[OE-core][PATCH] uboot-sign: Rebuild binman image with configuration signing keys

[OE-core][PATCH] uboot-sign: Rebuild binman image with configuration signing keys

[Kory Maincent]

When using binman to generate U-Boot images, the configuration signing
keys are not included in the final image. This occurs because the binman
image is not regenerated after the configuration signing keys are added
to the device tree.

In case binman is used, regenerate the image with the updated device tree
containing the configuration signing keys. This ensures the signed
configuration is properly included in the final U-Boot image.

Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
---
 meta/classes-recipe/uboot-sign.bbclass | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass
index 9cb5c6ccf3..9268bfc451 100644
--- a/meta/classes-recipe/uboot-sign.bbclass
+++ b/meta/classes-recipe/uboot-sign.bbclass
@@ -192,6 +192,15 @@ concat_dtb() {
 				-k "${UBOOT_DTB_BINARY}" \
 				-f ${B}/unused.itb
 		fi
+
+		# Regenerate binman image with the newly signed key
+		if [ "${UBOOT_BINMAN_IMAGE}" = "1" ] && [ -f "..binman_stamp.cmd" ]; then
+			binman_cmd=$(sed -n 's/^cmd_[^:]*:= *//p' ..binman_stamp.cmd)
+			dtb_binary=$(basename ${UBOOT_DTB_BINARY} .dtb)
+			binman_cmd="${binman_cmd} -a of-list=\"${dtb_binary}\" -a default-dt=\"${dtb_binary}\""
+			eval ${binman_cmd}
+		fi
+
 		cp ${UBOOT_DTB_BINARY} ${UBOOT_DTB_SIGNED}
 	fi
 
-- 
2.43.0