[RFC] qcom-capsule: integrate QDTE for OEM root cert injection (PoC) #2456
Igor Opaniuk (igoropaniuk) wants to merge 3 commits into
Conversation
Package the upstream PyPI pyfdt 0.3 release (Neil 'Superna' Armstrong's pure-Python flattened device tree library) as a -native recipe, primarily to satisfy QDTE's dtwrapper.py at build time. Placed under dynamic-layers/openembedded-layer/recipes-devtools/python/ so the recipe is only loaded when meta-oe provides the openembedded-layer collection. Signed-off-by: Igor Opaniuk <igor.opaniuk@oss.qualcomm.com>
QDTE (https://github.com/qualcomm/DTE) is a Tkinter device tree editor with a --nogui mode for scripted DTB / xbl_config.elf modification. The next commit wires it into the capsule build pipeline to inject the OEM root CA certificate into the post-DDR DTB embedded in xbl_config.elf. Placed under dynamic-layers/openembedded-layer/recipes-devtools/ because the recipe depends on python3-pyfdt-native, which lives in the same dynamic layer; both come and go together. Signed-off-by: Igor Opaniuk <igor.opaniuk@oss.qualcomm.com>
Switch the QcCapsuleRootCert injection step in patch_xblconfig_cert() from cbsp-boot-utilities (dump / set-dtb-property / replace) to QDTE's qdte --nogui --modify, which disassembles xbl_config.elf, edits the named DTB property, and reassembles in a single invocation. Signed-off-by: Igor Opaniuk <igor.opaniuk@oss.qualcomm.com>
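The edit the last commit message describes, replacing the value of the named DTB property (QcCapsuleRootCert) inside the post-DDR DTB, as an added example that is neither QDTE's, pyfdt's nor the recipe's own code: a stdlib-only walker that finds a property by node path and name in a bare DTB blob, splices in a new value of any length, fixes up the header (totalsize, off_dt_strings, size_dt_struct) and then reads the result back. It assumes a bare DTB (unwrapping it from xbl_config.elf is what qdte does and is not shown), a node path /firmware for the property (constructed for the example; the real node path is not stated on this page), that the strings block follows the struct block (the layout dtc produces), and it uses constructed stand-in certificate bytes rather than a real DER certificate.

```python
"""Find and replace one property inside a flattened device tree (DTB) blob.
Added example, stdlib only: tree layout, the /firmware node path and the
certificate bytes are constructed stand-ins, not QDTE, pyfdt or recipe code.
"""
import struct

FDT_MAGIC = 0xD00DFEED
FDT_BEGIN_NODE, FDT_END_NODE, FDT_PROP, FDT_NOP, FDT_END = 1, 2, 3, 4, 9
# magic, totalsize, off_dt_struct, off_dt_strings, off_mem_rsvmap, version,
# last_comp_version, boot_cpuid_phys, size_dt_strings, size_dt_struct
HDR = ">10I"

def _pad4(b: bytes) -> bytes:
    return b + b"\0" * (-len(b) % 4)

def build_dtb(root) -> bytes:
    """Serialise a (name, {prop: bytes}, [children]) tree into a v17 DTB."""
    strings, str_off, body = bytearray(), {}, bytearray()

    def nameoff(n):  # property names live in the strings block, deduplicated
        if n not in str_off:
            str_off[n] = len(strings)
            strings.extend(n.encode() + b"\0")
        return str_off[n]

    def emit(node):
        name, props, children = node
        body.extend(struct.pack(">I", FDT_BEGIN_NODE) + _pad4(name.encode() + b"\0"))
        for pn, pv in props.items():
            body.extend(struct.pack(">III", FDT_PROP, len(pv), nameoff(pn)) + _pad4(pv))
        for child in children:
            emit(child)
        body.extend(struct.pack(">I", FDT_END_NODE))

    emit(root)
    body.extend(struct.pack(">I", FDT_END))
    rsvmap = struct.pack(">QQ", 0, 0)  # empty memory reservation map
    off_struct = struct.calcsize(HDR) + len(rsvmap)
    off_strings = off_struct + len(body)
    hdr = struct.pack(HDR, FDT_MAGIC, off_strings + len(strings), off_struct, off_strings,
                      struct.calcsize(HDR), 17, 16, 0, len(strings), len(body))
    return hdr + rsvmap + bytes(body) + bytes(strings)

def walk_props(dtb: bytes):
    """Yield (node_path, prop_name, value_offset, value_len) for every property."""
    h = struct.unpack_from(HDR, dtb, 0)
    if h[0] != FDT_MAGIC:
        raise ValueError("not a DTB (bad magic)")
    pos, end, off_strings = h[2], h[2] + h[9], h[3]
    path = []
    while pos < end:
        tok = struct.unpack_from(">I", dtb, pos)[0]
        pos += 4
        if tok == FDT_BEGIN_NODE:
            nul = dtb.index(b"\0", pos)
            path.append(dtb[pos:nul].decode())
            pos = nul + 1 + (-(nul + 1) % 4)  # NUL-terminated name, 4-byte padded
        elif tok == FDT_END_NODE:
            path.pop()
        elif tok == FDT_PROP:
            length, nameoff = struct.unpack_from(">II", dtb, pos)
            pos += 8
            nul = dtb.index(b"\0", off_strings + nameoff)
            name = dtb[off_strings + nameoff:nul].decode()
            yield "/" + "/".join(p for p in path if p), name, pos, length
            pos += length + (-length % 4)
        elif tok == FDT_END:
            return
        elif tok != FDT_NOP:
            raise ValueError(f"bad token {tok:#x} at offset {pos - 4:#x}")

def get_prop(dtb: bytes, path: str, name: str) -> bytes:
    for p, n, off, ln in walk_props(dtb):
        if p == path and n == name:
            return dtb[off:off + ln]
    raise KeyError(f"{path}:{name}")

def set_prop(dtb: bytes, path: str, name: str, value: bytes) -> bytes:
    """Return a copy of dtb with path:name set to value; the length may change."""
    for p, n, off, ln in walk_props(dtb):
        if p == path and n == name:
            break
    else:
        raise KeyError(f"{path}:{name}")
    old_pad, new_pad = ln + (-ln % 4), len(value) + (-len(value) % 4)
    out = bytearray(dtb)
    out[off - 8:off - 4] = struct.pack(">I", len(value))  # FDT_PROP length field
    out[off:off + old_pad] = _pad4(value)  # splice; everything after it shifts
    h = list(struct.unpack_from(HDR, dtb, 0))
    delta = new_pad - old_pad
    h[1] += delta  # totalsize
    h[3] += delta  # off_dt_strings (assumes strings block follows struct block)
    h[9] += delta  # size_dt_struct
    struct.pack_into(HDR, out, 0, *h)
    return bytes(out)

def totalsize(dtb: bytes) -> int:
    return struct.unpack_from(HDR, dtb, 0)[1]

# Constructed stand-in for the OEM root CA in DER form; not a real certificate.
OEM_ROOT_DER = bytes.fromhex("308201a2a003020102020100") + b"\xaa" * 37
PLACEHOLDER = b"\0" * 4
SAMPLE_DTB = build_dtb(("", {"compatible": b"qcom,example\0"},
                        [("firmware", {"QcCapsuleRootCert": PLACEHOLDER,
                                       "status": b"okay\0"}, [])]))

def inject_root_cert(dtb: bytes, der: bytes) -> bytes:
    """Replace the placeholder cert, then read the final blob back before use."""
    patched = set_prop(dtb, "/firmware", "QcCapsuleRootCert", der)
    if get_prop(patched, "/firmware", "QcCapsuleRootCert") != der:
        raise RuntimeError("root cert did not round-trip")
    if totalsize(patched) != len(patched):  # header fix-up sanity check
        raise RuntimeError("header totalsize mismatch")
    return patched
```

Whatever tool performs the splice, the build should read the property back from the final blob and compare it byte for byte with the DER it meant to inject, which is what inject_root_cert does here: a wrong length field or a stale header offset is easy to miss by eye and is exactly what the read-back catches.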
xueqnie Could you please verify whether the integration of the FMP root certificate into

I've created qualcomm/DTE#5, which upstreams this series of patches to QDTE.

sure

Hi xueqnie, Thanks a lot for testing and confirming that it works for you. I really appreciate your help here. To help this PR land faster, could you please take a look at qualcomm/DTE#5 and leave your review there? The current PR is blocked until the DTE PR lands.
This PoC PR demonstrates that the QDTE tool (https://github.com/qualcomm/DTE/) can replace the cbsp-boot-utilities cert-injection step in the UEFI capsule pipeline. It packages QDTE with 5 recipe-local patches that make `--nogui` runnable on a minimal Yocto sysroot, but they haven't been sent upstream yet (no PRs created yet). Also, to make the integration cleaner, additional steps should be done in the QDTE project itself:

- `--nogui` from GUI properly. Patches 0001 and 0002 are stubs; the structural fix is moving `controller.py` and friends out of the headless import path entirely (`qdte/{core,gui,cli}/` split). Patches 0001+0002 go away when this lands.
- `pyproject.toml` + proper packaging. QDTE has no `pyproject.toml` / `setup.py` / package init. Adding one with `[project.scripts]` lets the recipe collapse to `inherit setuptools3 native` and drops the hand-rolled wrapper + PYTHONPATH gymnastics.
- `python` in `subprocess` with `sys.executable`. ~17 sites across `assemble.py`, `Autocmd.py`, `controller.py`, `non_hlos_parser.py`, `version_2_assemble.py`, `sign.py`, `XBLConfig/*.py`. Modern sysroots ship only `python3`. The current recipe carries an ephemeral `python -> python3` PATH shim, which is ugly and Yocto-specific. A nicer fix would be dropping the subprocess pattern entirely and importing the target modules directly.

I'd like to keep this RFC open for a while so it can serve as a reference for QDTE maintainers, outlining what we're trying to achieve and the scope of work needed to make this integration cleaner.