[meta-ti,master/kirkstone,RFC] conf: machine: include: k3 enable fit signing for uboot

Message ID 20230509-b4-k3-fit-signing-v1-1-2e335869bec8@ti.com
State RFC
Delegated to: Ryan Eatmon

Commit Message

Manorit Chawdhry May 11, 2023, 6:24 a.m. UTC
Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
---
To: Ryan Eatmon <reatmon@ti.com>
To: Denys Dmytriyenko <denys@ti.com>
Cc: meta-ti@lists.yoctoproject.org
Cc: Vignesh Raghavendra <vigneshr@ti.com>
Cc: Praneeth Bajjuri <praneeth@ti.com>
Cc: Udit Kumar <u-kumar1@ti.com>
Cc: Andrew Davis <afd@ti.com>
Cc: Kamlesh Gurudasani <kamlesh@ti.com>
---
 meta-ti-bsp/conf/machine/include/k3.inc | 6 ++++++
 1 file changed, 6 insertions(+)


---
base-commit: a9b35f1e7c3a7746fb4f6807166bcb27ba9ca5eb
change-id: 20230509-b4-k3-fit-signing-316ca2af859c

Best regards,

Comments

Denys Dmytriyenko May 11, 2023, 3:47 p.m. UTC | #1
On Thu, May 11, 2023 at 11:54:00AM +0530, Manorit Chawdhry via lists.yoctoproject.org wrote:
> Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
> ---
> To: Ryan Eatmon <reatmon@ti.com>
> To: Denys Dmytriyenko <denys@ti.com>
> Cc: meta-ti@lists.yoctoproject.org
> Cc: Vignesh Raghavendra <vigneshr@ti.com>
> Cc: Praneeth Bajjuri <praneeth@ti.com>
> Cc: Udit Kumar <u-kumar1@ti.com>
> Cc: Andrew Davis <afd@ti.com>
> Cc: Kamlesh Gurudasani <kamlesh@ti.com>
> ---
>  meta-ti-bsp/conf/machine/include/k3.inc | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/meta-ti-bsp/conf/machine/include/k3.inc b/meta-ti-bsp/conf/machine/include/k3.inc
> index fff1550564b3..ab7e45a8016f 100644
> --- a/meta-ti-bsp/conf/machine/include/k3.inc
> +++ b/meta-ti-bsp/conf/machine/include/k3.inc
> @@ -31,6 +31,12 @@ SPL_BINARY = "tispl.bin"
>  SPL_BINARYNAME = "tispl.bin"
>  UBOOT_SUFFIX = "img"
>  
> +UBOOT_SIGN_ENABLE = "1"
> +UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb"
> +UBOOT_SIGN_KEYNAME = "uboot_signing_dev_key"
> +UBOOT_SIGN_KEYDIR = "${DEPLOY_DIR_IMAGE}/u-boot-keys"

How do the keys get in there? Are there extra docs/instructions?


> +FIT_GENERATE_KEYS = "1"
> +
>  EXTRA_IMAGEDEPENDS += "virtual/bootloader"
>  
>  TFA_PLATFORM = "k3"
> 
> ---
> base-commit: a9b35f1e7c3a7746fb4f6807166bcb27ba9ca5eb
> change-id: 20230509-b4-k3-fit-signing-316ca2af859c
> 
> Best regards,
> -- 
> Manorit Chawdhry <m-chawdhry@ti.com>
Ricardo Salveti May 11, 2023, 4:18 p.m. UTC | #2
On Thu, May 11, 2023 at 3:24 AM Manorit Chawdhry via
lists.yoctoproject.org <m-chawdhry=ti.com@lists.yoctoproject.org>
wrote:
>
> Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
> ---
> To: Ryan Eatmon <reatmon@ti.com>
> To: Denys Dmytriyenko <denys@ti.com>
> Cc: meta-ti@lists.yoctoproject.org
> Cc: Vignesh Raghavendra <vigneshr@ti.com>
> Cc: Praneeth Bajjuri <praneeth@ti.com>
> Cc: Udit Kumar <u-kumar1@ti.com>
> Cc: Andrew Davis <afd@ti.com>
> Cc: Kamlesh Gurudasani <kamlesh@ti.com>
> ---
>  meta-ti-bsp/conf/machine/include/k3.inc | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/meta-ti-bsp/conf/machine/include/k3.inc b/meta-ti-bsp/conf/machine/include/k3.inc
> index fff1550564b3..ab7e45a8016f 100644
> --- a/meta-ti-bsp/conf/machine/include/k3.inc
> +++ b/meta-ti-bsp/conf/machine/include/k3.inc
> @@ -31,6 +31,12 @@ SPL_BINARY = "tispl.bin"
>  SPL_BINARYNAME = "tispl.bin"
>  UBOOT_SUFFIX = "img"
>
> +UBOOT_SIGN_ENABLE = "1"
> +UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb"
> +UBOOT_SIGN_KEYNAME = "uboot_signing_dev_key"
> +UBOOT_SIGN_KEYDIR = "${DEPLOY_DIR_IMAGE}/u-boot-keys"
> +FIT_GENERATE_KEYS = "1"

I think it is better to make this decision a bit more flexible by
using ?= instead of a hard set, since distros might not want to use
automatically generated keys (and keys with a different name as well).

Cheers,
Ricardo Salveti May 11, 2023, 4:20 p.m. UTC | #3
On Thu, May 11, 2023 at 12:48 PM Denys Dmytriyenko <denis@denix.org> wrote:
>
> On Thu, May 11, 2023 at 11:54:00AM +0530, Manorit Chawdhry via lists.yoctoproject.org wrote:
> > Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
> > ---
> > To: Ryan Eatmon <reatmon@ti.com>
> > To: Denys Dmytriyenko <denys@ti.com>
> > Cc: meta-ti@lists.yoctoproject.org
> > Cc: Vignesh Raghavendra <vigneshr@ti.com>
> > Cc: Praneeth Bajjuri <praneeth@ti.com>
> > Cc: Udit Kumar <u-kumar1@ti.com>
> > Cc: Andrew Davis <afd@ti.com>
> > Cc: Kamlesh Gurudasani <kamlesh@ti.com>
> > ---
> >  meta-ti-bsp/conf/machine/include/k3.inc | 6 ++++++
> >  1 file changed, 6 insertions(+)
> >
> > diff --git a/meta-ti-bsp/conf/machine/include/k3.inc b/meta-ti-bsp/conf/machine/include/k3.inc
> > index fff1550564b3..ab7e45a8016f 100644
> > --- a/meta-ti-bsp/conf/machine/include/k3.inc
> > +++ b/meta-ti-bsp/conf/machine/include/k3.inc
> > @@ -31,6 +31,12 @@ SPL_BINARY = "tispl.bin"
> >  SPL_BINARYNAME = "tispl.bin"
> >  UBOOT_SUFFIX = "img"
> >
> > +UBOOT_SIGN_ENABLE = "1"
> > +UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb"
> > +UBOOT_SIGN_KEYNAME = "uboot_signing_dev_key"
> > +UBOOT_SIGN_KEYDIR = "${DEPLOY_DIR_IMAGE}/u-boot-keys"
>
> How do the keys get in there? Are there extra docs/instructions?

FIT_GENERATE_KEYS set to 1 forces the key to be automatically
generated by openembedded-core/meta/classes/uboot-sign.bbclass, so
they are created during build time.

Cheers,
Denys Dmytriyenko May 11, 2023, 4:44 p.m. UTC | #4
On Thu, May 11, 2023 at 01:20:08PM -0300, Ricardo Salveti wrote:
> On Thu, May 11, 2023 at 12:48 PM Denys Dmytriyenko <denis@denix.org> wrote:
> >
> > On Thu, May 11, 2023 at 11:54:00AM +0530, Manorit Chawdhry via lists.yoctoproject.org wrote:
> > > Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
> > > ---
> > > To: Ryan Eatmon <reatmon@ti.com>
> > > To: Denys Dmytriyenko <denys@ti.com>
> > > Cc: meta-ti@lists.yoctoproject.org
> > > Cc: Vignesh Raghavendra <vigneshr@ti.com>
> > > Cc: Praneeth Bajjuri <praneeth@ti.com>
> > > Cc: Udit Kumar <u-kumar1@ti.com>
> > > Cc: Andrew Davis <afd@ti.com>
> > > Cc: Kamlesh Gurudasani <kamlesh@ti.com>
> > > ---
> > >  meta-ti-bsp/conf/machine/include/k3.inc | 6 ++++++
> > >  1 file changed, 6 insertions(+)
> > >
> > > diff --git a/meta-ti-bsp/conf/machine/include/k3.inc b/meta-ti-bsp/conf/machine/include/k3.inc
> > > index fff1550564b3..ab7e45a8016f 100644
> > > --- a/meta-ti-bsp/conf/machine/include/k3.inc
> > > +++ b/meta-ti-bsp/conf/machine/include/k3.inc
> > > @@ -31,6 +31,12 @@ SPL_BINARY = "tispl.bin"
> > >  SPL_BINARYNAME = "tispl.bin"
> > >  UBOOT_SUFFIX = "img"
> > >
> > > +UBOOT_SIGN_ENABLE = "1"
> > > +UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb"
> > > +UBOOT_SIGN_KEYNAME = "uboot_signing_dev_key"
> > > +UBOOT_SIGN_KEYDIR = "${DEPLOY_DIR_IMAGE}/u-boot-keys"
> >
> > How do the keys get in there? Are there extra docs/instructions?
> 
> FIT_GENERATE_KEYS set to 1 forces the key to be automatically
> generated by openembedded-core/meta/classes/uboot-sign.bbclass, so
> they are created during build time.

I know, and that is fine for development, but not so much for production - 
that is why I asked for docs/instructions for someone to deploy their own 
keys and disable autogeneration.
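
What the two review points above (weak `?=` defaults, and supplying your own keys with autogeneration turned off) could look like, as an added example that is not part of the patch or of meta-ti. The key name `prod_fit_key` and the directory `/opt/signing-keys` are placeholders, and the override relies on the standard BitBake parse order in which local.conf is read before the machine configuration.

```bitbake
# --- meta-ti-bsp/conf/machine/include/k3.inc, in the form suggested in review ---
# Weak defaults: each one applies only if nothing parsed earlier
# (site.conf, auto.conf, local.conf) has already set the variable.
UBOOT_SIGN_ENABLE ?= "1"
UBOOT_MKIMAGE_DTCOPTS ?= "-I dts -O dtb"
UBOOT_SIGN_KEYNAME ?= "uboot_signing_dev_key"
UBOOT_SIGN_KEYDIR ?= "${DEPLOY_DIR_IMAGE}/u-boot-keys"
FIT_GENERATE_KEYS ?= "1"

# --- conf/local.conf of a production build (hypothetical values) ---
# Sign with a key pair provisioned outside the build and never generate one.
# With the hard "=" assignments of the patch as posted, these three lines
# would be overwritten when the machine include is parsed afterwards.
FIT_GENERATE_KEYS = "0"
# Placeholder directory outside the deploy tree. It must already contain
# <keyname>.key (private key) and <keyname>.crt (certificate), the two
# files mkimage looks up for the key name set below.
UBOOT_SIGN_KEYDIR = "/opt/signing-keys"
UBOOT_SIGN_KEYNAME = "prod_fit_key"
```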
Manorit Chawdhry May 12, 2023, 5:44 a.m. UTC | #5
Hi Denys,

On 12:44-20230511, Denys Dmytriyenko wrote:
> On Thu, May 11, 2023 at 01:20:08PM -0300, Ricardo Salveti wrote:
> > On Thu, May 11, 2023 at 12:48 PM Denys Dmytriyenko <denis@denix.org> wrote:
> > >
> > > On Thu, May 11, 2023 at 11:54:00AM +0530, Manorit Chawdhry via lists.yoctoproject.org wrote:
> > > > Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
> > > > ---
> > > > To: Ryan Eatmon <reatmon@ti.com>
> > > > To: Denys Dmytriyenko <denys@ti.com>
> > > > Cc: meta-ti@lists.yoctoproject.org
> > > > Cc: Vignesh Raghavendra <vigneshr@ti.com>
> > > > Cc: Praneeth Bajjuri <praneeth@ti.com>
> > > > Cc: Udit Kumar <u-kumar1@ti.com>
> > > > Cc: Andrew Davis <afd@ti.com>
> > > > Cc: Kamlesh Gurudasani <kamlesh@ti.com>
> > > > ---
> > > >  meta-ti-bsp/conf/machine/include/k3.inc | 6 ++++++
> > > >  1 file changed, 6 insertions(+)
> > > >
> > > > diff --git a/meta-ti-bsp/conf/machine/include/k3.inc b/meta-ti-bsp/conf/machine/include/k3.inc
> > > > index fff1550564b3..ab7e45a8016f 100644
> > > > --- a/meta-ti-bsp/conf/machine/include/k3.inc
> > > > +++ b/meta-ti-bsp/conf/machine/include/k3.inc
> > > > @@ -31,6 +31,12 @@ SPL_BINARY = "tispl.bin"
> > > >  SPL_BINARYNAME = "tispl.bin"
> > > >  UBOOT_SUFFIX = "img"
> > > >
> > > > +UBOOT_SIGN_ENABLE = "1"
> > > > +UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb"
> > > > +UBOOT_SIGN_KEYNAME = "uboot_signing_dev_key"
> > > > +UBOOT_SIGN_KEYDIR = "${DEPLOY_DIR_IMAGE}/u-boot-keys"
> > >
> > > How do the keys get in there? Are there extra docs/instructions?
> > 
> > FIT_GENERATE_KEYS set to 1 forces the key to be automatically
> > generated by openembedded-core/meta/classes/uboot-sign.bbclass, so
> > they are created during build time.
> 
> I know, and that is fine for development, but not so much for production - 
> that is why I asked for docs/instructions for someone to deploy their own 
> keys and disable autogeneration.
> 

Even I am trying to decide if we should have a ti-dummy keys type of thing
for this or if we should make them dynamic. I believe keeping them
constant would be good for development as well, but I need to get the opinion
of others (and also the place to keep the keys). Let me know if you
guys have any ideas on this.

Regards,
Manorit

> -- 
> Denys
Manorit Chawdhry May 12, 2023, 5:44 a.m. UTC | #6
On 13:20-20230511, Ricardo Salveti wrote:
> On Thu, May 11, 2023 at 12:48 PM Denys Dmytriyenko <denis@denix.org> wrote:
> >
> > On Thu, May 11, 2023 at 11:54:00AM +0530, Manorit Chawdhry via lists.yoctoproject.org wrote:
> > > Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
> > > ---
> > > To: Ryan Eatmon <reatmon@ti.com>
> > > To: Denys Dmytriyenko <denys@ti.com>
> > > Cc: meta-ti@lists.yoctoproject.org
> > > Cc: Vignesh Raghavendra <vigneshr@ti.com>
> > > Cc: Praneeth Bajjuri <praneeth@ti.com>
> > > Cc: Udit Kumar <u-kumar1@ti.com>
> > > Cc: Andrew Davis <afd@ti.com>
> > > Cc: Kamlesh Gurudasani <kamlesh@ti.com>
> > > ---
> > >  meta-ti-bsp/conf/machine/include/k3.inc | 6 ++++++
> > >  1 file changed, 6 insertions(+)
> > >
> > > diff --git a/meta-ti-bsp/conf/machine/include/k3.inc b/meta-ti-bsp/conf/machine/include/k3.inc
> > > index fff1550564b3..ab7e45a8016f 100644
> > > --- a/meta-ti-bsp/conf/machine/include/k3.inc
> > > +++ b/meta-ti-bsp/conf/machine/include/k3.inc
> > > @@ -31,6 +31,12 @@ SPL_BINARY = "tispl.bin"
> > >  SPL_BINARYNAME = "tispl.bin"
> > >  UBOOT_SUFFIX = "img"
> > >
> > > +UBOOT_SIGN_ENABLE = "1"
> > > +UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb"
> > > +UBOOT_SIGN_KEYNAME = "uboot_signing_dev_key"
> > > +UBOOT_SIGN_KEYDIR = "${DEPLOY_DIR_IMAGE}/u-boot-keys"
> >
> > How do the keys get in there? Are there extra docs/instructions?
> 
> FIT_GENERATE_KEYS set to 1 forces the key to be automatically
> generated by openembedded-core/meta/classes/uboot-sign.bbclass, so
> they are created during build time.
> 

Sure, would update the same, thanks!

Regards,
Manorit

> Cheers,
> -- 
> Ricardo Salveti

Patch

diff --git a/meta-ti-bsp/conf/machine/include/k3.inc b/meta-ti-bsp/conf/machine/include/k3.inc
index fff1550564b3..ab7e45a8016f 100644
--- a/meta-ti-bsp/conf/machine/include/k3.inc
+++ b/meta-ti-bsp/conf/machine/include/k3.inc
@@ -31,6 +31,12 @@  SPL_BINARY = "tispl.bin"
 SPL_BINARYNAME = "tispl.bin"
 UBOOT_SUFFIX = "img"
 
+UBOOT_SIGN_ENABLE = "1"
+UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb"
+UBOOT_SIGN_KEYNAME = "uboot_signing_dev_key"
+UBOOT_SIGN_KEYDIR = "${DEPLOY_DIR_IMAGE}/u-boot-keys"
+FIT_GENERATE_KEYS = "1"
+
 EXTRA_IMAGEDEPENDS += "virtual/bootloader"
 
 TFA_PLATFORM = "k3"
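
Review bot: the added UBOOT_SIGN_KEYDIR = "${DEPLOY_DIR_IMAGE}/u-boot-keys" combined with FIT_GENERATE_KEYS = "1" places the build-generated signing key pair in the image deploy directory, so the private key sits next to the images it signs and travels with them whenever that directory is copied or published. Consider a default key directory outside the deploy tree, and use weak `?=` assignments for UBOOT_SIGN_KEYNAME, UBOOT_SIGN_KEYDIR and FIT_GENERATE_KEYS so that a distro or local.conf can point at its own keys without fighting the hard `=` set in this shared include. The commit message has no body; it should state that the key named uboot_signing_dev_key is a development key and describe how to supply production keys and turn generation off.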