* [PATCH 1/8] classes/kernel-fitimage: add variable for description
2020-12-17 2:51 [PATCH 0/8] kernel-fitimage extensions Paul Eggleton
@ 2020-12-17 2:51 ` Paul Eggleton
2020-12-17 2:51 ` [PATCH 2/8] classes/kernel-fitimage: make fitimage_emit_section_config more readable Paul Eggleton
` (7 subsequent siblings)
8 siblings, 0 replies; 10+ messages in thread
From: Paul Eggleton @ 2020-12-17 2:51 UTC (permalink / raw)
To: openembedded-core; +Cc: Usama Arif
From: Paul Eggleton <paul.eggleton@microsoft.com>
Add a FIT_DESC variable to make it possible to change how the
description is set in the FIT image.
Signed-off-by: Paul Eggleton <paul.eggleton@microsoft.com>
---
meta/classes/kernel-fitimage.bbclass | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass
index bb2f3c4..f121eee 100644
--- a/meta/classes/kernel-fitimage.bbclass
+++ b/meta/classes/kernel-fitimage.bbclass
@@ -72,6 +72,9 @@ FIT_KEY_REQ_ARGS ?= "-batch -new"
# Standard format for public key certificate
FIT_KEY_SIGN_PKCS ?= "-x509"
+# Description string
+FIT_DESC ?= "U-Boot fitImage for ${DISTRO_NAME}/${PV}/${MACHINE}"
+
#
# Emit the fitImage ITS header
#
@@ -81,7 +84,7 @@ fitimage_emit_fit_header() {
/dts-v1/;
/ {
- description = "U-Boot fitImage for ${DISTRO_NAME}/${PV}/${MACHINE}";
+ description = "${FIT_DESC}";
#address-cells = <1>;
EOF
}
--
1.8.3.1
^ permalink raw reply related [flat|nested] 10+ messages in thread* [PATCH 2/8] classes/kernel-fitimage: make fitimage_emit_section_config more readable
2020-12-17 2:51 [PATCH 0/8] kernel-fitimage extensions Paul Eggleton
2020-12-17 2:51 ` [PATCH 1/8] classes/kernel-fitimage: add variable for description Paul Eggleton
@ 2020-12-17 2:51 ` Paul Eggleton
2020-12-17 2:51 ` [PATCH 3/8] classes/kernel-fitimage: allow substituting mkimage command Paul Eggleton
` (6 subsequent siblings)
8 siblings, 0 replies; 10+ messages in thread
From: Paul Eggleton @ 2020-12-17 2:51 UTC (permalink / raw)
To: openembedded-core; +Cc: Usama Arif
From: Easwar Hariharan <eahariha@microsoft.com>
fitimage_emit_section_config() has a number of arguments, add named
variables to make the function a bit more readable.
Signed-off-by: Easwar Hariharan <eahariha@microsoft.com>
Signed-off-by: Paul Eggleton <paul.eggleton@microsoft.com>
---
meta/classes/kernel-fitimage.bbclass | 53 ++++++++++++++++++++----------------
1 file changed, 30 insertions(+), 23 deletions(-)
diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass
index f121eee..f3d18e2 100644
--- a/meta/classes/kernel-fitimage.bbclass
+++ b/meta/classes/kernel-fitimage.bbclass
@@ -273,6 +273,13 @@ fitimage_emit_section_config() {
conf_sign_keyname="${UBOOT_SIGN_KEYNAME}"
fi
+ its_file="${1}"
+ kernel_id="${2}"
+ dtb_image="${3}"
+ ramdisk_id="${4}"
+ config_id="${5}"
+ default_flag="${6}"
+
# Test if we have any DTBs at all
sep=""
conf_desc=""
@@ -285,49 +292,49 @@ fitimage_emit_section_config() {
# conf node name is selected based on dtb ID if it is present,
# otherwise its selected based on kernel ID
- if [ -n "${3}" ]; then
- conf_node=$conf_node${3}
+ if [ -n "${dtb_image}" ]; then
+ conf_node=$conf_node${dtb_image}
else
- conf_node=$conf_node${2}
+ conf_node=$conf_node${kernel_id}
fi
- if [ -n "${2}" ]; then
+ if [ -n "${kernel_id}" ]; then
conf_desc="Linux kernel"
sep=", "
- kernel_line="kernel = \"kernel@${2}\";"
+ kernel_line="kernel = \"kernel@${kernel_id}\";"
fi
- if [ -n "${3}" ]; then
+ if [ -n "${dtb_image}" ]; then
conf_desc="${conf_desc}${sep}FDT blob"
sep=", "
- fdt_line="fdt = \"fdt@${3}\";"
+ fdt_line="fdt = \"fdt@${dtb_image}\";"
fi
- if [ -n "${4}" ]; then
+ if [ -n "${ramdisk_id}" ]; then
conf_desc="${conf_desc}${sep}ramdisk"
sep=", "
- ramdisk_line="ramdisk = \"ramdisk@${4}\";"
+ ramdisk_line="ramdisk = \"ramdisk@${ramdisk_id}\";"
fi
- if [ -n "${5}" ]; then
+ if [ -n "${config_id}" ]; then
conf_desc="${conf_desc}${sep}setup"
- setup_line="setup = \"setup@${5}\";"
+ setup_line="setup = \"setup@${config_id}\";"
fi
- if [ "${6}" = "1" ]; then
+ if [ "${default_flag}" = "1" ]; then
# default node is selected based on dtb ID if it is present,
# otherwise its selected based on kernel ID
- if [ -n "${3}" ]; then
- default_line="default = \"conf@${3}\";"
+ if [ -n "${dtb_image}" ]; then
+ default_line="default = \"conf@${dtb_image}\";"
else
- default_line="default = \"conf@${2}\";"
+ default_line="default = \"conf@${kernel_id}\";"
fi
fi
- cat << EOF >> ${1}
+ cat << EOF >> ${its_file}
${default_line}
$conf_node {
- description = "${6} ${conf_desc}";
+ description = "${default_flag} ${conf_desc}";
${kernel_line}
${fdt_line}
${ramdisk_line}
@@ -342,28 +349,28 @@ EOF
sign_line="sign-images = "
sep=""
- if [ -n "${2}" ]; then
+ if [ -n "${kernel_id}" ]; then
sign_line="${sign_line}${sep}\"kernel\""
sep=", "
fi
- if [ -n "${3}" ]; then
+ if [ -n "${dtb_image}" ]; then
sign_line="${sign_line}${sep}\"fdt\""
sep=", "
fi
- if [ -n "${4}" ]; then
+ if [ -n "${ramdisk_id}" ]; then
sign_line="${sign_line}${sep}\"ramdisk\""
sep=", "
fi
- if [ -n "${5}" ]; then
+ if [ -n "${config_id}" ]; then
sign_line="${sign_line}${sep}\"setup\""
fi
sign_line="${sign_line};"
- cat << EOF >> ${1}
+ cat << EOF >> ${its_file}
signature@1 {
algo = "${conf_csum},${conf_sign_algo}";
key-name-hint = "${conf_sign_keyname}";
@@ -372,7 +379,7 @@ EOF
EOF
fi
- cat << EOF >> ${1}
+ cat << EOF >> ${its_file}
};
EOF
}
--
1.8.3.1
^ permalink raw reply related [flat|nested] 10+ messages in thread* [PATCH 3/8] classes/kernel-fitimage: allow substituting mkimage command
2020-12-17 2:51 [PATCH 0/8] kernel-fitimage extensions Paul Eggleton
2020-12-17 2:51 ` [PATCH 1/8] classes/kernel-fitimage: add variable for description Paul Eggleton
2020-12-17 2:51 ` [PATCH 2/8] classes/kernel-fitimage: make fitimage_emit_section_config more readable Paul Eggleton
@ 2020-12-17 2:51 ` Paul Eggleton
2020-12-17 2:51 ` [PATCH 4/8] classes/kernel-fitimage: add ability to add additional signing options Paul Eggleton
` (5 subsequent siblings)
8 siblings, 0 replies; 10+ messages in thread
From: Paul Eggleton @ 2020-12-17 2:51 UTC (permalink / raw)
To: openembedded-core; +Cc: Usama Arif
From: Paul Eggleton <paul.eggleton@microsoft.com>
Add a UBOOT_MKIMAGE and UBOOT_MKIMAGE_SIGN variables to allow specifying
an alternative uboot-mkimage executable (or wrapper script/function).
Signed-off-by: Paul Eggleton <paul.eggleton@microsoft.com>
---
meta/classes/kernel-fitimage.bbclass | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass
index f3d18e2..08b5db2 100644
--- a/meta/classes/kernel-fitimage.bbclass
+++ b/meta/classes/kernel-fitimage.bbclass
@@ -75,6 +75,10 @@ FIT_KEY_SIGN_PKCS ?= "-x509"
# Description string
FIT_DESC ?= "U-Boot fitImage for ${DISTRO_NAME}/${PV}/${MACHINE}"
+# mkimage command
+UBOOT_MKIMAGE ?= "uboot-mkimage"
+UBOOT_MKIMAGE_SIGN ?= "${UBOOT_MKIMAGE}"
+
#
# Emit the fitImage ITS header
#
@@ -505,7 +509,7 @@ fitimage_assemble() {
#
# Step 6: Assemble the image
#
- uboot-mkimage \
+ ${UBOOT_MKIMAGE} \
${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
-f ${1} \
arch/${ARCH}/boot/${2}
@@ -521,7 +525,7 @@ fitimage_assemble() {
cp -P ${STAGING_DATADIR}/u-boot*.dtb ${B}
add_key_to_u_boot="-K ${B}/${UBOOT_DTB_BINARY}"
fi
- uboot-mkimage \
+ ${UBOOT_MKIMAGE_SIGN} \
${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
-F -k "${UBOOT_SIGN_KEYDIR}" \
$add_key_to_u_boot \
--
1.8.3.1
^ permalink raw reply related [flat|nested] 10+ messages in thread* [PATCH 4/8] classes/kernel-fitimage: add ability to add additional signing options
2020-12-17 2:51 [PATCH 0/8] kernel-fitimage extensions Paul Eggleton
` (2 preceding siblings ...)
2020-12-17 2:51 ` [PATCH 3/8] classes/kernel-fitimage: allow substituting mkimage command Paul Eggleton
@ 2020-12-17 2:51 ` Paul Eggleton
2020-12-17 2:51 ` [PATCH 5/8] classes/kernel-fitimage: add ability to sign individual images Paul Eggleton
` (4 subsequent siblings)
8 siblings, 0 replies; 10+ messages in thread
From: Paul Eggleton @ 2020-12-17 2:51 UTC (permalink / raw)
To: openembedded-core; +Cc: Usama Arif
From: Paul Eggleton <paul.eggleton@microsoft.com>
Add a UBOOT_MKIMAGE_SIGN_ARGS variable to enable passing additional
options to uboot-mkimage when it is run the second time to perform
signing.
Signed-off-by: Paul Eggleton <paul.eggleton@microsoft.com>
---
meta/classes/kernel-fitimage.bbclass | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass
index 08b5db2..9661b4f 100644
--- a/meta/classes/kernel-fitimage.bbclass
+++ b/meta/classes/kernel-fitimage.bbclass
@@ -79,6 +79,9 @@ FIT_DESC ?= "U-Boot fitImage for ${DISTRO_NAME}/${PV}/${MACHINE}"
UBOOT_MKIMAGE ?= "uboot-mkimage"
UBOOT_MKIMAGE_SIGN ?= "${UBOOT_MKIMAGE}"
+# Arguments passed to mkimage for signing
+UBOOT_MKIMAGE_SIGN_ARGS ?= ""
+
#
# Emit the fitImage ITS header
#
@@ -529,7 +532,8 @@ fitimage_assemble() {
${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
-F -k "${UBOOT_SIGN_KEYDIR}" \
$add_key_to_u_boot \
- -r arch/${ARCH}/boot/${2}
+ -r arch/${ARCH}/boot/${2} \
+ ${UBOOT_MKIMAGE_SIGN_ARGS}
fi
}
--
1.8.3.1
^ permalink raw reply related [flat|nested] 10+ messages in thread* [PATCH 5/8] classes/kernel-fitimage: add ability to sign individual images
2020-12-17 2:51 [PATCH 0/8] kernel-fitimage extensions Paul Eggleton
` (3 preceding siblings ...)
2020-12-17 2:51 ` [PATCH 4/8] classes/kernel-fitimage: add ability to add additional signing options Paul Eggleton
@ 2020-12-17 2:51 ` Paul Eggleton
2020-12-17 2:51 ` [PATCH 6/8] oe-selftest: move FIT image tests to their own module Paul Eggleton
` (3 subsequent siblings)
8 siblings, 0 replies; 10+ messages in thread
From: Paul Eggleton @ 2020-12-17 2:51 UTC (permalink / raw)
To: openembedded-core; +Cc: Usama Arif
From: Luca Boccassi <luca.boccassi@microsoft.com>
Add the ability to have the kernel, dtb and ramdisk individually signed
by setting FIT_SIGN_INDIVIDUAL = "1". This could be useful if you are
intending to verify signatures before using kexec for example.
Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
Signed-off-by: Paul Eggleton <paul.eggleton@microsoft.com>
---
meta/classes/kernel-fitimage.bbclass | 42 ++++++++++++++++++++++++++++++++++++
1 file changed, 42 insertions(+)
diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass
index 9661b4f..9fa302a 100644
--- a/meta/classes/kernel-fitimage.bbclass
+++ b/meta/classes/kernel-fitimage.bbclass
@@ -75,6 +75,9 @@ FIT_KEY_SIGN_PKCS ?= "-x509"
# Description string
FIT_DESC ?= "U-Boot fitImage for ${DISTRO_NAME}/${PV}/${MACHINE}"
+# Sign individual images as well
+FIT_SIGN_INDIVIDUAL ?= "0"
+
# mkimage command
UBOOT_MKIMAGE ?= "uboot-mkimage"
UBOOT_MKIMAGE_SIGN ?= "${UBOOT_MKIMAGE}"
@@ -142,6 +145,8 @@ EOF
fitimage_emit_section_kernel() {
kernel_csum="${FIT_HASH_ALG}"
+ kernel_sign_algo="${FIT_SIGN_ALG}"
+ kernel_sign_keyname="${UBOOT_SIGN_KEYNAME}"
ENTRYPOINT="${UBOOT_ENTRYPOINT}"
if [ -n "${UBOOT_ENTRYSYMBOL}" ]; then
@@ -164,6 +169,17 @@ fitimage_emit_section_kernel() {
};
};
EOF
+
+ if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${kernel_sign_keyname}" ] ; then
+ sed -i '$ d' ${1}
+ cat << EOF >> ${1}
+ signature@1 {
+ algo = "${kernel_csum},${kernel_sign_algo}";
+ key-name-hint = "${kernel_sign_keyname}";
+ };
+ };
+EOF
+ fi
}
#
@@ -175,6 +191,8 @@ EOF
fitimage_emit_section_dtb() {
dtb_csum="${FIT_HASH_ALG}"
+ dtb_sign_algo="${FIT_SIGN_ALG}"
+ dtb_sign_keyname="${UBOOT_SIGN_KEYNAME}"
dtb_loadline=""
dtb_ext=${DTB##*.}
@@ -198,6 +216,17 @@ fitimage_emit_section_dtb() {
};
};
EOF
+
+ if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${dtb_sign_keyname}" ] ; then
+ sed -i '$ d' ${1}
+ cat << EOF >> ${1}
+ signature@1 {
+ algo = "${dtb_csum},${dtb_sign_algo}";
+ key-name-hint = "${dtb_sign_keyname}";
+ };
+ };
+EOF
+ fi
}
#
@@ -236,6 +265,8 @@ EOF
fitimage_emit_section_ramdisk() {
ramdisk_csum="${FIT_HASH_ALG}"
+ ramdisk_sign_algo="${FIT_SIGN_ALG}"
+ ramdisk_sign_keyname="${UBOOT_SIGN_KEYNAME}"
ramdisk_loadline=""
ramdisk_entryline=""
@@ -261,6 +292,17 @@ fitimage_emit_section_ramdisk() {
};
};
EOF
+
+ if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${ramdisk_sign_keyname}" ] ; then
+ sed -i '$ d' ${1}
+ cat << EOF >> ${1}
+ signature@1 {
+ algo = "${ramdisk_csum},${ramdisk_sign_algo}";
+ key-name-hint = "${ramdisk_sign_keyname}";
+ };
+ };
+EOF
+ fi
}
#
--
1.8.3.1
^ permalink raw reply related [flat|nested] 10+ messages in thread* [PATCH 6/8] oe-selftest: move FIT image tests to their own module
2020-12-17 2:51 [PATCH 0/8] kernel-fitimage extensions Paul Eggleton
` (4 preceding siblings ...)
2020-12-17 2:51 ` [PATCH 5/8] classes/kernel-fitimage: add ability to sign individual images Paul Eggleton
@ 2020-12-17 2:51 ` Paul Eggleton
2020-12-17 2:51 ` [PATCH 7/8] oe-selftest: fitimage: Test for FIT_DESC Paul Eggleton
` (2 subsequent siblings)
8 siblings, 0 replies; 10+ messages in thread
From: Paul Eggleton @ 2020-12-17 2:51 UTC (permalink / raw)
To: openembedded-core; +Cc: Usama Arif
From: Paul Eggleton <paul.eggleton@microsoft.com>
I'm about to add an additional test, and on the assumption that we might
also add more in future it seems reasonable to have the tests in their own
module.
Signed-off-by: Paul Eggleton <paul.eggleton@microsoft.com>
---
meta/lib/oeqa/selftest/cases/fitimage.py | 84 +++++++++++++++++++++++++++
meta/lib/oeqa/selftest/cases/imagefeatures.py | 74 -----------------------
2 files changed, 84 insertions(+), 74 deletions(-)
create mode 100644 meta/lib/oeqa/selftest/cases/fitimage.py
diff --git a/meta/lib/oeqa/selftest/cases/fitimage.py b/meta/lib/oeqa/selftest/cases/fitimage.py
new file mode 100644
index 0000000..2c3803d
--- /dev/null
+++ b/meta/lib/oeqa/selftest/cases/fitimage.py
@@ -0,0 +1,84 @@
+#
+# SPDX-License-Identifier: MIT
+#
+
+from oeqa.selftest.case import OESelftestTestCase
+from oeqa.utils.commands import runCmd, bitbake, get_bb_var, runqemu
+import os
+import json
+
+class FitImageTests(OESelftestTestCase):
+
+ def test_fit_image(self):
+ """
+ Summary: Check if FIT image and Image Tree Source (its) are built
+ and the Image Tree Source has the correct fields.
+ Expected: 1. fitImage and fitImage-its can be built
+ 2. The type, load address, entrypoint address and
+ default values of kernel and ramdisk are as expected
+ in the Image Tree Source. Not all the fields are tested,
+ only the key fields that wont vary between different
+ architectures.
+ Product: oe-core
+ Author: Usama Arif <usama.arif@arm.com>
+ """
+ config = """
+# Enable creation of fitImage
+KERNEL_IMAGETYPE = "Image"
+KERNEL_IMAGETYPES += " fitImage "
+KERNEL_CLASSES = " kernel-fitimage "
+
+# RAM disk variables including load address and entrypoint for kernel and RAM disk
+IMAGE_FSTYPES += "cpio.gz"
+INITRAMFS_IMAGE = "core-image-minimal"
+UBOOT_RD_LOADADDRESS = "0x88000000"
+UBOOT_RD_ENTRYPOINT = "0x88000000"
+UBOOT_LOADADDRESS = "0x80080000"
+UBOOT_ENTRYPOINT = "0x80080000"
+"""
+ self.write_config(config)
+
+ # fitImage is created as part of linux recipe
+ bitbake("virtual/kernel")
+
+ image_type = "core-image-minimal"
+ deploy_dir_image = get_bb_var('DEPLOY_DIR_IMAGE')
+ machine = get_bb_var('MACHINE')
+ fitimage_its_path = os.path.join(deploy_dir_image,
+ "fitImage-its-%s-%s-%s" % (image_type, machine, machine))
+ fitimage_path = os.path.join(deploy_dir_image,
+ "fitImage-%s-%s-%s" % (image_type, machine, machine))
+
+ self.assertTrue(os.path.exists(fitimage_its_path),
+ "%s image tree source doesn't exist" % (fitimage_its_path))
+ self.assertTrue(os.path.exists(fitimage_path),
+ "%s FIT image doesn't exist" % (fitimage_path))
+
+ # Check that the type, load address, entrypoint address and default
+ # values for kernel and ramdisk in Image Tree Source are as expected.
+ # The order of fields in the below array is important. Not all the
+ # fields are tested, only the key fields that wont vary between
+ # different architectures.
+ its_field_check = ['type = "kernel";',
+ 'load = <0x80080000>;',
+ 'entry = <0x80080000>;',
+ 'type = "ramdisk";',
+ 'load = <0x88000000>;',
+ 'entry = <0x88000000>;',
+ 'default = "conf@1";',
+ 'kernel = "kernel@1";',
+ 'ramdisk = "ramdisk@1";'
+ ]
+
+ with open(fitimage_its_path) as its_file:
+ field_index = 0
+ for line in its_file:
+ if field_index == len(its_field_check):
+ break
+ if its_field_check[field_index] in line:
+ field_index +=1
+
+ if field_index != len(its_field_check): # if its equal, the test passed
+ self.assertTrue(field_index == len(its_field_check),
+ "Fields in Image Tree Source File %s did not match, error in finding %s"
+ % (fitimage_its_path, its_field_check[field_index]))
diff --git a/meta/lib/oeqa/selftest/cases/imagefeatures.py b/meta/lib/oeqa/selftest/cases/imagefeatures.py
index 415e031..6723a81 100644
--- a/meta/lib/oeqa/selftest/cases/imagefeatures.py
+++ b/meta/lib/oeqa/selftest/cases/imagefeatures.py
@@ -264,80 +264,6 @@ PNBLACKLIST[busybox] = "Don't build this"
bitbake("--graphviz core-image-sato")
- def test_fit_image(self):
- """
- Summary: Check if FIT image and Image Tree Source (its) are built
- and the Image Tree Source has the correct fields.
- Expected: 1. fitImage and fitImage-its can be built
- 2. The type, load address, entrypoint address and
- default values of kernel and ramdisk are as expected
- in the Image Tree Source. Not all the fields are tested,
- only the key fields that wont vary between different
- architectures.
- Product: oe-core
- Author: Usama Arif <usama.arif@arm.com>
- """
- config = """
-# Enable creation of fitImage
-KERNEL_IMAGETYPE = "Image"
-KERNEL_IMAGETYPES += " fitImage "
-KERNEL_CLASSES = " kernel-fitimage "
-
-# RAM disk variables including load address and entrypoint for kernel and RAM disk
-IMAGE_FSTYPES += "cpio.gz"
-INITRAMFS_IMAGE = "core-image-minimal"
-UBOOT_RD_LOADADDRESS = "0x88000000"
-UBOOT_RD_ENTRYPOINT = "0x88000000"
-UBOOT_LOADADDRESS = "0x80080000"
-UBOOT_ENTRYPOINT = "0x80080000"
-"""
- self.write_config(config)
-
- # fitImage is created as part of linux recipe
- bitbake("virtual/kernel")
-
- image_type = "core-image-minimal"
- deploy_dir_image = get_bb_var('DEPLOY_DIR_IMAGE')
- machine = get_bb_var('MACHINE')
- fitimage_its_path = os.path.join(deploy_dir_image,
- "fitImage-its-%s-%s-%s" % (image_type, machine, machine))
- fitimage_path = os.path.join(deploy_dir_image,
- "fitImage-%s-%s-%s" % (image_type, machine, machine))
-
- self.assertTrue(os.path.exists(fitimage_its_path),
- "%s image tree source doesn't exist" % (fitimage_its_path))
- self.assertTrue(os.path.exists(fitimage_path),
- "%s FIT image doesn't exist" % (fitimage_path))
-
- # Check that the type, load address, entrypoint address and default
- # values for kernel and ramdisk in Image Tree Source are as expected.
- # The order of fields in the below array is important. Not all the
- # fields are tested, only the key fields that wont vary between
- # different architectures.
- its_field_check = ['type = "kernel";',
- 'load = <0x80080000>;',
- 'entry = <0x80080000>;',
- 'type = "ramdisk";',
- 'load = <0x88000000>;',
- 'entry = <0x88000000>;',
- 'default = "conf@1";',
- 'kernel = "kernel@1";',
- 'ramdisk = "ramdisk@1";'
- ]
-
- with open(fitimage_its_path) as its_file:
- field_index = 0
- for line in its_file:
- if field_index == len(its_field_check):
- break
- if its_field_check[field_index] in line:
- field_index +=1
-
- if field_index != len(its_field_check): # if its equal, the test passed
- self.assertTrue(field_index == len(its_field_check),
- "Fields in Image Tree Source File %s did not match, error in finding %s"
- % (fitimage_its_path, its_field_check[field_index]))
-
def test_image_gen_debugfs(self):
"""
Summary: Check debugfs generation
--
1.8.3.1
^ permalink raw reply related [flat|nested] 10+ messages in thread* [PATCH 7/8] oe-selftest: fitimage: Test for FIT_DESC
2020-12-17 2:51 [PATCH 0/8] kernel-fitimage extensions Paul Eggleton
` (5 preceding siblings ...)
2020-12-17 2:51 ` [PATCH 6/8] oe-selftest: move FIT image tests to their own module Paul Eggleton
@ 2020-12-17 2:51 ` Paul Eggleton
2020-12-17 2:51 ` [PATCH 8/8] oe-selftest: fitimage: add test for signing FIT images Paul Eggleton
2021-01-01 13:33 ` [PATCH 0/8] kernel-fitimage extensions Usama Arif
8 siblings, 0 replies; 10+ messages in thread
From: Paul Eggleton @ 2020-12-17 2:51 UTC (permalink / raw)
To: openembedded-core; +Cc: Usama Arif
From: Paul Eggleton <paul.eggleton@microsoft.com>
Add verification of FIT_DESC to the existing test for kernel-fitimage.
Signed-off-by: Paul Eggleton <paul.eggleton@microsoft.com>
---
meta/lib/oeqa/selftest/cases/fitimage.py | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/meta/lib/oeqa/selftest/cases/fitimage.py b/meta/lib/oeqa/selftest/cases/fitimage.py
index 2c3803d..2a02c60 100644
--- a/meta/lib/oeqa/selftest/cases/fitimage.py
+++ b/meta/lib/oeqa/selftest/cases/fitimage.py
@@ -35,6 +35,7 @@ UBOOT_RD_LOADADDRESS = "0x88000000"
UBOOT_RD_ENTRYPOINT = "0x88000000"
UBOOT_LOADADDRESS = "0x80080000"
UBOOT_ENTRYPOINT = "0x80080000"
+FIT_DESC = "A model description"
"""
self.write_config(config)
@@ -59,7 +60,9 @@ UBOOT_ENTRYPOINT = "0x80080000"
# The order of fields in the below array is important. Not all the
# fields are tested, only the key fields that wont vary between
# different architectures.
- its_field_check = ['type = "kernel";',
+ its_field_check = [
+ 'description = "A model description";',
+ 'type = "kernel";',
'load = <0x80080000>;',
'entry = <0x80080000>;',
'type = "ramdisk";',
--
1.8.3.1
^ permalink raw reply related [flat|nested] 10+ messages in thread* [PATCH 8/8] oe-selftest: fitimage: add test for signing FIT images
2020-12-17 2:51 [PATCH 0/8] kernel-fitimage extensions Paul Eggleton
` (6 preceding siblings ...)
2020-12-17 2:51 ` [PATCH 7/8] oe-selftest: fitimage: Test for FIT_DESC Paul Eggleton
@ 2020-12-17 2:51 ` Paul Eggleton
2021-01-01 13:33 ` [PATCH 0/8] kernel-fitimage extensions Usama Arif
8 siblings, 0 replies; 10+ messages in thread
From: Paul Eggleton @ 2020-12-17 2:51 UTC (permalink / raw)
To: openembedded-core; +Cc: Usama Arif
From: Paul Eggleton <paul.eggleton@microsoft.com>
Add a new test to verify signing FIT images. Also includes testing for
the newly introduced FIT_SIGN_INDIVIDUAL, UBOOT_MKIMAGE,
UBOOT_MKIMAGE_SIGN, and UBOOT_MKIMAGE_SIGN_ARGS variables.
Signed-off-by: Paul Eggleton <paul.eggleton@microsoft.com>
---
meta-selftest/classes/test-mkimage-wrapper.bbclass | 19 +++
meta/lib/oeqa/selftest/cases/fitimage.py | 146 +++++++++++++++++++++
2 files changed, 165 insertions(+)
create mode 100644 meta-selftest/classes/test-mkimage-wrapper.bbclass
diff --git a/meta-selftest/classes/test-mkimage-wrapper.bbclass b/meta-selftest/classes/test-mkimage-wrapper.bbclass
new file mode 100644
index 0000000..7c98d7b
--- /dev/null
+++ b/meta-selftest/classes/test-mkimage-wrapper.bbclass
@@ -0,0 +1,19 @@
+# Class to test UBOOT_MKIMAGE and UBOOT_MKIMAGE_SIGN
+# (in conjunction with kernel-fitimage.bbclass)
+#
+# SPDX-License-Identifier: MIT
+#
+
+UBOOT_MKIMAGE = "test_mkimage_wrapper"
+UBOOT_MKIMAGE_SIGN = "test_mkimage_signing_wrapper"
+
+test_mkimage_wrapper() {
+ echo "### uboot-mkimage wrapper message"
+ uboot-mkimage "$@"
+}
+
+test_mkimage_signing_wrapper() {
+ echo "### uboot-mkimage signing wrapper message"
+ uboot-mkimage "$@"
+}
+
diff --git a/meta/lib/oeqa/selftest/cases/fitimage.py b/meta/lib/oeqa/selftest/cases/fitimage.py
index 2a02c60..19b9f53 100644
--- a/meta/lib/oeqa/selftest/cases/fitimage.py
+++ b/meta/lib/oeqa/selftest/cases/fitimage.py
@@ -6,6 +6,7 @@ from oeqa.selftest.case import OESelftestTestCase
from oeqa.utils.commands import runCmd, bitbake, get_bb_var, runqemu
import os
import json
+import re
class FitImageTests(OESelftestTestCase):
@@ -85,3 +86,148 @@ FIT_DESC = "A model description"
self.assertTrue(field_index == len(its_field_check),
"Fields in Image Tree Source File %s did not match, error in finding %s"
% (fitimage_its_path, its_field_check[field_index]))
+
+
+ def test_sign_fit_image(self):
+ """
+ Summary: Check if FIT image and Image Tree Source (its) are created
+ and signed correctly.
+ Expected: 1) its and FIT image are built successfully
+ 2) Scanning the its file indicates signing is enabled
+ as requested by UBOOT_SIGN_ENABLE (using keys generated
+ via FIT_GENERATE_KEYS)
+ 3) Dumping the FIT image indicates signature values
+ are present (including for images as enabled via
+ FIT_SIGN_INDIVIDUAL)
+ 4) Examination of the do_assemble_fitimage runfile/logfile
+ indicate that UBOOT_MKIMAGE, UBOOT_MKIMAGE_SIGN and
+ UBOOT_MKIMAGE_SIGN_ARGS are working as expected.
+ Product: oe-core
+ Author: Paul Eggleton <paul.eggleton@microsoft.com> based upon
+ work by Usama Arif <usama.arif@arm.com>
+ """
+ config = """
+# Enable creation of fitImage
+MACHINE = "beaglebone-yocto"
+KERNEL_IMAGETYPES += " fitImage "
+KERNEL_CLASSES = " kernel-fitimage test-mkimage-wrapper "
+UBOOT_SIGN_ENABLE = "1"
+FIT_GENERATE_KEYS = "1"
+UBOOT_SIGN_KEYDIR = "${TOPDIR}/signing-keys"
+UBOOT_SIGN_KEYNAME = "oe-selftest"
+FIT_SIGN_INDIVIDUAL = "1"
+UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'"
+"""
+ self.write_config(config)
+
+ # fitImage is created as part of linux recipe
+ bitbake("virtual/kernel")
+
+ image_type = "core-image-minimal"
+ deploy_dir_image = get_bb_var('DEPLOY_DIR_IMAGE')
+ machine = get_bb_var('MACHINE')
+ fitimage_its_path = os.path.join(deploy_dir_image,
+ "fitImage-its-%s" % (machine,))
+ fitimage_path = os.path.join(deploy_dir_image,
+ "fitImage-%s.bin" % (machine,))
+
+ self.assertTrue(os.path.exists(fitimage_its_path),
+ "%s image tree source doesn't exist" % (fitimage_its_path))
+ self.assertTrue(os.path.exists(fitimage_path),
+ "%s FIT image doesn't exist" % (fitimage_path))
+
+ req_itspaths = [
+ ['/', 'images', 'kernel@1'],
+ ['/', 'images', 'kernel@1', 'signature@1'],
+ ['/', 'images', 'fdt@am335x-boneblack.dtb'],
+ ['/', 'images', 'fdt@am335x-boneblack.dtb', 'signature@1'],
+ ['/', 'configurations', 'conf@am335x-boneblack.dtb'],
+ ['/', 'configurations', 'conf@am335x-boneblack.dtb', 'signature@1'],
+ ]
+
+ itspath = []
+ itspaths = []
+ linect = 0
+ sigs = {}
+ with open(fitimage_its_path) as its_file:
+ linect += 1
+ for line in its_file:
+ line = line.strip()
+ if line.endswith('};'):
+ itspath.pop()
+ elif line.endswith('{'):
+ itspath.append(line[:-1].strip())
+ itspaths.append(itspath[:])
+ elif itspath and itspath[-1] == 'signature@1':
+ itsdotpath = '.'.join(itspath)
+ if not itsdotpath in sigs:
+ sigs[itsdotpath] = {}
+ if not '=' in line or not line.endswith(';'):
+ self.fail('Unexpected formatting in %s sigs section line %d:%s' % (fitimage_its_path, linect, line))
+ key, value = line.split('=', 1)
+ sigs[itsdotpath][key.rstrip()] = value.lstrip().rstrip(';')
+
+ for reqpath in req_itspaths:
+ if not reqpath in itspaths:
+ self.fail('Missing section in its file: %s' % reqpath)
+
+ reqsigvalues_image = {
+ 'algo': '"sha256,rsa2048"',
+ 'key-name-hint': '"oe-selftest"',
+ }
+ reqsigvalues_config = {
+ 'algo': '"sha256,rsa2048"',
+ 'key-name-hint': '"oe-selftest"',
+ 'sign-images': '"kernel", "fdt"',
+ }
+
+ for itspath, values in sigs.items():
+ if 'conf@' in itspath:
+ reqsigvalues = reqsigvalues_config
+ else:
+ reqsigvalues = reqsigvalues_image
+ for reqkey, reqvalue in reqsigvalues.items():
+ value = values.get(reqkey, None)
+ if value is None:
+ self.fail('Missing key "%s" in its file signature section %s' % (reqkey, itspath))
+ self.assertEqual(value, reqvalue)
+
+ # Dump the image to see if it really got signed
+ bitbake("u-boot-tools-native -c addto_recipe_sysroot")
+ result = runCmd('bitbake -e u-boot-tools-native | grep ^RECIPE_SYSROOT_NATIVE=')
+ recipe_sysroot_native = result.output.split('=')[1].strip('"')
+ dumpimage_path = os.path.join(recipe_sysroot_native, 'usr', 'bin', 'dumpimage')
+ result = runCmd('%s -l %s' % (dumpimage_path, fitimage_path))
+ in_signed = None
+ signed_sections = {}
+ for line in result.output.splitlines():
+ if line.startswith((' Configuration', ' Image')):
+ in_signed = re.search('\((.*)\)', line).groups()[0]
+ elif re.match('^ *', line) in (' ', ''):
+ in_signed = None
+ elif in_signed:
+ if not in_signed in signed_sections:
+ signed_sections[in_signed] = {}
+ key, value = line.split(':', 1)
+ signed_sections[in_signed][key.strip()] = value.strip()
+ self.assertIn('kernel@1', signed_sections)
+ self.assertIn('fdt@am335x-boneblack.dtb', signed_sections)
+ self.assertIn('conf@am335x-boneblack.dtb', signed_sections)
+ for signed_section, values in signed_sections.items():
+ value = values.get('Sign algo', None)
+ self.assertEqual(value, 'sha256,rsa2048:oe-selftest', 'Signature algorithm for %s not expected value' % signed_section)
+ value = values.get('Sign value', None)
+ self.assertEqual(len(value), 512, 'Signature value for section %s not expected length' % signed_section)
+
+ # Check for UBOOT_MKIMAGE_SIGN_ARGS
+ result = runCmd('bitbake -e virtual/kernel | grep ^T=')
+ tempdir = result.output.split('=', 1)[1].strip().strip('')
+ result = runCmd('grep "a smart comment" %s/run.do_assemble_fitimage' % tempdir, ignore_status=True)
+ self.assertEqual(result.status, 0, 'UBOOT_MKIMAGE_SIGN_ARGS value did not get used')
+
+ # Check for evidence of test-mkimage-wrapper class
+ result = runCmd('grep "### uboot-mkimage wrapper message" %s/log.do_assemble_fitimage' % tempdir, ignore_status=True)
+ self.assertEqual(result.status, 0, 'UBOOT_MKIMAGE did not work')
+ result = runCmd('grep "### uboot-mkimage signing wrapper message" %s/log.do_assemble_fitimage' % tempdir, ignore_status=True)
+ self.assertEqual(result.status, 0, 'UBOOT_MKIMAGE_SIGN did not work')
+
--
1.8.3.1
^ permalink raw reply related [flat|nested] 10+ messages in thread* Re: [PATCH 0/8] kernel-fitimage extensions
2020-12-17 2:51 [PATCH 0/8] kernel-fitimage extensions Paul Eggleton
` (7 preceding siblings ...)
2020-12-17 2:51 ` [PATCH 8/8] oe-selftest: fitimage: add test for signing FIT images Paul Eggleton
@ 2021-01-01 13:33 ` Usama Arif
8 siblings, 0 replies; 10+ messages in thread
From: Usama Arif @ 2021-01-01 13:33 UTC (permalink / raw)
To: Paul Eggleton, openembedded-core
Hi,
I have reviewed the patches and they look good to me.
Thanks,
Usama
On 17/12/2020 02:51, Paul Eggleton wrote:
> Some minor extensions to the kernel-fitimage class, mostly for signing,
> with associated oe-selftest tests.
>
> (Separate docs patch is queued and will follow once these changes are
> pass review).
>
>
> The following changes since commit 6012fffa99b600956ea1076d60e050d0737b4c4f:
>
> systemd: Fix reallocarray check (2020-12-16 19:44:45 +0000)
>
> are available in the git repository at:
>
> git://git.openembedded.org/openembedded-core-contrib paule/fitimage
> http://cgit.openembedded.org/openembedded-core-contrib/log/?h=paule/fitimage
>
> Easwar Hariharan (1):
> classes/kernel-fitimage: make fitimage_emit_section_config more
> readable
>
> Luca Boccassi (1):
> classes/kernel-fitimage: add ability to sign individual images
>
> Paul Eggleton (6):
> classes/kernel-fitimage: add variable for description
> classes/kernel-fitimage: allow substituting mkimage command
> classes/kernel-fitimage: add ability to add additional signing options
> oe-selftest: move FIT image tests to their own module
> oe-selftest: fitimage: Test for FIT_DESC
> oe-selftest: fitimage: add test for signing FIT images
>
> meta-selftest/classes/test-mkimage-wrapper.bbclass | 19 ++
> meta/classes/kernel-fitimage.bbclass | 114 +++++++---
> meta/lib/oeqa/selftest/cases/fitimage.py | 233 +++++++++++++++++++++
> meta/lib/oeqa/selftest/cases/imagefeatures.py | 74 -------
> 4 files changed, 339 insertions(+), 101 deletions(-)
> create mode 100644 meta-selftest/classes/test-mkimage-wrapper.bbclass
> create mode 100644 meta/lib/oeqa/selftest/cases/fitimage.py
>
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
^ permalink raw reply [flat|nested] 10+ messages in thread