
[RFC] qcom-capsule: integrate QDTE for OEM root cert injection (PoC)#2456

Open

Igor Opaniuk (igoropaniuk) wants to merge 3 commits into qualcomm-linux:master from igoropaniuk:feat/qdte-capsule-cert-injection

Conversation

Igor Opaniuk (@igoropaniuk), Contributor, commented Jun 15, 2026

This PoC PR demonstrates that the QDTE tool (https://github.com/qualcomm/DTE/) can replace the cbsp-boot-utilities cert-injection step in the UEFI capsule pipeline. It packages QDTE with 5 recipe-local patches that make --nogui runnable on a minimal Yocto sysroot, but they haven't been sent upstream yet (no PRs created yet).

Also, to make the integration cleaner, additional steps should be done in the QDTE project itself:

  1. Decouple --nogui from GUI properly. Patches 0001 and 0002 are stubs; the structural fix is moving controller.py and friends out of the headless import path entirely (qdte/{core,gui,cli}/ split). Patches 0001+0002 go away when this lands.
  2. Add pyproject.toml + proper packaging. QDTE has no pyproject.toml / setup.py / package init. Adding one with [project.scripts] lets the recipe collapse to inherit setuptools3 native and drops the hand-rolled wrapper + PYTHONPATH gymnastics.
  3. Resolve the pyfdt API divergence. QDTE expects an internal pyfdt fork that's never been published. PyPI pyfdt 0.3 (Neil Armstrong, 2014) is the only public release and is effectively unmaintained. My plan is to make the transition to the libfdt package.
  4. Replace bare python in subprocess with sys.executable. ~17 sites across assemble.py, Autocmd.py, controller.py, non_hlos_parser.py, version_2_assemble.py, sign.py, XBLConfig/*.py. Modern sysroots ship only python3. The current recipe carries an ephemeral python -> python3 PATH shim, which is ugly and Yocto-specific. A nicer fix would be dropping the subprocess pattern entirely and importing the target modules directly.

I’d like to keep this RFC open for a while so it can serve as a reference for QDTE maintainers, outlining what we’re trying to achieve and the scope of work needed to make this integration cleaner.

Package the upstream PyPI pyfdt 0.3 release (Neil 'Superna'
Armstrong's pure-Python flattened device tree library) as a -native
recipe, primarily to satisfy QDTE's dtwrapper.py at build time.

Placed under dynamic-layers/openembedded-layer/recipes-devtools/python/
so the recipe is only loaded when meta-oe provides the
openembedded-layer collection.

Signed-off-by: Igor Opaniuk <igor.opaniuk@oss.qualcomm.com>

QDTE (https://github.com/qualcomm/DTE) is a Tkinter device tree
editor with a --nogui mode for scripted DTB / xbl_config.elf
modification.  The next commit wires it into the capsule build
pipeline to inject the OEM root CA certificate into the post-DDR
DTB embedded in xbl_config.elf.

Placed under dynamic-layers/openembedded-layer/recipes-devtools/
because the recipe depends on python3-pyfdt-native, which lives in
the same dynamic layer; both come and go together.

Signed-off-by: Igor Opaniuk <igor.opaniuk@oss.qualcomm.com>

Switch the QcCapsuleRootCert injection step in
patch_xblconfig_cert() from cbsp-boot-utilities (dump / set-dtb-
property / replace) to QDTE's qdte --nogui --modify, which
disassembles xbl_config.elf, edits the named DTB property, and
reassembles in a single invocation.

Signed-off-by: Igor Opaniuk <igor.opaniuk@oss.qualcomm.com>
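A build-time check for the injected property, as an added example that is not code from this PR or from QDTE: it walks a flattened device tree directly and reports the SHA-256 of the QcCapsuleRootCert value, so the DTB extracted from xbl_config.elf can be compared against the OEM's expected root CA fingerprint. It assumes the property sits on the root node (the PR does not state the node path); build_dtb exists only to construct test input.

```python
import hashlib
import struct
FDT_MAGIC = 0xD00DFEED
FDT_BEGIN_NODE, FDT_END_NODE, FDT_PROP, FDT_END = 1, 2, 3, 9
CERT_PROP = "QcCapsuleRootCert"  # name from the PR; root-node placement is an assumption

def _pad4(b: bytes) -> bytes:
    return b + b"\0" * (-len(b) % 4)

def build_dtb(props: dict) -> bytes:  # minimal v17 DTB, root node only (constructed input)
    strings = b""
    body = struct.pack(">I", FDT_BEGIN_NODE) + _pad4(b"\0")  # root node has an empty name
    for name, value in props.items():
        body += struct.pack(">III", FDT_PROP, len(value), len(strings)) + _pad4(value)
        strings += name.encode() + b"\0"
    body += struct.pack(">II", FDT_END_NODE, FDT_END)
    rsvmap = struct.pack(">QQ", 0, 0)  # empty memory reservation map terminator
    off_struct = 40 + len(rsvmap)
    off_strings = off_struct + len(body)
    header = struct.pack(">10I", FDT_MAGIC, off_strings + len(strings), off_struct,
                         off_strings, 40, 17, 16, 0, len(strings), len(body))
    return header + rsvmap + body + strings

def get_root_property(dtb: bytes, wanted: str):  # value of a root-node property, or None
    hdr = struct.unpack_from(">10I", dtb, 0)
    if hdr[0] != FDT_MAGIC:
        raise ValueError("not a flattened device tree")
    off_strings, size_struct = hdr[3], hdr[9]
    pos, end, depth = hdr[2], hdr[2] + size_struct, 0
    while pos < end:  # unknown tokens (NOP, END) simply advance 4 bytes
        token = struct.unpack_from(">I", dtb, pos)[0]
        pos += 4
        if token == FDT_BEGIN_NODE:  # NUL-terminated name, padded to 4 bytes
            depth += 1
            pos += (dtb.index(b"\0", pos) - pos + 4) & ~3
        elif token == FDT_END_NODE:
            depth -= 1
        elif token == FDT_PROP:  # len, nameoff, then value padded to 4 bytes
            length, nameoff = struct.unpack_from(">II", dtb, pos)
            pos += 8
            name = dtb[off_strings + nameoff:dtb.index(b"\0", off_strings + nameoff)]
            if depth == 1 and name.decode() == wanted:
                return dtb[pos:pos + length]
            pos += (length + 3) & ~3
    return None

def root_cert_fingerprint(dtb: bytes):  # SHA-256 hex of the injected cert, or None if absent
    cert = get_root_property(dtb, CERT_PROP)
    return hashlib.sha256(cert).hexdigest() if cert is not None else None
```

Comparing the returned fingerprint against the value the OEM published for its capsule signing root catches a wrong or stale certificate before the capsule image is signed.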
Igor Opaniuk (@igoropaniuk), Contributor, Author, commented

@xueqnie Could you please verify whether the integration of the FMP root certificate into uefi_dtbs.elf works as expected on your end, and confirm that the Hamoa platform still boots successfully? Unfortunately, I don't have access to a Hamoa device to test this myself.

Igor Opaniuk (@igoropaniuk), Contributor, Author, commented

I've created qualcomm/DTE#5, which upstreams this series of patches to QDTE.

xueqnie (@xueqnie), Contributor, commented Jun 29, 2026

> @xueqnie Could you please verify whether the integration of the FMP root certificate into uefi_dtbs.elf works as expected on your end, and confirm that the Hamoa platform still boots successfully? Unfortunately, I don't have access to a Hamoa device to test this myself.

sure

xueqnie (@xueqnie), Contributor, commented Jul 2, 2026

> @xueqnie Could you please verify whether the integration of the FMP root certificate into uefi_dtbs.elf works as expected on your end, and confirm that the Hamoa platform still boots successfully? Unfortunately, I don't have access to a Hamoa device to test this myself.

> sure

Test completed — certificate injection via QDTE and capsule update succeeded. Two commits were added on top of your PR to provide support.

Igor Opaniuk (@igoropaniuk), Contributor, Author, commented

Hi xueqnie,

Thanks a lot for testing and confirming that it works for you. I really appreciate your help here.

To help this PR land faster, could you please take a look at qualcomm/DTE#5 and leave your review there? The current PR is blocked until the DTE PR lands.
