Hi Kever,
Am Donnerstag, 30. April 2020, 11:03:38 CEST schrieb Kever Yang:
This patch will cause build fail on sandbox_spl_defconfig:
dtc: option requires an argument -- 'p'
sandbox_spl is confusing on first glance, it enables the spl_fit-options but does not define any fit sources.
But I also found a general issue with my code below, and by fixing that one sandbox_spl also gets happy again.
On 2020/4/21 上午8:23, Heiko Stuebner wrote:
From: Heiko Stuebner heiko.stuebner@theobroma-systems.com
With SPL_FIT_SIGNATURE enabled we will likely want a generated u-boot.itb to be signed and the key stores so that the spl can reach it.
So add a SPL_FIT_SIGNATURE_KEY_DIR option and suitable hooks into the Makefile to have mkimage sign the .itb and store the used key into the spl dtb file.
The added dependencies should make sure that the u-boot.itb gets generated before the spl-binary gets build, so that there is the necessary space for the key to get included.
Signed-off-by: Heiko Stuebner heiko.stuebner@theobroma-systems.com Reviewed-by: Philipp Tomsich philipp.tomsich@theobroma-systems.com
Kconfig | 8 ++++++++ Makefile | 11 ++++++++++- 2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/Kconfig b/Kconfig index 4051746319..15a783a67d 100644 --- a/Kconfig +++ b/Kconfig @@ -451,6 +451,14 @@ config SPL_FIT_SIGNATURE select SPL_RSA_VERIFY select IMAGE_SIGN_INFO
+config SPL_FIT_SIGNATURE_KEY_DIR
- string "key directory for signing U-Boot FIT image"
- depends on SPL_FIT_SIGNATURE
- default "keys"
- help
The directory to give to mkimage to retrieve keys from whengenerating a signed U-Boot FIT image.- config SPL_LOAD_FIT bool "Enable SPL loading U-Boot as a FIT (basic fitImage features)" select SPL_FIT
diff --git a/Makefile b/Makefile index 26307fd4a6..8e7a7cb50e 100644 --- a/Makefile +++ b/Makefile @@ -1394,6 +1394,14 @@ MKIMAGEFLAGS_u-boot.itb = else MKIMAGEFLAGS_u-boot.itb = -E endif +ifdef CONFIG_SPL_FIT_SIGNATURE +ifdef CONFIG_SPL_OF_CONTROL +MKIMAGEFLAGS_u-boot.itb += -K dts/dt-spl.dtb -r +ifneq ($(CONFIG_SPL_FIT_SIGNATURE_KEY_DIR),"") +MKIMAGEFLAGS_u-boot.itb += -k $(CONFIG_SPL_FIT_SIGNATURE_KEY_DIR) +endif +endif +endif
u-boot.itb: u-boot-nodtb.bin \ $(if $(CONFIG_OF_SEPARATE)$(CONFIG_OF_EMBED)$(CONFIG_OF_HOSTFILE),dts/dt.dtb) \ @@ -1913,7 +1921,8 @@ spl/u-boot-spl.bin: spl/u-boot-spl
spl/u-boot-spl: tools prepare \ $(if $(CONFIG_OF_SEPARATE)$(CONFIG_OF_EMBED)$(CONFIG_SPL_OF_PLATDATA),dts/dt.dtb) \
$(if $(CONFIG_OF_SEPARATE)$(CONFIG_OF_EMBED)$(CONFIG_TPL_OF_PLATDATA),dts/dt.dtb)
$(if $(CONFIG_OF_SEPARATE)$(CONFIG_OF_EMBED)$(CONFIG_TPL_OF_PLATDATA),dts/dt.dtb) \$(if $(CONFIG_SPL_FIT_GENERATOR),u-boot.itb FORCE)
I now realized that this is the wrong check ... i.e. it only checks for SPL_FIT_GENERATOR but that is a string so always defined if SPL_LOAD_FIT is enabled ... also this doesn't take into account SPL_FIT_SOURCE, so the way to go seems to be to check against $U_BOOT_ITS and CONFIG_SPL_FIT_SIGNATZRE instead which gets defined if a suitable fit source is available.
Background for this dependency is that the signature must be done before the spl-binary gets build, because mkimage for the .itb needs to write the key to the spl dtb.
I'll send an updated patch as a reply to this mail.
Heiko