u-boot: kernel-fitimage: Fix dependency loop if UBOOT_SIGN_ENABLE and UBOOT_ENV enabled

In case both UBOOT_SIGN_ENABLE and UBOOT_ENV are enabled and kernel-fitimage.bbclass is in use to generate signed kernel fitImage, there is a circular dependency between uboot-sign and kernel-fitimage bbclasses . The loop looks like this: kernel-fitimage.bbclass: - do_populate_sysroot depends on do_assemble_fitimage - do_assemble_fitimage depends on virtual/bootloader:do_populate_sysroot - virtual/bootloader:do_populate_sysroot depends on virtual/bootloader:do_install => The virtual/bootloader:do_install installs and the virtual/bootloader:do_populate_sysroot places into sysroot an U-Boot environment script embedded into kernel fitImage during do_assemble_fitimage run . uboot-sign.bbclass: - DEPENDS on KERNEL_PN, which is really virtual/kernel. More accurately - do_deploy depends on do_uboot_assemble_fitimage - do_install depends on do_uboot_assemble_fitimage - do_uboot_assemble_fitimage depends on virtual/kernel:do_populate_sysroot => do_install depends on virtual/kernel:do_populate_sysroot => virtual/bootloader:do_install depends on virtual/kernel:do_populate_sysroot virtual/kernel:do_populate_sysroot depends on virtual/bootloader:do_install Attempt to resolve the loop. Pull fitimage configuration options into separate new configuration file image-fitimage.conf so these configuration options can be shared by both uboot-sign.bbclass and kernel-fitimage.bbclass, and make use of mkimage -f auto-conf / mkimage -f auto option to insert /signature node key-* subnode into U-Boot control DT without depending on the layout of kernel fitImage itself. This is perfectly valid to do, because the U-Boot /signature node key-* subnodes 'required' property can contain either of two values, 'conf' or 'image' to authenticate either selected configuration or all of images when booting the fitImage. For details of the U-Boot fitImage signing process, see: https://docs.u-boot.org/en/latest/usage/fit/signature.html For details of mkimage -f auto-conf and -f auto, see: https://manpages.debian.org/experimental/u-boot-tools/mkimage.1.en.html#EXAMPLES Fixes: 5e12dc911d0c ("u-boot: Rework signing to remove interdependencies") Reviewed-by: Adrian Freihofer <adrian.freihofer@siemens.com> (From OE-Core rev: 259bfa86f384206f0d0a96a5b84887186c5f689e) Signed-off-by: Marek Vasut <marex@denx.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Marek Vasut <marex@denx.de> 2025-01-21 22:20:52 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2025-01-22 13:20:29 +0000
commit: 3fb215a3af242e2016a146739a69be746ab8b722 (patch)
tree: 2d98520e45238acd68d6a9611b86a11786c85c0a /meta/classes-recipe/kernel-fitimage.bbclass
parent: 310f9cd967f81869b27c4542a0015cf76c3e2c84 (diff)
download: poky-3fb215a3af242e2016a146739a69be746ab8b722.tar.gz
1 files changed, 1 insertions, 52 deletions
diff --git a/meta/classes-recipe/kernel-fitimage.bbclass b/meta/classes-recipe/kernel-fitimage.bbclass
index 67c98adb23..fe076badfa 100644
--- a/meta/classes-recipe/kernel-fitimage.bbclass
+++ b/meta/classes-recipe/kernel-fitimage.bbclass
@@ -5,6 +5,7 @@
 #
 inherit kernel-uboot kernel-artifact-names uboot-config
+require conf/image-fitimage.conf
 def get_fit_replacement_type(d):
    kerneltypes = d.getVar('KERNEL_IMAGETYPES') or ""
@@ -52,58 +53,6 @@ python __anonymous () {
        d.setVar('EXTERNAL_KERNEL_DEVICETREE', "${RECIPE_SYSROOT}/boot/devicetree")
 }
-# Description string
-FIT_DESC ?= "Kernel fitImage for ${DISTRO_NAME}/${PV}/${MACHINE}"
-# Kernel fitImage Hash Algo
-FIT_HASH_ALG ?= "sha256"
-# Kernel fitImage Signature Algo
-FIT_SIGN_ALG ?= "rsa2048"
-# Kernel / U-Boot fitImage Padding Algo
-FIT_PAD_ALG ?= "pkcs-1.5"
-# Generate keys for signing Kernel fitImage
-FIT_GENERATE_KEYS ?= "0"
-# Size of private keys in number of bits
-FIT_SIGN_NUMBITS ?= "2048"
-# args to openssl genrsa (Default is just the public exponent)
-FIT_KEY_GENRSA_ARGS ?= "-F4"
-# args to openssl req (Default is -batch for non interactive mode and
-# -new for new certificate)
-FIT_KEY_REQ_ARGS ?= "-batch -new"
-# Standard format for public key certificate
-FIT_KEY_SIGN_PKCS ?= "-x509"
-# Sign individual images as well
-FIT_SIGN_INDIVIDUAL ?= "0"
-FIT_CONF_PREFIX ?= "conf-"
-FIT_CONF_PREFIX[doc] = "Prefix to use for FIT configuration node name"
-FIT_SUPPORTED_INITRAMFS_FSTYPES ?= "cpio.lz4 cpio.lzo cpio.lzma cpio.xz cpio.zst cpio.gz ext2.gz cpio"
-# Allow user to select the default DTB for FIT image when multiple dtb's exists.
-FIT_CONF_DEFAULT_DTB ?= ""
-# length of address in number of <u32> cells
-# ex: 1 32bits address, 2 64bits address
-FIT_ADDRESS_CELLS ?= "1"
-# Keys used to sign individually image nodes.
-# The keys to sign image nodes must be different from those used to sign
-# configuration nodes, otherwise the "required" property, from
-# UBOOT_DTB_BINARY, will be set to "conf", because "conf" prevails on "image".
-# Then the images signature checking will not be mandatory and no error will be
-# raised in case of failure.
-# UBOOT_SIGN_IMG_KEYNAME = "dev2" # keys name in keydir (eg. "dev2.crt", "dev2.key")
 #
 # Emit the fitImage ITS header
 #
author	Marek Vasut <marex@denx.de>	2025-01-21 22:20:52 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2025-01-22 13:20:29 +0000
commit	3fb215a3af242e2016a146739a69be746ab8b722 (patch)
tree	2d98520e45238acd68d6a9611b86a11786c85c0a /meta/classes-recipe/kernel-fitimage.bbclass
parent	310f9cd967f81869b27c4542a0015cf76c3e2c84 (diff)
download	poky-3fb215a3af242e2016a146739a69be746ab8b722.tar.gz

diff --git a/meta/classes-recipe/kernel-fitimage.bbclass b/meta/classes-recipe/kernel-fitimage.bbclass index 67c98adb23..fe076badfa 100644 --- a/meta/classes-recipe/kernel-fitimage.bbclass +++ b/meta/classes-recipe/kernel-fitimage.bbclass
@@ -5,6 +5,7 @@
5	#	5	#
6		6
7	inherit kernel-uboot kernel-artifact-names uboot-config	7	inherit kernel-uboot kernel-artifact-names uboot-config
		8	require conf/image-fitimage.conf
8		9
9	def get_fit_replacement_type(d):	10	def get_fit_replacement_type(d):
10	kerneltypes = d.getVar('KERNEL_IMAGETYPES') or ""	11	kerneltypes = d.getVar('KERNEL_IMAGETYPES') or ""
@@ -52,58 +53,6 @@ python __anonymous () {
52	d.setVar('EXTERNAL_KERNEL_DEVICETREE', "${RECIPE_SYSROOT}/boot/devicetree")	53	d.setVar('EXTERNAL_KERNEL_DEVICETREE', "${RECIPE_SYSROOT}/boot/devicetree")
53	}	54	}
54		55
55
56	# Description string
57	FIT_DESC ?= "Kernel fitImage for ${DISTRO_NAME}/${PV}/${MACHINE}"
58
59	# Kernel fitImage Hash Algo
60	FIT_HASH_ALG ?= "sha256"
61
62	# Kernel fitImage Signature Algo
63	FIT_SIGN_ALG ?= "rsa2048"
64
65	# Kernel / U-Boot fitImage Padding Algo
66	FIT_PAD_ALG ?= "pkcs-1.5"
67
68	# Generate keys for signing Kernel fitImage
69	FIT_GENERATE_KEYS ?= "0"
70
71	# Size of private keys in number of bits
72	FIT_SIGN_NUMBITS ?= "2048"
73
74	# args to openssl genrsa (Default is just the public exponent)
75	FIT_KEY_GENRSA_ARGS ?= "-F4"
76
77	# args to openssl req (Default is -batch for non interactive mode and
78	# -new for new certificate)
79	FIT_KEY_REQ_ARGS ?= "-batch -new"
80
81	# Standard format for public key certificate
82	FIT_KEY_SIGN_PKCS ?= "-x509"
83
84	# Sign individual images as well
85	FIT_SIGN_INDIVIDUAL ?= "0"
86
87	FIT_CONF_PREFIX ?= "conf-"
88	FIT_CONF_PREFIX[doc] = "Prefix to use for FIT configuration node name"
89
90	FIT_SUPPORTED_INITRAMFS_FSTYPES ?= "cpio.lz4 cpio.lzo cpio.lzma cpio.xz cpio.zst cpio.gz ext2.gz cpio"
91
92	# Allow user to select the default DTB for FIT image when multiple dtb's exists.
93	FIT_CONF_DEFAULT_DTB ?= ""
94
95	# length of address in number of <u32> cells
96	# ex: 1 32bits address, 2 64bits address
97	FIT_ADDRESS_CELLS ?= "1"
98
99	# Keys used to sign individually image nodes.
100	# The keys to sign image nodes must be different from those used to sign
101	# configuration nodes, otherwise the "required" property, from
102	# UBOOT_DTB_BINARY, will be set to "conf", because "conf" prevails on "image".
103	# Then the images signature checking will not be mandatory and no error will be
104	# raised in case of failure.
105	# UBOOT_SIGN_IMG_KEYNAME = "dev2" # keys name in keydir (eg. "dev2.crt", "dev2.key")
106
107	#	56	#
108	# Emit the fitImage ITS header	57	# Emit the fitImage ITS header
109	#	58	#