[dunfell] ti-rtos-firmware: Check if TI_SECURE_DEV is set before signing

Message ID 20230201143126.3003913-1-w.egorov@phytec.de
State Rejected
Delegated to: Ryan Eatmon

Commit Message

Wadim Egorov Feb. 1, 2023, 2:31 p.m. UTC
Check if ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh is set
before signing firmware for am62xx based machines. Otherwise do not
sign, instead copy the binary and warn about it.

Fixes
  run.do_install: 111: /scripts/secure-binary-image.sh: not found

Signed-off-by: Wadim Egorov <w.egorov@phytec.de>
---
 recipes-ti/ti-rtos-bin/ti-rtos-firmware.bb | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

Comments

Andrew Davis Feb. 7, 2023, 11:44 p.m. UTC | #1
On 2/1/23 8:31 AM, Wadim Egorov wrote:
> Check if ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh is set
> before signing firmware for am62xx based machines. Otherwise do not
> sign, instead copy the binary and warn about it.
> 
> Fixes
>    run.do_install: 111: /scripts/secure-binary-image.sh: not found
> 
> Signed-off-by: Wadim Egorov <w.egorov@phytec.de>
> ---

This patch only fixes this for AM62x, a better way might be to use
the ti-k3-secdev-native package to get the signing tool when it is
not defined. I do that in the series for Kirkstone that includes
several fixes to this recipe[0].

Andrew

[0] https://lists.yoctoproject.org/g/meta-ti/topic/master_kirkstone_patch_1_8/96819771

>   recipes-ti/ti-rtos-bin/ti-rtos-firmware.bb | 17 ++++++++++++++---
>   1 file changed, 14 insertions(+), 3 deletions(-)
> 
> diff --git a/recipes-ti/ti-rtos-bin/ti-rtos-firmware.bb b/recipes-ti/ti-rtos-bin/ti-rtos-firmware.bb
> index 72d85a6b..66c6a4e4 100644
> --- a/recipes-ti/ti-rtos-bin/ti-rtos-firmware.bb
> +++ b/recipes-ti/ti-rtos-bin/ti-rtos-firmware.bb
> @@ -179,12 +179,23 @@ do_install_prepend_am62xx() {
>           export TI_SECURE_DEV_PKG=${TI_SECURE_DEV_PKG}
>           ( cd ${RTOS_DM_FW_DIR}; \
>                   mv ${DM_FIRMWARE} ${DM_FIRMWARE}.unsigned; \
> -                ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ${DM_FIRMWARE}.unsigned ${DM_FIRMWARE}; \
> +                if [ -f ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ]; then \
> +                    ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ${DM_FIRMWARE}.unsigned ${DM_FIRMWARE}; \
> +                else \
> +                    echo "Warning: TI_SECURE_DEV_PKG not set, ${DM_FIRMWARE} not signed."; \
> +                    cp ${DM_FIRMWARE}.unsigned ${DM_FIRMWARE}; \
> +                fi; \
>           )
>           ( cd ${RTOS_IPC_FW_DIR}; \
>                   mv am62-mcu-m4f0_0-fw ipc_echo_baremetal_test_mcu2_0_release_strip.xer5f; \
> -                ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ipc_echo_baremetal_test_mcu2_0_release_strip.xer5f \
> -                    ipc_echo_baremetal_test_mcu2_0_release_strip.xer5f.signed; \
> +
> +                if [ -f ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ]; then \
> +                    ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ipc_echo_baremetal_test_mcu2_0_release_strip.xer5f \
> +                        ipc_echo_baremetal_test_mcu2_0_release_strip.xer5f.signed; \
> +                else \
> +                    echo "Warning: TI_SECURE_DEV_PKG not set, ipc_echo_baremetal_test_mcu2_0_release_strip.xer5f not signed"; \
> +                    cp ipc_echo_baremetal_test_mcu2_0_release_strip.xer5f ipc_echo_baremetal_test_mcu2_0_release_strip.xer5f.signed; \
> +                fi; \
>           )
>   }
>   
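Review bot: the `[ -f ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ]` test added in both subshells checks that the script file exists, but the else branch reports "TI_SECURE_DEV_PKG not set", so a variable that is set but points at a wrong or incomplete directory produces the same misleading message. Test the variable and the file separately, or word the message as "signing script not found" and include the path that was checked; quote the expansion inside the test as well. A plain `echo` in do_install only reaches the task log, so use bbwarn if the warning is meant to be seen in the build output.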
Ryan Eatmon Feb. 8, 2023, 8:58 p.m. UTC | #2
On 2/7/2023 17:44, Andrew Davis via lists.yoctoproject.org wrote:
> On 2/1/23 8:31 AM, Wadim Egorov wrote:
>> Check if ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh is set
>> before signing firmware for am62xx based machines. Otherwise do not
>> sign, instead copy the binary and warn about it.
>>
>> Fixes
>>    run.do_install: 111: /scripts/secure-binary-image.sh: not found
>>
>> Signed-off-by: Wadim Egorov <w.egorov@phytec.de>
>> ---
> 
> This patch only fixes this for AM62x, a better way might be to use
> the ti-k3-secdev-native package to get the signing tool when it is
> not defined. I do that in the series for Kirkstone that includes
> several fixes to this recipe[0].
> 
> Andrew
> 
> [0] 
> https://lists.yoctoproject.org/g/meta-ti/topic/master_kirkstone_patch_1_8/96819771

I had similar comments.  This patch is too narrowly focused to just a 
single platform, I know it was the platform you were caring about but 
the patch as is is too narrow.  And, the requirement we have is to 
generate the signed images, so bypassing the signing is not going to fly.

All that said, I have backported the above patch that is pending for 
kirkstone to dunfell.  So this patch should not be needed because it 
will use the internal recipe to fetch the signing tool if you are not 
using the external toolset.


>>   recipes-ti/ti-rtos-bin/ti-rtos-firmware.bb | 17 ++++++++++++++---
>>   1 file changed, 14 insertions(+), 3 deletions(-)
>>
>> diff --git a/recipes-ti/ti-rtos-bin/ti-rtos-firmware.bb 
>> b/recipes-ti/ti-rtos-bin/ti-rtos-firmware.bb
>> index 72d85a6b..66c6a4e4 100644
>> --- a/recipes-ti/ti-rtos-bin/ti-rtos-firmware.bb
>> +++ b/recipes-ti/ti-rtos-bin/ti-rtos-firmware.bb
>> @@ -179,12 +179,23 @@ do_install_prepend_am62xx() {
>>           export TI_SECURE_DEV_PKG=${TI_SECURE_DEV_PKG}
>>           ( cd ${RTOS_DM_FW_DIR}; \
>>                   mv ${DM_FIRMWARE} ${DM_FIRMWARE}.unsigned; \
>> -                ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh 
>> ${DM_FIRMWARE}.unsigned ${DM_FIRMWARE}; \
>> +                if [ -f 
>> ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ]; then \
>> +                    
>> ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh 
>> ${DM_FIRMWARE}.unsigned ${DM_FIRMWARE}; \
>> +                else \
>> +                    echo "Warning: TI_SECURE_DEV_PKG not set, 
>> ${DM_FIRMWARE} not signed."; \
>> +                    cp ${DM_FIRMWARE}.unsigned ${DM_FIRMWARE}; \
>> +                fi; \
>>           )
>>           ( cd ${RTOS_IPC_FW_DIR}; \
>>                   mv am62-mcu-m4f0_0-fw 
>> ipc_echo_baremetal_test_mcu2_0_release_strip.xer5f; \
>> -                ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh 
>> ipc_echo_baremetal_test_mcu2_0_release_strip.xer5f \
>> -                    
>> ipc_echo_baremetal_test_mcu2_0_release_strip.xer5f.signed; \
>> +
>> +                if [ -f 
>> ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ]; then \
>> +                    
>> ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh 
>> ipc_echo_baremetal_test_mcu2_0_release_strip.xer5f \
>> +                        
>> ipc_echo_baremetal_test_mcu2_0_release_strip.xer5f.signed; \
>> +                else \
>> +                    echo "Warning: TI_SECURE_DEV_PKG not set, 
>> ipc_echo_baremetal_test_mcu2_0_release_strip.xer5f not signed"; \
>> +                    cp 
>> ipc_echo_baremetal_test_mcu2_0_release_strip.xer5f 
>> ipc_echo_baremetal_test_mcu2_0_release_strip.xer5f.signed; \
>> +                fi; \
>>           )
>>   }
>>
>>
>>
>>
>>

-- 
Ryan Eatmon                reatmon@ti.com
-----------------------------------------
Texas Instruments, Inc.  -  LCPD  -  MGTS
Wadim Egorov Feb. 9, 2023, 1:52 p.m. UTC | #3
On 08.02.23 at 21:58, Ryan Eatmon wrote:
>
>
> On 2/7/2023 17:44, Andrew Davis via lists.yoctoproject.org wrote:
>> On 2/1/23 8:31 AM, Wadim Egorov wrote:
>>> Check if ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh is set
>>> before signing firmware for am62xx based machines. Otherwise do not
>>> sign, instead copy the binary and warn about it.
>>>
>>> Fixes
>>>    run.do_install: 111: /scripts/secure-binary-image.sh: not found
>>>
>>> Signed-off-by: Wadim Egorov <w.egorov@phytec.de>
>>> ---
>>
>> This patch only fixes this for AM62x, a better way might be to use
>> the ti-k3-secdev-native package to get the signing tool when it is
>> not defined. I do that in the series for Kirkstone that includes
>> several fixes to this recipe[0].
>>
>> Andrew
>>
>> [0] 
>> https://lists.yoctoproject.org/g/meta-ti/topic/master_kirkstone_patch_1_8/96819771
>
> I had similar comments.  This patch is too narrowly focused to just a single 
> platform, I know it was the platform you were caring about but the patch as is 
> is too narrow.  And, the requirement we have is to generate the signed images, 
> so bypassing the signing is not going to fly.
>
> All that said, I have backported the above patch that is pending for 
> kirkstone to dunfell.  So this patch should not be needed because it will use 
> the internal recipe to fetch the signing tool if you are not using the 
> external toolset.

Thank you for backporting it to dunfell :)


>
>
>>> recipes-ti/ti-rtos-bin/ti-rtos-firmware.bb | 17 ++++++++++++++---
>>>   1 file changed, 14 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/recipes-ti/ti-rtos-bin/ti-rtos-firmware.bb 
>>> b/recipes-ti/ti-rtos-bin/ti-rtos-firmware.bb
>>> index 72d85a6b..66c6a4e4 100644
>>> --- a/recipes-ti/ti-rtos-bin/ti-rtos-firmware.bb
>>> +++ b/recipes-ti/ti-rtos-bin/ti-rtos-firmware.bb
>>> @@ -179,12 +179,23 @@ do_install_prepend_am62xx() {
>>>           export TI_SECURE_DEV_PKG=${TI_SECURE_DEV_PKG}
>>>           ( cd ${RTOS_DM_FW_DIR}; \
>>>                   mv ${DM_FIRMWARE} ${DM_FIRMWARE}.unsigned; \
>>> - ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh 
>>> ${DM_FIRMWARE}.unsigned ${DM_FIRMWARE}; \
>>> +                if [ -f ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh 
>>> ]; then \
>>> + ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh 
>>> ${DM_FIRMWARE}.unsigned ${DM_FIRMWARE}; \
>>> +                else \
>>> +                    echo "Warning: TI_SECURE_DEV_PKG not set, 
>>> ${DM_FIRMWARE} not signed."; \
>>> +                    cp ${DM_FIRMWARE}.unsigned ${DM_FIRMWARE}; \
>>> +                fi; \
>>>           )
>>>           ( cd ${RTOS_IPC_FW_DIR}; \
>>>                   mv am62-mcu-m4f0_0-fw 
>>> ipc_echo_baremetal_test_mcu2_0_release_strip.xer5f; \
>>> - ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh 
>>> ipc_echo_baremetal_test_mcu2_0_release_strip.xer5f \
>>> - ipc_echo_baremetal_test_mcu2_0_release_strip.xer5f.signed; \
>>> +
>>> +                if [ -f ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh 
>>> ]; then \
>>> + ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh 
>>> ipc_echo_baremetal_test_mcu2_0_release_strip.xer5f \
>>> + ipc_echo_baremetal_test_mcu2_0_release_strip.xer5f.signed; \
>>> +                else \
>>> +                    echo "Warning: TI_SECURE_DEV_PKG not set, 
>>> ipc_echo_baremetal_test_mcu2_0_release_strip.xer5f not signed"; \
>>> +                    cp ipc_echo_baremetal_test_mcu2_0_release_strip.xer5f 
>>> ipc_echo_baremetal_test_mcu2_0_release_strip.xer5f.signed; \
>>> +                fi; \
>>>           )
>>>   }
>>>
>>>
>>>
>>>
>>>

Patch

diff --git a/recipes-ti/ti-rtos-bin/ti-rtos-firmware.bb b/recipes-ti/ti-rtos-bin/ti-rtos-firmware.bb
index 72d85a6b..66c6a4e4 100644
--- a/recipes-ti/ti-rtos-bin/ti-rtos-firmware.bb
+++ b/recipes-ti/ti-rtos-bin/ti-rtos-firmware.bb
@@ -179,12 +179,23 @@  do_install_prepend_am62xx() {
         export TI_SECURE_DEV_PKG=${TI_SECURE_DEV_PKG}
         ( cd ${RTOS_DM_FW_DIR}; \
                 mv ${DM_FIRMWARE} ${DM_FIRMWARE}.unsigned; \
-                ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ${DM_FIRMWARE}.unsigned ${DM_FIRMWARE}; \
+                if [ -f ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ]; then \
+                    ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ${DM_FIRMWARE}.unsigned ${DM_FIRMWARE}; \
+                else \
+                    echo "Warning: TI_SECURE_DEV_PKG not set, ${DM_FIRMWARE} not signed."; \
+                    cp ${DM_FIRMWARE}.unsigned ${DM_FIRMWARE}; \
+                fi; \
         )
         ( cd ${RTOS_IPC_FW_DIR}; \
                 mv am62-mcu-m4f0_0-fw ipc_echo_baremetal_test_mcu2_0_release_strip.xer5f; \
-                ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ipc_echo_baremetal_test_mcu2_0_release_strip.xer5f \
-                    ipc_echo_baremetal_test_mcu2_0_release_strip.xer5f.signed; \
+
+                if [ -f ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ]; then \
+                    ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ipc_echo_baremetal_test_mcu2_0_release_strip.xer5f \
+                        ipc_echo_baremetal_test_mcu2_0_release_strip.xer5f.signed; \
+                else \
+                    echo "Warning: TI_SECURE_DEV_PKG not set, ipc_echo_baremetal_test_mcu2_0_release_strip.xer5f not signed"; \
+                    cp ipc_echo_baremetal_test_mcu2_0_release_strip.xer5f ipc_echo_baremetal_test_mcu2_0_release_strip.xer5f.signed; \
+                fi; \
         )
 }
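
Review bot: the else branch of the second subshell copies the unsigned image to `ipc_echo_baremetal_test_mcu2_0_release_strip.xer5f.signed`, and the else branch of the first restores `${DM_FIRMWARE}` from the `.unsigned` copy, so a build without the signing script succeeds and installs files whose names cannot be told apart from signed ones. A signing step should fail closed: stop the task with bbfatal when the script is missing, or make the unsigned fallback an explicit opt-in and reserve the `.signed` name for files that were actually signed. The same four-line check is repeated in both subshells; evaluating it once before the first `( cd ... )` would keep the two paths from drifting apart.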