From: Richard Purdie <richard.purdie@linuxfoundation.org>
To: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>,
openembedded-core@lists.openembedded.org
Cc: andrew@aj.id.au, openbmc@lists.ozlabs.org
Subject: Re: [OE-core] [PATCH v2 0/4] u-boot: Support for SPL verified boot
Date: Tue, 06 Apr 2021 11:57:04 +0100
Message-ID: <f303476a66be3cc3beea01d3a71e2db1ef1d44c4.camel@linuxfoundation.org>
In-Reply-To: <20210326201410.13906-1-klaus@linux.vnet.ibm.com>
On Fri, 2021-03-26 at 17:14 -0300, Klaus Heinrich Kiwi wrote:
> This patch series aims at extending U-Boot's verified boot support to
> also include SPL.
>
> Presently, setting UBOOT_SIGN_ENABLE instructs the classes uboot-sign
> and kernel-fitimage to create and sign a Linux Kernel fitImage. This
> proposal introduces the variables UBOOT_FITIMAGE_ENABLE and
> SPL_SIGN_ENABLE that will, respectively, create and sign a U-Boot
> (proper) fitImage that the SPL can load (and verify if enabled).
>
> In order to accomplish this, the first patch moves some of the necessary
> infrastructure (variables, functions) used to sign the Kernel
> fitImage to more common locations, and then essentially duplicates the
> method currently used to sign the Kernel fitImage to also sign the
> U-Boot fitImage.
>
> If the variable UBOOT_FITIMAGE_ENABLE = "1", the uboot-sign class will
> copy the SPL files (nodtb image and dtb file) from the u-boot recipe to
> the staging area, so that the Kernel recipe can then create the U-Boot
> fitImage.
>
> In case SPL_SIGN_ENABLE = "1", the U-Boot fitImage will be signed using
> the key provided by SPL_SIGN_KEYNAME / SPL_SIGN_KEYDIR, or will
> auto-generate keys based on UBOOT_FIT_HASH_ALG, UBOOT_FIT_SIGN_ALG and
> UBOOT_FIT_SIGN_NUMBITS if UBOOT_FIT_GENERATE_KEYS is "1".
>
> After the operations above, the Kernel recipe will deploy the (signed)
> U-Boot fitImage, the ITS script used to create it, as well as the SPL
> concatenated with the DTB containing the pubkey to the images directory.
>
> The reason why the U-Boot fitImage is created by the Kernel is in order
> to make sure that, when UBOOT_SIGN_ENABLE is set (and the Kernel
> fitImage is signed), the U-Boot fitImage being created/signed contains
> the pubkey used by the Kernel recipe to sign the Kernel fitImage.
>
> I added oe-selftest testcases and also tested this on upstream OpenBMC
> with AST2600 BMC devices.
>
> Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>
I've merged this. I wanted to say a big thanks for writing some test cases
for these code paths. It should start to help a lot in this area in the
future. I'm going to be asking that future fixes in this area add/improve
test cases to cover issues too.
Cheers,
Richard
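A local.conf fragment that combines the variables the cover letter describes, added here as an illustration and not taken from the series or from this thread; the key directory and key names are placeholders, and the hash/sign parameter values are the uboot-sign class defaults as assumed here.

```bitbake
# Sign the Linux kernel fitImage (existing uboot-sign / kernel-fitimage behaviour)
UBOOT_SIGN_ENABLE = "1"

# Also build a U-Boot (proper) fitImage for the SPL to load, and sign it
UBOOT_FITIMAGE_ENABLE = "1"
SPL_SIGN_ENABLE = "1"

# Development builds: let the build generate the SPL signing key itself.
# Assumption: the three parameter values below are the class defaults.
UBOOT_FIT_GENERATE_KEYS = "1"
UBOOT_FIT_HASH_ALG = "sha256"
UBOOT_FIT_SIGN_ALG = "rsa2048"
UBOOT_FIT_SIGN_NUMBITS = "2048"

# Release builds: disable key generation and point at a controlled key,
# kept separate from the kernel fitImage key (placeholder path and name).
#UBOOT_FIT_GENERATE_KEYS = "0"
#SPL_SIGN_KEYDIR = "/path/to/YOUR/spl-keys"
#SPL_SIGN_KEYNAME = "spl-release-key"
```

With UBOOT_FIT_GENERATE_KEYS = "1" the public key compiled into the SPL DTB is whatever the build host generated, so images produced that way are only suitable for development.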
Thread overview:
2021-03-26 20:14 [PATCH v2 0/4] u-boot: Support for SPL verified boot Klaus Heinrich Kiwi
2021-03-26 20:14 ` [PATCH v2 1/4] u-boot: Move definitions to common locations Klaus Heinrich Kiwi
2021-03-26 20:14 ` [PATCH v2 2/4] u-boot: Add infrastructure to SPL verified boot Klaus Heinrich Kiwi
2021-03-26 20:14 ` [PATCH v2 3/4] u-boot: Use a different Key for SPL signing Klaus Heinrich Kiwi
2021-03-26 20:14 ` [PATCH v2 4/4] oe-selftest: Add U-Boot fitImage signing testcases Klaus Heinrich Kiwi
2021-04-06 10:57 ` Richard Purdie [this message]
2021-04-06 13:21 ` [OE-core] [PATCH v2 0/4] u-boot: Support for SPL verified boot Klaus Heinrich Kiwi
2021-04-06 13:56 ` Richard Purdie