diff mbox series

[v6,08/21] oe-selftest: fitimage: cleanup FIT_GENERATE_KEYS

Message ID 20250602075714.32122-9-adrian.freihofer@siemens.com
State Accepted, archived
Commit 97e58d7c2bc1943f0696fc72984788f459f7f7c4
Headers show
Series FIT image improvements | expand

Commit Message

AdrianF June 2, 2025, 7:56 a.m. UTC 
From: Adrian Freihofer <adrian.freihofer@siemens.com>

It is closer to practice to use static and predictable keys to sign the
FIT images. In addition, the new kernel-signing-keys-native is only
reliable if the temporary directory is not deleted. However, depending
on how this test suite is started, this can happen.
There will therefore only be one test that uses the recipe to generate
the keys, which ensures that the recipe works in principle.
It is also ensured that no keys are present before the test and that the
recipe runs safely and is not skipped by Bitbake.

Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
---
 meta/lib/oeqa/selftest/cases/fitimage.py | 24 ++++++++----------------
 1 file changed, 8 insertions(+), 16 deletions(-)
diff mbox series

Patch

diff --git a/meta/lib/oeqa/selftest/cases/fitimage.py b/meta/lib/oeqa/selftest/cases/fitimage.py
index 8a3eb7f8c11..fcba28b7b76 100644
--- a/meta/lib/oeqa/selftest/cases/fitimage.py
+++ b/meta/lib/oeqa/selftest/cases/fitimage.py
@@ -760,8 +760,7 @@  PREFERRED_PROVIDER_virtual/dtb = "bbb-dtbs-as-ext"
                      and the configuration nodes are signed correctly.
         Expected:    1) its and FIT image are built successfully
                      2) Scanning the its file indicates signing is enabled
-                        as requested by UBOOT_SIGN_ENABLE (using 1 key
-                        generated by the test not via FIT_GENERATE_KEYS)
+                        as requested by UBOOT_SIGN_ENABLE
                      3) Dumping the FIT image indicates signature values
                         are present (only for the configuration nodes as
                         FIT_SIGN_INDIVIDUAL is disabled)
@@ -792,10 +791,7 @@  FIT_CONF_DEFAULT_DTB = "am335x-bonegreen.dtb"
             'UBOOT_SIGN_KEYDIR',
         ])
 
-        # Do not use the random keys generated by FIT_GENERATE_KEYS.
-        # Using a static key is probably a more realistic scenario.
         self._gen_signing_key(bb_vars)
-
         self._test_fitimage(bb_vars)
 
     def test_sign_fit_image_individual(self):
@@ -804,11 +800,11 @@  FIT_CONF_DEFAULT_DTB = "am335x-bonegreen.dtb"
                      and all nodes are signed correctly.
         Expected:    1) its and FIT image are built successfully
                      2) Scanning the its file indicates signing is enabled
-                        as requested by UBOOT_SIGN_ENABLE (using 2 keys
-                        generated via FIT_GENERATE_KEYS)
+                        as requested by UBOOT_SIGN_ENABLE
                      3) Dumping the FIT image indicates signature values
                         are present (including for images as enabled via
                         FIT_SIGN_INDIVIDUAL)
+                        This also implies that FIT_GENERATE_KEYS = "1" works.
                      4) Verify the FIT image contains the comments passed via
                         UBOOT_MKIMAGE_SIGN_ARGS once per image and per
                         configuration node.
@@ -837,6 +833,10 @@  UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'"
         config = self._config_add_uboot_env(config)
         self.write_config(config)
         bb_vars = self._fit_get_bb_vars()
+
+        # Ensure new keys are generated and FIT_GENERATE_KEYS = "1" is tested
+        bitbake("kernel-signing-keys-native -c cleansstate")
+
         self._test_fitimage(bb_vars)
 
     def test_fit_image_sign_initramfs(self):
@@ -875,7 +875,6 @@  UBOOT_ARCH = "arm"
 UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb -p 2000"
 UBOOT_MKIMAGE_KERNEL_TYPE = "kernel"
 UBOOT_EXTLINUX = "0"
-FIT_GENERATE_KEYS = "1"
 KERNEL_IMAGETYPE_REPLACEMENT = "zImage"
 FIT_KERNEL_COMP_ALG = "none"
 FIT_HASH_ALG = "sha256"
@@ -892,10 +891,7 @@  FIT_HASH_ALG = "sha256"
             'UBOOT_SIGN_KEYDIR',
         ])
 
-        # Do not use the random keys generated by FIT_GENERATE_KEYS.
-        # Using a static key is probably a more realistic scenario.
         self._gen_signing_key(bb_vars)
-
         self._test_fitimage(bb_vars)
 
     def test_fit_image_sign_initramfs_bundle(self):
@@ -933,7 +929,6 @@  UBOOT_ARCH = "arm"
 UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb -p 2000"
 UBOOT_MKIMAGE_KERNEL_TYPE = "kernel"
 UBOOT_EXTLINUX = "0"
-FIT_GENERATE_KEYS = "1"
 KERNEL_IMAGETYPE_REPLACEMENT = "zImage"
 FIT_KERNEL_COMP_ALG = "none"
 FIT_HASH_ALG = "sha256"
@@ -941,6 +936,7 @@  FIT_HASH_ALG = "sha256"
         config = self._config_add_uboot_env(config)
         self.write_config(config)
         bb_vars = self._fit_get_bb_vars()
+        self._gen_signing_key(bb_vars)
         self._test_fitimage(bb_vars)
 
 
@@ -1345,9 +1341,7 @@  UBOOT_SIGN_KEYNAME = "cfg-oe-selftest"
         self.write_config(config)
         bb_vars = self._fit_get_bb_vars()
 
-        # Using a static key. FIT_GENERATE_KEYS = "1" does not work without kernel-fitimage.bbclass
         self._gen_signing_key(bb_vars)
-
         self._test_fitimage(bb_vars)
         self._check_kernel_dtb(bb_vars)
 
@@ -1508,8 +1502,6 @@  FIT_SIGN_INDIVIDUAL = "1"
 """
         self.write_config(config)
         bb_vars = self._fit_get_bb_vars()
-
-        # Using a static key. FIT_GENERATE_KEYS = "1" does not work without kernel-fitimage.bbclass
         self._gen_signing_key(bb_vars)
 
         bitbake("virtual/bootloader")