From patchwork Tue Jun 17 08:10:50 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jamin Lin X-Patchwork-Id: 65108 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B58D4C7115F for ; Tue, 17 Jun 2025 08:10:59 +0000 (UTC) Received: from TWMBX01.aspeed.com (TWMBX01.aspeed.com [211.20.114.72]) by mx.groups.io with SMTP id smtpd.web10.13301.1750147855276325504 for ; Tue, 17 Jun 2025 01:10:57 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: aspeedtech.com, ip: 211.20.114.72, mailfrom: jamin_lin@aspeedtech.com) Received: from TWMBX01.aspeed.com (192.168.0.62) by TWMBX01.aspeed.com (192.168.0.62) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1748.10; Tue, 17 Jun 2025 16:10:52 +0800 Received: from mail.aspeedtech.com (192.168.10.10) by TWMBX01.aspeed.com (192.168.0.62) with Microsoft SMTP Server id 15.2.1748.10 via Frontend Transport; Tue, 17 Jun 2025 16:10:52 +0800 From: Jamin Lin To: CC: , Subject: [PATCH v2 1/3] uboot-sign: Support signing U-Boot FIT image without SPL Date: Tue, 17 Jun 2025 16:10:50 +0800 Message-ID: <20250617081052.3087995-2-jamin_lin@aspeedtech.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20250617081052.3087995-1-jamin_lin@aspeedtech.com> References: <20250617081052.3087995-1-jamin_lin@aspeedtech.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 17 Jun 2025 08:10:59 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/218859 Previously, the signing flow in "uboot-sign.bbclass" assumed that SPL was always present and that the FIT signing process must inject the public key into the SPL DTB. This made it inflexible for use cases where only the U-Boot proper FIT image is built and signed, with no SPL binary at all. This change introduces the following adjustments: - The `SPL_DTB_BINARY` variable can be explicitly set to an empty string to indicate that no SPL is present. - The signing logic checks `SPL_DTB_BINARY` and skips injecting the key or verifying the SPL DTB if it is empty. - The FIT image generation and deployment are always performed if `UBOOT_FITIMAGE_ENABLE` is enabled, regardless of the SPL settings. - The deploy helper now uses a single check on `SPL_DTB_BINARY` to decide whether to deploy the signed SPL DTB. Now the sign step checks if SPL_DTB_BINARY is empty: If present, it signs the FIT image and injects the public key into the SPL DTB, then verifies both. If empty, it only signs the FIT image and generates the ITS with the signature node, but does not attempt to verify or add the key to a non-existent SPL DTB. Key Behavior Explained If SPL_DTB_BINARY is empty, we assume there is no SPL. If UBOOT_FITIMAGE_ENABLE=1, we always create the FIT image and ITS. If SPL_SIGN_ENABLE=1, we always sign the FIT image, but only inject the key into the SPL DTB if it exists. Example usage: UBOOT_FITIMAGE_ENABLE = "1" SPL_SIGN_ENABLE = "1" SPL_DTB_BINARY = "" This means: - Generate and sign the FIT image. - Do not attempt to sign or deploy an SPL DTB. This aligns the implementation with real scenarios where some boards do not require an SPL. Signed-off-by: Jamin Lin --- meta/classes-recipe/uboot-sign.bbclass | 50 +++++++++++++++----------- 1 file changed, 29 insertions(+), 21 deletions(-) diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass index 73e9ce3f11..01c53c7448 100644 --- a/meta/classes-recipe/uboot-sign.bbclass +++ b/meta/classes-recipe/uboot-sign.bbclass @@ -50,6 +50,8 @@ UBOOT_FITIMAGE_BINARY ?= "u-boot-fitImage" UBOOT_FITIMAGE_SYMLINK ?= "u-boot-fitImage-${MACHINE}" SPL_DIR ?= "spl" SPL_DTB_IMAGE ?= "u-boot-spl-${MACHINE}-${PV}-${PR}.dtb" +# When SPL is not used, set SPL_DTB_BINARY ?= "" to explicitly indicate +# that no SPL DTB should be created or signed. SPL_DTB_BINARY ?= "u-boot-spl.dtb" SPL_DTB_SIGNED ?= "${SPL_DTB_BINARY}-signed" SPL_DTB_SYMLINK ?= "u-boot-spl-${MACHINE}.dtb" @@ -466,25 +468,31 @@ EOF ${UBOOT_FITIMAGE_BINARY} if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then - # - # Sign the U-boot FIT image and add public key to SPL dtb - # - ${UBOOT_MKIMAGE_SIGN} \ - ${@'-D "${SPL_MKIMAGE_DTCOPTS}"' if len('${SPL_MKIMAGE_DTCOPTS}') else ''} \ - -F -k "${SPL_SIGN_KEYDIR}" \ - -K "${SPL_DIR}/${SPL_DTB_BINARY}" \ - -r ${UBOOT_FITIMAGE_BINARY} \ - ${SPL_MKIMAGE_SIGN_ARGS} - # - # Verify the U-boot FIT image and SPL dtb - # - ${UBOOT_FIT_CHECK_SIGN} \ - -k "${SPL_DIR}/${SPL_DTB_BINARY}" \ - -f ${UBOOT_FITIMAGE_BINARY} - fi + if [ -n "${SPL_DTB_BINARY}" ] ; then + # + # Sign the U-boot FIT image and add public key to SPL dtb + # + ${UBOOT_MKIMAGE_SIGN} \ + ${@'-D "${SPL_MKIMAGE_DTCOPTS}"' if len('${SPL_MKIMAGE_DTCOPTS}') else ''} \ + -F -k "${SPL_SIGN_KEYDIR}" \ + -K "${SPL_DIR}/${SPL_DTB_BINARY}" \ + -r ${UBOOT_FITIMAGE_BINARY} \ + ${SPL_MKIMAGE_SIGN_ARGS} - if [ -e "${SPL_DIR}/${SPL_DTB_BINARY}" ]; then - cp ${SPL_DIR}/${SPL_DTB_BINARY} ${SPL_DIR}/${SPL_DTB_SIGNED} + # Verify the U-boot FIT image and SPL dtb + ${UBOOT_FIT_CHECK_SIGN} \ + -k "${SPL_DIR}/${SPL_DTB_BINARY}" \ + -f ${UBOOT_FITIMAGE_BINARY} + + cp ${SPL_DIR}/${SPL_DTB_BINARY} ${SPL_DIR}/${SPL_DTB_SIGNED} + else + # Sign the U-boot FIT image + ${UBOOT_MKIMAGE_SIGN} \ + ${@'-D "${SPL_MKIMAGE_DTCOPTS}"' if len('${SPL_MKIMAGE_DTCOPTS}') else ''} \ + -F -k "${SPL_SIGN_KEYDIR}" \ + -r ${UBOOT_FITIMAGE_BINARY} \ + ${SPL_MKIMAGE_SIGN_ARGS} + fi fi } @@ -496,7 +504,7 @@ uboot_assemble_fitimage_helper() { concat_dtb "$type" "$binary" fi - if [ "${UBOOT_FITIMAGE_ENABLE}" = "1" -a -n "${SPL_DTB_BINARY}" ]; then + if [ "${UBOOT_FITIMAGE_ENABLE}" = "1" ]; then uboot_fitimage_assemble fi @@ -543,7 +551,7 @@ deploy_helper() { deploy_dtb $type fi - if [ "${UBOOT_FITIMAGE_ENABLE}" = "1" -a -n "${SPL_DTB_BINARY}" ]; then + if [ "${UBOOT_FITIMAGE_ENABLE}" = "1" ]; then if [ -n "${type}" ]; then uboot_its_image="u-boot-its-${type}-${PV}-${PR}" uboot_fitimage_image="u-boot-fitImage-${type}-${PV}-${PR}" @@ -561,7 +569,7 @@ deploy_helper() { fi fi - if [ "${SPL_SIGN_ENABLE}" = "1" -a -n "${SPL_DTB_SIGNED}" ] ; then + if [ "${SPL_SIGN_ENABLE}" = "1" -a -n "${SPL_DTB_BINARY}" ] ; then deploy_spl_dtb $type fi } From patchwork Tue Jun 17 08:10:51 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jamin Lin X-Patchwork-Id: 65109 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A6688C7115B for ; Tue, 17 Jun 2025 08:10:59 +0000 (UTC) Received: from TWMBX01.aspeed.com (TWMBX01.aspeed.com [211.20.114.72]) by mx.groups.io with SMTP id smtpd.web10.13301.1750147855276325504 for ; Tue, 17 Jun 2025 01:10:57 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: aspeedtech.com, ip: 211.20.114.72, mailfrom: jamin_lin@aspeedtech.com) Received: from TWMBX01.aspeed.com (192.168.0.62) by TWMBX01.aspeed.com (192.168.0.62) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1748.10; Tue, 17 Jun 2025 16:10:52 +0800 Received: from mail.aspeedtech.com (192.168.10.10) by TWMBX01.aspeed.com (192.168.0.62) with Microsoft SMTP Server id 15.2.1748.10 via Frontend Transport; Tue, 17 Jun 2025 16:10:52 +0800 From: Jamin Lin To: CC: , Subject: [PATCH v2 2/3] uboot-sign.bbclass: Refactor condition checks to use && and || instead of -a and -o Date: Tue, 17 Jun 2025 16:10:51 +0800 Message-ID: <20250617081052.3087995-3-jamin_lin@aspeedtech.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20250617081052.3087995-1-jamin_lin@aspeedtech.com> References: <20250617081052.3087995-1-jamin_lin@aspeedtech.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 17 Jun 2025 08:10:59 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/218860 This commit cleans up and modernizes the shell condition expressions in `uboot-sign.bbclass` to follow best practices for portable and reliable shell usage. Key changes: - Replace legacy `[ -a ]` and `[ -o ]` with explicit `[ ] && [ ]` and `[ ] || [ ]`. Modern POSIX and busybox sh recommend using `&&` and `||` instead of `-a` and `-o` because `-a` and `-o` are less robust and can cause parsing ambiguities in some shells. - Simplify `concat_dtb()` by moving the DTB existence check to the top and using early `return` to avoid deep nesting. - Remove redundant fallback `else` blocks; use clearer control flow with direct checks. This improves maintainability, reduces shell syntax pitfalls, and aligns with current shell scripting best practices. References: - POSIX recommends avoiding `-a` and `-o` in `[ ]` and using explicit `&&` and `||`: https://pubs.opengroup.org/onlinepubs/9699919799/utilities/test.html Signed-off-by: Jamin Lin --- meta/classes-recipe/uboot-sign.bbclass | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass index 01c53c7448..0f387a3a3e 100644 --- a/meta/classes-recipe/uboot-sign.bbclass +++ b/meta/classes-recipe/uboot-sign.bbclass @@ -198,21 +198,23 @@ concat_dtb() { # If we're not using a signed u-boot fit, concatenate SPL w/o DTB & U-Boot DTB # with public key (otherwise U-Boot will be packaged by uboot_fitimage_assemble) if [ "${SPL_SIGN_ENABLE}" != "1" ] ; then - if [ "x${UBOOT_SUFFIX}" = "ximg" -o "x${UBOOT_SUFFIX}" = "xrom" ] && \ - [ -e "${UBOOT_DTB_BINARY}" ]; then + if [ ! -e "${UBOOT_DTB_BINARY}" ]; then + bbwarn "Failure while adding public key to u-boot binary. Verified boot won't be available." + return + fi + + if [ "x${UBOOT_SUFFIX}" = "ximg" ] || [ "x${UBOOT_SUFFIX}" = "xrom" ]; then oe_runmake EXT_DTB="${UBOOT_DTB_SIGNED}" ${UBOOT_MAKE_TARGET} if [ -n "${binary}" ]; then cp ${binary} ${UBOOT_BINARYNAME}-${type}.${UBOOT_SUFFIX} fi - elif [ -e "${UBOOT_NODTB_BINARY}" -a -e "${UBOOT_DTB_BINARY}" ]; then + elif [ -e "${UBOOT_NODTB_BINARY}" ]; then if [ -n "${binary}" ]; then cat ${UBOOT_NODTB_BINARY} ${UBOOT_DTB_SIGNED} | tee ${binary} > \ ${UBOOT_BINARYNAME}-${type}.${UBOOT_SUFFIX} else cat ${UBOOT_NODTB_BINARY} ${UBOOT_DTB_SIGNED} > ${UBOOT_BINARY} fi - else - bbwarn "Failure while adding public key to u-boot binary. Verified boot won't be available." fi fi } @@ -244,7 +246,7 @@ deploy_dtb() { } concat_spl_dtb() { - if [ -e "${SPL_DIR}/${SPL_NODTB_BINARY}" -a -e "${SPL_DIR}/${SPL_DTB_BINARY}" ] ; then + if [ -e "${SPL_DIR}/${SPL_NODTB_BINARY}" ] && [ -e "${SPL_DIR}/${SPL_DTB_BINARY}" ] ; then cat ${SPL_DIR}/${SPL_NODTB_BINARY} ${SPL_DIR}/${SPL_DTB_SIGNED} > "${SPL_BINARY}" else bbwarn "Failure while adding public key to spl binary. Verified U-Boot boot won't be available." @@ -500,7 +502,7 @@ uboot_assemble_fitimage_helper() { type="$1" binary="$2" - if [ "${UBOOT_SIGN_ENABLE}" = "1" -a -n "${UBOOT_DTB_BINARY}" ] ; then + if [ "${UBOOT_SIGN_ENABLE}" = "1" ] && [ -n "${UBOOT_DTB_BINARY}" ] ; then concat_dtb "$type" "$binary" fi @@ -508,7 +510,7 @@ uboot_assemble_fitimage_helper() { uboot_fitimage_assemble fi - if [ "${SPL_SIGN_ENABLE}" = "1" -a -n "${SPL_DTB_BINARY}" ] ; then + if [ "${SPL_SIGN_ENABLE}" = "1" ] && [ -n "${SPL_DTB_BINARY}" ] ; then concat_spl_dtb fi } @@ -547,7 +549,7 @@ addtask uboot_assemble_fitimage before do_install do_deploy after do_compile deploy_helper() { type="$1" - if [ "${UBOOT_SIGN_ENABLE}" = "1" -a -n "${UBOOT_DTB_SIGNED}" ] ; then + if [ "${UBOOT_SIGN_ENABLE}" = "1" ] && [ -n "${UBOOT_DTB_SIGNED}" ] ; then deploy_dtb $type fi @@ -569,7 +571,7 @@ deploy_helper() { fi fi - if [ "${SPL_SIGN_ENABLE}" = "1" -a -n "${SPL_DTB_BINARY}" ] ; then + if [ "${SPL_SIGN_ENABLE}" = "1" ] && [ -n "${SPL_DTB_BINARY}" ] ; then deploy_spl_dtb $type fi } @@ -594,7 +596,7 @@ do_deploy:prepend() { deploy_helper "" fi - if [ "${UBOOT_SIGN_ENABLE}" = "1" -a -n "${UBOOT_DTB_BINARY}" ] ; then + if [ "${UBOOT_SIGN_ENABLE}" = "1" ] && [ -n "${UBOOT_DTB_BINARY}" ] ; then ln -sf ${UBOOT_DTB_IMAGE} ${DEPLOYDIR}/${UBOOT_DTB_BINARY} ln -sf ${UBOOT_DTB_IMAGE} ${DEPLOYDIR}/${UBOOT_DTB_SYMLINK} ln -sf ${UBOOT_NODTB_IMAGE} ${DEPLOYDIR}/${UBOOT_NODTB_SYMLINK} @@ -608,7 +610,7 @@ do_deploy:prepend() { ln -sf ${UBOOT_FITIMAGE_IMAGE} ${DEPLOYDIR}/${UBOOT_FITIMAGE_SYMLINK} fi - if [ "${SPL_SIGN_ENABLE}" = "1" -a -n "${SPL_DTB_BINARY}" ] ; then + if [ "${SPL_SIGN_ENABLE}" = "1" ] && [ -n "${SPL_DTB_BINARY}" ] ; then ln -sf ${SPL_DTB_IMAGE} ${DEPLOYDIR}/${SPL_DTB_SYMLINK} ln -sf ${SPL_DTB_IMAGE} ${DEPLOYDIR}/${SPL_DTB_BINARY} ln -sf ${SPL_NODTB_IMAGE} ${DEPLOYDIR}/${SPL_NODTB_SYMLINK} From patchwork Tue Jun 17 08:10:52 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jamin Lin X-Patchwork-Id: 65107 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A53A0C71136 for ; Tue, 17 Jun 2025 08:10:59 +0000 (UTC) Received: from TWMBX01.aspeed.com (TWMBX01.aspeed.com [211.20.114.72]) by mx.groups.io with SMTP id smtpd.web10.13301.1750147855276325504 for ; Tue, 17 Jun 2025 01:10:58 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: aspeedtech.com, ip: 211.20.114.72, mailfrom: jamin_lin@aspeedtech.com) Received: from TWMBX01.aspeed.com (192.168.0.62) by TWMBX01.aspeed.com (192.168.0.62) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1748.10; Tue, 17 Jun 2025 16:10:52 +0800 Received: from mail.aspeedtech.com (192.168.10.10) by TWMBX01.aspeed.com (192.168.0.62) with Microsoft SMTP Server id 15.2.1748.10 via Frontend Transport; Tue, 17 Jun 2025 16:10:52 +0800 From: Jamin Lin To: CC: , Subject: [PATCH v2 3/3] oe-selftest: fitimage: Add test for signing U-Boot FIT image without SPL Date: Tue, 17 Jun 2025 16:10:52 +0800 Message-ID: <20250617081052.3087995-4-jamin_lin@aspeedtech.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20250617081052.3087995-1-jamin_lin@aspeedtech.com> References: <20250617081052.3087995-1-jamin_lin@aspeedtech.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 17 Jun 2025 08:10:59 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/218861 This adds a new selftest case `test_sign_uboot_fit_image_without_spl` to verify that the build can correctly generate and sign a U-Boot FIT image in a scenario where no SPL is used. Background: - Some boards build only the U-Boot proper FIT image and do not require an SPL. - The signing flow must handle this case gracefully: generate the ITS, sign the FIT image, and skip signing/injecting a key into the SPL DTB. What this test does: 1) Enables `UBOOT_FITIMAGE_ENABLE` and `SPL_SIGN_ENABLE` but explicitly sets `SPL_DTB_BINARY` to an empty string to indicate that no SPL is present. 2) Verifies that the U-Boot ITS and FIT image are built successfully. 3) Confirms that the generated ITS file includes signature metadata as requested. 4) Dumps the FIT image to ensure that the signature nodes exist. 5) Confirms that the log for `do_uboot_assemble_fitimage` shows the expected mkimage/mkimage_sign invocation. This ensures that signing works correctly even when only the U-Boot proper is built, which matches real-world configurations that do not require an SPL. Signed-off-by: Jamin Lin --- meta/lib/oeqa/selftest/cases/fitimage.py | 37 ++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/meta/lib/oeqa/selftest/cases/fitimage.py b/meta/lib/oeqa/selftest/cases/fitimage.py index ca4724d1ae..3c40857747 100644 --- a/meta/lib/oeqa/selftest/cases/fitimage.py +++ b/meta/lib/oeqa/selftest/cases/fitimage.py @@ -1692,3 +1692,40 @@ FIT_SIGN_INDIVIDUAL = "1" # Just check the DTB of u-boot since there is no u-boot FIT image self._check_kernel_dtb(bb_vars) + + + def test_sign_uboot_fit_image_without_spl(self): + """ + Summary: Check if U-Boot FIT image and Image Tree Source (its) are + created and signed correctly for the scenario where only + the U-Boot proper fitImage is being created and signed + (no SPL included). + Expected: 1) U-Boot its and FIT image are built successfully + 2) Scanning the its file indicates signing is enabled + as requested by SPL_SIGN_ENABLE (using keys generated + via UBOOT_FIT_GENERATE_KEYS) + 3) Dumping the FIT image indicates signature values + are present + 4) Examination of the do_uboot_assemble_fitimage + runfile/logfile indicate that UBOOT_MKIMAGE and + UBOOT_MKIMAGE_SIGN are working as expected. + Product: oe-core + Author: Jamin Lin + """ + config = """ +# There's no U-boot defconfig with CONFIG_FIT_SIGNATURE yet, so we need at +# least CONFIG_SPL_LOAD_FIT and CONFIG_SPL_OF_CONTROL set +MACHINE = "qemuarm" +UBOOT_MACHINE = "am57xx_evm_defconfig" +# Enable creation and signing of the U-Boot fitImage (no SPL) +UBOOT_FITIMAGE_ENABLE = "1" +SPL_DTB_BINARY = "" +SPL_SIGN_ENABLE = "1" +SPL_SIGN_KEYNAME = "spl-oe-selftest" +SPL_SIGN_KEYDIR = "${TOPDIR}/signing-keys" +UBOOT_FIT_GENERATE_KEYS = "1" +""" + self.write_config(config) + bb_vars = self._fit_get_bb_vars() + self._test_fitimage(bb_vars) +