[BACKPORT] uboot-sign: fix U-Boot binary with public key

[BACKPORT] uboot-sign: fix U-Boot binary with public key

[Clayton Casciato]

Hi, Steve!

I would like to backport this from master to Styhead and Scarthgap.

Thank you!

Clayton Casciato

--

commit 0d14e99aa18ee38293df63d585fafc270a4538be
Author: Clayton Casciato <majortomtosourcecontrol@gmail.com>
Date:   Fri Nov 22 08:00:00 2024 -0700

    uboot-sign: fix U-Boot binary with public key
    
    Fixes [YOCTO #15649]
    
    The U-Boot binary in the "deploy" directory is missing the public key
    when the removed logic branch is used.
    
    The simple concatenation of the binary and DTB with public key works as
    expected on a BeagleBone Black.
    
    Given:
    MACHINE = beaglebone-yocto
    UBOOT_SIGN_KEYNAME = "dev"
    
    Post-patch (poky/build/tmp/deploy/images/beaglebone-yocto):
    $ hexdump -e "16 \"%_p\" \"\\n\"" u-boot-beaglebone-yocto.dtb \
    | tr -d '\n' | grep -o 'key-dev'
    key-dev
    
    $ hexdump -e "16 \"%_p\" \"\\n\"" u-boot.img \
    | tr -d '\n' | grep -o 'key-dev'
    key-dev
    
    Non-Poky BeagleBone Black testing (Scarthgap):
    U-Boot 2024.01 [...]
    [...]
    Using 'conf-ti_omap_am335x-boneblack.dtb' configuration
    Verifying Hash Integrity ... sha256,rsa4096:dev+ OK
    Trying 'kernel-1' kernel subimage
    [...]
    
    Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass
index a17be745ce..7ee73b872a 100644
--- a/meta/classes-recipe/uboot-sign.bbclass
+++ b/meta/classes-recipe/uboot-sign.bbclass
@@ -122,13 +122,7 @@ concat_dtb() {
 	# If we're not using a signed u-boot fit, concatenate SPL w/o DTB & U-Boot DTB
 	# with public key (otherwise U-Boot will be packaged by uboot_fitimage_assemble)
 	if [ "${SPL_SIGN_ENABLE}" != "1" ] ; then
-		if [ "x${UBOOT_SUFFIX}" = "ximg" -o "x${UBOOT_SUFFIX}" = "xrom" ] && \
-			[ -e "${UBOOT_DTB_BINARY}" ]; then
-			oe_runmake EXT_DTB="${UBOOT_DTB_SIGNED}" ${UBOOT_MAKE_TARGET}
-			if [ -n "${binary}" ]; then
-				cp ${binary} ${UBOOT_BINARYNAME}-${type}.${UBOOT_SUFFIX}
-			fi
-		elif [ -e "${UBOOT_NODTB_BINARY}" -a -e "${UBOOT_DTB_BINARY}" ]; then
+		if [ -e "${UBOOT_NODTB_BINARY}" -a -e "${UBOOT_DTB_BINARY}" ]; then
 			if [ -n "${binary}" ]; then
 				cat ${UBOOT_NODTB_BINARY} ${UBOOT_DTB_SIGNED} | tee ${binary} > \
 					${UBOOT_BINARYNAME}-${type}.${UBOOT_SUFFIX}

Patchtest results for [BACKPORT] uboot-sign: fix U-Boot binary with public key

[patchtest]

[-- Attachment #1: Type: text/plain, Size: 3196 bytes --]

Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:

---
Testing patch /home/patchtest/share/mboxes/BACKPORT-uboot-sign-fix-U-Boot-binary-with-public-key.patch

FAIL: test Signed-off-by presence: Mbox is missing Signed-off-by. Add it manually or with "git commit --amend -s" (test_mbox.TestMbox.test_signed_off_by_presence)

PASS: test author valid (test_mbox.TestMbox.test_author_valid)
PASS: test commit message presence (test_mbox.TestMbox.test_commit_message_presence)
PASS: test commit message user tags (test_mbox.TestMbox.test_commit_message_user_tags)
PASS: test max line length (test_metadata.TestMetadata.test_max_line_length)
PASS: test mbox format (test_mbox.TestMbox.test_mbox_format)
PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade)
PASS: test shortlog format (test_mbox.TestMbox.test_shortlog_format)
PASS: test shortlog length (test_mbox.TestMbox.test_shortlog_length)
PASS: test target mailing list (test_mbox.TestMbox.test_target_mailing_list)

SKIP: pretest pylint: No python related patches, skipping test (test_python_pylint.PyLint.pretest_pylint)
SKIP: pretest src uri left files: No modified recipes, skipping pretest (test_metadata.TestMetadata.pretest_src_uri_left_files)
SKIP: test CVE check ignore: No modified recipes or older target branch, skipping test (test_metadata.TestMetadata.test_cve_check_ignore)
SKIP: test CVE tag format: No new CVE patches introduced (test_patch.TestPatch.test_cve_tag_format)
SKIP: test Signed-off-by presence: No new CVE patches introduced (test_patch.TestPatch.test_signed_off_by_presence)
SKIP: test Upstream-Status presence: No new CVE patches introduced (test_patch.TestPatch.test_upstream_status_presence_format)
SKIP: test bugzilla entry format: No bug ID found (test_mbox.TestMbox.test_bugzilla_entry_format)
SKIP: test lic files chksum modified not mentioned: No modified recipes, skipping test (test_metadata.TestMetadata.test_lic_files_chksum_modified_not_mentioned)
SKIP: test lic files chksum presence: No added recipes, skipping test (test_metadata.TestMetadata.test_lic_files_chksum_presence)
SKIP: test license presence: No added recipes, skipping test (test_metadata.TestMetadata.test_license_presence)
SKIP: test pylint: No python related patches, skipping test (test_python_pylint.PyLint.test_pylint)
SKIP: test series merge on head: Merge test is disabled for now (test_mbox.TestMbox.test_series_merge_on_head)
SKIP: test src uri left files: No modified recipes, skipping pretest (test_metadata.TestMetadata.test_src_uri_left_files)
SKIP: test summary presence: No added recipes, skipping test (test_metadata.TestMetadata.test_summary_presence)

---

Please address the issues identified and
submit a new revision of the patch, or alternatively, reply to this
email with an explanation of why the patch should be accepted. If you
believe these results are due to an error in patchtest, please submit a
bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest' category
under 'Yocto Project Subprojects'). For more information on specific
failures, see: https://wiki.yoctoproject.org/wiki/Patchtest. Thank
you!

Re: Patchtest results for [BACKPORT] uboot-sign: fix U-Boot binary with public key

[Clayton Casciato]

> Thank you for your submission. Patchtest identified one
> or more issues with the patch. Please see the log below for
> more information:
> 
> ---
> Testing patch /home/patchtest/share/mboxes/BACKPORT-uboot-sign-fix-U-Boot-binary-with-public-key.patch
> 
> FAIL: test Signed-off-by presence: Mbox is missing Signed-off-by. Add it manually or with "git commit --amend -s" (test_mbox.TestMbox.test_signed_off_by_presence)

This is a backport request and references a commit in master (which has the appropriate signoffs).

I am happy to change my backport request formatting as needed to avoid this false positive.

> 
> PASS: test author valid (test_mbox.TestMbox.test_author_valid)
> PASS: test commit message presence (test_mbox.TestMbox.test_commit_message_presence)
> PASS: test commit message user tags (test_mbox.TestMbox.test_commit_message_user_tags)
> PASS: test max line length (test_metadata.TestMetadata.test_max_line_length)
> PASS: test mbox format (test_mbox.TestMbox.test_mbox_format)
> PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade)
> PASS: test shortlog format (test_mbox.TestMbox.test_shortlog_format)
> PASS: test shortlog length (test_mbox.TestMbox.test_shortlog_length)
> PASS: test target mailing list (test_mbox.TestMbox.test_target_mailing_list)
> 
> SKIP: pretest pylint: No python related patches, skipping test (test_python_pylint.PyLint.pretest_pylint)
> SKIP: pretest src uri left files: No modified recipes, skipping pretest (test_metadata.TestMetadata.pretest_src_uri_left_files)
> SKIP: test CVE check ignore: No modified recipes or older target branch, skipping test (test_metadata.TestMetadata.test_cve_check_ignore)
> SKIP: test CVE tag format: No new CVE patches introduced (test_patch.TestPatch.test_cve_tag_format)
> SKIP: test Signed-off-by presence: No new CVE patches introduced (test_patch.TestPatch.test_signed_off_by_presence)
> SKIP: test Upstream-Status presence: No new CVE patches introduced (test_patch.TestPatch.test_upstream_status_presence_format)
> SKIP: test bugzilla entry format: No bug ID found (test_mbox.TestMbox.test_bugzilla_entry_format)
> SKIP: test lic files chksum modified not mentioned: No modified recipes, skipping test (test_metadata.TestMetadata.test_lic_files_chksum_modified_not_mentioned)
> SKIP: test lic files chksum presence: No added recipes, skipping test (test_metadata.TestMetadata.test_lic_files_chksum_presence)
> SKIP: test license presence: No added recipes, skipping test (test_metadata.TestMetadata.test_license_presence)
> SKIP: test pylint: No python related patches, skipping test (test_python_pylint.PyLint.test_pylint)
> SKIP: test series merge on head: Merge test is disabled for now (test_mbox.TestMbox.test_series_merge_on_head)
> SKIP: test src uri left files: No modified recipes, skipping pretest (test_metadata.TestMetadata.test_src_uri_left_files)
> SKIP: test summary presence: No added recipes, skipping test (test_metadata.TestMetadata.test_summary_presence)
> 
> ---
> 
> Please address the issues identified and
> submit a new revision of the patch, or alternatively, reply to this
> email with an explanation of why the patch should be accepted. If you
> believe these results are due to an error in patchtest, please submit a
> bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest' category
> under 'Yocto Project Subprojects'). For more information on specific
> failures, see: https://wiki.yoctoproject.org/wiki/Patchtest. Thank
> you!

Re: [OE-core] [BACKPORT] uboot-sign: fix U-Boot binary with public key

[Denys Dmytriyenko]

Clayton,

This is not the way to request backports. Please just read the list for past 
submissions and it will be clear how those should be made.


Steve,

Please do NOT backport this change to stable releases, as it seems incorrect 
and causes issues downstream and should probably get reverted from master. 

Thanks.



On Tue, Nov 26, 2024 at 08:17:34AM -0700, Clayton Casciato via lists.openembedded.org wrote:
> Hi, Steve!
> 
> I would like to backport this from master to Styhead and Scarthgap.
> 
> Thank you!
> 
> Clayton Casciato
> 
> --
> 
> commit 0d14e99aa18ee38293df63d585fafc270a4538be
> Author: Clayton Casciato <majortomtosourcecontrol@gmail.com>
> Date:   Fri Nov 22 08:00:00 2024 -0700
> 
>     uboot-sign: fix U-Boot binary with public key
>     
>     Fixes [YOCTO #15649]
>     
>     The U-Boot binary in the "deploy" directory is missing the public key
>     when the removed logic branch is used.
>     
>     The simple concatenation of the binary and DTB with public key works as
>     expected on a BeagleBone Black.
>     
>     Given:
>     MACHINE = beaglebone-yocto
>     UBOOT_SIGN_KEYNAME = "dev"
>     
>     Post-patch (poky/build/tmp/deploy/images/beaglebone-yocto):
>     $ hexdump -e "16 \"%_p\" \"\\n\"" u-boot-beaglebone-yocto.dtb \
>     | tr -d '\n' | grep -o 'key-dev'
>     key-dev
>     
>     $ hexdump -e "16 \"%_p\" \"\\n\"" u-boot.img \
>     | tr -d '\n' | grep -o 'key-dev'
>     key-dev
>     
>     Non-Poky BeagleBone Black testing (Scarthgap):
>     U-Boot 2024.01 [...]
>     [...]
>     Using 'conf-ti_omap_am335x-boneblack.dtb' configuration
>     Verifying Hash Integrity ... sha256,rsa4096:dev+ OK
>     Trying 'kernel-1' kernel subimage
>     [...]
>     
>     Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
>     Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> 
> diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass
> index a17be745ce..7ee73b872a 100644
> --- a/meta/classes-recipe/uboot-sign.bbclass
> +++ b/meta/classes-recipe/uboot-sign.bbclass
> @@ -122,13 +122,7 @@ concat_dtb() {
>  	# If we're not using a signed u-boot fit, concatenate SPL w/o DTB & U-Boot DTB
>  	# with public key (otherwise U-Boot will be packaged by uboot_fitimage_assemble)
>  	if [ "${SPL_SIGN_ENABLE}" != "1" ] ; then
> -		if [ "x${UBOOT_SUFFIX}" = "ximg" -o "x${UBOOT_SUFFIX}" = "xrom" ] && \
> -			[ -e "${UBOOT_DTB_BINARY}" ]; then
> -			oe_runmake EXT_DTB="${UBOOT_DTB_SIGNED}" ${UBOOT_MAKE_TARGET}
> -			if [ -n "${binary}" ]; then
> -				cp ${binary} ${UBOOT_BINARYNAME}-${type}.${UBOOT_SUFFIX}
> -			fi
> -		elif [ -e "${UBOOT_NODTB_BINARY}" -a -e "${UBOOT_DTB_BINARY}" ]; then
> +		if [ -e "${UBOOT_NODTB_BINARY}" -a -e "${UBOOT_DTB_BINARY}" ]; then
>  			if [ -n "${binary}" ]; then
>  				cat ${UBOOT_NODTB_BINARY} ${UBOOT_DTB_SIGNED} | tee ${binary} > \
>  					${UBOOT_BINARYNAME}-${type}.${UBOOT_SUFFIX}
> 

Re: [OE-core] [BACKPORT] uboot-sign: fix U-Boot binary with public key

[Clayton Casciato]

On 12/6/24 4:30 PM, Denys Dmytriyenko wrote:
> Clayton,

Hi, Denys

> 
> This is not the way to request backports. Please just read the list for past 
> submissions and it will be clear how those should be made.

Steve has previously communicated this is an acceptable format.
Please see https://lists.openembedded.org/g/openembedded-core/message/207185

I take it you would prefer to see a distinct request for each branch.

> 
> 
> Steve,
> 
> Please do NOT backport this change to stable releases, as it seems incorrect 
> and causes issues downstream and should probably get reverted from master.

I agree given the feedback.

> 
> Thanks.

Thank you!

> 
> 
> 
> On Tue, Nov 26, 2024 at 08:17:34AM -0700, Clayton Casciato via lists.openembedded.org wrote:
>> Hi, Steve!
>>
>> I would like to backport this from master to Styhead and Scarthgap.
>>
>> Thank you!
>>
>> Clayton Casciato
>>
>> --
>>
>> commit 0d14e99aa18ee38293df63d585fafc270a4538be
>> Author: Clayton Casciato <majortomtosourcecontrol@gmail.com>
>> Date:   Fri Nov 22 08:00:00 2024 -0700
>>
>>     uboot-sign: fix U-Boot binary with public key
>>     
>>     Fixes [YOCTO #15649]
>>     
>>     The U-Boot binary in the "deploy" directory is missing the public key
>>     when the removed logic branch is used.
>>     
>>     The simple concatenation of the binary and DTB with public key works as
>>     expected on a BeagleBone Black.
>>     
>>     Given:
>>     MACHINE = beaglebone-yocto
>>     UBOOT_SIGN_KEYNAME = "dev"
>>     
>>     Post-patch (poky/build/tmp/deploy/images/beaglebone-yocto):
>>     $ hexdump -e "16 \"%_p\" \"\\n\"" u-boot-beaglebone-yocto.dtb \
>>     | tr -d '\n' | grep -o 'key-dev'
>>     key-dev
>>     
>>     $ hexdump -e "16 \"%_p\" \"\\n\"" u-boot.img \
>>     | tr -d '\n' | grep -o 'key-dev'
>>     key-dev
>>     
>>     Non-Poky BeagleBone Black testing (Scarthgap):
>>     U-Boot 2024.01 [...]
>>     [...]
>>     Using 'conf-ti_omap_am335x-boneblack.dtb' configuration
>>     Verifying Hash Integrity ... sha256,rsa4096:dev+ OK
>>     Trying 'kernel-1' kernel subimage
>>     [...]
>>     
>>     Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
>>     Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
>>
>> diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass
>> index a17be745ce..7ee73b872a 100644
>> --- a/meta/classes-recipe/uboot-sign.bbclass
>> +++ b/meta/classes-recipe/uboot-sign.bbclass
>> @@ -122,13 +122,7 @@ concat_dtb() {
>>  	# If we're not using a signed u-boot fit, concatenate SPL w/o DTB & U-Boot DTB
>>  	# with public key (otherwise U-Boot will be packaged by uboot_fitimage_assemble)
>>  	if [ "${SPL_SIGN_ENABLE}" != "1" ] ; then
>> -		if [ "x${UBOOT_SUFFIX}" = "ximg" -o "x${UBOOT_SUFFIX}" = "xrom" ] && \
>> -			[ -e "${UBOOT_DTB_BINARY}" ]; then
>> -			oe_runmake EXT_DTB="${UBOOT_DTB_SIGNED}" ${UBOOT_MAKE_TARGET}
>> -			if [ -n "${binary}" ]; then
>> -				cp ${binary} ${UBOOT_BINARYNAME}-${type}.${UBOOT_SUFFIX}
>> -			fi
>> -		elif [ -e "${UBOOT_NODTB_BINARY}" -a -e "${UBOOT_DTB_BINARY}" ]; then
>> +		if [ -e "${UBOOT_NODTB_BINARY}" -a -e "${UBOOT_DTB_BINARY}" ]; then
>>  			if [ -n "${binary}" ]; then
>>  				cat ${UBOOT_NODTB_BINARY} ${UBOOT_DTB_SIGNED} | tee ${binary} > \
>>  					${UBOOT_BINARYNAME}-${type}.${UBOOT_SUFFIX}
>>