1 files changed, 213 insertions, 51 deletions
diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass
index c8e097f2f2..0f387a3a3e 100644
--- a/meta/classes-recipe/uboot-sign.bbclass
+++ b/meta/classes-recipe/uboot-sign.bbclass
@@ -26,6 +26,7 @@
 # We need some variables from u-boot-config
 inherit uboot-config
+require conf/image-fitimage.conf
 # Enable use of a U-Boot fitImage
 UBOOT_FITIMAGE_ENABLE ?= "0"
@@ -49,6 +50,8 @@ UBOOT_FITIMAGE_BINARY ?= "u-boot-fitImage"
 UBOOT_FITIMAGE_SYMLINK ?= "u-boot-fitImage-${MACHINE}"
 SPL_DIR ?= "spl"
 SPL_DTB_IMAGE ?= "u-boot-spl-${MACHINE}-${PV}-${PR}.dtb"
+# When SPL is not used, set SPL_DTB_BINARY ?= "" to explicitly indicate
+# that no SPL DTB should be created or signed.
 SPL_DTB_BINARY ?= "u-boot-spl.dtb"
 SPL_DTB_SIGNED ?= "${SPL_DTB_BINARY}-signed"
 SPL_DTB_SYMLINK ?= "u-boot-spl-${MACHINE}.dtb"
@@ -85,19 +88,40 @@ UBOOT_FIT_KEY_SIGN_PKCS ?= "-x509"
 # ex: 1 32bits address, 2 64bits address
 UBOOT_FIT_ADDRESS_CELLS ?= "1"
-# This is only necessary for determining the signing configuration
+# ARM Trusted Firmware(ATF) is a reference implementation of secure world
-KERNEL_PN = "${PREFERRED_PROVIDER_virtual/kernel}"
+# software for Arm A-Profile architectures, (Armv8-A and Armv7-A), including
+# an Exception Level 3 (EL3) Secure Monitor.
+UBOOT_FIT_ARM_TRUSTED_FIRMWARE ?= "0"
+UBOOT_FIT_ARM_TRUSTED_FIRMWARE_IMAGE ?= "bl31.bin"
+# A Trusted Execution Environment(TEE) is an environment for executing code,
+# in which those executing the code can have high levels of trust in the asset
+# management of that surrounding environment.
+UBOOT_FIT_TEE ?= "0"
+UBOOT_FIT_TEE_IMAGE ?= "tee-raw.bin"
+# User specific settings
+UBOOT_FIT_USER_SETTINGS ?= ""
+# Sets the firmware property to select the image to boot first.
+# If not set, the first entry in "loadables" is used instead.
+UBOOT_FIT_CONF_FIRMWARE ?= ""
+# Unit name containing a list of users additional binaries to be loaded.
+# It is a comma-separated list of strings.
+UBOOT_FIT_CONF_USER_LOADABLES ?= ''
 UBOOT_FIT_UBOOT_LOADADDRESS ?= "${UBOOT_LOADADDRESS}"
 UBOOT_FIT_UBOOT_ENTRYPOINT ?= "${UBOOT_ENTRYPOINT}"
+DEPENDS:append = " ${@'kernel-signing-keys-native' if d.getVar('FIT_GENERATE_KEYS') == '1' else ''}"
 python() {
    # We need u-boot-tools-native if we're creating a U-Boot fitImage
    sign = d.getVar('UBOOT_SIGN_ENABLE') == '1'
    if d.getVar('UBOOT_FITIMAGE_ENABLE') == '1' or sign:
        d.appendVar('DEPENDS', " u-boot-tools-native dtc-native")
-    if sign:
-        d.appendVar('DEPENDS', " " + d.getVar('KERNEL_PN'))
 }
 concat_dtb() {
@@ -105,38 +129,92 @@ concat_dtb() {
        binary="$2"
        if [ -e "${UBOOT_DTB_BINARY}" ]; then
-                # Re-sign the kernel in order to add the keys to our dtb
+                # Signing individual images is not recommended as that
+                # makes fitImage susceptible to mix-and-match attack.
+                #
+                # OE FIT_SIGN_INDIVIDUAL is implemented in an unusual manner,
+                # where the resulting signed fitImage contains both signed
+                # images and signed configurations. This is redundant. In
+                # order to prevent mix-and-match attack, it is sufficient
+                # to sign configurations. The FIT_SIGN_INDIVIDUAL = "1"
+                # support is kept to avoid breakage of existing layers, but
+                # it is highly recommended to avoid FIT_SIGN_INDIVIDUAL = "1",
+                # i.e. set FIT_SIGN_INDIVIDUAL = "0" .
+                if [ "${FIT_SIGN_INDIVIDUAL}" = "1" ] ; then
+                        # Sign dummy image images in order to
+                        # add the image signing keys to our dtb
+                        ${UBOOT_MKIMAGE_SIGN} \
+                                ${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
+                                -f auto \
+                                -k "${UBOOT_SIGN_KEYDIR}" \
+                                -o "${FIT_HASH_ALG},${FIT_SIGN_ALG}" \
+                                -g "${UBOOT_SIGN_IMG_KEYNAME}" \
+                                -K "${UBOOT_DTB_BINARY}" \
+                                -d /dev/null \
+                                -r ${B}/unused.itb \
+                                ${UBOOT_MKIMAGE_SIGN_ARGS}
+                fi
+                # Sign dummy image configurations in order to
+                # add the configuration signing keys to our dtb
                ${UBOOT_MKIMAGE_SIGN} \
                        ${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
-                        -F -k "${UBOOT_SIGN_KEYDIR}" \
+                        -f auto-conf \
+                        -k "${UBOOT_SIGN_KEYDIR}" \
+                        -o "${FIT_HASH_ALG},${FIT_SIGN_ALG}" \
+                        -g "${UBOOT_SIGN_KEYNAME}" \
                        -K "${UBOOT_DTB_BINARY}" \
-                        -r ${B}/fitImage-linux \
+                        -d /dev/null \
+                        -r ${B}/unused.itb \
                        ${UBOOT_MKIMAGE_SIGN_ARGS}
-                # Verify the kernel image and u-boot dtb
-                ${UBOOT_FIT_CHECK_SIGN} \
+                # Verify the dummy fitImage signature against u-boot.dtb
-                        -k "${UBOOT_DTB_BINARY}" \
+                # augmented using public key material.
-                        -f ${B}/fitImage-linux
+                #
+                # This only works for FIT_SIGN_INDIVIDUAL = "0", because
+                # mkimage -f auto-conf does not support -F to extend the
+                # existing unused.itb , and instead rewrites unused.itb
+                # from scratch.
+                #
+                # Using two separate unused.itb for mkimage -f auto and
+                # mkimage -f auto-conf invocation above would not help, as
+                # the signature verification process below checks whether
+                # all keys inserted into u-boot.dtb /signature node pass
+                # the verification. Separate unused.itb would each miss one
+                # of the signatures.
+                #
+                # The FIT_SIGN_INDIVIDUAL = "1" support is kept to avoid
+                # breakage of existing layers, but it is highly recommended
+                # to not use FIT_SIGN_INDIVIDUAL = "1", i.e. set
+                # FIT_SIGN_INDIVIDUAL = "0" .
+                if [ "${FIT_SIGN_INDIVIDUAL}" != "1" ] ; then
+                        ${UBOOT_FIT_CHECK_SIGN} \
+                                -k "${UBOOT_DTB_BINARY}" \
+                                -f ${B}/unused.itb
+                fi
                cp ${UBOOT_DTB_BINARY} ${UBOOT_DTB_SIGNED}
        fi
        # If we're not using a signed u-boot fit, concatenate SPL w/o DTB & U-Boot DTB
        # with public key (otherwise U-Boot will be packaged by uboot_fitimage_assemble)
        if [ "${SPL_SIGN_ENABLE}" != "1" ] ; then
-                if [ "x${UBOOT_SUFFIX}" = "ximg" -o "x${UBOOT_SUFFIX}" = "xrom" ] && \
+                if [ ! -e "${UBOOT_DTB_BINARY}" ]; then
-                        [ -e "${UBOOT_DTB_BINARY}" ]; then
+                        bbwarn "Failure while adding public key to u-boot binary. Verified boot won't be available."
+                        return
+                fi
+                if [ "x${UBOOT_SUFFIX}" = "ximg" ] || [ "x${UBOOT_SUFFIX}" = "xrom" ]; then
                        oe_runmake EXT_DTB="${UBOOT_DTB_SIGNED}" ${UBOOT_MAKE_TARGET}
                        if [ -n "${binary}" ]; then
                                cp ${binary} ${UBOOT_BINARYNAME}-${type}.${UBOOT_SUFFIX}
                        fi
-                elif [ -e "${UBOOT_NODTB_BINARY}" -a -e "${UBOOT_DTB_BINARY}" ]; then
+                elif [ -e "${UBOOT_NODTB_BINARY}" ]; then
                        if [ -n "${binary}" ]; then
                                cat ${UBOOT_NODTB_BINARY} ${UBOOT_DTB_SIGNED} | tee ${binary} > \
                                        ${UBOOT_BINARYNAME}-${type}.${UBOOT_SUFFIX}
                        else
                                cat ${UBOOT_NODTB_BINARY} ${UBOOT_DTB_SIGNED} > ${UBOOT_BINARY}
                        fi
-                else
-                        bbwarn "Failure while adding public key to u-boot binary. Verified boot won't be available."
                fi
        fi
 }
@@ -168,7 +246,7 @@ deploy_dtb() {
 }
 concat_spl_dtb() {
-        if [ -e "${SPL_DIR}/${SPL_NODTB_BINARY}" -a -e "${SPL_DIR}/${SPL_DTB_BINARY}" ] ; then
+        if [ -e "${SPL_DIR}/${SPL_NODTB_BINARY}" ] && [ -e "${SPL_DIR}/${SPL_DTB_BINARY}" ] ; then
                cat ${SPL_DIR}/${SPL_NODTB_BINARY} ${SPL_DIR}/${SPL_DTB_SIGNED} > "${SPL_BINARY}"
        else
                bbwarn "Failure while adding public key to spl binary. Verified U-Boot boot won't be available."
@@ -234,9 +312,65 @@ do_uboot_generate_rsa_keys() {
 addtask uboot_generate_rsa_keys before do_uboot_assemble_fitimage after do_compile
+# Create a ITS file for the atf
+uboot_fitimage_atf() {
+        cat << EOF >> ${UBOOT_ITS}
+        atf {
+            description = "ARM Trusted Firmware";
+            data = /incbin/("${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_IMAGE}");
+            type = "firmware";
+            arch = "${UBOOT_ARCH}";
+            os = "arm-trusted-firmware";
+            load = <${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_LOADADDRESS}>;
+            entry = <${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_ENTRYPOINT}>;
+            compression = "none";
+EOF
+        if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
+                cat << EOF >> ${UBOOT_ITS}
+            signature {
+                algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}";
+                key-name-hint = "${SPL_SIGN_KEYNAME}";
+            };
+EOF
+        fi
+        cat << EOF >> ${UBOOT_ITS}
+        };
+EOF
+}
+# Create a ITS file for the tee
+uboot_fitimage_tee() {
+        cat << EOF >> ${UBOOT_ITS}
+        tee {
+            description = "Trusted Execution Environment";
+            data = /incbin/("${UBOOT_FIT_TEE_IMAGE}");
+            type = "tee";
+            arch = "${UBOOT_ARCH}";
+            os = "tee";
+            load = <${UBOOT_FIT_TEE_LOADADDRESS}>;
+            entry = <${UBOOT_FIT_TEE_ENTRYPOINT}>;
+            compression = "none";
+EOF
+        if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
+                cat << EOF >> ${UBOOT_ITS}
+            signature {
+                algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}";
+                key-name-hint = "${SPL_SIGN_KEYNAME}";
+            };
+EOF
+        fi
+        cat << EOF >> ${UBOOT_ITS}
+        };
+EOF
+}
 # Create a ITS file for the U-boot FIT, for use when
 # we want to sign it so that the SPL can verify it
 uboot_fitimage_assemble() {
+        conf_loadables="\"uboot\""
+        conf_firmware=""
        rm -f ${UBOOT_ITS} ${UBOOT_FITIMAGE_BINARY}
        # First we create the ITS script
@@ -289,13 +423,38 @@ EOF
        cat << EOF >> ${UBOOT_ITS}
        };
+EOF
+        if [ "${UBOOT_FIT_TEE}" = "1" ] ; then
+                conf_loadables="\"tee\", ${conf_loadables}"
+                uboot_fitimage_tee
+        fi
+        if [ "${UBOOT_FIT_ARM_TRUSTED_FIRMWARE}" = "1" ] ; then
+                conf_loadables="\"atf\", ${conf_loadables}"
+                uboot_fitimage_atf
+        fi
+        if [ -n "${UBOOT_FIT_USER_SETTINGS}" ] ; then
+                printf "%b" "${UBOOT_FIT_USER_SETTINGS}" >> ${UBOOT_ITS}
+        fi
+        if [ -n "${UBOOT_FIT_CONF_USER_LOADABLES}" ] ; then
+                conf_loadables="${conf_loadables}${UBOOT_FIT_CONF_USER_LOADABLES}"
+        fi
+        if [ -n "${UBOOT_FIT_CONF_FIRMWARE}" ] ; then
+                conf_firmware="firmware = \"${UBOOT_FIT_CONF_FIRMWARE}\";"
+        fi
+        cat << EOF >> ${UBOOT_ITS}
    };
    configurations {
        default = "conf";
        conf {
            description = "Boot with signed U-Boot FIT";
-            loadables = "uboot";
+            ${conf_firmware}
+            loadables = ${conf_loadables};
            fdt = "fdt";
        };
    };
@@ -311,25 +470,31 @@ EOF
                ${UBOOT_FITIMAGE_BINARY}
        if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
-                #
+                if [ -n "${SPL_DTB_BINARY}" ] ; then
-                # Sign the U-boot FIT image and add public key to SPL dtb
+                        #
-                #
+                        # Sign the U-boot FIT image and add public key to SPL dtb
-                ${UBOOT_MKIMAGE_SIGN} \
+                        #
-                        ${@'-D "${SPL_MKIMAGE_DTCOPTS}"' if len('${SPL_MKIMAGE_DTCOPTS}') else ''} \
+                        ${UBOOT_MKIMAGE_SIGN} \
-                        -F -k "${SPL_SIGN_KEYDIR}" \
+                                ${@'-D "${SPL_MKIMAGE_DTCOPTS}"' if len('${SPL_MKIMAGE_DTCOPTS}') else ''} \
-                        -K "${SPL_DIR}/${SPL_DTB_BINARY}" \
+                                -F -k "${SPL_SIGN_KEYDIR}" \
-                        -r ${UBOOT_FITIMAGE_BINARY} \
+                                -K "${SPL_DIR}/${SPL_DTB_BINARY}" \
-                        ${SPL_MKIMAGE_SIGN_ARGS}
+                                -r ${UBOOT_FITIMAGE_BINARY} \
-                #
+                                ${SPL_MKIMAGE_SIGN_ARGS}
-                # Verify the U-boot FIT image and SPL dtb
-                #
+                        # Verify the U-boot FIT image and SPL dtb
-                ${UBOOT_FIT_CHECK_SIGN} \
+                        ${UBOOT_FIT_CHECK_SIGN} \
-                        -k "${SPL_DIR}/${SPL_DTB_BINARY}" \
+                                -k "${SPL_DIR}/${SPL_DTB_BINARY}" \
-                        -f ${UBOOT_FITIMAGE_BINARY}
+                                -f ${UBOOT_FITIMAGE_BINARY}
-        fi
+                        cp ${SPL_DIR}/${SPL_DTB_BINARY} ${SPL_DIR}/${SPL_DTB_SIGNED}
-        if [ -e "${SPL_DIR}/${SPL_DTB_BINARY}" ]; then
+                else
-                cp ${SPL_DIR}/${SPL_DTB_BINARY} ${SPL_DIR}/${SPL_DTB_SIGNED}
+                        # Sign the U-boot FIT image
+                        ${UBOOT_MKIMAGE_SIGN} \
+                                ${@'-D "${SPL_MKIMAGE_DTCOPTS}"' if len('${SPL_MKIMAGE_DTCOPTS}') else ''} \
+                                -F -k "${SPL_SIGN_KEYDIR}" \
+                                -r ${UBOOT_FITIMAGE_BINARY} \
+                                ${SPL_MKIMAGE_SIGN_ARGS}
+                fi
        fi
 }
@@ -337,27 +502,24 @@ uboot_assemble_fitimage_helper() {
        type="$1"
        binary="$2"
-        if [ "${UBOOT_SIGN_ENABLE}" = "1" -a -n "${UBOOT_DTB_BINARY}" ] ; then
+        if [ "${UBOOT_SIGN_ENABLE}" = "1" ] && [ -n "${UBOOT_DTB_BINARY}" ] ; then
-                concat_dtb $type $binary
+                concat_dtb "$type" "$binary"
        fi
-        if [ "${UBOOT_FITIMAGE_ENABLE}" = "1" -a -n "${SPL_DTB_BINARY}" ]; then
+        if [ "${UBOOT_FITIMAGE_ENABLE}" = "1" ]; then
                uboot_fitimage_assemble
        fi
-        if [ "${SPL_SIGN_ENABLE}" = "1" -a -n "${SPL_DTB_BINARY}" ] ; then
+        if [ "${SPL_SIGN_ENABLE}" = "1" ] && [ -n "${SPL_DTB_BINARY}" ] ; then
                concat_spl_dtb
        fi
 }
 do_uboot_assemble_fitimage() {
-        if [ "${UBOOT_SIGN_ENABLE}" = "1" ] ; then
-                cp "${STAGING_DIR_HOST}/sysroot-only/fitImage" "${B}/fitImage-linux"
-        fi
        if [ -n "${UBOOT_CONFIG}" ]; then
-                unset i j k
+                unset i
                for config in ${UBOOT_MACHINE}; do
+                        unset j k
                        i=$(expr $i + 1);
                        for type in ${UBOOT_CONFIG}; do
                                j=$(expr $j + 1);
@@ -387,11 +549,11 @@ addtask uboot_assemble_fitimage before do_install do_deploy after do_compile
 deploy_helper() {
        type="$1"
-        if [ "${UBOOT_SIGN_ENABLE}" = "1" -a -n "${UBOOT_DTB_SIGNED}" ] ; then
+        if [ "${UBOOT_SIGN_ENABLE}" = "1" ] && [ -n "${UBOOT_DTB_SIGNED}" ] ; then
                deploy_dtb $type
        fi
-        if [ "${UBOOT_FITIMAGE_ENABLE}" = "1" -a -n "${SPL_DTB_BINARY}" ]; then
+        if [ "${UBOOT_FITIMAGE_ENABLE}" = "1" ]; then
                if [ -n "${type}" ]; then
                        uboot_its_image="u-boot-its-${type}-${PV}-${PR}"
                        uboot_fitimage_image="u-boot-fitImage-${type}-${PV}-${PR}"
@@ -409,7 +571,7 @@ deploy_helper() {
                fi
        fi
-        if [ "${SPL_SIGN_ENABLE}" = "1" -a -n "${SPL_DTB_SIGNED}" ] ; then
+        if [ "${SPL_SIGN_ENABLE}" = "1" ] && [ -n "${SPL_DTB_BINARY}" ] ; then
                deploy_spl_dtb $type
        fi
 }
@@ -434,7 +596,7 @@ do_deploy:prepend() {
                deploy_helper ""
        fi
-        if [ "${UBOOT_SIGN_ENABLE}" = "1" -a -n "${UBOOT_DTB_BINARY}" ] ; then
+        if [ "${UBOOT_SIGN_ENABLE}" = "1" ] && [ -n "${UBOOT_DTB_BINARY}" ] ; then
                ln -sf ${UBOOT_DTB_IMAGE} ${DEPLOYDIR}/${UBOOT_DTB_BINARY}
                ln -sf ${UBOOT_DTB_IMAGE} ${DEPLOYDIR}/${UBOOT_DTB_SYMLINK}
                ln -sf ${UBOOT_NODTB_IMAGE} ${DEPLOYDIR}/${UBOOT_NODTB_SYMLINK}
@@ -448,7 +610,7 @@ do_deploy:prepend() {
                ln -sf ${UBOOT_FITIMAGE_IMAGE} ${DEPLOYDIR}/${UBOOT_FITIMAGE_SYMLINK}
        fi
-        if [ "${SPL_SIGN_ENABLE}" = "1" -a -n "${SPL_DTB_BINARY}" ] ; then
+        if [ "${SPL_SIGN_ENABLE}" = "1" ] && [ -n "${SPL_DTB_BINARY}" ] ; then
                ln -sf ${SPL_DTB_IMAGE} ${DEPLOYDIR}/${SPL_DTB_SYMLINK}
                ln -sf ${SPL_DTB_IMAGE} ${DEPLOYDIR}/${SPL_DTB_BINARY}
                ln -sf ${SPL_NODTB_IMAGE} ${DEPLOYDIR}/${SPL_NODTB_SYMLINK}

diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass index c8e097f2f2..0f387a3a3e 100644 --- a/meta/classes-recipe/uboot-sign.bbclass +++ b/meta/classes-recipe/uboot-sign.bbclass
@@ -26,6 +26,7 @@
26		26
27	# We need some variables from u-boot-config	27	# We need some variables from u-boot-config
28	inherit uboot-config	28	inherit uboot-config
		29	require conf/image-fitimage.conf
29		30
30	# Enable use of a U-Boot fitImage	31	# Enable use of a U-Boot fitImage
31	UBOOT_FITIMAGE_ENABLE ?= "0"	32	UBOOT_FITIMAGE_ENABLE ?= "0"
@@ -49,6 +50,8 @@ UBOOT_FITIMAGE_BINARY ?= "u-boot-fitImage"
49	UBOOT_FITIMAGE_SYMLINK ?= "u-boot-fitImage-${MACHINE}"	50	UBOOT_FITIMAGE_SYMLINK ?= "u-boot-fitImage-${MACHINE}"
50	SPL_DIR ?= "spl"	51	SPL_DIR ?= "spl"
51	SPL_DTB_IMAGE ?= "u-boot-spl-${MACHINE}-${PV}-${PR}.dtb"	52	SPL_DTB_IMAGE ?= "u-boot-spl-${MACHINE}-${PV}-${PR}.dtb"
		53	# When SPL is not used, set SPL_DTB_BINARY ?= "" to explicitly indicate
		54	# that no SPL DTB should be created or signed.
52	SPL_DTB_BINARY ?= "u-boot-spl.dtb"	55	SPL_DTB_BINARY ?= "u-boot-spl.dtb"
53	SPL_DTB_SIGNED ?= "${SPL_DTB_BINARY}-signed"	56	SPL_DTB_SIGNED ?= "${SPL_DTB_BINARY}-signed"
54	SPL_DTB_SYMLINK ?= "u-boot-spl-${MACHINE}.dtb"	57	SPL_DTB_SYMLINK ?= "u-boot-spl-${MACHINE}.dtb"
@@ -85,19 +88,40 @@ UBOOT_FIT_KEY_SIGN_PKCS ?= "-x509"
85	# ex: 1 32bits address, 2 64bits address	88	# ex: 1 32bits address, 2 64bits address
86	UBOOT_FIT_ADDRESS_CELLS ?= "1"	89	UBOOT_FIT_ADDRESS_CELLS ?= "1"
87		90
88	# This is only necessary for determining the signing configuration	91	# ARM Trusted Firmware(ATF) is a reference implementation of secure world
89	KERNEL_PN = "${PREFERRED_PROVIDER_virtual/kernel}"	92	# software for Arm A-Profile architectures, (Armv8-A and Armv7-A), including
		93	# an Exception Level 3 (EL3) Secure Monitor.
		94	UBOOT_FIT_ARM_TRUSTED_FIRMWARE ?= "0"
		95	UBOOT_FIT_ARM_TRUSTED_FIRMWARE_IMAGE ?= "bl31.bin"
		96
		97	# A Trusted Execution Environment(TEE) is an environment for executing code,
		98	# in which those executing the code can have high levels of trust in the asset
		99	# management of that surrounding environment.
		100	UBOOT_FIT_TEE ?= "0"
		101	UBOOT_FIT_TEE_IMAGE ?= "tee-raw.bin"
		102
		103	# User specific settings
		104	UBOOT_FIT_USER_SETTINGS ?= ""
		105
		106	# Sets the firmware property to select the image to boot first.
		107	# If not set, the first entry in "loadables" is used instead.
		108	UBOOT_FIT_CONF_FIRMWARE ?= ""
		109
		110	# Unit name containing a list of users additional binaries to be loaded.
		111	# It is a comma-separated list of strings.
		112	UBOOT_FIT_CONF_USER_LOADABLES ?= ''
90		113
91	UBOOT_FIT_UBOOT_LOADADDRESS ?= "${UBOOT_LOADADDRESS}"	114	UBOOT_FIT_UBOOT_LOADADDRESS ?= "${UBOOT_LOADADDRESS}"
92	UBOOT_FIT_UBOOT_ENTRYPOINT ?= "${UBOOT_ENTRYPOINT}"	115	UBOOT_FIT_UBOOT_ENTRYPOINT ?= "${UBOOT_ENTRYPOINT}"
93		116
		117
		118	DEPENDS:append = " ${@'kernel-signing-keys-native' if d.getVar('FIT_GENERATE_KEYS') == '1' else ''}"
		119
94	python() {	120	python() {
95	# We need u-boot-tools-native if we're creating a U-Boot fitImage	121	# We need u-boot-tools-native if we're creating a U-Boot fitImage
96	sign = d.getVar('UBOOT_SIGN_ENABLE') == '1'	122	sign = d.getVar('UBOOT_SIGN_ENABLE') == '1'
97	if d.getVar('UBOOT_FITIMAGE_ENABLE') == '1' or sign:	123	if d.getVar('UBOOT_FITIMAGE_ENABLE') == '1' or sign:
98	d.appendVar('DEPENDS', " u-boot-tools-native dtc-native")	124	d.appendVar('DEPENDS', " u-boot-tools-native dtc-native")
99	if sign:
100	d.appendVar('DEPENDS', " " + d.getVar('KERNEL_PN'))
101	}	125	}
102		126
103	concat_dtb() {	127	concat_dtb() {
@@ -105,38 +129,92 @@ concat_dtb() {
105	binary="$2"	129	binary="$2"
106		130
107	if [ -e "${UBOOT_DTB_BINARY}" ]; then	131	if [ -e "${UBOOT_DTB_BINARY}" ]; then
108	# Re-sign the kernel in order to add the keys to our dtb	132	# Signing individual images is not recommended as that
		133	# makes fitImage susceptible to mix-and-match attack.
		134	#
		135	# OE FIT_SIGN_INDIVIDUAL is implemented in an unusual manner,
		136	# where the resulting signed fitImage contains both signed
		137	# images and signed configurations. This is redundant. In
		138	# order to prevent mix-and-match attack, it is sufficient
		139	# to sign configurations. The FIT_SIGN_INDIVIDUAL = "1"
		140	# support is kept to avoid breakage of existing layers, but
		141	# it is highly recommended to avoid FIT_SIGN_INDIVIDUAL = "1",
		142	# i.e. set FIT_SIGN_INDIVIDUAL = "0" .
		143	if [ "${FIT_SIGN_INDIVIDUAL}" = "1" ] ; then
		144	# Sign dummy image images in order to
		145	# add the image signing keys to our dtb
		146	${UBOOT_MKIMAGE_SIGN} \
		147	${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
		148	-f auto \
		149	-k "${UBOOT_SIGN_KEYDIR}" \
		150	-o "${FIT_HASH_ALG},${FIT_SIGN_ALG}" \
		151	-g "${UBOOT_SIGN_IMG_KEYNAME}" \
		152	-K "${UBOOT_DTB_BINARY}" \
		153	-d /dev/null \
		154	-r ${B}/unused.itb \
		155	${UBOOT_MKIMAGE_SIGN_ARGS}
		156	fi
		157
		158	# Sign dummy image configurations in order to
		159	# add the configuration signing keys to our dtb
109	${UBOOT_MKIMAGE_SIGN} \	160	${UBOOT_MKIMAGE_SIGN} \
110	${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \	161	${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
111	-F -k "${UBOOT_SIGN_KEYDIR}" \	162	-f auto-conf \
		163	-k "${UBOOT_SIGN_KEYDIR}" \
		164	-o "${FIT_HASH_ALG},${FIT_SIGN_ALG}" \
		165	-g "${UBOOT_SIGN_KEYNAME}" \
112	-K "${UBOOT_DTB_BINARY}" \	166	-K "${UBOOT_DTB_BINARY}" \
113	-r ${B}/fitImage-linux \	167	-d /dev/null \
		168	-r ${B}/unused.itb \
114	${UBOOT_MKIMAGE_SIGN_ARGS}	169	${UBOOT_MKIMAGE_SIGN_ARGS}
115	# Verify the kernel image and u-boot dtb	170
116	${UBOOT_FIT_CHECK_SIGN} \	171	# Verify the dummy fitImage signature against u-boot.dtb
117	-k "${UBOOT_DTB_BINARY}" \	172	# augmented using public key material.
118	-f ${B}/fitImage-linux	173	#
		174	# This only works for FIT_SIGN_INDIVIDUAL = "0", because
		175	# mkimage -f auto-conf does not support -F to extend the
		176	# existing unused.itb , and instead rewrites unused.itb
		177	# from scratch.
		178	#
		179	# Using two separate unused.itb for mkimage -f auto and
		180	# mkimage -f auto-conf invocation above would not help, as
		181	# the signature verification process below checks whether
		182	# all keys inserted into u-boot.dtb /signature node pass
		183	# the verification. Separate unused.itb would each miss one
		184	# of the signatures.
		185	#
		186	# The FIT_SIGN_INDIVIDUAL = "1" support is kept to avoid
		187	# breakage of existing layers, but it is highly recommended
		188	# to not use FIT_SIGN_INDIVIDUAL = "1", i.e. set
		189	# FIT_SIGN_INDIVIDUAL = "0" .
		190	if [ "${FIT_SIGN_INDIVIDUAL}" != "1" ] ; then
		191	${UBOOT_FIT_CHECK_SIGN} \
		192	-k "${UBOOT_DTB_BINARY}" \
		193	-f ${B}/unused.itb
		194	fi
119	cp ${UBOOT_DTB_BINARY} ${UBOOT_DTB_SIGNED}	195	cp ${UBOOT_DTB_BINARY} ${UBOOT_DTB_SIGNED}
120	fi	196	fi
121		197
122	# If we're not using a signed u-boot fit, concatenate SPL w/o DTB & U-Boot DTB	198	# If we're not using a signed u-boot fit, concatenate SPL w/o DTB & U-Boot DTB
123	# with public key (otherwise U-Boot will be packaged by uboot_fitimage_assemble)	199	# with public key (otherwise U-Boot will be packaged by uboot_fitimage_assemble)
124	if [ "${SPL_SIGN_ENABLE}" != "1" ] ; then	200	if [ "${SPL_SIGN_ENABLE}" != "1" ] ; then
125	if [ "x${UBOOT_SUFFIX}" = "ximg" -o "x${UBOOT_SUFFIX}" = "xrom" ] && \	201	if [ ! -e "${UBOOT_DTB_BINARY}" ]; then
126	[ -e "${UBOOT_DTB_BINARY}" ]; then	202	bbwarn "Failure while adding public key to u-boot binary. Verified boot won't be available."
		203	return
		204	fi
		205
		206	if [ "x${UBOOT_SUFFIX}" = "ximg" ] \|\| [ "x${UBOOT_SUFFIX}" = "xrom" ]; then
127	oe_runmake EXT_DTB="${UBOOT_DTB_SIGNED}" ${UBOOT_MAKE_TARGET}	207	oe_runmake EXT_DTB="${UBOOT_DTB_SIGNED}" ${UBOOT_MAKE_TARGET}
128	if [ -n "${binary}" ]; then	208	if [ -n "${binary}" ]; then
129	cp ${binary} ${UBOOT_BINARYNAME}-${type}.${UBOOT_SUFFIX}	209	cp ${binary} ${UBOOT_BINARYNAME}-${type}.${UBOOT_SUFFIX}
130	fi	210	fi
131	elif [ -e "${UBOOT_NODTB_BINARY}" -a -e "${UBOOT_DTB_BINARY}" ]; then	211	elif [ -e "${UBOOT_NODTB_BINARY}" ]; then
132	if [ -n "${binary}" ]; then	212	if [ -n "${binary}" ]; then
133	cat ${UBOOT_NODTB_BINARY} ${UBOOT_DTB_SIGNED} \| tee ${binary} > \	213	cat ${UBOOT_NODTB_BINARY} ${UBOOT_DTB_SIGNED} \| tee ${binary} > \
134	${UBOOT_BINARYNAME}-${type}.${UBOOT_SUFFIX}	214	${UBOOT_BINARYNAME}-${type}.${UBOOT_SUFFIX}
135	else	215	else
136	cat ${UBOOT_NODTB_BINARY} ${UBOOT_DTB_SIGNED} > ${UBOOT_BINARY}	216	cat ${UBOOT_NODTB_BINARY} ${UBOOT_DTB_SIGNED} > ${UBOOT_BINARY}
137	fi	217	fi
138	else
139	bbwarn "Failure while adding public key to u-boot binary. Verified boot won't be available."
140	fi	218	fi
141	fi	219	fi
142	}	220	}
@@ -168,7 +246,7 @@ deploy_dtb() {
168	}	246	}
169		247
170	concat_spl_dtb() {	248	concat_spl_dtb() {
171	if [ -e "${SPL_DIR}/${SPL_NODTB_BINARY}" -a -e "${SPL_DIR}/${SPL_DTB_BINARY}" ] ; then	249	if [ -e "${SPL_DIR}/${SPL_NODTB_BINARY}" ] && [ -e "${SPL_DIR}/${SPL_DTB_BINARY}" ] ; then
172	cat ${SPL_DIR}/${SPL_NODTB_BINARY} ${SPL_DIR}/${SPL_DTB_SIGNED} > "${SPL_BINARY}"	250	cat ${SPL_DIR}/${SPL_NODTB_BINARY} ${SPL_DIR}/${SPL_DTB_SIGNED} > "${SPL_BINARY}"
173	else	251	else
174	bbwarn "Failure while adding public key to spl binary. Verified U-Boot boot won't be available."	252	bbwarn "Failure while adding public key to spl binary. Verified U-Boot boot won't be available."
@@ -234,9 +312,65 @@ do_uboot_generate_rsa_keys() {
234		312
235	addtask uboot_generate_rsa_keys before do_uboot_assemble_fitimage after do_compile	313	addtask uboot_generate_rsa_keys before do_uboot_assemble_fitimage after do_compile
236		314
		315	# Create a ITS file for the atf
		316	uboot_fitimage_atf() {
		317	cat << EOF >> ${UBOOT_ITS}
		318	atf {
		319	description = "ARM Trusted Firmware";
		320	data = /incbin/("${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_IMAGE}");
		321	type = "firmware";
		322	arch = "${UBOOT_ARCH}";
		323	os = "arm-trusted-firmware";
		324	load = <${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_LOADADDRESS}>;
		325	entry = <${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_ENTRYPOINT}>;
		326	compression = "none";
		327	EOF
		328	if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
		329	cat << EOF >> ${UBOOT_ITS}
		330	signature {
		331	algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}";
		332	key-name-hint = "${SPL_SIGN_KEYNAME}";
		333	};
		334	EOF
		335	fi
		336
		337	cat << EOF >> ${UBOOT_ITS}
		338	};
		339	EOF
		340	}
		341
		342	# Create a ITS file for the tee
		343	uboot_fitimage_tee() {
		344	cat << EOF >> ${UBOOT_ITS}
		345	tee {
		346	description = "Trusted Execution Environment";
		347	data = /incbin/("${UBOOT_FIT_TEE_IMAGE}");
		348	type = "tee";
		349	arch = "${UBOOT_ARCH}";
		350	os = "tee";
		351	load = <${UBOOT_FIT_TEE_LOADADDRESS}>;
		352	entry = <${UBOOT_FIT_TEE_ENTRYPOINT}>;
		353	compression = "none";
		354	EOF
		355	if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
		356	cat << EOF >> ${UBOOT_ITS}
		357	signature {
		358	algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}";
		359	key-name-hint = "${SPL_SIGN_KEYNAME}";
		360	};
		361	EOF
		362	fi
		363
		364	cat << EOF >> ${UBOOT_ITS}
		365	};
		366	EOF
		367	}
		368
237	# Create a ITS file for the U-boot FIT, for use when	369	# Create a ITS file for the U-boot FIT, for use when
238	# we want to sign it so that the SPL can verify it	370	# we want to sign it so that the SPL can verify it
239	uboot_fitimage_assemble() {	371	uboot_fitimage_assemble() {
		372	conf_loadables="\"uboot\""
		373	conf_firmware=""
240	rm -f ${UBOOT_ITS} ${UBOOT_FITIMAGE_BINARY}	374	rm -f ${UBOOT_ITS} ${UBOOT_FITIMAGE_BINARY}
241		375
242	# First we create the ITS script	376	# First we create the ITS script
@@ -289,13 +423,38 @@ EOF
289		423
290	cat << EOF >> ${UBOOT_ITS}	424	cat << EOF >> ${UBOOT_ITS}
291	};	425	};
		426	EOF
		427	if [ "${UBOOT_FIT_TEE}" = "1" ] ; then
		428	conf_loadables="\"tee\", ${conf_loadables}"
		429	uboot_fitimage_tee
		430	fi
		431
		432	if [ "${UBOOT_FIT_ARM_TRUSTED_FIRMWARE}" = "1" ] ; then
		433	conf_loadables="\"atf\", ${conf_loadables}"
		434	uboot_fitimage_atf
		435	fi
		436
		437	if [ -n "${UBOOT_FIT_USER_SETTINGS}" ] ; then
		438	printf "%b" "${UBOOT_FIT_USER_SETTINGS}" >> ${UBOOT_ITS}
		439	fi
		440
		441	if [ -n "${UBOOT_FIT_CONF_USER_LOADABLES}" ] ; then
		442	conf_loadables="${conf_loadables}${UBOOT_FIT_CONF_USER_LOADABLES}"
		443	fi
		444
		445	if [ -n "${UBOOT_FIT_CONF_FIRMWARE}" ] ; then
		446	conf_firmware="firmware = \"${UBOOT_FIT_CONF_FIRMWARE}\";"
		447	fi
		448
		449	cat << EOF >> ${UBOOT_ITS}
292	};	450	};
293		451
294	configurations {	452	configurations {
295	default = "conf";	453	default = "conf";
296	conf {	454	conf {
297	description = "Boot with signed U-Boot FIT";	455	description = "Boot with signed U-Boot FIT";
298	loadables = "uboot";	456	${conf_firmware}
		457	loadables = ${conf_loadables};
299	fdt = "fdt";	458	fdt = "fdt";
300	};	459	};
301	};	460	};
@@ -311,25 +470,31 @@ EOF
311	${UBOOT_FITIMAGE_BINARY}	470	${UBOOT_FITIMAGE_BINARY}
312		471
313	if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then	472	if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
314	#	473	if [ -n "${SPL_DTB_BINARY}" ] ; then
315	# Sign the U-boot FIT image and add public key to SPL dtb	474	#
316	#	475	# Sign the U-boot FIT image and add public key to SPL dtb
317	${UBOOT_MKIMAGE_SIGN} \	476	#
318	${@'-D "${SPL_MKIMAGE_DTCOPTS}"' if len('${SPL_MKIMAGE_DTCOPTS}') else ''} \	477	${UBOOT_MKIMAGE_SIGN} \
319	-F -k "${SPL_SIGN_KEYDIR}" \	478	${@'-D "${SPL_MKIMAGE_DTCOPTS}"' if len('${SPL_MKIMAGE_DTCOPTS}') else ''} \
320	-K "${SPL_DIR}/${SPL_DTB_BINARY}" \	479	-F -k "${SPL_SIGN_KEYDIR}" \
321	-r ${UBOOT_FITIMAGE_BINARY} \	480	-K "${SPL_DIR}/${SPL_DTB_BINARY}" \
322	${SPL_MKIMAGE_SIGN_ARGS}	481	-r ${UBOOT_FITIMAGE_BINARY} \
323	#	482	${SPL_MKIMAGE_SIGN_ARGS}
324	# Verify the U-boot FIT image and SPL dtb	483
325	#	484	# Verify the U-boot FIT image and SPL dtb
326	${UBOOT_FIT_CHECK_SIGN} \	485	${UBOOT_FIT_CHECK_SIGN} \
327	-k "${SPL_DIR}/${SPL_DTB_BINARY}" \	486	-k "${SPL_DIR}/${SPL_DTB_BINARY}" \
328	-f ${UBOOT_FITIMAGE_BINARY}	487	-f ${UBOOT_FITIMAGE_BINARY}
329	fi	488
330		489	cp ${SPL_DIR}/${SPL_DTB_BINARY} ${SPL_DIR}/${SPL_DTB_SIGNED}
331	if [ -e "${SPL_DIR}/${SPL_DTB_BINARY}" ]; then	490	else
332	cp ${SPL_DIR}/${SPL_DTB_BINARY} ${SPL_DIR}/${SPL_DTB_SIGNED}	491	# Sign the U-boot FIT image
		492	${UBOOT_MKIMAGE_SIGN} \
		493	${@'-D "${SPL_MKIMAGE_DTCOPTS}"' if len('${SPL_MKIMAGE_DTCOPTS}') else ''} \
		494	-F -k "${SPL_SIGN_KEYDIR}" \
		495	-r ${UBOOT_FITIMAGE_BINARY} \
		496	${SPL_MKIMAGE_SIGN_ARGS}
		497	fi
333	fi	498	fi
334	}	499	}
335		500
@@ -337,27 +502,24 @@ uboot_assemble_fitimage_helper() {
337	type="$1"	502	type="$1"
338	binary="$2"	503	binary="$2"
339		504
340	if [ "${UBOOT_SIGN_ENABLE}" = "1" -a -n "${UBOOT_DTB_BINARY}" ] ; then	505	if [ "${UBOOT_SIGN_ENABLE}" = "1" ] && [ -n "${UBOOT_DTB_BINARY}" ] ; then
341	concat_dtb $type $binary	506	concat_dtb "$type" "$binary"
342	fi	507	fi
343		508
344	if [ "${UBOOT_FITIMAGE_ENABLE}" = "1" -a -n "${SPL_DTB_BINARY}" ]; then	509	if [ "${UBOOT_FITIMAGE_ENABLE}" = "1" ]; then
345	uboot_fitimage_assemble	510	uboot_fitimage_assemble
346	fi	511	fi
347		512
348	if [ "${SPL_SIGN_ENABLE}" = "1" -a -n "${SPL_DTB_BINARY}" ] ; then	513	if [ "${SPL_SIGN_ENABLE}" = "1" ] && [ -n "${SPL_DTB_BINARY}" ] ; then
349	concat_spl_dtb	514	concat_spl_dtb
350	fi	515	fi
351	}	516	}
352		517
353	do_uboot_assemble_fitimage() {	518	do_uboot_assemble_fitimage() {
354	if [ "${UBOOT_SIGN_ENABLE}" = "1" ] ; then
355	cp "${STAGING_DIR_HOST}/sysroot-only/fitImage" "${B}/fitImage-linux"
356	fi
357
358	if [ -n "${UBOOT_CONFIG}" ]; then	519	if [ -n "${UBOOT_CONFIG}" ]; then
359	unset i j k	520	unset i
360	for config in ${UBOOT_MACHINE}; do	521	for config in ${UBOOT_MACHINE}; do
		522	unset j k
361	i=$(expr $i + 1);	523	i=$(expr $i + 1);
362	for type in ${UBOOT_CONFIG}; do	524	for type in ${UBOOT_CONFIG}; do
363	j=$(expr $j + 1);	525	j=$(expr $j + 1);
@@ -387,11 +549,11 @@ addtask uboot_assemble_fitimage before do_install do_deploy after do_compile
387	deploy_helper() {	549	deploy_helper() {
388	type="$1"	550	type="$1"
389		551
390	if [ "${UBOOT_SIGN_ENABLE}" = "1" -a -n "${UBOOT_DTB_SIGNED}" ] ; then	552	if [ "${UBOOT_SIGN_ENABLE}" = "1" ] && [ -n "${UBOOT_DTB_SIGNED}" ] ; then
391	deploy_dtb $type	553	deploy_dtb $type
392	fi	554	fi
393		555
394	if [ "${UBOOT_FITIMAGE_ENABLE}" = "1" -a -n "${SPL_DTB_BINARY}" ]; then	556	if [ "${UBOOT_FITIMAGE_ENABLE}" = "1" ]; then
395	if [ -n "${type}" ]; then	557	if [ -n "${type}" ]; then
396	uboot_its_image="u-boot-its-${type}-${PV}-${PR}"	558	uboot_its_image="u-boot-its-${type}-${PV}-${PR}"
397	uboot_fitimage_image="u-boot-fitImage-${type}-${PV}-${PR}"	559	uboot_fitimage_image="u-boot-fitImage-${type}-${PV}-${PR}"
@@ -409,7 +571,7 @@ deploy_helper() {
409	fi	571	fi
410	fi	572	fi
411		573
412	if [ "${SPL_SIGN_ENABLE}" = "1" -a -n "${SPL_DTB_SIGNED}" ] ; then	574	if [ "${SPL_SIGN_ENABLE}" = "1" ] && [ -n "${SPL_DTB_BINARY}" ] ; then
413	deploy_spl_dtb $type	575	deploy_spl_dtb $type
414	fi	576	fi
415	}	577	}
@@ -434,7 +596,7 @@ do_deploy:prepend() {
434	deploy_helper ""	596	deploy_helper ""
435	fi	597	fi
436		598
437	if [ "${UBOOT_SIGN_ENABLE}" = "1" -a -n "${UBOOT_DTB_BINARY}" ] ; then	599	if [ "${UBOOT_SIGN_ENABLE}" = "1" ] && [ -n "${UBOOT_DTB_BINARY}" ] ; then
438	ln -sf ${UBOOT_DTB_IMAGE} ${DEPLOYDIR}/${UBOOT_DTB_BINARY}	600	ln -sf ${UBOOT_DTB_IMAGE} ${DEPLOYDIR}/${UBOOT_DTB_BINARY}
439	ln -sf ${UBOOT_DTB_IMAGE} ${DEPLOYDIR}/${UBOOT_DTB_SYMLINK}	601	ln -sf ${UBOOT_DTB_IMAGE} ${DEPLOYDIR}/${UBOOT_DTB_SYMLINK}
440	ln -sf ${UBOOT_NODTB_IMAGE} ${DEPLOYDIR}/${UBOOT_NODTB_SYMLINK}	602	ln -sf ${UBOOT_NODTB_IMAGE} ${DEPLOYDIR}/${UBOOT_NODTB_SYMLINK}
@@ -448,7 +610,7 @@ do_deploy:prepend() {
448	ln -sf ${UBOOT_FITIMAGE_IMAGE} ${DEPLOYDIR}/${UBOOT_FITIMAGE_SYMLINK}	610	ln -sf ${UBOOT_FITIMAGE_IMAGE} ${DEPLOYDIR}/${UBOOT_FITIMAGE_SYMLINK}
449	fi	611	fi
450		612
451	if [ "${SPL_SIGN_ENABLE}" = "1" -a -n "${SPL_DTB_BINARY}" ] ; then	613	if [ "${SPL_SIGN_ENABLE}" = "1" ] && [ -n "${SPL_DTB_BINARY}" ] ; then
452	ln -sf ${SPL_DTB_IMAGE} ${DEPLOYDIR}/${SPL_DTB_SYMLINK}	614	ln -sf ${SPL_DTB_IMAGE} ${DEPLOYDIR}/${SPL_DTB_SYMLINK}
453	ln -sf ${SPL_DTB_IMAGE} ${DEPLOYDIR}/${SPL_DTB_BINARY}	615	ln -sf ${SPL_DTB_IMAGE} ${DEPLOYDIR}/${SPL_DTB_BINARY}
454	ln -sf ${SPL_NODTB_IMAGE} ${DEPLOYDIR}/${SPL_NODTB_SYMLINK}	616	ln -sf ${SPL_NODTB_IMAGE} ${DEPLOYDIR}/${SPL_NODTB_SYMLINK}