[PATCH v4 2/2] binman: expand test coverage to nxp_imx8mcst

Brian Ruley brian.ruley at gehealthcare.com
Tue Dec 3 12:44:19 CET 2024


Hi Simon,

On Wed, Nov 20, 2024 at 05:40:42AM -0700, Simon Glass wrote:
> 
> WARNING: This email originated from outside of GE HealthCare. Please validate the sender's email address before clicking on links or attachments as they may not be safe.
> 
> Hi Brian,
> 
> On Mon, 4 Nov 2024 at 01:33, Brian Ruley <brian.ruley at gehealthcare.com> wrote:
> >
> > On Wed, Oct 30, 2024 at 09:23:46AM -0300, Fabio Estevam wrote:
> > >
> > > WARNING: This email originated from outside of GE HealthCare. Please validate the sender's email address before clicking on links or attachments as they may not be safe.
> > >
> > > Hi Brian,
> > >
> > > On Wed, Oct 30, 2024 at 5:08???AM Brian Ruley
> > > <brian.ruley at gehealthcare.com> wrote:
> > > >
> > > > Add coverage for IMX8M code siging. Create PKI tree and other assets
> > > > required by `cst' using `hab4_pki_tree.sh' script and `srktool' in
> > > > `cst_3.4.1' [1].
> > > >
> > > > [1] https://www.nxp.com/webapp/Download?colCode=IMX_CST_TOOL_NEW
> > > >
> > > > Signed-off-by: Brian Ruley <brian.ruley at gehealthcare.com>
> > > > ---
> > > > Changes for v4:
> > > > - Rebased on master:
> > > >     340_nxp_imx8mcst.dts -> 343_nxp_imx8mcst.dts
> > > >     341_nxp_imx8mcst_fast_auth.dts -> 344_nxp_imx8mcst_fast_auth.dts
> > >
> > > Here is the result when I tried applying and testing this:
> > >
> > > $ git am ~/Downloads/v4-1-2-binman-nxp_imx8mcst-read-certificates-from-input-path.patch
> > > Applying: binman: nxp_imx8mcst: read certificates from input path
> > > Applying: binman: expand test coverage to nxp_imx8mcst
> > > .git/rebase-apply/patch:206: trailing whitespace.
> > >             X509v3 Basic Constraints:
> > > .git/rebase-apply/patch:208: trailing whitespace.
> > >             Netscape Comment:
> > > .git/rebase-apply/patch:210: trailing whitespace.
> > >             X509v3 Subject Key Identifier:
> > > .git/rebase-apply/patch:212: trailing whitespace.
> > >             X509v3 Authority Key Identifier:
> > > .git/rebase-apply/patch:333: trailing whitespace.
> > >             X509v3 Basic Constraints:
> > > warning: squelched 7 whitespace errors
> > > warning: 12 lines add whitespace errors.
> > >
> > >
> > > $ ./tools/binman/binman test testNxpImx8mCstFastAuth
> > > ======================== Running binman tests ========================
> > > E
> > > ======================================================================
> > > ERROR: testNxpImx8mCstFastAuth (binman.ftest.TestFunctional)
> > > Test that binman can sign an iMX8M image using fast authentication
> > > ----------------------------------------------------------------------
> > > ValueError: Error -11 running 'cst -i
> > > /tmp/binman.tf697xr9/nxp.csf-config-txt.nxp-imx8mcst -o
> > > /tmp/binman.tf697xr9/nxp.csf-output-blob.nxp-imx8mcst':
> > >
> > > ----------------------------------------------------------------------
> > > Ran 1 test in 1.318s
> > >
> > > FAILED (errors=1)
> > >
> > > Any ideas?
> >
> > Hi Fabio,
> >
> > Strange, but I don't have a clue. I was able to find the bit of Python
> > where things go wrong in my reply to Simon:
> >
> > > Odd, -11 means that is the resouce is temporarily unavailable, no? I
> > > don't see how that could be caused by my changes. I managed to trace it
> > > to line 367 in `tools/u_boot_pylib/tools.py`, which takes us to
> > > the run_pipe() function in `tools/u_boot_pylib/commands.py`, where we
> > > wait on a pipe:
> > >
> > >    108:    result.return_code = last_pipe.wait()
> >
> > I also described the environment I was running:
> >
> > > I've compiled the NXP Code Signing tool myself from version 3.4.1
> > > and added that to path. The system I'm running on is:
> > >
> > >    cat /etc/fedora-release && uname -msrv
> > >    Fedora release 40 (Forty)
> > >    Linux 6.10.12-200.fc40.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Sep 30 21:38:25 UTC 2024 x86_64
> > >
> > > Also, prior to running any tests, I've built the `tools-only_defconfig`.
> > > I admit that I find the test suites sightly confusing, so I might have
> > > missed something.
> >
> > I can try to run it in different environment to see if I can reproduce
> > the issue.
> 
> I believe this is something wrong with the tool. This is on Ubuntu 22.04:
> 
> $ binman test -X testNxpImx8mCst
> ======================== Running binman tests ========================
> Preserving output dir: /tmp/binman.imy5s98_
> Preserving input dir: /tmp/binmant.izmi883v
> E
> ======================================================================
> ERROR: binman.ftest.TestFunctional.testNxpImx8mCst (subunit.RemotedTestCase)
> binman.ftest.TestFunctional.testNxpImx8mCst
> ----------------------------------------------------------------------
> testtools.testresult.real._StringException: Traceback (most recent call last):
> ValueError: Error -11 running 'cst -i
> /tmp/binman.imy5s98_/nxp.csf-config-txt.nxp-imx8mcst -o
> /tmp/binman.imy5s98_/nxp.csf-output-blob.nxp-imx8mcst':
> 
> 
> ----------------------------------------------------------------------
> Ran 1 test in 0.157s
> 
> FAILED (errors=1)
> 
> $ cst -i /tmp/binman.imy5s98_/nxp.csf-config-txt.nxp-imx8mcst -o
> /tmp/binman.imy5s98_/nxp.csf-output-blob.nxp-imx8mcst
> Install SRK
> Install CSFK
> Segmentation fault
> 
> So the tool is segfaulting, for some reason.

Yes, I've noticed that too.

I'd suggest compiling the tool yourself, you can get it from:

https://www.nxp.com/webapp/Download?colCode=IMX_CST_TOOL_NEW

or:

https://gitlab.apertis.org/pkg/imx-code-signing-tool/

or use the .deb package from Debian unstable:

https://packages.debian.org/unstable/imx-code-signing-tool

Pick your poison :)

Best regards,
Brian


More information about the U-Boot mailing list