Hello, I have a problem with U-Boot verified boot and the sstate caching of build artifacts.

On a clean rebuild (deleted sstate and tmp dir), the signed FIT image and U-Boot incl. the public key are correctly created. But when I delete the tmp dir and let bitbake recreate it from sstate, the public key in U-Boot is missing.

The task sequence according to uboot-sign.bbclass is:

# u-boot:do_deploy_dtb
# u-boot:do_deploy
# virtual/kernel:do_assemble_fitimage
# u-boot:do_concat_dtb
# u-boot:do_install

The problem seems to be that while assembling the FIT image (from the kernel recipe), the U-Boot DTB in DEPLOY_IMAGE_DIR is modified and the public key is inserted. After that, U-Boot and the new DTB are concatenated. This happens for the U-Boot image in DEPLOYDIR as well as in DEPLOY_IMAGE_DIR.

The problem now is that the sstate caches the versions of U-Boot and DTB while deploying them. Since this happens before assembling the FIT image, the sstate now contains U-Boot and DTB without the public key. U-Boot unfortunately (silently!) disables verified boot when the public key is not available in the DTB.

I already filed a bug (#12112) for this, but does anybody have an idea how to easily fix this (other than cleaning the sstate of U-Boot/Kernel after deleting the tmp dir)?

A possible solution would be to remove the dependency between kernel and U-Boot. But in this case it would be necessary to insert the public key into the DTB while building U-Boot without using the FIT image from the kernel build. Unfortunately uboot-mkimage does not support this at the moment.

Regards
Christian

--
KOSTAL Industrie Elektrik GmbH
www.kostal-industrie-elektrik.com