From: Jamin Lin Date: Fri, 19 Jan 2024 06:19:36 +0000 (+0800) Subject: u-boot-sign:uboot-config: support to verify signed FIT image X-Git-Tag: uninative-4.4~198 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=17d3c8315e7a7adbe27183e11e1b6d588c1a1784;p=thirdparty%2Fopenembedded%2Fopenembedded-core.git u-boot-sign:uboot-config: support to verify signed FIT image It does not verify the signed FIT image of kernel and uboot. To catch the unexpected errors as far as possible at the build time, add uboot-fit-check-sign tool which is provided by u-boot to verify the signed FIT image. Signed-off-by: Jamin Lin Signed-off-by: Alexandre Belloni Signed-off-by: Richard Purdie --- diff --git a/meta/classes-recipe/uboot-config.bbclass b/meta/classes-recipe/uboot-config.bbclass index 9be1d64d3ef..0c579e8861b 100644 --- a/meta/classes-recipe/uboot-config.bbclass +++ b/meta/classes-recipe/uboot-config.bbclass @@ -94,6 +94,9 @@ SPL_MKIMAGE_SIGN_ARGS ?= "" UBOOT_DTB ?= "" UBOOT_DTB_BINARY ??= "" +# uboot-fit_check_sign command +UBOOT_FIT_CHECK_SIGN ?= "uboot-fit_check_sign" + python () { ubootmachine = d.getVar("UBOOT_MACHINE") ubootconfigflags = d.getVarFlags('UBOOT_CONFIG') diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass index 4b462698f94..7a0b8047e49 100644 --- a/meta/classes-recipe/uboot-sign.bbclass +++ b/meta/classes-recipe/uboot-sign.bbclass @@ -112,6 +112,10 @@ concat_dtb() { -K "${UBOOT_DTB_BINARY}" \ -r ${B}/fitImage-linux \ ${UBOOT_MKIMAGE_SIGN_ARGS} + # Verify the kernel image and u-boot dtb + ${UBOOT_FIT_CHECK_SIGN} \ + -k "${UBOOT_DTB_BINARY}" \ + -f ${B}/fitImage-linux cp ${UBOOT_DTB_BINARY} ${UBOOT_DTB_SIGNED} fi 
@@ -316,6 +320,12 @@ EOF -K "${SPL_DIR}/${SPL_DTB_BINARY}" \ -r ${UBOOT_FITIMAGE_BINARY} \ ${SPL_MKIMAGE_SIGN_ARGS} + # + # Verify the U-boot FIT image and SPL dtb + # + ${UBOOT_FIT_CHECK_SIGN} \ + -k "${SPL_DIR}/${SPL_DTB_BINARY}" \ + -f ${UBOOT_FITIMAGE_BINARY} fi if [ -e "${SPL_DIR}/${SPL_DTB_BINARY}" ]; then
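Review bot: In the uboot-config.bbclass hunk, the comment `# uboot-fit_check_sign command` only repeats the variable name and does not say what the variable is for. Suggest stating that UBOOT_FIT_CHECK_SIGN names the tool uboot-sign.bbclass runs to verify a signed FIT image after mkimage has signed it, and that it is a `?=` default meant to be overridable. Nothing in the visible lines adds a dependency that provides this binary, so it is worth confirming that every recipe inheriting uboot-sign has it available at task time; otherwise a signing build would stop on a missing command rather than on a verification result.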
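Review bot: In the concat_dtb() hunk of uboot-sign.bbclass, the check is given `-k "${UBOOT_DTB_BINARY}"`, the same file the preceding mkimage call has just written the key into with `-K "${UBOOT_DTB_BINARY}"`. The step therefore confirms that `${B}/fitImage-linux` and the freshly updated dtb are consistent with each other, which catches build-time signing mistakes as the commit message intends, but it is not a check against an independently held key; the comment "Verify the kernel image and u-boot dtb" could say that. The added lines also do not test the exit status or print which image failed, so consider an explicit error path such as appending `|| bbfatal "..."` with the image name, so a verification failure is distinguishable in the task log.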
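Review bot: In the second uboot-sign.bbclass hunk (@@ -316,6 +320,12 @@), the comment is a three-line block with empty `#` lines and spells "U-boot", while the matching comment in concat_dtb() is a single line that spells "u-boot"; use one form for both. `-f ${UBOOT_FITIMAGE_BINARY}` is unquoted beside the quoted `-k "${SPL_DIR}/${SPL_DTB_BINARY}"`, and quoting both would be more consistent. The check also runs before the `if [ -e "${SPL_DIR}/${SPL_DTB_BINARY}" ]` test that follows the `fi`, so it reads the SPL dtb without that existence guard; either note in the comment that the signing branch guarantees the file is present or move the guard ahead of the verification.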