archive mirror
 help / color / mirror / Atom feed
From: Klaus Heinrich Kiwi <>
Subject: [PATCH v2 0/4] u-boot: Support for SPL verified boot
Date: Fri, 26 Mar 2021 17:14:06 -0300	[thread overview]
Message-ID: <> (raw)

This patch series aims at extending U-Boot's verified boot support to
also include SPL.

Presently, setting UBOOT_SIGN_ENABLE instructs the classes uboot-sign
and kernel-fitimage to create and sign a Linux Kernel fitImage. This
proposal introduces the variables UBOOT_FITIMAGE_ENABLE and
SPL_SIGN_ENABLE that will, respectively, create and sign a U-Boot
(proper) fitImage that the SPL can load (and verify if enabled)

In order to accomplish this, the first patch moves some of necessary
infrastructure (variables, functions) used to sign the Kernel
fitImage to more common locations, and then essentially duplicates the
method currently used to sign the Kernel fitImage to also sign the
U-Boot fitImage.

If the variable UBOOT_FITIMAGE_ENABLE = "1", the uboot-sign class will
copy the SPL files (nodtb image and dtb file) from the u-boot recipe to
the staging area, so that the Kernel recipe can then create the U-Boot

In case SPL_SIGN_ENABLE = "1", the U-Boot fitImage will be signed using
the key provided by SPL_SIGN_KEYNAME / SPL_SIGN_KEYDIR, or will
auto-generate keys based on UBOOT_FIT_HASH_ALG, UBOOT_FIT_SIGN_ALG and

After the operations above, the Kernel recipe will deploy the (signed)
U-Boot fitImage, the ITS script used to create it, as well as the SPL
concatenated with the DTB containing the pubkey to the images directory.

The reason why the U-Boot fitImage is created by the Kernel is in order
to make sure that, when UBOOT_SIGN_ENABLE is set (and the Kernel
fitImage is signed), the U-Boot fitImage being created/signed contains
the pubkey used by the Kernel recipe to sign the Kernel fitImage.

I added oe-selftest testcases and also tested this on upstream OpenBMC
with AST2600 BMC devices.

Signed-off-by: Klaus Heinrich Kiwi <>

Changes since V1:

 * Separated SPL_SIGN_ENABLE from UBOOT_FITIMAGE_ENABLE so that an
   U-Boot fitImage can be created without a signature

 * Completely moved the task of creating/signing the U-Boot fitImage to
   the Kernel recipe, so that we don't get collisions when reusing the
   build tree while changing the configuration. This is apparently also
   necessary for testcases to be sane.

 * Testcases changes and additions, covering the above scenarios

 meta/classes/kernel-fitimage.bbclass     |  82 ++---
 meta/classes/uboot-config.bbclass        |  58 ++++
 meta/classes/uboot-sign.bbclass          | 407 +++++++++++++++++++++++--
 meta/lib/oeqa/selftest/cases/ | 468 +++++++++++++++++++++++++++++
 meta/recipes-bsp/u-boot/       |  46 ---
 5 files changed, 928 insertions(+), 133 deletions(-)

             reply	other threads:[~2021-03-26 20:14 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-03-26 20:14 Klaus Heinrich Kiwi [this message]
2021-03-26 20:14 ` [PATCH v2 1/4] u-boot: Move definitions to common locations Klaus Heinrich Kiwi
2021-03-26 20:14 ` [PATCH v2 2/4] u-boot: Add infrastructure to SPL verified boot Klaus Heinrich Kiwi
2021-03-26 20:14 ` [PATCH v2 3/4] u-boot: Use a different Key for SPL signing Klaus Heinrich Kiwi
2021-03-26 20:14 ` [PATCH v2 4/4] oe-selftest: Add U-Boot fitImage signing testcases Klaus Heinrich Kiwi
2021-04-06 10:57 ` [OE-core] [PATCH v2 0/4] u-boot: Support for SPL verified boot Richard Purdie
2021-04-06 13:21   ` Klaus Heinrich Kiwi
2021-04-06 13:56     ` Richard Purdie

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).