* [RFC PATCH 0/4] U-Boot verified boot basic support
@ 2016-04-19 12:46 Yannick Gicquel
2016-04-19 12:46 ` [RFC PATCH 1/4] u-boot: basic support of device tree blob reassembly Yannick Gicquel
` (3 more replies)
0 siblings, 4 replies; 13+ messages in thread
From: Yannick Gicquel @ 2016-04-19 12:46 UTC (permalink / raw)
To: openembedded-core
Hello,
Please find a patchset proposal for U-Boot verified boot basic support.
Before submitting those, I would like to ask people on this list some feedbacks
on the way it's currently implemented.
The verified boot support principle is to sign a kernel fitImage, thanks to an
SSL keypair, and to append a public key in u-boot device tree blob to enable
software integrity check at runtime.
The proposal depends on the U-Boot CONFIG_OF_SEPARATE which in effect splits
U-Boot binaries allowing the DTB file to be outside the main u-boot binaries.
Thus, regarding the current fitImage generation, the following is proposed:
- extend the generated fit-images.its file from kernel-fitimage.bbclass in
order to add a 'signature' tag to the configuration section, then add a call
to uboot-mkimage to sign the fitImage and append the public key to DTB file.
- add a task in u-boot.inc 'do_assemble_dtb' which concatenates the device
tree blob with public key to u-boot binary, and organize the u-boot and
virtual/kernel recipes' tasks this way:
u-boot:do_deploy -> virtual/kernel:do_assemble_fitimage -> u-boot:do_assemble_dtb
To enable the verified boot, the following variables can be added in a
configuration file:
KERNEL_CLASSES ?= " kernel-fitimage "
KERNEL_IMAGETYPE ?= "fitImage"
UBOOT_SIGN_KEYDIR = "/signature/keys/directory"
UBOOT_SIGN_KEYNAME = "dev"
UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb -p 2000"
UBOOT_SIGN_ENABLE = "1"
Well, I don't know if these changes are the way to go, but at least I think
this limits the codes changes and it propagates the feature to BSP layers which
uses u-boot.inc. Anyway, I would be pleased to get feedback on this.
Best regards,
Yannick
Yannick Gicquel (4):
u-boot: basic support of device tree blob reassembly
u-boot: deploy u-boot nodtb and dtb files
kernel: fitimage: support device tree compiler options
kernel: fitimage: basic support for fitimage signature
meta/classes/kernel-fitimage.bbclass | 53 +++++++++++++++++++++++++++++++--
meta/recipes-bsp/u-boot/u-boot-sign.inc | 21 +++++++++++++
meta/recipes-bsp/u-boot/u-boot.inc | 36 ++++++++++++++++++++++
3 files changed, 108 insertions(+), 2 deletions(-)
create mode 100644 meta/recipes-bsp/u-boot/u-boot-sign.inc
--
1.9.1
^ permalink raw reply [flat|nested] 13+ messages in thread
* [RFC PATCH 1/4] u-boot: basic support of device tree blob reassembly
2016-04-19 12:46 [RFC PATCH 0/4] U-Boot verified boot basic support Yannick Gicquel
@ 2016-04-19 12:46 ` Yannick Gicquel
2016-04-19 13:30 ` Otavio Salvador
2016-04-19 14:30 ` Andreas Oberritter
2016-04-19 12:46 ` [RFC PATCH 2/4] u-boot: deploy u-boot nodtb and dtb files Yannick Gicquel
` (2 subsequent siblings)
3 siblings, 2 replies; 13+ messages in thread
From: Yannick Gicquel @ 2016-04-19 12:46 UTC (permalink / raw)
To: openembedded-core
This introduces a new task 'assemble_dtb' to handle the concatenation of U-Boot
without DTB and the compiled U-Boot DTB while using CONFIG_OF_SEPARATE.
Basically, this task merges the u-boot-nodtb.bin and the device tree blob using
the 'cat' command and overrides the u-boot.bin file which is generated
at the compilation step.
This task is intended to be used in the verified-boot image generation process
after the kernel-fitimage class had appended a public key to the device tree
blob. It is placed after the do_deploy and before the do_install tasks and it
replaces the u-boot binaries in both deploy directory and build directory
in order to minimize the changes in later tasks.
Signed-off-by: Yannick Gicquel <yannick.gicquel@iot.bzh>
---
meta/recipes-bsp/u-boot/u-boot-sign.inc | 21 +++++++++++++++++++++
meta/recipes-bsp/u-boot/u-boot.inc | 22 ++++++++++++++++++++++
2 files changed, 43 insertions(+)
create mode 100644 meta/recipes-bsp/u-boot/u-boot-sign.inc
diff --git a/meta/recipes-bsp/u-boot/u-boot-sign.inc b/meta/recipes-bsp/u-boot/u-boot-sign.inc
new file mode 100644
index 0000000..c88a2a1
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/u-boot-sign.inc
@@ -0,0 +1,21 @@
+# This file is part of U-Boot verified boot support and is intended to be
+# included from u-boot recipe and from kernel-fitimage.bbclass
+#
+# The signature procedure requires the user to generate an RSA key and
+# certificate in a directory and to define the following variable:
+#
+# UBOOT_SIGN_KEYDIR = "/keys/directory"
+# UBOOT_SIGN_KEYNAME = "dev" # keys name in keydir (eg. "dev.crt", "dev.key")
+# UBOOT_SIGN_ENABLE = "1"
+#
+# The signature support is limited to the use of CONFIG_OF_SEPARATE in U-Boot.
+#
+# For more details, please refer to U-boot documentation.
+
+UBOOT_SIGN_ENABLE ?= "0"
+UBOOT_DTB_IMAGE ?= "u-boot-${MACHINE}-${PV}-${PR}.dtb"
+UBOOT_DTB_BINARY ?= "u-boot.dtb"
+UBOOT_DTB_SYMLINK ?= "u-boot-${MACHINE}.dtb"
+UBOOT_NODTB_IMAGE ?= "u-boot-nodtb-${MACHINE}-${PV}-${PR}.${UBOOT_SUFFIX}"
+UBOOT_NODTB_BINARY ?= "u-boot-nodtb.${UBOOT_SUFFIX}"
+UBOOT_NODTB_SYMLINK ?= "u-boot-nodtb-${MACHINE}.${UBOOT_SUFFIX}"
diff --git a/meta/recipes-bsp/u-boot/u-boot.inc b/meta/recipes-bsp/u-boot/u-boot.inc
index 3ba866d..29b0b95 100644
--- a/meta/recipes-bsp/u-boot/u-boot.inc
+++ b/meta/recipes-bsp/u-boot/u-boot.inc
@@ -65,6 +65,28 @@ UBOOT_ENV_BINARY ?= "${UBOOT_ENV}.${UBOOT_ENV_SUFFIX}"
UBOOT_ENV_IMAGE ?= "${UBOOT_ENV}-${MACHINE}-${PV}-${PR}.${UBOOT_ENV_SUFFIX}"
UBOOT_ENV_SYMLINK ?= "${UBOOT_ENV}-${MACHINE}.${UBOOT_ENV_SUFFIX}"
+# The use of verified boot requires to share environment variables with kernel
+# fitImage class as the mkimage call requires dtb filepath to append signature
+# public key.
+require u-boot-sign.inc
+
+do_assemble_dtb() {
+ # Concatenate U-Boot w/o DTB & DTB with public key
+ # (cf. kernel-fitimage.bbclass for more details)
+ cd ${DEPLOYDIR}
+ if [ "x${UBOOT_SIGN_ENABLE}" = "x1" ]; then
+ if [ -e "${UBOOT_NODTB_IMAGE}" -a -e "${UBOOT_DTB_IMAGE}" ]; then
+ cat ${UBOOT_NODTB_IMAGE} ${UBOOT_DTB_IMAGE} > ${UBOOT_IMAGE}
+ cat ${UBOOT_NODTB_IMAGE} ${UBOOT_DTB_IMAGE} > ${S}/${UBOOT_BINARY}
+ else
+ bbwarn "Failure while adding public key to u-boot binary. Verified boot won't be available."
+ fi
+ fi
+}
+
+addtask assemble_dtb after do_deploy before do_install
+do_assemble_dtb[depends] += "${@' ${PREFERRED_PROVIDER_virtual/kernel}:do_assemble_fitimage' if '${UBOOT_SIGN_ENABLE}' == '1' else ''}"
+
do_compile () {
if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ld-is-gold', 'ld-is-gold', '', d)}" = "ld-is-gold" ] ; then
sed -i 's/$(CROSS_COMPILE)ld$/$(CROSS_COMPILE)ld.bfd/g' config.mk
--
1.9.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [RFC PATCH 2/4] u-boot: deploy u-boot nodtb and dtb files
2016-04-19 12:46 [RFC PATCH 0/4] U-Boot verified boot basic support Yannick Gicquel
2016-04-19 12:46 ` [RFC PATCH 1/4] u-boot: basic support of device tree blob reassembly Yannick Gicquel
@ 2016-04-19 12:46 ` Yannick Gicquel
2016-04-19 12:46 ` [RFC PATCH 3/4] kernel: fitimage: support device tree compiler options Yannick Gicquel
2016-04-19 12:46 ` [RFC PATCH 4/4] kernel: fitimage: basic support for fitimage signature Yannick Gicquel
3 siblings, 0 replies; 13+ messages in thread
From: Yannick Gicquel @ 2016-04-19 12:46 UTC (permalink / raw)
To: openembedded-core
This enable the deployment of u-boot-nodtb.bin and u-boot.dtb files.
Signed-off-by: Yannick Gicquel <yannick.gicquel@iot.bzh>
---
meta/recipes-bsp/u-boot/u-boot.inc | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/meta/recipes-bsp/u-boot/u-boot.inc b/meta/recipes-bsp/u-boot/u-boot.inc
index 29b0b95..749f8d8 100644
--- a/meta/recipes-bsp/u-boot/u-boot.inc
+++ b/meta/recipes-bsp/u-boot/u-boot.inc
@@ -239,6 +239,20 @@ do_deploy () {
rm -f ${UBOOT_BINARY} ${UBOOT_SYMLINK}
ln -sf ${UBOOT_IMAGE} ${UBOOT_SYMLINK}
ln -sf ${UBOOT_IMAGE} ${UBOOT_BINARY}
+
+ # OF_SEPARATE generated files deployment
+ if [ -f ${S}/${UBOOT_DTB_BINARY} ]; then
+ install ${S}/${UBOOT_DTB_BINARY} ${DEPLOYDIR}/${UBOOT_DTB_IMAGE}
+ rm -f ${UBOOT_DTB_BINARY} ${UBOOT_DTB_SYMLINK}
+ ln -sf ${UBOOT_DTB_IMAGE} ${UBOOT_DTB_SYMLINK}
+ ln -sf ${UBOOT_DTB_IMAGE} ${UBOOT_DTB_BINARY}
+ fi
+ if [ -f ${S}/${UBOOT_NODTB_BINARY} ]; then
+ install ${S}/${UBOOT_NODTB_BINARY} ${DEPLOYDIR}/${UBOOT_NODTB_IMAGE}
+ rm -f ${UBOOT_NODTB_BINARY} ${UBOOT_NODTB_SYMLINK}
+ ln -sf ${UBOOT_NODTB_IMAGE} ${UBOOT_NODTB_SYMLINK}
+ ln -sf ${UBOOT_NODTB_IMAGE} ${UBOOT_NODTB_BINARY}
+ fi
fi
if [ "x${UBOOT_ELF}" != "x" ]
--
1.9.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [RFC PATCH 3/4] kernel: fitimage: support device tree compiler options
2016-04-19 12:46 [RFC PATCH 0/4] U-Boot verified boot basic support Yannick Gicquel
2016-04-19 12:46 ` [RFC PATCH 1/4] u-boot: basic support of device tree blob reassembly Yannick Gicquel
2016-04-19 12:46 ` [RFC PATCH 2/4] u-boot: deploy u-boot nodtb and dtb files Yannick Gicquel
@ 2016-04-19 12:46 ` Yannick Gicquel
2016-04-19 12:46 ` [RFC PATCH 4/4] kernel: fitimage: basic support for fitimage signature Yannick Gicquel
3 siblings, 0 replies; 13+ messages in thread
From: Yannick Gicquel @ 2016-04-19 12:46 UTC (permalink / raw)
To: openembedded-core
This introduces a new variable to set the device tree compiler options while
calling mkimage ('-D' option). By default, this variable is not set but it can
be defined in a configuration file, as following example:
UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb -p 2000"
Signed-off-by: Yannick Gicquel <yannick.gicquel@iot.bzh>
---
meta/classes/kernel-fitimage.bbclass | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass
index e5b75ed..62e0017 100644
--- a/meta/classes/kernel-fitimage.bbclass
+++ b/meta/classes/kernel-fitimage.bbclass
@@ -17,6 +17,9 @@ python __anonymous () {
d.appendVarFlag('do_assemble_fitimage', 'depends', ' ${INITRAMFS_IMAGE}:do_image_complete')
}
+# Options for the device tree compiler passed to mkimage '-D' feature:
+UBOOT_MKIMAGE_DTCOPTS ??= ""
+
#
# Emit the fitImage ITS header
#
@@ -209,7 +212,10 @@ do_assemble_fitimage() {
#
# Step 4: Assemble the image
#
- uboot-mkimage -f fit-image.its arch/${ARCH}/boot/fitImage
+ uboot-mkimage \
+ ${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
+ -f fit-image.its \
+ arch/${ARCH}/boot/fitImage
fi
}
--
1.9.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [RFC PATCH 4/4] kernel: fitimage: basic support for fitimage signature
2016-04-19 12:46 [RFC PATCH 0/4] U-Boot verified boot basic support Yannick Gicquel
` (2 preceding siblings ...)
2016-04-19 12:46 ` [RFC PATCH 3/4] kernel: fitimage: support device tree compiler options Yannick Gicquel
@ 2016-04-19 12:46 ` Yannick Gicquel
2016-04-19 13:33 ` Otavio Salvador
3 siblings, 1 reply; 13+ messages in thread
From: Yannick Gicquel @ 2016-04-19 12:46 UTC (permalink / raw)
To: openembedded-core
This is an initial support of fitImage signature to enable U-Boot verified
boot. This feature is implemented by adding a signature tag to the
configuration section of the generated fit-image.its file.
When a UBOOT_SIGN_ENABLE variable is set to "1", the signature procedure is
activated and performs a second call to mkimage to sign the fitImage file and
to include the public key in the deployed U-Boot device tree blob. (This
implementation depends on the use of CONFIG_OF_SEPARATE in U-Boot.)
As the U-Boot device tree blob is appended in the deploy dir, a dependency
on 'u-boot:do_deploy' is added when the feature is activated.
Signed-off-by: Yannick Gicquel <yannick.gicquel@iot.bzh>
---
meta/classes/kernel-fitimage.bbclass | 45 +++++++++++++++++++++++++++++++++++-
1 file changed, 44 insertions(+), 1 deletion(-)
diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass
index 62e0017..cbf07ba 100644
--- a/meta/classes/kernel-fitimage.bbclass
+++ b/meta/classes/kernel-fitimage.bbclass
@@ -1,5 +1,8 @@
inherit kernel-uboot
+# To resolve the following UBOOT_DTB_BINARY identifier
+require recipes-bsp/u-boot/u-boot-sign.inc
+
python __anonymous () {
kerneltype = d.getVar('KERNEL_IMAGETYPE', True)
if kerneltype == 'fitImage':
@@ -15,6 +18,12 @@ python __anonymous () {
image = d.getVar('INITRAMFS_IMAGE', True)
if image:
d.appendVarFlag('do_assemble_fitimage', 'depends', ' ${INITRAMFS_IMAGE}:do_image_complete')
+
+ # Verified boot will sign the fitImage and append the public key to
+ # U-boot dtb. We ensure the U-Boot dtb is deployed before assembling
+ # the fitImage:
+ if d.getVar('UBOOT_SIGN_ENABLE', True):
+ d.appendVarFlag('do_assemble_fitimage', 'depends', ' u-boot:do_deploy')
}
# Options for the device tree compiler passed to mkimage '-D' feature:
@@ -132,6 +141,9 @@ EOF
fitimage_emit_section_config() {
conf_csum="sha1"
+ if [ -n "${UBOOT_SIGN_ENABLE}" ] ; then
+ conf_sign_keyname="${UBOOT_SIGN_KEYNAME}"
+ fi
# Test if we have any DTBs at all
if [ -z "${2}" ] ; then
@@ -152,6 +164,26 @@ fitimage_emit_section_config() {
hash@1 {
algo = "${conf_csum}";
};
+EOF
+
+ if [ ! -z "${conf_sign_keyname}" ] ; then
+
+ if [ -z "${2}" ] ; then
+ sign_line="sign-images = \"kernel\";"
+ else
+ sign_line="sign-images = \"fdt\", \"kernel\";"
+ fi
+
+ cat << EOF >> fit-image.its
+ signature@1 {
+ algo = "${conf_csum},rsa2048";
+ key-name-hint = "${conf_sign_keyname}";
+ sign-images = "fdt", "kernel";
+ };
+EOF
+ fi
+
+ cat << EOF >> fit-image.its
};
EOF
}
@@ -160,7 +192,7 @@ do_assemble_fitimage() {
if test "x${KERNEL_IMAGETYPE}" = "xfitImage" ; then
kernelcount=1
dtbcount=""
- rm -f fit-image.its
+ rm -f fit-image.its arch/${ARCH}/boot/fitImage
fitimage_emit_fit_header
@@ -216,6 +248,17 @@ do_assemble_fitimage() {
${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
-f fit-image.its \
arch/${ARCH}/boot/fitImage
+
+ #
+ # Step 5: Sign the image and add public key to U-Boot dtb
+ #
+ if test -n "${UBOOT_SIGN_ENABLE}"; then
+ uboot-mkimage \
+ ${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
+ -F -k "${UBOOT_SIGN_KEYDIR}" \
+ -K "${DEPLOY_DIR_IMAGE}/${UBOOT_DTB_BINARY}" \
+ -r arch/${ARCH}/boot/fitImage
+ fi
fi
}
--
1.9.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* Re: [RFC PATCH 1/4] u-boot: basic support of device tree blob reassembly
2016-04-19 12:46 ` [RFC PATCH 1/4] u-boot: basic support of device tree blob reassembly Yannick Gicquel
@ 2016-04-19 13:30 ` Otavio Salvador
2016-04-20 8:12 ` Yannick GICQUEL
2016-04-19 14:30 ` Andreas Oberritter
1 sibling, 1 reply; 13+ messages in thread
From: Otavio Salvador @ 2016-04-19 13:30 UTC (permalink / raw)
To: Yannick Gicquel; +Cc: Patches and discussions about the oe-core layer
On Tue, Apr 19, 2016 at 9:46 AM, Yannick Gicquel
<yannick.gicquel@iot.bzh> wrote:
> This introduces a new task 'assemble_dtb' to handle the concatenation of U-Boot
> without DTB and the compiled U-Boot DTB while using CONFIG_OF_SEPARATE.
> Basically, this task merges the u-boot-nodtb.bin and the device tree blob using
> the 'cat' command and overrides the u-boot.bin file which is generated
> at the compilation step.
>
> This task is intended to be used in the verified-boot image generation process
> after the kernel-fitimage class had appended a public key to the device tree
> blob. It is placed after the do_deploy and before the do_install tasks and it
> replaces the u-boot binaries in both deploy directory and build directory
> in order to minimize the changes in later tasks.
>
> Signed-off-by: Yannick Gicquel <yannick.gicquel@iot.bzh>
> ---
> meta/recipes-bsp/u-boot/u-boot-sign.inc | 21 +++++++++++++++++++++
> meta/recipes-bsp/u-boot/u-boot.inc | 22 ++++++++++++++++++++++
> 2 files changed, 43 insertions(+)
> create mode 100644 meta/recipes-bsp/u-boot/u-boot-sign.inc
>
> diff --git a/meta/recipes-bsp/u-boot/u-boot-sign.inc b/meta/recipes-bsp/u-boot/u-boot-sign.inc
> new file mode 100644
> index 0000000..c88a2a1
> --- /dev/null
> +++ b/meta/recipes-bsp/u-boot/u-boot-sign.inc
I think it could be moved to a class, so the U-Boot can inherit it.
> @@ -0,0 +1,21 @@
> +# This file is part of U-Boot verified boot support and is intended to be
> +# included from u-boot recipe and from kernel-fitimage.bbclass
> +#
> +# The signature procedure requires the user to generate an RSA key and
> +# certificate in a directory and to define the following variable:
> +#
> +# UBOOT_SIGN_KEYDIR = "/keys/directory"
> +# UBOOT_SIGN_KEYNAME = "dev" # keys name in keydir (eg. "dev.crt", "dev.key")
> +# UBOOT_SIGN_ENABLE = "1"
> +#
> +# The signature support is limited to the use of CONFIG_OF_SEPARATE in U-Boot.
> +#
> +# For more details, please refer to U-boot documentation.
> +
> +UBOOT_SIGN_ENABLE ?= "0"
> +UBOOT_DTB_IMAGE ?= "u-boot-${MACHINE}-${PV}-${PR}.dtb"
> +UBOOT_DTB_BINARY ?= "u-boot.dtb"
> +UBOOT_DTB_SYMLINK ?= "u-boot-${MACHINE}.dtb"
> +UBOOT_NODTB_IMAGE ?= "u-boot-nodtb-${MACHINE}-${PV}-${PR}.${UBOOT_SUFFIX}"
> +UBOOT_NODTB_BINARY ?= "u-boot-nodtb.${UBOOT_SUFFIX}"
> +UBOOT_NODTB_SYMLINK ?= "u-boot-nodtb-${MACHINE}.${UBOOT_SUFFIX}"
> diff --git a/meta/recipes-bsp/u-boot/u-boot.inc b/meta/recipes-bsp/u-boot/u-boot.inc
> index 3ba866d..29b0b95 100644
> --- a/meta/recipes-bsp/u-boot/u-boot.inc
> +++ b/meta/recipes-bsp/u-boot/u-boot.inc
> @@ -65,6 +65,28 @@ UBOOT_ENV_BINARY ?= "${UBOOT_ENV}.${UBOOT_ENV_SUFFIX}"
> UBOOT_ENV_IMAGE ?= "${UBOOT_ENV}-${MACHINE}-${PV}-${PR}.${UBOOT_ENV_SUFFIX}"
> UBOOT_ENV_SYMLINK ?= "${UBOOT_ENV}-${MACHINE}.${UBOOT_ENV_SUFFIX}"
>
> +# The use of verified boot requires to share environment variables with kernel
> +# fitImage class as the mkimage call requires dtb filepath to append signature
> +# public key.
> +require u-boot-sign.inc
> +
> +do_assemble_dtb() {
> + # Concatenate U-Boot w/o DTB & DTB with public key
> + # (cf. kernel-fitimage.bbclass for more details)
> + cd ${DEPLOYDIR}
> + if [ "x${UBOOT_SIGN_ENABLE}" = "x1" ]; then
> + if [ -e "${UBOOT_NODTB_IMAGE}" -a -e "${UBOOT_DTB_IMAGE}" ]; then
> + cat ${UBOOT_NODTB_IMAGE} ${UBOOT_DTB_IMAGE} > ${UBOOT_IMAGE}
> + cat ${UBOOT_NODTB_IMAGE} ${UBOOT_DTB_IMAGE} > ${S}/${UBOOT_BINARY}
> + else
> + bbwarn "Failure while adding public key to u-boot binary. Verified boot won't be available."
> + fi
> + fi
> +}
> +
> +addtask assemble_dtb after do_deploy before do_install
> +do_assemble_dtb[depends] += "${@' ${PREFERRED_PROVIDER_virtual/kernel}:do_assemble_fitimage' if '${UBOOT_SIGN_ENABLE}' == '1' else ''}"
> +
This should be part of the class, not another .inc file.
> do_compile () {
> if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ld-is-gold', 'ld-is-gold', '', d)}" = "ld-is-gold" ] ; then
> sed -i 's/$(CROSS_COMPILE)ld$/$(CROSS_COMPILE)ld.bfd/g' config.mk
> --
> 1.9.1
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
--
Otavio Salvador O.S. Systems
http://www.ossystems.com.br http://code.ossystems.com.br
Mobile: +55 (53) 9981-7854 Mobile: +1 (347) 903-9750
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [RFC PATCH 4/4] kernel: fitimage: basic support for fitimage signature
2016-04-19 12:46 ` [RFC PATCH 4/4] kernel: fitimage: basic support for fitimage signature Yannick Gicquel
@ 2016-04-19 13:33 ` Otavio Salvador
0 siblings, 0 replies; 13+ messages in thread
From: Otavio Salvador @ 2016-04-19 13:33 UTC (permalink / raw)
To: Yannick Gicquel; +Cc: Patches and discussions about the oe-core layer
On Tue, Apr 19, 2016 at 9:46 AM, Yannick Gicquel
<yannick.gicquel@iot.bzh> wrote:
> This is an initial support of fitImage signature to enable U-Boot verified
> boot. This feature is implemented by adding a signature tag to the
> configuration section of the generated fit-image.its file.
>
> When a UBOOT_SIGN_ENABLE variable is set to "1", the signature procedure is
> activated and performs a second call to mkimage to sign the fitImage file and
> to include the public key in the deployed U-Boot device tree blob. (This
> implementation depends on the use of CONFIG_OF_SEPARATE in U-Boot.)
>
> As the U-Boot device tree blob is appended in the deploy dir, a dependency
> on 'u-boot:do_deploy' is added when the feature is activated.
>
> Signed-off-by: Yannick Gicquel <yannick.gicquel@iot.bzh>
> ---
> meta/classes/kernel-fitimage.bbclass | 45 +++++++++++++++++++++++++++++++++++-
> 1 file changed, 44 insertions(+), 1 deletion(-)
>
> diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass
> index 62e0017..cbf07ba 100644
> --- a/meta/classes/kernel-fitimage.bbclass
> +++ b/meta/classes/kernel-fitimage.bbclass
> @@ -1,5 +1,8 @@
> inherit kernel-uboot
>
> +# To resolve the following UBOOT_DTB_BINARY identifier
> +require recipes-bsp/u-boot/u-boot-sign.inc
> +
Again, use a class for it. inc files are being abused this way.
--
Otavio Salvador O.S. Systems
http://www.ossystems.com.br http://code.ossystems.com.br
Mobile: +55 (53) 9981-7854 Mobile: +1 (347) 903-9750
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [RFC PATCH 1/4] u-boot: basic support of device tree blob reassembly
2016-04-19 12:46 ` [RFC PATCH 1/4] u-boot: basic support of device tree blob reassembly Yannick Gicquel
2016-04-19 13:30 ` Otavio Salvador
@ 2016-04-19 14:30 ` Andreas Oberritter
2016-04-20 8:27 ` Yannick GICQUEL
1 sibling, 1 reply; 13+ messages in thread
From: Andreas Oberritter @ 2016-04-19 14:30 UTC (permalink / raw)
To: openembedded-core
Hello Yannick,
On 19.04.2016 14:46, Yannick Gicquel wrote:
> This introduces a new task 'assemble_dtb' to handle the concatenation of U-Boot
> without DTB and the compiled U-Boot DTB while using CONFIG_OF_SEPARATE.
> Basically, this task merges the u-boot-nodtb.bin and the device tree blob using
> the 'cat' command and overrides the u-boot.bin file which is generated
> at the compilation step.
>
> This task is intended to be used in the verified-boot image generation process
> after the kernel-fitimage class had appended a public key to the device tree
> blob. It is placed after the do_deploy and before the do_install tasks and it
> replaces the u-boot binaries in both deploy directory and build directory
> in order to minimize the changes in later tasks.
>
> Signed-off-by: Yannick Gicquel <yannick.gicquel@iot.bzh>
> ---
> meta/recipes-bsp/u-boot/u-boot-sign.inc | 21 +++++++++++++++++++++
> meta/recipes-bsp/u-boot/u-boot.inc | 22 ++++++++++++++++++++++
> 2 files changed, 43 insertions(+)
> create mode 100644 meta/recipes-bsp/u-boot/u-boot-sign.inc
>
> diff --git a/meta/recipes-bsp/u-boot/u-boot-sign.inc b/meta/recipes-bsp/u-boot/u-boot-sign.inc
> new file mode 100644
> index 0000000..c88a2a1
> --- /dev/null
> +++ b/meta/recipes-bsp/u-boot/u-boot-sign.inc
> @@ -0,0 +1,21 @@
> +# This file is part of U-Boot verified boot support and is intended to be
> +# included from u-boot recipe and from kernel-fitimage.bbclass
> +#
> +# The signature procedure requires the user to generate an RSA key and
> +# certificate in a directory and to define the following variable:
> +#
> +# UBOOT_SIGN_KEYDIR = "/keys/directory"
> +# UBOOT_SIGN_KEYNAME = "dev" # keys name in keydir (eg. "dev.crt", "dev.key")
> +# UBOOT_SIGN_ENABLE = "1"
> +#
> +# The signature support is limited to the use of CONFIG_OF_SEPARATE in U-Boot.
> +#
> +# For more details, please refer to U-boot documentation.
> +
> +UBOOT_SIGN_ENABLE ?= "0"
> +UBOOT_DTB_IMAGE ?= "u-boot-${MACHINE}-${PV}-${PR}.dtb"
> +UBOOT_DTB_BINARY ?= "u-boot.dtb"
> +UBOOT_DTB_SYMLINK ?= "u-boot-${MACHINE}.dtb"
> +UBOOT_NODTB_IMAGE ?= "u-boot-nodtb-${MACHINE}-${PV}-${PR}.${UBOOT_SUFFIX}"
> +UBOOT_NODTB_BINARY ?= "u-boot-nodtb.${UBOOT_SUFFIX}"
> +UBOOT_NODTB_SYMLINK ?= "u-boot-nodtb-${MACHINE}.${UBOOT_SUFFIX}"
> diff --git a/meta/recipes-bsp/u-boot/u-boot.inc b/meta/recipes-bsp/u-boot/u-boot.inc
> index 3ba866d..29b0b95 100644
> --- a/meta/recipes-bsp/u-boot/u-boot.inc
> +++ b/meta/recipes-bsp/u-boot/u-boot.inc
> @@ -65,6 +65,28 @@ UBOOT_ENV_BINARY ?= "${UBOOT_ENV}.${UBOOT_ENV_SUFFIX}"
> UBOOT_ENV_IMAGE ?= "${UBOOT_ENV}-${MACHINE}-${PV}-${PR}.${UBOOT_ENV_SUFFIX}"
> UBOOT_ENV_SYMLINK ?= "${UBOOT_ENV}-${MACHINE}.${UBOOT_ENV_SUFFIX}"
>
> +# The use of verified boot requires to share environment variables with kernel
> +# fitImage class as the mkimage call requires dtb filepath to append signature
> +# public key.
> +require u-boot-sign.inc
> +
> +do_assemble_dtb() {
> + # Concatenate U-Boot w/o DTB & DTB with public key
> + # (cf. kernel-fitimage.bbclass for more details)
> + cd ${DEPLOYDIR}
> + if [ "x${UBOOT_SIGN_ENABLE}" = "x1" ]; then
> + if [ -e "${UBOOT_NODTB_IMAGE}" -a -e "${UBOOT_DTB_IMAGE}" ]; then
> + cat ${UBOOT_NODTB_IMAGE} ${UBOOT_DTB_IMAGE} > ${UBOOT_IMAGE}
> + cat ${UBOOT_NODTB_IMAGE} ${UBOOT_DTB_IMAGE} > ${S}/${UBOOT_BINARY}
in general, you should avoid writing to ${S} (source). It's better to
write to ${B} (build).
> + else
> + bbwarn "Failure while adding public key to u-boot binary. Verified boot won't be available."
> + fi
> + fi
> +}
> +
> +addtask assemble_dtb after do_deploy before do_install
The task do_deploy executes after do_install. Does it really work this
way? I think bitbake should try to detect this and error out.
Maybe you could just use do_install_append and add the dependency below
to do_install.
Regards,
Andreas
> +do_assemble_dtb[depends] += "${@' ${PREFERRED_PROVIDER_virtual/kernel}:do_assemble_fitimage' if '${UBOOT_SIGN_ENABLE}' == '1' else ''}"
> +
> do_compile () {
> if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ld-is-gold', 'ld-is-gold', '', d)}" = "ld-is-gold" ] ; then
> sed -i 's/$(CROSS_COMPILE)ld$/$(CROSS_COMPILE)ld.bfd/g' config.mk
>
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [RFC PATCH 1/4] u-boot: basic support of device tree blob reassembly
2016-04-19 13:30 ` Otavio Salvador
@ 2016-04-20 8:12 ` Yannick GICQUEL
0 siblings, 0 replies; 13+ messages in thread
From: Yannick GICQUEL @ 2016-04-20 8:12 UTC (permalink / raw)
To: Otavio Salvador; +Cc: Patches and discussions about the oe-core layer
Le 19/04/2016 15:30, Otavio Salvador a écrit :
> On Tue, Apr 19, 2016 at 9:46 AM, Yannick Gicquel
> <yannick.gicquel@iot.bzh> wrote:
>> This introduces a new task 'assemble_dtb' to handle the concatenation of U-Boot
>> without DTB and the compiled U-Boot DTB while using CONFIG_OF_SEPARATE.
>> Basically, this task merges the u-boot-nodtb.bin and the device tree blob using
>> the 'cat' command and overrides the u-boot.bin file which is generated
>> at the compilation step.
>>
>> This task is intended to be used in the verified-boot image generation process
>> after the kernel-fitimage class had appended a public key to the device tree
>> blob. It is placed after the do_deploy and before the do_install tasks and it
>> replaces the u-boot binaries in both deploy directory and build directory
>> in order to minimize the changes in later tasks.
>>
>> Signed-off-by: Yannick Gicquel <yannick.gicquel@iot.bzh>
>> ---
>> meta/recipes-bsp/u-boot/u-boot-sign.inc | 21 +++++++++++++++++++++
>> meta/recipes-bsp/u-boot/u-boot.inc | 22 ++++++++++++++++++++++
>> 2 files changed, 43 insertions(+)
>> create mode 100644 meta/recipes-bsp/u-boot/u-boot-sign.inc
>>
>> diff --git a/meta/recipes-bsp/u-boot/u-boot-sign.inc b/meta/recipes-bsp/u-boot/u-boot-sign.inc
>> new file mode 100644
>> index 0000000..c88a2a1
>> --- /dev/null
>> +++ b/meta/recipes-bsp/u-boot/u-boot-sign.inc
> I think it could be moved to a class, so the U-Boot can inherit it.
Ok
>
>> @@ -0,0 +1,21 @@
>> +# This file is part of U-Boot verified boot support and is intended to be
>> +# included from u-boot recipe and from kernel-fitimage.bbclass
>> +#
>> +# The signature procedure requires the user to generate an RSA key and
>> +# certificate in a directory and to define the following variable:
>> +#
>> +# UBOOT_SIGN_KEYDIR = "/keys/directory"
>> +# UBOOT_SIGN_KEYNAME = "dev" # keys name in keydir (eg. "dev.crt", "dev.key")
>> +# UBOOT_SIGN_ENABLE = "1"
>> +#
>> +# The signature support is limited to the use of CONFIG_OF_SEPARATE in U-Boot.
>> +#
>> +# For more details, please refer to U-boot documentation.
>> +
>> +UBOOT_SIGN_ENABLE ?= "0"
>> +UBOOT_DTB_IMAGE ?= "u-boot-${MACHINE}-${PV}-${PR}.dtb"
>> +UBOOT_DTB_BINARY ?= "u-boot.dtb"
>> +UBOOT_DTB_SYMLINK ?= "u-boot-${MACHINE}.dtb"
>> +UBOOT_NODTB_IMAGE ?= "u-boot-nodtb-${MACHINE}-${PV}-${PR}.${UBOOT_SUFFIX}"
>> +UBOOT_NODTB_BINARY ?= "u-boot-nodtb.${UBOOT_SUFFIX}"
>> +UBOOT_NODTB_SYMLINK ?= "u-boot-nodtb-${MACHINE}.${UBOOT_SUFFIX}"
>> diff --git a/meta/recipes-bsp/u-boot/u-boot.inc b/meta/recipes-bsp/u-boot/u-boot.inc
>> index 3ba866d..29b0b95 100644
>> --- a/meta/recipes-bsp/u-boot/u-boot.inc
>> +++ b/meta/recipes-bsp/u-boot/u-boot.inc
>> @@ -65,6 +65,28 @@ UBOOT_ENV_BINARY ?= "${UBOOT_ENV}.${UBOOT_ENV_SUFFIX}"
>> UBOOT_ENV_IMAGE ?= "${UBOOT_ENV}-${MACHINE}-${PV}-${PR}.${UBOOT_ENV_SUFFIX}"
>> UBOOT_ENV_SYMLINK ?= "${UBOOT_ENV}-${MACHINE}.${UBOOT_ENV_SUFFIX}"
>>
>> +# The use of verified boot requires to share environment variables with kernel
>> +# fitImage class as the mkimage call requires dtb filepath to append signature
>> +# public key.
>> +require u-boot-sign.inc
>> +
>> +do_assemble_dtb() {
>> + # Concatenate U-Boot w/o DTB & DTB with public key
>> + # (cf. kernel-fitimage.bbclass for more details)
>> + cd ${DEPLOYDIR}
>> + if [ "x${UBOOT_SIGN_ENABLE}" = "x1" ]; then
>> + if [ -e "${UBOOT_NODTB_IMAGE}" -a -e "${UBOOT_DTB_IMAGE}" ]; then
>> + cat ${UBOOT_NODTB_IMAGE} ${UBOOT_DTB_IMAGE} > ${UBOOT_IMAGE}
>> + cat ${UBOOT_NODTB_IMAGE} ${UBOOT_DTB_IMAGE} > ${S}/${UBOOT_BINARY}
>> + else
>> + bbwarn "Failure while adding public key to u-boot binary. Verified boot won't be available."
>> + fi
>> + fi
>> +}
>> +
>> +addtask assemble_dtb after do_deploy before do_install
>> +do_assemble_dtb[depends] += "${@' ${PREFERRED_PROVIDER_virtual/kernel}:do_assemble_fitimage' if '${UBOOT_SIGN_ENABLE}' == '1' else ''}"
>> +
> This should be part of the class, not another .inc file.
Ok, I understand your point and will move the whole dtb related parts in
the class file.
Thanks,
>
>> do_compile () {
>> if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ld-is-gold', 'ld-is-gold', '', d)}" = "ld-is-gold" ] ; then
>> sed -i 's/$(CROSS_COMPILE)ld$/$(CROSS_COMPILE)ld.bfd/g' config.mk
>> --
>> 1.9.1
>>
>> --
>> _______________________________________________
>> Openembedded-core mailing list
>> Openembedded-core@lists.openembedded.org
>> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>
>
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [RFC PATCH 1/4] u-boot: basic support of device tree blob reassembly
2016-04-19 14:30 ` Andreas Oberritter
@ 2016-04-20 8:27 ` Yannick GICQUEL
2016-04-20 8:37 ` Anders Darander
2016-04-21 8:10 ` Andreas Oberritter
0 siblings, 2 replies; 13+ messages in thread
From: Yannick GICQUEL @ 2016-04-20 8:27 UTC (permalink / raw)
To: Andreas Oberritter, openembedded-core
[-- Attachment #1: Type: text/plain, Size: 5244 bytes --]
Le 19/04/2016 16:30, Andreas Oberritter a écrit :
> Hello Yannick,
Hi Andreas,
>
> On 19.04.2016 14:46, Yannick Gicquel wrote:
>> This introduces a new task 'assemble_dtb' to handle the concatenation of U-Boot
>> without DTB and the compiled U-Boot DTB while using CONFIG_OF_SEPARATE.
>> Basically, this task merges the u-boot-nodtb.bin and the device tree blob using
>> the 'cat' command and overrides the u-boot.bin file which is generated
>> at the compilation step.
>>
>> This task is intended to be used in the verified-boot image generation process
>> after the kernel-fitimage class had appended a public key to the device tree
>> blob. It is placed after the do_deploy and before the do_install tasks and it
>> replaces the u-boot binaries in both deploy directory and build directory
>> in order to minimize the changes in later tasks.
>>
>> Signed-off-by: Yannick Gicquel <yannick.gicquel@iot.bzh>
>> ---
>> meta/recipes-bsp/u-boot/u-boot-sign.inc | 21 +++++++++++++++++++++
>> meta/recipes-bsp/u-boot/u-boot.inc | 22 ++++++++++++++++++++++
>> 2 files changed, 43 insertions(+)
>> create mode 100644 meta/recipes-bsp/u-boot/u-boot-sign.inc
>>
>> diff --git a/meta/recipes-bsp/u-boot/u-boot-sign.inc b/meta/recipes-bsp/u-boot/u-boot-sign.inc
>> new file mode 100644
>> index 0000000..c88a2a1
>> --- /dev/null
>> +++ b/meta/recipes-bsp/u-boot/u-boot-sign.inc
>> @@ -0,0 +1,21 @@
>> +# This file is part of U-Boot verified boot support and is intended to be
>> +# included from u-boot recipe and from kernel-fitimage.bbclass
>> +#
>> +# The signature procedure requires the user to generate an RSA key and
>> +# certificate in a directory and to define the following variable:
>> +#
>> +# UBOOT_SIGN_KEYDIR = "/keys/directory"
>> +# UBOOT_SIGN_KEYNAME = "dev" # keys name in keydir (eg. "dev.crt", "dev.key")
>> +# UBOOT_SIGN_ENABLE = "1"
>> +#
>> +# The signature support is limited to the use of CONFIG_OF_SEPARATE in U-Boot.
>> +#
>> +# For more details, please refer to U-boot documentation.
>> +
>> +UBOOT_SIGN_ENABLE ?= "0"
>> +UBOOT_DTB_IMAGE ?= "u-boot-${MACHINE}-${PV}-${PR}.dtb"
>> +UBOOT_DTB_BINARY ?= "u-boot.dtb"
>> +UBOOT_DTB_SYMLINK ?= "u-boot-${MACHINE}.dtb"
>> +UBOOT_NODTB_IMAGE ?= "u-boot-nodtb-${MACHINE}-${PV}-${PR}.${UBOOT_SUFFIX}"
>> +UBOOT_NODTB_BINARY ?= "u-boot-nodtb.${UBOOT_SUFFIX}"
>> +UBOOT_NODTB_SYMLINK ?= "u-boot-nodtb-${MACHINE}.${UBOOT_SUFFIX}"
>> diff --git a/meta/recipes-bsp/u-boot/u-boot.inc b/meta/recipes-bsp/u-boot/u-boot.inc
>> index 3ba866d..29b0b95 100644
>> --- a/meta/recipes-bsp/u-boot/u-boot.inc
>> +++ b/meta/recipes-bsp/u-boot/u-boot.inc
>> @@ -65,6 +65,28 @@ UBOOT_ENV_BINARY ?= "${UBOOT_ENV}.${UBOOT_ENV_SUFFIX}"
>> UBOOT_ENV_IMAGE ?= "${UBOOT_ENV}-${MACHINE}-${PV}-${PR}.${UBOOT_ENV_SUFFIX}"
>> UBOOT_ENV_SYMLINK ?= "${UBOOT_ENV}-${MACHINE}.${UBOOT_ENV_SUFFIX}"
>>
>> +# The use of verified boot requires to share environment variables with kernel
>> +# fitImage class as the mkimage call requires dtb filepath to append signature
>> +# public key.
>> +require u-boot-sign.inc
>> +
>> +do_assemble_dtb() {
>> + # Concatenate U-Boot w/o DTB & DTB with public key
>> + # (cf. kernel-fitimage.bbclass for more details)
>> + cd ${DEPLOYDIR}
>> + if [ "x${UBOOT_SIGN_ENABLE}" = "x1" ]; then
>> + if [ -e "${UBOOT_NODTB_IMAGE}" -a -e "${UBOOT_DTB_IMAGE}" ]; then
>> + cat ${UBOOT_NODTB_IMAGE} ${UBOOT_DTB_IMAGE} > ${UBOOT_IMAGE}
>> + cat ${UBOOT_NODTB_IMAGE} ${UBOOT_DTB_IMAGE} > ${S}/${UBOOT_BINARY}
> in general, you should avoid writing to ${S} (source). It's better to
> write to ${B} (build).
Ok, I will change to ${B}
>
>> + else
>> + bbwarn "Failure while adding public key to u-boot binary. Verified boot won't be available."
>> + fi
>> + fi
>> +}
>> +
>> +addtask assemble_dtb after do_deploy before do_install
> The task do_deploy executes after do_install. Does it really work this
> way? I think bitbake should try to detect this and error out.
I confirm do_deploy is executed before do_install.
It looks like it is schedule this way by the last line of the file:
addtask deploy before do_build after do_compile
(I attached the log.task_order for reference - FYI, behavior is the same on
jethro or today's master branch)
>
> Maybe you could just use do_install_append and add the dependency below
> to do_install.
Interesting.
After reviewing this more carefully, I agree with you and also think
that a dedicated task is
finally not really needed for these actions. The point which matters is
the task order
and the schedule required to add the public key to the DTB.
And regarding this task order it should be possible to place it in a
"do_install_prepend".
I will sent a new version integrating comments from Otavio's and you.
Thanks
>
> Regards,
> Andreas
>
>> +do_assemble_dtb[depends] += "${@' ${PREFERRED_PROVIDER_virtual/kernel}:do_assemble_fitimage' if '${UBOOT_SIGN_ENABLE}' == '1' else ''}"
>> +
>> do_compile () {
>> if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ld-is-gold', 'ld-is-gold', '', d)}" = "ld-is-gold" ] ; then
>> sed -i 's/$(CROSS_COMPILE)ld$/$(CROSS_COMPILE)ld.bfd/g' config.mk
>>
[-- Attachment #2: log.task_order --]
[-- Type: text/plain, Size: 640 bytes --]
do_fetch (29836): log.do_fetch.29836
do_unpack (29844): log.do_unpack.29844
do_patch (30357): log.do_patch.30357
do_configure (30788): log.do_configure.30788
do_populate_lic (30789): log.do_populate_lic.30789
do_compile (30833): log.do_compile.30833
do_deploy (5656): log.do_deploy.5656
do_assemble_dtb (5766): log.do_assemble_dtb.5766
do_install (7724): log.do_install.7724
do_package (7877): log.do_package.7877
do_populate_sysroot (7878): log.do_populate_sysroot.7878
do_packagedata (9046): log.do_packagedata.9046
do_package_write_rpm (10190): log.do_package_write_rpm.10190
do_package_qa (10204): log.do_package_qa.10204
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [RFC PATCH 1/4] u-boot: basic support of device tree blob reassembly
2016-04-20 8:27 ` Yannick GICQUEL
@ 2016-04-20 8:37 ` Anders Darander
2016-04-20 13:36 ` Yannick GICQUEL
2016-04-21 8:10 ` Andreas Oberritter
1 sibling, 1 reply; 13+ messages in thread
From: Anders Darander @ 2016-04-20 8:37 UTC (permalink / raw)
To: openembedded-core
Just a comment on task ordering. Not sure that it really matters
though...
* Yannick GICQUEL <yannick.gicquel@iot.bzh> [160420 10:28]:
> Le 19/04/2016 16:30, Andreas Oberritter a écrit :
> >Hello Yannick,
> Hi Andreas,
> >On 19.04.2016 14:46, Yannick Gicquel wrote:
> >>+addtask assemble_dtb after do_deploy before do_install
> >The task do_deploy executes after do_install. Does it really work this
> >way? I think bitbake should try to detect this and error out.
> I confirm do_deploy is executed before do_install.
> It looks like it is schedule this way by the last line of the file:
> addtask deploy before do_build after do_compile
Well, if task do_deploy is scheduled before do_install, that's just by
luck.
The following line adds do_install:
addtask install after do_compile
Thus, the ordering between do_install and do_deploy isn't fixed. It
could be random, it could be based on alphabetical sorting, or the order
the tasks are added. However, it could easily change...
Cheers,
Anders
> (I attached the log.task_order for reference - FYI, behavior is the same on
> jethro or today's master branch)
--
Anders Darander, Senior System Architect
ChargeStorm AB / eStorm AB
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [RFC PATCH 1/4] u-boot: basic support of device tree blob reassembly
2016-04-20 8:37 ` Anders Darander
@ 2016-04-20 13:36 ` Yannick GICQUEL
0 siblings, 0 replies; 13+ messages in thread
From: Yannick GICQUEL @ 2016-04-20 13:36 UTC (permalink / raw)
To: openembedded-core, anders
Le 20/04/2016 10:37, Anders Darander a écrit :
> Just a comment on task ordering. Not sure that it really matters
> though...
>
> * Yannick GICQUEL <yannick.gicquel@iot.bzh> [160420 10:28]:
>> Le 19/04/2016 16:30, Andreas Oberritter a écrit :
>>> Hello Yannick,
>> Hi Andreas,
>>> On 19.04.2016 14:46, Yannick Gicquel wrote:
>>>> +addtask assemble_dtb after do_deploy before do_install
>>> The task do_deploy executes after do_install. Does it really work this
>>> way? I think bitbake should try to detect this and error out.
>> I confirm do_deploy is executed before do_install.
>> It looks like it is schedule this way by the last line of the file:
>> addtask deploy before do_build after do_compile
> Well, if task do_deploy is scheduled before do_install, that's just by
> luck.
>
> The following line adds do_install:
>
> addtask install after do_compile
>
> Thus, the ordering between do_install and do_deploy isn't fixed. It
> could be random, it could be based on alphabetical sorting, or the order
> the tasks are added. However, it could easily change...
Thanks for the precision.
I understand that ordering is not fixed as both tasks depends on do_compile.
I am on the way to send a v2 and the tasks are now sequenced as below :
u-boot:do_deploy -> virtual/kernel:do_assemble_fitimage ->
u-boot:do_install
Best regards,
>
> Cheers,
> Anders
>
>> (I attached the log.task_order for reference - FYI, behavior is the same on
>> jethro or today's master branch)
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [RFC PATCH 1/4] u-boot: basic support of device tree blob reassembly
2016-04-20 8:27 ` Yannick GICQUEL
2016-04-20 8:37 ` Anders Darander
@ 2016-04-21 8:10 ` Andreas Oberritter
1 sibling, 0 replies; 13+ messages in thread
From: Andreas Oberritter @ 2016-04-21 8:10 UTC (permalink / raw)
To: yannick.gicquel, openembedded-core
On 20.04.2016 10:27, Yannick GICQUEL wrote:
> Le 19/04/2016 16:30, Andreas Oberritter a écrit :
>> On 19.04.2016 14:46, Yannick Gicquel wrote:
[...]
>>> +addtask assemble_dtb after do_deploy before do_install
>> The task do_deploy executes after do_install. Does it really work this
>> way? I think bitbake should try to detect this and error out.
> I confirm do_deploy is executed before do_install.
> It looks like it is schedule this way by the last line of the file:
>
> addtask deploy before do_build after do_compile
>
> (I attached the log.task_order for reference - FYI, behavior is the same on
> jethro or today's master branch)
You're right, Yannick. I should have looked at u-boot.inc, instead of
assuming the behaviour of kernel.bbclass was generic.
Regards,
Andreas
^ permalink raw reply [flat|nested] 13+ messages in thread
end of thread, other threads:[~2016-04-21 8:11 UTC | newest]
Thread overview: 13+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-04-19 12:46 [RFC PATCH 0/4] U-Boot verified boot basic support Yannick Gicquel
2016-04-19 12:46 ` [RFC PATCH 1/4] u-boot: basic support of device tree blob reassembly Yannick Gicquel
2016-04-19 13:30 ` Otavio Salvador
2016-04-20 8:12 ` Yannick GICQUEL
2016-04-19 14:30 ` Andreas Oberritter
2016-04-20 8:27 ` Yannick GICQUEL
2016-04-20 8:37 ` Anders Darander
2016-04-20 13:36 ` Yannick GICQUEL
2016-04-21 8:10 ` Andreas Oberritter
2016-04-19 12:46 ` [RFC PATCH 2/4] u-boot: deploy u-boot nodtb and dtb files Yannick Gicquel
2016-04-19 12:46 ` [RFC PATCH 3/4] kernel: fitimage: support device tree compiler options Yannick Gicquel
2016-04-19 12:46 ` [RFC PATCH 4/4] kernel: fitimage: basic support for fitimage signature Yannick Gicquel
2016-04-19 13:33 ` Otavio Salvador
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.