[RFC PATCH 0/4] U-Boot verified boot basic support

[RFC PATCH 0/4] U-Boot verified boot basic support

[Yannick Gicquel]

Hello,

Please find a patchset proposal for U-Boot verified boot basic support.
Before submitting those, I would like to ask people on this list some feedbacks
on the way it's currently implemented.

The verified boot support principle is to sign a kernel fitImage, thanks to an
SSL keypair, and to append a public key in u-boot device tree blob to enable
software integrity check at runtime.

The proposal depends on the U-Boot CONFIG_OF_SEPARATE which in effect splits
U-Boot binaries allowing the DTB file to be outside the main u-boot binaries.

Thus, regarding the current fitImage generation, the following is proposed:

 - extend the generated fit-images.its file from kernel-fitimage.bbclass in
   order to add a 'signature' tag to the configuration section, then add a call
   to uboot-mkimage to sign the fitImage and append the public key to DTB file.

 - add a task in u-boot.inc 'do_assemble_dtb' which concatenates the device
   tree blob with public key to u-boot binary, and organize the u-boot and
   virtual/kernel recipes' tasks this way:

   u-boot:do_deploy -> virtual/kernel:do_assemble_fitimage -> u-boot:do_assemble_dtb

To enable the verified boot, the following variables can be added in a 
configuration file:

   KERNEL_CLASSES ?= " kernel-fitimage "
   KERNEL_IMAGETYPE ?= "fitImage"
   UBOOT_SIGN_KEYDIR = "/signature/keys/directory"
   UBOOT_SIGN_KEYNAME = "dev"
   UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb -p 2000"
   UBOOT_SIGN_ENABLE = "1"

Well, I don't know if these changes are the way to go, but at least I think
this limits the codes changes and it propagates the feature to BSP layers which
uses u-boot.inc. Anyway, I would be pleased to get feedback on this.

Best regards,
Yannick

Yannick Gicquel (4):
  u-boot: basic support of device tree blob reassembly
  u-boot: deploy u-boot nodtb and dtb files
  kernel: fitimage: support device tree compiler options
  kernel: fitimage: basic support for fitimage signature

 meta/classes/kernel-fitimage.bbclass    | 53 +++++++++++++++++++++++++++++++--
 meta/recipes-bsp/u-boot/u-boot-sign.inc | 21 +++++++++++++
 meta/recipes-bsp/u-boot/u-boot.inc      | 36 ++++++++++++++++++++++
 3 files changed, 108 insertions(+), 2 deletions(-)
 create mode 100644 meta/recipes-bsp/u-boot/u-boot-sign.inc

-- 
1.9.1

[RFC PATCH 1/4] u-boot: basic support of device tree blob reassembly

[Yannick Gicquel]

This introduces a new task 'assemble_dtb' to handle the concatenation of U-Boot
without DTB and the compiled U-Boot DTB while using CONFIG_OF_SEPARATE.
Basically, this task merges the u-boot-nodtb.bin and the device tree blob using
the 'cat' command and overrides the u-boot.bin file which is generated
at the compilation step.

This task is intended to be used in the verified-boot image generation process
after the kernel-fitimage class had appended a public key to the device tree
blob. It is placed after the do_deploy and before the do_install tasks and it
replaces the u-boot binaries in both deploy directory and build directory
in order to minimize the changes in later tasks.

Signed-off-by: Yannick Gicquel <yannick.gicquel@iot.bzh>
---
 meta/recipes-bsp/u-boot/u-boot-sign.inc | 21 +++++++++++++++++++++
 meta/recipes-bsp/u-boot/u-boot.inc      | 22 ++++++++++++++++++++++
 2 files changed, 43 insertions(+)
 create mode 100644 meta/recipes-bsp/u-boot/u-boot-sign.inc

diff --git a/meta/recipes-bsp/u-boot/u-boot-sign.inc b/meta/recipes-bsp/u-boot/u-boot-sign.inc
new file mode 100644
index 0000000..c88a2a1
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/u-boot-sign.inc
@@ -0,0 +1,21 @@
+# This file is part of U-Boot verified boot support and is intended to be
+# included from u-boot recipe and from kernel-fitimage.bbclass
+#
+# The signature procedure requires the user to generate an RSA key and
+# certificate in a directory and to define the following variable:
+#
+# UBOOT_SIGN_KEYDIR = "/keys/directory"
+# UBOOT_SIGN_KEYNAME = "dev" # keys name in keydir (eg. "dev.crt", "dev.key")
+# UBOOT_SIGN_ENABLE = "1"
+#
+# The signature support is limited to the use of CONFIG_OF_SEPARATE in U-Boot.
+#
+# For more details, please refer to U-boot documentation.
+
+UBOOT_SIGN_ENABLE ?= "0"
+UBOOT_DTB_IMAGE ?= "u-boot-${MACHINE}-${PV}-${PR}.dtb"
+UBOOT_DTB_BINARY ?= "u-boot.dtb"
+UBOOT_DTB_SYMLINK ?= "u-boot-${MACHINE}.dtb"
+UBOOT_NODTB_IMAGE ?= "u-boot-nodtb-${MACHINE}-${PV}-${PR}.${UBOOT_SUFFIX}"
+UBOOT_NODTB_BINARY ?= "u-boot-nodtb.${UBOOT_SUFFIX}"
+UBOOT_NODTB_SYMLINK ?= "u-boot-nodtb-${MACHINE}.${UBOOT_SUFFIX}"
diff --git a/meta/recipes-bsp/u-boot/u-boot.inc b/meta/recipes-bsp/u-boot/u-boot.inc
index 3ba866d..29b0b95 100644
--- a/meta/recipes-bsp/u-boot/u-boot.inc
+++ b/meta/recipes-bsp/u-boot/u-boot.inc
@@ -65,6 +65,28 @@ UBOOT_ENV_BINARY ?= "${UBOOT_ENV}.${UBOOT_ENV_SUFFIX}"
 UBOOT_ENV_IMAGE ?= "${UBOOT_ENV}-${MACHINE}-${PV}-${PR}.${UBOOT_ENV_SUFFIX}"
 UBOOT_ENV_SYMLINK ?= "${UBOOT_ENV}-${MACHINE}.${UBOOT_ENV_SUFFIX}"
 
+# The use of verified boot requires to share environment variables with kernel
+# fitImage class as the mkimage call requires dtb filepath to append signature
+# public key.
+require u-boot-sign.inc
+
+do_assemble_dtb() {
+	# Concatenate U-Boot w/o DTB & DTB with public key
+	# (cf. kernel-fitimage.bbclass for more details)
+	cd ${DEPLOYDIR}
+	if [ "x${UBOOT_SIGN_ENABLE}" = "x1" ]; then
+		if [ -e "${UBOOT_NODTB_IMAGE}" -a -e "${UBOOT_DTB_IMAGE}" ]; then
+			cat ${UBOOT_NODTB_IMAGE} ${UBOOT_DTB_IMAGE} > ${UBOOT_IMAGE}
+			cat ${UBOOT_NODTB_IMAGE} ${UBOOT_DTB_IMAGE} > ${S}/${UBOOT_BINARY}
+		else
+			bbwarn "Failure while adding public key to u-boot binary. Verified boot won't be available."
+		fi
+	fi
+}
+
+addtask assemble_dtb after do_deploy before do_install
+do_assemble_dtb[depends] += "${@' ${PREFERRED_PROVIDER_virtual/kernel}:do_assemble_fitimage' if '${UBOOT_SIGN_ENABLE}' == '1' else ''}"
+
 do_compile () {
 	if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ld-is-gold', 'ld-is-gold', '', d)}" = "ld-is-gold" ] ; then
 		sed -i 's/$(CROSS_COMPILE)ld$/$(CROSS_COMPILE)ld.bfd/g' config.mk
-- 
1.9.1

Re: [RFC PATCH 1/4] u-boot: basic support of device tree blob reassembly

[Otavio Salvador]

On Tue, Apr 19, 2016 at 9:46 AM, Yannick Gicquel
<yannick.gicquel@iot.bzh> wrote:
> This introduces a new task 'assemble_dtb' to handle the concatenation of U-Boot
> without DTB and the compiled U-Boot DTB while using CONFIG_OF_SEPARATE.
> Basically, this task merges the u-boot-nodtb.bin and the device tree blob using
> the 'cat' command and overrides the u-boot.bin file which is generated
> at the compilation step.
>
> This task is intended to be used in the verified-boot image generation process
> after the kernel-fitimage class had appended a public key to the device tree
> blob. It is placed after the do_deploy and before the do_install tasks and it
> replaces the u-boot binaries in both deploy directory and build directory
> in order to minimize the changes in later tasks.
>
> Signed-off-by: Yannick Gicquel <yannick.gicquel@iot.bzh>
> ---
>  meta/recipes-bsp/u-boot/u-boot-sign.inc | 21 +++++++++++++++++++++
>  meta/recipes-bsp/u-boot/u-boot.inc      | 22 ++++++++++++++++++++++
>  2 files changed, 43 insertions(+)
>  create mode 100644 meta/recipes-bsp/u-boot/u-boot-sign.inc
>
> diff --git a/meta/recipes-bsp/u-boot/u-boot-sign.inc b/meta/recipes-bsp/u-boot/u-boot-sign.inc
> new file mode 100644
> index 0000000..c88a2a1
> --- /dev/null
> +++ b/meta/recipes-bsp/u-boot/u-boot-sign.inc

I think it could be moved to a class, so the U-Boot can inherit it.

> @@ -0,0 +1,21 @@
> +# This file is part of U-Boot verified boot support and is intended to be
> +# included from u-boot recipe and from kernel-fitimage.bbclass
> +#
> +# The signature procedure requires the user to generate an RSA key and
> +# certificate in a directory and to define the following variable:
> +#
> +# UBOOT_SIGN_KEYDIR = "/keys/directory"
> +# UBOOT_SIGN_KEYNAME = "dev" # keys name in keydir (eg. "dev.crt", "dev.key")
> +# UBOOT_SIGN_ENABLE = "1"
> +#
> +# The signature support is limited to the use of CONFIG_OF_SEPARATE in U-Boot.
> +#
> +# For more details, please refer to U-boot documentation.
> +
> +UBOOT_SIGN_ENABLE ?= "0"
> +UBOOT_DTB_IMAGE ?= "u-boot-${MACHINE}-${PV}-${PR}.dtb"
> +UBOOT_DTB_BINARY ?= "u-boot.dtb"
> +UBOOT_DTB_SYMLINK ?= "u-boot-${MACHINE}.dtb"
> +UBOOT_NODTB_IMAGE ?= "u-boot-nodtb-${MACHINE}-${PV}-${PR}.${UBOOT_SUFFIX}"
> +UBOOT_NODTB_BINARY ?= "u-boot-nodtb.${UBOOT_SUFFIX}"
> +UBOOT_NODTB_SYMLINK ?= "u-boot-nodtb-${MACHINE}.${UBOOT_SUFFIX}"
> diff --git a/meta/recipes-bsp/u-boot/u-boot.inc b/meta/recipes-bsp/u-boot/u-boot.inc
> index 3ba866d..29b0b95 100644
> --- a/meta/recipes-bsp/u-boot/u-boot.inc
> +++ b/meta/recipes-bsp/u-boot/u-boot.inc
> @@ -65,6 +65,28 @@ UBOOT_ENV_BINARY ?= "${UBOOT_ENV}.${UBOOT_ENV_SUFFIX}"
>  UBOOT_ENV_IMAGE ?= "${UBOOT_ENV}-${MACHINE}-${PV}-${PR}.${UBOOT_ENV_SUFFIX}"
>  UBOOT_ENV_SYMLINK ?= "${UBOOT_ENV}-${MACHINE}.${UBOOT_ENV_SUFFIX}"
>
> +# The use of verified boot requires to share environment variables with kernel
> +# fitImage class as the mkimage call requires dtb filepath to append signature
> +# public key.
> +require u-boot-sign.inc
> +
> +do_assemble_dtb() {
> +       # Concatenate U-Boot w/o DTB & DTB with public key
> +       # (cf. kernel-fitimage.bbclass for more details)
> +       cd ${DEPLOYDIR}
> +       if [ "x${UBOOT_SIGN_ENABLE}" = "x1" ]; then
> +               if [ -e "${UBOOT_NODTB_IMAGE}" -a -e "${UBOOT_DTB_IMAGE}" ]; then
> +                       cat ${UBOOT_NODTB_IMAGE} ${UBOOT_DTB_IMAGE} > ${UBOOT_IMAGE}
> +                       cat ${UBOOT_NODTB_IMAGE} ${UBOOT_DTB_IMAGE} > ${S}/${UBOOT_BINARY}
> +               else
> +                       bbwarn "Failure while adding public key to u-boot binary. Verified boot won't be available."
> +               fi
> +       fi
> +}
> +
> +addtask assemble_dtb after do_deploy before do_install
> +do_assemble_dtb[depends] += "${@' ${PREFERRED_PROVIDER_virtual/kernel}:do_assemble_fitimage' if '${UBOOT_SIGN_ENABLE}' == '1' else ''}"
> +

This should be part of the class, not another .inc file.

>  do_compile () {
>         if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ld-is-gold', 'ld-is-gold', '', d)}" = "ld-is-gold" ] ; then
>                 sed -i 's/$(CROSS_COMPILE)ld$/$(CROSS_COMPILE)ld.bfd/g' config.mk
> --
> 1.9.1
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core



-- 
Otavio Salvador                             O.S. Systems
http://www.ossystems.com.br        http://code.ossystems.com.br
Mobile: +55 (53) 9981-7854            Mobile: +1 (347) 903-9750

Re: [RFC PATCH 1/4] u-boot: basic support of device tree blob reassembly

[Yannick GICQUEL]

Le 19/04/2016 15:30, Otavio Salvador a écrit :
> On Tue, Apr 19, 2016 at 9:46 AM, Yannick Gicquel
> <yannick.gicquel@iot.bzh> wrote:
>> This introduces a new task 'assemble_dtb' to handle the concatenation of U-Boot
>> without DTB and the compiled U-Boot DTB while using CONFIG_OF_SEPARATE.
>> Basically, this task merges the u-boot-nodtb.bin and the device tree blob using
>> the 'cat' command and overrides the u-boot.bin file which is generated
>> at the compilation step.
>>
>> This task is intended to be used in the verified-boot image generation process
>> after the kernel-fitimage class had appended a public key to the device tree
>> blob. It is placed after the do_deploy and before the do_install tasks and it
>> replaces the u-boot binaries in both deploy directory and build directory
>> in order to minimize the changes in later tasks.
>>
>> Signed-off-by: Yannick Gicquel <yannick.gicquel@iot.bzh>
>> ---
>>   meta/recipes-bsp/u-boot/u-boot-sign.inc | 21 +++++++++++++++++++++
>>   meta/recipes-bsp/u-boot/u-boot.inc      | 22 ++++++++++++++++++++++
>>   2 files changed, 43 insertions(+)
>>   create mode 100644 meta/recipes-bsp/u-boot/u-boot-sign.inc
>>
>> diff --git a/meta/recipes-bsp/u-boot/u-boot-sign.inc b/meta/recipes-bsp/u-boot/u-boot-sign.inc
>> new file mode 100644
>> index 0000000..c88a2a1
>> --- /dev/null
>> +++ b/meta/recipes-bsp/u-boot/u-boot-sign.inc
> I think it could be moved to a class, so the U-Boot can inherit it.
Ok
>
>> @@ -0,0 +1,21 @@
>> +# This file is part of U-Boot verified boot support and is intended to be
>> +# included from u-boot recipe and from kernel-fitimage.bbclass
>> +#
>> +# The signature procedure requires the user to generate an RSA key and
>> +# certificate in a directory and to define the following variable:
>> +#
>> +# UBOOT_SIGN_KEYDIR = "/keys/directory"
>> +# UBOOT_SIGN_KEYNAME = "dev" # keys name in keydir (eg. "dev.crt", "dev.key")
>> +# UBOOT_SIGN_ENABLE = "1"
>> +#
>> +# The signature support is limited to the use of CONFIG_OF_SEPARATE in U-Boot.
>> +#
>> +# For more details, please refer to U-boot documentation.
>> +
>> +UBOOT_SIGN_ENABLE ?= "0"
>> +UBOOT_DTB_IMAGE ?= "u-boot-${MACHINE}-${PV}-${PR}.dtb"
>> +UBOOT_DTB_BINARY ?= "u-boot.dtb"
>> +UBOOT_DTB_SYMLINK ?= "u-boot-${MACHINE}.dtb"
>> +UBOOT_NODTB_IMAGE ?= "u-boot-nodtb-${MACHINE}-${PV}-${PR}.${UBOOT_SUFFIX}"
>> +UBOOT_NODTB_BINARY ?= "u-boot-nodtb.${UBOOT_SUFFIX}"
>> +UBOOT_NODTB_SYMLINK ?= "u-boot-nodtb-${MACHINE}.${UBOOT_SUFFIX}"
>> diff --git a/meta/recipes-bsp/u-boot/u-boot.inc b/meta/recipes-bsp/u-boot/u-boot.inc
>> index 3ba866d..29b0b95 100644
>> --- a/meta/recipes-bsp/u-boot/u-boot.inc
>> +++ b/meta/recipes-bsp/u-boot/u-boot.inc
>> @@ -65,6 +65,28 @@ UBOOT_ENV_BINARY ?= "${UBOOT_ENV}.${UBOOT_ENV_SUFFIX}"
>>   UBOOT_ENV_IMAGE ?= "${UBOOT_ENV}-${MACHINE}-${PV}-${PR}.${UBOOT_ENV_SUFFIX}"
>>   UBOOT_ENV_SYMLINK ?= "${UBOOT_ENV}-${MACHINE}.${UBOOT_ENV_SUFFIX}"
>>
>> +# The use of verified boot requires to share environment variables with kernel
>> +# fitImage class as the mkimage call requires dtb filepath to append signature
>> +# public key.
>> +require u-boot-sign.inc
>> +
>> +do_assemble_dtb() {
>> +       # Concatenate U-Boot w/o DTB & DTB with public key
>> +       # (cf. kernel-fitimage.bbclass for more details)
>> +       cd ${DEPLOYDIR}
>> +       if [ "x${UBOOT_SIGN_ENABLE}" = "x1" ]; then
>> +               if [ -e "${UBOOT_NODTB_IMAGE}" -a -e "${UBOOT_DTB_IMAGE}" ]; then
>> +                       cat ${UBOOT_NODTB_IMAGE} ${UBOOT_DTB_IMAGE} > ${UBOOT_IMAGE}
>> +                       cat ${UBOOT_NODTB_IMAGE} ${UBOOT_DTB_IMAGE} > ${S}/${UBOOT_BINARY}
>> +               else
>> +                       bbwarn "Failure while adding public key to u-boot binary. Verified boot won't be available."
>> +               fi
>> +       fi
>> +}
>> +
>> +addtask assemble_dtb after do_deploy before do_install
>> +do_assemble_dtb[depends] += "${@' ${PREFERRED_PROVIDER_virtual/kernel}:do_assemble_fitimage' if '${UBOOT_SIGN_ENABLE}' == '1' else ''}"
>> +
> This should be part of the class, not another .inc file.
Ok, I understand your point and will move the whole dtb related parts in 
the class file.
Thanks,
>
>>   do_compile () {
>>          if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ld-is-gold', 'ld-is-gold', '', d)}" = "ld-is-gold" ] ; then
>>                  sed -i 's/$(CROSS_COMPILE)ld$/$(CROSS_COMPILE)ld.bfd/g' config.mk
>> --
>> 1.9.1
>>
>> --
>> _______________________________________________
>> Openembedded-core mailing list
>> Openembedded-core@lists.openembedded.org
>> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>
>

Re: [RFC PATCH 1/4] u-boot: basic support of device tree blob reassembly

[Andreas Oberritter]

Hello Yannick,

On 19.04.2016 14:46, Yannick Gicquel wrote:
> This introduces a new task 'assemble_dtb' to handle the concatenation of U-Boot
> without DTB and the compiled U-Boot DTB while using CONFIG_OF_SEPARATE.
> Basically, this task merges the u-boot-nodtb.bin and the device tree blob using
> the 'cat' command and overrides the u-boot.bin file which is generated
> at the compilation step.
> 
> This task is intended to be used in the verified-boot image generation process
> after the kernel-fitimage class had appended a public key to the device tree
> blob. It is placed after the do_deploy and before the do_install tasks and it
> replaces the u-boot binaries in both deploy directory and build directory
> in order to minimize the changes in later tasks.
> 
> Signed-off-by: Yannick Gicquel <yannick.gicquel@iot.bzh>
> ---
>  meta/recipes-bsp/u-boot/u-boot-sign.inc | 21 +++++++++++++++++++++
>  meta/recipes-bsp/u-boot/u-boot.inc      | 22 ++++++++++++++++++++++
>  2 files changed, 43 insertions(+)
>  create mode 100644 meta/recipes-bsp/u-boot/u-boot-sign.inc
> 
> diff --git a/meta/recipes-bsp/u-boot/u-boot-sign.inc b/meta/recipes-bsp/u-boot/u-boot-sign.inc
> new file mode 100644
> index 0000000..c88a2a1
> --- /dev/null
> +++ b/meta/recipes-bsp/u-boot/u-boot-sign.inc
> @@ -0,0 +1,21 @@
> +# This file is part of U-Boot verified boot support and is intended to be
> +# included from u-boot recipe and from kernel-fitimage.bbclass
> +#
> +# The signature procedure requires the user to generate an RSA key and
> +# certificate in a directory and to define the following variable:
> +#
> +# UBOOT_SIGN_KEYDIR = "/keys/directory"
> +# UBOOT_SIGN_KEYNAME = "dev" # keys name in keydir (eg. "dev.crt", "dev.key")
> +# UBOOT_SIGN_ENABLE = "1"
> +#
> +# The signature support is limited to the use of CONFIG_OF_SEPARATE in U-Boot.
> +#
> +# For more details, please refer to U-boot documentation.
> +
> +UBOOT_SIGN_ENABLE ?= "0"
> +UBOOT_DTB_IMAGE ?= "u-boot-${MACHINE}-${PV}-${PR}.dtb"
> +UBOOT_DTB_BINARY ?= "u-boot.dtb"
> +UBOOT_DTB_SYMLINK ?= "u-boot-${MACHINE}.dtb"
> +UBOOT_NODTB_IMAGE ?= "u-boot-nodtb-${MACHINE}-${PV}-${PR}.${UBOOT_SUFFIX}"
> +UBOOT_NODTB_BINARY ?= "u-boot-nodtb.${UBOOT_SUFFIX}"
> +UBOOT_NODTB_SYMLINK ?= "u-boot-nodtb-${MACHINE}.${UBOOT_SUFFIX}"
> diff --git a/meta/recipes-bsp/u-boot/u-boot.inc b/meta/recipes-bsp/u-boot/u-boot.inc
> index 3ba866d..29b0b95 100644
> --- a/meta/recipes-bsp/u-boot/u-boot.inc
> +++ b/meta/recipes-bsp/u-boot/u-boot.inc
> @@ -65,6 +65,28 @@ UBOOT_ENV_BINARY ?= "${UBOOT_ENV}.${UBOOT_ENV_SUFFIX}"
>  UBOOT_ENV_IMAGE ?= "${UBOOT_ENV}-${MACHINE}-${PV}-${PR}.${UBOOT_ENV_SUFFIX}"
>  UBOOT_ENV_SYMLINK ?= "${UBOOT_ENV}-${MACHINE}.${UBOOT_ENV_SUFFIX}"
>  
> +# The use of verified boot requires to share environment variables with kernel
> +# fitImage class as the mkimage call requires dtb filepath to append signature
> +# public key.
> +require u-boot-sign.inc
> +
> +do_assemble_dtb() {
> +	# Concatenate U-Boot w/o DTB & DTB with public key
> +	# (cf. kernel-fitimage.bbclass for more details)
> +	cd ${DEPLOYDIR}
> +	if [ "x${UBOOT_SIGN_ENABLE}" = "x1" ]; then
> +		if [ -e "${UBOOT_NODTB_IMAGE}" -a -e "${UBOOT_DTB_IMAGE}" ]; then
> +			cat ${UBOOT_NODTB_IMAGE} ${UBOOT_DTB_IMAGE} > ${UBOOT_IMAGE}
> +			cat ${UBOOT_NODTB_IMAGE} ${UBOOT_DTB_IMAGE} > ${S}/${UBOOT_BINARY}

in general, you should avoid writing to ${S} (source). It's better to
write to ${B} (build).

> +		else
> +			bbwarn "Failure while adding public key to u-boot binary. Verified boot won't be available."
> +		fi
> +	fi
> +}
> +
> +addtask assemble_dtb after do_deploy before do_install

The task do_deploy executes after do_install. Does it really work this
way? I think bitbake should try to detect this and error out.

Maybe you could just use do_install_append and add the dependency below
to do_install.

Regards,
Andreas

> +do_assemble_dtb[depends] += "${@' ${PREFERRED_PROVIDER_virtual/kernel}:do_assemble_fitimage' if '${UBOOT_SIGN_ENABLE}' == '1' else ''}"
> +
>  do_compile () {
>  	if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ld-is-gold', 'ld-is-gold', '', d)}" = "ld-is-gold" ] ; then
>  		sed -i 's/$(CROSS_COMPILE)ld$/$(CROSS_COMPILE)ld.bfd/g' config.mk
> 

Re: [RFC PATCH 1/4] u-boot: basic support of device tree blob reassembly

[Yannick GICQUEL]

[-- Attachment #1: Type: text/plain, Size: 5244 bytes --]


Le 19/04/2016 16:30, Andreas Oberritter a écrit :
> Hello Yannick,
Hi Andreas,
>
> On 19.04.2016 14:46, Yannick Gicquel wrote:
>> This introduces a new task 'assemble_dtb' to handle the concatenation of U-Boot
>> without DTB and the compiled U-Boot DTB while using CONFIG_OF_SEPARATE.
>> Basically, this task merges the u-boot-nodtb.bin and the device tree blob using
>> the 'cat' command and overrides the u-boot.bin file which is generated
>> at the compilation step.
>>
>> This task is intended to be used in the verified-boot image generation process
>> after the kernel-fitimage class had appended a public key to the device tree
>> blob. It is placed after the do_deploy and before the do_install tasks and it
>> replaces the u-boot binaries in both deploy directory and build directory
>> in order to minimize the changes in later tasks.
>>
>> Signed-off-by: Yannick Gicquel <yannick.gicquel@iot.bzh>
>> ---
>>   meta/recipes-bsp/u-boot/u-boot-sign.inc | 21 +++++++++++++++++++++
>>   meta/recipes-bsp/u-boot/u-boot.inc      | 22 ++++++++++++++++++++++
>>   2 files changed, 43 insertions(+)
>>   create mode 100644 meta/recipes-bsp/u-boot/u-boot-sign.inc
>>
>> diff --git a/meta/recipes-bsp/u-boot/u-boot-sign.inc b/meta/recipes-bsp/u-boot/u-boot-sign.inc
>> new file mode 100644
>> index 0000000..c88a2a1
>> --- /dev/null
>> +++ b/meta/recipes-bsp/u-boot/u-boot-sign.inc
>> @@ -0,0 +1,21 @@
>> +# This file is part of U-Boot verified boot support and is intended to be
>> +# included from u-boot recipe and from kernel-fitimage.bbclass
>> +#
>> +# The signature procedure requires the user to generate an RSA key and
>> +# certificate in a directory and to define the following variable:
>> +#
>> +# UBOOT_SIGN_KEYDIR = "/keys/directory"
>> +# UBOOT_SIGN_KEYNAME = "dev" # keys name in keydir (eg. "dev.crt", "dev.key")
>> +# UBOOT_SIGN_ENABLE = "1"
>> +#
>> +# The signature support is limited to the use of CONFIG_OF_SEPARATE in U-Boot.
>> +#
>> +# For more details, please refer to U-boot documentation.
>> +
>> +UBOOT_SIGN_ENABLE ?= "0"
>> +UBOOT_DTB_IMAGE ?= "u-boot-${MACHINE}-${PV}-${PR}.dtb"
>> +UBOOT_DTB_BINARY ?= "u-boot.dtb"
>> +UBOOT_DTB_SYMLINK ?= "u-boot-${MACHINE}.dtb"
>> +UBOOT_NODTB_IMAGE ?= "u-boot-nodtb-${MACHINE}-${PV}-${PR}.${UBOOT_SUFFIX}"
>> +UBOOT_NODTB_BINARY ?= "u-boot-nodtb.${UBOOT_SUFFIX}"
>> +UBOOT_NODTB_SYMLINK ?= "u-boot-nodtb-${MACHINE}.${UBOOT_SUFFIX}"
>> diff --git a/meta/recipes-bsp/u-boot/u-boot.inc b/meta/recipes-bsp/u-boot/u-boot.inc
>> index 3ba866d..29b0b95 100644
>> --- a/meta/recipes-bsp/u-boot/u-boot.inc
>> +++ b/meta/recipes-bsp/u-boot/u-boot.inc
>> @@ -65,6 +65,28 @@ UBOOT_ENV_BINARY ?= "${UBOOT_ENV}.${UBOOT_ENV_SUFFIX}"
>>   UBOOT_ENV_IMAGE ?= "${UBOOT_ENV}-${MACHINE}-${PV}-${PR}.${UBOOT_ENV_SUFFIX}"
>>   UBOOT_ENV_SYMLINK ?= "${UBOOT_ENV}-${MACHINE}.${UBOOT_ENV_SUFFIX}"
>>   
>> +# The use of verified boot requires to share environment variables with kernel
>> +# fitImage class as the mkimage call requires dtb filepath to append signature
>> +# public key.
>> +require u-boot-sign.inc
>> +
>> +do_assemble_dtb() {
>> +	# Concatenate U-Boot w/o DTB & DTB with public key
>> +	# (cf. kernel-fitimage.bbclass for more details)
>> +	cd ${DEPLOYDIR}
>> +	if [ "x${UBOOT_SIGN_ENABLE}" = "x1" ]; then
>> +		if [ -e "${UBOOT_NODTB_IMAGE}" -a -e "${UBOOT_DTB_IMAGE}" ]; then
>> +			cat ${UBOOT_NODTB_IMAGE} ${UBOOT_DTB_IMAGE} > ${UBOOT_IMAGE}
>> +			cat ${UBOOT_NODTB_IMAGE} ${UBOOT_DTB_IMAGE} > ${S}/${UBOOT_BINARY}
> in general, you should avoid writing to ${S} (source). It's better to
> write to ${B} (build).
Ok, I will change to ${B}
>
>> +		else
>> +			bbwarn "Failure while adding public key to u-boot binary. Verified boot won't be available."
>> +		fi
>> +	fi
>> +}
>> +
>> +addtask assemble_dtb after do_deploy before do_install
> The task do_deploy executes after do_install. Does it really work this
> way? I think bitbake should try to detect this and error out.
I confirm do_deploy is executed before do_install.
It looks like it is schedule this way by the last line of the file:

addtask deploy before do_build after do_compile

(I attached the log.task_order for reference - FYI, behavior is the same on
jethro or today's master branch)

>
> Maybe you could just use do_install_append and add the dependency below
> to do_install.
Interesting.
After reviewing this more carefully, I agree with you and also think 
that a dedicated task is
finally not really needed for these actions. The point which matters is 
the task order
and the schedule required to add the public key to the DTB.
And regarding this task order it should be possible to place it in a 
"do_install_prepend".

I will sent a new version integrating comments from Otavio's and you.

Thanks

>
> Regards,
> Andreas
>
>> +do_assemble_dtb[depends] += "${@' ${PREFERRED_PROVIDER_virtual/kernel}:do_assemble_fitimage' if '${UBOOT_SIGN_ENABLE}' == '1' else ''}"
>> +
>>   do_compile () {
>>   	if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ld-is-gold', 'ld-is-gold', '', d)}" = "ld-is-gold" ] ; then
>>   		sed -i 's/$(CROSS_COMPILE)ld$/$(CROSS_COMPILE)ld.bfd/g' config.mk
>>


[-- Attachment #2: log.task_order --]
[-- Type: text/plain, Size: 640 bytes --]

do_fetch (29836): log.do_fetch.29836
do_unpack (29844): log.do_unpack.29844
do_patch (30357): log.do_patch.30357
do_configure (30788): log.do_configure.30788
do_populate_lic (30789): log.do_populate_lic.30789
do_compile (30833): log.do_compile.30833
do_deploy (5656): log.do_deploy.5656
do_assemble_dtb (5766): log.do_assemble_dtb.5766
do_install (7724): log.do_install.7724
do_package (7877): log.do_package.7877
do_populate_sysroot (7878): log.do_populate_sysroot.7878
do_packagedata (9046): log.do_packagedata.9046
do_package_write_rpm (10190): log.do_package_write_rpm.10190
do_package_qa (10204): log.do_package_qa.10204

Re: [RFC PATCH 1/4] u-boot: basic support of device tree blob reassembly

[Anders Darander]

Just a comment on task ordering. Not sure that it really matters
though...

* Yannick GICQUEL <yannick.gicquel@iot.bzh> [160420 10:28]:
> Le 19/04/2016 16:30, Andreas Oberritter a écrit :
> >Hello Yannick,
> Hi Andreas,

> >On 19.04.2016 14:46, Yannick Gicquel wrote:
> >>+addtask assemble_dtb after do_deploy before do_install
> >The task do_deploy executes after do_install. Does it really work this
> >way? I think bitbake should try to detect this and error out.
> I confirm do_deploy is executed before do_install.
> It looks like it is schedule this way by the last line of the file:

> addtask deploy before do_build after do_compile

Well, if task do_deploy is scheduled before do_install, that's just by
luck.

The following line adds do_install:

addtask install after do_compile

Thus, the ordering between do_install and do_deploy isn't fixed. It
could be random, it could be based on alphabetical sorting, or the order
the tasks are added. However, it could easily change...

Cheers,
Anders

> (I attached the log.task_order for reference - FYI, behavior is the same on
> jethro or today's master branch)
-- 
Anders Darander, Senior System Architect
ChargeStorm AB / eStorm AB

Re: [RFC PATCH 1/4] u-boot: basic support of device tree blob reassembly

[Yannick GICQUEL]

Le 20/04/2016 10:37, Anders Darander a écrit :
> Just a comment on task ordering. Not sure that it really matters
> though...
>
> * Yannick GICQUEL <yannick.gicquel@iot.bzh> [160420 10:28]:
>> Le 19/04/2016 16:30, Andreas Oberritter a écrit :
>>> Hello Yannick,
>> Hi Andreas,
>>> On 19.04.2016 14:46, Yannick Gicquel wrote:
>>>> +addtask assemble_dtb after do_deploy before do_install
>>> The task do_deploy executes after do_install. Does it really work this
>>> way? I think bitbake should try to detect this and error out.
>> I confirm do_deploy is executed before do_install.
>> It looks like it is schedule this way by the last line of the file:
>> addtask deploy before do_build after do_compile
> Well, if task do_deploy is scheduled before do_install, that's just by
> luck.
>
> The following line adds do_install:
>
> addtask install after do_compile
>
> Thus, the ordering between do_install and do_deploy isn't fixed. It
> could be random, it could be based on alphabetical sorting, or the order
> the tasks are added. However, it could easily change...

Thanks for the precision.
I understand that ordering is not fixed as both tasks depends on do_compile.

I am on the way to send a v2 and the tasks are now sequenced as below :
    u-boot:do_deploy -> virtual/kernel:do_assemble_fitimage -> 
u-boot:do_install

Best regards,

>
> Cheers,
> Anders
>
>> (I attached the log.task_order for reference - FYI, behavior is the same on
>> jethro or today's master branch)

Re: [RFC PATCH 1/4] u-boot: basic support of device tree blob reassembly

[Andreas Oberritter]

On 20.04.2016 10:27, Yannick GICQUEL wrote:
> Le 19/04/2016 16:30, Andreas Oberritter a écrit :
>> On 19.04.2016 14:46, Yannick Gicquel wrote:
[...]
>>> +addtask assemble_dtb after do_deploy before do_install
>> The task do_deploy executes after do_install. Does it really work this
>> way? I think bitbake should try to detect this and error out.
> I confirm do_deploy is executed before do_install.
> It looks like it is schedule this way by the last line of the file:
> 
> addtask deploy before do_build after do_compile
> 
> (I attached the log.task_order for reference - FYI, behavior is the same on
> jethro or today's master branch)

You're right, Yannick. I should have looked at u-boot.inc, instead of
assuming the behaviour of kernel.bbclass was generic.

Regards,
Andreas

[RFC PATCH 2/4] u-boot: deploy u-boot nodtb and dtb files

[Yannick Gicquel]

This enable the deployment of u-boot-nodtb.bin and u-boot.dtb files.

Signed-off-by: Yannick Gicquel <yannick.gicquel@iot.bzh>
---
 meta/recipes-bsp/u-boot/u-boot.inc | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/meta/recipes-bsp/u-boot/u-boot.inc b/meta/recipes-bsp/u-boot/u-boot.inc
index 29b0b95..749f8d8 100644
--- a/meta/recipes-bsp/u-boot/u-boot.inc
+++ b/meta/recipes-bsp/u-boot/u-boot.inc
@@ -239,6 +239,20 @@ do_deploy () {
         rm -f ${UBOOT_BINARY} ${UBOOT_SYMLINK}
         ln -sf ${UBOOT_IMAGE} ${UBOOT_SYMLINK}
         ln -sf ${UBOOT_IMAGE} ${UBOOT_BINARY}
+
+        # OF_SEPARATE generated files deployment
+        if [ -f ${S}/${UBOOT_DTB_BINARY} ]; then
+            install ${S}/${UBOOT_DTB_BINARY} ${DEPLOYDIR}/${UBOOT_DTB_IMAGE}
+            rm -f ${UBOOT_DTB_BINARY} ${UBOOT_DTB_SYMLINK}
+            ln -sf ${UBOOT_DTB_IMAGE} ${UBOOT_DTB_SYMLINK}
+            ln -sf ${UBOOT_DTB_IMAGE} ${UBOOT_DTB_BINARY}
+        fi
+        if [ -f ${S}/${UBOOT_NODTB_BINARY} ]; then
+            install ${S}/${UBOOT_NODTB_BINARY} ${DEPLOYDIR}/${UBOOT_NODTB_IMAGE}
+            rm -f ${UBOOT_NODTB_BINARY} ${UBOOT_NODTB_SYMLINK}
+            ln -sf ${UBOOT_NODTB_IMAGE} ${UBOOT_NODTB_SYMLINK}
+            ln -sf ${UBOOT_NODTB_IMAGE} ${UBOOT_NODTB_BINARY}
+        fi
    fi
 
     if [ "x${UBOOT_ELF}" != "x" ]
-- 
1.9.1

[RFC PATCH 3/4] kernel: fitimage: support device tree compiler options

[Yannick Gicquel]

This introduces a new variable to set the device tree compiler options while
calling mkimage ('-D' option). By default, this variable is not set but it can
be defined in a configuration file, as following example:

UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb -p 2000"

Signed-off-by: Yannick Gicquel <yannick.gicquel@iot.bzh>
---
 meta/classes/kernel-fitimage.bbclass | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass
index e5b75ed..62e0017 100644
--- a/meta/classes/kernel-fitimage.bbclass
+++ b/meta/classes/kernel-fitimage.bbclass
@@ -17,6 +17,9 @@ python __anonymous () {
             d.appendVarFlag('do_assemble_fitimage', 'depends', ' ${INITRAMFS_IMAGE}:do_image_complete')
 }
 
+# Options for the device tree compiler passed to mkimage '-D' feature:
+UBOOT_MKIMAGE_DTCOPTS ??= ""
+
 #
 # Emit the fitImage ITS header
 #
@@ -209,7 +212,10 @@ do_assemble_fitimage() {
 		#
 		# Step 4: Assemble the image
 		#
-		uboot-mkimage -f fit-image.its arch/${ARCH}/boot/fitImage
+		uboot-mkimage \
+			${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
+			-f fit-image.its \
+			arch/${ARCH}/boot/fitImage
 	fi
 }
 
-- 
1.9.1

[RFC PATCH 4/4] kernel: fitimage: basic support for fitimage signature

[Yannick Gicquel]

This is an initial support of fitImage signature to enable U-Boot verified
boot. This feature is implemented by adding a signature tag to the
configuration section of the generated fit-image.its file.

When a UBOOT_SIGN_ENABLE variable is set to "1", the signature procedure is
activated and performs a second call to mkimage to sign the fitImage file and
to include the public key in the deployed U-Boot device tree blob. (This
implementation depends on the use of CONFIG_OF_SEPARATE in U-Boot.)

As the U-Boot device tree blob is appended in the deploy dir, a dependency
on 'u-boot:do_deploy' is added when the feature is activated.

Signed-off-by: Yannick Gicquel <yannick.gicquel@iot.bzh>
---
 meta/classes/kernel-fitimage.bbclass | 45 +++++++++++++++++++++++++++++++++++-
 1 file changed, 44 insertions(+), 1 deletion(-)

diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass
index 62e0017..cbf07ba 100644
--- a/meta/classes/kernel-fitimage.bbclass
+++ b/meta/classes/kernel-fitimage.bbclass
@@ -1,5 +1,8 @@
 inherit kernel-uboot
 
+# To resolve the following UBOOT_DTB_BINARY identifier
+require recipes-bsp/u-boot/u-boot-sign.inc
+
 python __anonymous () {
     kerneltype = d.getVar('KERNEL_IMAGETYPE', True)
     if kerneltype == 'fitImage':
@@ -15,6 +18,12 @@ python __anonymous () {
         image = d.getVar('INITRAMFS_IMAGE', True)
         if image:
             d.appendVarFlag('do_assemble_fitimage', 'depends', ' ${INITRAMFS_IMAGE}:do_image_complete')
+
+        # Verified boot will sign the fitImage and append the public key to
+        # U-boot dtb. We ensure the U-Boot dtb is deployed before assembling
+        # the fitImage:
+        if d.getVar('UBOOT_SIGN_ENABLE', True):
+            d.appendVarFlag('do_assemble_fitimage', 'depends', ' u-boot:do_deploy')
 }
 
 # Options for the device tree compiler passed to mkimage '-D' feature:
@@ -132,6 +141,9 @@ EOF
 fitimage_emit_section_config() {
 
 	conf_csum="sha1"
+	if [ -n "${UBOOT_SIGN_ENABLE}" ] ; then
+		conf_sign_keyname="${UBOOT_SIGN_KEYNAME}"
+	fi
 
 	# Test if we have any DTBs at all
 	if [ -z "${2}" ] ; then
@@ -152,6 +164,26 @@ fitimage_emit_section_config() {
                         hash@1 {
                                 algo = "${conf_csum}";
                         };
+EOF
+
+	if [ ! -z "${conf_sign_keyname}" ] ; then
+
+		if [ -z "${2}" ] ; then
+			sign_line="sign-images = \"kernel\";"
+		else
+			sign_line="sign-images = \"fdt\", \"kernel\";"
+		fi
+
+		cat << EOF >> fit-image.its
+                        signature@1 {
+                                algo = "${conf_csum},rsa2048";
+                                key-name-hint = "${conf_sign_keyname}";
+                                sign-images = "fdt", "kernel";
+                        };
+EOF
+	fi
+
+	cat << EOF >> fit-image.its
                 };
 EOF
 }
@@ -160,7 +192,7 @@ do_assemble_fitimage() {
 	if test "x${KERNEL_IMAGETYPE}" = "xfitImage" ; then
 		kernelcount=1
 		dtbcount=""
-		rm -f fit-image.its
+		rm -f fit-image.its arch/${ARCH}/boot/fitImage
 
 		fitimage_emit_fit_header
 
@@ -216,6 +248,17 @@ do_assemble_fitimage() {
 			${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
 			-f fit-image.its \
 			arch/${ARCH}/boot/fitImage
+
+		#
+		# Step 5: Sign the image and add public key to U-Boot dtb
+		#
+		if test -n "${UBOOT_SIGN_ENABLE}"; then
+			uboot-mkimage \
+				${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
+				-F -k "${UBOOT_SIGN_KEYDIR}" \
+				-K "${DEPLOY_DIR_IMAGE}/${UBOOT_DTB_BINARY}" \
+				-r arch/${ARCH}/boot/fitImage
+		fi
 	fi
 }
 
-- 
1.9.1

Re: [RFC PATCH 4/4] kernel: fitimage: basic support for fitimage signature

[Otavio Salvador]

On Tue, Apr 19, 2016 at 9:46 AM, Yannick Gicquel
<yannick.gicquel@iot.bzh> wrote:
> This is an initial support of fitImage signature to enable U-Boot verified
> boot. This feature is implemented by adding a signature tag to the
> configuration section of the generated fit-image.its file.
>
> When a UBOOT_SIGN_ENABLE variable is set to "1", the signature procedure is
> activated and performs a second call to mkimage to sign the fitImage file and
> to include the public key in the deployed U-Boot device tree blob. (This
> implementation depends on the use of CONFIG_OF_SEPARATE in U-Boot.)
>
> As the U-Boot device tree blob is appended in the deploy dir, a dependency
> on 'u-boot:do_deploy' is added when the feature is activated.
>
> Signed-off-by: Yannick Gicquel <yannick.gicquel@iot.bzh>
> ---
>  meta/classes/kernel-fitimage.bbclass | 45 +++++++++++++++++++++++++++++++++++-
>  1 file changed, 44 insertions(+), 1 deletion(-)
>
> diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass
> index 62e0017..cbf07ba 100644
> --- a/meta/classes/kernel-fitimage.bbclass
> +++ b/meta/classes/kernel-fitimage.bbclass
> @@ -1,5 +1,8 @@
>  inherit kernel-uboot
>
> +# To resolve the following UBOOT_DTB_BINARY identifier
> +require recipes-bsp/u-boot/u-boot-sign.inc
> +

Again, use a class for it. inc files are being abused this way.


-- 
Otavio Salvador                             O.S. Systems
http://www.ossystems.com.br        http://code.ossystems.com.br
Mobile: +55 (53) 9981-7854            Mobile: +1 (347) 903-9750