openbmc.lists.ozlabs.org archive mirror
From: Richard Purdie <richard.purdie@linuxfoundation.org>
To: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>,
	 openembedded-core@lists.openembedded.org
Cc: andrew@aj.id.au, openbmc@lists.ozlabs.org
Subject: Re: [OE-core] [PATCH v2 0/4] u-boot: Support for SPL verified boot
Date: Tue, 06 Apr 2021 11:57:04 +0100	[thread overview]
Message-ID: <f303476a66be3cc3beea01d3a71e2db1ef1d44c4.camel@linuxfoundation.org> (raw)
In-Reply-To: <20210326201410.13906-1-klaus@linux.vnet.ibm.com>

On Fri, 2021-03-26 at 17:14 -0300, Klaus Heinrich Kiwi wrote:
> This patch series aims at extending U-Boot's verified boot support to
> also include SPL.
> 
> Presently, setting UBOOT_SIGN_ENABLE instructs the classes uboot-sign
> and kernel-fitimage to create and sign a Linux Kernel fitImage. This
> proposal introduces the variables UBOOT_FITIMAGE_ENABLE and
> SPL_SIGN_ENABLE that will, respectively, create and sign a U-Boot
> (proper) fitImage that the SPL can load (and verify if enabled).
> 
> In order to accomplish this, the first patch moves some of the necessary
> infrastructure (variables, functions) used to sign the Kernel
> fitImage to more common locations, and then essentially duplicates the
> method currently used to sign the Kernel fitImage to also sign the
> U-Boot fitImage.
> 
> If the variable UBOOT_FITIMAGE_ENABLE = "1", the uboot-sign class will
> copy the SPL files (nodtb image and dtb file) from the u-boot recipe to
> the staging area, so that the Kernel recipe can then create the U-Boot
> fitImage.
> 
> In case SPL_SIGN_ENABLE = "1", the U-Boot fitImage will be signed using
> the key provided by SPL_SIGN_KEYNAME / SPL_SIGN_KEYDIR, or will
> auto-generate keys based on UBOOT_FIT_HASH_ALG, UBOOT_FIT_SIGN_ALG and
> UBOOT_FIT_SIGN_NUMBITS if UBOOT_FIT_GENERATE_KEYS is "1".
> 
> After the operations above, the Kernel recipe will deploy the (signed)
> U-Boot fitImage, the ITS script used to create it, as well as the SPL
> concatenated with the DTB containing the pubkey to the images directory.
> 
> The reason why the U-Boot fitImage is created by the Kernel is in order
> to make sure that, when UBOOT_SIGN_ENABLE is set (and the Kernel
> fitImage is signed), the U-Boot fitImage being created/signed contains
> the pubkey used by the Kernel recipe to sign the Kernel fitImage.
> 
> I added oe-selftest testcases and also tested this on upstream OpenBMC
> with AST2600 BMC devices.
> 
> Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>

I've merged this. I wanted to say a big thanks for writing some test cases
for these code paths. It should start to help a lot in this area in the
future. I'm going to be asking that future fixes in this area add/improve
test cases to cover issues too.

Cheers,

Richard
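As an added illustration (not code from the series or from either poster), a local.conf fragment that wires up the variables the cover letter describes, with the auto-generated-key setup beside a production layout that uses a separate key for the SPL and for the kernel fitImage. UBOOT_SIGN_KEYDIR/UBOOT_SIGN_KEYNAME are assumed from the existing uboot-sign/kernel-fitimage classes, the .key/.crt file naming from mkimage convention, and the paths and key names are made up.

```bitbake
# local.conf fragment (added illustration, not part of the patch series).
# SPL_SIGN_*, UBOOT_FITIMAGE_ENABLE and UBOOT_FIT_* are the variables the cover
# letter introduces; UBOOT_SIGN_KEYDIR/UBOOT_SIGN_KEYNAME are assumed to be the
# existing kernel-fitImage key variables. Paths and key names are made up.

# --- Development only: let the build mint throwaway keys on each host ---
# UBOOT_SIGN_ENABLE = "1"
# UBOOT_FITIMAGE_ENABLE = "1"
# SPL_SIGN_ENABLE = "1"
# UBOOT_FIT_GENERATE_KEYS = "1"      # keys derived from the three settings below
# UBOOT_FIT_HASH_ALG = "sha256"
# UBOOT_FIT_SIGN_ALG = "rsa2048"
# UBOOT_FIT_SIGN_NUMBITS = "2048"
# With generated keys the pubkey baked into the SPL DTB belongs to whichever
# host ran the build, so every build machine becomes a root of trust for the
# device. Fine on a bench, not for images that ship.

# --- Production: two pre-provisioned keys, SPL key distinct from kernel key ---
UBOOT_SIGN_ENABLE = "1"         # kernel fitImage signed; pubkey lands in U-Boot DTB
UBOOT_FITIMAGE_ENABLE = "1"     # kernel recipe also builds the U-Boot (proper) fitImage
SPL_SIGN_ENABLE = "1"           # sign that fitImage; pubkey lands in the SPL DTB
UBOOT_FIT_GENERATE_KEYS = "0"   # never generate keys in CI; use provisioned ones

UBOOT_SIGN_KEYDIR = "/mnt/signing-keys"   # hypothetical read-only mount
UBOOT_SIGN_KEYNAME = "kernel-key"         # ${UBOOT_SIGN_KEYDIR}/kernel-key.key/.crt
SPL_SIGN_KEYDIR = "${UBOOT_SIGN_KEYDIR}"
SPL_SIGN_KEYNAME = "spl-key"              # separate key (patch 3/4): a leaked
                                          # kernel key then cannot be used to
                                          # sign a replacement U-Boot proper

UBOOT_FIT_HASH_ALG = "sha256"
UBOOT_FIT_SIGN_ALG = "rsa2048"
```

After a build, the deployed SPL+DTB should carry only spl-key's pubkey and the U-Boot fitImage's embedded DTB only kernel-key's, which is the property to check before releasing an image.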


Thread overview (8 messages):
2021-03-26 20:14 [PATCH v2 0/4] u-boot: Support for SPL verified boot Klaus Heinrich Kiwi
2021-03-26 20:14 ` [PATCH v2 1/4] u-boot: Move definitions to common locations Klaus Heinrich Kiwi
2021-03-26 20:14 ` [PATCH v2 2/4] u-boot: Add infrastructure to SPL verified boot Klaus Heinrich Kiwi
2021-03-26 20:14 ` [PATCH v2 3/4] u-boot: Use a different Key for SPL signing Klaus Heinrich Kiwi
2021-03-26 20:14 ` [PATCH v2 4/4] oe-selftest: Add U-Boot fitImage signing testcases Klaus Heinrich Kiwi
2021-04-06 10:57 ` Richard Purdie [this message]
2021-04-06 13:21   ` [OE-core] [PATCH v2 0/4] u-boot: Support for SPL verified boot Klaus Heinrich Kiwi
2021-04-06 13:56     ` Richard Purdie
