Hi Tom

Thanks for roping me in.

On Tue, 15 Apr 2025 at 01:53, Tom Rini <tr...@konsulko.com> wrote:
>
> On Sun, Apr 06, 2025 at 07:07:04AM +1200, Simon Glass wrote:
>
> > At present it is impossible to change the qemu_arm64 defconfig to
> > obtain a devicetree from the U-Boot build.
> >
> > This is necessary for FIT validation, for example, where the signature
> > node must be compiled into U-Boot.

I'll repeat once more, that using the DT to store whatever random data
you invent makes little sense. No one is obliged to follow internal
U-Boot ABIs. Instead, it would make much more sense to store the data in
the U-Boot binary somewhere and retrieve them. On top of that we now
have proper memory permissions at least for arm64 and you can place
certificates in .rodata.

> >
> > A proposed change to QEMU to allow device tree additions has been
> > blocked for several years.

It hasn't been blocked, it has been rejected.

> > The only known workaround is to use QEMU's
> > dumpdtb option, merge in the signature node manually, disable
> > OF_HAS_PRIOR_STAGE and then start QEMU with special arguments. This is
> > complicated enough that it is documented in U-Boot[1].
>
> This paragraph and then
>
> [snip]
> > + Note: this work-around is necessary since Linaro has blocked

Linaro hasn't blocked anything. The QEMU maintainers NAK'ed the patch
multiple times for a very good reason.
FWIW apart from the commit message being misleading once again, the
overall architecture is just unnecessarily complicated.

Cheers
/Ilias

> > + addition of a feature to support additions to the QEMU devicetree:
>
> This part of the help are overly antagonistic.
>
> [snip]
> > diff --git a/dts/Kconfig b/dts/Kconfig > > index 2e88d210bb8..53f7e246a80 100644 > > --- a/dts/Kconfig > > +++ b/dts/Kconfig
> > @@ -205,8 +205,13 @@ config OF_HAS_PRIOR_STAGE > > development purposes, but it is not recommended, and likely will not > > even work, for production systems. > > > > - Note: This option must be set in Kconfig and cannot be enabled or > > - disabled in the board's defconfig file. > > + Note: This option can be disabled for QEMU usiing QEMU_MANUAL_DTB > > thus > > + allowing QEMU to support FIT validation, where the devicetree must > > + include a public key. > > + > > + See also this for context: > > + > > + > > https://patchwork.kernel.org/project/qemu-devel/patch/20210926183410.256484-1-...@chromium.org/#24481799 > > And we don't need more wording here. The QEMU_MANUAL_DTB option itself > is enough. > > -- > Tom
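
Review bot: The added help text for OF_HAS_PRIOR_STAGE has a typo ("usiing"), and the removed note that the option "must be set in Kconfig and cannot be enabled or disabled in the board's defconfig file" is replaced by wording that only covers QEMU, so the help no longer says whether that restriction still applies to other boards. Suggest keeping the original restriction and adding the QEMU_MANUAL_DTB exception as a separate sentence. The "See also this for context" link points at review discussion rather than usage guidance; it fits better in the commit message than in Kconfig help, and the statement that FIT validation needs the public key in the devicetree can stay with the QEMU_MANUAL_DTB option itself.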