Hello Alexandre, On Sun, 2021-08-08 at 21:19 +0200, Alexandre Belloni wrote: > Hello, > > On 06/08/2021 18:10:38+0200, Thomas Perrot wrote: > > Otherwise the "required" property, from UBOOT_DTB_BINARY, will be set > > to "conf" > > and no error will be raised in case of error. > > > > Signed-off-by: Thomas Perrot > > --- > >  meta/classes/kernel-fitimage.bbclass | 40 ++++++++++++++++++++++++-- > > -- > >  1 file changed, 35 insertions(+), 5 deletions(-) > > > > diff --git a/meta/classes/kernel-fitimage.bbclass > > b/meta/classes/kernel-fitimage.bbclass > > index a9d1002200c9..72f692e40e63 100644 > > --- a/meta/classes/kernel-fitimage.bbclass > > +++ b/meta/classes/kernel-fitimage.bbclass > > @@ -60,6 +60,14 @@ FIT_DESC ?= "Kernel fitImage for > > ${DISTRO_NAME}/${PV}/${MACHINE}" > >  # Sign individual images as well > >  FIT_SIGN_INDIVIDUAL ?= "0" > >   > > +# Keys used to sign individually images nodes. > > +# The keys to sign images nodes must be different from those used to > > sign > > +# configurations nodes, otherwise the "required" property, from > > +# UBOOT_DTB_BINARY, will be set to "conf", because "conf" prevails > > on "image". > > +# Then images signature checking will not be mandatory and no error > > will be > > +# raised. > > +# UBOOT_SIGN_IMG_KEYNAME = "dev2" # keys name in keydir (eg. > > "dev2.crt", "dev2.key") > > + > >  # > >  # Emit the fitImage ITS header > >  # > > @@ -121,7 +129,7 @@ fitimage_emit_section_kernel() { > >   > >         kernel_csum="${FIT_HASH_ALG}" > >         kernel_sign_algo="${FIT_SIGN_ALG}" > > -       kernel_sign_keyname="${UBOOT_SIGN_KEYNAME}" > > +       kernel_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}" > >   > >         ENTRYPOINT="${UBOOT_ENTRYPOINT}" > >         if [ -n "${UBOOT_ENTRYSYMBOL}" ]; then > > @@ -167,7 +175,7 @@ fitimage_emit_section_dtb() { > >   > >         dtb_csum="${FIT_HASH_ALG}" > >         dtb_sign_algo="${FIT_SIGN_ALG}" > > -       dtb_sign_keyname="${UBOOT_SIGN_KEYNAME}" > > +       dtb_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}" > >   > >         dtb_loadline="" > >         dtb_ext=${DTB##*.} > > @@ -214,7 +222,7 @@ fitimage_emit_section_boot_script() { > >   > >          bootscr_csum="${FIT_HASH_ALG}" > >         bootscr_sign_algo="${FIT_SIGN_ALG}" > > -       bootscr_sign_keyname="${UBOOT_SIGN_KEYNAME}" > > +       bootscr_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}" > >   > >          cat << EOF >> ${1} > >                  bootscr-${2} { > > @@ -278,7 +286,7 @@ fitimage_emit_section_ramdisk() { > >   > >         ramdisk_csum="${FIT_HASH_ALG}" > >         ramdisk_sign_algo="${FIT_SIGN_ALG}" > > -       ramdisk_sign_keyname="${UBOOT_SIGN_KEYNAME}" > > +       ramdisk_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}" > >         ramdisk_loadline="" > >         ramdisk_entryline="" > >   > > @@ -475,6 +483,10 @@ fitimage_assemble() { > >         bootscr_id="" > >         rm -f ${1} arch/${ARCH}/boot/${2} > >   > > +       if [ "${UBOOT_SIGN_KEYNAME}" = "${UBOOT_SIGN_IMG_KEYNAME}" ]; > > then > > +               bbfatal "Keys used to sign images and configuration > > nodes must be different." > > This breaks oe-selftest, as seen in: > https://autobuilder.yoctoproject.org/typhoon/#/builders/79/builds/2383/steps/14/logs/stdio > Thank you for the feedback. The tests also need to be updated, so I will submit a v2, including the required changes on the test side. Best regards, Thomas Perrot > > > > -- Thomas Perrot, Bootlin Embedded Linux and kernel engineering https://bootlin.com