diff mbox series

[2/3] uboot-sign: sign SPL FIT into a copy of the SPL DTB

Message ID 20260606121836.2782754-3-adrian.freihofer@siemens.com
State New
Headers show
Series fitimage selftests: stop hardcoding DISTRO/MACHINE, drop meta-yocto-bsp dependency | expand

Commit Message

AdrianF June 6, 2026, 12:17 p.m. UTC 
From: Adrian Freihofer <adrian.freihofer@siemens.com>

mkimage's -K flag injects the public key into the DTB in-place. When
the signing target is the compile-output file (spl/u-boot-spl.dtb),
each test run accumulates key nodes from all previous runs in the same
work directory. With SPL_SIGN_CONF=1 every injected key carries
required = "conf", so mkimage requires ALL of them to have signed the
configuration. When a subsequent test uses a different key only its own
key signed the FIT, causing the verification to fail with:

  Failed to verify required signature 'key-<previous-keyname>'

Fix this by copying the compile-output DTB to SPL_DTB_SIGNED first and
passing the copy as the -K target. The original spl/u-boot-spl.dtb is
never modified, so each build starts from a clean state regardless of
how many times the task has been run.

Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
---
 meta/classes-recipe/uboot-sign.bbclass | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff mbox series

Patch

diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass
index 9cb5c6ccf3..2b10e71730 100644
--- a/meta/classes-recipe/uboot-sign.bbclass
+++ b/meta/classes-recipe/uboot-sign.bbclass
@@ -472,21 +472,25 @@  EOF
 	if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
 		if [ -n "${SPL_DTB_BINARY}" ] ; then
 			#
-			# Sign the U-boot FIT image and add public key to SPL dtb
+			# Sign the U-boot FIT image and add public key to SPL dtb.
+			# Work on a copy of the DTB so that the compile output is
+			# never modified in-place.  Without this, sequential test
+			# runs that reuse the same work directory accumulate public
+			# key nodes from previous runs, causing mkimage to require
+			# all of them when verifying the conf signature.
 			#
+			cp ${SPL_DIR}/${SPL_DTB_BINARY} ${SPL_DIR}/${SPL_DTB_SIGNED}
 			${UBOOT_MKIMAGE_SIGN} \
 				${@'-D "${SPL_MKIMAGE_DTCOPTS}"' if len('${SPL_MKIMAGE_DTCOPTS}') else ''} \
 				-F -k "${SPL_SIGN_KEYDIR}" \
-				-K "${SPL_DIR}/${SPL_DTB_BINARY}" \
+				-K "${SPL_DIR}/${SPL_DTB_SIGNED}" \
 				-r ${UBOOT_FITIMAGE_BINARY} \
 				${SPL_MKIMAGE_SIGN_ARGS}
 
 			# Verify the U-boot FIT image and SPL dtb
 			${UBOOT_FIT_CHECK_SIGN} \
-				-k "${SPL_DIR}/${SPL_DTB_BINARY}" \
+				-k "${SPL_DIR}/${SPL_DTB_SIGNED}" \
 				-f ${UBOOT_FITIMAGE_BINARY}
-
-			cp ${SPL_DIR}/${SPL_DTB_BINARY} ${SPL_DIR}/${SPL_DTB_SIGNED}
 		else
 			# Sign the U-boot FIT image
 			${UBOOT_MKIMAGE_SIGN} \