u-boot-sign:uboot-config: support to verify signed FIT image

It does not verify the signed FIT image of kernel and uboot. To catch the unexpected errors as far as possible at the build time, add uboot-fit-check-sign tool which is provided by u-boot to verify the signed FIT image. (From OE-Core rev: 17d3c8315e7a7adbe27183e11e1b6d588c1a1784) Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-04-02 02:49:11 +00:00 · 2024-01-19 14:19:36 +08:00 · 2024-01-19 14:19:36 +08:00 · 06aab81591
commit 06aab81591
parent 338a96e7c3
2 changed files with 13 additions and 0 deletions
--- a/meta/classes-recipe/uboot-config.bbclass
+++ b/meta/classes-recipe/uboot-config.bbclass
@ -94,6 +94,9 @@ SPL_MKIMAGE_SIGN_ARGS ?= ""
 UBOOT_DTB ?= ""
 UBOOT_DTB_BINARY ??= ""

+# uboot-fit_check_sign command
+UBOOT_FIT_CHECK_SIGN ?= "uboot-fit_check_sign"
+
 python () {
    ubootmachine = d.getVar("UBOOT_MACHINE")
    ubootconfigflags = d.getVarFlags('UBOOT_CONFIG')
--- a/meta/classes-recipe/uboot-sign.bbclass
+++ b/meta/classes-recipe/uboot-sign.bbclass
@ -112,6 +112,10 @@ concat_dtb() {
 			-K "${UBOOT_DTB_BINARY}" \
 			-r ${B}/fitImage-linux \
 			${UBOOT_MKIMAGE_SIGN_ARGS}
+		# Verify the kernel image and u-boot dtb
+		${UBOOT_FIT_CHECK_SIGN} \
+			-k "${UBOOT_DTB_BINARY}" \
+			-f ${B}/fitImage-linux
 		cp ${UBOOT_DTB_BINARY} ${UBOOT_DTB_SIGNED}
 	fi

@ -316,6 +320,12 @@ EOF
 			-K "${SPL_DIR}/${SPL_DTB_BINARY}" \
 			-r ${UBOOT_FITIMAGE_BINARY} \
 			${SPL_MKIMAGE_SIGN_ARGS}
+		#
+		# Verify the U-boot FIT image and SPL dtb
+		#
+		${UBOOT_FIT_CHECK_SIGN} \
+			-k "${SPL_DIR}/${SPL_DTB_BINARY}" \
+			-f ${UBOOT_FITIMAGE_BINARY}
 	fi

 	if [ -e "${SPL_DIR}/${SPL_DTB_BINARY}" ]; then