wolfBoot: add Yocto/OE secure bootloader recipes#164
wolfBoot: add Yocto/OE secure bootloader recipes#164dgarske wants to merge 3 commits intowolfSSL:masterfrom
Conversation
There was a problem hiding this comment.
Pull request overview
This PR introduces initial Yocto/OpenEmbedded support for wolfBoot inside meta-wolfssl, including recipes to build the bootloader, host-side key/sign tools, and a helper recipe/bbappend to produce and consume signed FIT images (notably for ZynqMP boot flows).
Changes:
- Add
wolfboot.incand recipes to buildwolfboot.elf, build native key/sign tooling, and sign the kernel FIT image. - Add a
xilinx-bootbinbbappend to swap the SSBL inBOOT.BINto wolfBoot when explicitly opted in viaEXTRA_IMAGEDEPENDS. - Register the new recipe globs and
PREFERRED_PROVIDER_wolfbootinconf/layer.conf.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| recipes-wolfssl/wolfboot/wolfboot_git.bb | Cross-compiles wolfboot.elf, generates keys, and deploys artifacts. |
| recipes-wolfssl/wolfboot/wolfboot.inc | Shared source/Licensing include with git fetch of wolfBoot + wolfSSL side-by-side. |
| recipes-wolfssl/wolfboot/wolfboot-signed-image.bb | Signs the kernel FIT image and deploys a versioned signed binary. |
| recipes-wolfssl/wolfboot/wolfboot-keytools-native_git.bb | Builds and installs wolfboot-keygen / wolfboot-sign as native tools. |
| recipes-wolfssl/wolfboot/README.md | Documents layer usage, workflow, and ZynqMP caveats. |
| recipes-bsp/bootbin/xilinx-bootbin_%.bbappend | Conditionally rewrites the BIF to use wolfboot.elf as SSBL on ZynqMP. |
| conf/layer.conf | Adds new BBFILES globs and sets PREFERRED_PROVIDER_wolfboot. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 7 out of 7 changed files in this pull request and generated 5 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 7 out of 7 changed files in this pull request and generated 5 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
Would it make sense for wolfBoot to use That's BitBake's standard mechanism for swapping bootloaders - vanilla Yocto and PetaLinux default to U-Boot via Instead of I'm not sure exactly what artifacts/tasks BitBake expects from a virtual/bootloader provider (deploy outputs, |
dgarske
changed the title
dgarske
force-pushed
the
wolfboot_bb
branch
2 times, most recently
from
f9a731e to
cd53f08
Compare
dgarske
force-pushed
the
wolfboot_bb
branch
2 times, most recently
from
22c5183 to
96e8e2a
Compare
Add wolfBoot secure boot support to meta-wolfssl. Four new recipes
cross-compile wolfboot.elf, build host-side signing/keygen tools,
and sign kernel FIT images with RSA4096+SHA3-384 for verified boot.
New recipes:
wolfboot.inc - shared SRC_URI, LICENSE, SRCREVs
wolfboot_git.bb - cross-compiles wolfboot.elf from a
user-selected config/examples/ template;
embeds a user-supplied RSA4096 public key
wolfboot-keytools-native_git.bb - native wolfboot-keygen / wolfboot-sign
wolfboot-signed-image.bb - signs kernel FIT with RSA4096+SHA3-384
Supporting files:
xilinx-bootbin_%.bbappend - replaces U-Boot with wolfBoot in BOOT.BIN
on ZynqMP (gated by WOLFBOOT_ENABLE="1");
uses BBFILES_DYNAMIC for meta-xilinx-tools
conf/layer.conf - registers wolfboot BBFILES globs and
PREFERRED_PROVIDER
README.md - usage guide, key provisioning, ZynqMP notes
Design decisions:
- Signing key is user-supplied out-of-band (WOLFBOOT_SIGNING_KEY) to
avoid leaking private key material through sstate or DEPLOY_DIR_IMAGE.
- wolfboot_git.bb uses raw make (not oe_runmake) because wolfBoot is a
bare-metal bootloader with its own -nostdlib/-ffreestanding toolchain
flags that conflict with Yocto's CC/CFLAGS/LDFLAGS injection.
- SRCREVs use weak assignment (?=) so downstream users can override via
local.conf to track unreleased upstream fixes.
Tested on AMD/Xilinx ZCU102 hardware with PetaLinux 2025.2:
FSBL -> PMU FW -> ATF -> wolfBoot (EL2) -> signed FIT -> Linux
WOLFBOOT_CONFIG="zynqmp_sdcard.config"
WOLFBOOT_LINUX_BOOTARGS_ROOT="/dev/mmcblk0p4"
Bumps SRC_URI to dgarske/wolfBoot fit_compressed and updates SRCREVs to
pull in the FIT ramdisk extraction (RAMDISK build switch +
linux,initrd-{start,end} DTB fixup) and the gzip subimage decompression
work. Required by ZynqMP boards (e.g. Gilat ZCU102) that ship the
initramfs as a separate FIT ramdisk node rather than bundling it into
the kernel image.
wolfssl SRCREV pinned to v5.9.1-stable to match what fit_compressed
points at via lib/wolfssl.
Validated end-to-end on ZCU102: FSBL -> ATF -> wolfBoot loads kernel +
ramdisk to 0x40000000, patches /chosen/linux,initrd-{start,end}, signed
image (RSA4096+SHA3-384) verifies, kernel boots and unpacks initramfs.
Good suggestion. The reason it doesn't simplify our ZynqMP case (and won't help Versal either): Where
|
Summary
wolfboot.elf, native signing/keygen tools, and RSA4096+SHA3-384 FIT imagesigning
xilinx-bootbinbbappend to replace U-Boot with wolfBoot inBOOT.BINon AMD/Xilinx ZynqMP (opt-in via
WOLFBOOT_ENABLE="1")WOLFBOOT_SIGNING_KEY) keeps private keymaterial out of sstate and deploy artifacts
New files
recipes-wolfssl/wolfboot/wolfboot.increcipes-wolfssl/wolfboot/wolfboot_git.bbwolfboot.elf; seeds.configfromconfig/examples/${WOLFBOOT_CONFIG}recipes-wolfssl/wolfboot/wolfboot-keytools-native_git.bbwolfboot-keygenandwolfboot-signutilitiesrecipes-wolfssl/wolfboot/wolfboot-signed-image.bbimage_v<N>_signed.binrecipes-wolfssl/wolfboot/README.mdrecipes-bsp/bootbin/xilinx-bootbin_%.bbappendBOOT.BIN(ZynqMP only, gated)conf/layer.conf(modified)BBFILES_DYNAMICfor bootbin,PREFERRED_PROVIDERKey design points
Signing key isolation --
WOLFBOOT_SIGNING_KEYis a user-suppliedabsolute path to a pre-generated RSA4096 DER private key. Recipes never
auto-generate or deploy private key material. Public key is derived at build
time and compiled into
wolfboot.elfviasrc/keystore.c.Bare-metal cross-compilation --
wolfboot_git.bbuses rawmake(not
oe_runmake) and unsetsCFLAGS/LDFLAGSto avoid Yocto hostflags leaking into the freestanding bootloader build.
KEYGEN_TOOLisoverridden to point at the native keygen, preventing the Makefile from
trying to cross-compile and execute an AArch64 keygen binary on x86_64.
Conditional bootbin override -- The bbappend only activates when
WOLFBOOT_ENABLE="1"is set in configuration. UsesBBFILES_DYNAMICso the layer doesn't hard-depend on
meta-xilinx-tools.Overridable SRCREVs --
wolfboot.incuses weak assignment (?=) forSRCREVs so downstream users can pin to specific commits via
local.confwithout patching the layer.