Date: Thu, 30 Mar 2023 20:01:42 -0400
From: Denys Dmytriyenko
To: reatmon@ti.com
Cc: Praneeth Bajjuri, Denys Dmytriyenko, meta-ti@lists.yoctoproject.org
Subject: Re: [meta-ti][master/kirkstone][PATCH 4/4] kernel-fitimage: Add signing of fitImage entries for 5.10 kernel
Message-ID: <20230331000142.GZ18050@denix.org>
In-Reply-To: <20230330212440.19437-5-reatmon@ti.com>
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-ti/message/16268

On Thu, Mar 30, 2023 at 04:24:40PM -0500, Ryan Eatmon via lists.yoctoproject.org wrote:
> While we are migrating to kernel v6.1 and u-boot 2023.04, we want to
> keep kernel 5.10 and u-boot 2021.01 "working" for anyone looking at
> kirkstone.
> One of the changes we are looking at changing is the signing of entries
> in the fitImage.

You might want to rephrase this one :)

> To try and achieve a limited parity with dunfell while we work on the
> migration, this creates a class that implements the logic that was in
> dunfell and applies that class to the 5.10 kernel.

Maybe mention falling back to using SECDEV tooling for now instead of uboot-sign class, with the plan to get back and clean it up later?

> Signed-off-by: Ryan Eatmon
> --- > .../classes/kernel-fitimage-ti-u-boot.bbclass | 214 ++++++++++++++++++ > .../linux/linux-ti-staging_5.10.bb | 2 + > 2 files changed, 216 insertions(+) > create mode 100644 meta-ti-bsp/classes/kernel-fitimage-ti-u-boot.bbclass > > diff --git a/meta-ti-bsp/classes/kernel-fitimage-ti-u-boot.bbclass b/meta-ti-bsp/classes/kernel-fitimage-ti-u-boot.bbclass > new file mode 100644 > index 00000000..503c6d25 > --- /dev/null
> +++ b/meta-ti-bsp/classes/kernel-fitimage-ti-u-boot.bbclass > @@ -0,0 +1,214 @@ > + > +inherit ti-secdev > + > +# The TI u-boot requires that the kernel image is signed. To not overload the > +# entire kernel-fitimage.bbclass from oe-core, we just overwrite one function > +# and do the signing in there.

I'm wondering how the inherit ordering is handled in this case and whether there are any chances of a race - which fitimage_assemble will be used?

> +# > +# Assemble fitImage > +# > +# $1 ... .its filename > +# $2 ... fitImage name > +# $3 ... include ramdisk > +fitimage_assemble() { > + kernelcount=1 > + dtbcount="" > + DTBS="" > + ramdiskcount=$3 > + setupcount="" > + bootscr_id="" > + rm -f $1 arch/${ARCH}/boot/$2 > + > + if [ -n "${UBOOT_SIGN_IMG_KEYNAME}" -a "${UBOOT_SIGN_KEYNAME}" = "${UBOOT_SIGN_IMG_KEYNAME}" ]; then > + bbfatal "Keys used to sign images and configuration nodes must be different." > + fi > +} > + > +fitimage_ti_secure() { > + if test -n "${TI_SECURE_DEV_PKG}"; then > + export TI_SECURE_DEV_PKG=${TI_SECURE_DEV_PKG} > + ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh $1 $2 > + else > + cp $1 $2 > + fi > +} > + > diff --git a/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_5.10.bb b/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_5.10.bb > index cc67188a..f3793baf 100644 > --- a/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_5.10.bb > +++ b/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_5.10.bb
> @@ -3,6 +3,8 @@ SUMMARY = "Linux kernel for TI devices" > LICENSE = "GPL-2.0-only" > LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" > > +KERNEL_CLASSES += "${@bb.utils.contains('TFA_PLATFORM', 'k3', 'kernel-fitimage-ti-u-boot', '', d)}"

"contains" does a substring search, a bit faster to use "conditional" here:

KERNEL_CLASSES += "${@oe.utils.conditional('TFA_PLATFORM', 'k3', 'kernel-fitimage-ti-u-boot', '', d)}"

or even a simple Python if-else directly:

KERNEL_CLASSES += "${@ 'kernel-fitimage-ti-u-boot' if d.getVar('TFA_PLATFORM') == 'k3' else ''}"

> + > inherit kernel > > DEFCONFIG_BUILDER = "${S}/ti_config_fragments/defconfig_builder.sh" > -- > 2.17.1
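
Review bot: in kernel-fitimage-ti-u-boot.bbclass, the else branch of fitimage_ti_secure() falls back to `cp $1 $2` when TI_SECURE_DEV_PKG is empty, so the build completes with unsigned fitImage entries and no message, although the comment at the top of the class says the TI u-boot requires the kernel image to be signed. Emit a bbwarn in that branch (or bbfatal on machines where signing is mandatory) so an unsigned image cannot go out unnoticed. The positional arguments and `${TI_SECURE_DEV_PKG}` are also unquoted here and in `rm -f $1 arch/${ARCH}/boot/$2` in fitimage_assemble(); quoting them keeps a path containing spaces from being split into separate arguments.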
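
Review bot: in linux-ti-staging_5.10.bb, the added `KERNEL_CLASSES +=` line carries no comment explaining why a TF-A variable (TFA_PLATFORM being 'k3') decides whether the kernel fitImage signing class is pulled in, or that the line has to stay above `inherit kernel` to have any effect. Since the new class exists to replace fitimage_assemble, a short comment stating the intended position of kernel-fitimage-ti-u-boot relative to the other entries in KERNEL_CLASSES would make the override order explicit instead of leaving it to whatever the machine or distro configuration already put in that variable.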