[meta-freescale] u-boot-fslc: migration from morty to pyro with a signed image using CST

Romain Bazile romain.bazile at ubiant.com
Fri Jun 16 10:14:25 PDT 2017


Here is the bbappend for u-boot.

SRC_URI += "\
     file://0001-Add-MMC-boot-support.patch \
     file://0002-Add-MT41K128M16JT-125K-support.patch \
     file://0003-Remove-video-support.patch \
     file://0004-Ethernet-Use-ENET1.patch \
     file://0005-Rename-DTB-file-used-to-imx6ul-aveli.dtb.patch \
     file://0006-Add-PMIC-pf3001-support.patch \
     file://0007-Disable-I2C2.patch \
     file://0008-Add-USB-support-force-port-0-in-host-mode.patch \
     file://0009-Only-use-default-env-var-and-import-bootpart-from-sd.patch \
     file://0010-Add-bootcount-support.patch \
     file://0011-hab-auth-zimage.patch \
     file://0012-Load-uImage-and-DTB-present-at-mmc-address.patch \
     file://0013-Verify-DTB-signature.patch \
     file://0014-Add-active-passive-kernel-dtb-support.patch \
     file://0016-Enable-watchdog.patch \
"

# Search this bbappend's own directory for the patches above. A ':'-terminated
# prepend is the form BitBake expects; appending without the separator can run
# the path into whatever another bbappend already added.
FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
UBOOT_MAKE_TARGET = ""
UBOOT_BINARY = "u-boot-ivt.img"

# Sign the deployed SPL and u-boot image with the NXP Code Signing Tool (CST)
# after do_deploy and before do_build. CST_ROOT, SPL_BINARYNAME and UBOOT_IMAGE
# are set elsewhere in our layer.
addtask sign_uboot before do_build after do_deploy
do_sign_uboot () {
    if [ -e "${CST_ROOT}/crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem" ] ; then
        cd "${CST_ROOT}"
        bash mkfinalimage.sh "${CST_ROOT}" "${DEPLOYDIR}" "${DEPLOY_DIR_IMAGE}" "${SPL_BINARYNAME}" "${UBOOT_IMAGE}"
    else
        if [ ! -d "${CST_ROOT}" ] ; then
            bberror "The CST Tool at path ${CST_ROOT} doesn't exist"
        fi
        bberror "The CST keys are not created yet"
    fi
}

mkfinalimage.sh creates the signed copy of SPL and u-boot.img using the 
Code Signing Tool from NXP.

I switched the UBOOT_BINARY variable to "u-boot-ivt.img" and u-boot 
compiled well. However, even if it boots for now, I'll have to test the 
signature check.


What I meant by my question was that I don't know if my do_sign task 
is redundant with compiling u-boot with SECURE_BOOT activated (which 
would sign the image, no?).


Sincerely,

Romain Bazile
Hardware R&D Engineer

www.ubiant.com

Le 16/06/2017 à 17:04, Otavio Salvador a écrit :
> On Wed, Jun 14, 2017 at 1:45 PM, Romain Bazile <romain.bazile at ubiant.com> wrote:
> ...
>> We have in our bbappend a custom task, `sign_uboot`. This task uses the IMX
>> Code Signing Tool distributed by NXP to sign `u-boot.img` .
>>
>>
>> During the migration, I had a compilation problem. Basically, the build
>> system would complain that authenticate_image was an undefined reference.
>> When having a look at u-boot code, it seemed normal since it was not built
>> in the absence of `CONFIG_SECURE_BOOT`.
>> I added a patchfile changing this in `mx6ul_14x14_defconfig`, but now, a
>> different problem appears.
>>
>> Basically, the do_compile task is failing when it tries to copy `u-boot.img`
>> (as defined in my bbappend `UBOOT_BINARY`). This is "normal", since this
>> file is not in the filesystem, and likely not built. However, I do have a
>> `u-boot-ivt.img` (but this file is supposed to be created at a later stage
>> by the task `sign_uboot`).
>>
>> Also, just before, a couple of errors appear, where a script complains
>> about `bc` and `comm` not being found, except they are installed on the
>> build machine. This may not be related and may not have consequences; I
>> believe this could be linked to the per-recipe sysroot.
>>
>>
>> Sorry for the long post, I can also share the details if needed (the task
>> `sign_uboot` and the scripts used to sign).
>>
>> My questions are as follows:
>> Do I still need to use this custom script if I use `CONFIG_SECURE_BOOT`?
>> How can I ensure that u-boot-fslc will be correctly built?
> Please share the patch so we can look at how it is done...
>
>
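The prerequisite logic of the sign_uboot task above, plus a check on what mkfinalimage.sh produced, as an added example that is not code from the post or from meta-freescale. It assumes the CST layout the post tests for (crts/ under CST_ROOT) and that CST produces the signed image by appending the CSF block to the unsigned image, so the signed file must be larger and must start with the unsigned bytes.

```shell
# Added example (not from the post or from meta-freescale): the task's
# prerequisite checks as plain shell functions that can be exercised outside
# BitBake, and a post-signing check. Assumed: CST keeps certificates under
# crts/ below CST_ROOT, and the signed image is the unsigned image with the
# CSF appended (so nothing appended means nothing was signed).

CST_USR_CERT="crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

# check_cst_ready <cst_root>
# 0: tool and keys present; 2: CST_ROOT missing; 3: keys not generated yet.
# The two failure messages are the ones the bbappend reports with bberror.
check_cst_ready() {
    cst_root="$1"
    if [ ! -d "$cst_root" ]; then
        echo "The CST Tool at path $cst_root doesn't exist" >&2
        return 2
    fi
    if [ ! -e "$cst_root/$CST_USR_CERT" ]; then
        echo "The CST keys are not created yet" >&2
        return 3
    fi
    return 0
}

# verify_signed_image <unsigned> <signed>
# 0: signed image is the unsigned image plus an appended CSF; 4: a file is
# missing; 5: nothing was appended (signing did not happen); 6: the signed
# image does not start with the unsigned image (a different input was signed).
verify_signed_image() {
    unsigned="$1"; signed="$2"
    if [ ! -f "$unsigned" ] || [ ! -f "$signed" ]; then
        echo "missing image: $unsigned or $signed" >&2
        return 4
    fi
    usize=$(wc -c < "$unsigned" | tr -d ' ')
    ssize=$(wc -c < "$signed" | tr -d ' ')
    if [ "$ssize" -le "$usize" ]; then
        echo "$signed is not larger than $unsigned: no CSF appended" >&2
        return 5
    fi
    # The CSF follows the padded image, so the unsigned bytes must be a prefix.
    if ! head -c "$usize" "$signed" | cmp -s - "$unsigned"; then
        echo "$signed does not start with the contents of $unsigned" >&2
        return 6
    fi
    return 0
}
```

Source the file and run `check_cst_ready "$CST_ROOT"` before invoking mkfinalimage.sh, then `verify_signed_image <unsigned> <signed>` on its output; a non-zero return with the printed reason is the signal to fail the task.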
