oe-selftest: fitimage: cleanup FIT_GENERATE_KEYS

It is closer to practice to use static and predictable keys to sign the FIT images. In addition, the new kernel-signing-keys-native is only reliable if the temporary directory is not deleted. However, depending on how this test suite is started, this can happen. There will therefore only be one test that uses the recipe to generate the keys, which ensures that the recipe works in principle. It is also ensured that no keys are present before the test and that the recipe runs safely and is not skipped by Bitbake. (From OE-Core rev: 97e58d7c2bc1943f0696fc72984788f459f7f7c4) Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Adrian Freihofer <adrian.freihofer@siemens.com> 2025-06-03 10:23:19 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2025-06-05 11:02:21 +0100
commit: 1e29226879f739543531adb211f12ce1c6586002 (patch)
tree: b73223e1e0f6a3e4e90e5af0958c593a58cfb262
parent: d5c04a81ac0b3f983b78415d52af4a0bc3111f1b (diff)
download: poky-1e29226879f739543531adb211f12ce1c6586002.tar.gz
1 files changed, 8 insertions, 16 deletions
diff --git a/meta/lib/oeqa/selftest/cases/fitimage.py b/meta/lib/oeqa/selftest/cases/fitimage.py
index 8a3eb7f8c1..fcba28b7b7 100644
--- a/meta/lib/oeqa/selftest/cases/fitimage.py
+++ b/meta/lib/oeqa/selftest/cases/fitimage.py
@@ -760,8 +760,7 @@ PREFERRED_PROVIDER_virtual/dtb = "bbb-dtbs-as-ext"
                     and the configuration nodes are signed correctly.
        Expected:    1) its and FIT image are built successfully
                     2) Scanning the its file indicates signing is enabled
-                        as requested by UBOOT_SIGN_ENABLE (using 1 key
+                        as requested by UBOOT_SIGN_ENABLE
-                        generated by the test not via FIT_GENERATE_KEYS)
                     3) Dumping the FIT image indicates signature values
                        are present (only for the configuration nodes as
                        FIT_SIGN_INDIVIDUAL is disabled)
@@ -792,10 +791,7 @@ FIT_CONF_DEFAULT_DTB = "am335x-bonegreen.dtb"
            'UBOOT_SIGN_KEYDIR',
        ])
-        # Do not use the random keys generated by FIT_GENERATE_KEYS.
-        # Using a static key is probably a more realistic scenario.
        self._gen_signing_key(bb_vars)
        self._test_fitimage(bb_vars)
    def test_sign_fit_image_individual(self):
@@ -804,11 +800,11 @@ FIT_CONF_DEFAULT_DTB = "am335x-bonegreen.dtb"
                     and all nodes are signed correctly.
        Expected:    1) its and FIT image are built successfully
                     2) Scanning the its file indicates signing is enabled
-                        as requested by UBOOT_SIGN_ENABLE (using 2 keys
+                        as requested by UBOOT_SIGN_ENABLE
-                        generated via FIT_GENERATE_KEYS)
                     3) Dumping the FIT image indicates signature values
                        are present (including for images as enabled via
                        FIT_SIGN_INDIVIDUAL)
+                        This also implies that FIT_GENERATE_KEYS = "1" works.
                     4) Verify the FIT image contains the comments passed via
                        UBOOT_MKIMAGE_SIGN_ARGS once per image and per
                        configuration node.
@@ -837,6 +833,10 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'"
        config = self._config_add_uboot_env(config)
        self.write_config(config)
        bb_vars = self._fit_get_bb_vars()
+        # Ensure new keys are generated and FIT_GENERATE_KEYS = "1" is tested
+        bitbake("kernel-signing-keys-native -c cleansstate")
        self._test_fitimage(bb_vars)
    def test_fit_image_sign_initramfs(self):
@@ -875,7 +875,6 @@ UBOOT_ARCH = "arm"
 UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb -p 2000"
 UBOOT_MKIMAGE_KERNEL_TYPE = "kernel"
 UBOOT_EXTLINUX = "0"
-FIT_GENERATE_KEYS = "1"
 KERNEL_IMAGETYPE_REPLACEMENT = "zImage"
 FIT_KERNEL_COMP_ALG = "none"
 FIT_HASH_ALG = "sha256"
@@ -892,10 +891,7 @@ FIT_HASH_ALG = "sha256"
            'UBOOT_SIGN_KEYDIR',
        ])
-        # Do not use the random keys generated by FIT_GENERATE_KEYS.
-        # Using a static key is probably a more realistic scenario.
        self._gen_signing_key(bb_vars)
        self._test_fitimage(bb_vars)
    def test_fit_image_sign_initramfs_bundle(self):
@@ -933,7 +929,6 @@ UBOOT_ARCH = "arm"
 UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb -p 2000"
 UBOOT_MKIMAGE_KERNEL_TYPE = "kernel"
 UBOOT_EXTLINUX = "0"
-FIT_GENERATE_KEYS = "1"
 KERNEL_IMAGETYPE_REPLACEMENT = "zImage"
 FIT_KERNEL_COMP_ALG = "none"
 FIT_HASH_ALG = "sha256"
@@ -941,6 +936,7 @@ FIT_HASH_ALG = "sha256"
        config = self._config_add_uboot_env(config)
        self.write_config(config)
        bb_vars = self._fit_get_bb_vars()
+        self._gen_signing_key(bb_vars)
        self._test_fitimage(bb_vars)
@@ -1345,9 +1341,7 @@ UBOOT_SIGN_KEYNAME = "cfg-oe-selftest"
        self.write_config(config)
        bb_vars = self._fit_get_bb_vars()
-        # Using a static key. FIT_GENERATE_KEYS = "1" does not work without kernel-fitimage.bbclass
        self._gen_signing_key(bb_vars)
        self._test_fitimage(bb_vars)
        self._check_kernel_dtb(bb_vars)
@@ -1508,8 +1502,6 @@ FIT_SIGN_INDIVIDUAL = "1"
 """
        self.write_config(config)
        bb_vars = self._fit_get_bb_vars()
-        # Using a static key. FIT_GENERATE_KEYS = "1" does not work without kernel-fitimage.bbclass
        self._gen_signing_key(bb_vars)
        bitbake("virtual/bootloader")
author	Adrian Freihofer <adrian.freihofer@siemens.com>	2025-06-03 10:23:19 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2025-06-05 11:02:21 +0100
commit	1e29226879f739543531adb211f12ce1c6586002 (patch)
tree	b73223e1e0f6a3e4e90e5af0958c593a58cfb262
parent	d5c04a81ac0b3f983b78415d52af4a0bc3111f1b (diff)
download	poky-1e29226879f739543531adb211f12ce1c6586002.tar.gz