Re: [OE-core] [BACKPORT] uboot-sign: fix U-Boot binary with public key

[Denys Dmytriyenko <denis@denix.org>]

Clayton,

This is not the way to request backports. Please just read the list for past 
submissions and it will be clear how those should be made.


Steve,

Please do NOT backport this change to stable releases, as it seems incorrect 
and causes issues downstream and should probably get reverted from master. 

Thanks.



On Tue, Nov 26, 2024 at 08:17:34AM -0700, Clayton Casciato via lists.openembedded.org wrote:
> Hi, Steve!
> 
> I would like to backport this from master to Styhead and Scarthgap.
> 
> Thank you!
> 
> Clayton Casciato
> 
> --
> 
> commit 0d14e99aa18ee38293df63d585fafc270a4538be
> Author: Clayton Casciato <majortomtosourcecontrol@gmail.com>
> Date:   Fri Nov 22 08:00:00 2024 -0700
> 
>     uboot-sign: fix U-Boot binary with public key
>     
>     Fixes [YOCTO #15649]
>     
>     The U-Boot binary in the "deploy" directory is missing the public key
>     when the removed logic branch is used.
>     
>     The simple concatenation of the binary and DTB with public key works as
>     expected on a BeagleBone Black.
>     
>     Given:
>     MACHINE = beaglebone-yocto
>     UBOOT_SIGN_KEYNAME = "dev"
>     
>     Post-patch (poky/build/tmp/deploy/images/beaglebone-yocto):
>     $ hexdump -e "16 \"%_p\" \"\\n\"" u-boot-beaglebone-yocto.dtb \
>     | tr -d '\n' | grep -o 'key-dev'
>     key-dev
>     
>     $ hexdump -e "16 \"%_p\" \"\\n\"" u-boot.img \
>     | tr -d '\n' | grep -o 'key-dev'
>     key-dev
>     
>     Non-Poky BeagleBone Black testing (Scarthgap):
>     U-Boot 2024.01 [...]
>     [...]
>     Using 'conf-ti_omap_am335x-boneblack.dtb' configuration
>     Verifying Hash Integrity ... sha256,rsa4096:dev+ OK
>     Trying 'kernel-1' kernel subimage
>     [...]
>     
>     Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
>     Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> 
> diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass
> index a17be745ce..7ee73b872a 100644
> --- a/meta/classes-recipe/uboot-sign.bbclass
> +++ b/meta/classes-recipe/uboot-sign.bbclass
> @@ -122,13 +122,7 @@ concat_dtb() {
>  	# If we're not using a signed u-boot fit, concatenate SPL w/o DTB & U-Boot DTB
>  	# with public key (otherwise U-Boot will be packaged by uboot_fitimage_assemble)
>  	if [ "${SPL_SIGN_ENABLE}" != "1" ] ; then
> -		if [ "x${UBOOT_SUFFIX}" = "ximg" -o "x${UBOOT_SUFFIX}" = "xrom" ] && \
> -			[ -e "${UBOOT_DTB_BINARY}" ]; then
> -			oe_runmake EXT_DTB="${UBOOT_DTB_SIGNED}" ${UBOOT_MAKE_TARGET}
> -			if [ -n "${binary}" ]; then
> -				cp ${binary} ${UBOOT_BINARYNAME}-${type}.${UBOOT_SUFFIX}
> -			fi
> -		elif [ -e "${UBOOT_NODTB_BINARY}" -a -e "${UBOOT_DTB_BINARY}" ]; then
> +		if [ -e "${UBOOT_NODTB_BINARY}" -a -e "${UBOOT_DTB_BINARY}" ]; then
>  			if [ -n "${binary}" ]; then
>  				cat ${UBOOT_NODTB_BINARY} ${UBOOT_DTB_SIGNED} | tee ${binary} > \
>  					${UBOOT_BINARYNAME}-${type}.${UBOOT_SUFFIX}
>