Re: [OE-core] [PATCH v2 1/2] uboot-sign: sign SPL FIT configurations instead of images

Openembedded Core Discussions
 help / color / mirror / Atom feed

From: "Mathieu Dubois-Briand" <mathieu.dubois-briand@bootlin.com>
To: <rybczynska@gmail.com>, <openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core] [PATCH v2 1/2] uboot-sign: sign SPL FIT configurations instead of images
Date: Wed, 27 May 2026 08:58:20 +0200	[thread overview]
Message-ID: <DIT9IRDXGA86.1L3TDJD2YLDWY@bootlin.com> (raw)
In-Reply-To: <20260526094042.54135-1-marta.rybczynska@ygreky.com>

On Tue May 26, 2026 at 11:40 AM CEST, Marta Rybczynska via lists.openembedded.org wrote:
> From: Marta Rybczynska <rybczynska@gmail.com>
>
> The SPL FIT signing path was signing individual images, but not the configuration.
>
> Introduce signing of configuration with images under a separate option SPL_SIGN_CONF,
> enabled by default. It implies changes in the DTB content.
>
> The old behaviour is possible with SPL_SIGN_INDIVIDUAL, but should be removed in
> a subsequent patch.
>
> Signed-off-by: Marta Rybczynska <rybczynska@gmail.com>

Hi Marta,

Thanks for the new version. I believe we still have two selftest
failures because of it:

2026-05-26 16:34:33,908 - oe-selftest - INFO - fitimage.UBootFitImageTests.test_sign_standalone_uboot_atf_tee_fit_image (subunit.RemotedTestCase)
2026-05-26 16:34:33,909 - oe-selftest - INFO -  ... FAIL
...
ERROR: u-boot-1_2026.04-r0 do_uboot_assemble_fitimage: Execution of '/srv/pokybuild/yocto-worker/oe-selftest-armhost/build/build-st-2700759/tmp/work/qemuarm-poky-linux-gnueabi/u-boot/2026.04/temp/run.do_uboot_assemble_fitimage.3572291' failed with exit code 1
...
| Signature written to 'u-boot-fitImage', node '/configurations/conf/signature'
| Public key written to 'spl/u-boot-spl.dtb', node '/signature/key-spl-oe-selftest'
| Signature check bad (error 1)
| Verifying Hash Integrity for node 'conf'... sha256,rsa2048:spl-oe-selftest+
| sha256,rsa2048:spl-oe-selftest-
|  error!
| Verification failed for '(null)' hash node in 'conf' config node
| Failed to verify required signature 'key-spl-cascaded-oe-selftest'
| WARNING: exit code 1 from a shell command.
...
2026-05-26 16:35:33,469 - oe-selftest - INFO - fitimage.UBootFitImageTests.test_sign_standalone_uboot_fit_image (subunit.RemotedTestCase)
2026-05-26 16:35:33,469 - oe-selftest - INFO -  ... FAIL
...
ERROR: u-boot-1_2026.04-r0 do_uboot_assemble_fitimage: Execution of '/srv/pokybuild/yocto-worker/oe-selftest-armhost/build/build-st-2700759/tmp/work/qemuarm-poky-linux-gnueabi/u-boot/2026.04/temp/run.do_uboot_assemble_fitimage.3689059' failed with exit code 1
...
| Signature written to 'u-boot-fitImage', node '/configurations/conf/signature'
| Public key written to 'spl/u-boot-spl.dtb', node '/signature/key-spl-oe-selftest'
| Signature check bad (error 1)
| Verifying Hash Integrity for node 'conf'... sha256,rsa2048:spl-oe-selftest+
| sha256,rsa2048:spl-oe-selftest-
|  error!
| Verification failed for '(null)' hash node in 'conf' config node
| Failed to verify required signature 'key-spl-cascaded-oe-selftest'
| WARNING: exit code 1 from a shell command.

https://autobuilder.yoctoproject.org/valkyrie/#/builders/23/builds/3999
https://autobuilder.yoctoproject.org/valkyrie/#/builders/35/builds/3905
https://autobuilder.yoctoproject.org/valkyrie/#/builders/48/builds/3770

Can you have a look at the issue?

Thanks,
Mathieu

-- 
Mathieu Dubois-Briand, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

next prev parent reply	other threads:[~2026-05-27  6:58 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-26  9:40 [PATCH v2 1/2] uboot-sign: sign SPL FIT configurations instead of images Marta Rybczynska
2026-05-26  9:40 ` [PATCH v2 2/2] oe-selftest: fitimage: support new schema for uboot configuration signing Marta Rybczynska
2026-05-27  6:58 ` Mathieu Dubois-Briand [this message]
2026-05-27  9:39   ` [OE-core] [PATCH v2 1/2] uboot-sign: sign SPL FIT configurations instead of images Marta Rybczynska

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=DIT9IRDXGA86.1L3TDJD2YLDWY@bootlin.com \
    --to=mathieu.dubois-briand@bootlin.com \
    --cc=openembedded-core@lists.openembedded.org \
    --cc=rybczynska@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox