Rasmus Villemoes rasmus.villemoes at prevas.dk
Mon Oct 25 09:27:22 CEST 2021

On 28/09/2021 10.56, Rasmus Villemoes wrote:
> The build system already automatically looks for and includes an
> in-tree *-u-boot.dtsi when building the control .dtb. However, there
> are some things that are awkward to maintain in such an in-tree file,
> most notably the metadata associated to public keys used for verified
> boot.
> The only "official" API to get that metadata into the .dtb is via
> mkimage, as a side effect of building an actual signed image. But
> there are multiple problems with that. First of all, the final U-Boot
> (be it U-Boot proper or an SPL) image is built based on a binary
> image, the .dtb, and possibly some other binary artifacts. So
> modifying the .dtb after the build requires the meta-buildsystem
> (Yocto, buildroot, whatnot) to know about and repeat some of the steps
> that are already known to and handled by U-Boot's build system,
> resulting in needless duplication of code.

I should add that it's one thing when dealing with U-Boot proper and
that just needs to be generated by cat'ing u-boot-nodtb.bin and a
modified .dtb. But when the final generation is more complicated than
that, e.g. involving black magic binman (which doesn't care to write out
.cmd files so one can figure out what exactly happened under the hood),
it's really really cumbersome.

> It's also somewhat annoying
> and inconsistent to have a .dtb file in the build folder which is not
> generated by the command listed in the corresponding .cmd file (that
> of course applies to any generated file).
> So the contents of the /signature node really need to be baked into
> the .dtb file when it is first created, which means providing the
> relevant data in the form of a .dtsi file. One could in theory put
> that data into the *-u-boot.dtsi file, but it's more convenient to be
> able to provide it externally: For example, when developing for a
> customer, it's common to use a set of dummy keys for development,
> while the consultants do not (and should not) have access to the
> actual keys used in production. For such a setup, it's easier if the
> keys used are chosen via the meta-buildsystem and the path(s) patched
> in during the configure step. And of course, nothing prevents anybody
> from having DEVICE_TREE_INCLUDES point at files maintained in git, or
> for that matter from including the public key metadata in the
> *-u-boot.dtsi directly and ignoring this feature.
> There are other uses for this, e.g. in combination with ENV_IMPORT_FDT
> it can be used for providing the contents of the /config/environment
> node, so I don't want to tie this exclusively to use for verified
> boot.


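As an added illustration (not a file from the thread or from U-Boot itself), this is the shape of an external .dtsi that a meta-buildsystem could point CONFIG_DEVICE_TREE_INCLUDES at: a /signature node carrying the public-key metadata for verified boot, plus a /config/environment node for ENV_IMPORT_FDT. The key name, the environment variable values and the byte values are constructed placeholders; the real rsa,* blobs are what mkimage -K writes out.

```dts
/* Constructed example: dev-keys-u-boot.dtsi, included via
 * CONFIG_DEVICE_TREE_INCLUDES so the data is in the control .dtb
 * from the first dtc run, not patched in afterwards.
 */
/ {
	signature {
		/* One node per public key; "dev" is a placeholder key name.
		 * required = "conf" means configurations must be signed
		 * with this key for the FIT to be accepted.
		 */
		key-dev {
			required = "conf";
			algo = "sha256,rsa2048";
			key-name-hint = "dev";
			rsa,num-bits = <2048>;
			/* Placeholder bytes: replace with the values mkimage -K
			 * emits for the development key (256-byte modulus,
			 * 256-byte r-squared, 4-byte n0-inverse, exponent).
			 */
			rsa,n0-inverse = <0x00000000>;
			rsa,exponent = <0x00 0x10001>;
			rsa,modulus = [ 00 ];
			rsa,r-squared = [ 00 ];
		};
	};

	config {
		/* With ENV_IMPORT_FDT each property here becomes an
		 * environment variable; values are constructed examples.
		 */
		environment {
			bootdelay = "0";
			bootcmd = "run verified_boot";
		};
	};
};
```

Because the node is part of the .dtb produced by the listed dtc command, the .cmd file in the build folder stays an accurate record of how the file was generated.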
More information about the U-Boot mailing list