From patchwork Mon Sep 2 16:13:06 2024
X-Patchwork-Submitter: "Sverdlin, Alexander"
X-Patchwork-Id: 48579
From: "A. Sverdlin"
To: openembedded-core@lists.openembedded.org, Bruce Ashfield
Cc: Alexander Sverdlin
Subject: [PATCH v3] kernel-fitimage: make signing failure fatal
Date: Mon, 2 Sep 2024 18:13:06 +0200
Message-ID: <20240902161307.1222507-1-alexander.sverdlin@siemens.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/204109

From: Alexander Sverdlin

mkimage doesn't fail if it is not able to sign FIT nodes. This may lead
to unbootable images in secure boot configurations. Make signing failures
fatal by parsing the mkimage output.

Signed-off-by: Alexander Sverdlin
---
Changes in v3:
- bbfatag_log -> bberror + bbfatal_log with relevant mkimage output snippets
Changes in v2:
- bbfatal -> bbfatal_log

 meta/classes-recipe/kernel-fitimage.bbclass | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/meta/classes-recipe/kernel-fitimage.bbclass b/meta/classes-recipe/kernel-fitimage.bbclass index 67c98adb232..ccf848e643f 100644 --- a/meta/classes-recipe/kernel-fitimage.bbclass +++ b/meta/classes-recipe/kernel-fitimage.bbclass @@ -753,11 +753,16 @@ fitimage_assemble() { # Step 8: Sign the image # if [ "x${UBOOT_SIGN_ENABLE}" = "x1" ] ; then - ${UBOOT_MKIMAGE_SIGN} \ + output=$(${UBOOT_MKIMAGE_SIGN} \ ${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \ -F -k "${UBOOT_SIGN_KEYDIR}" \ -r ${KERNEL_OUTPUT_DIR}/$2 \ - ${UBOOT_MKIMAGE_SIGN_ARGS} + ${UBOOT_MKIMAGE_SIGN_ARGS}) + echo "$output" + if err=$(echo "$output" | grep -C9 -E "Sign value:\s*unavailable"); then + bberror "${UBOOT_MKIMAGE_SIGN} failed to provide signatures for these images:" + bbfatal_log "\n$err" + fi fi }
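
Review bot: the grep test in the added "if err=$(...)" line fails open. It is the only guard against shipping an unsigned FIT, yet it matches one exact human-readable string (Sign value: unavailable) and only in what the $(...) substitution captures, which is stdout. If mkimage changes the wording, or reports the condition on stderr, the build passes again without any signature. Suggestions: add a comment above the check recording why the output is parsed at all (per the commit message, mkimage does not fail when it cannot sign); replace \s, which is a GNU extension in ERE, with [[:space:]]* so the pattern does not depend on the grep implementation; and consider a positive verification of the resulting image, for example with U-Boot's fit_check_sign, instead of relying only on the absence of an error string. The -C9 context width is also unexplained, so a short note on what those nine lines are expected to contain would help the next reader.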