Add the necessary infrastructure to create a U-Boot proper fitimage,
sign it (using the same keys as the kernel-fitimage), and put the public
key in the SPL binary so that verified SPL boot can be accomplished.
Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Move some definitions from u-boot.inc into uboot-config.bbclass and
similarly from kernel-fitimage.bbclass into uboot-sign.bbclass, so that
they can be useful when signing the U-Boot proper fitimage, for a
verified-boot SPL.
Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
KERNEL_DEVICETREE/EXTERNAL_KERNEL_DEVICETREE
There are use cases where a developer wants to add both in-tree and
out-of-tree devicetrees to fitimage, and this is quite normal, for
instance, a developer might need the devicetrees from kernel source
meanwhile maintaining his/her own devicetree overlays to be applied
on top of them.
To support that, we now allow KERNEL_DEVICETREE and
EXTERNAL_KERNEL_DEVICETREE to be both set in configuration files, and
the devicetrees in EXTERNAL_KERNEL_DEVICETREE have higher priority to
override the same names in KERNEL_DEVICETREE.
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Das U-Boot 2021.4-rc1 has the following commit:
    commit 3f04db891a353f4b127ed57279279f851c6b4917
    Author: Simon Glass <sjg@chromium.org>
    Date: Mon Feb 15 17:08:12 2021 -0700
        image: Check for unit addresses in FITs
        Using unit addresses in a FIT is a security risk. Add a check for
        this and disallow it.
        CVE-2021-27138
Adjust the kernel-fitimage.bbclass accordingly to not use unit
addresses. This change is required before we can bump U-Boot to 2021.4.
Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
8a2f4e143 added support for u-boot boot script but missed adding the
extra parameter to fitimage_emit_section_config on the dtbo branch
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This commit adds Initramfs bundle support to the FIT image in addition
to u-boot boot script capability.
These new features are selectable.
In case of Initramfs, the kernel is configured to be bundled with the rootfs
in the same binary (ie: zImage-initramfs-<machine>.bin). When the kernel is
copied to RAM and executed, it unpacks the Initramfs rootfs.
For more information about Initramfs please read:
https://www.kernel.org/doc/Documentation/filesystems/ramfs-rootfs-initramfs.txt
For more details about the Initramfs bundle and boot script implementation
please check the kernel-fitimage.bbclass paragraph in Yocto reference
or mega manual.
Current limitations:
- Initramfs bundle FIT support has been tested on ARM 32-bit
- The kernel image type in case of ARM 32-bit is zImage
Change-Id: I901bfd899e8d733c5b9a2b6645b1d4748f4b1fda
Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Add the ability to have the kernel, dtb and ramdisk individually signed
by setting FIT_SIGN_INDIVIDUAL = "1". This could be useful if you are
intending to verify signatures before using kexec for example.
Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
Signed-off-by: Paul Eggleton <paul.eggleton@microsoft.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Add a UBOOT_MKIMAGE_SIGN_ARGS variable to enable passing additional
options to uboot-mkimage when it is run the second time to perform
signing.
Signed-off-by: Paul Eggleton <paul.eggleton@microsoft.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Add UBOOT_MKIMAGE and UBOOT_MKIMAGE_SIGN variables to allow specifying
an alternative uboot-mkimage executable (or wrapper script/function).
Signed-off-by: Paul Eggleton <paul.eggleton@microsoft.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
fitimage_emit_section_config() has a number of arguments, add named
variables to make the function a bit more readable.
Signed-off-by: Easwar Hariharan <eahariha@microsoft.com>
Signed-off-by: Paul Eggleton <paul.eggleton@microsoft.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Add a FIT_DESC variable to make it possible to change how the
description is set in the FIT image.
Signed-off-by: Paul Eggleton <paul.eggleton@microsoft.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The keys are only generated if they don't exist. The key
generation can be turned off by setting FIT_GENERATE_KEYS to "0".
The default key length for private keys is 2048 and the default
format for public key certificate is x.509.
Signed-off-by: Usama Arif <usama.arif@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This patch adds support for adding configuration node even
when dtb is not part of the FIT image. The conf and default
node number are therefore changed to point to kernel ID rather
than dtb ID when dtb does not exist.
Signed-off-by: Usama Arif <usama.arif@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Ensure that the order of dtb/dtbo files in the generated fitimage is
reproducible.
Fixes: 71bfa9838cbf ("kernel-fitimage: Handle overlays in EXTERNAL_KERNEL_DEVICETREE")
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
When using EXTERNAL_KERNEL_DEVICETREE, collect DTB overlays too (*.dtbo)
as well as iterating down into sub-directories so using the behaviour
for naming which matches KERNEL_DEVICETREE.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
make fitImage configuration signature algorithm selectable with
FIT_SIGN_ALG.
Signed-off-by: Richard Leitner <richard.leitner@skidata.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
kernel.bbclass installs non-standard kernels (where
KERNEL_PACKAGE_NAME is not "kernel") in a subdirectory of ${DEPLOYDIR}.
To achieve this kernel_do_deploy sets the deployDir shell variable to
${DEPLOYDIR} for the standard kernel or
${DEPLOYDIR}/${KERNEL_DEPLOYSUBDIR} for non-standard kernels.
kernel-fitimage.bbclass's kernel_do_deploy_append ought to do the same
and can do so by using the same shell variable.
Signed-off-by: Mike Crowe <mac@mcrowe.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
set in the ramdisk node the compression property
always to "none", as U-Boot nowadays since commit:
b1307f884a91 ("fit: Support compression for non-kernel components (e.g. FDT)")
decompress non kernel components. Setting compression
to the used compression algorithm now, will end in
fail of your kernel boot with the ramdisk.
This issue is fixed since commit:
bddd98573465 ("fit: Do not automatically decompress ramdisk images")
which now prints a warning in U-Boot, instead of decompressing
the ramdisk, but we should setup compression property correct.
Signed-off-by: Heiko Schocher <hs@denx.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
sanitize fitImage hash algorithm selection with FIT_HASH_ALG
switch default hash algorithm from sha1 to sha256
Signed-off-by: Ayoub Zaki <ayoub.zaki@embexus.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Since UBOOT_DTB_BINARY empty means we don't need to inject signatures
into the U-Boot DTB, we can remove the dependencies between consumers of
these two classes and resolve a circular dependency between u-boot and
kernel.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Support RISC-V kernel image, using the "Image" target.
This change allows RISC-V support for fitImage via the following
flow: OpenSBI -> u-boot (as payload) -> Linux kernel (as fitImage
with ramdisk and dtb).
This was tested using QEMU RISC-V 64-bit.
Signed-off-by: Michael Scott <mike@foundries.io>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Fix:
WARNING: python should use 4 spaces indentation, but found tabs in kernel-fitimage.bbclass, line 33
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Currently kernel-fitimage gets the dtb from KERNEL_DEVICETREE, however
there are instances when the DTB file can be generated using other
recipes, provide a way to include the DTB instead of in-kernel device
tree.
Add support for external device tree during the creation of fitimage. If
virtual/dtb is set using PREFERRED_PROVIDER_virtual/dtb = "devicetree", which
inherits the devicetree.bbclass then use the path provided in
EXTERNAL_KERNEL_DEVICETREE else use KERNEL_DEVICETREE during fitimage process
Signed-off-by: Manjukumar Matha <manjukumar.harthikote-matha@xilinx.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
fitimage_initramfs
When building fitimage_initramfs, the correct dependency is to build
after do_bundle_initramfs. We can run into the following dependency
issue
    DEBUG: Python function extend_recipe_sysroot finished
    DEBUG: Executing shell function do_assemble_fitimage_initramfs
    aarch64-xilinx-linux-objcopy: 'vmlinux': No such file
This happens because initramfs renames vmlinux to vmlinux.bak while
generating vmlinux.initramfs, there is a chance that fitimage_initramfs
can also start during this process and create the above issue.
This patch resolves the dependency issue by running fitimage_initramfs
task after do_bundle_initramfs
Signed-off-by: Varalaxmi Bingi <varalaxm@xilinx.com>
Signed-off-by: Manjukumar Matha <manjukumar.harthikote-matha@xilinx.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Fixed:
    MACHINE = "beaglebone-yocto"
    KERNEL_CLASSES += "kernel-fitimage"
    KERNEL_IMAGETYPE_beaglebone-yocto = "fitImage"
    UBOOT_MACHINE_beaglebone-yocto = "am335x_boneblack_vboot_config"
    UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb -p 2000"
    UBOOT_SIGN_KEYDIR = "${TOPDIR}/conf"
    UBOOT_SIGN_KEYNAME = "dev"
    UBOOT_SIGN_ENABLE = "1"
    IMAGE_INSTALL_remove = "kernel-image-zimage"
    $ cd conf
    $ openssl genrsa -F4 -out dev.key 2048
    $ openssl req -batch -new -x509 -key dev.key -out dev.crt
    $ cd ../
    $ bitbake u-boot linux-yocto
    $ grep signature tmp/deploy/images/beaglebone-yocto/*.dtb
    Binary file tmp/deploy/images/beaglebone-yocto/u-boot-beaglebone-yocto-2018.07-r0.dtb matches
    Binary file tmp/deploy/images/beaglebone-yocto/u-boot-beaglebone-yocto.dtb matches
    Binary file tmp/deploy/images/beaglebone-yocto/u-boot.dtb matches
And there would be no signature info when rebuild from sstate:
    $ bitbake u-boot linux-yocto -cclean
    $ bitbake u-boot linux-yocto
    $ grep signature tmp/deploy/images/beaglebone-yocto/*.dtb
    No result
This is because kernel directly edits ${DEPLOY_DIR_IMAGE}/u-boot.dtb, (Note, it
is global ${DEPLOY_DIR_IMAGE}, not recipe's DEPLOYDIR), so that the modified
info is not in sstate, and would be lost when rebuild from sstate.
There are other problems in previous code:
- The u-boot.dtb is provided by u-boot, but edited by kernel during signing, so
  it should be deployed by kernel rather than u-boot.
- The u-boot.do_concat_dtb directly install files to global ${DEPLOY_DIR_IMAGE},
  this is incorrect, the ${DEPLOY_DIR_IMAGE} should be installed by do_deploy.
- It seems that it assumes do_deploy depends on do_install according to the comments,
  but they have no relationships:
    # do_concat_dtb is scheduled _before_ do_install as it overwrite the
    # u-boot.bin in both DEPLOYDIR and DEPLOY_IMAGE_DIR.
- The do_concat_dtb should be run after do_compile, but it doesn't have this
  dependency.
Make u-boot install u-boot.dtb to ${datadir}, kernel copies u-boot.dtb from
${STAGING_DATADIR} to ${B} and deploy it can fix the problem.
[YOCTO #12112]
Reported-by: Christian Andersen <c.andersen@kostal.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Fix:
WARNING: python should use 4 spaces indentation, but found tabs in kernel-fitimage.bbclass, line 24
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This utility is used for creation of images containing
usable in run-time U-Boot environment.
As of today this utility is added per-board like here [1]
for Intel Edison board.
[1] http://git.yoctoproject.org/cgit/cgit.cgi/meta-intel-edison/tree/meta-intel-edison-bsp/recipes-bsp/u-boot/u-boot-tools_2014.04.bb
Given there're quite some U-Boot tools that we may want to add later
this recipe name switch from "u-boot-mkimage" to generic "u-boot-tools"
still for compatibility we provide "u-boot-mkimage" with help
of PROVIDES as well as proposed "u-boot-mkenvimage".
Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>
Cc: Richard Purdie <richard.purdie@linuxfoundation.org>
Cc: Otavio Salvador <otavio@ossystems.com.br>
Cc: Martin Jansa <martin.jansa@gmail.com>
Cc: Ross Burton <ross.burton@intel.com>
Cc: Marek Vasut <marex@denx.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
When deploying the its file, the target of the symlink is missing the its
extension, add it here.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
*_BASE_NAME to *_NAME
* for consistency with IMAGE_NAME and IMAGE_LINK_NAME
and to avoid confusion with IMAGE_BASENAME (which is the
actual name of the artifact, e.g. PN while KERNEL_IMAGE_BASE_NAME
was only the version suffix)
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
KERNEL_FIT_SYMLINK_NAME variables
* use the same naming scheme for fitImage files like all other deployed artifacts
* remove unnecessary cd to DEPLOYDIR
* remove unnecessary cd to B
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Chunrong Guo <chunrong.guo@nxp.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
If UBOOT_DTB_BINARY is empty, then don't try inserting the U-Boot
signing keys into the DTB. In this configuration the keys are expected
to be already present in U-Boot's DTB.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
When generating overlay DTB configuration sections, U-Boot doesn't want
the kernel specified again as we already have that in our base DTB. Add
support for this to allow bootm to process overlay configuration sections.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Introduce UBOOT_DTB_LOADADDRESS and UBOOT_DTBO_LOADADDRESS so that you
can set where U-Boot loads full and overlay DTBs. This is required when
using bootm's overlay support to construct the final DTB.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
64 bit entry point should be passed in 2 literals ("0x1 0x00008000").
ENTRYPOINT is assigned with first half only and erroring out as
'command not found' for the second half. Adding quotes while assignment fixes the
issue.
Signed-off-by: Vineeth Chowdary Karumanchi <vineethchowz.chowdary@xilinx.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
When using kernel-fitimage class with microblaze, the image type has to be
linux.bin not zImage. This patch fixes the bad image type replacement
for microblaze
Signed-off-by: Manjukumar Matha <manjukumar.harthikote-matha@xilinx.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
When using kernel-fitimage class with aarch64, the image type has to be
Image not zImage. This patch fixes the bad image type replacement for
aarch64
Signed-off-by: Thomas Perrot <thomas.perrot@tupi.fr>
Signed-off-by: Manjukumar Matha <manjukumar.harthikote-matha@xilinx.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
On MIPS, the compressed kernel image target is vmlinuz.bin
Signed-off-by: André Draszik <adraszik@tycoint.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
- vmlinux is located in ${B}, not ${S}.
- parsing of nm output got broken completely in commit
b406a89935f148779569fa3770776e009dd51f13 ("kernel-fitimage: add
initramfs support"), commit ec755d2524fcbd9dfded23a576f25c990d405a6c
in yocto
While at it, make awk exit on match to save a few CPU cycles.
Signed-off-by: André Draszik <adraszik@tycoint.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
We can't build fitImages for MIPS any more:
| Error: fit-image.its:21.27-28 syntax error
| FATAL ERROR: Unable to parse input tree
| uboot-mkimage: Can't read arch/mips/boot/fitImage.tmp: Invalid argument
Since commit cd2ed7f80b555add07795cc0cbaee866e6c193a3
("kernel-fitimage: dtb sections named by their filenames
and one config section for each dtb"), commit
1ec405ef5df82884c8997878bbe6c66d924b5127 in yocto, dtb
sections are named by the DTB filename, but the filename
can legally be in a subdirectory below
arch/$arch/boot/dts/, and on MIPS all DTBs are actually
in a subdirectory.
If so, mkimage fails with the above error message.
Unbreak this by replacing the offending character
(directory separator /)
Signed-off-by: André Draszik <adraszik@tycoint.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
It defaults to ${INITRAMFS_IMAGE}-${MACHINE} if INITRAMFS_IMAGE is not
empty.
This allows the end users to be able to override the initramfs image
name with a customized value.
Signed-off-by: Ming Liu <peter.x.liu@external.atlascopco.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
In entire meta/classes/ directory, replace shell tests of the form
"if test -? ..." with POSIX tests of the form "if [ -? ...
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
section for each dtb
Before this, dtb sections were named by their position index in KERNEL_DEVICETREE. Also there was only one item in the config section, so only the first dtb was seen by the bootloader.
This patch adds a config section for each dtb named by the dtb filename. This is what bootloaders usually know about the machine they run on.
Signed-off-by: Florian Wickert <fw@javox-solutions.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
U-Boot people are amazingly pedantic in their insistence on proper
spelling of "U-Boot", so humour them.
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
kernel-fitimage:fitimage_assemble() was calling copy_initramfs from
kernel.bbclass which decompresses the initramfs cpio. Assume that if
INITRAMFS_FSTYPES includes a compressed cpio, that is what is desired in
the FIT image.
Signed-off-by: Rick Altherr <raltherr@google.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Check the value of UBOOT_SIGN_ENABLE, as it is defaulted to "0" which
matches as True in Python due to being a non-empty string.
Signed-off-by: Nathan Rossi <nathan@nathanrossi.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
The name of the output image for a fitImage that contains a ramdisk
should match the same as for the fitImage that does not contain a
ramdisk. As such it should not be assumed that KERNEL_IMAGETYPE is
"fitImage". This change explicitly sets the name of the output
ramdisk/initramfs to start with fitImage as does the non-ramdisk output.
Signed-off-by: Nathan Rossi <nathan@nathanrossi.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Allow the load and entry addresses to remain unset if the UBOOT_RD_*
variables are also unset for ramdisk entries in the image tree. This
allows for U-Boot to decide dynamically where to load the ramdisk.
Signed-off-by: Nathan Rossi <nathan@nathanrossi.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
getVar() now defaults to expanding by default, thus remove the True
option from getVar() calls with a regex search and replace.
Search made with the following regex: getVar ?\(( ?[^,()]*), True\)
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
For x86, bzImage must be built instead of zImage.
Include setup.bin (which is required to boot the kernel) in the fitimage
and always use a load/boot address of 0x00090000.
For details see:
http://git.denx.de/?p=u-boot.git;a=blob;f=doc/uImage.FIT/x86-fit-boot.txt
Signed-off-by: George McCollister <george.mccollister@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|