diff options
| author | Rogerio Guerra Borin <rogerio.borin@toradex.com> | 2025-05-23 14:06:03 -0300 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2025-06-02 07:12:34 -0700 |
| commit | 339fe2fe1ce3893b45e60e0a2392b000ff787d80 (patch) | |
| tree | 2b32b09e7959e9a1cefcce7b61ff1ddf5714790f | |
| parent | 09edf92b0ddfa5d3af5aefd829fd9feb8f2e4b98 (diff) | |
| download | poky-339fe2fe1ce3893b45e60e0a2392b000ff787d80.tar.gz | |
u-boot: ensure keys are generated before assembling U-Boot FIT image
Add the task dependency:
do_uboot_assemble_fitimage -> virtual/kernel:do_kernel_generate_rsa_keys
to ensure the kernel FIT image signing keys are available when creating
the U-Boot DTB. This is done only if the signing of the kernel FIT image
is enabled (UBOOT_SIGN_ENABLE="1").
The lack of the dependency causes build errors when executing a build
with no kernel FIT keys initially present in the keys directory. In such
cases one would see an output like this in the Bitbake logs:
Log data follows:
| DEBUG: Executing shell function do_uboot_assemble_fitimage
| Couldn't open RSA private key: '/workdir/build/keys/fit/dev.key': No such file or directory
| Failed to sign 'signature' signature node in 'conf-1' conf node
| FIT description: Kernel Image image with one or more FDT blobs
| ...
This issue was introduced by commit 259bfa86f384 where the dependency
between U-Boot and the kernel was removed (for good reasons). Before
that commit the dependency was set via DEPENDS so that, in terms of
tasks, one had:
u-boot:do_configure -> virtual/kernel:do_populate_sysroot
and the chain leading to the key generation was:
virtual/kernel:do_populate_sysroot -> virtual/kernel:do_install
virtual/kernel:do_install -> virtual/kernel:do_assemble_fitimage
virtual/kernel:do_assemble_fitimage -> virtual/kernel:do_kernel_generate_rsa_keys
With the removal of the first dependency, no more guarantees exist that
the keys would be present when assembling the U-Boot FIT image. That's
the situation we are solving with the present commit.
(From OE-Core rev: 036f20156b3c7d0a8b912e90aa29a9b986106d5a)
Fixes: d7bd9c627661 ("u-boot: kernel-fitimage: Fix dependency loop if UBOOT_SIGN_ENABLE and UBOOT_ENV enabled")
(From OE-Core rev: 56431a98ac661eaa42803e83a9ede6eae0b72b67)
Signed-off-by: Rogerio Guerra Borin <rogerio.borin@toradex.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
| -rw-r--r-- | meta/classes-recipe/uboot-sign.bbclass | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass index 5c579a9fb0..699db248e1 100644 --- a/meta/classes-recipe/uboot-sign.bbclass +++ b/meta/classes-recipe/uboot-sign.bbclass | |||
| @@ -94,6 +94,8 @@ python() { | |||
| 94 | sign = d.getVar('UBOOT_SIGN_ENABLE') == '1' | 94 | sign = d.getVar('UBOOT_SIGN_ENABLE') == '1' |
| 95 | if d.getVar('UBOOT_FITIMAGE_ENABLE') == '1' or sign: | 95 | if d.getVar('UBOOT_FITIMAGE_ENABLE') == '1' or sign: |
| 96 | d.appendVar('DEPENDS', " u-boot-tools-native dtc-native") | 96 | d.appendVar('DEPENDS', " u-boot-tools-native dtc-native") |
| 97 | if d.getVar('FIT_GENERATE_KEYS') == '1' and sign: | ||
| 98 | d.appendVarFlag('do_uboot_assemble_fitimage', 'depends', ' virtual/kernel:do_kernel_generate_rsa_keys') | ||
| 97 | } | 99 | } |
| 98 | 100 | ||
| 99 | concat_dtb() { | 101 | concat_dtb() { |