From 11c34bcbdb9e0d9ac18c91a07a57e6bcf050a178 Mon Sep 17 00:00:00 2001 From: Arturo Buzarra Date: Fri, 23 May 2025 11:10:23 +0200 Subject: [PATCH] u-boot-dey: ccmp1/ccmp2: fix support for inserting signed keys into U-Boot DTB for FIT images Since commit 29d32063ac0abb1017756f62f94aec22ce305b60 ("u-boot: kernel-fitimage: Fix dependency loop if UBOOT_SIGN_ENABLE and UBOOT_ENV enabled") in Poky layer, the `kernel-fitimage` and `uboot-sign` classes are no longer explicitly dependent. This change introduced a race condition when inserting the signed RSA keys into the U-Boot DTB for FIT image verification. This commit introduces a new step for `do_uboot_assemble_fitimage`, which is now responsible for injecting the keys into the U-Boot DTB. This logic was previously handled in the Linux kernel recipe via the `do_assemble_fitimage` function in previous Yocto versions. Additionally, a build-time dependency is added between the `do_uboot_assemble_fitimage()` function and the kernel's `do_kernel_generate_rsa_keys()` task, which is responsible for generating the RSA keys used to sign the FIT image. https://onedigi.atlassian.net/browse/DEL-9634 Signed-off-by: Arturo Buzarra --- .../recipes-bsp/u-boot/u-boot-dey.inc | 62 +++++++++++++------ 1 file changed, 44 insertions(+), 18 deletions(-) diff --git a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey.inc b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey.inc index 4fc8bd759..7c9291d50 100644 --- a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey.inc +++ b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey.inc @@ -1,4 +1,4 @@ -# Copyright (C) 2018-2024, Digi International Inc. +# Copyright (C) 2018-2025, Digi International Inc. require recipes-bsp/u-boot/u-boot.inc @@ -218,7 +218,7 @@ do_compile:append:ccmp1() { } BOOT_TOOLS = "imx-boot-tools" -BOOT_TOOLS:ccmp1 = "u-boot" +BOOT_TOOLS:stm32mpcommon = "u-boot" do_deploy:append:ccimx8m() { # Deploy u-boot-nodtb.bin and ccimx8m[m|n]-dvk.dtb, to be packaged in boot binary by imx-boot 
@@ -241,33 +241,59 @@ do_deploy:append:ccimx8m() { fi } -do_deploy:append:ccmp1() { +do_deploy:append:stm32mpcommon() { # Deploy u-boot-nodtb.bin and ccmp1x-dvk-xxxx.dtb, to be packaged in fip binary by tf-a install -d ${DEPLOYDIR}/${BOOT_TOOLS} if [ -n "${UBOOT_DEVICETREE}" ]; then for devicetree in ${UBOOT_DEVICETREE}; do # Install u-boot dtb install -m 644 ${B}/${config}/arch/arm/dts/${devicetree}.dtb ${DEPLOYDIR}/${BOOT_TOOLS}/${FIP_UBOOT_DTB}-${devicetree}.dtb + + if [ "${UBOOT_SIGN_ENABLE}" = "1" ]; then + # Keep u-boot devicetree without signature + ubootdevicetree="${B}/${config}/arch/arm/dts/${devicetree}.dtb" + namewithoutsignature=`echo $ubootdevicetree | sed "s/\.dtb/-without-signature.dtb/g"` + # Install unsigned U-Boot dtb + install -m 644 ${namewithoutsignature} ${DEPLOYDIR}/${BOOT_TOOLS}/${FIP_UBOOT_DTB}-${devicetree}-without-signature.dtb + fi done fi install -m 0777 ${B}/${config}/u-boot-nodtb.bin ${DEPLOYDIR}/${BOOT_TOOLS}/u-boot-nodtb.bin - - # Append signature to u-boot DT - if [ "x${UBOOT_SIGN_ENABLE}" = "x1" ] && [ -n "${UBOOT_DEVICETREE}" ] ; then - for devicetree in ${UBOOT_DEVICETREE}; do - # get name of u-boot devicetree without signature - ubootdevicetree="${DEPLOYDIR}/${BOOT_TOOLS}/${FIP_UBOOT_DTB}-${devicetree}.dtb" - namewithoutsignature=`echo $ubootdevicetree | sed "s/\.dtb/-without-signature.dtb/g"` - namewithsignature=`echo $ubootdevicetree | sed "s/\.dtb/-with-signature.dtb/g"` - mv $ubootdevicetree $namewithoutsignature - # get name of U-Boot device tree from DEPLOY_DIR - nameonkernel="${DEPLOY_DIR_IMAGE}/${FIP_UBOOT_DTB}-${devicetree}-with-signature.dtb" - cp $nameonkernel $namewithsignature - cp $nameonkernel $ubootdevicetree - done - fi } +do_uboot_assemble_fitimage:append:stm32mpcommon() { + for config in ${UBOOT_MACHINE}; do + if [ -n "${UBOOT_DEVICETREE}" ] && [ "${UBOOT_SIGN_ENABLE}" = "1" ]; then + for devicetree in ${UBOOT_DEVICETREE}; do + # Keep u-boot devicetree without signature + 
ubootdevicetree="${B}/${config}/arch/arm/dts/${devicetree}.dtb" + namewithoutsignature=`echo $ubootdevicetree | sed "s/\.dtb/-without-signature.dtb/g"` + cp $ubootdevicetree $namewithoutsignature + + # Add image public key in U-Boot dtb file + fdt_add_pubkey -a "${FIT_HASH_ALG},${FIT_SIGN_ALG}" \ + -k "${UBOOT_SIGN_KEYDIR}" \ + -n "${UBOOT_SIGN_IMG_KEYNAME}" \ + -r "image" \ + "${ubootdevicetree}" + + # Add configuration public key in U-Boot dtb file + fdt_add_pubkey -a "${FIT_HASH_ALG},${FIT_SIGN_ALG}" \ + -k "${UBOOT_SIGN_KEYDIR}" \ + -n "${UBOOT_SIGN_KEYNAME}" \ + -r "conf" \ + "${ubootdevicetree}" + done + fi + done +} +# Add dependency to make sure that RSA keys generated to sign fitImage are available for u-boot +do_uboot_assemble_fitimage[depends] += " \ + ${@'virtual/kernel:do_kernel_generate_rsa_keys' \ + if "stm32mpcommon" in d.getVar('MACHINEOVERRIDES') \ + and "fitImage" in d.getVar('KERNEL_IMAGETYPE') else ''} \ +" + FIP_DIR_UBOOT ?= "/u-boot" # Deploy u-boot artifacts, to be packaged in fip binary by fip-stm32mp recipe
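Review bot: In `do_uboot_assemble_fitimage:append:stm32mpcommon` the `-without-signature` snapshot is copied from the same `${devicetree}.dtb` that `fdt_add_pubkey` then modifies in place. If the task is re-executed without `do_compile` regenerating the DTB (a forced re-run, or a change of `UBOOT_SIGN_KEYNAME` or `UBOOT_SIGN_KEYDIR`), the "unsigned" copy will already contain key nodes, and a key added under a previous name appears to remain in the DTB that serves as the FIT verification trust anchor. I would make the step fail when its input already carries keys, for example `if fdtget -l "${ubootdevicetree}" /signature >/dev/null 2>&1; then bbfatal "${ubootdevicetree} already contains signature keys; rebuild the U-Boot DTB"; fi` ahead of the `cp` (this assumes dtc-native's `fdtget` is available in the recipe sysroot), or add a comment stating why re-runs always start from a pristine DTB. Separately, `sed "s/\.dtb/-without-signature.dtb/g"` is unanchored and rewrites every `.dtb` occurrence in the full `${B}` path; `s/\.dtb$/-without-signature.dtb/` expresses the intent, and the same derivation is duplicated in `do_deploy:append:stm32mpcommon`.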