diff mbox series

kernel-fitimage: make signing failure fatal

Message ID 20240830202137.1054805-1-alexander.sverdlin@siemens.com
State Superseded
Headers show
Series kernel-fitimage: make signing failure fatal | expand

Commit Message

Sverdlin, Alexander Aug. 30, 2024, 8:21 p.m. UTC 
From: Alexander Sverdlin <alexander.sverdlin@siemens.com>

mkimage doesn't fail if it is not able to sign FIT nodes.
This may lead to unbootable images in secure boot configurations.
Make signing failures fatal by parsing the mkimage output.

Signed-off-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
---
 meta/classes-recipe/kernel-fitimage.bbclass | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

Comments

Bruce Ashfield Aug. 31, 2024, 2:22 a.m. UTC | #1 
On Fri, Aug 30, 2024 at 4:22 PM A. Sverdlin via lists.openembedded.org
<alexander.sverdlin=siemens.com@lists.openembedded.org> wrote:

> From: Alexander Sverdlin <alexander.sverdlin@siemens.com>
>
> mkimage doesn't fail if it is not able to sign FIT nodes.
> This may lead to unbootable images in secure boot configurations.
> Make signing failures fatal by parsing the mkimage output.
>
> Signed-off-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
> ---
>  meta/classes-recipe/kernel-fitimage.bbclass | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/meta/classes-recipe/kernel-fitimage.bbclass
> b/meta/classes-recipe/kernel-fitimage.bbclass
> index 67c98adb232..fea9e4e19a7 100644
> --- a/meta/classes-recipe/kernel-fitimage.bbclass
> +++ b/meta/classes-recipe/kernel-fitimage.bbclass
> @@ -753,11 +753,15 @@ fitimage_assemble() {
>         # Step 8: Sign the image
>         #
>         if [ "x${UBOOT_SIGN_ENABLE}" = "x1" ] ; then
> -               ${UBOOT_MKIMAGE_SIGN} \
> +               output=$(${UBOOT_MKIMAGE_SIGN} \
>                         ${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if
> len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
>                         -F -k "${UBOOT_SIGN_KEYDIR}" \
>                         -r ${KERNEL_OUTPUT_DIR}/$2 \
> -                       ${UBOOT_MKIMAGE_SIGN_ARGS}
> +                       ${UBOOT_MKIMAGE_SIGN_ARGS})
> +               echo "$output"
> +               if echo "$output" | grep -qE "Sign value:\s*unavailable";
> then
> +                       bbfatal "${UBOOT_MKIMAGE_SIGN}: Failed to provide
> some signatures"
>
Since you have the specific information available in the log, it should
either
be output as part of the fatal message, or the message should point to the
log file location.

Bruce



> +               fi
>         fi
>  }
>
> --
> 2.46.0
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#203970):
> https://lists.openembedded.org/g/openembedded-core/message/203970
> Mute This Topic: https://lists.openembedded.org/mt/108186299/1050810
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [
> bruce.ashfield@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
>
diff mbox series

Patch

diff --git a/meta/classes-recipe/kernel-fitimage.bbclass b/meta/classes-recipe/kernel-fitimage.bbclass
index 67c98adb232..fea9e4e19a7 100644
--- a/meta/classes-recipe/kernel-fitimage.bbclass
+++ b/meta/classes-recipe/kernel-fitimage.bbclass
@@ -753,11 +753,15 @@  fitimage_assemble() {
 	# Step 8: Sign the image
 	#
 	if [ "x${UBOOT_SIGN_ENABLE}" = "x1" ] ; then
-		${UBOOT_MKIMAGE_SIGN} \
+		output=$(${UBOOT_MKIMAGE_SIGN} \
 			${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
 			-F -k "${UBOOT_SIGN_KEYDIR}" \
 			-r ${KERNEL_OUTPUT_DIR}/$2 \
-			${UBOOT_MKIMAGE_SIGN_ARGS}
+			${UBOOT_MKIMAGE_SIGN_ARGS})
+		echo "$output"
+		if echo "$output" | grep -qE "Sign value:\s*unavailable"; then
+			bbfatal "${UBOOT_MKIMAGE_SIGN}: Failed to provide some signatures"
+		fi
 	fi
 }