On 9/26/19 8:59 AM, Westermann, Oliver wrote:
> Hey,
>
> I’m trying to implement a bootloader-signing mechanism within yocto for
> extended secure-boot support. The bootloader and its recipes are provided
> by NXP (in this case it’s the imx-boot_*.bb recipe from meta-freescale) and
> I want to use a secondary recipe which I am creating to sign the resulting
> boot binary. My issue is that the NXP code signing tool needs some info
> about the binary to sign. These details are sent to stdout by imx-mkimage
> tool, which is called by the imx boot makefile (used here:
> https://github.com/Freescale/meta-freescale/blob/master/recipes-bsp/imx-mkimage/imx-boot_0.2.bb#L104).
>

In the cases I know of, most code signing is either done in the recipe itself (via an added task from a special class after install and prior to packaging) or it's being done at rootfs/image generation time.

> I can override the compile step of imx-boot to save stdout into a file,
> deploy this file and later parse it to extract the offset dump, but that
> feels “ugly” and the file is by no means an output of the imx-boot recipe
> for the target system, but for another step. Is there any recommended way
> to parse such variable metadata between recipes?

Namespace is local to a recipe. The only way you can share from one namespace to another is to write the data into a file, and then load it in the second. That is done occasionally for link time settings and such. (i.e. pkgconfig).

--Mark

> Olli