blob: 107914e28cfba8dd85aed6f5a8c28f0d87be5fa6 [file] [log] [blame]
#
# Copyright OpenEmbedded Contributors
#
# SPDX-License-Identifier: MIT
#
inherit kernel-uboot kernel-artifact-names uboot-sign
def get_fit_replacement_type(d):
kerneltypes = d.getVar('KERNEL_IMAGETYPES') or ""
replacementtype = ""
if 'fitImage' in kerneltypes.split():
uarch = d.getVar("UBOOT_ARCH")
if uarch == "arm64":
replacementtype = "Image"
elif uarch == "riscv":
replacementtype = "Image"
elif uarch == "mips":
replacementtype = "vmlinuz.bin"
elif uarch == "x86":
replacementtype = "bzImage"
elif uarch == "microblaze":
replacementtype = "linux.bin"
else:
replacementtype = "zImage"
return replacementtype
KERNEL_IMAGETYPE_REPLACEMENT ?= "${@get_fit_replacement_type(d)}"
DEPENDS:append = " ${@'u-boot-tools-native dtc-native' if 'fitImage' in (d.getVar('KERNEL_IMAGETYPES') or '').split() else ''}"
python __anonymous () {
# Override KERNEL_IMAGETYPE_FOR_MAKE variable, which is internal
# to kernel.bbclass . We have to override it, since we pack zImage
# (at least for now) into the fitImage .
typeformake = d.getVar("KERNEL_IMAGETYPE_FOR_MAKE") or ""
if 'fitImage' in typeformake.split():
d.setVar('KERNEL_IMAGETYPE_FOR_MAKE', typeformake.replace('fitImage', d.getVar('KERNEL_IMAGETYPE_REPLACEMENT')))
image = d.getVar('INITRAMFS_IMAGE')
if image:
d.appendVarFlag('do_assemble_fitimage_initramfs', 'depends', ' ${INITRAMFS_IMAGE}:do_image_complete')
ubootenv = d.getVar('UBOOT_ENV')
if ubootenv:
d.appendVarFlag('do_assemble_fitimage', 'depends', ' virtual/bootloader:do_populate_sysroot')
#check if there are any dtb providers
providerdtb = d.getVar("PREFERRED_PROVIDER_virtual/dtb")
if providerdtb:
d.appendVarFlag('do_assemble_fitimage', 'depends', ' virtual/dtb:do_populate_sysroot')
d.appendVarFlag('do_assemble_fitimage_initramfs', 'depends', ' virtual/dtb:do_populate_sysroot')
d.setVar('EXTERNAL_KERNEL_DEVICETREE', "${RECIPE_SYSROOT}/boot/devicetree")
# Verified boot will sign the fitImage and append the public key to
# U-Boot dtb. We ensure the U-Boot dtb is deployed before assembling
# the fitImage:
if d.getVar('UBOOT_SIGN_ENABLE') == "1" and d.getVar('UBOOT_DTB_BINARY'):
uboot_pn = d.getVar('PREFERRED_PROVIDER_u-boot') or 'u-boot'
d.appendVarFlag('do_assemble_fitimage', 'depends', ' %s:do_populate_sysroot' % uboot_pn)
if d.getVar('INITRAMFS_IMAGE_BUNDLE') == "1":
d.appendVarFlag('do_assemble_fitimage_initramfs', 'depends', ' %s:do_populate_sysroot' % uboot_pn)
}
# Description string
FIT_DESC ?= "Kernel fitImage for ${DISTRO_NAME}/${PV}/${MACHINE}"
# Sign individual images as well
FIT_SIGN_INDIVIDUAL ?= "0"
FIT_CONF_PREFIX ?= "conf-"
FIT_CONF_PREFIX[doc] = "Prefix to use for FIT configuration node name"
FIT_SUPPORTED_INITRAMFS_FSTYPES ?= "cpio.lz4 cpio.lzo cpio.lzma cpio.xz cpio.zst cpio.gz ext2.gz cpio"
# Keys used to sign individually image nodes.
# The keys to sign image nodes must be different from those used to sign
# configuration nodes, otherwise the "required" property, from
# UBOOT_DTB_BINARY, will be set to "conf", because "conf" prevails on "image".
# Then the images signature checking will not be mandatory and no error will be
# raised in case of failure.
# UBOOT_SIGN_IMG_KEYNAME = "dev2" # keys name in keydir (eg. "dev2.crt", "dev2.key")
#
# Emit the fitImage ITS header
#
# $1 ... .its filename
fitimage_emit_fit_header() {
cat << EOF >> $1
/dts-v1/;
/ {
description = "${FIT_DESC}";
#address-cells = <1>;
EOF
}
#
# Emit the fitImage section bits
#
# $1 ... .its filename
# $2 ... Section bit type: imagestart - image section start
# confstart - configuration section start
# sectend - section end
# fitend - fitimage end
#
fitimage_emit_section_maint() {
case $2 in
imagestart)
cat << EOF >> $1
images {
EOF
;;
confstart)
cat << EOF >> $1
configurations {
EOF
;;
sectend)
cat << EOF >> $1
};
EOF
;;
fitend)
cat << EOF >> $1
};
EOF
;;
esac
}
#
# Emit the fitImage ITS kernel section
#
# $1 ... .its filename
# $2 ... Image counter
# $3 ... Path to kernel image
# $4 ... Compression type
fitimage_emit_section_kernel() {
kernel_csum="${FIT_HASH_ALG}"
kernel_sign_algo="${FIT_SIGN_ALG}"
kernel_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}"
ENTRYPOINT="${UBOOT_ENTRYPOINT}"
if [ -n "${UBOOT_ENTRYSYMBOL}" ]; then
ENTRYPOINT=`${HOST_PREFIX}nm vmlinux | \
awk '$3=="${UBOOT_ENTRYSYMBOL}" {print "0x"$1;exit}'`
fi
cat << EOF >> $1
kernel-$2 {
description = "Linux kernel";
data = /incbin/("$3");
type = "${UBOOT_MKIMAGE_KERNEL_TYPE}";
arch = "${UBOOT_ARCH}";
os = "linux";
compression = "$4";
load = <${UBOOT_LOADADDRESS}>;
entry = <$ENTRYPOINT>;
hash-1 {
algo = "$kernel_csum";
};
};
EOF
if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "$kernel_sign_keyname" ] ; then
sed -i '$ d' $1
cat << EOF >> $1
signature-1 {
algo = "$kernel_csum,$kernel_sign_algo";
key-name-hint = "$kernel_sign_keyname";
};
};
EOF
fi
}
#
# Emit the fitImage ITS DTB section
#
# $1 ... .its filename
# $2 ... Image counter
# $3 ... Path to DTB image
fitimage_emit_section_dtb() {
dtb_csum="${FIT_HASH_ALG}"
dtb_sign_algo="${FIT_SIGN_ALG}"
dtb_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}"
dtb_loadline=""
dtb_ext=${DTB##*.}
if [ "${dtb_ext}" = "dtbo" ]; then
if [ -n "${UBOOT_DTBO_LOADADDRESS}" ]; then
dtb_loadline="load = <${UBOOT_DTBO_LOADADDRESS}>;"
fi
elif [ -n "${UBOOT_DTB_LOADADDRESS}" ]; then
dtb_loadline="load = <${UBOOT_DTB_LOADADDRESS}>;"
fi
cat << EOF >> $1
fdt-$2 {
description = "Flattened Device Tree blob";
data = /incbin/("$3");
type = "flat_dt";
arch = "${UBOOT_ARCH}";
compression = "none";
$dtb_loadline
hash-1 {
algo = "$dtb_csum";
};
};
EOF
if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "$dtb_sign_keyname" ] ; then
sed -i '$ d' $1
cat << EOF >> $1
signature-1 {
algo = "$dtb_csum,$dtb_sign_algo";
key-name-hint = "$dtb_sign_keyname";
};
};
EOF
fi
}
#
# Emit the fitImage ITS u-boot script section
#
# $1 ... .its filename
# $2 ... Image counter
# $3 ... Path to boot script image
fitimage_emit_section_boot_script() {
bootscr_csum="${FIT_HASH_ALG}"
bootscr_sign_algo="${FIT_SIGN_ALG}"
bootscr_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}"
cat << EOF >> $1
bootscr-$2 {
description = "U-boot script";
data = /incbin/("$3");
type = "script";
arch = "${UBOOT_ARCH}";
compression = "none";
hash-1 {
algo = "$bootscr_csum";
};
};
EOF
if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "$bootscr_sign_keyname" ] ; then
sed -i '$ d' $1
cat << EOF >> $1
signature-1 {
algo = "$bootscr_csum,$bootscr_sign_algo";
key-name-hint = "$bootscr_sign_keyname";
};
};
EOF
fi
}
#
# Emit the fitImage ITS setup section
#
# $1 ... .its filename
# $2 ... Image counter
# $3 ... Path to setup image
fitimage_emit_section_setup() {
setup_csum="${FIT_HASH_ALG}"
cat << EOF >> $1
setup-$2 {
description = "Linux setup.bin";
data = /incbin/("$3");
type = "x86_setup";
arch = "${UBOOT_ARCH}";
os = "linux";
compression = "none";
load = <0x00090000>;
entry = <0x00090000>;
hash-1 {
algo = "$setup_csum";
};
};
EOF
}
#
# Emit the fitImage ITS ramdisk section
#
# $1 ... .its filename
# $2 ... Image counter
# $3 ... Path to ramdisk image
fitimage_emit_section_ramdisk() {
ramdisk_csum="${FIT_HASH_ALG}"
ramdisk_sign_algo="${FIT_SIGN_ALG}"
ramdisk_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}"
ramdisk_loadline=""
ramdisk_entryline=""
if [ -n "${UBOOT_RD_LOADADDRESS}" ]; then
ramdisk_loadline="load = <${UBOOT_RD_LOADADDRESS}>;"
fi
if [ -n "${UBOOT_RD_ENTRYPOINT}" ]; then
ramdisk_entryline="entry = <${UBOOT_RD_ENTRYPOINT}>;"
fi
cat << EOF >> $1
ramdisk-$2 {
description = "${INITRAMFS_IMAGE}";
data = /incbin/("$3");
type = "ramdisk";
arch = "${UBOOT_ARCH}";
os = "linux";
compression = "none";
$ramdisk_loadline
$ramdisk_entryline
hash-1 {
algo = "$ramdisk_csum";
};
};
EOF
if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "$ramdisk_sign_keyname" ] ; then
sed -i '$ d' $1
cat << EOF >> $1
signature-1 {
algo = "$ramdisk_csum,$ramdisk_sign_algo";
key-name-hint = "$ramdisk_sign_keyname";
};
};
EOF
fi
}
#
# Emit the fitImage ITS configuration section
#
# $1 ... .its filename
# $2 ... Linux kernel ID
# $3 ... DTB image name
# $4 ... ramdisk ID
# $5 ... u-boot script ID
# $6 ... config ID
# $7 ... default flag
fitimage_emit_section_config() {
conf_csum="${FIT_HASH_ALG}"
conf_sign_algo="${FIT_SIGN_ALG}"
conf_padding_algo="${FIT_PAD_ALG}"
if [ "${UBOOT_SIGN_ENABLE}" = "1" ] ; then
conf_sign_keyname="${UBOOT_SIGN_KEYNAME}"
fi
its_file="$1"
kernel_id="$2"
dtb_image="$3"
ramdisk_id="$4"
bootscr_id="$5"
config_id="$6"
default_flag="$7"
# Test if we have any DTBs at all
sep=""
conf_desc=""
conf_node="${FIT_CONF_PREFIX}"
kernel_line=""
fdt_line=""
ramdisk_line=""
bootscr_line=""
setup_line=""
default_line=""
# conf node name is selected based on dtb ID if it is present,
# otherwise its selected based on kernel ID
if [ -n "$dtb_image" ]; then
conf_node=$conf_node$dtb_image
else
conf_node=$conf_node$kernel_id
fi
if [ -n "$kernel_id" ]; then
conf_desc="Linux kernel"
sep=", "
kernel_line="kernel = \"kernel-$kernel_id\";"
fi
if [ -n "$dtb_image" ]; then
conf_desc="$conf_desc${sep}FDT blob"
sep=", "
fdt_line="fdt = \"fdt-$dtb_image\";"
fi
if [ -n "$ramdisk_id" ]; then
conf_desc="$conf_desc${sep}ramdisk"
sep=", "
ramdisk_line="ramdisk = \"ramdisk-$ramdisk_id\";"
fi
if [ -n "$bootscr_id" ]; then
conf_desc="$conf_desc${sep}u-boot script"
sep=", "
bootscr_line="bootscr = \"bootscr-$bootscr_id\";"
fi
if [ -n "$config_id" ]; then
conf_desc="$conf_desc${sep}setup"
setup_line="setup = \"setup-$config_id\";"
fi
if [ "$default_flag" = "1" ]; then
# default node is selected based on dtb ID if it is present,
# otherwise its selected based on kernel ID
if [ -n "$dtb_image" ]; then
default_line="default = \"${FIT_CONF_PREFIX}$dtb_image\";"
else
default_line="default = \"${FIT_CONF_PREFIX}$kernel_id\";"
fi
fi
cat << EOF >> $its_file
$default_line
$conf_node {
description = "$default_flag $conf_desc";
$kernel_line
$fdt_line
$ramdisk_line
$bootscr_line
$setup_line
hash-1 {
algo = "$conf_csum";
};
EOF
if [ -n "$conf_sign_keyname" ] ; then
sign_line="sign-images = "
sep=""
if [ -n "$kernel_id" ]; then
sign_line="$sign_line${sep}\"kernel\""
sep=", "
fi
if [ -n "$dtb_image" ]; then
sign_line="$sign_line${sep}\"fdt\""
sep=", "
fi
if [ -n "$ramdisk_id" ]; then
sign_line="$sign_line${sep}\"ramdisk\""
sep=", "
fi
if [ -n "$bootscr_id" ]; then
sign_line="$sign_line${sep}\"bootscr\""
sep=", "
fi
if [ -n "$config_id" ]; then
sign_line="$sign_line${sep}\"setup\""
fi
sign_line="$sign_line;"
cat << EOF >> $its_file
signature-1 {
algo = "$conf_csum,$conf_sign_algo";
key-name-hint = "$conf_sign_keyname";
padding = "$conf_padding_algo";
$sign_line
};
EOF
fi
cat << EOF >> $its_file
};
EOF
}
#
# Assemble fitImage
#
# $1 ... .its filename
# $2 ... fitImage name
# $3 ... include ramdisk
fitimage_assemble() {
kernelcount=1
dtbcount=""
DTBS=""
ramdiskcount=$3
setupcount=""
bootscr_id=""
rm -f $1 arch/${ARCH}/boot/$2
if [ -n "${UBOOT_SIGN_IMG_KEYNAME}" -a "${UBOOT_SIGN_KEYNAME}" = "${UBOOT_SIGN_IMG_KEYNAME}" ]; then
bbfatal "Keys used to sign images and configuration nodes must be different."
fi
fitimage_emit_fit_header $1
#
# Step 1: Prepare a kernel image section.
#
fitimage_emit_section_maint $1 imagestart
uboot_prep_kimage
fitimage_emit_section_kernel $1 $kernelcount linux.bin "$linux_comp"
#
# Step 2: Prepare a DTB image section
#
if [ -n "${KERNEL_DEVICETREE}" ]; then
dtbcount=1
for DTB in ${KERNEL_DEVICETREE}; do
if echo $DTB | grep -q '/dts/'; then
bbwarn "$DTB contains the full path to the the dts file, but only the dtb name should be used."
DTB=`basename $DTB | sed 's,\.dts$,.dtb,g'`
fi
# Skip ${DTB} if it's also provided in ${EXTERNAL_KERNEL_DEVICETREE}
if [ -n "${EXTERNAL_KERNEL_DEVICETREE}" ] && [ -s ${EXTERNAL_KERNEL_DEVICETREE}/${DTB} ]; then
continue
fi
DTB_PATH="arch/${ARCH}/boot/dts/$DTB"
if [ ! -e "$DTB_PATH" ]; then
DTB_PATH="arch/${ARCH}/boot/$DTB"
fi
DTB=$(echo "$DTB" | tr '/' '_')
# Skip DTB if we've picked it up previously
echo "$DTBS" | tr ' ' '\n' | grep -xq "$DTB" && continue
DTBS="$DTBS $DTB"
fitimage_emit_section_dtb $1 $DTB $DTB_PATH
done
fi
if [ -n "${EXTERNAL_KERNEL_DEVICETREE}" ]; then
dtbcount=1
for DTB in $(find "${EXTERNAL_KERNEL_DEVICETREE}" \( -name '*.dtb' -o -name '*.dtbo' \) -printf '%P\n' | sort); do
DTB=$(echo "$DTB" | tr '/' '_')
# Skip DTB if we've picked it up previously
echo "$DTBS" | tr ' ' '\n' | grep -xq "$DTB" && continue
DTBS="$DTBS $DTB"
fitimage_emit_section_dtb $1 $DTB "${EXTERNAL_KERNEL_DEVICETREE}/$DTB"
done
fi
#
# Step 3: Prepare a u-boot script section
#
if [ -n "${UBOOT_ENV}" ] && [ -d "${STAGING_DIR_HOST}/boot" ]; then
if [ -e "${STAGING_DIR_HOST}/boot/${UBOOT_ENV_BINARY}" ]; then
cp ${STAGING_DIR_HOST}/boot/${UBOOT_ENV_BINARY} ${B}
bootscr_id="${UBOOT_ENV_BINARY}"
fitimage_emit_section_boot_script $1 "$bootscr_id" ${UBOOT_ENV_BINARY}
else
bbwarn "${STAGING_DIR_HOST}/boot/${UBOOT_ENV_BINARY} not found."
fi
fi
#
# Step 4: Prepare a setup section. (For x86)
#
if [ -e arch/${ARCH}/boot/setup.bin ]; then
setupcount=1
fitimage_emit_section_setup $1 $setupcount arch/${ARCH}/boot/setup.bin
fi
#
# Step 5: Prepare a ramdisk section.
#
if [ "x${ramdiskcount}" = "x1" ] && [ "${INITRAMFS_IMAGE_BUNDLE}" != "1" ]; then
# Find and use the first initramfs image archive type we find
found=
for img in ${FIT_SUPPORTED_INITRAMFS_FSTYPES}; do
initramfs_path="${DEPLOY_DIR_IMAGE}/${INITRAMFS_IMAGE_NAME}.$img"
if [ -e "$initramfs_path" ]; then
bbnote "Found initramfs image: $initramfs_path"
found=true
fitimage_emit_section_ramdisk $1 "$ramdiskcount" "$initramfs_path"
break
else
bbnote "Did not find initramfs image: $initramfs_path"
fi
done
if [ -z "$found" ]; then
bbfatal "Could not find a valid initramfs type for ${INITRAMFS_IMAGE_NAME}, the supported types are: ${FIT_SUPPORTED_INITRAMFS_FSTYPES}"
fi
fi
fitimage_emit_section_maint $1 sectend
# Force the first Kernel and DTB in the default config
kernelcount=1
if [ -n "$dtbcount" ]; then
dtbcount=1
fi
#
# Step 6: Prepare a configurations section
#
fitimage_emit_section_maint $1 confstart
# kernel-fitimage.bbclass currently only supports a single kernel (no less or
# more) to be added to the FIT image along with 0 or more device trees and
# 0 or 1 ramdisk.
# It is also possible to include an initramfs bundle (kernel and rootfs in one binary)
# When the initramfs bundle is used ramdisk is disabled.
# If a device tree is to be part of the FIT image, then select
# the default configuration to be used is based on the dtbcount. If there is
# no dtb present than select the default configuation to be based on
# the kernelcount.
if [ -n "$DTBS" ]; then
i=1
for DTB in ${DTBS}; do
dtb_ext=${DTB##*.}
if [ "$dtb_ext" = "dtbo" ]; then
fitimage_emit_section_config $1 "" "$DTB" "" "$bootscr_id" "" "`expr $i = $dtbcount`"
else
fitimage_emit_section_config $1 $kernelcount "$DTB" "$ramdiskcount" "$bootscr_id" "$setupcount" "`expr $i = $dtbcount`"
fi
i=`expr $i + 1`
done
else
defaultconfigcount=1
fitimage_emit_section_config $1 $kernelcount "" "$ramdiskcount" "$bootscr_id" "$setupcount" $defaultconfigcount
fi
fitimage_emit_section_maint $1 sectend
fitimage_emit_section_maint $1 fitend
#
# Step 7: Assemble the image
#
${UBOOT_MKIMAGE} \
${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
-f $1 \
arch/${ARCH}/boot/$2
#
# Step 8: Sign the image and add public key to U-Boot dtb
#
if [ "x${UBOOT_SIGN_ENABLE}" = "x1" ] ; then
add_key_to_u_boot=""
if [ -n "${UBOOT_DTB_BINARY}" ]; then
# The u-boot.dtb is a symlink to UBOOT_DTB_IMAGE, so we need copy
# both of them, and don't dereference the symlink.
cp -P ${STAGING_DATADIR}/u-boot*.dtb ${B}
add_key_to_u_boot="-K ${B}/${UBOOT_DTB_BINARY}"
fi
${UBOOT_MKIMAGE_SIGN} \
${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
-F -k "${UBOOT_SIGN_KEYDIR}" \
$add_key_to_u_boot \
-r arch/${ARCH}/boot/$2 \
${UBOOT_MKIMAGE_SIGN_ARGS}
fi
}
do_assemble_fitimage() {
if echo ${KERNEL_IMAGETYPES} | grep -wq "fitImage"; then
cd ${B}
fitimage_assemble fit-image.its fitImage ""
fi
}
addtask assemble_fitimage before do_install after do_compile
do_assemble_fitimage_initramfs() {
if echo ${KERNEL_IMAGETYPES} | grep -wq "fitImage" && \
test -n "${INITRAMFS_IMAGE}" ; then
cd ${B}
if [ "${INITRAMFS_IMAGE_BUNDLE}" = "1" ]; then
fitimage_assemble fit-image-${INITRAMFS_IMAGE}.its fitImage ""
else
fitimage_assemble fit-image-${INITRAMFS_IMAGE}.its fitImage-${INITRAMFS_IMAGE} 1
fi
fi
}
addtask assemble_fitimage_initramfs before do_deploy after do_bundle_initramfs
do_kernel_generate_rsa_keys() {
if [ "${UBOOT_SIGN_ENABLE}" = "0" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then
bbwarn "FIT_GENERATE_KEYS is set to 1 even though UBOOT_SIGN_ENABLE is set to 0. The keys will not be generated as they won't be used."
fi
if [ "${UBOOT_SIGN_ENABLE}" = "1" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then
# Generate keys to sign configuration nodes, only if they don't already exist
if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key ] || \
[ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt ]; then
# make directory if it does not already exist
mkdir -p "${UBOOT_SIGN_KEYDIR}"
bbnote "Generating RSA private key for signing fitImage"
openssl genrsa ${FIT_KEY_GENRSA_ARGS} -out \
"${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \
"${FIT_SIGN_NUMBITS}"
bbnote "Generating certificate for signing fitImage"
openssl req ${FIT_KEY_REQ_ARGS} "${FIT_KEY_SIGN_PKCS}" \
-key "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \
-out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt
fi
# Generate keys to sign image nodes, only if they don't already exist
if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".key ] || \
[ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".crt ]; then
# make directory if it does not already exist
mkdir -p "${UBOOT_SIGN_KEYDIR}"
bbnote "Generating RSA private key for signing fitImage"
openssl genrsa ${FIT_KEY_GENRSA_ARGS} -out \
"${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".key \
"${FIT_SIGN_NUMBITS}"
bbnote "Generating certificate for signing fitImage"
openssl req ${FIT_KEY_REQ_ARGS} "${FIT_KEY_SIGN_PKCS}" \
-key "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".key \
-out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".crt
fi
fi
}
addtask kernel_generate_rsa_keys before do_assemble_fitimage after do_compile
kernel_do_deploy[vardepsexclude] = "DATETIME"
kernel_do_deploy:append() {
# Update deploy directory
if echo ${KERNEL_IMAGETYPES} | grep -wq "fitImage"; then
if [ "${INITRAMFS_IMAGE_BUNDLE}" != "1" ]; then
bbnote "Copying fit-image.its source file..."
install -m 0644 ${B}/fit-image.its "$deployDir/fitImage-its-${KERNEL_FIT_NAME}.its"
if [ -n "${KERNEL_FIT_LINK_NAME}" ] ; then
ln -snf fitImage-its-${KERNEL_FIT_NAME}.its "$deployDir/fitImage-its-${KERNEL_FIT_LINK_NAME}"
fi
bbnote "Copying linux.bin file..."
install -m 0644 ${B}/linux.bin $deployDir/fitImage-linux.bin-${KERNEL_FIT_NAME}${KERNEL_FIT_BIN_EXT}
if [ -n "${KERNEL_FIT_LINK_NAME}" ] ; then
ln -snf fitImage-linux.bin-${KERNEL_FIT_NAME}${KERNEL_FIT_BIN_EXT} "$deployDir/fitImage-linux.bin-${KERNEL_FIT_LINK_NAME}"
fi
fi
if [ -n "${INITRAMFS_IMAGE}" ]; then
bbnote "Copying fit-image-${INITRAMFS_IMAGE}.its source file..."
install -m 0644 ${B}/fit-image-${INITRAMFS_IMAGE}.its "$deployDir/fitImage-its-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_NAME}.its"
if [ -n "${KERNEL_FIT_LINK_NAME}" ] ; then
ln -snf fitImage-its-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_NAME}.its "$deployDir/fitImage-its-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_LINK_NAME}"
fi
if [ "${INITRAMFS_IMAGE_BUNDLE}" != "1" ]; then
bbnote "Copying fitImage-${INITRAMFS_IMAGE} file..."
install -m 0644 ${B}/arch/${ARCH}/boot/fitImage-${INITRAMFS_IMAGE} "$deployDir/fitImage-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_NAME}${KERNEL_FIT_BIN_EXT}"
if [ -n "${KERNEL_FIT_LINK_NAME}" ] ; then
ln -snf fitImage-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_NAME}${KERNEL_FIT_BIN_EXT} "$deployDir/fitImage-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_LINK_NAME}"
fi
fi
fi
fi
if [ "${UBOOT_SIGN_ENABLE}" = "1" -o "${UBOOT_FITIMAGE_ENABLE}" = "1" ] && \
[ -n "${UBOOT_DTB_BINARY}" ] ; then
# UBOOT_DTB_IMAGE is a realfile, but we can't use
# ${UBOOT_DTB_IMAGE} since it contains ${PV} which is aimed
# for u-boot, but we are in kernel env now.
install -m 0644 ${B}/u-boot-${MACHINE}*.dtb "$deployDir/"
fi
if [ "${UBOOT_FITIMAGE_ENABLE}" = "1" -a -n "${UBOOT_BINARY}" -a -n "${SPL_DTB_BINARY}" ] ; then
# If we're also creating and/or signing the uboot fit, now we need to
# deploy it, it's its file, as well as u-boot-spl.dtb
install -m 0644 ${B}/u-boot-spl-${MACHINE}*.dtb "$deployDir/"
bbnote "Copying u-boot-fitImage file..."
install -m 0644 ${B}/u-boot-fitImage-* "$deployDir/"
bbnote "Copying u-boot-its file..."
install -m 0644 ${B}/u-boot-its-* "$deployDir/"
fi
}
# The function below performs the following in case of initramfs bundles:
# - Removes do_assemble_fitimage. FIT generation is done through
# do_assemble_fitimage_initramfs. do_assemble_fitimage is not needed
# and should not be part of the tasks to be executed.
# - Since do_kernel_generate_rsa_keys is inserted by default
# between do_compile and do_assemble_fitimage, this is
# not suitable in case of initramfs bundles. do_kernel_generate_rsa_keys
# should be between do_bundle_initramfs and do_assemble_fitimage_initramfs.
python () {
if d.getVar('INITRAMFS_IMAGE_BUNDLE') == "1":
bb.build.deltask('do_assemble_fitimage', d)
bb.build.deltask('kernel_generate_rsa_keys', d)
bb.build.addtask('kernel_generate_rsa_keys', 'do_assemble_fitimage_initramfs', 'do_bundle_initramfs', d)
}