2022-09-06 12:02 AM
FIP_SIGN_KEY is used to specify the rot key.
But if that key is not found (wrong path for example),
the bbclass and cert_create silently create a new rot key,
which obviously doesn't match whatever you were using.
This is a bit annoying. If a key is specified, there is no use in believing that
the user wants a generated rot key...
If rot keys are not stored and presented during build, and for whatever reason export of keys failed or path seems wrong, this will go undetected.
Your build will succeed, but won't start.
What's worse is that you'll be stuck without a functioning fip...
2022-10-04 02:38 AM
Hello @milkylainen ,
After several tests, this problem is not present on the maintained OSTL Linux versions, Ecosystem:
- v3.1
- v4.0.
To be more explicit, if we face this case, Yocto/bitbake returns the following error:
ERROR: tf-a-stm32mp-v2.6-stm32mp-r1-r0 do_deploy:
Not able to find "key/stm32mp15/wrong_folder/privateKey00.pem" path from current BBPATH var:
Thanks again for your post.
Best Regards,
Kevin
2022-09-09 06:18 AM
Hello
Thanks for your feedback.
We will report this to the owner of this script for analysis and fix if needed.
JM
(for ST internal tracking only: Ticket 134397 - fip-utils: new rot keys generated when FIP_SIGN_KEY rot key not found )
2022-09-12 01:41 AM
Feedback from the development team is that they will propose a patch to raise an error message if the external key path is wrong, and so highlight the fact that the customer's configuration has an issue.
Thanks
JM
2022-09-12 04:46 AM
Sounds good. :thumbs_up:
2022-09-13 01:50 AM
@milkylainen ,
Just to be sure I understand your remark correctly:
Are you saying that when you set a wrong path for FIP_SIGN_KEY, bitbake does not return an error?
Don't you see something like:
ERROR:<...>/layers/meta-st/meta-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_2.6.bb: : 0:01:21
Not able to find "key/stm32mp15/privateKey01.pem" path from current BBPATH var
Considering that the path of the key is wrong for this variable, you should observe something like this, shouldn't you?
This is to properly target your use case for the patch.
Kind regards,
Erwan.
2022-09-13 02:02 AM
@milkylainen ,
Can you also give me the OSTL version you are working on, please?
Kind regards,
Erwan.
2022-09-14 05:20 AM
@Erwan SZYMANSKI
Hi.
Using ecosystem v3.0.0 and openstlinux-5.10-dunfell-mp1-21-03-31.
Regards,
Christian