SIGN} \
                                ${@'-D "${SPL_MKIMAGE_DTCOPTS}"' if len('${SPL_MKIMAGE_DTCOPTS}') else ''} \
                                -F -k "${SPL_SIGN_KEYDIR}" \
-                               -K "${SPL_DIR}/${SPL_DTB_BINARY}" \
+                               -K "${SPL_DIR}/${SPL_DTB_SIGNED}" \
                                -r ${UBOOT_FITIMAGE_BINARY} \
                                ${SPL_MKIMAGE_SIGN_ARGS}
 
                        # Verify the U-boot FIT image and SPL dtb
                        ${UBOOT_FIT_CHECK_SIGN} \
-                               -k "${SPL_DIR}/${SPL_DTB_BINARY}" \
+                               -k "${SPL_DIR}/${SPL_DTB_SIGNED}" \
                                -f ${UBOOT_FITIMAGE_BINARY}
-
-                       cp ${SPL_DIR}/${SPL_DTB_BINARY} ${SPL_DIR}/${SPL_DTB_SIGNED}
                else
                        # Sign the U-boot FIT image
                        ${UBOOT_MKIMAGE_SIGN} \
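Review bot: Moving the cp ahead of ${UBOOT_MKIMAGE_SIGN} in the SPL_DTB_BINARY branch means ${SPL_DIR}/${SPL_DTB_SIGNED} now exists before signing and ${UBOOT_FIT_CHECK_SIGN} have succeeded, whereas the removed cp at the end of the branch created it only after verification passed. If either command fails, a DTB with no key, or with a key that did not verify, is left under the "signed" name, and whether anything later picks it up depends on error handling that is not visible in this hunk. Consider signing a temporary copy and renaming it to ${SPL_DTB_SIGNED} once the check passes, or removing the file on failure. Separately, the cp operands are unquoted while the -K and -k arguments for the same paths are quoted; quoting them would keep the block consistent.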