[PATCH 0/4] u-boot: Support for SPL verified boot

Klaus Heinrich Kiwi klaus at linux.vnet.ibm.com
Tue Mar 16 03:58:02 AEDT 2021


This patch series aims at extending U-Boot's verified boot support to
also include SPL.

Presently, setting UBOOT_SIGN_ENABLE instructs the classes uboot-sign
and kernel-fitimage to create and sign a Linux Kernel fitImage. This
proposal introduces the variable SPL_SIGN_ENABLE that aims at
(re-)creating the U-Boot (proper) uImage fitImage and signing it.

In order to accomplish this, the first patch moves some of the necessary
infrastructure (variables, functions) used to sign the Kernel
fitImage to more common locations, and then essentially duplicates the
method currently used to sign the Kernel fitImage to also sign the
U-Boot fitImage.

In the UBOOT_SIGN_ENABLE = "1" scenario, nothing really changes: The
Kernel fitImage is created, then signed, and the pubkey is added to
u-boot.dtb which is concatenated with the u-boot-nodtb.bin to create
the u-boot final image.

In case SPL_SIGN_ENABLE = "1", the U-Boot PN will take care of
(re-)creating the U-Boot fitImage (using custom .its script) after compile,
sign it, and concatenate the u-boot-spl.dtb (with the public key) with
u-boot-spl-nodtb.bin to create the final U-Boot SPL on deploy.

In case both UBOOT_SIGN_ENABLE and SPL_SIGN_ENABLE are set, the Kernel
PN will take care of creating and signing the U-Boot fitImage (because
we need to also sign the FDT image containing the Kernel pubkey), and
take care of deploying it.

One caveat is that when moving between the scenarios above, the user
might need to remove the tmp/ directory, since there could be a
collision for some of the files deployed into the images directory,
since the configuration may determine which PN does that.

I added oe-selftest testcases and also tested this on upstream OpenBMC
with AST2600 BMC devices.


 meta/classes/kernel-fitimage.bbclass     |  69 +++-------------
 meta/classes/uboot-config.bbclass        |  58 +++++++++++++
 meta/classes/uboot-sign.bbclass          | 395 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-----
 meta/lib/oeqa/selftest/cases/fitimage.py | 293 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 meta/recipes-bsp/u-boot/u-boot.inc       |  46 -----------
 5 files changed, 736 insertions(+), 125 deletions(-)


Signed-off-by: Klaus Heinrich Kiwi <klaus at linux.vnet.ibm.com>
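
Added example, not part of this patch series or of U-Boot: a post-build check that a deployed control DTB (u-boot-spl.dtb or u-boot.dtb, as described above) really carries a public key marked as required. It assumes the layout mkimage writes, a /signature node with key-<name> children holding "required" and "algo" properties; the key name "key-dev" and the sample blob are constructed for the example.

```python
import struct

FDT_MAGIC = 0xD00DFEED
BEGIN_NODE, END_NODE, PROP, NOP, END = 1, 2, 3, 4, 9  # FDT structure tokens

def pad4(n): return (n + 3) & ~3  # tokens and payloads are 4-byte aligned

def signature_keys(dtb):
    """Return {key node name: {property: raw bytes}} for children of /signature."""
    magic, _total, off_struct, off_strings = struct.unpack_from(">4I", dtb, 0)
    if magic != FDT_MAGIC:
        raise ValueError("not a flattened device tree")
    pos, path, keys = off_struct, [], {}
    while True:
        (tok,) = struct.unpack_from(">I", dtb, pos)
        pos += 4
        in_key = len(path) == 3 and path[1] == "signature"  # ["", "signature", "key-*"]
        if tok == BEGIN_NODE:
            end = dtb.index(b"\0", pos)
            path.append(dtb[pos:end].decode())
            pos = pad4(end + 1)
        elif tok == END_NODE:
            path.pop()
        elif tok == PROP:
            length, nameoff = struct.unpack_from(">2I", dtb, pos)
            pos += 8
            if in_key:
                start = off_strings + nameoff
                name = dtb[start:dtb.index(b"\0", start)].decode()
                keys.setdefault(path[2], {})[name] = dtb[pos:pos + length]
            pos = pad4(pos + length)
        elif tok == END:
            return keys
        elif tok != NOP:
            raise ValueError("corrupt structure block")

def enforces_signature(dtb):
    """True if some key is marked required, i.e. unsigned images get refused."""
    return any(k.get("required") in (b"conf\0", b"image\0") for k in signature_keys(dtb).values())

def sample_dtb(with_key):  # constructed blob: root node, optionally /signature/key-dev
    def node(name, body=b""):
        raw = name.encode() + b"\0"
        return struct.pack(">I", BEGIN_NODE) + raw.ljust(pad4(len(raw)), b"\0") + body + struct.pack(">I", END_NODE)
    def prop(nameoff, val):
        return struct.pack(">3I", PROP, len(val), nameoff) + val.ljust(pad4(len(val)), b"\0")
    strings = b"required\0algo\0"
    key = node("key-dev", prop(0, b"conf\0") + prop(9, b"sha256,rsa2048\0"))
    body = node("", node("signature", key) if with_key else b"") + struct.pack(">I", END)
    header = struct.pack(">10I", FDT_MAGIC, 56 + len(body) + len(strings), 56, 56 + len(body), 40, 17, 16, 0, len(strings), len(body))
    return header + bytes(16) + body + strings
```

Run enforces_signature() over the bytes of the deployed DTB in a CI step; a False result means the image would boot without a mandatory signature check.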
