xref: /OK3568_Linux_fs/yocto/poky/meta/classes/uboot-sign.bbclass (revision 4882a59341e53eb6f0b4789bf948001014eff981) 
1# This file is part of U-Boot verified boot support and is intended to be
2# inherited from u-boot recipe and from kernel-fitimage.bbclass.
3#
4# The signature procedure requires the user to generate an RSA key and
5# certificate in a directory and to define the following variable:
6#
7#   UBOOT_SIGN_KEYDIR = "/keys/directory"
8#   UBOOT_SIGN_KEYNAME = "dev" # keys name in keydir (eg. "dev.crt", "dev.key")
9#   UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb -p 2000"
10#   UBOOT_SIGN_ENABLE = "1"
11#
12# As verified boot depends on fitImage generation, following is also required:
13#
14#   KERNEL_CLASSES ?= " kernel-fitimage "
15#   KERNEL_IMAGETYPE ?= "fitImage"
16#
17# The signature support is limited to the use of CONFIG_OF_SEPARATE in U-Boot.
18#
19# The tasks sequence is set as below, using DEPLOY_IMAGE_DIR as common place to
20# treat the device tree blob:
21#
22# * u-boot:do_install:append
23#   Install UBOOT_DTB_BINARY to datadir, so that kernel can use it for
24#   signing, and kernel will deploy UBOOT_DTB_BINARY after signs it.
25#
26# * virtual/kernel:do_assemble_fitimage
27#   Sign the image
28#
29# * u-boot:do_deploy[postfuncs]
30#   Deploy files like UBOOT_DTB_IMAGE, UBOOT_DTB_SYMLINK and others.
31#
32# For more details on signature process, please refer to U-Boot documentation.
33
34# We need some variables from u-boot-config
35inherit uboot-config
36
37# Enable use of a U-Boot fitImage
38UBOOT_FITIMAGE_ENABLE ?= "0"
39
40# Signature activation - these require their respective fitImages
41UBOOT_SIGN_ENABLE ?= "0"
42SPL_SIGN_ENABLE ?= "0"
43
44# Default value for deployment filenames.
45UBOOT_DTB_IMAGE ?= "u-boot-${MACHINE}-${PV}-${PR}.dtb"
46UBOOT_DTB_BINARY ?= "u-boot.dtb"
47UBOOT_DTB_SYMLINK ?= "u-boot-${MACHINE}.dtb"
48UBOOT_NODTB_IMAGE ?= "u-boot-nodtb-${MACHINE}-${PV}-${PR}.bin"
49UBOOT_NODTB_BINARY ?= "u-boot-nodtb.bin"
50UBOOT_NODTB_SYMLINK ?= "u-boot-nodtb-${MACHINE}.bin"
51UBOOT_ITS_IMAGE ?= "u-boot-its-${MACHINE}-${PV}-${PR}"
52UBOOT_ITS ?= "u-boot.its"
53UBOOT_ITS_SYMLINK ?= "u-boot-its-${MACHINE}"
54UBOOT_FITIMAGE_IMAGE ?= "u-boot-fitImage-${MACHINE}-${PV}-${PR}"
55UBOOT_FITIMAGE_BINARY ?= "u-boot-fitImage"
56UBOOT_FITIMAGE_SYMLINK ?= "u-boot-fitImage-${MACHINE}"
57SPL_DIR ?= "spl"
58SPL_DTB_IMAGE ?= "u-boot-spl-${MACHINE}-${PV}-${PR}.dtb"
59SPL_DTB_BINARY ?= "u-boot-spl.dtb"
60SPL_DTB_SYMLINK ?= "u-boot-spl-${MACHINE}.dtb"
61SPL_NODTB_IMAGE ?= "u-boot-spl-nodtb-${MACHINE}-${PV}-${PR}.bin"
62SPL_NODTB_BINARY ?= "u-boot-spl-nodtb.bin"
63SPL_NODTB_SYMLINK ?= "u-boot-spl-nodtb-${MACHINE}.bin"
64
65# U-Boot fitImage description
66UBOOT_FIT_DESC ?= "U-Boot fitImage for ${DISTRO_NAME}/${PV}/${MACHINE}"
67
68# Kernel / U-Boot fitImage Hash Algo
69FIT_HASH_ALG ?= "sha256"
70UBOOT_FIT_HASH_ALG ?= "sha256"
71
72# Kernel / U-Boot fitImage Signature Algo
73FIT_SIGN_ALG ?= "rsa2048"
74UBOOT_FIT_SIGN_ALG ?= "rsa2048"
75
76# Kernel / U-Boot fitImage Padding Algo
77FIT_PAD_ALG ?= "pkcs-1.5"
78
79# Generate keys for signing Kernel / U-Boot fitImage
80FIT_GENERATE_KEYS ?= "0"
81UBOOT_FIT_GENERATE_KEYS ?= "0"
82
83# Size of private keys in number of bits
84FIT_SIGN_NUMBITS ?= "2048"
85UBOOT_FIT_SIGN_NUMBITS ?= "2048"
86
87# args to openssl genrsa (Default is just the public exponent)
88FIT_KEY_GENRSA_ARGS ?= "-F4"
89UBOOT_FIT_KEY_GENRSA_ARGS ?= "-F4"
90
91# args to openssl req (Default is -batch for non interactive mode and
92# -new for new certificate)
93FIT_KEY_REQ_ARGS ?= "-batch -new"
94UBOOT_FIT_KEY_REQ_ARGS ?= "-batch -new"
95
96# Standard format for public key certificate
97FIT_KEY_SIGN_PKCS ?= "-x509"
98UBOOT_FIT_KEY_SIGN_PKCS ?= "-x509"
99
100# Functions on this bbclass can apply to either U-boot or Kernel,
101# depending on the scenario
102UBOOT_PN = "${@d.getVar('PREFERRED_PROVIDER_u-boot') or 'u-boot'}"
103KERNEL_PN = "${@d.getVar('PREFERRED_PROVIDER_virtual/kernel')}"
104
105# We need u-boot-tools-native if we're creating a U-Boot fitImage
106python() {
107    if d.getVar('UBOOT_FITIMAGE_ENABLE') == '1':
108        depends = d.getVar("DEPENDS")
109        depends = "%s u-boot-tools-native dtc-native" % depends
110        d.setVar("DEPENDS", depends)
111}
112
113concat_dtb_helper() {
114	if [ -e "${UBOOT_DTB_BINARY}" ]; then
115		ln -sf ${UBOOT_DTB_IMAGE} ${DEPLOYDIR}/${UBOOT_DTB_BINARY}
116		ln -sf ${UBOOT_DTB_IMAGE} ${DEPLOYDIR}/${UBOOT_DTB_SYMLINK}
117	fi
118
119	if [ -f "${UBOOT_NODTB_BINARY}" ]; then
120		install ${UBOOT_NODTB_BINARY} ${DEPLOYDIR}/${UBOOT_NODTB_IMAGE}
121		ln -sf ${UBOOT_NODTB_IMAGE} ${DEPLOYDIR}/${UBOOT_NODTB_SYMLINK}
122		ln -sf ${UBOOT_NODTB_IMAGE} ${DEPLOYDIR}/${UBOOT_NODTB_BINARY}
123	fi
124
125	# If we're not using a signed u-boot fit, concatenate SPL w/o DTB & U-Boot DTB
126	# with public key (otherwise it will be deployed by the equivalent
127	# concat_spl_dtb_helper function - cf. kernel-fitimage.bbclass for more details)
128	if [ "${SPL_SIGN_ENABLE}" != "1" ] ; then
129		deployed_uboot_dtb_binary='${DEPLOY_DIR_IMAGE}/${UBOOT_DTB_IMAGE}'
130		if [ "x${UBOOT_SUFFIX}" = "ximg" -o "x${UBOOT_SUFFIX}" = "xrom" ] && \
131			[ -e "$deployed_uboot_dtb_binary" ]; then
132			oe_runmake EXT_DTB=$deployed_uboot_dtb_binary
133			install ${UBOOT_BINARY} ${DEPLOYDIR}/${UBOOT_IMAGE}
134		elif [ -e "${DEPLOYDIR}/${UBOOT_NODTB_IMAGE}" -a -e "$deployed_uboot_dtb_binary" ]; then
135			cd ${DEPLOYDIR}
136			cat ${UBOOT_NODTB_IMAGE} $deployed_uboot_dtb_binary | tee ${B}/${CONFIG_B_PATH}/${UBOOT_BINARY} > ${UBOOT_IMAGE}
137
138			if [ -n "${UBOOT_CONFIG}" ]
139			then
140				i=0
141				j=0
142				for config in ${UBOOT_MACHINE}; do
143					i=$(expr $i + 1);
144					for type in ${UBOOT_CONFIG}; do
145						j=$(expr $j + 1);
146						if [ $j -eq $i ]
147						then
148							cp ${UBOOT_IMAGE} ${B}/${CONFIG_B_PATH}/u-boot-$type.${UBOOT_SUFFIX}
149						fi
150					done
151				done
152			fi
153		else
154			bbwarn "Failure while adding public key to u-boot binary. Verified boot won't be available."
155		fi
156	fi
157}
158
159concat_spl_dtb_helper() {
160
161	# We only deploy symlinks to the u-boot-spl.dtb,as the KERNEL_PN will
162	# be responsible for deploying the real file
163	if [ -e "${SPL_DIR}/${SPL_DTB_BINARY}" ] ; then
164		ln -sf ${SPL_DTB_IMAGE} ${DEPLOYDIR}/${SPL_DTB_SYMLINK}
165		ln -sf ${SPL_DTB_IMAGE} ${DEPLOYDIR}/${SPL_DTB_BINARY}
166	fi
167
168	# Concatenate the SPL nodtb binary and u-boot.dtb
169	deployed_spl_dtb_binary='${DEPLOY_DIR_IMAGE}/${SPL_DTB_IMAGE}'
170	if [ -e "${DEPLOYDIR}/${SPL_NODTB_IMAGE}" -a -e "$deployed_spl_dtb_binary" ] ; then
171		cd ${DEPLOYDIR}
172		cat ${SPL_NODTB_IMAGE} $deployed_spl_dtb_binary | tee ${B}/${CONFIG_B_PATH}/${SPL_BINARY} > ${SPL_IMAGE}
173	else
174		bbwarn "Failure while adding public key to spl binary. Verified U-Boot boot won't be available."
175	fi
176}
177
178
179concat_dtb() {
180	if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${PN}" = "${UBOOT_PN}" -a -n "${UBOOT_DTB_BINARY}" ]; then
181		mkdir -p ${DEPLOYDIR}
182		if [ -n "${UBOOT_CONFIG}" ]; then
183			for config in ${UBOOT_MACHINE}; do
184				CONFIG_B_PATH="$config"
185				cd ${B}/$config
186				concat_dtb_helper
187			done
188		else
189			CONFIG_B_PATH=""
190			cd ${B}
191			concat_dtb_helper
192		fi
193	fi
194}
195
196concat_spl_dtb() {
197	if [ "${SPL_SIGN_ENABLE}" = "1" -a "${PN}" = "${UBOOT_PN}" -a -n "${SPL_DTB_BINARY}" ]; then
198		mkdir -p ${DEPLOYDIR}
199		if [ -n "${UBOOT_CONFIG}" ]; then
200			for config in ${UBOOT_MACHINE}; do
201				CONFIG_B_PATH="$config"
202				cd ${B}/$config
203				concat_spl_dtb_helper
204			done
205		else
206			CONFIG_B_PATH=""
207			cd ${B}
208			concat_spl_dtb_helper
209		fi
210	fi
211}
212
213
214# Install UBOOT_DTB_BINARY to datadir, so that kernel can use it for
215# signing, and kernel will deploy UBOOT_DTB_BINARY after signs it.
216install_helper() {
217	if [ -f "${UBOOT_DTB_BINARY}" ]; then
218		# UBOOT_DTB_BINARY is a symlink to UBOOT_DTB_IMAGE, so we
219		# need both of them.
220		install -Dm 0644 ${UBOOT_DTB_BINARY} ${D}${datadir}/${UBOOT_DTB_IMAGE}
221		ln -sf ${UBOOT_DTB_IMAGE} ${D}${datadir}/${UBOOT_DTB_BINARY}
222	else
223		bbwarn "${UBOOT_DTB_BINARY} not found"
224	fi
225}
226
227# Install SPL dtb and u-boot nodtb to datadir,
228install_spl_helper() {
229	if [ -f "${SPL_DIR}/${SPL_DTB_BINARY}" ]; then
230		install -Dm 0644 ${SPL_DIR}/${SPL_DTB_BINARY} ${D}${datadir}/${SPL_DTB_IMAGE}
231		ln -sf ${SPL_DTB_IMAGE} ${D}${datadir}/${SPL_DTB_BINARY}
232	else
233		bbwarn "${SPL_DTB_BINARY} not found"
234	fi
235	if [ -f "${UBOOT_NODTB_BINARY}" ] ; then
236		install -Dm 0644 ${UBOOT_NODTB_BINARY} ${D}${datadir}/${UBOOT_NODTB_IMAGE}
237		ln -sf ${UBOOT_NODTB_IMAGE} ${D}${datadir}/${UBOOT_NODTB_BINARY}
238	else
239		bbwarn "${UBOOT_NODTB_BINARY} not found"
240	fi
241
242	# We need to install a 'stub' u-boot-fitimage + its to datadir,
243	# so that the KERNEL_PN can use the correct filename when
244	# assembling and deploying them
245	touch ${D}/${datadir}/${UBOOT_FITIMAGE_IMAGE}
246	touch ${D}/${datadir}/${UBOOT_ITS_IMAGE}
247}
248
249do_install:append() {
250	if [ "${PN}" = "${UBOOT_PN}" ]; then
251		if [ -n "${UBOOT_CONFIG}" ]; then
252			for config in ${UBOOT_MACHINE}; do
253				cd ${B}/$config
254				if [ "${UBOOT_SIGN_ENABLE}" = "1" -o "${UBOOT_FITIMAGE_ENABLE}" = "1" ] && \
255					[ -n "${UBOOT_DTB_BINARY}" ]; then
256					install_helper
257				fi
258				if [ "${UBOOT_FITIMAGE_ENABLE}" = "1" -a -n "${SPL_DTB_BINARY}" ]; then
259					install_spl_helper
260				fi
261			done
262		else
263			cd ${B}
264			if [ "${UBOOT_SIGN_ENABLE}" = "1" -o "${UBOOT_FITIMAGE_ENABLE}" = "1" ] && \
265				[ -n "${UBOOT_DTB_BINARY}" ]; then
266				install_helper
267			fi
268			if [ "${UBOOT_FITIMAGE_ENABLE}" = "1" -a -n "${SPL_DTB_BINARY}" ]; then
269				install_spl_helper
270			fi
271		fi
272	fi
273}
274
275do_uboot_generate_rsa_keys() {
276	if [ "${SPL_SIGN_ENABLE}" = "0" ] && [ "${UBOOT_FIT_GENERATE_KEYS}" = "1" ]; then
277		bbwarn "UBOOT_FIT_GENERATE_KEYS is set to 1 eventhough SPL_SIGN_ENABLE is set to 0. The keys will not be generated as they won't be used."
278	fi
279
280	if [ "${SPL_SIGN_ENABLE}" = "1" ] && [ "${UBOOT_FIT_GENERATE_KEYS}" = "1" ]; then
281
282		# Generate keys only if they don't already exist
283		if [ ! -f "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".key ] || \
284			[ ! -f "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".crt ]; then
285
286			# make directory if it does not already exist
287			mkdir -p "${SPL_SIGN_KEYDIR}"
288
289			echo "Generating RSA private key for signing U-Boot fitImage"
290			openssl genrsa ${UBOOT_FIT_KEY_GENRSA_ARGS} -out \
291				"${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".key \
292				"${UBOOT_FIT_SIGN_NUMBITS}"
293
294			echo "Generating certificate for signing U-Boot fitImage"
295			openssl req ${UBOOT_FIT_KEY_REQ_ARGS} "${UBOOT_FIT_KEY_SIGN_PKCS}" \
296				-key "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".key \
297				-out "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".crt
298		fi
299	fi
300
301}
302
303addtask uboot_generate_rsa_keys before do_uboot_assemble_fitimage after do_compile
304
305# Create a ITS file for the U-boot FIT, for use when
306# we want to sign it so that the SPL can verify it
307uboot_fitimage_assemble() {
308	uboot_its="$1"
309	uboot_nodtb_bin="$2"
310	uboot_dtb="$3"
311	uboot_bin="$4"
312	spl_dtb="$5"
313	uboot_csum="${UBOOT_FIT_HASH_ALG}"
314	uboot_sign_algo="${UBOOT_FIT_SIGN_ALG}"
315	uboot_sign_keyname="${SPL_SIGN_KEYNAME}"
316
317	rm -f $uboot_its $uboot_bin
318
319	# First we create the ITS script
320	cat << EOF >> $uboot_its
321/dts-v1/;
322
323/ {
324    description = "${UBOOT_FIT_DESC}";
325    #address-cells = <1>;
326
327    images {
328        uboot {
329            description = "U-Boot image";
330            data = /incbin/("$uboot_nodtb_bin");
331            type = "standalone";
332            os = "u-boot";
333            arch = "${UBOOT_ARCH}";
334            compression = "none";
335            load = <${UBOOT_LOADADDRESS}>;
336            entry = <${UBOOT_ENTRYPOINT}>;
337EOF
338
339	if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
340		cat << EOF >> $uboot_its
341            signature {
342                algo = "$uboot_csum,$uboot_sign_algo";
343                key-name-hint = "$uboot_sign_keyname";
344            };
345EOF
346	fi
347
348	cat << EOF >> $uboot_its
349        };
350        fdt {
351            description = "U-Boot FDT";
352            data = /incbin/("$uboot_dtb");
353            type = "flat_dt";
354            arch = "${UBOOT_ARCH}";
355            compression = "none";
356EOF
357
358	if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
359		cat << EOF >> $uboot_its
360            signature {
361                algo = "$uboot_csum,$uboot_sign_algo";
362                key-name-hint = "$uboot_sign_keyname";
363            };
364EOF
365	fi
366
367	cat << EOF >> $uboot_its
368        };
369    };
370
371    configurations {
372        default = "conf";
373        conf {
374            description = "Boot with signed U-Boot FIT";
375            loadables = "uboot";
376            fdt = "fdt";
377        };
378    };
379};
380EOF
381
382	#
383	# Assemble the U-boot FIT image
384	#
385	${UBOOT_MKIMAGE} \
386		${@'-D "${SPL_MKIMAGE_DTCOPTS}"' if len('${SPL_MKIMAGE_DTCOPTS}') else ''} \
387		-f $uboot_its \
388		$uboot_bin
389
390	if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
391		#
392		# Sign the U-boot FIT image and add public key to SPL dtb
393		#
394		${UBOOT_MKIMAGE_SIGN} \
395			${@'-D "${SPL_MKIMAGE_DTCOPTS}"' if len('${SPL_MKIMAGE_DTCOPTS}') else ''} \
396			-F -k "${SPL_SIGN_KEYDIR}" \
397			-K "$spl_dtb" \
398			-r $uboot_bin \
399			${SPL_MKIMAGE_SIGN_ARGS}
400	fi
401
402}
403
404do_uboot_assemble_fitimage() {
405	# This function runs in KERNEL_PN context. The reason for that is that we need to
406	# support the scenario where UBOOT_SIGN_ENABLE is placing the Kernel fitImage's
407	# pubkey in the u-boot.dtb file, so that we can use it when building the U-Boot
408	# fitImage itself.
409	if [ "${UBOOT_FITIMAGE_ENABLE}" = "1" ] && \
410	   [ -n "${SPL_DTB_BINARY}" -a "${PN}" = "${KERNEL_PN}" ] ; then
411		if [ "${UBOOT_SIGN_ENABLE}" != "1" ]; then
412			# If we're not signing the Kernel fitImage, that means
413			# we need to copy the u-boot.dtb from staging ourselves
414			cp -P ${STAGING_DATADIR}/u-boot*.dtb ${B}
415		fi
416		# As we are in the kernel context, we need to copy u-boot-spl.dtb from staging first.
417		# Unfortunately, need to glob on top of ${SPL_DTB_BINARY} since _IMAGE and _SYMLINK
418		# will contain U-boot's PV
419		# Similarly, we need to get the filename for the 'stub' u-boot-fitimage + its in
420		# staging so that we can use it for creating the image with the correct filename
421		# in the KERNEL_PN context.
422		# As for the u-boot.dtb (with fitimage's pubkey), it should come from the dependent
423		# do_assemble_fitimage task
424		cp -P ${STAGING_DATADIR}/u-boot-spl*.dtb ${B}
425		cp -P ${STAGING_DATADIR}/u-boot-nodtb*.bin ${B}
426		rm -rf ${B}/u-boot-fitImage-* ${B}/u-boot-its-*
427		kernel_uboot_fitimage_name=`basename ${STAGING_DATADIR}/u-boot-fitImage-*`
428		kernel_uboot_its_name=`basename ${STAGING_DATADIR}/u-boot-its-*`
429		cd ${B}
430		uboot_fitimage_assemble $kernel_uboot_its_name ${UBOOT_NODTB_BINARY} \
431					${UBOOT_DTB_BINARY} $kernel_uboot_fitimage_name \
432					${SPL_DTB_BINARY}
433	fi
434}
435
436addtask uboot_assemble_fitimage before do_deploy after do_compile
437
438do_deploy:prepend:pn-${UBOOT_PN}() {
439	if [ "${UBOOT_SIGN_ENABLE}" = "1" -a -n "${UBOOT_DTB_BINARY}" ] ; then
440		concat_dtb
441	fi
442
443	if [ "${UBOOT_FITIMAGE_ENABLE}" = "1" ] ; then
444	# Deploy the u-boot-nodtb binary and symlinks...
445		if [ -f "${SPL_DIR}/${SPL_NODTB_BINARY}" ] ; then
446			echo "Copying u-boot-nodtb binary..."
447			install -m 0644 ${SPL_DIR}/${SPL_NODTB_BINARY} ${DEPLOYDIR}/${SPL_NODTB_IMAGE}
448			ln -sf ${SPL_NODTB_IMAGE} ${DEPLOYDIR}/${SPL_NODTB_SYMLINK}
449			ln -sf ${SPL_NODTB_IMAGE} ${DEPLOYDIR}/${SPL_NODTB_BINARY}
450		fi
451
452
453		# We only deploy the symlinks to the uboot-fitImage and uboot-its
454		# images, as the KERNEL_PN will take care of deploying the real file
455		ln -sf ${UBOOT_FITIMAGE_IMAGE} ${DEPLOYDIR}/${UBOOT_FITIMAGE_BINARY}
456		ln -sf ${UBOOT_FITIMAGE_IMAGE} ${DEPLOYDIR}/${UBOOT_FITIMAGE_SYMLINK}
457		ln -sf ${UBOOT_ITS_IMAGE} ${DEPLOYDIR}/${UBOOT_ITS}
458		ln -sf ${UBOOT_ITS_IMAGE} ${DEPLOYDIR}/${UBOOT_ITS_SYMLINK}
459	fi
460
461	if [ "${SPL_SIGN_ENABLE}" = "1" -a -n "${SPL_DTB_BINARY}" ] ; then
462		concat_spl_dtb
463	fi
464
465
466}
467
468do_deploy:append:pn-${UBOOT_PN}() {
469	# If we're creating a u-boot fitImage, point u-boot.bin
470	# symlink since it might get used by image recipes
471	if [ "${UBOOT_FITIMAGE_ENABLE}" = "1" ] ; then
472		ln -sf ${UBOOT_FITIMAGE_IMAGE} ${DEPLOYDIR}/${UBOOT_BINARY}
473		ln -sf ${UBOOT_FITIMAGE_IMAGE} ${DEPLOYDIR}/${UBOOT_SYMLINK}
474	fi
475}
476
477python () {
478    if (   (d.getVar('UBOOT_SIGN_ENABLE') == '1'
479            or d.getVar('UBOOT_FITIMAGE_ENABLE') == '1')
480        and d.getVar('PN') == d.getVar('UBOOT_PN')
481        and d.getVar('UBOOT_DTB_BINARY')):
482
483        # Make "bitbake u-boot -cdeploy" deploys the signed u-boot.dtb
484        # and/or the U-Boot fitImage
485        d.appendVarFlag('do_deploy', 'depends', ' %s:do_deploy' % d.getVar('KERNEL_PN'))
486
487    if d.getVar('UBOOT_FITIMAGE_ENABLE') == '1' and d.getVar('PN') == d.getVar('KERNEL_PN'):
488        # As the U-Boot fitImage is created by the KERNEL_PN, we need
489        # to make sure that the u-boot-spl.dtb and u-boot-spl-nodtb.bin
490        # files are in the staging dir for it's use
491        d.appendVarFlag('do_uboot_assemble_fitimage', 'depends', ' %s:do_populate_sysroot' % d.getVar('UBOOT_PN'))
492
493        # If the Kernel fitImage is being signed, we need to
494        # create the U-Boot fitImage after it
495        if d.getVar('UBOOT_SIGN_ENABLE') == '1':
496            d.appendVarFlag('do_uboot_assemble_fitimage', 'depends', ' %s:do_assemble_fitimage' % d.getVar('KERNEL_PN'))
497            d.appendVarFlag('do_uboot_assemble_fitimage', 'depends', ' %s:do_assemble_fitimage_initramfs' % d.getVar('KERNEL_PN'))
498
499}
500