Both Torizon Core 7.0.0 and Torizon Core 7.1.0 fail to build when tdx-signed is declared in local.conf. Builds were successful until 6.8.0. 7.0.0 cannot evaluate secure boot, so please fix this issue ASAP. Please fix it as soon as possible.
Another error occurs and the build does not succeed.
another error log
ERROR: u-boot-toradex-1_2024.07-r0 do_patch: QA Issue: Fuzz detected:
Applying patch 0004-toradex-integrate-bootargs-protection-downstream.patch
patching file Kconfig
Hunk #1 succeeded at 762 (offset 14 lines).
Hunk #2 succeeded at 799 (offset 14 lines).
patching file boot/fdt_support.c
Hunk #1 succeeded at 27 with fuzz 2 (offset 4 lines).
Hunk #2 succeeded at 318 (offset 4 lines).
The context lines in the patches can be updated with devtool:
devtool modify u-boot-toradex
devtool finish --force-patch-refresh u-boot-toradex <layer_path>
Don't forget to review changes done by devtool!
Patch log indicates that patches do not apply cleanly. [patch-fuzz]
ERROR: u-boot-toradex-1_2024.07-r0 do_patch: Fatal QA errors were found, failing task.
ERROR: Logfile of failure stored in: /work/tcbuild/build-torizon/tmp/work/apalis_imx8-tdx-linux/u-boot-toradex/2024.07/temp/log.do_patch.24868
NOTE: recipe u-boot-toradex-1_2024.07-r0: task do_patch: Failed
ERROR: Task (/work/tcbuild/build-torizon/conf/../../layers/meta-toradex-bsp-common/recipes-bsp/u-boot/u-boot-toradex_2024.07.bb:do_patch) failed with exit code '1'
Both errors seem to be caused by the fact that Torizon Core 7.0.0 now builds v2024.07 into the u-boot version, but the meta-toradex-security patch has not been corrected to patch v2024.07 correctly.
Hi, I’m the Toradex AI Assistant. The Toradex Support team will follow up with you shortly!
Did you like my answer?
Hello,
It seems you’re encountering build errors with Torizon Core 7.0.0 and 7.1.0 when using the ‘tdx-signed’ class, which were not present in version 6.8.0. The errors are related to patch application failures in U-Boot, likely due to changes in the U-Boot version used in Torizon Core 7.x.
To address these issues, consider the following steps:
Patch Compatibility: Ensure that the patches applied to U-Boot are compatible with the version being used. The error indicates that the patch 0001-bootm-don-t-use-HAB-to-authenticate-FIT-image.patch is failing. This might be due to changes in the U-Boot source code that make the patch incompatible.
Refreshing Patches: You can try refreshing the patches to ensure they apply cleanly to the new U-Boot version. This involves updating the patch context lines to match the current source code. The devtool command in Yocto can assist with this:
Use devtool modify u-boot-toradex to set up a workspace.
Apply the patch manually and resolve any conflicts.
Use devtool finish --force-patch-refresh u-boot-toradex <layer_path> to update the patch.
Check for Updates: Verify if there are any updates or new patches from Toradex that address these issues. Sometimes, the meta layers are updated to fix such compatibility problems.
Review Configuration: Double-check your local.conf and other configuration files to ensure they are set up correctly for the new version.
By following these steps, you should be able to resolve the patch application errors and successfully build Torizon Core 7.x with Secure Boot enabled.
Best regards,
Toradex AI Assistant
Please, also check if these links can help you solve your problem:
I just tried this build using our latest 7.X meta-layers and it succeeded fine on my end without issues. Also if you’re using the composefs (CFS) features then you should be inheriting torizon-signed instead of tdx-signed as documented here: Secure Boot | Toradex Developer Center
Though the most glaring issue and what I believe the cause of this is, is the fact that your build is using 2024.07 U-Boot for some reason. Based on your logs it appears you are building for the Apalis i.MX8, correct?
If that is true, then the build should be using the downstream 2024.04 U-Boot not the 2024.07, which is used for some of our other modules, but not the Apalis imx8. You can even see what the expected version is for U-Boot per module in our release matrix here: Release Matrix - Kernel/U-Boot Version | Toradex Developer Center
Based on your logs it appears you are building for the Apalis i.MX8, correct?
Yes, you are right. I specified apalis-imx8 in MACHINE before building. The build command in my first post was incomplete. I had correctly done the following.
You should review your machine configuration to make sure that the Apalis i.MX8 is using the expected 2024.04 U-Boot version. The patches for U-Boot are version specific, and for the Apalis i.MX8 we assume the version of U-Boot is 2024.04. If the version is anything else, as seems to be the case in your build, then the patches will obviously fail to apply properly as you saw.
I fixed the PREFERRED_VERSION_u-boot-toradex in apalis-imx8.conf and the build error was resolved. I found the same problem reported here.
Thanks to you I noticed the problem with the configuration file. Thank you very much.