[yocto] Public key for U-Boot verified boot is not inserted in DTB when rebuilding from sstate

Andersen, Christian c.andersen at kostal.com
Thu Sep 21 03:36:16 PDT 2017


Hello,

I have a problem with U-Boot verified boot and the sstate caching of build artifacts.

On a clean rebuild (deleted sstate and tmp dir), the signed FIT image and U-Boot incl. the public key are correctly created.
But when I delete the tmp dir and let bitbake recreate it from sstate, the public key in U-Boot is missing.

The task sequence according to uboot-sign.bbclass is:

#   u-boot:do_deploy_dtb
#   u-boot:do_deploy
#   virtual/kernel:do_assemble_fitimage
#   u-boot:do_concat_dtb
#   u-boot:do_install

The problem seems to be that while assembling the FIT image (from the kernel recipe), the U-Boot DTB in DEPLOY_IMAGE_DIR is modified and the public key is inserted. After that, U-Boot and the new DTB are concatenated. This happens for the U-Boot image in DEPLOYDIR as well as in DEPLOY_IMAGE_DIR.

The problem now is that the sstate caches the versions of U-Boot and DTB while deploying them. Since this happens before assembling the FIT image, the sstate now contains U-Boot and DTB without the public key.

U-Boot unfortunately (silently!) disables verified boot when the public key is not available in the DTB.

I already filed a bug (#12112) for this, but does anybody have an idea how to easily fix this (other than cleaning the sstate of U-Boot/Kernel after deleting the tmp dir)?

A possible solution would be to remove the dependency between kernel and U-Boot. But in this case it would be necessary to insert the public key into the DTB while building U-Boot without using the FIT image from the kernel build. Unfortunately uboot-mkimage does not support this at the moment.


Regards
Christian

-- 
KOSTAL Industrie Elektrik GmbH
www.kostal-industrie-elektrik.com
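
A check for the silent failure described above, as an added example that is not part of the original post or of the Yocto/U-Boot sources: it walks a U-Boot DTB blob and lists the `/signature` key nodes that carry an RSA modulus, so a build step can fail when the list is empty. The function names and the sample blob are constructed for illustration; it assumes RSA keys stored the way mkimage writes them (a `key-*` node under `/signature` with an `rsa,modulus` property).

```python
import struct
FDT_MAGIC = 0xD00DFEED
BEGIN, END_NODE, PROP, NOP, END = 1, 2, 3, 4, 9  # FDT structure-block tokens

def signature_keys(dtb: bytes) -> dict:
    """Return {node name: {property: raw bytes}} for the children of /signature."""
    magic, _total, off_struct, off_strings = struct.unpack_from(">4I", dtb, 0)
    if magic != FDT_MAGIC:
        raise ValueError("not a flattened device tree")
    keys, path, pos = {}, [], off_struct
    while True:
        (tok,) = struct.unpack_from(">I", dtb, pos)
        pos += 4
        if tok == BEGIN:
            end = dtb.index(b"\0", pos)
            path.append(dtb[pos:end].decode())
            pos = (end + 4) & ~3  # skip name and NUL, realign to 4 bytes
            if len(path) == 3 and path[1] == "signature":
                keys[path[2]] = {}
        elif tok == END_NODE:
            path.pop()
        elif tok == PROP:
            length, nameoff = struct.unpack_from(">2I", dtb, pos)
            start = off_strings + nameoff
            name = dtb[start:dtb.index(b"\0", start)].decode()
            if len(path) == 3 and path[1] == "signature":
                keys[path[2]][name] = dtb[pos + 8:pos + 8 + length]
            pos = (pos + 8 + length + 3) & ~3
        elif tok == END:
            return keys
        elif tok != NOP:
            raise ValueError(f"bad FDT token {tok:#x} at offset {pos - 4}")

def rsa_key_nodes(dtb: bytes) -> list:
    """Names of /signature children that hold a non-empty rsa,modulus."""
    return sorted(n for n, p in signature_keys(dtb).items() if p.get("rsa,modulus"))

def sample_dtb(with_key: bool) -> bytes:
    """Constructed blob: / { signature { key-dev { rsa,modulus = <...>; }; }; }"""
    def node(name, body=b""):
        raw = name.encode() + b"\0"
        raw += b"\0" * (-len(raw) % 4)
        return struct.pack(">I", BEGIN) + raw + body + struct.pack(">I", END_NODE)
    prop = struct.pack(">3I", PROP, 4, 0) + b"\xde\xad\xbe\xef"  # dummy modulus
    inner = node("signature", node("key-dev", prop)) if with_key else b""
    body = node("", inner) + struct.pack(">I", END)
    strings = b"rsa,modulus\0"
    hdr = struct.pack(">10I", FDT_MAGIC, 56 + len(body) + len(strings), 56,
                      56 + len(body), 40, 17, 16, 0, len(strings), len(body))
    return hdr + b"\0" * 16 + body + strings  # 16 zero bytes: empty reserve map
```

Running `rsa_key_nodes()` on the DTB restored from sstate and failing the build on an empty result turns the silent downgrade into a visible error.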

