From patchwork Mon Jun 2 07:56:18 2025
X-Patchwork-Submitter: "Freihofer, Adrian"
X-Patchwork-Id: 64077
From: AdrianF
To: openembedded-core@lists.openembedded.org
Cc: marex@denx.de, a.fatoum@pengutronix.de, Adrian Freihofer
Subject: [PATCH v6 08/21] oe-selftest: fitimage: cleanup FIT_GENERATE_KEYS
Date: Mon, 2 Jun 2025 09:56:18 +0200
Message-ID: <20250602075714.32122-9-adrian.freihofer@siemens.com>
In-Reply-To: <20250602075714.32122-1-adrian.freihofer@siemens.com>
References: <20250602075714.32122-1-adrian.freihofer@siemens.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/217698

From: Adrian Freihofer

It is closer to practice to use static and predictable keys to sign the FIT images. In addition, the new kernel-signing-keys-native is only reliable if the temporary directory is not deleted. However, depending on how this test suite is started, this can happen.

There will therefore only be one test that uses the recipe to generate the keys, which ensures that the recipe works in principle. It is also ensured that no keys are present before the test and that the recipe runs safely and is not skipped by Bitbake.

Signed-off-by: Adrian Freihofer
--- meta/lib/oeqa/selftest/cases/fitimage.py | 24 ++++++++---------------- 1 file changed, 8 insertions(+), 16 deletions(-) diff --git a/meta/lib/oeqa/selftest/cases/fitimage.py b/meta/lib/oeqa/selftest/cases/fitimage.py index 8a3eb7f8c11..fcba28b7b76 100644 --- a/meta/lib/oeqa/selftest/cases/fitimage.py +++ b/meta/lib/oeqa/selftest/cases/fitimage.py 
@@ -760,8 +760,7 @@ PREFERRED_PROVIDER_virtual/dtb = "bbb-dtbs-as-ext" and the configuration nodes are signed correctly. Expected: 1) its and FIT image are built successfully 2) Scanning the its file indicates signing is enabled - as requested by UBOOT_SIGN_ENABLE (using 1 key - generated by the test not via FIT_GENERATE_KEYS) + as requested by UBOOT_SIGN_ENABLE 3) Dumping the FIT image indicates signature values are present (only for the configuration nodes as FIT_SIGN_INDIVIDUAL is disabled) @@ -792,10 +791,7 @@ FIT_CONF_DEFAULT_DTB = "am335x-bonegreen.dtb" 'UBOOT_SIGN_KEYDIR', ]) - # Do not use the random keys generated by FIT_GENERATE_KEYS. - # Using a static key is probably a more realistic scenario. self._gen_signing_key(bb_vars) - self._test_fitimage(bb_vars) def test_sign_fit_image_individual(self): @@ -804,11 +800,11 @@ FIT_CONF_DEFAULT_DTB = "am335x-bonegreen.dtb" and all nodes are signed correctly. Expected: 1) its and FIT image are built successfully 2) Scanning the its file indicates signing is enabled - as requested by UBOOT_SIGN_ENABLE (using 2 keys - generated via FIT_GENERATE_KEYS) + as requested by UBOOT_SIGN_ENABLE 3) Dumping the FIT image indicates signature values are present (including for images as enabled via FIT_SIGN_INDIVIDUAL) + This also implies that FIT_GENERATE_KEYS = "1" works. 4) Verify the FIT image contains the comments passed via UBOOT_MKIMAGE_SIGN_ARGS once per image and per configuration node. @@ -837,6 +833,10 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'" config = self._config_add_uboot_env(config) self.write_config(config) bb_vars = self._fit_get_bb_vars() + + # Ensure new keys are generated and FIT_GENERATE_KEYS = "1" is tested + bitbake("kernel-signing-keys-native -c cleansstate") + self._test_fitimage(bb_vars) def test_fit_image_sign_initramfs(self): 
@@ -875,7 +875,6 @@ UBOOT_ARCH = "arm" UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb -p 2000" UBOOT_MKIMAGE_KERNEL_TYPE = "kernel" UBOOT_EXTLINUX = "0" -FIT_GENERATE_KEYS = "1" KERNEL_IMAGETYPE_REPLACEMENT = "zImage" FIT_KERNEL_COMP_ALG = "none" FIT_HASH_ALG = "sha256" @@ -892,10 +891,7 @@ FIT_HASH_ALG = "sha256" 'UBOOT_SIGN_KEYDIR', ]) - # Do not use the random keys generated by FIT_GENERATE_KEYS. - # Using a static key is probably a more realistic scenario. self._gen_signing_key(bb_vars) - self._test_fitimage(bb_vars) def test_fit_image_sign_initramfs_bundle(self): @@ -933,7 +929,6 @@ UBOOT_ARCH = "arm" UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb -p 2000" UBOOT_MKIMAGE_KERNEL_TYPE = "kernel" UBOOT_EXTLINUX = "0" -FIT_GENERATE_KEYS = "1" KERNEL_IMAGETYPE_REPLACEMENT = "zImage" FIT_KERNEL_COMP_ALG = "none" FIT_HASH_ALG = "sha256" @@ -941,6 +936,7 @@ FIT_HASH_ALG = "sha256" config = self._config_add_uboot_env(config) self.write_config(config) bb_vars = self._fit_get_bb_vars() + self._gen_signing_key(bb_vars) self._test_fitimage(bb_vars) @@ -1345,9 +1341,7 @@ UBOOT_SIGN_KEYNAME = "cfg-oe-selftest" self.write_config(config) bb_vars = self._fit_get_bb_vars() - # Using a static key. FIT_GENERATE_KEYS = "1" does not work without kernel-fitimage.bbclass self._gen_signing_key(bb_vars) - self._test_fitimage(bb_vars) self._check_kernel_dtb(bb_vars) @@ -1508,8 +1502,6 @@ FIT_SIGN_INDIVIDUAL = "1" """ self.write_config(config) bb_vars = self._fit_get_bb_vars() - - # Using a static key. FIT_GENERATE_KEYS = "1" does not work without kernel-fitimage.bbclass self._gen_signing_key(bb_vars) bitbake("virtual/bootloader")
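Review bot: In the test_sign_fit_image_individual docstring (hunk at -804,11), the added sentence 'This also implies that FIT_GENERATE_KEYS = "1" works.' lands between expected results 3) and 4) and reads as a continuation of item 3, while the removed wording was what told the reader that two keys are used and where they come from. Suggest making key generation its own numbered expectation and naming the keys the recipe is expected to produce, so a failure at this step can be told apart from a signing failure.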
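Review bot: The cleansstate call added in test_sign_fit_image_individual (hunk at -837,6) is not followed by any check that the key directory is actually empty, although the commit message states that no keys are present before the test. The other tests in this file place keys through self._gen_signing_key(bb_vars), with UBOOT_SIGN_KEYDIR among the variables they read; if that directory can survive from one test to the next, a leftover key would let the signature checks pass without the recipe having generated anything. Consider asserting that no key files exist under the key directory after the cleansstate, and that they do exist after the build, assuming UBOOT_SIGN_KEYDIR is among the values returned by _fit_get_bb_vars() in this test.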
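Review bot: The self._gen_signing_key(bb_vars) call added to test_fit_image_sign_initramfs_bundle (hunk at -941,6) arrives with no rationale in the code, and the hunks at -792,10 and -892,10 delete the comment that explained the choice of a static key at the existing call sites. The commit message speaks of "static and predictable keys", but the helper is named _gen_signing_key and its body is not part of this patch, so a reader cannot tell from the test whether the key is fixed or created per run. A short docstring on the helper, or one comment at a single call site, would keep that reason in the code rather than only in the commit log.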
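Review bot: The comments removed in the hunks at -1345,9 and -1508,8 recorded a constraint, namely that FIT_GENERATE_KEYS = "1" does not work without kernel-fitimage.bbclass, and the commit message does not say whether that constraint has gone away. If it still holds, keep a shortened comment at these two call sites; if the kernel-signing-keys-native recipe lifted it, say so in the commit message so the removal is traceable.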