On Fri, May 31, 2024 at 06:35:38PM +0100, Andre Przywara wrote:

> Hi,
> 
> some Allwinner devices use some kind of "secure boot", which requires the
> SPL image to be built wrapped in a TOC0 format instead of the normal EGON
> format. mkimage has supported that for a while, but for that to work it
> requires some private key in the current directory. This key is easily
> generated with "openssl genrsa -out root_key.pem", and mkimage prints that
> command when no file is found, so it's easy for users to comply.
> 
> However this understandably upsets the gitlab CI, and breaks the build:
> https://source.denx.de/u-boot/custodians/u-boot-sunxi/-/jobs/835423
> +mkimage (TOC0): error: Failed to read private key from 'root_key.pem'
> +mkimage (TOC0): info: Try 'openssl genrsa -out root_key.pem'
> +make[2]: *** [scripts/Makefile.spl:446: spl/sunxi-spl.bin] Error 1
> +make[2]: *** Deleting file 'spl/sunxi-spl.bin'
> +make[1]: *** [Makefile:2089: spl/u-boot-spl] Error 2
> +make[1]: *** Deleting file 'spl/u-boot-spl'
> +make: *** [Makefile:177: sub-make] Error 2
> 
> This prevents me from merging the defconfig for a device requiring secure
> boot, so I was wondering what the solution would be?
> The actual key is irrelevant for the build, so we could either insert
> *some* root_key.pem into the CI build directory, or generate this key on
> the fly, using openssl.
> 
> I have no clue what would be best or easiest here, or how to pull this
> off, so any suggestions are welcome.

The short answer would be that we should be using the same facility in
binman to allow _this_ binary to be faked that we do for others? And the
slightly longer answer is that if it must be in the source, not the
object directory, then you're going to break Azure CI as the source
directory is read only there.

-- 
Tom
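One way to do the "generate this key on the fly" option Andre mentions, written here as an added example that is not code from the thread, from U-Boot, or from binman: a small shell helper that creates a throwaway root_key.pem in a writable build directory only when none exists, so a CI job never has to ship a key. It assumes openssl is on PATH, that the directory passed in is writable (Tom's point about the read-only source tree on Azure is why the object directory, not the source, is used), and that the key's only purpose is letting mkimage run, as Andre states; the helper names and the `key_is_pem` check are my own.

```shell
#!/bin/sh
# Added example, not from the thread: create a throwaway TOC0 signing key
# in the build (object) directory when none exists, so mkimage can run in
# CI without a pre-provisioned root_key.pem. Idempotent: an existing key
# is left untouched, so repeated make invocations reuse it.
#
# Assumptions: openssl on PATH; <objdir> is writable (the source tree may
# be read-only, as on Azure CI); the key value does not matter for the build.

# ensure_build_key <objdir>
# Creates <objdir>/root_key.pem if absent. Returns 0 on success, 1 if
# openssl is missing or key generation fails.
ensure_build_key() {
    objdir="$1"
    key="$objdir/root_key.pem"

    # Reuse an existing, non-empty key rather than regenerating it.
    if [ -s "$key" ]; then
        return 0
    fi

    if ! command -v openssl >/dev/null 2>&1; then
        echo "ensure_build_key: openssl not found on PATH" >&2
        return 1
    fi

    # Same command mkimage itself suggests ('openssl genrsa -out root_key.pem');
    # key size is left at openssl's default. The umask in the subshell keeps
    # the generated file readable only by the build user.
    (umask 077 && openssl genrsa -out "$key" 2>/dev/null)
}

# key_is_pem <file>
# Cheap sanity check that the file is a PEM private key (matches both the
# "BEGIN RSA PRIVATE KEY" header of OpenSSL 1.x and "BEGIN PRIVATE KEY" of 3.x).
key_is_pem() {
    head -n 1 "$1" | grep -q 'BEGIN .*PRIVATE KEY'
}

# Usage before the build, e.g.:
#   O=build/sunxi
#   mkdir -p "$O" && ensure_build_key "$O" && make O="$O" ...
# Whether mkimage then finds the key depends on the directory it is invoked
# from, which the thread leaves open; the helper only guarantees the file exists.
```

The `-s` test on the existing file matters: an empty root_key.pem left behind by an interrupted earlier run would otherwise be treated as present and fail inside mkimage with the same "Failed to read private key" error, so the helper regenerates in that case.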
