From: Richard Purdie <>
To: Klaus Heinrich Kiwi <>,
Subject: Re: [OE-core] [PATCH v2 0/4] u-boot: Support for SPL verified boot
Date: Tue, 06 Apr 2021 11:57:04 +0100	[thread overview]

On Fri, 2021-03-26 at 17:14 -0300, Klaus Heinrich Kiwi wrote:
> This patch series aims at extending U-Boot's verified boot support to
> also include SPL.
> Presently, setting UBOOT_SIGN_ENABLE instructs the classes uboot-sign
> and kernel-fitimage to create and sign a Linux Kernel fitImage. This
> proposal introduces the variables UBOOT_FITIMAGE_ENABLE and
> SPL_SIGN_ENABLE that will, respectively, create and sign a U-Boot
> (proper) fitImage that the SPL can load (and verify if enabled).
> In order to accomplish this, the first patch moves some of the necessary
> infrastructure (variables, functions) used to sign the Kernel
> fitImage to more common locations, and then essentially duplicates the
> method currently used to sign the Kernel fitImage to also sign the
> U-Boot fitImage.
> If the variable UBOOT_FITIMAGE_ENABLE = "1", the uboot-sign class will
> copy the SPL files (nodtb image and dtb file) from the u-boot recipe to
> the staging area, so that the Kernel recipe can then create the U-Boot
> fitImage.
> In case SPL_SIGN_ENABLE = "1", the U-Boot fitImage will be signed using
> the key provided by SPL_SIGN_KEYNAME / SPL_SIGN_KEYDIR, or will
> auto-generate keys based on UBOOT_FIT_HASH_ALG, UBOOT_FIT_SIGN_ALG and
> After the operations above, the Kernel recipe will deploy the (signed)
> U-Boot fitImage, the ITS script used to create it, as well as the SPL
> concatenated with the DTB containing the pubkey to the images directory.
> The reason why the U-Boot fitImage is created by the Kernel is in order
> to make sure that, when UBOOT_SIGN_ENABLE is set (and the Kernel
> fitImage is signed), the U-Boot fitImage being created/signed contains
> the pubkey used by the Kernel recipe to sign the Kernel fitImage.
> I added oe-selftest testcases and also tested this on upstream OpenBMC
> with AST2600 BMC devices.
> Signed-off-by: Klaus Heinrich Kiwi <>

I've merged this. I wanted to say a big thanks for writing some test cases
for these code paths. It should start to help a lot in this area in the
future. I'm going to be asking that future fixes in this area add/improve
test cases to cover issues too.
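As an added example (not part of the series or of this reply), a local.conf fragment that enables both signing stages the cover letter describes, with the kernel fitImage and the U-Boot fitImage signed by different keys. Key names and directories are placeholders; UBOOT_SIGN_KEYDIR / UBOOT_SIGN_KEYNAME are the pre-existing uboot-sign settings for the kernel fitImage.

```bitbake
# Added example local.conf fragment for the SPL verified-boot chain.
# Key names and paths below are placeholders, not values from the series.

# Stage 1 (existing behaviour): kernel-fitimage builds and uboot-sign
# signs the Linux kernel fitImage; U-Boot proper verifies it at boot.
UBOOT_SIGN_ENABLE = "1"
UBOOT_SIGN_KEYDIR = "/path/to/keys/kernel"   # keep keys out of the source tree
UBOOT_SIGN_KEYNAME = "dev-kernel"

# Stage 2 (this series): also build a U-Boot (proper) fitImage that the
# SPL loads. uboot-sign stages the SPL nodtb image and DTB so the kernel
# recipe can assemble it, and the result embeds the stage-1 public key.
UBOOT_FITIMAGE_ENABLE = "1"

# Sign the U-Boot fitImage so the SPL verifies U-Boot before running it.
# Use a different key from the kernel one (patch 3/4): exposure of the
# kernel signing key then does not allow U-Boot itself to be replaced.
SPL_SIGN_ENABLE = "1"
SPL_SIGN_KEYDIR = "/path/to/keys/spl"
SPL_SIGN_KEYNAME = "dev-spl"

# Hash and signature algorithms for the U-Boot fitImage; these are also
# what the class uses if it has to auto-generate the SPL keys.
UBOOT_FIT_HASH_ALG = "sha256"
UBOOT_FIT_SIGN_ALG = "rsa2048"
```

After the build, the images directory receives the signed U-Boot fitImage, the ITS used to create it, and the SPL concatenated with the DTB carrying the public key; that SPL+DTB image is the one to flash, since without the embedded key the SPL has nothing to verify the fitImage against.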
Thread overview:
2021-03-26 20:14 [PATCH v2 0/4] u-boot: Support for SPL verified boot Klaus Heinrich Kiwi
2021-03-26 20:14 ` [PATCH v2 1/4] u-boot: Move definitions to common locations Klaus Heinrich Kiwi
2021-03-26 20:14 ` [PATCH v2 2/4] u-boot: Add infrastructure to SPL verified boot Klaus Heinrich Kiwi
2021-03-26 20:14 ` [PATCH v2 3/4] u-boot: Use a different Key for SPL signing Klaus Heinrich Kiwi
2021-03-26 20:14 ` [PATCH v2 4/4] oe-selftest: Add U-Boot fitImage signing testcases Klaus Heinrich Kiwi
2021-04-06 10:57 ` Richard Purdie [this message]
2021-04-06 13:21   ` [OE-core] [PATCH v2 0/4] u-boot: Support for SPL verified boot Klaus Heinrich Kiwi
2021-04-06 13:56     ` Richard Purdie