| Message ID | 20260204153344.445281-1-kory.maincent@bootlin.com |
|---|---|
| State | New |
| Series | uboot-sign: Rebuild binman image with configuration signing keys |
diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass index 9cb5c6ccf3..9268bfc451 100644 --- a/meta/classes-recipe/uboot-sign.bbclass +++ b/meta/classes-recipe/uboot-sign.bbclass @@ -192,6 +192,15 @@ concat_dtb() { -k "${UBOOT_DTB_BINARY}" \ -f ${B}/unused.itb fi + + # Regenerate binman image with the newly signed key + if [ "${UBOOT_BINMAN_IMAGE}" = "1" ] && [ -f "..binman_stamp.cmd" ]; then + binman_cmd=$(sed -n 's/^cmd_[^:]*:= *//p' ..binman_stamp.cmd) + dtb_binary=$(basename ${UBOOT_DTB_BINARY} .dtb) + binman_cmd="${binman_cmd} -a of-list=\"${dtb_binary}\" -a default-dt=\"${dtb_binary}\"" + eval ${binman_cmd} + fi + cp ${UBOOT_DTB_BINARY} ${UBOOT_DTB_SIGNED} fi
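Review bot: In the block added to concat_dtb(), the `[ -f "..binman_stamp.cmd" ]` test means that when UBOOT_BINMAN_IMAGE is "1" but the stamp file is not present in the current directory, regeneration is skipped without any message and the image is left without the configuration signing keys, which is the case the commit message sets out to fix. Consider failing the task, or at least warning, in that branch instead of falling through to the `cp`. The same concern applies when the sed expression matches nothing: binman_cmd then holds only the appended `-a of-list=... -a default-dt=...` arguments and `eval ${binman_cmd}` tries to run them as a command, so check that the extracted command is non-empty before appending to it. Quoting the expansions, `eval "${binman_cmd}"` and `"${UBOOT_DTB_BINARY}"` in the basename call, would keep word splitting from altering what is executed. The comment "newly signed key" would also read more accurately as regenerating with the device tree that now contains the signing keys.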
When using binman to generate U-Boot images, the configuration signing keys are not included in the final image. This occurs because the binman image is not regenerated after the configuration signing keys are added to the device tree.

In case binman is used, regenerate the image with the updated device tree containing the configuration signing keys. This ensures the signed configuration is properly included in the final U-Boot image.

Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
---
 meta/classes-recipe/uboot-sign.bbclass | 9 +++++++++
 1 file changed, 9 insertions(+)