oe-selftest: fitimage add more kernel tests

* Test with only one externally provided ssh key not only with two keys generated by the kernel-fitimage.bbclass itself. * Add a test which signs only the configuration but not the image nodes. There was no test case which covered the probably much more important use case of setting FIT_SIGN_INDIVIDUAL = "0". * Cover also the unbundled initramfs use case. Also this use case is probably much more relevant than the bundled initramnfs use case. (From OE-Core rev: 0a5b65b83dcd9f8d1d22d074fdfad1f1e472827c) Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Adrian Freihofer <adrian.freihofer@gmail.com> 2025-03-10 10:35:49 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2025-03-11 11:20:34 +0000
commit: 840504e256ed16b2501748a9a075a2adfc940128 (patch)
tree: 99322f13ab38079b7cbef6f3a572ba08a01b184b /meta
parent: 2db2709b8b2404e847adb96bc417627cb43f415e (diff)
download: poky-840504e256ed16b2501748a9a075a2adfc940128.tar.gz
1 files changed, 149 insertions, 2 deletions
diff --git a/meta/lib/oeqa/selftest/cases/fitimage.py b/meta/lib/oeqa/selftest/cases/fitimage.py
index 6f3bf296d5..721628d8e7 100644
--- a/meta/lib/oeqa/selftest/cases/fitimage.py
+++ b/meta/lib/oeqa/selftest/cases/fitimage.py
@@ -39,6 +39,52 @@ class FitImageTestCase(OESelftestTestCase):
    MKIMAGE_HASH_LENGTHS = { 'sha256': 64, 'sha384': 96, 'sha512': 128 }
    MKIMAGE_SIGNATURE_LENGTHS = { 'rsa2048': 512 }
+    def _gen_signing_key(self, bb_vars):
+        """Generate a key pair and a singing certificate
+        Generate a UBOOT_SIGN_KEYNAME in the UBOOT_SIGN_KEYDIR similar to what
+        the FIT_GENERATE_KEYS feature does. However, having a static key is
+        probably a more realistic use case than generating a random key with
+        each clean build. So this needs to be tested as well.
+        The FIT_GENERATE_KEYS generates 2 keys: The UBOOT_SIGN_KEYNAME and the
+        UBOOT_SIGN_IMG_KEYNAME. The UBOOT_SIGN_IMG_KEYNAME is used by the
+        FIT_SIGN_INDIVIDUAL feature only. Testing if everything is working if
+        there is only one key available is important as well. Therefore this
+        function generates only the keys which are really needed, not just two.
+        """
+        # Define some variables which are usually defined by the kernel-fitimage.bbclass.
+        # But for testing purpose check if the uboot-sign.bbclass is independent from
+        # the kernel-fitimage.bbclass
+        fit_sign_numbits = bb_vars['FIT_SIGN_NUMBITS'] or "2048"
+        fit_key_genrsa_args = bb_vars['FIT_KEY_GENRSA_ARGS'] or "-F4"
+        fit_key_req_args =  bb_vars['FIT_KEY_REQ_ARGS'] or "-batch -new"
+        fit_key_sign_pkcs = bb_vars['FIT_KEY_SIGN_PKCS'] or "-x509"
+        uboot_sign_keydir = bb_vars['UBOOT_SIGN_KEYDIR']
+        sign_keys = [bb_vars['UBOOT_SIGN_KEYNAME']]
+        if bb_vars['FIT_SIGN_INDIVIDUAL'] == "1":
+            sign_keys.append(bb_vars['UBOOT_SIGN_IMG_KEYNAME'])
+        for sign_key in sign_keys:
+            sing_key_path = os.path.join(uboot_sign_keydir, sign_key)
+            if not os.path.isdir(uboot_sign_keydir):
+                os.makedirs(uboot_sign_keydir)
+            openssl_bindir = FitImageTestCase._setup_native('openssl-native')
+            openssl_path = os.path.join(openssl_bindir, 'openssl')
+            runCmd("%s genrsa %s -out %s.key %s" % (
+                openssl_path,
+                fit_key_genrsa_args,
+                sing_key_path,
+                fit_sign_numbits
+            ))
+            runCmd("%s req %s %s -key %s.key -out %s.crt" % (
+                openssl_path,
+                fit_key_req_args,
+                fit_key_sign_pkcs,
+                sing_key_path,
+                sing_key_path
+            ))
    @staticmethod
    def _gen_random_file(file_path, num_bytes=65536):
        with open(file_path, 'wb') as file_out:
@@ -632,7 +678,50 @@ FIT_DESC = "A model description"
        self._test_fitimage(bb_vars)
-    def test_sign_fit_image(self):
+    def test_sign_fit_image_configurations(self):
+        """
+        Summary:     Check if FIT image and Image Tree Source (its) are created
+                     and the configuration nodes are signed correctly.
+        Expected:    1) its and FIT image are built successfully
+                     2) Scanning the its file indicates signing is enabled
+                        as requested by UBOOT_SIGN_ENABLE (using 1 key
+                        generated by the test not via FIT_GENERATE_KEYS)
+                     3) Dumping the FIT image indicates signature values
+                        are present (only for the configuration nodes as
+                        FIT_SIGN_INDIVIDUAL is disabled)
+                     4) Verify the FIT image contains the comments passed via
+                        UBOOT_MKIMAGE_SIGN_ARGS once per configuration node.
+        """
+        # Generate a configuration section which gets included into the local.conf file
+        config = """
+# Enable creation of fitImage
+MACHINE = "beaglebone-yocto"
+KERNEL_IMAGETYPES += " fitImage "
+KERNEL_CLASSES = " kernel-fitimage "
+UBOOT_SIGN_ENABLE = "1"
+UBOOT_SIGN_KEYDIR = "${TOPDIR}/signing-keys"
+UBOOT_SIGN_KEYNAME = "dev"
+UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'"
+"""
+        config = self._config_add_uboot_env(config)
+        self.write_config(config)
+        # Retrieve some variables from bitbake
+        bb_vars = self._fit_get_bb_vars([
+            'FIT_KEY_GENRSA_ARGS',
+            'FIT_KEY_REQ_ARGS',
+            'FIT_KEY_SIGN_PKCS',
+            'FIT_SIGN_NUMBITS',
+            'UBOOT_SIGN_KEYDIR',
+        ])
+        # Do not use the random keys generated by FIT_GENERATE_KEYS.
+        # Using a static key is probably a more realistic scenario.
+        self._gen_signing_key(bb_vars)
+        self._test_fitimage(bb_vars)
+    def test_sign_fit_image_individual(self):
        """
        Summary:     Check if FIT image and Image Tree Source (its) are created
                     and all nodes are signed correctly.
@@ -673,8 +762,66 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'"
        bb_vars = self._fit_get_bb_vars()
        self._test_fitimage(bb_vars)
+    def test_fit_image_sign_initramfs(self):
+        """
+        Summary:     Verifies the content of the initramfs node in the FIT Image Tree Source (its)
+                     The FIT settings are set by the test case.
+                     The machine used is beaglebone-yocto.
+        Expected:    1. The ITS is generated with initramfs support
+                     2. All the fields in the kernel node are as expected (matching the
+                        conf settings)
+                     3. The kernel is included in all the available configurations and
+                        its hash is included in the configuration signature
+        Product:     oe-core
+        Author:      Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
+        """
+        config = """
+DISTRO="poky"
+MACHINE = "beaglebone-yocto"
+INITRAMFS_IMAGE = "core-image-minimal-initramfs"
+INITRAMFS_SCRIPTS = ""
+UBOOT_MACHINE = "am335x_evm_defconfig"
+KERNEL_CLASSES = " kernel-fitimage "
+KERNEL_IMAGETYPES = "fitImage"
+UBOOT_SIGN_ENABLE = "1"
+UBOOT_SIGN_KEYNAME = "beaglebonekey"
+UBOOT_SIGN_KEYDIR ?= "${DEPLOY_DIR_IMAGE}"
+UBOOT_DTB_BINARY = "u-boot.dtb"
+UBOOT_ENTRYPOINT  = "0x80000000"
+UBOOT_LOADADDRESS = "0x80000000"
+UBOOT_RD_LOADADDRESS = "0x88000000"
+UBOOT_RD_ENTRYPOINT = "0x88000000"
+UBOOT_DTB_LOADADDRESS = "0x82000000"
+UBOOT_ARCH = "arm"
+UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb -p 2000"
+UBOOT_MKIMAGE_KERNEL_TYPE = "kernel"
+UBOOT_EXTLINUX = "0"
+FIT_GENERATE_KEYS = "1"
+KERNEL_IMAGETYPE_REPLACEMENT = "zImage"
+FIT_KERNEL_COMP_ALG = "none"
+FIT_HASH_ALG = "sha256"
+"""
+        config = self._config_add_uboot_env(config)
+        self.write_config(config)
+        # Retrieve some variables from bitbake
+        bb_vars = self._fit_get_bb_vars([
+            'FIT_KEY_GENRSA_ARGS',
+            'FIT_KEY_REQ_ARGS',
+            'FIT_KEY_SIGN_PKCS',
+            'FIT_SIGN_NUMBITS',
+            'UBOOT_SIGN_KEYDIR',
+        ])
+        # Do not use the random keys generated by FIT_GENERATE_KEYS.
+        # Using a static key is probably a more realistic scenario.
+        self._gen_signing_key(bb_vars)
+        self._test_fitimage(bb_vars)
-    def test_initramfs_bundle(self):
+    def test_fit_image_sign_initramfs_bundle(self):
        """
        Summary:     Verifies the content of the initramfs bundle node in the FIT Image Tree Source (its)
                     The FIT settings are set by the test case.
author	Adrian Freihofer <adrian.freihofer@gmail.com>	2025-03-10 10:35:49 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2025-03-11 11:20:34 +0000
commit	840504e256ed16b2501748a9a075a2adfc940128 (patch)
tree	99322f13ab38079b7cbef6f3a572ba08a01b184b /meta
parent	2db2709b8b2404e847adb96bc417627cb43f415e (diff)
download	poky-840504e256ed16b2501748a9a075a2adfc940128.tar.gz

diff --git a/meta/lib/oeqa/selftest/cases/fitimage.py b/meta/lib/oeqa/selftest/cases/fitimage.py index 6f3bf296d5..721628d8e7 100644 --- a/meta/lib/oeqa/selftest/cases/fitimage.py +++ b/meta/lib/oeqa/selftest/cases/fitimage.py
@@ -39,6 +39,52 @@ class FitImageTestCase(OESelftestTestCase):
39	MKIMAGE_HASH_LENGTHS = { 'sha256': 64, 'sha384': 96, 'sha512': 128 }	39	MKIMAGE_HASH_LENGTHS = { 'sha256': 64, 'sha384': 96, 'sha512': 128 }
40	MKIMAGE_SIGNATURE_LENGTHS = { 'rsa2048': 512 }	40	MKIMAGE_SIGNATURE_LENGTHS = { 'rsa2048': 512 }
41		41
		42	def _gen_signing_key(self, bb_vars):
		43	"""Generate a key pair and a singing certificate
		44
		45	Generate a UBOOT_SIGN_KEYNAME in the UBOOT_SIGN_KEYDIR similar to what
		46	the FIT_GENERATE_KEYS feature does. However, having a static key is
		47	probably a more realistic use case than generating a random key with
		48	each clean build. So this needs to be tested as well.
		49	The FIT_GENERATE_KEYS generates 2 keys: The UBOOT_SIGN_KEYNAME and the
		50	UBOOT_SIGN_IMG_KEYNAME. The UBOOT_SIGN_IMG_KEYNAME is used by the
		51	FIT_SIGN_INDIVIDUAL feature only. Testing if everything is working if
		52	there is only one key available is important as well. Therefore this
		53	function generates only the keys which are really needed, not just two.
		54	"""
		55
		56	# Define some variables which are usually defined by the kernel-fitimage.bbclass.
		57	# But for testing purpose check if the uboot-sign.bbclass is independent from
		58	# the kernel-fitimage.bbclass
		59	fit_sign_numbits = bb_vars['FIT_SIGN_NUMBITS'] or "2048"
		60	fit_key_genrsa_args = bb_vars['FIT_KEY_GENRSA_ARGS'] or "-F4"
		61	fit_key_req_args = bb_vars['FIT_KEY_REQ_ARGS'] or "-batch -new"
		62	fit_key_sign_pkcs = bb_vars['FIT_KEY_SIGN_PKCS'] or "-x509"
		63
		64	uboot_sign_keydir = bb_vars['UBOOT_SIGN_KEYDIR']
		65	sign_keys = [bb_vars['UBOOT_SIGN_KEYNAME']]
		66	if bb_vars['FIT_SIGN_INDIVIDUAL'] == "1":
		67	sign_keys.append(bb_vars['UBOOT_SIGN_IMG_KEYNAME'])
		68	for sign_key in sign_keys:
		69	sing_key_path = os.path.join(uboot_sign_keydir, sign_key)
		70	if not os.path.isdir(uboot_sign_keydir):
		71	os.makedirs(uboot_sign_keydir)
		72	openssl_bindir = FitImageTestCase._setup_native('openssl-native')
		73	openssl_path = os.path.join(openssl_bindir, 'openssl')
		74	runCmd("%s genrsa %s -out %s.key %s" % (
		75	openssl_path,
		76	fit_key_genrsa_args,
		77	sing_key_path,
		78	fit_sign_numbits
		79	))
		80	runCmd("%s req %s %s -key %s.key -out %s.crt" % (
		81	openssl_path,
		82	fit_key_req_args,
		83	fit_key_sign_pkcs,
		84	sing_key_path,
		85	sing_key_path
		86	))
		87
42	@staticmethod	88	@staticmethod
43	def _gen_random_file(file_path, num_bytes=65536):	89	def _gen_random_file(file_path, num_bytes=65536):
44	with open(file_path, 'wb') as file_out:	90	with open(file_path, 'wb') as file_out:
@@ -632,7 +678,50 @@ FIT_DESC = "A model description"
632	self._test_fitimage(bb_vars)	678	self._test_fitimage(bb_vars)
633		679
634		680
635	def test_sign_fit_image(self):	681	def test_sign_fit_image_configurations(self):
		682	"""
		683	Summary: Check if FIT image and Image Tree Source (its) are created
		684	and the configuration nodes are signed correctly.
		685	Expected: 1) its and FIT image are built successfully
		686	2) Scanning the its file indicates signing is enabled
		687	as requested by UBOOT_SIGN_ENABLE (using 1 key
		688	generated by the test not via FIT_GENERATE_KEYS)
		689	3) Dumping the FIT image indicates signature values
		690	are present (only for the configuration nodes as
		691	FIT_SIGN_INDIVIDUAL is disabled)
		692	4) Verify the FIT image contains the comments passed via
		693	UBOOT_MKIMAGE_SIGN_ARGS once per configuration node.
		694	"""
		695	# Generate a configuration section which gets included into the local.conf file
		696	config = """
		697	# Enable creation of fitImage
		698	MACHINE = "beaglebone-yocto"
		699	KERNEL_IMAGETYPES += " fitImage "
		700	KERNEL_CLASSES = " kernel-fitimage "
		701	UBOOT_SIGN_ENABLE = "1"
		702	UBOOT_SIGN_KEYDIR = "${TOPDIR}/signing-keys"
		703	UBOOT_SIGN_KEYNAME = "dev"
		704	UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'"
		705	"""
		706	config = self._config_add_uboot_env(config)
		707	self.write_config(config)
		708
		709	# Retrieve some variables from bitbake
		710	bb_vars = self._fit_get_bb_vars([
		711	'FIT_KEY_GENRSA_ARGS',
		712	'FIT_KEY_REQ_ARGS',
		713	'FIT_KEY_SIGN_PKCS',
		714	'FIT_SIGN_NUMBITS',
		715	'UBOOT_SIGN_KEYDIR',
		716	])
		717
		718	# Do not use the random keys generated by FIT_GENERATE_KEYS.
		719	# Using a static key is probably a more realistic scenario.
		720	self._gen_signing_key(bb_vars)
		721
		722	self._test_fitimage(bb_vars)
		723
		724	def test_sign_fit_image_individual(self):
636	"""	725	"""
637	Summary: Check if FIT image and Image Tree Source (its) are created	726	Summary: Check if FIT image and Image Tree Source (its) are created
638	and all nodes are signed correctly.	727	and all nodes are signed correctly.
@@ -673,8 +762,66 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'"
673	bb_vars = self._fit_get_bb_vars()	762	bb_vars = self._fit_get_bb_vars()
674	self._test_fitimage(bb_vars)	763	self._test_fitimage(bb_vars)
675		764
		765	def test_fit_image_sign_initramfs(self):
		766	"""
		767	Summary: Verifies the content of the initramfs node in the FIT Image Tree Source (its)
		768	The FIT settings are set by the test case.
		769	The machine used is beaglebone-yocto.
		770	Expected: 1. The ITS is generated with initramfs support
		771	2. All the fields in the kernel node are as expected (matching the
		772	conf settings)
		773	3. The kernel is included in all the available configurations and
		774	its hash is included in the configuration signature
		775
		776	Product: oe-core
		777	Author: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
		778	"""
		779
		780	config = """
		781	DISTRO="poky"
		782	MACHINE = "beaglebone-yocto"
		783	INITRAMFS_IMAGE = "core-image-minimal-initramfs"
		784	INITRAMFS_SCRIPTS = ""
		785	UBOOT_MACHINE = "am335x_evm_defconfig"
		786	KERNEL_CLASSES = " kernel-fitimage "
		787	KERNEL_IMAGETYPES = "fitImage"
		788	UBOOT_SIGN_ENABLE = "1"
		789	UBOOT_SIGN_KEYNAME = "beaglebonekey"
		790	UBOOT_SIGN_KEYDIR ?= "${DEPLOY_DIR_IMAGE}"
		791	UBOOT_DTB_BINARY = "u-boot.dtb"
		792	UBOOT_ENTRYPOINT = "0x80000000"
		793	UBOOT_LOADADDRESS = "0x80000000"
		794	UBOOT_RD_LOADADDRESS = "0x88000000"
		795	UBOOT_RD_ENTRYPOINT = "0x88000000"
		796	UBOOT_DTB_LOADADDRESS = "0x82000000"
		797	UBOOT_ARCH = "arm"
		798	UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb -p 2000"
		799	UBOOT_MKIMAGE_KERNEL_TYPE = "kernel"
		800	UBOOT_EXTLINUX = "0"
		801	FIT_GENERATE_KEYS = "1"
		802	KERNEL_IMAGETYPE_REPLACEMENT = "zImage"
		803	FIT_KERNEL_COMP_ALG = "none"
		804	FIT_HASH_ALG = "sha256"
		805	"""
		806	config = self._config_add_uboot_env(config)
		807	self.write_config(config)
		808
		809	# Retrieve some variables from bitbake
		810	bb_vars = self._fit_get_bb_vars([
		811	'FIT_KEY_GENRSA_ARGS',
		812	'FIT_KEY_REQ_ARGS',
		813	'FIT_KEY_SIGN_PKCS',
		814	'FIT_SIGN_NUMBITS',
		815	'UBOOT_SIGN_KEYDIR',
		816	])
		817
		818	# Do not use the random keys generated by FIT_GENERATE_KEYS.
		819	# Using a static key is probably a more realistic scenario.
		820	self._gen_signing_key(bb_vars)
		821
		822	self._test_fitimage(bb_vars)
676		823
677	def test_initramfs_bundle(self):	824	def test_fit_image_sign_initramfs_bundle(self):
678	"""	825	"""
679	Summary: Verifies the content of the initramfs bundle node in the FIT Image Tree Source (its)	826	Summary: Verifies the content of the initramfs bundle node in the FIT Image Tree Source (its)
680	The FIT settings are set by the test case.	827	The FIT settings are set by the test case.