1 files changed, 505 insertions, 0 deletions
diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass
new file mode 100644
index 0000000000..debbf23ec6
--- /dev/null
+++ b/meta/classes-recipe/uboot-sign.bbclass
@@ -0,0 +1,505 @@
+#
+# Copyright OpenEmbedded Contributors
+#
+# SPDX-License-Identifier: MIT
+#
+# This file is part of U-Boot verified boot support and is intended to be
+# inherited from u-boot recipe and from kernel-fitimage.bbclass.
+#
+# The signature procedure requires the user to generate an RSA key and
+# certificate in a directory and to define the following variable:
+#
+#   UBOOT_SIGN_KEYDIR = "/keys/directory"
+#   UBOOT_SIGN_KEYNAME = "dev" # keys name in keydir (eg. "dev.crt", "dev.key")
+#   UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb -p 2000"
+#   UBOOT_SIGN_ENABLE = "1"
+#
+# As verified boot depends on fitImage generation, following is also required:
+#
+#   KERNEL_CLASSES ?= " kernel-fitimage "
+#   KERNEL_IMAGETYPE ?= "fitImage"
+#
+# The signature support is limited to the use of CONFIG_OF_SEPARATE in U-Boot.
+#
+# The tasks sequence is set as below, using DEPLOY_IMAGE_DIR as common place to
+# treat the device tree blob:
+#
+# * u-boot:do_install:append
+#   Install UBOOT_DTB_BINARY to datadir, so that kernel can use it for
+#   signing, and kernel will deploy UBOOT_DTB_BINARY after signs it.
+#
+# * virtual/kernel:do_assemble_fitimage
+#   Sign the image
+#
+# * u-boot:do_deploy[postfuncs]
+#   Deploy files like UBOOT_DTB_IMAGE, UBOOT_DTB_SYMLINK and others.
+#
+# For more details on signature process, please refer to U-Boot documentation.
+# We need some variables from u-boot-config
+inherit uboot-config
+# Enable use of a U-Boot fitImage
+UBOOT_FITIMAGE_ENABLE ?= "0"
+# Signature activation - these require their respective fitImages
+UBOOT_SIGN_ENABLE ?= "0"
+SPL_SIGN_ENABLE ?= "0"
+# Default value for deployment filenames.
+UBOOT_DTB_IMAGE ?= "u-boot-${MACHINE}-${PV}-${PR}.dtb"
+UBOOT_DTB_BINARY ?= "u-boot.dtb"
+UBOOT_DTB_SYMLINK ?= "u-boot-${MACHINE}.dtb"
+UBOOT_NODTB_IMAGE ?= "u-boot-nodtb-${MACHINE}-${PV}-${PR}.bin"
+UBOOT_NODTB_BINARY ?= "u-boot-nodtb.bin"
+UBOOT_NODTB_SYMLINK ?= "u-boot-nodtb-${MACHINE}.bin"
+UBOOT_ITS_IMAGE ?= "u-boot-its-${MACHINE}-${PV}-${PR}"
+UBOOT_ITS ?= "u-boot.its"
+UBOOT_ITS_SYMLINK ?= "u-boot-its-${MACHINE}"
+UBOOT_FITIMAGE_IMAGE ?= "u-boot-fitImage-${MACHINE}-${PV}-${PR}"
+UBOOT_FITIMAGE_BINARY ?= "u-boot-fitImage"
+UBOOT_FITIMAGE_SYMLINK ?= "u-boot-fitImage-${MACHINE}"
+SPL_DIR ?= "spl"
+SPL_DTB_IMAGE ?= "u-boot-spl-${MACHINE}-${PV}-${PR}.dtb"
+SPL_DTB_BINARY ?= "u-boot-spl.dtb"
+SPL_DTB_SYMLINK ?= "u-boot-spl-${MACHINE}.dtb"
+SPL_NODTB_IMAGE ?= "u-boot-spl-nodtb-${MACHINE}-${PV}-${PR}.bin"
+SPL_NODTB_BINARY ?= "u-boot-spl-nodtb.bin"
+SPL_NODTB_SYMLINK ?= "u-boot-spl-nodtb-${MACHINE}.bin"
+# U-Boot fitImage description
+UBOOT_FIT_DESC ?= "U-Boot fitImage for ${DISTRO_NAME}/${PV}/${MACHINE}"
+# Kernel / U-Boot fitImage Hash Algo
+FIT_HASH_ALG ?= "sha256"
+UBOOT_FIT_HASH_ALG ?= "sha256"
+# Kernel / U-Boot fitImage Signature Algo
+FIT_SIGN_ALG ?= "rsa2048"
+UBOOT_FIT_SIGN_ALG ?= "rsa2048"
+# Kernel / U-Boot fitImage Padding Algo
+FIT_PAD_ALG ?= "pkcs-1.5"
+# Generate keys for signing Kernel / U-Boot fitImage
+FIT_GENERATE_KEYS ?= "0"
+UBOOT_FIT_GENERATE_KEYS ?= "0"
+# Size of private keys in number of bits
+FIT_SIGN_NUMBITS ?= "2048"
+UBOOT_FIT_SIGN_NUMBITS ?= "2048"
+# args to openssl genrsa (Default is just the public exponent)
+FIT_KEY_GENRSA_ARGS ?= "-F4"
+UBOOT_FIT_KEY_GENRSA_ARGS ?= "-F4"
+# args to openssl req (Default is -batch for non interactive mode and
+# -new for new certificate)
+FIT_KEY_REQ_ARGS ?= "-batch -new"
+UBOOT_FIT_KEY_REQ_ARGS ?= "-batch -new"
+# Standard format for public key certificate
+FIT_KEY_SIGN_PKCS ?= "-x509"
+UBOOT_FIT_KEY_SIGN_PKCS ?= "-x509"
+# Functions on this bbclass can apply to either U-boot or Kernel,
+# depending on the scenario
+UBOOT_PN = "${@d.getVar('PREFERRED_PROVIDER_u-boot') or 'u-boot'}"
+KERNEL_PN = "${@d.getVar('PREFERRED_PROVIDER_virtual/kernel')}"
+# We need u-boot-tools-native if we're creating a U-Boot fitImage
+python() {
+    if d.getVar('UBOOT_FITIMAGE_ENABLE') == '1':
+        depends = d.getVar("DEPENDS")
+        depends = "%s u-boot-tools-native dtc-native" % depends
+        d.setVar("DEPENDS", depends)
+}
+concat_dtb_helper() {
+        if [ -e "${UBOOT_DTB_BINARY}" ]; then
+                ln -sf ${UBOOT_DTB_IMAGE} ${DEPLOYDIR}/${UBOOT_DTB_BINARY}
+                ln -sf ${UBOOT_DTB_IMAGE} ${DEPLOYDIR}/${UBOOT_DTB_SYMLINK}
+        fi
+        if [ -f "${UBOOT_NODTB_BINARY}" ]; then
+                install ${UBOOT_NODTB_BINARY} ${DEPLOYDIR}/${UBOOT_NODTB_IMAGE}
+                ln -sf ${UBOOT_NODTB_IMAGE} ${DEPLOYDIR}/${UBOOT_NODTB_SYMLINK}
+                ln -sf ${UBOOT_NODTB_IMAGE} ${DEPLOYDIR}/${UBOOT_NODTB_BINARY}
+        fi
+        # If we're not using a signed u-boot fit, concatenate SPL w/o DTB & U-Boot DTB
+        # with public key (otherwise it will be deployed by the equivalent
+        # concat_spl_dtb_helper function - cf. kernel-fitimage.bbclass for more details)
+        if [ "${SPL_SIGN_ENABLE}" != "1" ] ; then
+                deployed_uboot_dtb_binary='${DEPLOY_DIR_IMAGE}/${UBOOT_DTB_IMAGE}'
+                if [ "x${UBOOT_SUFFIX}" = "ximg" -o "x${UBOOT_SUFFIX}" = "xrom" ] && \
+                        [ -e "$deployed_uboot_dtb_binary" ]; then
+                        oe_runmake EXT_DTB=$deployed_uboot_dtb_binary
+                        install ${UBOOT_BINARY} ${DEPLOYDIR}/${UBOOT_IMAGE}
+                elif [ -e "${DEPLOYDIR}/${UBOOT_NODTB_IMAGE}" -a -e "$deployed_uboot_dtb_binary" ]; then
+                        cd ${DEPLOYDIR}
+                        cat ${UBOOT_NODTB_IMAGE} $deployed_uboot_dtb_binary | tee ${B}/${CONFIG_B_PATH}/${UBOOT_BINARY} > ${UBOOT_IMAGE}
+                        if [ -n "${UBOOT_CONFIG}" ]
+                        then
+                                i=0
+                                j=0
+                                for config in ${UBOOT_MACHINE}; do
+                                        i=$(expr $i + 1);
+                                        for type in ${UBOOT_CONFIG}; do
+                                                j=$(expr $j + 1);
+                                                if [ $j -eq $i ]
+                                                then
+                                                        cp ${UBOOT_IMAGE} ${B}/${CONFIG_B_PATH}/u-boot-$type.${UBOOT_SUFFIX}
+                                                fi
+                                        done
+                                done
+                        fi
+                else
+                        bbwarn "Failure while adding public key to u-boot binary. Verified boot won't be available."
+                fi
+        fi
+}
+concat_spl_dtb_helper() {
+        # We only deploy symlinks to the u-boot-spl.dtb,as the KERNEL_PN will
+        # be responsible for deploying the real file
+        if [ -e "${SPL_DIR}/${SPL_DTB_BINARY}" ] ; then
+                ln -sf ${SPL_DTB_IMAGE} ${DEPLOYDIR}/${SPL_DTB_SYMLINK}
+                ln -sf ${SPL_DTB_IMAGE} ${DEPLOYDIR}/${SPL_DTB_BINARY}
+        fi
+        # Concatenate the SPL nodtb binary and u-boot.dtb
+        deployed_spl_dtb_binary='${DEPLOY_DIR_IMAGE}/${SPL_DTB_IMAGE}'
+        if [ -e "${DEPLOYDIR}/${SPL_NODTB_IMAGE}" -a -e "$deployed_spl_dtb_binary" ] ; then
+                cd ${DEPLOYDIR}
+                cat ${SPL_NODTB_IMAGE} $deployed_spl_dtb_binary | tee ${B}/${CONFIG_B_PATH}/${SPL_BINARY} > ${SPL_IMAGE}
+        else
+                bbwarn "Failure while adding public key to spl binary. Verified U-Boot boot won't be available."
+        fi
+}
+concat_dtb() {
+        if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${PN}" = "${UBOOT_PN}" -a -n "${UBOOT_DTB_BINARY}" ]; then
+                mkdir -p ${DEPLOYDIR}
+                if [ -n "${UBOOT_CONFIG}" ]; then
+                        for config in ${UBOOT_MACHINE}; do
+                                CONFIG_B_PATH="$config"
+                                cd ${B}/$config
+                                concat_dtb_helper
+                        done
+                else
+                        CONFIG_B_PATH=""
+                        cd ${B}
+                        concat_dtb_helper
+                fi
+        fi
+}
+concat_spl_dtb() {
+        if [ "${SPL_SIGN_ENABLE}" = "1" -a "${PN}" = "${UBOOT_PN}" -a -n "${SPL_DTB_BINARY}" ]; then
+                mkdir -p ${DEPLOYDIR}
+                if [ -n "${UBOOT_CONFIG}" ]; then
+                        for config in ${UBOOT_MACHINE}; do
+                                CONFIG_B_PATH="$config"
+                                cd ${B}/$config
+                                concat_spl_dtb_helper
+                        done
+                else
+                        CONFIG_B_PATH=""
+                        cd ${B}
+                        concat_spl_dtb_helper
+                fi
+        fi
+}
+# Install UBOOT_DTB_BINARY to datadir, so that kernel can use it for
+# signing, and kernel will deploy UBOOT_DTB_BINARY after signs it.
+install_helper() {
+        if [ -f "${UBOOT_DTB_BINARY}" ]; then
+                # UBOOT_DTB_BINARY is a symlink to UBOOT_DTB_IMAGE, so we
+                # need both of them.
+                install -Dm 0644 ${UBOOT_DTB_BINARY} ${D}${datadir}/${UBOOT_DTB_IMAGE}
+                ln -sf ${UBOOT_DTB_IMAGE} ${D}${datadir}/${UBOOT_DTB_BINARY}
+        else
+                bbwarn "${UBOOT_DTB_BINARY} not found"
+        fi
+}
+# Install SPL dtb and u-boot nodtb to datadir,
+install_spl_helper() {
+        if [ -f "${SPL_DIR}/${SPL_DTB_BINARY}" ]; then
+                install -Dm 0644 ${SPL_DIR}/${SPL_DTB_BINARY} ${D}${datadir}/${SPL_DTB_IMAGE}
+                ln -sf ${SPL_DTB_IMAGE} ${D}${datadir}/${SPL_DTB_BINARY}
+        else
+                bbwarn "${SPL_DTB_BINARY} not found"
+        fi
+        if [ -f "${UBOOT_NODTB_BINARY}" ] ; then
+                install -Dm 0644 ${UBOOT_NODTB_BINARY} ${D}${datadir}/${UBOOT_NODTB_IMAGE}
+                ln -sf ${UBOOT_NODTB_IMAGE} ${D}${datadir}/${UBOOT_NODTB_BINARY}
+        else
+                bbwarn "${UBOOT_NODTB_BINARY} not found"
+        fi
+        # We need to install a 'stub' u-boot-fitimage + its to datadir,
+        # so that the KERNEL_PN can use the correct filename when
+        # assembling and deploying them
+        touch ${D}/${datadir}/${UBOOT_FITIMAGE_IMAGE}
+        touch ${D}/${datadir}/${UBOOT_ITS_IMAGE}
+}
+do_install:append() {
+        if [ "${PN}" = "${UBOOT_PN}" ]; then
+                if [ -n "${UBOOT_CONFIG}" ]; then
+                        for config in ${UBOOT_MACHINE}; do
+                                cd ${B}/$config
+                                if [ "${UBOOT_SIGN_ENABLE}" = "1" -o "${UBOOT_FITIMAGE_ENABLE}" = "1" ] && \
+                                        [ -n "${UBOOT_DTB_BINARY}" ]; then
+                                        install_helper
+                                fi
+                                if [ "${UBOOT_FITIMAGE_ENABLE}" = "1" -a -n "${SPL_DTB_BINARY}" ]; then
+                                        install_spl_helper
+                                fi
+                        done
+                else
+                        cd ${B}
+                        if [ "${UBOOT_SIGN_ENABLE}" = "1" -o "${UBOOT_FITIMAGE_ENABLE}" = "1" ] && \
+                                [ -n "${UBOOT_DTB_BINARY}" ]; then
+                                install_helper
+                        fi
+                        if [ "${UBOOT_FITIMAGE_ENABLE}" = "1" -a -n "${SPL_DTB_BINARY}" ]; then
+                                install_spl_helper
+                        fi
+                fi
+        fi
+}
+do_uboot_generate_rsa_keys() {
+        if [ "${SPL_SIGN_ENABLE}" = "0" ] && [ "${UBOOT_FIT_GENERATE_KEYS}" = "1" ]; then
+                bbwarn "UBOOT_FIT_GENERATE_KEYS is set to 1 eventhough SPL_SIGN_ENABLE is set to 0. The keys will not be generated as they won't be used."
+        fi
+        if [ "${SPL_SIGN_ENABLE}" = "1" ] && [ "${UBOOT_FIT_GENERATE_KEYS}" = "1" ]; then
+                # Generate keys only if they don't already exist
+                if [ ! -f "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".key ] || \
+                        [ ! -f "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".crt ]; then
+                        # make directory if it does not already exist
+                        mkdir -p "${SPL_SIGN_KEYDIR}"
+                        echo "Generating RSA private key for signing U-Boot fitImage"
+                        openssl genrsa ${UBOOT_FIT_KEY_GENRSA_ARGS} -out \
+                                "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".key \
+                                "${UBOOT_FIT_SIGN_NUMBITS}"
+                        echo "Generating certificate for signing U-Boot fitImage"
+                        openssl req ${FIT_KEY_REQ_ARGS} "${UBOOT_FIT_KEY_SIGN_PKCS}" \
+                                -key "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".key \
+                                -out "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".crt
+                fi
+        fi
+}
+addtask uboot_generate_rsa_keys before do_uboot_assemble_fitimage after do_compile
+# Create a ITS file for the U-boot FIT, for use when
+# we want to sign it so that the SPL can verify it
+uboot_fitimage_assemble() {
+        uboot_its="$1"
+        uboot_nodtb_bin="$2"
+        uboot_dtb="$3"
+        uboot_bin="$4"
+        spl_dtb="$5"
+        uboot_csum="${UBOOT_FIT_HASH_ALG}"
+        uboot_sign_algo="${UBOOT_FIT_SIGN_ALG}"
+        uboot_sign_keyname="${SPL_SIGN_KEYNAME}"
+        rm -f $uboot_its $uboot_bin
+        # First we create the ITS script
+        cat << EOF >> $uboot_its
+/dts-v1/;
+/ {
+    description = "${UBOOT_FIT_DESC}";
+    #address-cells = <1>;
+    images {
+        uboot {
+            description = "U-Boot image";
+            data = /incbin/("$uboot_nodtb_bin");
+            type = "standalone";
+            os = "u-boot";
+            arch = "${UBOOT_ARCH}";
+            compression = "none";
+            load = <${UBOOT_LOADADDRESS}>;
+            entry = <${UBOOT_ENTRYPOINT}>;
+EOF
+        if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
+                cat << EOF >> $uboot_its
+            signature {
+                algo = "$uboot_csum,$uboot_sign_algo";
+                key-name-hint = "$uboot_sign_keyname";
+            };
+EOF
+        fi
+        cat << EOF >> $uboot_its
+        };
+        fdt {
+            description = "U-Boot FDT";
+            data = /incbin/("$uboot_dtb");
+            type = "flat_dt";
+            arch = "${UBOOT_ARCH}";
+            compression = "none";
+EOF
+        if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
+                cat << EOF >> $uboot_its
+            signature {
+                algo = "$uboot_csum,$uboot_sign_algo";
+                key-name-hint = "$uboot_sign_keyname";
+            };
+EOF
+        fi
+        cat << EOF >> $uboot_its
+        };
+    };
+    configurations {
+        default = "conf";
+        conf {
+            description = "Boot with signed U-Boot FIT";
+            loadables = "uboot";
+            fdt = "fdt";
+        };
+    };
+};
+EOF
+        #
+        # Assemble the U-boot FIT image
+        #
+        ${UBOOT_MKIMAGE} \
+                ${@'-D "${SPL_MKIMAGE_DTCOPTS}"' if len('${SPL_MKIMAGE_DTCOPTS}') else ''} \
+                -f $uboot_its \
+                $uboot_bin
+        if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
+                #
+                # Sign the U-boot FIT image and add public key to SPL dtb
+                #
+                ${UBOOT_MKIMAGE_SIGN} \
+                        ${@'-D "${SPL_MKIMAGE_DTCOPTS}"' if len('${SPL_MKIMAGE_DTCOPTS}') else ''} \
+                        -F -k "${SPL_SIGN_KEYDIR}" \
+                        -K "$spl_dtb" \
+                        -r $uboot_bin \
+                        ${SPL_MKIMAGE_SIGN_ARGS}
+        fi
+}
+do_uboot_assemble_fitimage() {
+        # This function runs in KERNEL_PN context. The reason for that is that we need to
+        # support the scenario where UBOOT_SIGN_ENABLE is placing the Kernel fitImage's
+        # pubkey in the u-boot.dtb file, so that we can use it when building the U-Boot
+        # fitImage itself.
+        if [ "${UBOOT_FITIMAGE_ENABLE}" = "1" ] && \
+           [ -n "${SPL_DTB_BINARY}" -a "${PN}" = "${KERNEL_PN}" ] ; then
+                if [ "${UBOOT_SIGN_ENABLE}" != "1" ]; then
+                        # If we're not signing the Kernel fitImage, that means
+                        # we need to copy the u-boot.dtb from staging ourselves
+                        cp -P ${STAGING_DATADIR}/u-boot*.dtb ${B}
+                fi
+                # As we are in the kernel context, we need to copy u-boot-spl.dtb from staging first.
+                # Unfortunately, need to glob on top of ${SPL_DTB_BINARY} since _IMAGE and _SYMLINK
+                # will contain U-boot's PV
+                # Similarly, we need to get the filename for the 'stub' u-boot-fitimage + its in
+                # staging so that we can use it for creating the image with the correct filename
+                # in the KERNEL_PN context.
+                # As for the u-boot.dtb (with fitimage's pubkey), it should come from the dependent
+                # do_assemble_fitimage task
+                cp -P ${STAGING_DATADIR}/u-boot-spl*.dtb ${B}
+                cp -P ${STAGING_DATADIR}/u-boot-nodtb*.bin ${B}
+                rm -rf ${B}/u-boot-fitImage-* ${B}/u-boot-its-*
+                kernel_uboot_fitimage_name=`basename ${STAGING_DATADIR}/u-boot-fitImage-*`
+                kernel_uboot_its_name=`basename ${STAGING_DATADIR}/u-boot-its-*`
+                cd ${B}
+                uboot_fitimage_assemble $kernel_uboot_its_name ${UBOOT_NODTB_BINARY} \
+                                        ${UBOOT_DTB_BINARY} $kernel_uboot_fitimage_name \
+                                        ${SPL_DTB_BINARY}
+        fi
+}
+addtask uboot_assemble_fitimage before do_deploy after do_compile
+do_deploy:prepend:pn-${UBOOT_PN}() {
+        if [ "${UBOOT_SIGN_ENABLE}" = "1" -a -n "${UBOOT_DTB_BINARY}" ] ; then
+                concat_dtb
+        fi
+        if [ "${UBOOT_FITIMAGE_ENABLE}" = "1" ] ; then
+        # Deploy the u-boot-nodtb binary and symlinks...
+                if [ -f "${SPL_DIR}/${SPL_NODTB_BINARY}" ] ; then
+                        echo "Copying u-boot-nodtb binary..."
+                        install -m 0644 ${SPL_DIR}/${SPL_NODTB_BINARY} ${DEPLOYDIR}/${SPL_NODTB_IMAGE}
+                        ln -sf ${SPL_NODTB_IMAGE} ${DEPLOYDIR}/${SPL_NODTB_SYMLINK}
+                        ln -sf ${SPL_NODTB_IMAGE} ${DEPLOYDIR}/${SPL_NODTB_BINARY}
+                fi
+                # We only deploy the symlinks to the uboot-fitImage and uboot-its
+                # images, as the KERNEL_PN will take care of deploying the real file
+                ln -sf ${UBOOT_FITIMAGE_IMAGE} ${DEPLOYDIR}/${UBOOT_FITIMAGE_BINARY}
+                ln -sf ${UBOOT_FITIMAGE_IMAGE} ${DEPLOYDIR}/${UBOOT_FITIMAGE_SYMLINK}
+                ln -sf ${UBOOT_ITS_IMAGE} ${DEPLOYDIR}/${UBOOT_ITS}
+                ln -sf ${UBOOT_ITS_IMAGE} ${DEPLOYDIR}/${UBOOT_ITS_SYMLINK}
+        fi
+        if [ "${SPL_SIGN_ENABLE}" = "1" -a -n "${SPL_DTB_BINARY}" ] ; then
+                concat_spl_dtb
+        fi
+}
+do_deploy:append:pn-${UBOOT_PN}() {
+        # If we're creating a u-boot fitImage, point u-boot.bin
+        # symlink since it might get used by image recipes
+        if [ "${UBOOT_FITIMAGE_ENABLE}" = "1" ] ; then
+                ln -sf ${UBOOT_FITIMAGE_IMAGE} ${DEPLOYDIR}/${UBOOT_BINARY}
+                ln -sf ${UBOOT_FITIMAGE_IMAGE} ${DEPLOYDIR}/${UBOOT_SYMLINK}
+        fi
+}
+python () {
+    if (   (d.getVar('UBOOT_SIGN_ENABLE') == '1'
+            or d.getVar('UBOOT_FITIMAGE_ENABLE') == '1')
+        and d.getVar('PN') == d.getVar('UBOOT_PN')
+        and d.getVar('UBOOT_DTB_BINARY')):
+        # Make "bitbake u-boot -cdeploy" deploys the signed u-boot.dtb
+        # and/or the U-Boot fitImage
+        d.appendVarFlag('do_deploy', 'depends', ' %s:do_deploy' % d.getVar('KERNEL_PN'))
+    if d.getVar('UBOOT_FITIMAGE_ENABLE') == '1' and d.getVar('PN') == d.getVar('KERNEL_PN'):
+        # As the U-Boot fitImage is created by the KERNEL_PN, we need
+        # to make sure that the u-boot-spl.dtb and u-boot-spl-nodtb.bin
+        # files are in the staging dir for it's use
+        d.appendVarFlag('do_uboot_assemble_fitimage', 'depends', ' %s:do_populate_sysroot' % d.getVar('UBOOT_PN'))
+        # If the Kernel fitImage is being signed, we need to
+        # create the U-Boot fitImage after it
+        if d.getVar('UBOOT_SIGN_ENABLE') == '1':
+            d.appendVarFlag('do_uboot_assemble_fitimage', 'depends', ' %s:do_assemble_fitimage' % d.getVar('KERNEL_PN'))
+            d.appendVarFlag('do_uboot_assemble_fitimage', 'depends', ' %s:do_assemble_fitimage_initramfs' % d.getVar('KERNEL_PN'))
+}

diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass new file mode 100644 index 0000000000..debbf23ec6 --- /dev/null +++ b/meta/classes-recipe/uboot-sign.bbclass
@@ -0,0 +1,505 @@
	1	#
	2	# Copyright OpenEmbedded Contributors
	3	#
	4	# SPDX-License-Identifier: MIT
	5	#
	6
	7	# This file is part of U-Boot verified boot support and is intended to be
	8	# inherited from u-boot recipe and from kernel-fitimage.bbclass.
	9	#
	10	# The signature procedure requires the user to generate an RSA key and
	11	# certificate in a directory and to define the following variable:
	12	#
	13	# UBOOT_SIGN_KEYDIR = "/keys/directory"
	14	# UBOOT_SIGN_KEYNAME = "dev" # keys name in keydir (eg. "dev.crt", "dev.key")
	15	# UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb -p 2000"
	16	# UBOOT_SIGN_ENABLE = "1"
	17	#
	18	# As verified boot depends on fitImage generation, following is also required:
	19	#
	20	# KERNEL_CLASSES ?= " kernel-fitimage "
	21	# KERNEL_IMAGETYPE ?= "fitImage"
	22	#
	23	# The signature support is limited to the use of CONFIG_OF_SEPARATE in U-Boot.
	24	#
	25	# The tasks sequence is set as below, using DEPLOY_IMAGE_DIR as common place to
	26	# treat the device tree blob:
	27	#
	28	# * u-boot:do_install:append
	29	# Install UBOOT_DTB_BINARY to datadir, so that kernel can use it for
	30	# signing, and kernel will deploy UBOOT_DTB_BINARY after signs it.
	31	#
	32	# * virtual/kernel:do_assemble_fitimage
	33	# Sign the image
	34	#
	35	# * u-boot:do_deploy[postfuncs]
	36	# Deploy files like UBOOT_DTB_IMAGE, UBOOT_DTB_SYMLINK and others.
	37	#
	38	# For more details on signature process, please refer to U-Boot documentation.
	39
	40	# We need some variables from u-boot-config
	41	inherit uboot-config
	42
	43	# Enable use of a U-Boot fitImage
	44	UBOOT_FITIMAGE_ENABLE ?= "0"
	45
	46	# Signature activation - these require their respective fitImages
	47	UBOOT_SIGN_ENABLE ?= "0"
	48	SPL_SIGN_ENABLE ?= "0"
	49
	50	# Default value for deployment filenames.
	51	UBOOT_DTB_IMAGE ?= "u-boot-${MACHINE}-${PV}-${PR}.dtb"
	52	UBOOT_DTB_BINARY ?= "u-boot.dtb"
	53	UBOOT_DTB_SYMLINK ?= "u-boot-${MACHINE}.dtb"
	54	UBOOT_NODTB_IMAGE ?= "u-boot-nodtb-${MACHINE}-${PV}-${PR}.bin"
	55	UBOOT_NODTB_BINARY ?= "u-boot-nodtb.bin"
	56	UBOOT_NODTB_SYMLINK ?= "u-boot-nodtb-${MACHINE}.bin"
	57	UBOOT_ITS_IMAGE ?= "u-boot-its-${MACHINE}-${PV}-${PR}"
	58	UBOOT_ITS ?= "u-boot.its"
	59	UBOOT_ITS_SYMLINK ?= "u-boot-its-${MACHINE}"
	60	UBOOT_FITIMAGE_IMAGE ?= "u-boot-fitImage-${MACHINE}-${PV}-${PR}"
	61	UBOOT_FITIMAGE_BINARY ?= "u-boot-fitImage"
	62	UBOOT_FITIMAGE_SYMLINK ?= "u-boot-fitImage-${MACHINE}"
	63	SPL_DIR ?= "spl"
	64	SPL_DTB_IMAGE ?= "u-boot-spl-${MACHINE}-${PV}-${PR}.dtb"
	65	SPL_DTB_BINARY ?= "u-boot-spl.dtb"
	66	SPL_DTB_SYMLINK ?= "u-boot-spl-${MACHINE}.dtb"
	67	SPL_NODTB_IMAGE ?= "u-boot-spl-nodtb-${MACHINE}-${PV}-${PR}.bin"
	68	SPL_NODTB_BINARY ?= "u-boot-spl-nodtb.bin"
	69	SPL_NODTB_SYMLINK ?= "u-boot-spl-nodtb-${MACHINE}.bin"
	70
	71	# U-Boot fitImage description
	72	UBOOT_FIT_DESC ?= "U-Boot fitImage for ${DISTRO_NAME}/${PV}/${MACHINE}"
	73
	74	# Kernel / U-Boot fitImage Hash Algo
	75	FIT_HASH_ALG ?= "sha256"
	76	UBOOT_FIT_HASH_ALG ?= "sha256"
	77
	78	# Kernel / U-Boot fitImage Signature Algo
	79	FIT_SIGN_ALG ?= "rsa2048"
	80	UBOOT_FIT_SIGN_ALG ?= "rsa2048"
	81
	82	# Kernel / U-Boot fitImage Padding Algo
	83	FIT_PAD_ALG ?= "pkcs-1.5"
	84
	85	# Generate keys for signing Kernel / U-Boot fitImage
	86	FIT_GENERATE_KEYS ?= "0"
	87	UBOOT_FIT_GENERATE_KEYS ?= "0"
	88
	89	# Size of private keys in number of bits
	90	FIT_SIGN_NUMBITS ?= "2048"
	91	UBOOT_FIT_SIGN_NUMBITS ?= "2048"
	92
	93	# args to openssl genrsa (Default is just the public exponent)
	94	FIT_KEY_GENRSA_ARGS ?= "-F4"
	95	UBOOT_FIT_KEY_GENRSA_ARGS ?= "-F4"
	96
	97	# args to openssl req (Default is -batch for non interactive mode and
	98	# -new for new certificate)
	99	FIT_KEY_REQ_ARGS ?= "-batch -new"
	100	UBOOT_FIT_KEY_REQ_ARGS ?= "-batch -new"
	101
	102	# Standard format for public key certificate
	103	FIT_KEY_SIGN_PKCS ?= "-x509"
	104	UBOOT_FIT_KEY_SIGN_PKCS ?= "-x509"
	105
	106	# Functions on this bbclass can apply to either U-boot or Kernel,
	107	# depending on the scenario
	108	UBOOT_PN = "${@d.getVar('PREFERRED_PROVIDER_u-boot') or 'u-boot'}"
	109	KERNEL_PN = "${@d.getVar('PREFERRED_PROVIDER_virtual/kernel')}"
	110
	111	# We need u-boot-tools-native if we're creating a U-Boot fitImage
	112	python() {
	113	if d.getVar('UBOOT_FITIMAGE_ENABLE') == '1':
	114	depends = d.getVar("DEPENDS")
	115	depends = "%s u-boot-tools-native dtc-native" % depends
	116	d.setVar("DEPENDS", depends)
	117	}
	118
	119	concat_dtb_helper() {
	120	if [ -e "${UBOOT_DTB_BINARY}" ]; then
	121	ln -sf ${UBOOT_DTB_IMAGE} ${DEPLOYDIR}/${UBOOT_DTB_BINARY}
	122	ln -sf ${UBOOT_DTB_IMAGE} ${DEPLOYDIR}/${UBOOT_DTB_SYMLINK}
	123	fi
	124
	125	if [ -f "${UBOOT_NODTB_BINARY}" ]; then
	126	install ${UBOOT_NODTB_BINARY} ${DEPLOYDIR}/${UBOOT_NODTB_IMAGE}
	127	ln -sf ${UBOOT_NODTB_IMAGE} ${DEPLOYDIR}/${UBOOT_NODTB_SYMLINK}
	128	ln -sf ${UBOOT_NODTB_IMAGE} ${DEPLOYDIR}/${UBOOT_NODTB_BINARY}
	129	fi
	130
	131	# If we're not using a signed u-boot fit, concatenate SPL w/o DTB & U-Boot DTB
	132	# with public key (otherwise it will be deployed by the equivalent
	133	# concat_spl_dtb_helper function - cf. kernel-fitimage.bbclass for more details)
	134	if [ "${SPL_SIGN_ENABLE}" != "1" ] ; then
	135	deployed_uboot_dtb_binary='${DEPLOY_DIR_IMAGE}/${UBOOT_DTB_IMAGE}'
	136	if [ "x${UBOOT_SUFFIX}" = "ximg" -o "x${UBOOT_SUFFIX}" = "xrom" ] && \
	137	[ -e "$deployed_uboot_dtb_binary" ]; then
	138	oe_runmake EXT_DTB=$deployed_uboot_dtb_binary
	139	install ${UBOOT_BINARY} ${DEPLOYDIR}/${UBOOT_IMAGE}
	140	elif [ -e "${DEPLOYDIR}/${UBOOT_NODTB_IMAGE}" -a -e "$deployed_uboot_dtb_binary" ]; then
	141	cd ${DEPLOYDIR}
	142	cat ${UBOOT_NODTB_IMAGE} $deployed_uboot_dtb_binary \| tee ${B}/${CONFIG_B_PATH}/${UBOOT_BINARY} > ${UBOOT_IMAGE}
	143
	144	if [ -n "${UBOOT_CONFIG}" ]
	145	then
	146	i=0
	147	j=0
	148	for config in ${UBOOT_MACHINE}; do
	149	i=$(expr $i + 1);
	150	for type in ${UBOOT_CONFIG}; do
	151	j=$(expr $j + 1);
	152	if [ $j -eq $i ]
	153	then
	154	cp ${UBOOT_IMAGE} ${B}/${CONFIG_B_PATH}/u-boot-$type.${UBOOT_SUFFIX}
	155	fi
	156	done
	157	done
	158	fi
	159	else
	160	bbwarn "Failure while adding public key to u-boot binary. Verified boot won't be available."
	161	fi
	162	fi
	163	}
	164
	165	concat_spl_dtb_helper() {
	166
	167	# We only deploy symlinks to the u-boot-spl.dtb,as the KERNEL_PN will
	168	# be responsible for deploying the real file
	169	if [ -e "${SPL_DIR}/${SPL_DTB_BINARY}" ] ; then
	170	ln -sf ${SPL_DTB_IMAGE} ${DEPLOYDIR}/${SPL_DTB_SYMLINK}
	171	ln -sf ${SPL_DTB_IMAGE} ${DEPLOYDIR}/${SPL_DTB_BINARY}
	172	fi
	173
	174	# Concatenate the SPL nodtb binary and u-boot.dtb
	175	deployed_spl_dtb_binary='${DEPLOY_DIR_IMAGE}/${SPL_DTB_IMAGE}'
	176	if [ -e "${DEPLOYDIR}/${SPL_NODTB_IMAGE}" -a -e "$deployed_spl_dtb_binary" ] ; then
	177	cd ${DEPLOYDIR}
	178	cat ${SPL_NODTB_IMAGE} $deployed_spl_dtb_binary \| tee ${B}/${CONFIG_B_PATH}/${SPL_BINARY} > ${SPL_IMAGE}
	179	else
	180	bbwarn "Failure while adding public key to spl binary. Verified U-Boot boot won't be available."
	181	fi
	182	}
	183
	184
	185	concat_dtb() {
	186	if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${PN}" = "${UBOOT_PN}" -a -n "${UBOOT_DTB_BINARY}" ]; then
	187	mkdir -p ${DEPLOYDIR}
	188	if [ -n "${UBOOT_CONFIG}" ]; then
	189	for config in ${UBOOT_MACHINE}; do
	190	CONFIG_B_PATH="$config"
	191	cd ${B}/$config
	192	concat_dtb_helper
	193	done
	194	else
	195	CONFIG_B_PATH=""
	196	cd ${B}
	197	concat_dtb_helper
	198	fi
	199	fi
	200	}
	201
	202	concat_spl_dtb() {
	203	if [ "${SPL_SIGN_ENABLE}" = "1" -a "${PN}" = "${UBOOT_PN}" -a -n "${SPL_DTB_BINARY}" ]; then
	204	mkdir -p ${DEPLOYDIR}
	205	if [ -n "${UBOOT_CONFIG}" ]; then
	206	for config in ${UBOOT_MACHINE}; do
	207	CONFIG_B_PATH="$config"
	208	cd ${B}/$config
	209	concat_spl_dtb_helper
	210	done
	211	else
	212	CONFIG_B_PATH=""
	213	cd ${B}
	214	concat_spl_dtb_helper
	215	fi
	216	fi
	217	}
	218
	219
	220	# Install UBOOT_DTB_BINARY to datadir, so that kernel can use it for
	221	# signing, and kernel will deploy UBOOT_DTB_BINARY after signs it.
	222	install_helper() {
	223	if [ -f "${UBOOT_DTB_BINARY}" ]; then
	224	# UBOOT_DTB_BINARY is a symlink to UBOOT_DTB_IMAGE, so we
	225	# need both of them.
	226	install -Dm 0644 ${UBOOT_DTB_BINARY} ${D}${datadir}/${UBOOT_DTB_IMAGE}
	227	ln -sf ${UBOOT_DTB_IMAGE} ${D}${datadir}/${UBOOT_DTB_BINARY}
	228	else
	229	bbwarn "${UBOOT_DTB_BINARY} not found"
	230	fi
	231	}
	232
	233	# Install SPL dtb and u-boot nodtb to datadir,
	234	install_spl_helper() {
	235	if [ -f "${SPL_DIR}/${SPL_DTB_BINARY}" ]; then
	236	install -Dm 0644 ${SPL_DIR}/${SPL_DTB_BINARY} ${D}${datadir}/${SPL_DTB_IMAGE}
	237	ln -sf ${SPL_DTB_IMAGE} ${D}${datadir}/${SPL_DTB_BINARY}
	238	else
	239	bbwarn "${SPL_DTB_BINARY} not found"
	240	fi
	241	if [ -f "${UBOOT_NODTB_BINARY}" ] ; then
	242	install -Dm 0644 ${UBOOT_NODTB_BINARY} ${D}${datadir}/${UBOOT_NODTB_IMAGE}
	243	ln -sf ${UBOOT_NODTB_IMAGE} ${D}${datadir}/${UBOOT_NODTB_BINARY}
	244	else
	245	bbwarn "${UBOOT_NODTB_BINARY} not found"
	246	fi
	247
	248	# We need to install a 'stub' u-boot-fitimage + its to datadir,
	249	# so that the KERNEL_PN can use the correct filename when
	250	# assembling and deploying them
	251	touch ${D}/${datadir}/${UBOOT_FITIMAGE_IMAGE}
	252	touch ${D}/${datadir}/${UBOOT_ITS_IMAGE}
	253	}
	254
	255	do_install:append() {
	256	if [ "${PN}" = "${UBOOT_PN}" ]; then
	257	if [ -n "${UBOOT_CONFIG}" ]; then
	258	for config in ${UBOOT_MACHINE}; do
	259	cd ${B}/$config
	260	if [ "${UBOOT_SIGN_ENABLE}" = "1" -o "${UBOOT_FITIMAGE_ENABLE}" = "1" ] && \
	261	[ -n "${UBOOT_DTB_BINARY}" ]; then
	262	install_helper
	263	fi
	264	if [ "${UBOOT_FITIMAGE_ENABLE}" = "1" -a -n "${SPL_DTB_BINARY}" ]; then
	265	install_spl_helper
	266	fi
	267	done
	268	else
	269	cd ${B}
	270	if [ "${UBOOT_SIGN_ENABLE}" = "1" -o "${UBOOT_FITIMAGE_ENABLE}" = "1" ] && \
	271	[ -n "${UBOOT_DTB_BINARY}" ]; then
	272	install_helper
	273	fi
	274	if [ "${UBOOT_FITIMAGE_ENABLE}" = "1" -a -n "${SPL_DTB_BINARY}" ]; then
	275	install_spl_helper
	276	fi
	277	fi
	278	fi
	279	}
	280
	281	do_uboot_generate_rsa_keys() {
	282	if [ "${SPL_SIGN_ENABLE}" = "0" ] && [ "${UBOOT_FIT_GENERATE_KEYS}" = "1" ]; then
	283	bbwarn "UBOOT_FIT_GENERATE_KEYS is set to 1 eventhough SPL_SIGN_ENABLE is set to 0. The keys will not be generated as they won't be used."
	284	fi
	285
	286	if [ "${SPL_SIGN_ENABLE}" = "1" ] && [ "${UBOOT_FIT_GENERATE_KEYS}" = "1" ]; then
	287
	288	# Generate keys only if they don't already exist
	289	if [ ! -f "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".key ] \|\| \
	290	[ ! -f "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".crt ]; then
	291
	292	# make directory if it does not already exist
	293	mkdir -p "${SPL_SIGN_KEYDIR}"
	294
	295	echo "Generating RSA private key for signing U-Boot fitImage"
	296	openssl genrsa ${UBOOT_FIT_KEY_GENRSA_ARGS} -out \
	297	"${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".key \
	298	"${UBOOT_FIT_SIGN_NUMBITS}"
	299
	300	echo "Generating certificate for signing U-Boot fitImage"
	301	openssl req ${FIT_KEY_REQ_ARGS} "${UBOOT_FIT_KEY_SIGN_PKCS}" \
	302	-key "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".key \
	303	-out "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".crt
	304	fi
	305	fi
	306
	307	}
	308
	309	addtask uboot_generate_rsa_keys before do_uboot_assemble_fitimage after do_compile
	310
	311	# Create a ITS file for the U-boot FIT, for use when
	312	# we want to sign it so that the SPL can verify it
	313	uboot_fitimage_assemble() {
	314	uboot_its="$1"
	315	uboot_nodtb_bin="$2"
	316	uboot_dtb="$3"
	317	uboot_bin="$4"
	318	spl_dtb="$5"
	319	uboot_csum="${UBOOT_FIT_HASH_ALG}"
	320	uboot_sign_algo="${UBOOT_FIT_SIGN_ALG}"
	321	uboot_sign_keyname="${SPL_SIGN_KEYNAME}"
	322
	323	rm -f $uboot_its $uboot_bin
	324
	325	# First we create the ITS script
	326	cat << EOF >> $uboot_its
	327	/dts-v1/;
	328
	329	/ {
	330	description = "${UBOOT_FIT_DESC}";
	331	#address-cells = <1>;
	332
	333	images {
	334	uboot {
	335	description = "U-Boot image";
	336	data = /incbin/("$uboot_nodtb_bin");
	337	type = "standalone";
	338	os = "u-boot";
	339	arch = "${UBOOT_ARCH}";
	340	compression = "none";
	341	load = <${UBOOT_LOADADDRESS}>;
	342	entry = <${UBOOT_ENTRYPOINT}>;
	343	EOF
	344
	345	if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
	346	cat << EOF >> $uboot_its
	347	signature {
	348	algo = "$uboot_csum,$uboot_sign_algo";
	349	key-name-hint = "$uboot_sign_keyname";
	350	};
	351	EOF
	352	fi
	353
	354	cat << EOF >> $uboot_its
	355	};
	356	fdt {
	357	description = "U-Boot FDT";
	358	data = /incbin/("$uboot_dtb");
	359	type = "flat_dt";
	360	arch = "${UBOOT_ARCH}";
	361	compression = "none";
	362	EOF
	363
	364	if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
	365	cat << EOF >> $uboot_its
	366	signature {
	367	algo = "$uboot_csum,$uboot_sign_algo";
	368	key-name-hint = "$uboot_sign_keyname";
	369	};
	370	EOF
	371	fi
	372
	373	cat << EOF >> $uboot_its
	374	};
	375	};
	376
	377	configurations {
	378	default = "conf";
	379	conf {
	380	description = "Boot with signed U-Boot FIT";
	381	loadables = "uboot";
	382	fdt = "fdt";
	383	};
	384	};
	385	};
	386	EOF
	387
	388	#
	389	# Assemble the U-boot FIT image
	390	#
	391	${UBOOT_MKIMAGE} \
	392	${@'-D "${SPL_MKIMAGE_DTCOPTS}"' if len('${SPL_MKIMAGE_DTCOPTS}') else ''} \
	393	-f $uboot_its \
	394	$uboot_bin
	395
	396	if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
	397	#
	398	# Sign the U-boot FIT image and add public key to SPL dtb
	399	#
	400	${UBOOT_MKIMAGE_SIGN} \
	401	${@'-D "${SPL_MKIMAGE_DTCOPTS}"' if len('${SPL_MKIMAGE_DTCOPTS}') else ''} \
	402	-F -k "${SPL_SIGN_KEYDIR}" \
	403	-K "$spl_dtb" \
	404	-r $uboot_bin \
	405	${SPL_MKIMAGE_SIGN_ARGS}
	406	fi
	407
	408	}
	409
	410	do_uboot_assemble_fitimage() {
	411	# This function runs in KERNEL_PN context. The reason for that is that we need to
	412	# support the scenario where UBOOT_SIGN_ENABLE is placing the Kernel fitImage's
	413	# pubkey in the u-boot.dtb file, so that we can use it when building the U-Boot
	414	# fitImage itself.
	415	if [ "${UBOOT_FITIMAGE_ENABLE}" = "1" ] && \
	416	[ -n "${SPL_DTB_BINARY}" -a "${PN}" = "${KERNEL_PN}" ] ; then
	417	if [ "${UBOOT_SIGN_ENABLE}" != "1" ]; then
	418	# If we're not signing the Kernel fitImage, that means
	419	# we need to copy the u-boot.dtb from staging ourselves
	420	cp -P ${STAGING_DATADIR}/u-boot*.dtb ${B}
	421	fi
	422	# As we are in the kernel context, we need to copy u-boot-spl.dtb from staging first.
	423	# Unfortunately, need to glob on top of ${SPL_DTB_BINARY} since _IMAGE and _SYMLINK
	424	# will contain U-boot's PV
	425	# Similarly, we need to get the filename for the 'stub' u-boot-fitimage + its in
	426	# staging so that we can use it for creating the image with the correct filename
	427	# in the KERNEL_PN context.
	428	# As for the u-boot.dtb (with fitimage's pubkey), it should come from the dependent
	429	# do_assemble_fitimage task
	430	cp -P ${STAGING_DATADIR}/u-boot-spl*.dtb ${B}
	431	cp -P ${STAGING_DATADIR}/u-boot-nodtb*.bin ${B}
	432	rm -rf ${B}/u-boot-fitImage-* ${B}/u-boot-its-*
	433	kernel_uboot_fitimage_name=`basename ${STAGING_DATADIR}/u-boot-fitImage-*`
	434	kernel_uboot_its_name=`basename ${STAGING_DATADIR}/u-boot-its-*`
	435	cd ${B}
	436	uboot_fitimage_assemble $kernel_uboot_its_name ${UBOOT_NODTB_BINARY} \
	437	${UBOOT_DTB_BINARY} $kernel_uboot_fitimage_name \
	438	${SPL_DTB_BINARY}
	439	fi
	440	}
	441
	442	addtask uboot_assemble_fitimage before do_deploy after do_compile
	443
	444	do_deploy:prepend:pn-${UBOOT_PN}() {
	445	if [ "${UBOOT_SIGN_ENABLE}" = "1" -a -n "${UBOOT_DTB_BINARY}" ] ; then
	446	concat_dtb
	447	fi
	448
	449	if [ "${UBOOT_FITIMAGE_ENABLE}" = "1" ] ; then
	450	# Deploy the u-boot-nodtb binary and symlinks...
	451	if [ -f "${SPL_DIR}/${SPL_NODTB_BINARY}" ] ; then
	452	echo "Copying u-boot-nodtb binary..."
	453	install -m 0644 ${SPL_DIR}/${SPL_NODTB_BINARY} ${DEPLOYDIR}/${SPL_NODTB_IMAGE}
	454	ln -sf ${SPL_NODTB_IMAGE} ${DEPLOYDIR}/${SPL_NODTB_SYMLINK}
	455	ln -sf ${SPL_NODTB_IMAGE} ${DEPLOYDIR}/${SPL_NODTB_BINARY}
	456	fi
	457
	458
	459	# We only deploy the symlinks to the uboot-fitImage and uboot-its
	460	# images, as the KERNEL_PN will take care of deploying the real file
	461	ln -sf ${UBOOT_FITIMAGE_IMAGE} ${DEPLOYDIR}/${UBOOT_FITIMAGE_BINARY}
	462	ln -sf ${UBOOT_FITIMAGE_IMAGE} ${DEPLOYDIR}/${UBOOT_FITIMAGE_SYMLINK}
	463	ln -sf ${UBOOT_ITS_IMAGE} ${DEPLOYDIR}/${UBOOT_ITS}
	464	ln -sf ${UBOOT_ITS_IMAGE} ${DEPLOYDIR}/${UBOOT_ITS_SYMLINK}
	465	fi
	466
	467	if [ "${SPL_SIGN_ENABLE}" = "1" -a -n "${SPL_DTB_BINARY}" ] ; then
	468	concat_spl_dtb
	469	fi
	470
	471
	472	}
	473
	474	do_deploy:append:pn-${UBOOT_PN}() {
	475	# If we're creating a u-boot fitImage, point u-boot.bin
	476	# symlink since it might get used by image recipes
	477	if [ "${UBOOT_FITIMAGE_ENABLE}" = "1" ] ; then
	478	ln -sf ${UBOOT_FITIMAGE_IMAGE} ${DEPLOYDIR}/${UBOOT_BINARY}
	479	ln -sf ${UBOOT_FITIMAGE_IMAGE} ${DEPLOYDIR}/${UBOOT_SYMLINK}
	480	fi
	481	}
	482
	483	python () {
	484	if ( (d.getVar('UBOOT_SIGN_ENABLE') == '1'
	485	or d.getVar('UBOOT_FITIMAGE_ENABLE') == '1')
	486	and d.getVar('PN') == d.getVar('UBOOT_PN')
	487	and d.getVar('UBOOT_DTB_BINARY')):
	488
	489	# Make "bitbake u-boot -cdeploy" deploys the signed u-boot.dtb
	490	# and/or the U-Boot fitImage
	491	d.appendVarFlag('do_deploy', 'depends', ' %s:do_deploy' % d.getVar('KERNEL_PN'))
	492
	493	if d.getVar('UBOOT_FITIMAGE_ENABLE') == '1' and d.getVar('PN') == d.getVar('KERNEL_PN'):
	494	# As the U-Boot fitImage is created by the KERNEL_PN, we need
	495	# to make sure that the u-boot-spl.dtb and u-boot-spl-nodtb.bin
	496	# files are in the staging dir for it's use
	497	d.appendVarFlag('do_uboot_assemble_fitimage', 'depends', ' %s:do_populate_sysroot' % d.getVar('UBOOT_PN'))
	498
	499	# If the Kernel fitImage is being signed, we need to
	500	# create the U-Boot fitImage after it
	501	if d.getVar('UBOOT_SIGN_ENABLE') == '1':
	502	d.appendVarFlag('do_uboot_assemble_fitimage', 'depends', ' %s:do_assemble_fitimage' % d.getVar('KERNEL_PN'))
	503	d.appendVarFlag('do_uboot_assemble_fitimage', 'depends', ' %s:do_assemble_fitimage_initramfs' % d.getVar('KERNEL_PN'))
	504
	505	}