Message ID | 20230613-b4-internal-core-secdev-fit-v1-1-c344639b5be1@ti.com |
---|---|
State | Accepted |
Delegated to: | Ryan Eatmon |
Series | [meta-ti,master/kirkstone] conf: machine: include: k3 enable fit signing for uboot |
On Wed, Jun 14, 2023 at 4:41 AM Manorit Chawdhry via lists.yoctoproject.org <m-chawdhry=ti.com@lists.yoctoproject.org> wrote: > > Enables FIT Image signing for K3 platforms > > Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com> > --- > meta-ti-bsp/conf/machine/include/k3.inc | 7 +++++++ > meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_6.1.bb | 1 + > 2 files changed, 8 insertions(+) > > diff --git a/meta-ti-bsp/conf/machine/include/k3.inc b/meta-ti-bsp/conf/machine/include/k3.inc > index f8bfb3dbcafc..eb25fa780407 100644 > --- a/meta-ti-bsp/conf/machine/include/k3.inc > +++ b/meta-ti-bsp/conf/machine/include/k3.inc > @@ -31,6 +31,13 @@ SPL_BINARY = "tispl.bin" > SPL_BINARYNAME = "tispl.bin" > UBOOT_SUFFIX = "img" > > +UBOOT_SIGN_ENABLE = "1" > +UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb" > +UBOOT_SIGN_KEYNAME ?= "custMpk" > +UBOOT_SIGN_KEYDIR ?= "${TI_SECURE_DEV_PKG}/keys" Did you verify that this won't cause a build failure when the key is not available at runtime (e.g. users not defining TI_SECURE_DEV_PKG)? Just because UBOOT_SIGN_ENABLE is being forced to 1. Thanks,
Hi Ricardo, On 12:13-20230614, Ricardo Salveti wrote: > On Wed, Jun 14, 2023 at 4:41 AM Manorit Chawdhry via > lists.yoctoproject.org <m-chawdhry=ti.com@lists.yoctoproject.org> > wrote: > > > > Enables FIT Image signing for K3 platforms > > > > Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com> > > --- > > meta-ti-bsp/conf/machine/include/k3.inc | 7 +++++++ > > meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_6.1.bb | 1 + > > 2 files changed, 8 insertions(+) > > > > diff --git a/meta-ti-bsp/conf/machine/include/k3.inc b/meta-ti-bsp/conf/machine/include/k3.inc > > index f8bfb3dbcafc..eb25fa780407 100644 > > --- a/meta-ti-bsp/conf/machine/include/k3.inc > > +++ b/meta-ti-bsp/conf/machine/include/k3.inc > > @@ -31,6 +31,13 @@ SPL_BINARY = "tispl.bin" > > SPL_BINARYNAME = "tispl.bin" > > UBOOT_SUFFIX = "img" > > > > +UBOOT_SIGN_ENABLE = "1" > > +UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb" > > +UBOOT_SIGN_KEYNAME ?= "custMpk" > > +UBOOT_SIGN_KEYDIR ?= "${TI_SECURE_DEV_PKG}/keys" > > Did you verify that this won't cause a build failure when the key is > not available at runtime (e.g. users not defining TI_SECURE_DEV_PKG)? > > Just because UBOOT_SIGN_ENABLE is being forced to 1. > TI_SECURE_DEV_PKG will always be set whenever we inherit ti-secdev recipe and that is being done in the linux recipe in the same patch. The kernel recipe internally uses this variable so no one should be required to set this explicitly and the build had passed. Though on the other hand, the build still passes even if we provide a wrong folder if I understand correctly and the generated images don't have the signature. Though I had validated this change on my local setup and could see the things working as expected. Regards, Manorit > Thanks, > -- > Ricardo Salveti
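The reply above says a build with a wrong key folder still passes and produces images without a signature. A post-build check for that case, as an added example that is not part of this thread or of meta-ti: it walks the FIT image's flattened device tree and lists the configurations that carry no signature value. The function names and the sample blob are constructed for illustration, and the check assumes a signed configuration has a `signature*` subnode with a non-empty `value` property.

```python
import struct

FDT_MAGIC, BEGIN_NODE, END_NODE, PROP, NOP, END = 0xD00DFEED, 1, 2, 3, 4, 9

def unsigned_configs(fit: bytes) -> list[str]:
    """Return names under /configurations that carry no signature value."""
    magic, _, off_struct, off_strings = struct.unpack_from(">4I", fit, 0)
    if magic != FDT_MAGIC:
        raise ValueError("not a FIT/FDT blob")
    pos, path, configs = off_struct, [], {}
    while True:
        (token,) = struct.unpack_from(">I", fit, pos)
        pos += 4
        if token == BEGIN_NODE:
            end = fit.index(b"\0", pos)
            path.append(fit[pos:end].decode())
            pos = (end + 4) & ~3          # skip the NUL, realign to 4 bytes
            if len(path) == 3 and path[1] == "configurations":
                configs.setdefault(path[2], False)
        elif token == END_NODE:
            path.pop()
        elif token == PROP:
            length, nameoff = struct.unpack_from(">2I", fit, pos)
            pos += 8
            name_at = off_strings + nameoff
            name = fit[name_at:fit.index(b"\0", name_at)].decode()
            if (len(path) == 4 and path[1] == "configurations"
                    and path[3].startswith("signature")
                    and name == "value" and length > 0):
                configs[path[2]] = True   # signature data is present
            pos = (pos + length + 3) & ~3
        elif token == END:
            return sorted(c for c, signed in configs.items() if not signed)
        elif token != NOP:
            raise ValueError(f"bad FDT token {token:#x}")

def build_sample(signed: bool) -> bytes:
    """Constructed minimal FDT: /configurations/conf-1/signature-1 [value]."""
    strings = b"value\0"
    def node(name, body=b""):
        raw = name.encode() + b"\0"
        raw += b"\0" * (-len(raw) % 4)
        return struct.pack(">I", BEGIN_NODE) + raw + body + struct.pack(">I", END_NODE)
    prop = (struct.pack(">3I", PROP, 4, 0) + b"\xAA" * 4) if signed else b""
    tree = node("", node("configurations", node("conf-1", node("signature-1", prop))))
    tree += struct.pack(">I", END)
    header = struct.pack(">10I", FDT_MAGIC, 56 + len(tree) + len(strings), 56,
                         56 + len(tree), 40, 17, 16, 0, len(strings), len(tree))
    return header + b"\0" * 16 + tree + strings  # 16 zero bytes: empty reserve map
```

Run against the generated FIT image after the build, a non-empty result is the condition to fail on; it only shows that signature data is present, not that it verifies against the intended key.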
diff --git a/meta-ti-bsp/conf/machine/include/k3.inc b/meta-ti-bsp/conf/machine/include/k3.inc index f8bfb3dbcafc..eb25fa780407 100644 --- a/meta-ti-bsp/conf/machine/include/k3.inc +++ b/meta-ti-bsp/conf/machine/include/k3.inc @@ -31,6 +31,13 @@ SPL_BINARY = "tispl.bin" SPL_BINARYNAME = "tispl.bin" UBOOT_SUFFIX = "img" +UBOOT_SIGN_ENABLE = "1" +UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb" +UBOOT_SIGN_KEYNAME ?= "custMpk" +UBOOT_SIGN_KEYDIR ?= "${TI_SECURE_DEV_PKG}/keys" +FIT_HASH_ALG ?= "sha512" +FIT_SIGN_ALG ?= "rsa4096" + EXTRA_IMAGEDEPENDS += "virtual/bootloader" TFA_PLATFORM = "k3" diff --git a/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_6.1.bb b/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_6.1.bb index 12ac61d18c6b..3e7e124a80f4 100644 --- a/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_6.1.bb +++ b/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_6.1.bb @@ -3,6 +3,7 @@ SUMMARY = "Linux kernel for TI devices" LICENSE = "GPL-2.0-only" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" +inherit ti-secdev inherit kernel require recipes-kernel/linux/setup-defconfig.inc
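Review bot: In the k3.inc hunk, `UBOOT_SIGN_ENABLE = "1"` is a hard assignment while the key name, key directory and algorithm lines beside it use `?=`, and `UBOOT_SIGN_KEYDIR ?= "${TI_SECURE_DEV_PKG}/keys"` expands a variable that nothing in this file sets. Consider `UBOOT_SIGN_ENABLE ?= "1"` so a distro or local.conf can turn signing off, and add a comment saying where `TI_SECURE_DEV_PKG` comes from. Since the thread reports that a wrong key folder still builds and yields images without a signature, a check that fails the build when `${UBOOT_SIGN_KEYDIR}` does not exist would keep an unsigned image from passing silently.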
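Review bot: In the linux-ti-staging_6.1.bb hunk, `inherit ti-secdev` is added to this one recipe only, while the signing variables that depend on it are set machine-wide in k3.inc. Any other recipe built for a K3 machine that reads `UBOOT_SIGN_KEYDIR` would see `${TI_SECURE_DEV_PKG}` only if it also inherits the class, so either move the inherit somewhere shared by all K3 kernel recipes or give `TI_SECURE_DEV_PKG` a default next to the k3.inc settings. A one-line comment above the inherit explaining that it provides the signing key location would also help, since the dependency is not visible from this file alone.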
Enables FIT Image signing for K3 platforms Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com> --- meta-ti-bsp/conf/machine/include/k3.inc | 7 +++++++ meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_6.1.bb | 1 + 2 files changed, 8 insertions(+) --- base-commit: 02fb90c7972aa53ad6c3599a161ec62fd91d1efa change-id: 20230613-b4-internal-core-secdev-fit-027b8db6a112 Best regards,