[PATCH v4 2/2] binman: expand test coverage to nxp_imx8mcst

Simon Glass sjg at chromium.org
Tue Dec 3 14:45:07 CET 2024 

Hi Brian,

On Tue, 3 Dec 2024 at 04:44, Brian Ruley <brian.ruley at gehealthcare.com> wrote:
>
> Hi Simon,
>
> On Wed, Nov 20, 2024 at 05:40:42AM -0700, Simon Glass wrote:
> >
> > WARNING: This email originated from outside of GE HealthCare. Please validate the sender's email address before clicking on links or attachments as they may not be safe.
> >
> > Hi Brian,
> >
> > On Mon, 4 Nov 2024 at 01:33, Brian Ruley <brian.ruley at gehealthcare.com> wrote:
> > >
> > > On Wed, Oct 30, 2024 at 09:23:46AM -0300, Fabio Estevam wrote:
> > > >
> > > > WARNING: This email originated from outside of GE HealthCare. Please validate the sender's email address before clicking on links or attachments as they may not be safe.
> > > >
> > > > Hi Brian,
> > > >
> > > > On Wed, Oct 30, 2024 at 5:08???AM Brian Ruley
> > > > <brian.ruley at gehealthcare.com> wrote:
> > > > >
> > > > > Add coverage for IMX8M code siging. Create PKI tree and other assets
> > > > > required by `cst' using `hab4_pki_tree.sh' script and `srktool' in
> > > > > `cst_3.4.1' [1].
> > > > >
> > > > > [1] https://www.nxp.com/webapp/Download?colCode=IMX_CST_TOOL_NEW
> > > > >
> > > > > Signed-off-by: Brian Ruley <brian.ruley at gehealthcare.com>
> > > > > ---
> > > > > Changes for v4:
> > > > > - Rebased on master:
> > > > >     340_nxp_imx8mcst.dts -> 343_nxp_imx8mcst.dts
> > > > >     341_nxp_imx8mcst_fast_auth.dts -> 344_nxp_imx8mcst_fast_auth.dts
> > > >
> > > > Here is the result when I tried applying and testing this:
> > > >
> > > > $ git am ~/Downloads/v4-1-2-binman-nxp_imx8mcst-read-certificates-from-input-path.patch
> > > > Applying: binman: nxp_imx8mcst: read certificates from input path
> > > > Applying: binman: expand test coverage to nxp_imx8mcst
> > > > .git/rebase-apply/patch:206: trailing whitespace.
> > > >             X509v3 Basic Constraints:
> > > > .git/rebase-apply/patch:208: trailing whitespace.
> > > >             Netscape Comment:
> > > > .git/rebase-apply/patch:210: trailing whitespace.
> > > >             X509v3 Subject Key Identifier:
> > > > .git/rebase-apply/patch:212: trailing whitespace.
> > > >             X509v3 Authority Key Identifier:
> > > > .git/rebase-apply/patch:333: trailing whitespace.
> > > >             X509v3 Basic Constraints:
> > > > warning: squelched 7 whitespace errors
> > > > warning: 12 lines add whitespace errors.
> > > >
> > > >
> > > > $ ./tools/binman/binman test testNxpImx8mCstFastAuth
> > > > ======================== Running binman tests ========================
> > > > E
> > > > ======================================================================
> > > > ERROR: testNxpImx8mCstFastAuth (binman.ftest.TestFunctional)
> > > > Test that binman can sign an iMX8M image using fast authentication
> > > > ----------------------------------------------------------------------
> > > > ValueError: Error -11 running 'cst -i
> > > > /tmp/binman.tf697xr9/nxp.csf-config-txt.nxp-imx8mcst -o
> > > > /tmp/binman.tf697xr9/nxp.csf-output-blob.nxp-imx8mcst':
> > > >
> > > > ----------------------------------------------------------------------
> > > > Ran 1 test in 1.318s
> > > >
> > > > FAILED (errors=1)
> > > >
> > > > Any ideas?
> > >
> > > Hi Fabio,
> > >
> > > Strange, but I don't have a clue. I was able to find the bit of Python
> > > where things go wrong in my reply to Simon:
> > >
> > > > Odd, -11 means that is the resouce is temporarily unavailable, no? I
> > > > don't see how that could be caused by my changes. I managed to trace it
> > > > to line 367 in `tools/u_boot_pylib/tools.py`, which takes us to
> > > > the run_pipe() function in `tools/u_boot_pylib/commands.py`, where we
> > > > wait on a pipe:
> > > >
> > > >    108:    result.return_code = last_pipe.wait()
> > >
> > > I also described the environment I was running:
> > >
> > > > I've compiled the NXP Code Signing tool myself from version 3.4.1
> > > > and added that to path. The system I'm running on is:
> > > >
> > > >    cat /etc/fedora-release && uname -msrv
> > > >    Fedora release 40 (Forty)
> > > >    Linux 6.10.12-200.fc40.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Sep 30 21:38:25 UTC 2024 x86_64
> > > >
> > > > Also, prior to running any tests, I've built the `tools-only_defconfig`.
> > > > I admit that I find the test suites sightly confusing, so I might have
> > > > missed something.
> > >
> > > I can try to run it in different environment to see if I can reproduce
> > > the issue.
> >
> > I believe this is something wrong with the tool. This is on Ubuntu 22.04:
> >
> > $ binman test -X testNxpImx8mCst
> > ======================== Running binman tests ========================
> > Preserving output dir: /tmp/binman.imy5s98_
> > Preserving input dir: /tmp/binmant.izmi883v
> > E
> > ======================================================================
> > ERROR: binman.ftest.TestFunctional.testNxpImx8mCst (subunit.RemotedTestCase)
> > binman.ftest.TestFunctional.testNxpImx8mCst
> > ----------------------------------------------------------------------
> > testtools.testresult.real._StringException: Traceback (most recent call last):
> > ValueError: Error -11 running 'cst -i
> > /tmp/binman.imy5s98_/nxp.csf-config-txt.nxp-imx8mcst -o
> > /tmp/binman.imy5s98_/nxp.csf-output-blob.nxp-imx8mcst':
> >
> >
> > ----------------------------------------------------------------------
> > Ran 1 test in 0.157s
> >
> > FAILED (errors=1)
> >
> > $ cst -i /tmp/binman.imy5s98_/nxp.csf-config-txt.nxp-imx8mcst -o
> > /tmp/binman.imy5s98_/nxp.csf-output-blob.nxp-imx8mcst
> > Install SRK
> > Install CSFK
> > Segmentation fault
> >
> > So the tool is segfaulting, for some reason.
>
> Yes, I've noticed that too.
>
> I'd suggest compiling the tool yourself, you can get it from:
>
> https://www.nxp.com/webapp/Download?colCode=IMX_CST_TOOL_NEW
>
> or:
>
> https://gitlab.apertis.org/pkg/imx-code-signing-tool/
>
> or use the .deb package from Debian unstable:
>
> https://packages.debian.org/unstable/imx-code-signing-tool
>
> Pick your poison :)

The instructions in tools/binman/btool/cst.py install 'imx-code-signing-tool'

So I get this:

ii  imx-code-signing-tool 3.3.1+dfsg-2ubuntu1 amd64        code
signing tool for i.MX platform

I suppose we could adjust that to build the tool from source, instead?
We do that for fiptool, for example.

Regards,
Simon

More information about the U-Boot mailing list