Visitor II
September 6, 2022
Solved

Deceptive default behavior from cert_create and fiptool bbclass.


https://github.com/STMicroelectronics/meta-st-stm32mp/blob/kirkstone/classes/fip-utils-stm32mp.bbclass

FIP_SIGN_KEY is used to specify the rot key. But if that key is not found (wrong path, for example), the bbclass and cert_create silently create a new rot key, which obviously doesn't match whatever you were using.

This is a bit annoying. If a key is specified, there is no use in believing that the user wants a generated rot key...

If rot keys are not stored and presented during build, and for whatever reason export of keys failed or the path seems wrong, this will go undetected. Your build will succeed, but won't start. What's worse is that you'll be stuck without a functioning fip...
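As an added illustration (not code from the meta-st-stm32mp bbclass or from the poster), this POSIX shell function resolves a FIP_SIGN_KEY entry against BBPATH the way a layer lookup would and fails the step when the key is missing, instead of falling back to key generation; the layer directories, their names and the placeholder key file are constructed in a temporary directory for the demo.

```shell
#!/bin/sh
# Added example, not from meta-st-stm32mp: resolve FIP_SIGN_KEY against
# BBPATH and refuse to continue when the key is missing, rather than
# letting cert_create generate a fresh ROT key that matches nothing.
#
# find_fip_sign_key KEY BBPATH
#   prints the resolved file and returns 0 when the key is readable;
#   prints an error on stderr and returns 1 otherwise (no fallback).
find_fip_sign_key() {
    key="$1"
    bbpath="$2"
    case "$key" in
        /*) # absolute path: check it directly
            if [ -r "$key" ]; then printf '%s\n' "$key"; return 0; fi
            echo "ERROR: FIP_SIGN_KEY \"$key\" is not readable" >&2
            return 1 ;;
    esac
    old_ifs="$IFS"
    IFS=':'
    for dir in $bbpath; do            # walk BBPATH entries in order
        if [ -r "$dir/$key" ]; then
            IFS="$old_ifs"
            printf '%s\n' "$dir/$key"
            return 0
        fi
    done
    IFS="$old_ifs"
    echo "ERROR: Not able to find \"$key\" path from current BBPATH var: $bbpath" >&2
    return 1
}

# Constructed demo layout (hypothetical layer names): only layer-a holds a key.
demo_root="$(mktemp -d)"
mkdir -p "$demo_root/layer-a/key/stm32mp15" "$demo_root/layer-b"
echo "placeholder content, not a real private key" \
    > "$demo_root/layer-a/key/stm32mp15/privateKey00.pem"
DEMO_BBPATH="$demo_root/layer-b:$demo_root/layer-a"

# A correct path resolves; a wrong folder aborts instead of generating a key.
if rot_key="$(find_fip_sign_key key/stm32mp15/privateKey00.pem "$DEMO_BBPATH")"; then
    echo "signing FIP with ROT key: $rot_key"
fi
if ! find_fip_sign_key key/stm32mp15/wrong_folder/privateKey00.pem "$DEMO_BBPATH"; then
    echo "refusing to build: fix FIP_SIGN_KEY instead of generating a new ROT key"
fi
```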

    Best answer by Kevin HUBER

    6 replies

    ST Employee
    September 9, 2022

    Hello

    Thanks for your feedback.

    We will report this to the owner of this script for analysis and fix if needed.

    JM

    (for ST internal tracking only: Ticket 134397 - fip-utils: new rot keys generated when FIP_SIGN_KEY rot key not found )

    ST Employee
    September 12, 2022

    Feedback from development team is that they will propose a patch to raise an error message if the external key path is wrong, and then highlight the fact the configuration of the customer has an issue.

    Thanks

    JM

    Visitor II
    September 12, 2022

    Sounds good. :thumbs_up:

    Technical Moderator
    September 13, 2022

    @milkylainen​ ,

    Just to be sure I understand your remark correctly.

    Are you saying that when you put a wrong path for FIP_SIGN_KEY, bitbake does not return an error?

    Don't you see something like:

    ERROR:<...>/layers/meta-st/meta-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_2.6.bb: : 0:01:21
    Not able to find "key/stm32mp15/privateKey01.pem" path from current BBPATH var

    Considering that the path of the key is wrong for this variable, you should observe something like this, shouldn't you?

    This is to properly target your use case for the patch.

    Kind regards,

    Erwan.

    Technical Moderator
    September 13, 2022

    @milkylainen​ ,

    Can you also give me the OSTL version you are working on, please?

    Kind regards,

    Erwan.

    Visitor II
    September 14, 2022

    @Erwan SZYMANSKI​ 

    Hi.

    Using ecosystem v3.0.0 and openstlinux-5.10-dunfell-mp1-21-03-31.

    Regards,

    Christian

    Technical Moderator
    October 4, 2022

    Hello @milkylainen​ ,

    After several tests, this problem is not present on the maintained OSTL Linux versions, Ecosystem:

    - v3.1
    - v4.0

    To be more explicit, if we face this case, Yocto/bitbake returns an error such as the following:

    ERROR: tf-a-stm32mp-v2.6-stm32mp-r1-r0 do_deploy:
    Not able to find "key/stm32mp15/wrong_folder/privateKey00.pem" path from current BBPATH var:

    Thanks again for your post.

    Best Regards,

    Kevin
