Hi Brian, On Tue, 3 Dec 2024 at 04:44, Brian Ruley <brian.ru...@gehealthcare.com> wrote: > > Hi Simon, > > On Wed, Nov 20, 2024 at 05:40:42AM -0700, Simon Glass wrote: > > > > WARNING: This email originated from outside of GE HealthCare. Please > > validate the sender's email address before clicking on links or attachments > > as they may not be safe. > > > > Hi Brian, > > > > On Mon, 4 Nov 2024 at 01:33, Brian Ruley <brian.ru...@gehealthcare.com> > > wrote: > > > > > > On Wed, Oct 30, 2024 at 09:23:46AM -0300, Fabio Estevam wrote: > > > > > > > > WARNING: This email originated from outside of GE HealthCare. Please > > > > validate the sender's email address before clicking on links or > > > > attachments as they may not be safe. > > > > > > > > Hi Brian, > > > > > > > > On Wed, Oct 30, 2024 at 5:08???AM Brian Ruley > > > > <brian.ru...@gehealthcare.com> wrote: > > > > > > > > > > Add coverage for IMX8M code siging. Create PKI tree and other assets > > > > > required by `cst' using `hab4_pki_tree.sh' script and `srktool' in > > > > > `cst_3.4.1' [1]. > > > > > > > > > > [1] https://www.nxp.com/webapp/Download?colCode=IMX_CST_TOOL_NEW > > > > > > > > > > Signed-off-by: Brian Ruley <brian.ru...@gehealthcare.com> > > > > > --- > > > > > Changes for v4: > > > > > - Rebased on master: > > > > > 340_nxp_imx8mcst.dts -> 343_nxp_imx8mcst.dts > > > > > 341_nxp_imx8mcst_fast_auth.dts -> 344_nxp_imx8mcst_fast_auth.dts > > > > > > > > Here is the result when I tried applying and testing this: > > > > > > > > $ git am > > > > ~/Downloads/v4-1-2-binman-nxp_imx8mcst-read-certificates-from-input-path.patch > > > > Applying: binman: nxp_imx8mcst: read certificates from input path > > > > Applying: binman: expand test coverage to nxp_imx8mcst > > > > .git/rebase-apply/patch:206: trailing whitespace. > > > > X509v3 Basic Constraints: > > > > .git/rebase-apply/patch:208: trailing whitespace. > > > > Netscape Comment: > > > > .git/rebase-apply/patch:210: trailing whitespace. > > > > X509v3 Subject Key Identifier: > > > > .git/rebase-apply/patch:212: trailing whitespace. > > > > X509v3 Authority Key Identifier: > > > > .git/rebase-apply/patch:333: trailing whitespace. > > > > X509v3 Basic Constraints: > > > > warning: squelched 7 whitespace errors > > > > warning: 12 lines add whitespace errors. > > > > > > > > > > > > $ ./tools/binman/binman test testNxpImx8mCstFastAuth > > > > ======================== Running binman tests ======================== > > > > E > > > > ====================================================================== > > > > ERROR: testNxpImx8mCstFastAuth (binman.ftest.TestFunctional) > > > > Test that binman can sign an iMX8M image using fast authentication > > > > ---------------------------------------------------------------------- > > > > ValueError: Error -11 running 'cst -i > > > > /tmp/binman.tf697xr9/nxp.csf-config-txt.nxp-imx8mcst -o > > > > /tmp/binman.tf697xr9/nxp.csf-output-blob.nxp-imx8mcst': > > > > > > > > ---------------------------------------------------------------------- > > > > Ran 1 test in 1.318s > > > > > > > > FAILED (errors=1) > > > > > > > > Any ideas? > > > > > > Hi Fabio, > > > > > > Strange, but I don't have a clue. I was able to find the bit of Python > > > where things go wrong in my reply to Simon: > > > > > > > Odd, -11 means that is the resouce is temporarily unavailable, no? I > > > > don't see how that could be caused by my changes. I managed to trace it > > > > to line 367 in `tools/u_boot_pylib/tools.py`, which takes us to > > > > the run_pipe() function in `tools/u_boot_pylib/commands.py`, where we > > > > wait on a pipe: > > > > > > > > 108: result.return_code = last_pipe.wait() > > > > > > I also described the environment I was running: > > > > > > > I've compiled the NXP Code Signing tool myself from version 3.4.1 > > > > and added that to path. The system I'm running on is: > > > > > > > > cat /etc/fedora-release && uname -msrv > > > > Fedora release 40 (Forty) > > > > Linux 6.10.12-200.fc40.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Sep 30 > > > > 21:38:25 UTC 2024 x86_64 > > > > > > > > Also, prior to running any tests, I've built the `tools-only_defconfig`. > > > > I admit that I find the test suites sightly confusing, so I might have > > > > missed something. > > > > > > I can try to run it in different environment to see if I can reproduce > > > the issue. > > > > I believe this is something wrong with the tool. This is on Ubuntu 22.04: > > > > $ binman test -X testNxpImx8mCst > > ======================== Running binman tests ======================== > > Preserving output dir: /tmp/binman.imy5s98_ > > Preserving input dir: /tmp/binmant.izmi883v > > E > > ====================================================================== > > ERROR: binman.ftest.TestFunctional.testNxpImx8mCst (subunit.RemotedTestCase) > > binman.ftest.TestFunctional.testNxpImx8mCst > > ---------------------------------------------------------------------- > > testtools.testresult.real._StringException: Traceback (most recent call > > last): > > ValueError: Error -11 running 'cst -i > > /tmp/binman.imy5s98_/nxp.csf-config-txt.nxp-imx8mcst -o > > /tmp/binman.imy5s98_/nxp.csf-output-blob.nxp-imx8mcst': > > > > > > ---------------------------------------------------------------------- > > Ran 1 test in 0.157s > > > > FAILED (errors=1) > > > > $ cst -i /tmp/binman.imy5s98_/nxp.csf-config-txt.nxp-imx8mcst -o > > /tmp/binman.imy5s98_/nxp.csf-output-blob.nxp-imx8mcst > > Install SRK > > Install CSFK > > Segmentation fault > > > > So the tool is segfaulting, for some reason. > > Yes, I've noticed that too. > > I'd suggest compiling the tool yourself, you can get it from: > > https://www.nxp.com/webapp/Download?colCode=IMX_CST_TOOL_NEW > > or: > > https://gitlab.apertis.org/pkg/imx-code-signing-tool/ > > or use the .deb package from Debian unstable: > > https://packages.debian.org/unstable/imx-code-signing-tool > > Pick your poison :)
The instructions in tools/binman/btool/cst.py install 'imx-code-signing-tool' So I get this: ii imx-code-signing-tool 3.3.1+dfsg-2ubuntu1 amd64 code signing tool for i.MX platform I suppose we could adjust that to build the tool from source, instead? We do that for fiptool, for example. Regards, Simon
