1# This file is part of U-Boot verified boot support and is intended to be
2# inherited from u-boot recipe and from kernel-fitimage.bbclass.
3#
4# The signature procedure requires the user to generate an RSA key and
5# certificate in a directory and to define the following variable:
6#
7# UBOOT_SIGN_KEYDIR = "/keys/directory"
8# UBOOT_SIGN_KEYNAME = "dev" # keys name in keydir (eg. "dev.crt", "dev.key")
9# UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb -p 2000"
10# UBOOT_SIGN_ENABLE = "1"
11#
12# As verified boot depends on fitImage generation, following is also required:
13#
14# KERNEL_CLASSES ?= " kernel-fitimage "
15# KERNEL_IMAGETYPE ?= "fitImage"
16#
17# The signature support is limited to the use of CONFIG_OF_SEPARATE in U-Boot.
18#
19# The tasks sequence is set as below, using DEPLOY_IMAGE_DIR as common place to
20# treat the device tree blob:
21#
22# u-boot:do_deploy_dtb
23# u-boot:do_deploy
24# virtual/kernel:do_assemble_fitimage
25# u-boot:do_concat_dtb
26# u-boot:do_install
27#
28# For more details on signature process, please refer to U-boot documentation.
29
# Signature activation.
# Weak default: signing stays off unless a configuration sets this to "1".
# do_concat_dtb and the anonymous python function in this class only act
# when the value is exactly "1".
UBOOT_SIGN_ENABLE ?= "0"

# Default value for deployment filenames.
# *_IMAGE is the versioned file name written to the deploy directory;
# *_BINARY and *_SYMLINK are the names do_deploy_dtb links to it.
UBOOT_DTB_IMAGE ?= "u-boot-${MACHINE}-${PV}-${PR}.dtb"
UBOOT_DTB_BINARY ?= "u-boot.dtb"
UBOOT_DTB_SYMLINK ?= "u-boot-${MACHINE}.dtb"
UBOOT_NODTB_IMAGE ?= "u-boot-nodtb-${MACHINE}-${PV}-${PR}.${UBOOT_SUFFIX}"
UBOOT_NODTB_BINARY ?= "u-boot-nodtb.${UBOOT_SUFFIX}"
UBOOT_NODTB_SYMLINK ?= "u-boot-nodtb-${MACHINE}.${UBOOT_SUFFIX}"
40
41#
42# Following is relevant only for u-boot recipes:
43#
44
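# Deploy the U-Boot device tree blob and the DTB-less U-Boot binary.
#
# Each of the two build outputs (UBOOT_DTB_BINARY, UBOOT_NODTB_BINARY) that
# exists in B is copied into DEPLOYDIR under its versioned *_IMAGE name, and
# the *_SYMLINK and *_BINARY names in DEPLOYDIR are re-pointed at that copy.
# A missing build output is skipped without an error.
#
# The deployed DTB is the file do_concat_dtb later joins with the DTB-less
# binary, so it is the artifact expected to carry the public key.
do_deploy_dtb () {
    mkdir -p "${DEPLOYDIR}"
    # The rm/ln calls below use relative names, so they act inside DEPLOYDIR.
    cd "${DEPLOYDIR}"

    # All expansions are quoted so a path containing whitespace is handled
    # as one argument instead of being split.
    if [ -f "${B}/${UBOOT_DTB_BINARY}" ]; then
        install "${B}/${UBOOT_DTB_BINARY}" "${DEPLOYDIR}/${UBOOT_DTB_IMAGE}"
        # Drop stale links first so ln never follows an old target.
        rm -f "${UBOOT_DTB_BINARY}" "${UBOOT_DTB_SYMLINK}"
        ln -sf "${UBOOT_DTB_IMAGE}" "${UBOOT_DTB_SYMLINK}"
        ln -sf "${UBOOT_DTB_IMAGE}" "${UBOOT_DTB_BINARY}"
    fi
    if [ -f "${B}/${UBOOT_NODTB_BINARY}" ]; then
        install "${B}/${UBOOT_NODTB_BINARY}" "${DEPLOYDIR}/${UBOOT_NODTB_IMAGE}"
        rm -f "${UBOOT_NODTB_BINARY}" "${UBOOT_NODTB_SYMLINK}"
        ln -sf "${UBOOT_NODTB_IMAGE}" "${UBOOT_NODTB_SYMLINK}"
        ln -sf "${UBOOT_NODTB_IMAGE}" "${UBOOT_NODTB_BINARY}"
    fi
}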
62
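# Produce the final U-Boot image that embeds the DTB carrying the public key.
#
# Does nothing unless UBOOT_SIGN_ENABLE is "1". Otherwise one of:
#   - suffix "img" or "rom" and the deployed DTB exists: rebuild U-Boot with
#     EXT_DTB pointing at the deployed DTB, then install the result into both
#     DEPLOYDIR and DEPLOY_DIR_IMAGE;
#   - deployed DTB-less image and deployed DTB both exist: concatenate them
#     into B/UBOOT_BINARY and DEPLOYDIR/UBOOT_IMAGE;
#   - neither: emit a warning and leave the existing binary untouched.
do_concat_dtb () {
    # Concatenate U-Boot w/o DTB & DTB with public key
    # (cf. kernel-fitimage.bbclass for more details)
    if [ "x${UBOOT_SIGN_ENABLE}" = "x1" ]; then
        # Separate [ ] tests joined by ||/&& replace the obsolescent -o/-a
        # operators, which are ambiguous for some operand values.
        if { [ "x${UBOOT_SUFFIX}" = "ximg" ] || [ "x${UBOOT_SUFFIX}" = "xrom" ]; } && \
           [ -e "${DEPLOYDIR}/${UBOOT_DTB_IMAGE}" ]; then
            cd "${B}"
            oe_runmake EXT_DTB="${DEPLOYDIR}/${UBOOT_DTB_IMAGE}"
            install "${B}/${UBOOT_BINARY}" "${DEPLOYDIR}/${UBOOT_IMAGE}"
            install "${B}/${UBOOT_BINARY}" "${DEPLOY_DIR_IMAGE}/${UBOOT_IMAGE}"
        elif [ -e "${DEPLOYDIR}/${UBOOT_NODTB_IMAGE}" ] && [ -e "${DEPLOYDIR}/${UBOOT_DTB_IMAGE}" ]; then
            cd "${DEPLOYDIR}"
            # Two plain redirections instead of `cat | tee`: in a pipeline
            # only tee's status is reported, so a failed or short read by cat
            # could leave a truncated image without failing the task.
            cat "${UBOOT_NODTB_IMAGE}" "${UBOOT_DTB_IMAGE}" > "${B}/${UBOOT_BINARY}"
            cat "${B}/${UBOOT_BINARY}" > "${UBOOT_IMAGE}"
        else
            # NOTE(review): this path fails open. Signing was requested, yet
            # the task only warns and still succeeds, so the deployed U-Boot
            # carries no public key. Builds that must enforce verified boot
            # should check for this warning or turn it into bbfatal.
            bbwarn "Failure while adding public key to u-boot binary. Verified boot won't be available."
        fi
    fi
}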
81
python () {
    # Anonymous function: wires the signing tasks into the U-Boot recipe.
    # It acts only when UBOOT_SIGN_ENABLE is '1' and the recipe being parsed
    # (PN) is the preferred u-boot provider, defaulting to 'u-boot'.
    preferred_uboot = d.getVar('PREFERRED_PROVIDER_u-boot', True) or 'u-boot'
    signing_enabled = d.getVar('UBOOT_SIGN_ENABLE', True) == '1'
    if not (signing_enabled and d.getVar('PN', True) == preferred_uboot):
        return

    # NOTE(review): no fallback is applied here, so an unset
    # PREFERRED_PROVIDER_virtual/kernel is formatted into the dependency
    # string below as 'None' - confirm the variable is always set when
    # signing is enabled.
    kernel_provider = d.getVar('PREFERRED_PROVIDER_virtual/kernel', True)

    # u-boot.dtb and u-boot-nodtb.bin are deployed _before_ do_deploy.
    # Thus, do_deploy_setscene will also populate them in DEPLOY_IMAGE_DIR.
    bb.build.addtask('do_deploy_dtb', 'do_deploy', 'do_compile', d)

    # do_concat_dtb is scheduled _before_ do_install because it overwrites
    # the u-boot.bin in both DEPLOYDIR and DEPLOY_IMAGE_DIR.
    bb.build.addtask('do_concat_dtb', 'do_install', None, d)

    # The DTB holding the public key comes from the kernel recipe's fitImage
    # assembly, so do_concat_dtb must wait for that task.
    fitimage_dep = ' %s:do_assemble_fitimage' % kernel_provider
    d.appendVarFlag('do_concat_dtb', 'depends', fitimage_dep)
}