From: "Mathieu Dubois-Briand" <mathieu.dubois-briand@bootlin.com>
To: <marex@denx.de>, <openembedded-core@lists.openembedded.org>
Cc: "Adrian Freihofer" <adrian.freihofer@siemens.com>,
"Alexandre Belloni" <alexandre.belloni@bootlin.com>,
"Richard Purdie" <richard.purdie@linuxfoundation.org>,
"Sean Anderson" <sean.anderson@seco.com>
Subject: Re: [OE-core] [PATCH v2] u-boot: kernel-fitimage: Fix dependency loop if UBOOT_SIGN_ENABLE and UBOOT_ENV enabled
Date: Tue, 14 Jan 2025 09:52:09 +0100
Message-ID: <D71O2LIHDS5O.VUCRVWWZYSFN@bootlin.com>
In-Reply-To: <20250114010202.95843-1-marex@denx.de>

On Tue Jan 14, 2025 at 2:01 AM CET, Marek Vasut via lists.openembedded.org wrote:
> In case both UBOOT_SIGN_ENABLE and UBOOT_ENV are enabled and
> kernel-fitimage.bbclass is in use to generate signed kernel
> fitImage, there is a circular dependency between uboot-sign
> and kernel-fitimage bbclasses. The loop looks like this:
>
> kernel-fitimage.bbclass:
> - do_populate_sysroot depends on do_assemble_fitimage
> - do_assemble_fitimage depends on virtual/bootloader:do_populate_sysroot
> - virtual/bootloader:do_populate_sysroot depends on virtual/bootloader:do_install
> => The virtual/bootloader:do_install installs and the
> virtual/bootloader:do_populate_sysroot places into
> sysroot a U-Boot environment script embedded into
> kernel fitImage during do_assemble_fitimage run.
>
> uboot-sign.bbclass:
> - DEPENDS on KERNEL_PN, which is really virtual/kernel. More accurately
> - do_deploy depends on do_uboot_assemble_fitimage
> - do_install depends on do_uboot_assemble_fitimage
> - do_uboot_assemble_fitimage depends on virtual/kernel:do_populate_sysroot
> => do_install depends on virtual/kernel:do_populate_sysroot
>
> => virtual/bootloader:do_install depends on virtual/kernel:do_populate_sysroot
> virtual/kernel:do_populate_sysroot depends on virtual/bootloader:do_install
>
> Attempt to resolve the loop. Pull fitimage_assemble() into separate new bbclass
> kernel-fitimage-its.bbclass and split fitimage_assemble() into two functions,
> fitimage_assemble_its() to generate the fit-image.its and fitimage_assemble_itb()
> to run mkimage on fit-image.its and produce the final fitImage-none fitImage.
>
> Inherit kernel-fitimage-its.bbclass in uboot-sign.bbclass and use these two
> new functions to generate a dummy signed fitImage which, instead of containing
> any meaningful blobs as payloads, contains a dummy u-boot.dtb as payload for
> every single blob included in the fitImage. The placement of signature {}
> nodes in this dummy signed fitImage exactly matches the final signed kernel
> fitImage, which is very important.
>
> The follow up mkimage invocation which inserts public key material into
> u-boot.dtb /signature {} node does not care about the content of the dummy
> signed fitImage blobs, that mkimage invocation only cares about the placement
> of signature {} nodes in that dummy signed fitImage. That mkimage invocation
> uses the placement of these signature {} nodes to construct u-boot.dtb
> /signature/<key> 'required' property content, which is used by U-Boot
> when authenticating blobs in the fitImage using the public <key> that
> was currently inserted into the u-boot.dtb by mkimage.
>
> Fixes: 5e12dc911d0c ("u-boot: Rework signing to remove interdependencies")
> Signed-off-by: Marek Vasut <marex@denx.de>
> ---

Hi Marek,

I believe this patch is breaking the oe-selftests on the autobuilder,
with the following error:

ERROR: linux-yocto-6.12.9+git-r0 do_assemble_fitimage: Execution of '/srv/pokybuild/yocto-worker/oe-selftest-fedora/build/build-st-844261/tmp/work/qemux86_64-poky-linux/linux-yocto/6.12.9+git/temp/run.do_assemble_fitimage.1950022' failed with exit code 127
ERROR: Logfile of failure stored in: /srv/pokybuild/yocto-worker/oe-selftest-fedora/build/build-st-844261/tmp/work/qemux86_64-poky-linux/linux-yocto/6.12.9+git/temp/log.do_assemble_fitimage.1950022
Log data follows:
| DEBUG: Executing shell function do_assemble_fitimage
| /srv/pokybuild/yocto-worker/oe-selftest-fedora/build/build-st-844261/tmp/work/qemux86_64-poky-linux/linux-yocto/6.12.9+git/temp/run.do_assemble_fitimage.1950022: line 150: fitimage_assemble: command not found
| WARNING: /srv/pokybuild/yocto-worker/oe-selftest-fedora/build/build-st-844261/tmp/work/qemux86_64-poky-linux/linux-yocto/6.12.9+git/temp/run.do_assemble_fitimage.1950022:150 exit 127 from 'fitimage_assemble fit-image.its fitImage-none ""'
| WARNING: Backtrace (BB generated script):
| #1: do_assemble_fitimage, /srv/pokybuild/yocto-worker/oe-selftest-fedora/build/build-st-844261/tmp/work/qemux86_64-poky-linux/linux-yocto/6.12.9+git/temp/run.do_assemble_fitimage.1950022, line 150
| #2: main, /srv/pokybuild/yocto-worker/oe-selftest-fedora/build/build-st-844261/tmp/work/qemux86_64-poky-linux/linux-yocto/6.12.9+git/temp/run.do_assemble_fitimage.1950022, line 157
NOTE: recipe linux-yocto-6.12.9+git-r0: task do_assemble_fitimage: Failed

https://valkyrie.yoctoproject.org/#/builders/48/builds/726/steps/14/logs/stdio

Can you have a look at this issue please?

--
Mathieu Dubois-Briand, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
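
The dependency loop spelled out in the quoted commit message can be checked mechanically. The following is an added example, not code from the thread or from OE-core: it transcribes the listed task dependencies into a graph and finds the cycle. Qualifying the kernel-fitimage tasks with virtual/kernel and the uboot-sign tasks with virtual/bootloader, and treating the fix as removal of the do_uboot_assemble_fitimage dependency on virtual/kernel:do_populate_sysroot, are assumptions read from that message.

```python
# Task graph transcribed from the quoted commit message.
# "A depends on B" is stored as A -> B. Recipe prefixes are an assumption.
KERNEL, UBOOT = "virtual/kernel", "virtual/bootloader"

DEPENDS = {
    f"{KERNEL}:do_populate_sysroot": [f"{KERNEL}:do_assemble_fitimage"],
    f"{KERNEL}:do_assemble_fitimage": [f"{UBOOT}:do_populate_sysroot"],
    f"{UBOOT}:do_populate_sysroot": [f"{UBOOT}:do_install"],
    f"{UBOOT}:do_deploy": [f"{UBOOT}:do_uboot_assemble_fitimage"],
    f"{UBOOT}:do_install": [f"{UBOOT}:do_uboot_assemble_fitimage"],
    f"{UBOOT}:do_uboot_assemble_fitimage": [f"{KERNEL}:do_populate_sysroot"],
}

def find_cycle(graph):
    """Return one dependency cycle as a task list (first == last), or None."""
    WHITE, GREY, BLACK = 0, 1, 2   # unvisited, on the current path, finished
    state, stack = {}, []

    def visit(task):
        state[task] = GREY
        stack.append(task)
        for dep in graph.get(task, []):
            if state.get(dep, WHITE) == GREY:       # back edge closes a loop
                return stack[stack.index(dep):] + [dep]
            if state.get(dep, WHITE) == WHITE:
                cycle = visit(dep)
                if cycle:
                    return cycle
        stack.pop()
        state[task] = BLACK
        return None

    for task in graph:
        if state.get(task, WHITE) == WHITE:
            cycle = visit(task)
            if cycle:
                return cycle
    return None

def without_edge(graph, task, dep):
    """Copy of the graph with one 'task depends on dep' edge removed."""
    return {t: [d for d in deps if not (t == task and d == dep)]
            for t, deps in graph.items()}

if __name__ == "__main__":
    print(" -> ".join(find_cycle(DEPENDS)))
    fixed = without_edge(DEPENDS, f"{UBOOT}:do_uboot_assemble_fitimage",
                         f"{KERNEL}:do_populate_sysroot")
    print("cycle after cutting the kernel edge:", find_cycle(fixed))
```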