* [meta-ti][master/kirkstone][RFC PATCH] conf: machine: include: k3 enable fit signing for uboot
@ 2023-05-11  6:24 Manorit Chawdhry
  2023-05-11 15:47 ` Denys Dmytriyenko
  2023-05-11 16:18 ` Ricardo Salveti
  0 siblings, 2 replies; 7+ messages in thread
From: Manorit Chawdhry @ 2023-05-11  6:24 UTC (permalink / raw)
  To: meta-ti
  Cc: Manorit Chawdhry, Ryan Eatmon, Denys Dmytriyenko,
	Vignesh Raghavendra, Praneeth Bajjuri, Udit Kumar, Andrew Davis,
	Kamlesh Gurudasani

Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
---
To: Ryan Eatmon <reatmon@ti.com>
To: Denys Dmytriyenko <denys@ti.com>
Cc: meta-ti@lists.yoctoproject.org
Cc: Vignesh Raghavendra <vigneshr@ti.com>
Cc: Praneeth Bajjuri <praneeth@ti.com>
Cc: Udit Kumar <u-kumar1@ti.com>
Cc: Andrew Davis <afd@ti.com>
Cc: Kamlesh Gurudasani <kamlesh@ti.com>
---
 meta-ti-bsp/conf/machine/include/k3.inc | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/meta-ti-bsp/conf/machine/include/k3.inc b/meta-ti-bsp/conf/machine/include/k3.inc
index fff1550564b3..ab7e45a8016f 100644
--- a/meta-ti-bsp/conf/machine/include/k3.inc
+++ b/meta-ti-bsp/conf/machine/include/k3.inc
@@ -31,6 +31,12 @@ SPL_BINARY = "tispl.bin"
 SPL_BINARYNAME = "tispl.bin"
 UBOOT_SUFFIX = "img"
 
+UBOOT_SIGN_ENABLE = "1"
+UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb"
+UBOOT_SIGN_KEYNAME = "uboot_signing_dev_key"
+UBOOT_SIGN_KEYDIR = "${DEPLOY_DIR_IMAGE}/u-boot-keys"
+FIT_GENERATE_KEYS = "1"
+
 EXTRA_IMAGEDEPENDS += "virtual/bootloader"
 
 TFA_PLATFORM = "k3"
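
Review bot: UBOOT_SIGN_KEYDIR points into ${DEPLOY_DIR_IMAGE} and FIT_GENERATE_KEYS = "1" is hard-set in the same block, so every machine that includes k3.inc would by default sign with a key created during the build and stored next to the deployable images. Suggest weak assignments for the block (UBOOT_SIGN_KEYNAME ?= ..., UBOOT_SIGN_KEYDIR ?= ..., FIT_GENERATE_KEYS ?= "1") so a distro can point at its own key and turn generation off, and a default key directory that is not part of the published build output. The commit message has no body; it should say why UBOOT_MKIMAGE_DTCOPTS is needed and that uboot_signing_dev_key is meant for development only.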

---
base-commit: a9b35f1e7c3a7746fb4f6807166bcb27ba9ca5eb
change-id: 20230509-b4-k3-fit-signing-316ca2af859c

Best regards,
-- 
Manorit Chawdhry <m-chawdhry@ti.com>




* Re: [meta-ti][master/kirkstone][RFC PATCH] conf: machine: include: k3 enable fit signing for uboot
  2023-05-11  6:24 [meta-ti][master/kirkstone][RFC PATCH] conf: machine: include: k3 enable fit signing for uboot Manorit Chawdhry
@ 2023-05-11 15:47 ` Denys Dmytriyenko
  2023-05-11 16:20   ` Ricardo Salveti
  2023-05-11 16:18 ` Ricardo Salveti
  1 sibling, 1 reply; 7+ messages in thread
From: Denys Dmytriyenko @ 2023-05-11 15:47 UTC (permalink / raw)
  To: m-chawdhry
  Cc: meta-ti, Ryan Eatmon, Denys Dmytriyenko, Vignesh Raghavendra,
	Praneeth Bajjuri, Udit Kumar, Andrew Davis, Kamlesh Gurudasani

On Thu, May 11, 2023 at 11:54:00AM +0530, Manorit Chawdhry via lists.yoctoproject.org wrote:
> Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
> ---
> To: Ryan Eatmon <reatmon@ti.com>
> To: Denys Dmytriyenko <denys@ti.com>
> Cc: meta-ti@lists.yoctoproject.org
> Cc: Vignesh Raghavendra <vigneshr@ti.com>
> Cc: Praneeth Bajjuri <praneeth@ti.com>
> Cc: Udit Kumar <u-kumar1@ti.com>
> Cc: Andrew Davis <afd@ti.com>
> Cc: Kamlesh Gurudasani <kamlesh@ti.com>
> ---
>  meta-ti-bsp/conf/machine/include/k3.inc | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/meta-ti-bsp/conf/machine/include/k3.inc b/meta-ti-bsp/conf/machine/include/k3.inc
> index fff1550564b3..ab7e45a8016f 100644
> --- a/meta-ti-bsp/conf/machine/include/k3.inc
> +++ b/meta-ti-bsp/conf/machine/include/k3.inc
> @@ -31,6 +31,12 @@ SPL_BINARY = "tispl.bin"
>  SPL_BINARYNAME = "tispl.bin"
>  UBOOT_SUFFIX = "img"
>  
> +UBOOT_SIGN_ENABLE = "1"
> +UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb"
> +UBOOT_SIGN_KEYNAME = "uboot_signing_dev_key"
> +UBOOT_SIGN_KEYDIR = "${DEPLOY_DIR_IMAGE}/u-boot-keys"

How do the keys get in there? Are there extra docs/instructions?


> +FIT_GENERATE_KEYS = "1"
> +
>  EXTRA_IMAGEDEPENDS += "virtual/bootloader"
>  
>  TFA_PLATFORM = "k3"
> 
> ---
> base-commit: a9b35f1e7c3a7746fb4f6807166bcb27ba9ca5eb
> change-id: 20230509-b4-k3-fit-signing-316ca2af859c
> 
> Best regards,
> -- 
> Manorit Chawdhry <m-chawdhry@ti.com>



* Re: [meta-ti][master/kirkstone][RFC PATCH] conf: machine: include: k3 enable fit signing for uboot
  2023-05-11  6:24 [meta-ti][master/kirkstone][RFC PATCH] conf: machine: include: k3 enable fit signing for uboot Manorit Chawdhry
  2023-05-11 15:47 ` Denys Dmytriyenko
@ 2023-05-11 16:18 ` Ricardo Salveti
  1 sibling, 0 replies; 7+ messages in thread
From: Ricardo Salveti @ 2023-05-11 16:18 UTC (permalink / raw)
  To: m-chawdhry
  Cc: meta-ti, Ryan Eatmon, Denys Dmytriyenko, Vignesh Raghavendra,
	Praneeth Bajjuri, Udit Kumar, Andrew Davis, Kamlesh Gurudasani

On Thu, May 11, 2023 at 3:24 AM Manorit Chawdhry via
lists.yoctoproject.org <m-chawdhry=ti.com@lists.yoctoproject.org>
wrote:
>
> Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
> ---
> To: Ryan Eatmon <reatmon@ti.com>
> To: Denys Dmytriyenko <denys@ti.com>
> Cc: meta-ti@lists.yoctoproject.org
> Cc: Vignesh Raghavendra <vigneshr@ti.com>
> Cc: Praneeth Bajjuri <praneeth@ti.com>
> Cc: Udit Kumar <u-kumar1@ti.com>
> Cc: Andrew Davis <afd@ti.com>
> Cc: Kamlesh Gurudasani <kamlesh@ti.com>
> ---
>  meta-ti-bsp/conf/machine/include/k3.inc | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/meta-ti-bsp/conf/machine/include/k3.inc b/meta-ti-bsp/conf/machine/include/k3.inc
> index fff1550564b3..ab7e45a8016f 100644
> --- a/meta-ti-bsp/conf/machine/include/k3.inc
> +++ b/meta-ti-bsp/conf/machine/include/k3.inc
> @@ -31,6 +31,12 @@ SPL_BINARY = "tispl.bin"
>  SPL_BINARYNAME = "tispl.bin"
>  UBOOT_SUFFIX = "img"
>
> +UBOOT_SIGN_ENABLE = "1"
> +UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb"
> +UBOOT_SIGN_KEYNAME = "uboot_signing_dev_key"
> +UBOOT_SIGN_KEYDIR = "${DEPLOY_DIR_IMAGE}/u-boot-keys"
> +FIT_GENERATE_KEYS = "1"

I think it is better to make this decision a bit more flexible by
using ?= instead of a hard set, since distros might not want to use
automatically generated keys (and keys with a different name as well).

Cheers,
-- 
Ricardo Salveti



* Re: [meta-ti][master/kirkstone][RFC PATCH] conf: machine: include: k3 enable fit signing for uboot
  2023-05-11 15:47 ` Denys Dmytriyenko
@ 2023-05-11 16:20   ` Ricardo Salveti
  2023-05-11 16:44     ` Denys Dmytriyenko
  2023-05-12  5:44     ` Manorit Chawdhry
  0 siblings, 2 replies; 7+ messages in thread
From: Ricardo Salveti @ 2023-05-11 16:20 UTC (permalink / raw)
  To: Denys Dmytriyenko
  Cc: m-chawdhry, meta-ti, Ryan Eatmon, Denys Dmytriyenko,
	Vignesh Raghavendra, Praneeth Bajjuri, Udit Kumar, Andrew Davis,
	Kamlesh Gurudasani

On Thu, May 11, 2023 at 12:48 PM Denys Dmytriyenko <denis@denix.org> wrote:
>
> On Thu, May 11, 2023 at 11:54:00AM +0530, Manorit Chawdhry via lists.yoctoproject.org wrote:
> > Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
> > ---
> > To: Ryan Eatmon <reatmon@ti.com>
> > To: Denys Dmytriyenko <denys@ti.com>
> > Cc: meta-ti@lists.yoctoproject.org
> > Cc: Vignesh Raghavendra <vigneshr@ti.com>
> > Cc: Praneeth Bajjuri <praneeth@ti.com>
> > Cc: Udit Kumar <u-kumar1@ti.com>
> > Cc: Andrew Davis <afd@ti.com>
> > Cc: Kamlesh Gurudasani <kamlesh@ti.com>
> > ---
> >  meta-ti-bsp/conf/machine/include/k3.inc | 6 ++++++
> >  1 file changed, 6 insertions(+)
> >
> > diff --git a/meta-ti-bsp/conf/machine/include/k3.inc b/meta-ti-bsp/conf/machine/include/k3.inc
> > index fff1550564b3..ab7e45a8016f 100644
> > --- a/meta-ti-bsp/conf/machine/include/k3.inc
> > +++ b/meta-ti-bsp/conf/machine/include/k3.inc
> > @@ -31,6 +31,12 @@ SPL_BINARY = "tispl.bin"
> >  SPL_BINARYNAME = "tispl.bin"
> >  UBOOT_SUFFIX = "img"
> >
> > +UBOOT_SIGN_ENABLE = "1"
> > +UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb"
> > +UBOOT_SIGN_KEYNAME = "uboot_signing_dev_key"
> > +UBOOT_SIGN_KEYDIR = "${DEPLOY_DIR_IMAGE}/u-boot-keys"
>
> How do the keys get in there? Are there extra docs/instructions?

FIT_GENERATE_KEYS set to 1 forces the key to be automatically
generated by openembedded-core/meta/classes/uboot-sign.bbclass, so
they are created during build time.

Cheers,
-- 
Ricardo Salveti



* Re: [meta-ti][master/kirkstone][RFC PATCH] conf: machine: include: k3 enable fit signing for uboot
  2023-05-11 16:20   ` Ricardo Salveti
@ 2023-05-11 16:44     ` Denys Dmytriyenko
  2023-05-12  5:44       ` Manorit Chawdhry
  2023-05-12  5:44     ` Manorit Chawdhry
  1 sibling, 1 reply; 7+ messages in thread
From: Denys Dmytriyenko @ 2023-05-11 16:44 UTC (permalink / raw)
  To: Ricardo Salveti
  Cc: m-chawdhry, meta-ti, Ryan Eatmon, Denys Dmytriyenko,
	Vignesh Raghavendra, Praneeth Bajjuri, Udit Kumar, Andrew Davis,
	Kamlesh Gurudasani

On Thu, May 11, 2023 at 01:20:08PM -0300, Ricardo Salveti wrote:
> On Thu, May 11, 2023 at 12:48 PM Denys Dmytriyenko <denis@denix.org> wrote:
> >
> > On Thu, May 11, 2023 at 11:54:00AM +0530, Manorit Chawdhry via lists.yoctoproject.org wrote:
> > > Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
> > > ---
> > > To: Ryan Eatmon <reatmon@ti.com>
> > > To: Denys Dmytriyenko <denys@ti.com>
> > > Cc: meta-ti@lists.yoctoproject.org
> > > Cc: Vignesh Raghavendra <vigneshr@ti.com>
> > > Cc: Praneeth Bajjuri <praneeth@ti.com>
> > > Cc: Udit Kumar <u-kumar1@ti.com>
> > > Cc: Andrew Davis <afd@ti.com>
> > > Cc: Kamlesh Gurudasani <kamlesh@ti.com>
> > > ---
> > >  meta-ti-bsp/conf/machine/include/k3.inc | 6 ++++++
> > >  1 file changed, 6 insertions(+)
> > >
> > > diff --git a/meta-ti-bsp/conf/machine/include/k3.inc b/meta-ti-bsp/conf/machine/include/k3.inc
> > > index fff1550564b3..ab7e45a8016f 100644
> > > --- a/meta-ti-bsp/conf/machine/include/k3.inc
> > > +++ b/meta-ti-bsp/conf/machine/include/k3.inc
> > > @@ -31,6 +31,12 @@ SPL_BINARY = "tispl.bin"
> > >  SPL_BINARYNAME = "tispl.bin"
> > >  UBOOT_SUFFIX = "img"
> > >
> > > +UBOOT_SIGN_ENABLE = "1"
> > > +UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb"
> > > +UBOOT_SIGN_KEYNAME = "uboot_signing_dev_key"
> > > +UBOOT_SIGN_KEYDIR = "${DEPLOY_DIR_IMAGE}/u-boot-keys"
> >
> > How do the keys get in there? Are there extra docs/instructions?
> 
> FIT_GENERATE_KEYS set to 1 forces the key to be automatically
> generated by openembedded-core/meta/classes/uboot-sign.bbclass, so
> they are created during build time.

I know, and that is fine for development, but not so much for production - 
that is why I asked for docs/instructions for someone to deploy their own 
keys and disable autogeneration.

-- 
Denys
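
The concerns raised in this thread (hard assignments, build-time key generation, a key directory under the deploy directory) written as a small check over a BitBake configuration fragment. This is an added example, not part of the thread or of meta-ti; the REVISED fragment, its key name and its key directory are constructed for illustration.

```python
import re

# NAME <op> "value" for plain BitBake variables (override suffixes are not handled).
ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)\s*(\?\?=|\?=|:=|\+=|=\+|\.=|=\.|=)\s*"(.*)"\s*$')
SIGNING_VARS = ("UBOOT_SIGN_ENABLE", "UBOOT_SIGN_KEYNAME",
                "UBOOT_SIGN_KEYDIR", "FIT_GENERATE_KEYS")

def parse(text):
    """Map each variable to the (operator, value) of its last assignment."""
    conf = {}
    for line in text.splitlines():
        m = ASSIGN.match(line)
        if m:
            conf[m.group(1)] = (m.group(2), m.group(3))
    return conf

def audit(text):
    """Return findings for the signing variables discussed in the thread."""
    conf = parse(text)
    findings = []
    for name in SIGNING_VARS:
        if name in conf and conf[name][0] not in ("?=", "??="):
            findings.append(f"{name}: hard-set with '{conf[name][0]}', not a weak default")
    if conf.get("FIT_GENERATE_KEYS", ("", "0"))[1] == "1":
        findings.append("FIT_GENERATE_KEYS: signing key is generated during the build")
    if "${DEPLOY_DIR" in conf.get("UBOOT_SIGN_KEYDIR", ("", ""))[1]:
        findings.append("UBOOT_SIGN_KEYDIR: key directory is inside the deploy directory")
    return findings

# The assignments the patch adds to k3.inc, copied from the hunk.
PATCHED = '''
UBOOT_SIGN_ENABLE = "1"
UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb"
UBOOT_SIGN_KEYNAME = "uboot_signing_dev_key"
UBOOT_SIGN_KEYDIR = "${DEPLOY_DIR_IMAGE}/u-boot-keys"
FIT_GENERATE_KEYS = "1"
'''

# Constructed alternative: weak defaults, as suggested in the thread, with a
# hypothetical key name and key directory for a key supplied by the distro.
REVISED = '''
UBOOT_SIGN_ENABLE ?= "1"
UBOOT_SIGN_KEYNAME ?= "example_product_key"
UBOOT_SIGN_KEYDIR ?= "${TOPDIR}/../signing-keys"
FIT_GENERATE_KEYS ?= "0"
'''

if __name__ == "__main__":
    for label, text in (("patched", PATCHED), ("revised", REVISED)):
        print(label, audit(text) or "no findings")
```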



* Re: [meta-ti][master/kirkstone][RFC PATCH] conf: machine: include: k3 enable fit signing for uboot
  2023-05-11 16:44     ` Denys Dmytriyenko
@ 2023-05-12  5:44       ` Manorit Chawdhry
  0 siblings, 0 replies; 7+ messages in thread
From: Manorit Chawdhry @ 2023-05-12  5:44 UTC (permalink / raw)
  To: Denys Dmytriyenko
  Cc: Ricardo Salveti, meta-ti, Ryan Eatmon, Denys Dmytriyenko,
	Vignesh Raghavendra, Praneeth Bajjuri, Udit Kumar, Andrew Davis,
	Kamlesh Gurudasani

Hi Denys,

On 12:44-20230511, Denys Dmytriyenko wrote:
> On Thu, May 11, 2023 at 01:20:08PM -0300, Ricardo Salveti wrote:
> > On Thu, May 11, 2023 at 12:48 PM Denys Dmytriyenko <denis@denix.org> wrote:
> > >
> > > On Thu, May 11, 2023 at 11:54:00AM +0530, Manorit Chawdhry via lists.yoctoproject.org wrote:
> > > > Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
> > > > ---
> > > > To: Ryan Eatmon <reatmon@ti.com>
> > > > To: Denys Dmytriyenko <denys@ti.com>
> > > > Cc: meta-ti@lists.yoctoproject.org
> > > > Cc: Vignesh Raghavendra <vigneshr@ti.com>
> > > > Cc: Praneeth Bajjuri <praneeth@ti.com>
> > > > Cc: Udit Kumar <u-kumar1@ti.com>
> > > > Cc: Andrew Davis <afd@ti.com>
> > > > Cc: Kamlesh Gurudasani <kamlesh@ti.com>
> > > > ---
> > > >  meta-ti-bsp/conf/machine/include/k3.inc | 6 ++++++
> > > >  1 file changed, 6 insertions(+)
> > > >
> > > > diff --git a/meta-ti-bsp/conf/machine/include/k3.inc b/meta-ti-bsp/conf/machine/include/k3.inc
> > > > index fff1550564b3..ab7e45a8016f 100644
> > > > --- a/meta-ti-bsp/conf/machine/include/k3.inc
> > > > +++ b/meta-ti-bsp/conf/machine/include/k3.inc
> > > > @@ -31,6 +31,12 @@ SPL_BINARY = "tispl.bin"
> > > >  SPL_BINARYNAME = "tispl.bin"
> > > >  UBOOT_SUFFIX = "img"
> > > >
> > > > +UBOOT_SIGN_ENABLE = "1"
> > > > +UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb"
> > > > +UBOOT_SIGN_KEYNAME = "uboot_signing_dev_key"
> > > > +UBOOT_SIGN_KEYDIR = "${DEPLOY_DIR_IMAGE}/u-boot-keys"
> > >
> > > How do the keys get in there? Are there extra docs/instructions?
> > 
> > FIT_GENERATE_KEYS set to 1 forces the key to be automatically
> > generated by openembedded-core/meta/classes/uboot-sign.bbclass, so
> > they are created during build time.
> 
> I know, and that is fine for development, but not so much for production - 
> that is why I asked for docs/instructions for someone to deploy their own 
> keys and disable autogeneration.
> 

Even I am trying to decide if we should have a ti-dummy keys type of thing
for this or if we should make them dynamic. I believe keeping them
constant would be good for development as well, but I need to get the
opinion of others (and also the place to keep the keys). Let me know if you
guys have any ideas on this.

Regards,
Manorit

> -- 
> Denys



* Re: [meta-ti][master/kirkstone][RFC PATCH] conf: machine: include: k3 enable fit signing for uboot
  2023-05-11 16:20   ` Ricardo Salveti
  2023-05-11 16:44     ` Denys Dmytriyenko
@ 2023-05-12  5:44     ` Manorit Chawdhry
  1 sibling, 0 replies; 7+ messages in thread
From: Manorit Chawdhry @ 2023-05-12  5:44 UTC (permalink / raw)
  To: Ricardo Salveti
  Cc: Denys Dmytriyenko, meta-ti, Ryan Eatmon, Denys Dmytriyenko,
	Vignesh Raghavendra, Praneeth Bajjuri, Udit Kumar, Andrew Davis,
	Kamlesh Gurudasani

On 13:20-20230511, Ricardo Salveti wrote:
> On Thu, May 11, 2023 at 12:48 PM Denys Dmytriyenko <denis@denix.org> wrote:
> >
> > On Thu, May 11, 2023 at 11:54:00AM +0530, Manorit Chawdhry via lists.yoctoproject.org wrote:
> > > Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
> > > ---
> > > To: Ryan Eatmon <reatmon@ti.com>
> > > To: Denys Dmytriyenko <denys@ti.com>
> > > Cc: meta-ti@lists.yoctoproject.org
> > > Cc: Vignesh Raghavendra <vigneshr@ti.com>
> > > Cc: Praneeth Bajjuri <praneeth@ti.com>
> > > Cc: Udit Kumar <u-kumar1@ti.com>
> > > Cc: Andrew Davis <afd@ti.com>
> > > Cc: Kamlesh Gurudasani <kamlesh@ti.com>
> > > ---
> > >  meta-ti-bsp/conf/machine/include/k3.inc | 6 ++++++
> > >  1 file changed, 6 insertions(+)
> > >
> > > diff --git a/meta-ti-bsp/conf/machine/include/k3.inc b/meta-ti-bsp/conf/machine/include/k3.inc
> > > index fff1550564b3..ab7e45a8016f 100644
> > > --- a/meta-ti-bsp/conf/machine/include/k3.inc
> > > +++ b/meta-ti-bsp/conf/machine/include/k3.inc
> > > @@ -31,6 +31,12 @@ SPL_BINARY = "tispl.bin"
> > >  SPL_BINARYNAME = "tispl.bin"
> > >  UBOOT_SUFFIX = "img"
> > >
> > > +UBOOT_SIGN_ENABLE = "1"
> > > +UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb"
> > > +UBOOT_SIGN_KEYNAME = "uboot_signing_dev_key"
> > > +UBOOT_SIGN_KEYDIR = "${DEPLOY_DIR_IMAGE}/u-boot-keys"
> >
> > How do the keys get in there? Are there extra docs/instructions?
> 
> FIT_GENERATE_KEYS set to 1 forces the key to be automatically
> generated by openembedded-core/meta/classes/uboot-sign.bbclass, so
> they are created during build time.
> 

Sure, would update the same, thanks!

Regards,
Manorit

> Cheers,
> -- 
> Ricardo Salveti

