| Message ID | 20250401135010.3278105-1-anshuld@ti.com |
|---|---|
| State | New |
| Headers | show |
| Series | [RFC] u-boot: kernel-fitimage: add pre-processing hooks | expand |
Hi Anshul The kernel-fitimage.bbclass is already a bit complicated because of the many special cases it supports. The patch looks like it adds support for another very special use case to the kernel, which makes it even more complicated. Especially when patches come without test cases, this makes the situation worse. Adding the same code multiple times does not look like an elegant solution. This is of course also because of the existing code base. I'm working on a re-implementation in Python, which would probably allow to do this much more elegant. https://web.git.yoctoproject.org/poky- contrib/commit/?h=adrianf/fitimage-improvements Note: I have a newer version which I will push soon. The next version of these patches will move the FIT image generation out of the kernel recipe into a separate recipe. This would also allow to have a customized recipe in your layer which does the pre- processing. That would be much simpler than doing this in the context of the complicated kernel recipe. The plan is here: https://bugzilla.yoctoproject.org/show_bug.cgi?id=12912 Did you also consider to implement this feature in uboot mkimage? mkimage is supposed to do the signing of all the artifacts in the FIT image. There are 2 modes supported: * FIT_SIGN_INDIVIDUAL=1: Sign all the image artifacts and the configuration nodes This mode looks like doing what your patches try to do indepepndently from mkimage. * IT_SIGN_INDIVIDUAL=0: Sign only the configuration nodes. Since your hook is related to signing: Is it the right approach to do half of the signing process in OE-core when the design is currently such that mkimage can normally do this completely on its own? Thank you and regards, Adrian On Tue, 2025-04-01 at 19:20 +0530, Anshul Dalal via lists.openembedded.org wrote: > In some use cases it is desirable to perform some pre-processing on > fitImage's individual components before packaging them in the final > FIT > such as using a custom signing mechanism for secure booting separate > from mkimage. > > Therefore this patch adds a pre-processing hook called > `preprocess_binary` in the kernel-fitimage class to allow bsp layers > to > override it and perform pre-processing to the fit components. > > This functionality is enabled by setting the FIT_PREPROCESS_BINARY > variable to 1 which defaults to 0. > > Signed-off-by: Anshul Dalal <anshuld@ti.com> > --- > meta/classes-recipe/kernel-fitimage.bbclass | 52 > +++++++++++++++++++-- > 1 file changed, 47 insertions(+), 5 deletions(-) > > diff --git a/meta/classes-recipe/kernel-fitimage.bbclass > b/meta/classes-recipe/kernel-fitimage.bbclass > index 18ab17bd2c..ebe159ea03 100644 > --- a/meta/classes-recipe/kernel-fitimage.bbclass > +++ b/meta/classes-recipe/kernel-fitimage.bbclass > @@ -84,6 +84,9 @@ FIT_KEY_SIGN_PKCS ?= "-x509" > # Sign individual images as well > FIT_SIGN_INDIVIDUAL ?= "0" > > +# Preprocess individual fitImage binaries (kernel, dtb etc.) with an > overridable `preprocess_binary` function > +FIT_PREPROCESS_BINARY ?= "0" > + > FIT_CONF_PREFIX ?= "conf-" > FIT_CONF_PREFIX[doc] = "Prefix to use for FIT configuration node > name" > > @@ -553,6 +556,10 @@ EOF > EOF > } > > +preprocess_binary() { > + bbfatal "Provide an implementation for 'preprocess_binary' to > preprocess fitImage binaries or unset FIT_PREPROCESS_BINARY" > +} > + > # > # Assemble fitImage > # > @@ -581,7 +588,14 @@ fitimage_assemble() { > fitimage_emit_section_maint $1 imagestart > > uboot_prep_kimage > - fitimage_emit_section_kernel $1 $kernelcount linux.bin > "$linux_comp" > + BINARY_PATH="linux.bin" > + if [ "x${FIT_PREPROCESS_BINARY}" = "x1" ]; then > + PROCESSED_BINARY="${BINARY_PATH}.processed" > + preprocess_binary $BINARY_PATH $PROCESSED_BINARY > + fitimage_emit_section_kernel $1 $kernelcount $PROCESSED_BINARY > "$linux_comp" > + else > + fitimage_emit_section_kernel $1 $kernelcount $BINARY_PATH > "$linux_comp" > + fi > > # > # Step 2: Prepare a DTB image section > @@ -622,7 +636,14 @@ fitimage_assemble() { > > DTBS="$DTBS $DTB" > DTB=$(echo $DTB | tr '/' '_') > - fitimage_emit_section_dtb $1 $DTB $DTB_PATH > + BINARY_PATH="$DTB_PATH" > + if [ "x${FIT_PREPROCESS_BINARY}" = "x1" ]; then > + PROCESSED_BINARY="${BINARY_PATH}.processed" > + preprocess_binary $BINARY_PATH $PROCESSED_BINARY > + fitimage_emit_section_dtb $1 $DTB $PROCESSED_BINARY > + else > + fitimage_emit_section_dtb $1 $DTB $BINARY_PATH > + fi > done > fi > > @@ -646,7 +667,14 @@ fitimage_assemble() { > [ $(symlink_points_below $DTB "${EXTERNAL_KERNEL_DEVICETREE}") ] && > continue > > DTB=$(echo $DTB | tr '/' '_') > - fitimage_emit_section_dtb $1 $DTB > "${EXTERNAL_KERNEL_DEVICETREE}/$DTB" > + BINARY_PATH="${EXTERNAL_KERNEL_DEVICETREE}/$DTB" > + if [ "x${FIT_PREPROCESS_BINARY}" = "x1" ]; then > + PROCESSED_BINARY="${BINARY_PATH}.processed" > + preprocess_binary $BINARY_PATH $PROCESSED_BINARY > + fitimage_emit_section_dtb $1 $DTB $PROCESSED_BINARY > + else > + fitimage_emit_section_dtb $1 $DTB $BINARY_PATH > + fi > done > fi > > @@ -662,7 +690,14 @@ fitimage_assemble() { > if [ -e "${STAGING_DIR_HOST}/boot/${UBOOT_ENV_BINARY}" ]; then > cp ${STAGING_DIR_HOST}/boot/${UBOOT_ENV_BINARY} ${B} > bootscr_id="${UBOOT_ENV_BINARY}" > - fitimage_emit_section_boot_script $1 "$bootscr_id" > ${UBOOT_ENV_BINARY} > + BINARY_PATH="${UBOOT_ENV_BINARY}" > + if [ "x${FIT_PREPROCESS_BINARY}" = "x1" ]; then > + PROCESSED_BINARY="${BINARY_PATH}.processed" > + preprocess_binary $BINARY_PATH $PROCESSED_BINARY > + fitimage_emit_section_boot_script $1 "$bootscr_id" > $PROCESSED_BINARY > + else > + fitimage_emit_section_boot_script $1 "$bootscr_id" $BINARY_PATH > + fi > else > bbwarn "${STAGING_DIR_HOST}/boot/${UBOOT_ENV_BINARY} not found." > fi > @@ -673,7 +708,14 @@ fitimage_assemble() { > # > if [ -e ${KERNEL_OUTPUT_DIR}/setup.bin ]; then > setupcount=1 > - fitimage_emit_section_setup $1 $setupcount > ${KERNEL_OUTPUT_DIR}/setup.bin > + BINARY_PATH="${KERNEL_OUTPUT_DIR}/setup.bin" > + if [ "x${FIT_PREPROCESS_BINARY}" = "x1" ]; then > + PROCESSED_BINARY="${BINARY_PATH}.processed" > + preprocess_binary $BINARY_PATH $PROCESSED_BINARY > + fitimage_emit_section_setup $1 $setupcount $PROCESSED_BINARY > + else > + fitimage_emit_section_setup $1 $setupcount $BINARY_PATH > + fi > fi > > # > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#214128): > https://lists.openembedded.org/g/openembedded-core/message/214128 > Mute This Topic: https://lists.openembedded.org/mt/112026315/4454582 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded- > core/unsub [adrian.freihofer@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- >
diff --git a/meta/classes-recipe/kernel-fitimage.bbclass b/meta/classes-recipe/kernel-fitimage.bbclass index 18ab17bd2c..ebe159ea03 100644 --- a/meta/classes-recipe/kernel-fitimage.bbclass +++ b/meta/classes-recipe/kernel-fitimage.bbclass @@ -84,6 +84,9 @@ FIT_KEY_SIGN_PKCS ?= "-x509" # Sign individual images as well FIT_SIGN_INDIVIDUAL ?= "0" +# Preprocess individual fitImage binaries (kernel, dtb etc.) with an overridable `preprocess_binary` function +FIT_PREPROCESS_BINARY ?= "0" + FIT_CONF_PREFIX ?= "conf-" FIT_CONF_PREFIX[doc] = "Prefix to use for FIT configuration node name" @@ -553,6 +556,10 @@ EOF EOF } +preprocess_binary() { + bbfatal "Provide an implementation for 'preprocess_binary' to preprocess fitImage binaries or unset FIT_PREPROCESS_BINARY" +} + # # Assemble fitImage # @@ -581,7 +588,14 @@ fitimage_assemble() { fitimage_emit_section_maint $1 imagestart uboot_prep_kimage - fitimage_emit_section_kernel $1 $kernelcount linux.bin "$linux_comp" + BINARY_PATH="linux.bin" + if [ "x${FIT_PREPROCESS_BINARY}" = "x1" ]; then + PROCESSED_BINARY="${BINARY_PATH}.processed" + preprocess_binary $BINARY_PATH $PROCESSED_BINARY + fitimage_emit_section_kernel $1 $kernelcount $PROCESSED_BINARY "$linux_comp" + else + fitimage_emit_section_kernel $1 $kernelcount $BINARY_PATH "$linux_comp" + fi # # Step 2: Prepare a DTB image section @@ -622,7 +636,14 @@ fitimage_assemble() { DTBS="$DTBS $DTB" DTB=$(echo $DTB | tr '/' '_') - fitimage_emit_section_dtb $1 $DTB $DTB_PATH + BINARY_PATH="$DTB_PATH" + if [ "x${FIT_PREPROCESS_BINARY}" = "x1" ]; then + PROCESSED_BINARY="${BINARY_PATH}.processed" + preprocess_binary $BINARY_PATH $PROCESSED_BINARY + fitimage_emit_section_dtb $1 $DTB $PROCESSED_BINARY + else + fitimage_emit_section_dtb $1 $DTB $BINARY_PATH + fi done fi @@ -646,7 +667,14 @@ fitimage_assemble() { [ $(symlink_points_below $DTB "${EXTERNAL_KERNEL_DEVICETREE}") ] && continue DTB=$(echo $DTB | tr '/' '_') - fitimage_emit_section_dtb $1 $DTB "${EXTERNAL_KERNEL_DEVICETREE}/$DTB" + BINARY_PATH="${EXTERNAL_KERNEL_DEVICETREE}/$DTB" + if [ "x${FIT_PREPROCESS_BINARY}" = "x1" ]; then + PROCESSED_BINARY="${BINARY_PATH}.processed" + preprocess_binary $BINARY_PATH $PROCESSED_BINARY + fitimage_emit_section_dtb $1 $DTB $PROCESSED_BINARY + else + fitimage_emit_section_dtb $1 $DTB $BINARY_PATH + fi done fi @@ -662,7 +690,14 @@ fitimage_assemble() { if [ -e "${STAGING_DIR_HOST}/boot/${UBOOT_ENV_BINARY}" ]; then cp ${STAGING_DIR_HOST}/boot/${UBOOT_ENV_BINARY} ${B} bootscr_id="${UBOOT_ENV_BINARY}" - fitimage_emit_section_boot_script $1 "$bootscr_id" ${UBOOT_ENV_BINARY} + BINARY_PATH="${UBOOT_ENV_BINARY}" + if [ "x${FIT_PREPROCESS_BINARY}" = "x1" ]; then + PROCESSED_BINARY="${BINARY_PATH}.processed" + preprocess_binary $BINARY_PATH $PROCESSED_BINARY + fitimage_emit_section_boot_script $1 "$bootscr_id" $PROCESSED_BINARY + else + fitimage_emit_section_boot_script $1 "$bootscr_id" $BINARY_PATH + fi else bbwarn "${STAGING_DIR_HOST}/boot/${UBOOT_ENV_BINARY} not found." fi @@ -673,7 +708,14 @@ fitimage_assemble() { # if [ -e ${KERNEL_OUTPUT_DIR}/setup.bin ]; then setupcount=1 - fitimage_emit_section_setup $1 $setupcount ${KERNEL_OUTPUT_DIR}/setup.bin + BINARY_PATH="${KERNEL_OUTPUT_DIR}/setup.bin" + if [ "x${FIT_PREPROCESS_BINARY}" = "x1" ]; then + PROCESSED_BINARY="${BINARY_PATH}.processed" + preprocess_binary $BINARY_PATH $PROCESSED_BINARY + fitimage_emit_section_setup $1 $setupcount $PROCESSED_BINARY + else + fitimage_emit_section_setup $1 $setupcount $BINARY_PATH + fi fi #
In some use cases it is desirable to perform some pre-processing on fitImage's individual components before packaging them in the final FIT such as using a custom signing mechanism for secure booting separate from mkimage. Therefore this patch adds a pre-processing hook called `preprocess_binary` in the kernel-fitimage class to allow bsp layers to override it and perform pre-processing to the fit components. This functionality is enabled by setting the FIT_PREPROCESS_BINARY variable to 1 which defaults to 0. Signed-off-by: Anshul Dalal <anshuld@ti.com> --- meta/classes-recipe/kernel-fitimage.bbclass | 52 +++++++++++++++++++-- 1 file changed, 47 insertions(+), 5 deletions(-)