[v2] kernel-fitimage: make signing failure fatal

Message ID 20240902114523.1168083-1-alexander.sverdlin@siemens.com
State Superseded

Commit Message

Sverdlin, Alexander Sept. 2, 2024, 11:45 a.m. UTC
From: Alexander Sverdlin <alexander.sverdlin@siemens.com>

mkimage doesn't fail if it is not able to sign FIT nodes.
This may lead to unbootable images in secure boot configurations.
Make signing failures fatal by parsing the mkimage output.

Signed-off-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
---
Changes in v2:
- bbfatal -> bbfatal_log

 meta/classes-recipe/kernel-fitimage.bbclass | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

Comments

Bruce Ashfield Sept. 2, 2024, 1:52 p.m. UTC | #1
On Mon, Sep 2, 2024 at 7:46 AM A. Sverdlin <alexander.sverdlin@siemens.com>
wrote:

> From: Alexander Sverdlin <alexander.sverdlin@siemens.com>
>
> mkimage doesn't fail if it is not able to sign FIT nodes.
> This may lead to unbootable images in secure boot configurations.
> Make signing failures fatal by parsing the mkimage output.
>
> Signed-off-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
> ---
> Changes in v2:
> - bbfatal -> bbfatal_log
>
>  meta/classes-recipe/kernel-fitimage.bbclass | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/meta/classes-recipe/kernel-fitimage.bbclass
> b/meta/classes-recipe/kernel-fitimage.bbclass
> index 67c98adb232..cfda17f5e3b 100644
> --- a/meta/classes-recipe/kernel-fitimage.bbclass
> +++ b/meta/classes-recipe/kernel-fitimage.bbclass
> @@ -753,11 +753,15 @@ fitimage_assemble() {
>         # Step 8: Sign the image
>         #
>         if [ "x${UBOOT_SIGN_ENABLE}" = "x1" ] ; then
> -               ${UBOOT_MKIMAGE_SIGN} \
> +               output=$(${UBOOT_MKIMAGE_SIGN} \
>                         ${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if
> len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
>                         -F -k "${UBOOT_SIGN_KEYDIR}" \
>                         -r ${KERNEL_OUTPUT_DIR}/$2 \
> -                       ${UBOOT_MKIMAGE_SIGN_ARGS}
> +                       ${UBOOT_MKIMAGE_SIGN_ARGS})
> +               echo "$output"
> +               if echo "$output" | grep -qE "Sign value:\s*unavailable";
> then
> +                       bbfatal_log "${UBOOT_MKIMAGE_SIGN}: Failed to
> provide some signatures"
>

This still is missing the details about the issue.

Either pointing to the log, or including the relevant bits of $output in
the error message
will save everyone a lot of time.

Bruce



> +               fi
>         fi
>  }
>
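Review bot: In the `grep -qE "Sign value:\s*unavailable"` test, `\s` is a GNU extension and not part of POSIX ERE; `[[:space:]]*` matches the same text without depending on the host grep. The `echo "$output"` line above it has a similar portability issue, since some /bin/sh implementations expand backslash sequences in echo arguments, so `printf '%s\n' "$output"` is the safer way to replay the captured text into the log.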
> --
> 2.46.0
>
>
Sverdlin, Alexander Sept. 2, 2024, 4:12 p.m. UTC | #2
Hi Bruce,

thanks for the quick review!

On Mon, 2024-09-02 at 09:52 -0400, Bruce Ashfield wrote:
> > From: Alexander Sverdlin <alexander.sverdlin@siemens.com>
> > 
> > mkimage doesn't fail if it is not able to sign FIT nodes.
> > This may lead to unbootable images in secure boot configurations.
> > Make signing failures fatal by parsing the mkimage output.
> > 
> > Signed-off-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
> > ---
> > Changes in v2:
> > - bbfatal -> bbfatal_log
> > 
> >  meta/classes-recipe/kernel-fitimage.bbclass | 8 ++++++--
> >  1 file changed, 6 insertions(+), 2 deletions(-)
> > 
> > diff --git a/meta/classes-recipe/kernel-fitimage.bbclass b/meta/classes-recipe/kernel-fitimage.bbclass
> > index 67c98adb232..cfda17f5e3b 100644
> > --- a/meta/classes-recipe/kernel-fitimage.bbclass
> > +++ b/meta/classes-recipe/kernel-fitimage.bbclass
> > @@ -753,11 +753,15 @@ fitimage_assemble() {
> >         # Step 8: Sign the image
> >         #
> >         if [ "x${UBOOT_SIGN_ENABLE}" = "x1" ] ; then
> > -               ${UBOOT_MKIMAGE_SIGN} \
> > +               output=$(${UBOOT_MKIMAGE_SIGN} \
> >                         ${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
> >                         -F -k "${UBOOT_SIGN_KEYDIR}" \
> >                         -r ${KERNEL_OUTPUT_DIR}/$2 \
> > -                       ${UBOOT_MKIMAGE_SIGN_ARGS}
> > +                       ${UBOOT_MKIMAGE_SIGN_ARGS})
> > +               echo "$output"
> > +               if echo "$output" | grep -qE "Sign value:\s*unavailable"; then
> > +                       bbfatal_log "${UBOOT_MKIMAGE_SIGN}: Failed to provide some signatures"
> 
> 
> This still is missing the details about the issue.
> 
> Either pointing to the log, or including the relevant bits of $output in the error message
> will save everyone a lot of time.

I'll be sending v3, which provides the following bitbake output:

| FIT description: Kernel fitImage for XXX - XXX (Systemd + Virt)/6.8.9/XXX
| Created:         Tue Apr  5 23:00:00 2011
|  Image 0 (kernel-1)
|   Description:  Linux kernel
|   Created:      Tue Apr  5 23:00:00 2011
|   Type:         Kernel Image
|   Compression:  gzip compressed
|   Data Size:    9007561 Bytes = 8796.45 KiB = 8.59 MiB
|   Architecture: AArch64
|   OS:           Linux
|   Load Address: 0x80400000
|   Entry Point:  0x80400000
|   Hash algo:    sha256
|   Hash value:   50eb1a52d311ea9c59b32789b5a87f5971ac386ba09a7f3e7b1b82be220a11b3
|  Image 1 (fdt-k3-am625-XXX.dtb)
|   Description:  Flattened Device Tree blob
|   Created:      Tue Apr  5 23:00:00 2011
|   Type:         Flat Device Tree
|   Compression:  uncompressed
|   Data Size:    41968 Bytes = 40.98 KiB = 0.04 MiB
|   Architecture: AArch64
|   Load Address: 0x84e00000
|   Hash algo:    sha256
|   Hash value:   2b6e5fe04478dc88ba587779dc12a5e079f7a0583d3d5511134108e3acd738ce
|  Image 2 (fdt-k3-am625-XXX.10.dtb)
|   Description:  Flattened Device Tree blob
|   Created:      Tue Apr  5 23:00:00 2011
|   Type:         Flat Device Tree
|   Compression:  uncompressed
|   Data Size:    45771 Bytes = 44.70 KiB = 0.04 MiB
|   Architecture: AArch64
|   Load Address: 0x84e00000
|   Hash algo:    sha256
|   Hash value:   5d8ba8ad5307c5086ef7cc3df4e0a0903477ccee07f6b82234b3e95ad2b44dbd
|  Image 3 (ramdisk-1)
|   Description:  XXX-image-sd-initramfs
|   Created:      Tue Apr  5 23:00:00 2011
|   Type:         RAMDisk Image
|   Compression:  uncompressed
|   Data Size:    14769626 Bytes = 14423.46 KiB = 14.09 MiB
|   Architecture: AArch64
|   OS:           Linux
|   Load Address: 0x85000000
|   Entry Point:  unavailable
|   Hash algo:    sha256
|   Hash value:   1a6d2605843624dc0e1eae67b81aa605e31c8318944c5b5c31e498ce8c397d3d
|  Default Configuration: 'conf-k3-am625-XXX.dtb'
|  Configuration 0 (conf-k3-am625-XXX.dtb)
|   Description:  1 Linux kernel, FDT blob, ramdisk
|   Kernel:       kernel-1
|   Init Ramdisk: ramdisk-1
|   FDT:          fdt-k3-am625-XXX.dtb
|   Hash algo:    sha256
|   Hash value:   unavailable
|   Sign algo:    sha256,rsa2048:dev
|   Sign padding: pkcs-1.5
|   Sign value:   unavailable
|   Timestamp:    unavailable
|  Configuration 1 (conf-k3-am625-XXX.10.dtb)
|   Description:  0 Linux kernel, FDT blob, ramdisk
|   Kernel:       kernel-1
|   Init Ramdisk: ramdisk-1
|   FDT:          fdt-k3-am625-XXX.10.dtb
|   Hash algo:    sha256
|   Hash value:   unavailable
|   Sign algo:    sha256,rsa2048:dev
|   Sign padding: pkcs-1.5
|   Sign value:   unavailable
|   Timestamp:    unavailable
| Couldn't open RSA private key: '/builds/XXX/meta-XXX/projects/XXX-sd-virt/tmp/work/XXX-XXX-linux/linux-XXX/6.8.9/secure-boot/dev.key': No such file or directory
| Failed to sign 'signature-1' signature node in 'conf-k3-am625-XXX.dtb' conf node
| Couldn't open RSA private key: '/builds/XXX/meta-XXX/projects/XXX-sd-virt/tmp/work/XXX-XXX-linux/linux-XXX/6.8.9/secure-boot/dev.key': No such file or directory
| Failed to sign 'signature-1' signature node in 'conf-k3-am625-XXX.10.dtb' conf node
| FIT description: Kernel fitImage for XXX - XXX (Systemd + Virt)/6.8.9/XXX
| Created:         Tue Apr  5 23:00:00 2011
|  Image 0 (kernel-1)
|   Description:  Linux kernel
|   Created:      Tue Apr  5 23:00:00 2011
|   Type:         Kernel Image
|   Compression:  gzip compressed
|   Data Size:    9007561 Bytes = 8796.45 KiB = 8.59 MiB
|   Architecture: AArch64
|   OS:           Linux
|   Load Address: 0x80400000
|   Entry Point:  0x80400000
|   Hash algo:    sha256
|   Hash value:   50eb1a52d311ea9c59b32789b5a87f5971ac386ba09a7f3e7b1b82be220a11b3
|  Image 1 (fdt-k3-am625-XXX.dtb)
|   Description:  Flattened Device Tree blob
|   Created:      Tue Apr  5 23:00:00 2011
|   Type:         Flat Device Tree
|   Compression:  uncompressed
|   Data Size:    41968 Bytes = 40.98 KiB = 0.04 MiB
|   Architecture: AArch64
|   Load Address: 0x84e00000
|   Hash algo:    sha256
|   Hash value:   2b6e5fe04478dc88ba587779dc12a5e079f7a0583d3d5511134108e3acd738ce
|  Image 2 (fdt-k3-am625-XXX.10.dtb)
|   Description:  Flattened Device Tree blob
|   Created:      Tue Apr  5 23:00:00 2011
|   Type:         Flat Device Tree
|   Compression:  uncompressed
|   Data Size:    45771 Bytes = 44.70 KiB = 0.04 MiB
|   Architecture: AArch64
|   Load Address: 0x84e00000
|   Hash algo:    sha256
|   Hash value:   5d8ba8ad5307c5086ef7cc3df4e0a0903477ccee07f6b82234b3e95ad2b44dbd
|  Image 3 (ramdisk-1)
|   Description:  XXX-image-sd-initramfs
|   Created:      Tue Apr  5 23:00:00 2011
|   Type:         RAMDisk Image
|   Compression:  uncompressed
|   Data Size:    14769626 Bytes = 14423.46 KiB = 14.09 MiB
|   Architecture: AArch64
|   OS:           Linux
|   Load Address: 0x85000000
|   Entry Point:  unavailable
|   Hash algo:    sha256
|   Hash value:   1a6d2605843624dc0e1eae67b81aa605e31c8318944c5b5c31e498ce8c397d3d
|  Default Configuration: 'conf-k3-am625-XXX.dtb'
|  Configuration 0 (conf-k3-am625-XXX.dtb)
|   Description:  1 Linux kernel, FDT blob, ramdisk
|   Kernel:       kernel-1
|   Init Ramdisk: ramdisk-1
|   FDT:          fdt-k3-am625-XXX.dtb
|   Hash algo:    sha256
|   Hash value:   unavailable
|   Sign algo:    sha256,rsa2048:dev
|   Sign padding: pkcs-1.5
|   Sign value:   unavailable
|   Timestamp:    unavailable
|  Configuration 1 (conf-k3-am625-XXX.10.dtb)
|   Description:  0 Linux kernel, FDT blob, ramdisk
|   Kernel:       kernel-1
|   Init Ramdisk: ramdisk-1
|   FDT:          fdt-k3-am625-XXX.10.dtb
|   Hash algo:    sha256
|   Hash value:   unavailable
|   Sign algo:    sha256,rsa2048:dev
|   Sign padding: pkcs-1.5
|   Sign value:   unavailable
|   Timestamp:    unavailable
| Signature written to '/builds/XXX/meta-XXX/projects/XXX-sd-virt/tmp/work/XXX-XXX-linux/linux-XXX/6.8.9/deploy-fitimage-unbundled-linux-XXX/fitImage-XXX-image-sd-initramfs-XXX--6.8.9-r0-XXX-
20240902152131.bin', node '/configurations/conf-k3-am625-XXX.10.dtb/signature-1'
| ERROR: uboot-mkimage failed to provide signatures for these images:
| ERROR:
|  Configuration 0 (conf-k3-am625-XXX.dtb)
|   Description:  1 Linux kernel, FDT blob, ramdisk
|   Kernel:       kernel-1
|   Init Ramdisk: ramdisk-1
|   FDT:          fdt-k3-am625-XXX.dtb
|   Hash algo:    sha256
|   Hash value:   unavailable
|   Sign algo:    sha256,rsa2048:dev
|   Sign padding: pkcs-1.5
|   Sign value:   unavailable
|   Timestamp:    unavailable
|  Configuration 1 (conf-k3-am625-XXX.10.dtb)
|   Description:  0 Linux kernel, FDT blob, ramdisk
|   Kernel:       kernel-1
|   Init Ramdisk: ramdisk-1
|   FDT:          fdt-k3-am625-XXX.10.dtb
|   Hash algo:    sha256
|   Hash value:   unavailable
|   Sign algo:    sha256,rsa2048:dev
|   Sign padding: pkcs-1.5
|   Sign value:   unavailable
|   Timestamp:    unavailable
| Signature written to '/builds/XXX/meta-XXX/projects/XXX-sd-virt/tmp/work/XXX-XXX-linux/linux-XXX/6.8.9/deploy-fitimage-unbundled-linux-XXX/fitImage-XXX-image-sd-initramfs-XXX--6.8.9-r0-XXX-
20240902152131.bin', node '/configurations/conf-k3-am625-XXX.10.dtb/signature-1'
| WARNING: exit code 1 from a shell command.
NOTE: recipe linux-XXX-6.8.9-r0: task do_deploy_fitimage_unbundled: Failed
ERROR: Task (/builds/XXX/meta-XXX/projects/XXX-sd-virt/../../meta-XXX/recipes-kernel/linux/linux-XXX_6.8.bb:do_deploy_fitimage_unbundled) failed with exit code '1'
NOTE: Tasks Summary: Attempted 9689 tasks of which 9226 didn't need to be rerun and 1 failed.

-- 
Alexander Sverdlin
Siemens AG
www.siemens.com
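
The output-parsing approach discussed in this thread, as an added example that is not the patch's code nor the v3 implementation: instead of a yes/no grep, it names the FIT nodes whose `Sign value:` is `unavailable`. The function names and the sample dump are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not the patch's code). Reads a mkimage FIT dump on stdin and
# prints the name of each node whose "Sign value:" is "unavailable", once per
# node even when the dump is repeated as in the log above.
unsigned_nodes() {
	awk '
		# "Image N (name)" / "Configuration N (name)" opens a new node.
		/^[ \t]*(Image|Configuration) [0-9]+ \(/ {
			node = $0
			sub(/^[^(]*\(/, "", node)     # strip up to and including "("
			sub(/\)[ \t]*$/, "", node)    # strip the closing ")"
			next
		}
		# Match only the "Sign value:" line, the field the patch greps for;
		# other fields can also read "unavailable" (e.g. "Entry Point:").
		/^[ \t]*Sign value:[ \t]*unavailable[ \t]*$/ {
			if (node != "" && !(node in seen)) { seen[node] = 1; print node }
		}
	'
}

# Return 1 and name the affected nodes on stderr if any node is unsigned.
require_signed() {
	missing=$(unsigned_nodes)
	[ -z "$missing" ] && return 0
	printf 'unsigned FIT nodes:\n%s\n' "$missing" >&2
	return 1
}

# Constructed sample in the format shown above; the hex value is made up.
sample_dump() {
	cat <<'EOF'
 Image 0 (ramdisk-1)
  Entry Point:  unavailable
  Hash algo:    sha256
 Configuration 0 (conf-a.dtb)
  Sign value:   00112233aabbccdd
 Configuration 1 (conf-b.dtb)
  Hash value:   unavailable
  Sign value:   unavailable
 Configuration 1 (conf-b.dtb)
  Sign value:   unavailable
EOF
}
```

Piping the captured mkimage output into `require_signed` gives a failing status together with the list of affected nodes, which can then be placed in the fatal message.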

Patch

diff --git a/meta/classes-recipe/kernel-fitimage.bbclass b/meta/classes-recipe/kernel-fitimage.bbclass
index 67c98adb232..cfda17f5e3b 100644
--- a/meta/classes-recipe/kernel-fitimage.bbclass
+++ b/meta/classes-recipe/kernel-fitimage.bbclass
@@ -753,11 +753,15 @@  fitimage_assemble() {
 	# Step 8: Sign the image
 	#
 	if [ "x${UBOOT_SIGN_ENABLE}" = "x1" ] ; then
-		${UBOOT_MKIMAGE_SIGN} \
+		output=$(${UBOOT_MKIMAGE_SIGN} \
 			${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
 			-F -k "${UBOOT_SIGN_KEYDIR}" \
 			-r ${KERNEL_OUTPUT_DIR}/$2 \
-			${UBOOT_MKIMAGE_SIGN_ARGS}
+			${UBOOT_MKIMAGE_SIGN_ARGS})
+		echo "$output"
+		if echo "$output" | grep -qE "Sign value:\s*unavailable"; then
+			bbfatal_log "${UBOOT_MKIMAGE_SIGN}: Failed to provide some signatures"
+		fi
 	fi
 }
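
Review bot: The `output=$(${UBOOT_MKIMAGE_SIGN} ...)` assignment captures stdout only, so anything mkimage writes to stderr never reaches `$output` and can neither be matched by the grep nor quoted in the `bbfatal_log` message. If the fatal message is meant to explain the failure, either add `2>&1` inside the substitution or have the message include the lines of `$output` that matched, in place of the fixed text "Failed to provide some signatures".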