[OE-core] [RFC PATCH 1/4] u-boot: basic support of device tree blob reassembly
Yannick Gicquel
yannick.gicquel at iot.bzh
Tue Apr 19 12:46:40 UTC 2016
This introduces a new task 'assemble_dtb' to handle the concatenation of U-Boot
without DTB and the compiled U-Boot DTB while using CONFIG_OF_SEPARATE.
Basically, this task merges the u-boot-nodtb.bin and the device tree blob using
the 'cat' command and overrides the u-boot.bin file which is generated
at the compilation step.
This task is intended to be used in the verified-boot image generation process
after the kernel-fitimage class had appended a public key to the device tree
blob. It is placed after the do_deploy and before the do_install tasks and it
replaces the u-boot binaries in both deploy directory and build directory
in order to minimize the changes in later tasks.
Signed-off-by: Yannick Gicquel <yannick.gicquel at iot.bzh>
---
meta/recipes-bsp/u-boot/u-boot-sign.inc | 21 +++++++++++++++++++++
meta/recipes-bsp/u-boot/u-boot.inc | 22 ++++++++++++++++++++++
2 files changed, 43 insertions(+)
create mode 100644 meta/recipes-bsp/u-boot/u-boot-sign.inc
diff --git a/meta/recipes-bsp/u-boot/u-boot-sign.inc b/meta/recipes-bsp/u-boot/u-boot-sign.inc
new file mode 100644
index 0000000..c88a2a1
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/u-boot-sign.inc
@@ -0,0 +1,21 @@
+# This file is part of U-Boot verified boot support and is intended to be
+# included from u-boot recipe and from kernel-fitimage.bbclass
+#
+# The signature procedure requires the user to generate an RSA key and
+# certificate in a directory and to define the following variable:
+#
+# UBOOT_SIGN_KEYDIR = "/keys/directory"
+# UBOOT_SIGN_KEYNAME = "dev" # keys name in keydir (eg. "dev.crt", "dev.key")
+# UBOOT_SIGN_ENABLE = "1"
+#
+# The signature support is limited to the use of CONFIG_OF_SEPARATE in U-Boot.
+#
+# For more details, please refer to U-boot documentation.
+
+UBOOT_SIGN_ENABLE ?= "0"
+UBOOT_DTB_IMAGE ?= "u-boot-${MACHINE}-${PV}-${PR}.dtb"
+UBOOT_DTB_BINARY ?= "u-boot.dtb"
+UBOOT_DTB_SYMLINK ?= "u-boot-${MACHINE}.dtb"
+UBOOT_NODTB_IMAGE ?= "u-boot-nodtb-${MACHINE}-${PV}-${PR}.${UBOOT_SUFFIX}"
+UBOOT_NODTB_BINARY ?= "u-boot-nodtb.${UBOOT_SUFFIX}"
+UBOOT_NODTB_SYMLINK ?= "u-boot-nodtb-${MACHINE}.${UBOOT_SUFFIX}"
diff --git a/meta/recipes-bsp/u-boot/u-boot.inc b/meta/recipes-bsp/u-boot/u-boot.inc
index 3ba866d..29b0b95 100644
--- a/meta/recipes-bsp/u-boot/u-boot.inc
+++ b/meta/recipes-bsp/u-boot/u-boot.inc
@@ -65,6 +65,28 @@ UBOOT_ENV_BINARY ?= "${UBOOT_ENV}.${UBOOT_ENV_SUFFIX}"
UBOOT_ENV_IMAGE ?= "${UBOOT_ENV}-${MACHINE}-${PV}-${PR}.${UBOOT_ENV_SUFFIX}"
UBOOT_ENV_SYMLINK ?= "${UBOOT_ENV}-${MACHINE}.${UBOOT_ENV_SUFFIX}"
+# The use of verified boot requires to share environment variables with kernel
+# fitImage class as the mkimage call requires dtb filepath to append signature
+# public key.
+require u-boot-sign.inc
+
+do_assemble_dtb() {
+ # Concatenate U-Boot w/o DTB & DTB with public key
+ # (cf. kernel-fitimage.bbclass for more details)
+ cd ${DEPLOYDIR}
+ if [ "x${UBOOT_SIGN_ENABLE}" = "x1" ]; then
+ if [ -e "${UBOOT_NODTB_IMAGE}" -a -e "${UBOOT_DTB_IMAGE}" ]; then
+ cat ${UBOOT_NODTB_IMAGE} ${UBOOT_DTB_IMAGE} > ${UBOOT_IMAGE}
+ cat ${UBOOT_NODTB_IMAGE} ${UBOOT_DTB_IMAGE} > ${S}/${UBOOT_BINARY}
+ else
+ bbwarn "Failure while adding public key to u-boot binary. Verified boot won't be available."
+ fi
+ fi
+}
+
+addtask assemble_dtb after do_deploy before do_install
+do_assemble_dtb[depends] += "${@' ${PREFERRED_PROVIDER_virtual/kernel}:do_assemble_fitimage' if '${UBOOT_SIGN_ENABLE}' == '1' else ''}"
+
do_compile () {
if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ld-is-gold', 'ld-is-gold', '', d)}" = "ld-is-gold" ] ; then
sed -i 's/$(CROSS_COMPILE)ld$/$(CROSS_COMPILE)ld.bfd/g' config.mk
--
1.9.1
More information about the Openembedded-core
mailing list