xref: /openbmc/openbmc/poky/meta/classes-recipe/uboot-sign.bbclass (revision c9537f57ab488bf5d90132917b0184e2527970a5) 
1#
2# Copyright OpenEmbedded Contributors
3#
4# SPDX-License-Identifier: MIT
5#
6
7# This file is part of U-Boot verified boot support and is intended to be
8# inherited from the u-boot recipe.
9#
10# The signature procedure requires the user to generate an RSA key and
11# certificate in a directory and to define the following variable:
12#
13#   UBOOT_SIGN_KEYDIR = "/keys/directory"
14#   UBOOT_SIGN_KEYNAME = "dev" # keys name in keydir (eg. "dev.crt", "dev.key")
15#   UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb -p 2000"
16#   UBOOT_SIGN_ENABLE = "1"
17#
18# As verified boot depends on fitImage generation, following is also required:
19#
20#   KERNEL_CLASSES ?= " kernel-fitimage "
21#   KERNEL_IMAGETYPE ?= "fitImage"
22#
23# The signature support is limited to the use of CONFIG_OF_SEPARATE in U-Boot.
24#
25# For more details on signature process, please refer to U-Boot documentation.
26
27# We need some variables from u-boot-config
28inherit uboot-config
29require conf/image-fitimage.conf
30
31# Enable use of a U-Boot fitImage
32UBOOT_FITIMAGE_ENABLE ?= "0"
33
34# Signature activation - this requires UBOOT_FITIMAGE_ENABLE = "1"
35SPL_SIGN_ENABLE ?= "0"
36
37# Default value for deployment filenames.
38UBOOT_DTB_IMAGE ?= "u-boot-${MACHINE}-${PV}-${PR}.dtb"
39UBOOT_DTB_BINARY ?= "u-boot.dtb"
40UBOOT_DTB_SIGNED ?= "${UBOOT_DTB_BINARY}-signed"
41UBOOT_DTB_SYMLINK ?= "u-boot-${MACHINE}.dtb"
42UBOOT_NODTB_IMAGE ?= "u-boot-nodtb-${MACHINE}-${PV}-${PR}.bin"
43UBOOT_NODTB_BINARY ?= "u-boot-nodtb.bin"
44UBOOT_NODTB_SYMLINK ?= "u-boot-nodtb-${MACHINE}.bin"
45UBOOT_ITS_IMAGE ?= "u-boot-its-${MACHINE}-${PV}-${PR}"
46UBOOT_ITS ?= "u-boot.its"
47UBOOT_ITS_SYMLINK ?= "u-boot-its-${MACHINE}"
48UBOOT_FITIMAGE_IMAGE ?= "u-boot-fitImage-${MACHINE}-${PV}-${PR}"
49UBOOT_FITIMAGE_BINARY ?= "u-boot-fitImage"
50UBOOT_FITIMAGE_SYMLINK ?= "u-boot-fitImage-${MACHINE}"
51SPL_DIR ?= "spl"
52SPL_DTB_IMAGE ?= "u-boot-spl-${MACHINE}-${PV}-${PR}.dtb"
53SPL_DTB_BINARY ?= "u-boot-spl.dtb"
54SPL_DTB_SIGNED ?= "${SPL_DTB_BINARY}-signed"
55SPL_DTB_SYMLINK ?= "u-boot-spl-${MACHINE}.dtb"
56SPL_NODTB_IMAGE ?= "u-boot-spl-nodtb-${MACHINE}-${PV}-${PR}.bin"
57SPL_NODTB_BINARY ?= "u-boot-spl-nodtb.bin"
58SPL_NODTB_SYMLINK ?= "u-boot-spl-nodtb-${MACHINE}.bin"
59
60# U-Boot fitImage description
61UBOOT_FIT_DESC ?= "U-Boot fitImage for ${DISTRO_NAME}/${PV}/${MACHINE}"
62
63# U-Boot fitImage Hash Algo
64UBOOT_FIT_HASH_ALG ?= "sha256"
65
66# U-Boot fitImage Signature Algo
67UBOOT_FIT_SIGN_ALG ?= "rsa2048"
68
69# Generate keys for signing U-Boot fitImage
70UBOOT_FIT_GENERATE_KEYS ?= "0"
71
72# Size of private keys in number of bits
73UBOOT_FIT_SIGN_NUMBITS ?= "2048"
74
75# args to openssl genrsa (Default is just the public exponent)
76UBOOT_FIT_KEY_GENRSA_ARGS ?= "-F4"
77
78# args to openssl req (Default is -batch for non interactive mode and
79# -new for new certificate)
80UBOOT_FIT_KEY_REQ_ARGS ?= "-batch -new"
81
82# Standard format for public key certificate
83UBOOT_FIT_KEY_SIGN_PKCS ?= "-x509"
84
85# length of address in number of <u32> cells
86# ex: 1 32bits address, 2 64bits address
87UBOOT_FIT_ADDRESS_CELLS ?= "1"
88
89# ARM Trusted Firmware(ATF) is a reference implementation of secure world
90# software for Arm A-Profile architectures, (Armv8-A and Armv7-A), including
91# an Exception Level 3 (EL3) Secure Monitor.
92UBOOT_FIT_ARM_TRUSTED_FIRMWARE ?= "0"
93UBOOT_FIT_ARM_TRUSTED_FIRMWARE_IMAGE ?= "bl31.bin"
94
95# A Trusted Execution Environment(TEE) is an environment for executing code,
96# in which those executing the code can have high levels of trust in the asset
97# management of that surrounding environment.
98UBOOT_FIT_TEE ?= "0"
99UBOOT_FIT_TEE_IMAGE ?= "tee-raw.bin"
100
101# User specific settings
102UBOOT_FIT_USER_SETTINGS ?= ""
103
104# Sets the firmware property to select the image to boot first.
105# If not set, the first entry in "loadables" is used instead.
106UBOOT_FIT_CONF_FIRMWARE ?= ""
107
108# Unit name containing a list of users additional binaries to be loaded.
109# It is a comma-separated list of strings.
110UBOOT_FIT_CONF_USER_LOADABLES ?= ''
111
112UBOOT_FIT_UBOOT_LOADADDRESS ?= "${UBOOT_LOADADDRESS}"
113UBOOT_FIT_UBOOT_ENTRYPOINT ?= "${UBOOT_ENTRYPOINT}"
114
115python() {
116    # We need u-boot-tools-native if we're creating a U-Boot fitImage
117    sign = d.getVar('UBOOT_SIGN_ENABLE') == '1'
118    if d.getVar('UBOOT_FITIMAGE_ENABLE') == '1' or sign:
119        d.appendVar('DEPENDS', " u-boot-tools-native dtc-native")
120    if d.getVar('FIT_GENERATE_KEYS') == '1' and sign:
121        d.appendVarFlag('do_uboot_assemble_fitimage', 'depends', ' virtual/kernel:do_kernel_generate_rsa_keys')
122}
123
124concat_dtb() {
125	type="$1"
126	binary="$2"
127
128	if [ -e "${UBOOT_DTB_BINARY}" ]; then
129		# Signing individual images is not recommended as that
130		# makes fitImage susceptible to mix-and-match attack.
131		#
132		# OE FIT_SIGN_INDIVIDUAL is implemented in an unusual manner,
133		# where the resulting signed fitImage contains both signed
134		# images and signed configurations. This is redundant. In
135		# order to prevent mix-and-match attack, it is sufficient
136		# to sign configurations. The FIT_SIGN_INDIVIDUAL = "1"
137		# support is kept to avoid breakage of existing layers, but
138		# it is highly recommended to avoid FIT_SIGN_INDIVIDUAL = "1",
139		# i.e. set FIT_SIGN_INDIVIDUAL = "0" .
140		if [ "${FIT_SIGN_INDIVIDUAL}" = "1" ] ; then
141			# Sign dummy image images in order to
142			# add the image signing keys to our dtb
143			${UBOOT_MKIMAGE_SIGN} \
144				${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
145				-f auto \
146				-k "${UBOOT_SIGN_KEYDIR}" \
147				-o "${FIT_HASH_ALG},${FIT_SIGN_ALG}" \
148				-g "${UBOOT_SIGN_IMG_KEYNAME}" \
149				-K "${UBOOT_DTB_BINARY}" \
150				-d /dev/null \
151				-r ${B}/unused.itb \
152				${UBOOT_MKIMAGE_SIGN_ARGS}
153		fi
154
155		# Sign dummy image configurations in order to
156		# add the configuration signing keys to our dtb
157		${UBOOT_MKIMAGE_SIGN} \
158			${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
159			-f auto-conf \
160			-k "${UBOOT_SIGN_KEYDIR}" \
161			-o "${FIT_HASH_ALG},${FIT_SIGN_ALG}" \
162			-g "${UBOOT_SIGN_KEYNAME}" \
163			-K "${UBOOT_DTB_BINARY}" \
164			-d /dev/null \
165			-r ${B}/unused.itb \
166			${UBOOT_MKIMAGE_SIGN_ARGS}
167
168		# Verify the dummy fitImage signature against u-boot.dtb
169		# augmented using public key material.
170		#
171		# This only works for FIT_SIGN_INDIVIDUAL = "0", because
172		# mkimage -f auto-conf does not support -F to extend the
173		# existing unused.itb , and instead rewrites unused.itb
174		# from scratch.
175		#
176		# Using two separate unused.itb for mkimage -f auto and
177		# mkimage -f auto-conf invocation above would not help, as
178		# the signature verification process below checks whether
179		# all keys inserted into u-boot.dtb /signature node pass
180		# the verification. Separate unused.itb would each miss one
181		# of the signatures.
182		#
183		# The FIT_SIGN_INDIVIDUAL = "1" support is kept to avoid
184		# breakage of existing layers, but it is highly recommended
185		# to not use FIT_SIGN_INDIVIDUAL = "1", i.e. set
186		# FIT_SIGN_INDIVIDUAL = "0" .
187		if [ "${FIT_SIGN_INDIVIDUAL}" != "1" ] ; then
188			${UBOOT_FIT_CHECK_SIGN} \
189				-k "${UBOOT_DTB_BINARY}" \
190				-f ${B}/unused.itb
191		fi
192		cp ${UBOOT_DTB_BINARY} ${UBOOT_DTB_SIGNED}
193	fi
194
195	# If we're not using a signed u-boot fit, concatenate SPL w/o DTB & U-Boot DTB
196	# with public key (otherwise U-Boot will be packaged by uboot_fitimage_assemble)
197	if [ "${SPL_SIGN_ENABLE}" != "1" ] ; then
198		if [ "x${UBOOT_SUFFIX}" = "ximg" -o "x${UBOOT_SUFFIX}" = "xrom" ] && \
199			[ -e "${UBOOT_DTB_BINARY}" ]; then
200			oe_runmake EXT_DTB="${UBOOT_DTB_SIGNED}" ${UBOOT_MAKE_TARGET}
201			if [ -n "${binary}" ]; then
202				cp ${binary} ${UBOOT_BINARYNAME}-${type}.${UBOOT_SUFFIX}
203			fi
204		elif [ -e "${UBOOT_NODTB_BINARY}" -a -e "${UBOOT_DTB_BINARY}" ]; then
205			if [ -n "${binary}" ]; then
206				cat ${UBOOT_NODTB_BINARY} ${UBOOT_DTB_SIGNED} | tee ${binary} > \
207					${UBOOT_BINARYNAME}-${type}.${UBOOT_SUFFIX}
208			else
209				cat ${UBOOT_NODTB_BINARY} ${UBOOT_DTB_SIGNED} > ${UBOOT_BINARY}
210			fi
211		else
212			bbwarn "Failure while adding public key to u-boot binary. Verified boot won't be available."
213		fi
214	fi
215}
216
217deploy_dtb() {
218	type="$1"
219
220	if [ -n "${type}" ]; then
221		uboot_dtb_binary="u-boot-${type}-${PV}-${PR}.dtb"
222		uboot_nodtb_binary="u-boot-nodtb-${type}-${PV}-${PR}.bin"
223	else
224		uboot_dtb_binary="${UBOOT_DTB_IMAGE}"
225		uboot_nodtb_binary="${UBOOT_NODTB_IMAGE}"
226	fi
227
228	if [ -e "${UBOOT_DTB_SIGNED}" ]; then
229		install -Dm644 ${UBOOT_DTB_SIGNED} ${DEPLOYDIR}/${uboot_dtb_binary}
230		if [ -n "${type}" ]; then
231			ln -sf ${uboot_dtb_binary} ${DEPLOYDIR}/${UBOOT_DTB_IMAGE}
232		fi
233	fi
234
235	if [ -f "${UBOOT_NODTB_BINARY}" ]; then
236		install -Dm644 ${UBOOT_NODTB_BINARY} ${DEPLOYDIR}/${uboot_nodtb_binary}
237		if [ -n "${type}" ]; then
238			ln -sf ${uboot_nodtb_binary} ${DEPLOYDIR}/${UBOOT_NODTB_IMAGE}
239		fi
240	fi
241}
242
243concat_spl_dtb() {
244	if [ -e "${SPL_DIR}/${SPL_NODTB_BINARY}" -a -e "${SPL_DIR}/${SPL_DTB_BINARY}" ] ; then
245		cat ${SPL_DIR}/${SPL_NODTB_BINARY} ${SPL_DIR}/${SPL_DTB_SIGNED} > "${SPL_BINARY}"
246	else
247		bbwarn "Failure while adding public key to spl binary. Verified U-Boot boot won't be available."
248	fi
249}
250
251deploy_spl_dtb() {
252	type="$1"
253
254	if [ -n "${type}" ]; then
255		spl_dtb_binary="u-boot-spl-${type}-${PV}-${PR}.dtb"
256		spl_nodtb_binary="u-boot-spl-nodtb-${type}-${PV}-${PR}.bin"
257	else
258		spl_dtb_binary="${SPL_DTB_IMAGE}"
259		spl_nodtb_binary="${SPL_NODTB_IMAGE}"
260	fi
261
262	if [ -e "${SPL_DIR}/${SPL_DTB_SIGNED}" ] ; then
263		install -Dm644 ${SPL_DIR}/${SPL_DTB_SIGNED} ${DEPLOYDIR}/${spl_dtb_binary}
264		if [ -n "${type}" ]; then
265			ln -sf ${spl_dtb_binary} ${DEPLOYDIR}/${SPL_DTB_IMAGE}
266		fi
267	fi
268
269	if [ -f "${SPL_DIR}/${SPL_NODTB_BINARY}" ] ; then
270		install -Dm644 ${SPL_DIR}/${SPL_NODTB_BINARY} ${DEPLOYDIR}/${spl_nodtb_binary}
271		if [ -n "${type}" ]; then
272			ln -sf ${spl_nodtb_binary} ${DEPLOYDIR}/${SPL_NODTB_IMAGE}
273		fi
274	fi
275
276	# For backwards compatibility...
277	install -Dm644 ${SPL_BINARY} ${DEPLOYDIR}/${SPL_IMAGE}
278}
279
280do_uboot_generate_rsa_keys() {
281	if [ "${SPL_SIGN_ENABLE}" = "0" ] && [ "${UBOOT_FIT_GENERATE_KEYS}" = "1" ]; then
282		bbwarn "UBOOT_FIT_GENERATE_KEYS is set to 1 eventhough SPL_SIGN_ENABLE is set to 0. The keys will not be generated as they won't be used."
283	fi
284
285	if [ "${SPL_SIGN_ENABLE}" = "1" ] && [ "${UBOOT_FIT_GENERATE_KEYS}" = "1" ]; then
286
287		# Generate keys only if they don't already exist
288		if [ ! -f "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".key ] || \
289			[ ! -f "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".crt ]; then
290
291			# make directory if it does not already exist
292			mkdir -p "${SPL_SIGN_KEYDIR}"
293
294			echo "Generating RSA private key for signing U-Boot fitImage"
295			openssl genrsa ${UBOOT_FIT_KEY_GENRSA_ARGS} -out \
296				"${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".key \
297				"${UBOOT_FIT_SIGN_NUMBITS}"
298
299			echo "Generating certificate for signing U-Boot fitImage"
300			openssl req ${UBOOT_FIT_KEY_REQ_ARGS} "${UBOOT_FIT_KEY_SIGN_PKCS}" \
301				-key "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".key \
302				-out "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".crt
303		fi
304	fi
305
306}
307
308addtask uboot_generate_rsa_keys before do_uboot_assemble_fitimage after do_compile
309
310# Create a ITS file for the atf
311uboot_fitimage_atf() {
312	cat << EOF >> ${UBOOT_ITS}
313        atf {
314            description = "ARM Trusted Firmware";
315            data = /incbin/("${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_IMAGE}");
316            type = "firmware";
317            arch = "${UBOOT_ARCH}";
318            os = "arm-trusted-firmware";
319            load = <${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_LOADADDRESS}>;
320            entry = <${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_ENTRYPOINT}>;
321            compression = "none";
322EOF
323	if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
324		cat << EOF >> ${UBOOT_ITS}
325            signature {
326                algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}";
327                key-name-hint = "${SPL_SIGN_KEYNAME}";
328            };
329EOF
330	fi
331
332	cat << EOF >> ${UBOOT_ITS}
333        };
334EOF
335}
336
337# Create a ITS file for the tee
338uboot_fitimage_tee() {
339	cat << EOF >> ${UBOOT_ITS}
340        tee {
341            description = "Trusted Execution Environment";
342            data = /incbin/("${UBOOT_FIT_TEE_IMAGE}");
343            type = "tee";
344            arch = "${UBOOT_ARCH}";
345            os = "tee";
346            load = <${UBOOT_FIT_TEE_LOADADDRESS}>;
347            entry = <${UBOOT_FIT_TEE_ENTRYPOINT}>;
348            compression = "none";
349EOF
350	if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
351		cat << EOF >> ${UBOOT_ITS}
352            signature {
353                algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}";
354                key-name-hint = "${SPL_SIGN_KEYNAME}";
355            };
356EOF
357	fi
358
359	cat << EOF >> ${UBOOT_ITS}
360        };
361EOF
362}
363
364# Create a ITS file for the U-boot FIT, for use when
365# we want to sign it so that the SPL can verify it
366uboot_fitimage_assemble() {
367	conf_loadables="\"uboot\""
368	conf_firmware=""
369	rm -f ${UBOOT_ITS} ${UBOOT_FITIMAGE_BINARY}
370
371	# First we create the ITS script
372	cat << EOF >> ${UBOOT_ITS}
373/dts-v1/;
374
375/ {
376    description = "${UBOOT_FIT_DESC}";
377    #address-cells = <${UBOOT_FIT_ADDRESS_CELLS}>;
378
379    images {
380        uboot {
381            description = "U-Boot image";
382            data = /incbin/("${UBOOT_NODTB_BINARY}");
383            type = "standalone";
384            os = "u-boot";
385            arch = "${UBOOT_ARCH}";
386            compression = "none";
387            load = <${UBOOT_FIT_UBOOT_LOADADDRESS}>;
388            entry = <${UBOOT_FIT_UBOOT_ENTRYPOINT}>;
389EOF
390
391	if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
392		cat << EOF >> ${UBOOT_ITS}
393            signature {
394                algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}";
395                key-name-hint = "${SPL_SIGN_KEYNAME}";
396            };
397EOF
398	fi
399
400	cat << EOF >> ${UBOOT_ITS}
401        };
402        fdt {
403            description = "U-Boot FDT";
404            data = /incbin/("${UBOOT_DTB_BINARY}");
405            type = "flat_dt";
406            arch = "${UBOOT_ARCH}";
407            compression = "none";
408EOF
409
410	if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
411		cat << EOF >> ${UBOOT_ITS}
412            signature {
413                algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}";
414                key-name-hint = "${SPL_SIGN_KEYNAME}";
415            };
416EOF
417	fi
418
419	cat << EOF >> ${UBOOT_ITS}
420        };
421EOF
422	if [ "${UBOOT_FIT_TEE}" = "1" ] ; then
423		conf_loadables="\"tee\", ${conf_loadables}"
424		uboot_fitimage_tee
425	fi
426
427	if [ "${UBOOT_FIT_ARM_TRUSTED_FIRMWARE}" = "1" ] ; then
428		conf_loadables="\"atf\", ${conf_loadables}"
429		uboot_fitimage_atf
430	fi
431
432	if [ -n "${UBOOT_FIT_USER_SETTINGS}" ] ; then
433		printf "%b" "${UBOOT_FIT_USER_SETTINGS}" >> ${UBOOT_ITS}
434	fi
435
436	if [ -n "${UBOOT_FIT_CONF_USER_LOADABLES}" ] ; then
437		conf_loadables="${conf_loadables}${UBOOT_FIT_CONF_USER_LOADABLES}"
438	fi
439
440	if [ -n "${UBOOT_FIT_CONF_FIRMWARE}" ] ; then
441		conf_firmware="firmware = \"${UBOOT_FIT_CONF_FIRMWARE}\";"
442	fi
443
444	cat << EOF >> ${UBOOT_ITS}
445    };
446
447    configurations {
448        default = "conf";
449        conf {
450            description = "Boot with signed U-Boot FIT";
451            ${conf_firmware}
452            loadables = ${conf_loadables};
453            fdt = "fdt";
454        };
455    };
456};
457EOF
458
459	#
460	# Assemble the U-boot FIT image
461	#
462	${UBOOT_MKIMAGE} \
463		${@'-D "${SPL_MKIMAGE_DTCOPTS}"' if len('${SPL_MKIMAGE_DTCOPTS}') else ''} \
464		-f ${UBOOT_ITS} \
465		${UBOOT_FITIMAGE_BINARY}
466
467	if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
468		#
469		# Sign the U-boot FIT image and add public key to SPL dtb
470		#
471		${UBOOT_MKIMAGE_SIGN} \
472			${@'-D "${SPL_MKIMAGE_DTCOPTS}"' if len('${SPL_MKIMAGE_DTCOPTS}') else ''} \
473			-F -k "${SPL_SIGN_KEYDIR}" \
474			-K "${SPL_DIR}/${SPL_DTB_BINARY}" \
475			-r ${UBOOT_FITIMAGE_BINARY} \
476			${SPL_MKIMAGE_SIGN_ARGS}
477		#
478		# Verify the U-boot FIT image and SPL dtb
479		#
480		${UBOOT_FIT_CHECK_SIGN} \
481			-k "${SPL_DIR}/${SPL_DTB_BINARY}" \
482			-f ${UBOOT_FITIMAGE_BINARY}
483	fi
484
485	if [ -e "${SPL_DIR}/${SPL_DTB_BINARY}" ]; then
486		cp ${SPL_DIR}/${SPL_DTB_BINARY} ${SPL_DIR}/${SPL_DTB_SIGNED}
487	fi
488}
489
490uboot_assemble_fitimage_helper() {
491	type="$1"
492	binary="$2"
493
494	if [ "${UBOOT_SIGN_ENABLE}" = "1" -a -n "${UBOOT_DTB_BINARY}" ] ; then
495		concat_dtb "$type" "$binary"
496	fi
497
498	if [ "${UBOOT_FITIMAGE_ENABLE}" = "1" -a -n "${SPL_DTB_BINARY}" ]; then
499		uboot_fitimage_assemble
500	fi
501
502	if [ "${SPL_SIGN_ENABLE}" = "1" -a -n "${SPL_DTB_BINARY}" ] ; then
503		concat_spl_dtb
504	fi
505}
506
507do_uboot_assemble_fitimage() {
508	if [ -n "${UBOOT_CONFIG}" ]; then
509		unset i
510		for config in ${UBOOT_MACHINE}; do
511			unset j k
512			i=$(expr $i + 1);
513			for type in ${UBOOT_CONFIG}; do
514				j=$(expr $j + 1);
515				if [ $j -eq $i ]; then
516					break;
517				fi
518			done
519
520			for binary in ${UBOOT_BINARIES}; do
521				k=$(expr $k + 1);
522				if [ $k -eq $i ]; then
523					break;
524				fi
525			done
526
527			cd ${B}/${config}
528			uboot_assemble_fitimage_helper ${type} ${binary}
529		done
530	else
531		cd ${B}
532		uboot_assemble_fitimage_helper "" ${UBOOT_BINARY}
533	fi
534}
535
536addtask uboot_assemble_fitimage before do_install do_deploy after do_compile
537
538deploy_helper() {
539	type="$1"
540
541	if [ "${UBOOT_SIGN_ENABLE}" = "1" -a -n "${UBOOT_DTB_SIGNED}" ] ; then
542		deploy_dtb $type
543	fi
544
545	if [ "${UBOOT_FITIMAGE_ENABLE}" = "1" -a -n "${SPL_DTB_BINARY}" ]; then
546		if [ -n "${type}" ]; then
547			uboot_its_image="u-boot-its-${type}-${PV}-${PR}"
548			uboot_fitimage_image="u-boot-fitImage-${type}-${PV}-${PR}"
549		else
550			uboot_its_image="${UBOOT_ITS_IMAGE}"
551			uboot_fitimage_image="${UBOOT_FITIMAGE_IMAGE}"
552		fi
553
554		install -Dm644 ${UBOOT_FITIMAGE_BINARY} ${DEPLOYDIR}/$uboot_fitimage_image
555		install -Dm644 ${UBOOT_ITS} ${DEPLOYDIR}/$uboot_its_image
556
557		if [ -n "${type}" ]; then
558			ln -sf $uboot_its_image ${DEPLOYDIR}/${UBOOT_ITS_IMAGE}
559			ln -sf $uboot_fitimage_image ${DEPLOYDIR}/${UBOOT_FITIMAGE_IMAGE}
560		fi
561	fi
562
563	if [ "${SPL_SIGN_ENABLE}" = "1" -a -n "${SPL_DTB_SIGNED}" ] ; then
564		deploy_spl_dtb $type
565	fi
566}
567
568do_deploy:prepend() {
569	if [ -n "${UBOOT_CONFIG}" ]; then
570		unset i j k
571		for config in ${UBOOT_MACHINE}; do
572			i=$(expr $i + 1);
573			for type in ${UBOOT_CONFIG}; do
574				j=$(expr $j + 1);
575				if [ $j -eq $i ]; then
576					cd ${B}/${config}
577					deploy_helper ${type}
578				fi
579			done
580			unset j
581		done
582		unset i
583	else
584		cd ${B}
585		deploy_helper ""
586	fi
587
588	if [ "${UBOOT_SIGN_ENABLE}" = "1" -a -n "${UBOOT_DTB_BINARY}" ] ; then
589		ln -sf ${UBOOT_DTB_IMAGE} ${DEPLOYDIR}/${UBOOT_DTB_BINARY}
590		ln -sf ${UBOOT_DTB_IMAGE} ${DEPLOYDIR}/${UBOOT_DTB_SYMLINK}
591		ln -sf ${UBOOT_NODTB_IMAGE} ${DEPLOYDIR}/${UBOOT_NODTB_SYMLINK}
592		ln -sf ${UBOOT_NODTB_IMAGE} ${DEPLOYDIR}/${UBOOT_NODTB_BINARY}
593	fi
594
595	if [ "${UBOOT_FITIMAGE_ENABLE}" = "1" ] ; then
596		ln -sf ${UBOOT_ITS_IMAGE} ${DEPLOYDIR}/${UBOOT_ITS}
597		ln -sf ${UBOOT_ITS_IMAGE} ${DEPLOYDIR}/${UBOOT_ITS_SYMLINK}
598		ln -sf ${UBOOT_FITIMAGE_IMAGE} ${DEPLOYDIR}/${UBOOT_FITIMAGE_BINARY}
599		ln -sf ${UBOOT_FITIMAGE_IMAGE} ${DEPLOYDIR}/${UBOOT_FITIMAGE_SYMLINK}
600	fi
601
602	if [ "${SPL_SIGN_ENABLE}" = "1" -a -n "${SPL_DTB_BINARY}" ] ; then
603		ln -sf ${SPL_DTB_IMAGE} ${DEPLOYDIR}/${SPL_DTB_SYMLINK}
604		ln -sf ${SPL_DTB_IMAGE} ${DEPLOYDIR}/${SPL_DTB_BINARY}
605		ln -sf ${SPL_NODTB_IMAGE} ${DEPLOYDIR}/${SPL_NODTB_SYMLINK}
606		ln -sf ${SPL_NODTB_IMAGE} ${DEPLOYDIR}/${SPL_NODTB_BINARY}
607	fi
608}
609
610do_deploy:append() {
611	# If we're creating a u-boot fitImage, point u-boot.bin
612	# symlink since it might get used by image recipes
613	if [ "${UBOOT_FITIMAGE_ENABLE}" = "1" ] ; then
614		ln -sf ${UBOOT_FITIMAGE_IMAGE} ${DEPLOYDIR}/${UBOOT_BINARY}
615		ln -sf ${UBOOT_FITIMAGE_IMAGE} ${DEPLOYDIR}/${UBOOT_SYMLINK}
616	fi
617}
618