[U-Boot] [U-Boot, 1/1] arm: mach-omap2: Fix secure file generation

Andrew F. Davis afd at ti.com
Fri Dec 9 21:05:29 CET 2016 

On 12/09/2016 01:59 PM, Tom Rini wrote:
> On Thu, Dec 08, 2016 at 04:48:07PM -0600, Andrew F. Davis wrote:
> 
>> When TI_SECURE_DEV_PKG is not defined we warn that the file '*_HS' was
>> not generated but generate an unsigned one anyway. When TI_SECURE_DEV_PKG
>> is exported and the user re-builds, make will detect this file as
>> unchangedand and so assume it does not need to be re-generated. This
>> causes it to pack unsigned files. Fix this by not generating these
>> fake unsigned *_HS files.
>>
>> Signed-off-by: Andrew F. Davis <afd at ti.com>
>> Reviewed-by: Tom Rini <trini at konsulko.com>
>> ---
>>  arch/arm/mach-omap2/config_secure.mk | 4 ++--
>>  1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/arch/arm/mach-omap2/config_secure.mk b/arch/arm/mach-omap2/config_secure.mk
>> index 1122439..33c7059 100644
>> --- a/arch/arm/mach-omap2/config_secure.mk
>> +++ b/arch/arm/mach-omap2/config_secure.mk
>> @@ -35,12 +35,12 @@ cmd_omapsecureimg = $(TI_SECURE_DEV_PKG)/scripts/secure-binary-image.sh \
>>  else
>>  cmd_omapsecureimg = echo "WARNING:" \
>>  	"$(TI_SECURE_DEV_PKG)/scripts/secure-binary-image.sh not found." \
>> -	"$@ was NOT created!"; cp $< $@
>> +	"$@ was NOT created!";
>>  endif
>>  else
>>  cmd_omapsecureimg = echo "WARNING: TI_SECURE_DEV_PKG environment" \
>>  	"variable must be defined for TI secure devices." \
>> -	"$@ was NOT created!"; cp $< $@
>> +	"$@ was NOT created!";
>>  endif
>>  endif
> 
> OK, but now that I build test this (without the tools present) this is a
> NAK.  The root problem is that if we don't make that dummy file we then:
>        arm:  +   am57xx_hs_evm
> +(am57xx_hs_evm) ./tools/mkimage: Can't open u-boot-nodtb_HS.bin: No such file or directory
> +(am57xx_hs_evm) ./tools/mkimage: failed to build FIT
> +(am57xx_hs_evm) make[1]: *** [u-boot_HS.img] Error 1
> +(am57xx_hs_evm) make: *** [sub-make] Error 2
> 

Is this not okay? build *should* fail if TI_SECURE_DEV_PKG is not
defined. You cannot sign images that *need* to be signed to work on this
platform, making a fake un-bootable image instead of failing is a hack
and it confuses the make system when you do put the signing tool in-place.

> So perhaps we need to make use of some other logic to rebuild on
> TI_SECURE_DEV_PKG changing?
>

More information about the U-Boot mailing list