[OE-core] [PATCH v2 0/4] u-boot: Support for SPL verified boot

Richard Purdie richard.purdie at linuxfoundation.org
Tue Apr 6 20:57:04 AEST 2021 

On Fri, 2021-03-26 at 17:14 -0300, Klaus Heinrich Kiwi wrote:
> This patch series aims at extending U-Boot's verified boot support to
> also include SPL.
> 
> Presently, setting UBOOT_SIGN_ENABLE instructs the classes uboot-sign
> and kernel-fitimage to create and sign a Linux Kernel fitImage. This
> proposal introduces the variables UBOOT_FITIMAGE_ENABLE and
> SPL_SIGN_ENABLE that will, respectively, create and sign a U-Boot
> (proper) fitImage that the SPL can load (and verify if enabled)
> 
> In order to accomplish this, the first patch moves some of necessary
> infrastructure (variables, functions) used to sign the Kernel
> fitImage to more common locations, and then essentially duplicates the
> method currently used to sign the Kernel fitImage to also sign the
> U-Boot fitImage.
> 
> If the variable UBOOT_FITIMAGE_ENABLE = "1", the uboot-sign class will
> copy the SPL files (nodtb image and dtb file) from the u-boot recipe to
> the staging area, so that the Kernel recipe can then create the U-Boot
> fitImage.
> 
> In case SPL_SIGN_ENABLE = "1", the U-Boot fitImage will be signed using
> the key provided by SPL_SIGN_KEYNAME / SPL_SIGN_KEYDIR, or will
> auto-generate keys based on UBOOT_FIT_HASH_ALG, UBOOT_FIT_SIGN_ALG and
> UBOOT_FIT_SIGN_NUMBITS if UBOOT_FIT_GENERATE_KEYS is "1".
> 
> After the operations above, the Kernel recipe will deploy the (signed)
> U-Boot fitImage, the ITS script used to create it, as well as the SPL
> concatenated with the DTB containing the pubkey to the images directory.
> 
> The reason why the U-Boot fitImage is created by the Kernel is in order
> to make sure that, when UBOOT_SIGN_ENABLE is set (and the Kernel
> fitImage is signed), the U-Boot fitImage being created/signed contains
> the pubkey used by the Kernel recipe to sign the Kernel fitImage.
> 
> I added oe-selftest testcases and also tested this on upstream OpenBMC
> with AST2600 BMC devices.
> 
> Signed-off-by: Klaus Heinrich Kiwi <klaus at linux.vnet.ibm.com>

I've merged this, I wanted to say a big thanks for writing some test cases
for these code paths. It should start to help a lot in this area in the
future. I'm going to be asking that future fixes in this area add/improve 
test cases to cover issues too.

Cheers,

Richard

More information about the openbmc mailing list