wolfBoot: initial Yocto/OE recipes

[dgarske]

Add wolfBoot support to meta-wolfssl alongside the existing wolfssl, wolftpm, wolfssh, etc. recipes.

recipes-wolfssl/wolfboot/
wolfboot.inc - shared SRC_URI / LICENSE
wolfboot_git.bb - cross-compiles wolfboot.elf,
generates RSA4096 signing keys,
seeds .config from
config/examples/${WOLFBOOT_CONFIG}
wolfboot-keytools-native_git.bb - host wolfboot-keygen / wolfboot-sign
wolfboot-signed-image.bb - signs the kernel FIT image with
RSA4096+SHA3-384 (configurable
KERNEL_PN / WOLFBOOT_FIT_IMAGE)
README.md - layer usage, ZynqMP caveats

recipes-bsp/bootbin/
xilinx-bootbin_%.bbappend - swaps U-Boot for wolfBoot.elf in
BOOT.BIN on ZynqMP; only activates
when wolfboot-signed-image is in
EXTRA_IMAGEDEPENDS

conf/layer.conf picks up the new BBFILES globs and registers PREFERRED_PROVIDER_wolfboot.

Tested on AMD/Xilinx ZCU102 + PetaLinux 2025.2: SD-card verified boot (FSBL -> PMU FW -> ATF -> wolfBoot -> signed FIT -> Linux login) using WOLFBOOT_CONFIG="zynqmp_sdcard.config" and
WOLFBOOT_LINUX_BOOTARGS_ROOT="/dev/mmcblk0p4".

[Copilot]

Pull request overview

This PR introduces initial Yocto/OpenEmbedded support for wolfBoot inside meta-wolfssl, including recipes to build the bootloader, host-side key/sign tools, and a helper recipe/bbappend to produce and consume signed FIT images (notably for ZynqMP boot flows).

Changes:

• Add wolfboot.inc and recipes to build wolfboot.elf, build native key/sign tooling, and sign the kernel FIT image.
• Add a xilinx-bootbin bbappend to swap the SSBL in BOOT.BIN to wolfBoot when explicitly opted in via EXTRA_IMAGEDEPENDS.
• Register the new recipe globs and PREFERRED_PROVIDER_wolfboot in conf/layer.conf.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
recipes-wolfssl/wolfboot/wolfboot_git.bb	Cross-compiles wolfboot.elf, generates keys, and deploys artifacts.
recipes-wolfssl/wolfboot/wolfboot.inc	Shared source/Licensing include with git fetch of wolfBoot + wolfSSL side-by-side.
recipes-wolfssl/wolfboot/wolfboot-signed-image.bb	Signs the kernel FIT image and deploys a versioned signed binary.
recipes-wolfssl/wolfboot/wolfboot-keytools-native_git.bb	Builds and installs wolfboot-keygen / wolfboot-sign as native tools.
recipes-wolfssl/wolfboot/README.md	Documents layer usage, workflow, and ZynqMP caveats.
recipes-bsp/bootbin/xilinx-bootbin_%.bbappend	Conditionally rewrites the BIF to use wolfboot.elf as SSBL on ZynqMP.
conf/layer.conf	Adds new BBFILES globs and sets PREFERRED_PROVIDER_wolfboot.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 5 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The key file pointed to by WOLFBOOT_SIGNING_KEY is an external input that BitBake will not checksum. If the key’s contents change without changing the path (e.g., overwriting the same .der file), sstate/stamps may allow reuse of an older wolfboot.elf/signed image built with the previous key. It would help to document that key rotation should use a new filename/path or that -c cleansstate is required for wolfboot and wolfboot-signed-image when reusing the same path.

Suggested change

	2. Update `WOLFBOOT_SIGNING_KEY` to the new private key path.
	3. Build: `wolfboot.elf` embeds the new public key, and
	`image_v<N>_signed.bin` is signed with the new private key.
	4. Flash the new `BOOT.BIN` (contains new `wolfboot.elf`) to the device,
	followed by a signed update image signed with the new key.
	2. Update `WOLFBOOT_SIGNING_KEY` to the new private key path. Prefer a
	**new filename/path** for each rotated key rather than overwriting an
	existing `.der` file in place.
	3. Build: `wolfboot.elf` embeds the new public key, and
	`image_v<N>_signed.bin` is signed with the new private key.
	4. Flash the new `BOOT.BIN` (contains new `wolfboot.elf`) to the device,
	followed by a signed update image signed with the new key.
	If you reuse the same `WOLFBOOT_SIGNING_KEY` path and only replace the
	file contents, BitBake may reuse prior sstate/stamps because the external
	key file contents are not checksummed automatically. In that case, run:
	`bitbake -c cleansstate wolfboot wolfboot-signed-image`
	before rebuilding, so both `wolfboot.elf` and the signed image are
	regenerated with the new key material.

[Copilot]

The wolfboot-keygen invocation is followed by || true, which will silently ignore any failure to generate/update src/keystore.c. That can produce a wolfboot.elf that verifies with an unexpected key (or with a stale keystore) without failing the build. Please remove the unconditional error suppression, or explicitly detect/handle the known non-fatal exit condition (e.g., by checking the expected output file was regenerated and failing otherwise).

Suggested change

	install -m 0600 ${WOLFBOOT_SIGNING_KEY} ${S}/wolfboot_signing_private_key.der
	wolfboot-keygen --rsa4096 -g ${S}/wolfboot_signing_private_key.der --nolocalkeys || true
	rm -f ${S}/wolfboot_signing_private_key.der
	WOLFBOOT_TMP_SIGNING_KEY="${S}/wolfboot_signing_private_key.der"
	install -m 0600 ${WOLFBOOT_SIGNING_KEY} ${WOLFBOOT_TMP_SIGNING_KEY}
	wolfboot-keygen --rsa4096 -g ${WOLFBOOT_TMP_SIGNING_KEY} --nolocalkeys
	if [ ! -s "${S}/src/keystore.c" ]; then
	rm -f ${WOLFBOOT_TMP_SIGNING_KEY}
	bbfatal "wolfboot-keygen did not generate a valid ${S}/src/keystore.c"
	fi
	rm -f ${WOLFBOOT_TMP_SIGNING_KEY}

[Copilot]

do_compile() writes the signed output alongside the input in DEPLOY_DIR_IMAGE (because wolfboot-sign emits next to the input). Modifying the shared deploy directory during do_compile can cause races/overwrites in parallel builds (or multiconfig) and makes the task less isolated/reproducible. Consider copying the FIT image into ${B} first and running wolfboot-sign on the local copy so all outputs are produced under ${WORKDIR} and only published in do_deploy().

Suggested change

	wolfboot-sign --rsa4096 --sha3 \
	${DEPLOY_DIR_IMAGE}/${WOLFBOOT_FIT_IMAGE} \
	${WOLFBOOT_SIGNING_KEY} \
	${WOLFBOOT_IMAGE_VERSION}
	cp ${DEPLOY_DIR_IMAGE}/${WOLFBOOT_FIT_IMAGE}_v${WOLFBOOT_IMAGE_VERSION}_signed.bin ${B}/
	# Copy the FIT image into ${B} first so signing outputs stay within the
	# recipe work directory; only do_deploy() should publish to deploy dirs.
	install -d ${B}
	cp ${DEPLOY_DIR_IMAGE}/${WOLFBOOT_FIT_IMAGE} ${B}/
	wolfboot-sign --rsa4096 --sha3 \
	${B}/${WOLFBOOT_FIT_IMAGE} \
	${WOLFBOOT_SIGNING_KEY} \
	${WOLFBOOT_IMAGE_VERSION}

[Copilot]

Before invoking wolfboot-sign, consider validating that ${DEPLOY_DIR_IMAGE}/${WOLFBOOT_FIT_IMAGE} exists and is a regular file (and emit a clear bbfatal if not). As written, a missing/renamed FIT image will fail with a less actionable error coming from the signing tool.

Suggested change

	# Sign the FIT image with RSA4096 + SHA3-384 using the user-supplied
	# signing key. wolfboot-sign emits:
	# <input>_v<version>_signed.bin alongside the input.
	wolfboot-sign --rsa4096 --sha3 \
	${DEPLOY_DIR_IMAGE}/${WOLFBOOT_FIT_IMAGE} \
	fit_image="${DEPLOY_DIR_IMAGE}/${WOLFBOOT_FIT_IMAGE}"
	if [ ! -f "$fit_image" ]; then
	bbfatal "Expected FIT image '$fit_image' does not exist or is not a regular file. Check WOLFBOOT_FIT_IMAGE and ensure ${KERNEL_PN}:do_deploy produced the expected kernel FIT image."
	fi
	# Sign the FIT image with RSA4096 + SHA3-384 using the user-supplied
	# signing key. wolfboot-sign emits:
	# <input>_v<version>_signed.bin alongside the input.
	wolfboot-sign --rsa4096 --sha3 \
	"$fit_image" \

[Copilot]

The bbappend’s opt-in check relies on EXTRA_IMAGEDEPENDS being set in global configuration (e.g., local.conf). If a user sets EXTRA_IMAGEDEPENDS only inside an image recipe, that value will not be visible while parsing xilinx-bootbin, so the bbappend will stay inert and BOOT.BIN will still use U-Boot. Either document that this must be set in configuration, or switch the gating to a dedicated config variable intended for cross-recipe behavior (e.g., WOLFBOOT_ENABLE = "1").