uuu installer: remove -t option and determine by filename

The `-t` option to program images with TrustFence didn't make
much sense because the install script is dynamically generated
at build time with the names of the boot artifacts, and those
filenames contain "signed/encrypted".

This commit:
 - Removes `-t` option to simplify the script.
 - Determines if programming a signed/encrypted bootloader by
   looking at the bootloader filename.
 - For NXP platforms, reworks the function that updates the
   bootloader to properly program only-signed bootloaders (currently
   wrongly using `trustfence update`)

Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Hector Palacios 2025-06-27 21:21:06 +02:00
parent 1038192b11
commit 01107a1d87
8 changed files with 175 additions and 110 deletions


@ -1,7 +1,7 @@
#!/bin/sh #!/bin/sh
#=============================================================================== #===============================================================================
# #
# Copyright (C) 2021-2024 by Digi International Inc. # Copyright (C) 2021-2025 by Digi International Inc.
# All rights reserved. # All rights reserved.
# #
# This program is free software; you can redistribute it and/or modify it # This program is free software; you can redistribute it and/or modify it
@ -42,7 +42,6 @@ show_usage()
echo " -k <dek-filename> Update includes dek file." echo " -k <dek-filename> Update includes dek file."
echo " (implies -t)." echo " (implies -t)."
echo " -n No wait. Skips 10 seconds delay to stop script." echo " -n No wait. Skips 10 seconds delay to stop script."
echo " -t Install Trustfence artifacts."
echo " -u <u-boot-filename> U-Boot filename." echo " -u <u-boot-filename> U-Boot filename."
echo " Auto-determined by variant if not provided." echo " Auto-determined by variant if not provided."
exit 2 exit 2
@ -61,23 +60,27 @@ part_update()
echo "=====================================================================================" echo "====================================================================================="
echo "\033[0m" echo "\033[0m"
if [ "${TRUSTFENCE}" = "true" ] && [ "${1}" = "bootloader" ]; then if [ "${1}" = "bootloader" ]; then
uuu fb: download -f "${2}" if [ "${ENCRYPTED}" = "true" ]; then
if [ -n "${DEK_FILE}" ]; then uuu fb: download -f "${2}"
uuu fb: ucmd setenv uboot_size \${filesize} if [ -n "${DEK_FILE}" ]; then
uuu fb: ucmd setenv fastboot_buffer \${initrd_addr} # Encrypted bootloader + dek
uuu fb: download -f "${3}" uuu fb: ucmd setenv uboot_size \${filesize}
uuu fb: ucmd setenv dek_size \${filesize} uuu fb: ucmd setenv fastboot_buffer \${initrd_addr}
uuu fb: ucmd trustfence update ram \${loadaddr} \${uboot_size} \${initrd_addr} \${dek_size} uuu fb: download -f "${3}"
uuu fb: ucmd setenv dek_size \${filesize}
uuu fb: ucmd trustfence update ram \${loadaddr} \${uboot_size} \${initrd_addr} \${dek_size}
else
# Encrypted bootloader (re-use existing dek)
uuu fb: ucmd trustfence update ram \${fastboot_buffer} \${fastboot_bytes}
fi
else else
uuu fb: ucmd trustfence update ram \${fastboot_buffer} \${fastboot_bytes} # Non-encrypted bootloader (can be signed or not)
uuu fb: flash "${1}" "${2}"
fi fi
else else
if [ "${1}" = "bootloader" ]; then # Non-bootloader image
uuu fb: flash "${1}" "${2}" uuu fb: flash -raw2sparse "${1}" "${2}"
else
uuu fb: flash -raw2sparse "${1}" "${2}"
fi
fi fi
} }
@ -91,7 +94,7 @@ echo "############################################################"
# -i <image-name> # -i <image-name>
# -u <u-boot-filename> # -u <u-boot-filename>
# -k <dek-filename> # -k <dek-filename>
while getopts ':bdhi:k:ntu:' c while getopts ':bdhi:k:nu:' c
do do
if [ "${c}" = ":" ]; then if [ "${c}" = ":" ]; then
c="${OPTARG}" c="${OPTARG}"
@ -107,7 +110,6 @@ do
i) IMAGE_NAME=${OPTARG} ;; i) IMAGE_NAME=${OPTARG} ;;
k) DEK_FILE=${OPTARG} ;; k) DEK_FILE=${OPTARG} ;;
n) NOWAIT=true ;; n) NOWAIT=true ;;
t) TRUSTFENCE=true ;;
u) INSTALL_UBOOT_FILENAME=${OPTARG} ;; u) INSTALL_UBOOT_FILENAME=${OPTARG} ;;
esac esac
done done
@ -161,6 +163,14 @@ if [ -z ${INSTALL_UBOOT_FILENAME} ]; then
fi fi
fi fi
# Determine if bootloader is signed and/or encrypted
if echo "$INSTALL_UBOOT_FILENAME" | grep -q -e "signed"; then
SIGNED=true
fi
if echo "$INSTALL_UBOOT_FILENAME" | grep -q -e "encrypted"; then
ENCRYPTED=true
fi
# remove redirect # remove redirect
uuu fb: ucmd setenv stdout serial uuu fb: ucmd setenv stdout serial
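Review bot: In the last hunk, the signed/encrypted mode is derived by grepping the whole `INSTALL_UBOOT_FILENAME` for a substring, and that value can be supplied with `-u`, so a directory component or a name such as `unsigned` changes how the bootloader is programmed. The visible lines also do not reset `SIGNED`/`ENCRYPTED` first, so a value inherited from the environment would appear to be honoured. I would set `SIGNED=false; ENCRYPTED=false` before the checks and match only the basename, ideally on a delimited token, e.g. `case "${INSTALL_UBOOT_FILENAME##*/}" in *encrypted*) ENCRYPTED=true ;; esac`. A DEK passed with `-k` is now ignored without any message when the filename lacks `encrypted`, and the `-k` usage text still reads `(implies -t)`. The same points apply to the corresponding hunks in the other installer scripts of this commit, including the FIP-based ones that match `Signed`.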


@ -1,7 +1,7 @@
#!/bin/sh #!/bin/sh
#=============================================================================== #===============================================================================
# #
# Copyright (C) 2021-2024 by Digi International Inc. # Copyright (C) 2021-2025 by Digi International Inc.
# All rights reserved. # All rights reserved.
# #
# This program is free software; you can redistribute it and/or modify it # This program is free software; you can redistribute it and/or modify it
@ -42,7 +42,6 @@ show_usage()
echo " -k <dek-filename> Update includes dek file." echo " -k <dek-filename> Update includes dek file."
echo " (implies -t)." echo " (implies -t)."
echo " -n No wait. Skips 10 seconds delay to stop script." echo " -n No wait. Skips 10 seconds delay to stop script."
echo " -t Install TrustFence artifacts."
echo " -u <u-boot-filename> U-Boot filename." echo " -u <u-boot-filename> U-Boot filename."
echo " Auto-determined by variant if not provided." echo " Auto-determined by variant if not provided."
exit 2 exit 2
@ -61,23 +60,27 @@ part_update()
echo "=====================================================================================" echo "====================================================================================="
echo "\033[0m" echo "\033[0m"
if [ "${TRUSTFENCE}" = "true" ] && [ "${1}" = "bootloader" ]; then if [ "${1}" = "bootloader" ]; then
uuu fb: download -f "${2}" if [ "${ENCRYPTED}" = "true" ]; then
if [ -n "${DEK_FILE}" ]; then uuu fb: download -f "${2}"
uuu fb: ucmd setenv uboot_size \${filesize} if [ -n "${DEK_FILE}" ]; then
uuu fb: ucmd setenv fastboot_buffer \${initrd_addr} # Encrypted bootloader + dek
uuu fb: download -f "${3}" uuu fb: ucmd setenv uboot_size \${filesize}
uuu fb: ucmd setenv dek_size \${filesize} uuu fb: ucmd setenv fastboot_buffer \${initrd_addr}
uuu fb: ucmd trustfence update ram \${loadaddr} \${uboot_size} \${initrd_addr} \${dek_size} uuu fb: download -f "${3}"
uuu fb: ucmd setenv dek_size \${filesize}
uuu fb: ucmd trustfence update ram \${loadaddr} \${uboot_size} \${initrd_addr} \${dek_size}
else
# Encrypted bootloader (re-use existing dek)
uuu fb: ucmd trustfence update ram \${fastboot_buffer} \${fastboot_bytes}
fi
else else
uuu fb: ucmd trustfence update ram \${fastboot_buffer} \${fastboot_bytes} # Non-encrypted bootloader (can be signed or not)
uuu fb: flash "${1}" "${2}"
fi fi
else else
if [ "${1}" = "bootloader" ]; then # Non-bootloader image
uuu fb: flash "${1}" "${2}" uuu fb: flash -raw2sparse "${1}" "${2}"
else
uuu fb: flash -raw2sparse "${1}" "${2}"
fi
fi fi
} }
@ -91,7 +94,7 @@ echo "############################################################"
# -i <image-name> # -i <image-name>
# -u <u-boot-filename> # -u <u-boot-filename>
# -k <dek-filename> # -k <dek-filename>
while getopts ':bdhi:k:ntu:' c while getopts ':bdhi:k:nu:' c
do do
if [ "${c}" = ":" ]; then if [ "${c}" = ":" ]; then
c="${OPTARG}" c="${OPTARG}"
@ -105,9 +108,8 @@ do
d) INSTALL_DUALBOOT=true && BOOTCOUNT=true ;; d) INSTALL_DUALBOOT=true && BOOTCOUNT=true ;;
h) show_usage ;; h) show_usage ;;
i) IMAGE_NAME=${OPTARG} ;; i) IMAGE_NAME=${OPTARG} ;;
k) DEK_FILE=${OPTARG} && TRUSTFENCE=true ;; k) DEK_FILE=${OPTARG} ;;
n) NOWAIT=true ;; n) NOWAIT=true ;;
t) TRUSTFENCE=true ;;
u) INSTALL_UBOOT_FILENAME=${OPTARG} ;; u) INSTALL_UBOOT_FILENAME=${OPTARG} ;;
esac esac
done done
@ -180,6 +182,14 @@ if [ -z ${INSTALL_UBOOT_FILENAME} ]; then
fi fi
fi fi
# Determine if bootloader is signed and/or encrypted
if echo "$INSTALL_UBOOT_FILENAME" | grep -q -e "signed"; then
SIGNED=true
fi
if echo "$INSTALL_UBOOT_FILENAME" | grep -q -e "encrypted"; then
ENCRYPTED=true
fi
# remove redirect # remove redirect
uuu fb: ucmd setenv stdout serial uuu fb: ucmd setenv stdout serial


@ -1,7 +1,7 @@
#!/bin/sh #!/bin/sh
#=============================================================================== #===============================================================================
# #
# Copyright (C) 2020-2024 by Digi International Inc. # Copyright (C) 2020-2025 by Digi International Inc.
# All rights reserved. # All rights reserved.
# #
# This program is free software; you can redistribute it and/or modify it # This program is free software; you can redistribute it and/or modify it
@ -42,7 +42,6 @@ show_usage()
echo " -k <dek-filename> Update includes dek file." echo " -k <dek-filename> Update includes dek file."
echo " (implies -t)." echo " (implies -t)."
echo " -n No wait. Skips 10 seconds delay to stop script." echo " -n No wait. Skips 10 seconds delay to stop script."
echo " -t Install TrustFence artifacts."
echo " -u <u-boot-filename> U-Boot filename." echo " -u <u-boot-filename> U-Boot filename."
echo " Auto-determined by variant if not provided." echo " Auto-determined by variant if not provided."
exit 2 exit 2
@ -74,17 +73,20 @@ part_update()
ERASE="-e" ERASE="-e"
fi fi
uuu fb: download -f "${2}" uuu fb: download -f "${2}"
if [ "${TRUSTFENCE}" = "true" ] && [ "${1}" = "uboot" ]; then if [ "${1}" = "bootloader" ] && [ "${ENCRYPTED}" = "true" ]; then
if [ -n "${DEK_FILE}" ]; then if [ -n "${DEK_FILE}" ]; then
# Encrypted bootloader + dek
uuu fb: ucmd setenv uboot_size \${filesize} uuu fb: ucmd setenv uboot_size \${filesize}
uuu fb: ucmd setenv fastboot_buffer \${initrd_addr} uuu fb: ucmd setenv fastboot_buffer \${initrd_addr}
uuu fb: download -f "${4}" uuu fb: download -f "${4}"
uuu fb: ucmd setenv dek_size \${filesize} uuu fb: ucmd setenv dek_size \${filesize}
uuu "fb[-t ${3}]:" ucmd trustfence update ram \${loadaddr} \${uboot_size} \${initrd_addr} \${dek_size} uuu "fb[-t ${3}]:" ucmd trustfence update ram \${loadaddr} \${uboot_size} \${initrd_addr} \${dek_size}
else else
# Encrypted bootloader (re-use existing dek)
uuu "fb[-t ${3}]:" ucmd trustfence update ram \${fastboot_buffer} \${fastboot_bytes} uuu "fb[-t ${3}]:" ucmd trustfence update ram \${fastboot_buffer} \${fastboot_bytes}
fi fi
else else
# Rest of images (including non-encrypted bootloader)
uuu "fb[-t ${3}]:" ucmd update "${1}" ram \${fastboot_buffer} \${fastboot_bytes} ${ERASE} uuu "fb[-t ${3}]:" ucmd update "${1}" ram \${fastboot_buffer} \${fastboot_bytes} ${ERASE}
fi fi
} }
@ -99,7 +101,7 @@ echo "############################################################"
# -i <image-name> # -i <image-name>
# -u <u-boot-filename> # -u <u-boot-filename>
# -k <dek-filename> # -k <dek-filename>
while getopts ':bdhi:k:ntu:' c while getopts ':bdhi:k:nu:' c
do do
if [ "${c}" = ":" ]; then if [ "${c}" = ":" ]; then
c="${OPTARG}" c="${OPTARG}"
@ -113,9 +115,8 @@ do
d) INSTALL_DUALBOOT=true && BOOTCOUNT=true ;; d) INSTALL_DUALBOOT=true && BOOTCOUNT=true ;;
h) show_usage ;; h) show_usage ;;
i) IMAGE_NAME=${OPTARG} ;; i) IMAGE_NAME=${OPTARG} ;;
k) DEK_FILE=${OPTARG} && TRUSTFENCE=true ;; k) DEK_FILE=${OPTARG} ;;
n) NOWAIT=true ;; n) NOWAIT=true ;;
t) TRUSTFENCE=true ;;
u) INSTALL_UBOOT_FILENAME=${OPTARG} ;; u) INSTALL_UBOOT_FILENAME=${OPTARG} ;;
esac esac
done done
@ -184,6 +185,14 @@ if [ -z "${INSTALL_UBOOT_FILENAME}" ]; then
fi fi
fi fi
# Determine if bootloader is signed and/or encrypted
if echo "$INSTALL_UBOOT_FILENAME" | grep -q -e "signed"; then
SIGNED=true
fi
if echo "$INSTALL_UBOOT_FILENAME" | grep -q -e "encrypted"; then
ENCRYPTED=true
fi
# remove redirect # remove redirect
uuu fb: ucmd setenv stdout serial uuu fb: ucmd setenv stdout serial
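Review bot: The encrypted branch of `part_update` now tests `[ "${1}" = "bootloader" ]` where it previously tested `"uboot"`, while the fallback still passes `${1}` to `ucmd update`. The callers are outside this hunk, so if this script still invokes `part_update "uboot" ...`, an encrypted image would fall through to the plain `update` path instead of `trustfence update`. Please confirm the partition name the callers use, or accept both: `if { [ "${1}" = "bootloader" ] || [ "${1}" = "uboot" ]; } && [ "${ENCRYPTED}" = "true" ]; then`. `SIGNED` is assigned in the last hunk but not read in any visible line of this file.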


@ -1,7 +1,7 @@
#!/bin/sh #!/bin/sh
#=============================================================================== #===============================================================================
# #
# Copyright (C) 2020-2024 by Digi International Inc. # Copyright (C) 2020-2025 by Digi International Inc.
# All rights reserved. # All rights reserved.
# #
# This program is free software; you can redistribute it and/or modify it # This program is free software; you can redistribute it and/or modify it
@ -42,7 +42,6 @@ show_usage()
echo " -k <dek-filename> Update includes dek file." echo " -k <dek-filename> Update includes dek file."
echo " (implies -t)." echo " (implies -t)."
echo " -n No wait. Skips 10 seconds delay to stop script." echo " -n No wait. Skips 10 seconds delay to stop script."
echo " -t Install TrustFence artifacts."
echo " -u <u-boot-filename> U-Boot filename." echo " -u <u-boot-filename> U-Boot filename."
echo " Auto-determined by variant if not provided." echo " Auto-determined by variant if not provided."
exit 2 exit 2
@ -61,23 +60,27 @@ part_update()
echo "=====================================================================================" echo "====================================================================================="
echo "\033[0m" echo "\033[0m"
if [ "${TRUSTFENCE}" = "true" ] && [ "${1}" = "bootloader" ]; then if [ "${1}" = "bootloader" ]; then
uuu fb: download -f "${2}" if [ "${ENCRYPTED}" = "true" ]; then
if [ -n "${DEK_FILE}" ]; then uuu fb: download -f "${2}"
uuu fb: ucmd setenv uboot_size \${filesize} if [ -n "${DEK_FILE}" ]; then
uuu fb: ucmd setenv fastboot_buffer \${initrd_addr} # Encrypted bootloader + dek
uuu fb: download -f "${3}" uuu fb: ucmd setenv uboot_size \${filesize}
uuu fb: ucmd setenv dek_size \${filesize} uuu fb: ucmd setenv fastboot_buffer \${initrd_addr}
uuu fb: ucmd trustfence update ram \${loadaddr} \${uboot_size} \${initrd_addr} \${dek_size} uuu fb: download -f "${3}"
uuu fb: ucmd setenv dek_size \${filesize}
uuu fb: ucmd trustfence update ram \${loadaddr} \${uboot_size} \${initrd_addr} \${dek_size}
else
# Encrypted bootloader (re-use existing dek)
uuu fb: ucmd trustfence update ram \${fastboot_buffer} \${fastboot_bytes}
fi
else else
uuu fb: ucmd trustfence update ram \${fastboot_buffer} \${fastboot_bytes} # Non-encrypted bootloader (can be signed or not)
uuu fb: flash "${1}" "${2}"
fi fi
else else
if [ "${1}" = "bootloader" ]; then # Non-bootloader image
uuu fb: flash "${1}" "${2}" uuu fb: flash -raw2sparse "${1}" "${2}"
else
uuu fb: flash -raw2sparse "${1}" "${2}"
fi
fi fi
} }
@ -91,7 +94,7 @@ echo "############################################################"
# -i <image-name> # -i <image-name>
# -u <u-boot-filename> # -u <u-boot-filename>
# -k <dek-filename> # -k <dek-filename>
while getopts ':bdhi:k:ntu:' c while getopts ':bdhi:k:nu:' c
do do
if [ "${c}" = ":" ]; then if [ "${c}" = ":" ]; then
c="${OPTARG}" c="${OPTARG}"
@ -105,9 +108,8 @@ do
d) INSTALL_DUALBOOT=true && BOOTCOUNT=true ;; d) INSTALL_DUALBOOT=true && BOOTCOUNT=true ;;
h) show_usage ;; h) show_usage ;;
i) IMAGE_NAME=${OPTARG} ;; i) IMAGE_NAME=${OPTARG} ;;
k) DEK_FILE=${OPTARG} && TRUSTFENCE=true ;; k) DEK_FILE=${OPTARG} ;;
n) NOWAIT=true ;; n) NOWAIT=true ;;
t) TRUSTFENCE=true ;;
u) INSTALL_UBOOT_FILENAME=${OPTARG} ;; u) INSTALL_UBOOT_FILENAME=${OPTARG} ;;
esac esac
done done
@ -132,6 +134,14 @@ if [ -z "${INSTALL_UBOOT_FILENAME}" ]; then
INSTALL_UBOOT_FILENAME="imx-boot-##SIGNED##-##MACHINE##.bin" INSTALL_UBOOT_FILENAME="imx-boot-##SIGNED##-##MACHINE##.bin"
fi fi
# Determine if bootloader is signed and/or encrypted
if echo "$INSTALL_UBOOT_FILENAME" | grep -q -e "signed"; then
SIGNED=true
fi
if echo "$INSTALL_UBOOT_FILENAME" | grep -q -e "encrypted"; then
ENCRYPTED=true
fi
# Determine linux, recovery, and rootfs image filenames to update # Determine linux, recovery, and rootfs image filenames to update
if [ -z "${IMAGE_NAME}" ]; then if [ -z "${IMAGE_NAME}" ]; then
IMAGE_NAME="##DEFAULT_IMAGE_NAME##" IMAGE_NAME="##DEFAULT_IMAGE_NAME##"


@ -1,7 +1,7 @@
#!/bin/sh #!/bin/sh
#=============================================================================== #===============================================================================
# #
# Copyright (C) 2020-2024 by Digi International Inc. # Copyright (C) 2020-2025 by Digi International Inc.
# All rights reserved. # All rights reserved.
# #
# This program is free software; you can redistribute it and/or modify it # This program is free software; you can redistribute it and/or modify it
@ -42,7 +42,6 @@ show_usage()
echo " -k <dek-filename> Update includes dek file." echo " -k <dek-filename> Update includes dek file."
echo " (implies -t)." echo " (implies -t)."
echo " -n No wait. Skips 10 seconds delay to stop script." echo " -n No wait. Skips 10 seconds delay to stop script."
echo " -t Install TrustFence artifacts."
echo " -u <u-boot-filename> U-Boot filename." echo " -u <u-boot-filename> U-Boot filename."
echo " Auto-determined by variant if not provided." echo " Auto-determined by variant if not provided."
exit 2 exit 2
@ -61,23 +60,27 @@ part_update()
echo "=====================================================================================" echo "====================================================================================="
echo "\033[0m" echo "\033[0m"
if [ "${TRUSTFENCE}" = "true" ] && [ "${1}" = "bootloader" ]; then if [ "${1}" = "bootloader" ]; then
uuu fb: download -f "${2}" if [ "${ENCRYPTED}" = "true" ]; then
if [ -n "${DEK_FILE}" ]; then uuu fb: download -f "${2}"
uuu fb: ucmd setenv uboot_size \${filesize} if [ -n "${DEK_FILE}" ]; then
uuu fb: ucmd setenv fastboot_buffer \${initrd_addr} # Encrypted bootloader + dek
uuu fb: download -f "${3}" uuu fb: ucmd setenv uboot_size \${filesize}
uuu fb: ucmd setenv dek_size \${filesize} uuu fb: ucmd setenv fastboot_buffer \${initrd_addr}
uuu fb: ucmd trustfence update ram \${loadaddr} \${uboot_size} \${initrd_addr} \${dek_size} uuu fb: download -f "${3}"
uuu fb: ucmd setenv dek_size \${filesize}
uuu fb: ucmd trustfence update ram \${loadaddr} \${uboot_size} \${initrd_addr} \${dek_size}
else
# Encrypted bootloader (re-use existing dek)
uuu fb: ucmd trustfence update ram \${fastboot_buffer} \${fastboot_bytes}
fi
else else
uuu fb: ucmd trustfence update ram \${fastboot_buffer} \${fastboot_bytes} # Non-encrypted bootloader (can be signed or not)
uuu fb: flash "${1}" "${2}"
fi fi
else else
if [ "${1}" = "bootloader" ]; then # Non-bootloader image
uuu fb: flash "${1}" "${2}" uuu fb: flash -raw2sparse "${1}" "${2}"
else
uuu fb: flash -raw2sparse "${1}" "${2}"
fi
fi fi
} }
@ -91,7 +94,7 @@ echo "############################################################"
# -i <image-name> # -i <image-name>
# -u <u-boot-filename> # -u <u-boot-filename>
# -k <dek-filename> # -k <dek-filename>
while getopts ':bdhi:k:ntu:' c while getopts ':bdhi:k:nu:' c
do do
if [ "${c}" = ":" ]; then if [ "${c}" = ":" ]; then
c="${OPTARG}" c="${OPTARG}"
@ -105,9 +108,8 @@ do
d) INSTALL_DUALBOOT=true && BOOTCOUNT=true ;; d) INSTALL_DUALBOOT=true && BOOTCOUNT=true ;;
h) show_usage ;; h) show_usage ;;
i) IMAGE_NAME=${OPTARG} ;; i) IMAGE_NAME=${OPTARG} ;;
k) DEK_FILE=${OPTARG} && TRUSTFENCE=true ;; k) DEK_FILE=${OPTARG} ;;
n) NOWAIT=true ;; n) NOWAIT=true ;;
t) TRUSTFENCE=true ;;
u) INSTALL_UBOOT_FILENAME=${OPTARG} ;; u) INSTALL_UBOOT_FILENAME=${OPTARG} ;;
esac esac
done done
@ -136,6 +138,14 @@ if [ -z ${INSTALL_UBOOT_FILENAME} ]; then
INSTALL_UBOOT_FILENAME="imx-boot-##SIGNED##-##MACHINE##-${soc_rev}.bin" INSTALL_UBOOT_FILENAME="imx-boot-##SIGNED##-##MACHINE##-${soc_rev}.bin"
fi fi
# Determine if bootloader is signed and/or encrypted
if echo "$INSTALL_UBOOT_FILENAME" | grep -q -e "signed"; then
SIGNED=true
fi
if echo "$INSTALL_UBOOT_FILENAME" | grep -q -e "encrypted"; then
ENCRYPTED=true
fi
# remove redirect # remove redirect
uuu fb: ucmd setenv stdout serial uuu fb: ucmd setenv stdout serial


@ -1,7 +1,7 @@
#!/bin/sh #!/bin/sh
#=============================================================================== #===============================================================================
# #
# Copyright (C) 2020-2024 by Digi International Inc. # Copyright (C) 2020-2025 by Digi International Inc.
# All rights reserved. # All rights reserved.
# #
# This program is free software; you can redistribute it and/or modify it # This program is free software; you can redistribute it and/or modify it
@ -43,7 +43,6 @@ show_usage()
echo " (implies -t)." echo " (implies -t)."
echo " -n No wait. Skips 10 seconds delay to stop script." echo " -n No wait. Skips 10 seconds delay to stop script."
echo " -u <u-boot-filename> U-Boot filename." echo " -u <u-boot-filename> U-Boot filename."
echo " -t Install TrustFence artifacts."
echo " Auto-determined by variant if not provided." echo " Auto-determined by variant if not provided."
echo " -U Update redundant bootloader partition." echo " -U Update redundant bootloader partition."
@ -63,23 +62,27 @@ part_update()
echo "=====================================================================================" echo "====================================================================================="
echo "\033[0m" echo "\033[0m"
if [ "${TRUSTFENCE}" = "true" ] && [ "${1}" = "bootloader" ]; then if [ "${1}" = "bootloader" ] || [ "${1}" = "bootloader_redundant" ]; then
uuu fb: download -f "${2}" if [ "${ENCRYPTED}" = "true" ]; then
if [ -n "${DEK_FILE}" ]; then uuu fb: download -f "${2}"
uuu fb: ucmd setenv uboot_size \${filesize} if [ -n "${DEK_FILE}" ]; then
uuu fb: ucmd setenv fastboot_buffer \${initrd_addr} # Encrypted bootloader + dek
uuu fb: download -f "${3}" uuu fb: ucmd setenv uboot_size \${filesize}
uuu fb: ucmd setenv dek_size \${filesize} uuu fb: ucmd setenv fastboot_buffer \${initrd_addr}
uuu fb: ucmd trustfence update ram \${loadaddr} \${uboot_size} \${initrd_addr} \${dek_size} uuu fb: download -f "${3}"
uuu fb: ucmd setenv dek_size \${filesize}
uuu fb: ucmd trustfence update ram \${loadaddr} \${uboot_size} \${initrd_addr} \${dek_size}
else
# Encrypted bootloader (re-use existing dek)
uuu fb: ucmd trustfence update ram \${fastboot_buffer} \${fastboot_bytes}
fi
else else
uuu fb: ucmd trustfence update ram \${fastboot_buffer} \${fastboot_bytes} # Non-encrypted bootloader (can be signed or not)
uuu fb: flash "${1}" "${2}"
fi fi
else else
if [ "${1}" = "bootloader" ] || [ "${1}" = "bootloader_redundant" ]; then # Non-bootloader image
uuu fb: flash "${1}" "${2}" uuu fb: flash -raw2sparse "${1}" "${2}"
else
uuu fb: flash -raw2sparse "${1}" "${2}"
fi
fi fi
} }
@ -93,7 +96,7 @@ echo "############################################################"
# -i <image-name> # -i <image-name>
# -u <u-boot-filename> # -u <u-boot-filename>
# -k <dek-filename> # -k <dek-filename>
while getopts ':bdhti:nu:Uk:' c while getopts ':bdhi:nu:Uk:' c
do do
if [ "${c}" = ":" ]; then if [ "${c}" = ":" ]; then
c="${OPTARG}" c="${OPTARG}"
@ -107,10 +110,9 @@ do
d) INSTALL_DUALBOOT=true && BOOTCOUNT=true ;; d) INSTALL_DUALBOOT=true && BOOTCOUNT=true ;;
h) show_usage ;; h) show_usage ;;
i) IMAGE_NAME=${OPTARG} ;; i) IMAGE_NAME=${OPTARG} ;;
k) DEK_FILE=${OPTARG} && TRUSTFENCE=true ;; k) DEK_FILE=${OPTARG} ;;
n) NOWAIT=true ;; n) NOWAIT=true ;;
u) INSTALL_UBOOT_FILENAME=${OPTARG} ;; u) INSTALL_UBOOT_FILENAME=${OPTARG} ;;
t) TRUSTFENCE=true ;;
U) INSTALL_REDUNDANT_UBOOT=true ;; U) INSTALL_REDUNDANT_UBOOT=true ;;
esac esac
done done
@ -145,6 +147,14 @@ if [ -z "${INSTALL_UBOOT_FILENAME}" ]; then
INSTALL_UBOOT_FILENAME="imx-boot-##SIGNED##-##MACHINE##${SOCREV}.bin" INSTALL_UBOOT_FILENAME="imx-boot-##SIGNED##-##MACHINE##${SOCREV}.bin"
fi fi
# Determine if bootloader is signed and/or encrypted
if echo "$INSTALL_UBOOT_FILENAME" | grep -q -e "signed"; then
SIGNED=true
fi
if echo "$INSTALL_UBOOT_FILENAME" | grep -q -e "encrypted"; then
ENCRYPTED=true
fi
# remove redirect # remove redirect
uuu fb: ucmd setenv stdout serial uuu fb: ucmd setenv stdout serial
@ -344,7 +354,7 @@ if [ -f ${COMPRESSED_ROOTFS_IMAGE} ] && [ -f ${INSTALL_ROOTFS_FILENAME} ]; then
rm -f "${INSTALL_ROOTFS_FILENAME}" rm -f "${INSTALL_ROOTFS_FILENAME}"
fi fi
# Set the dboot_kernel_var to fitimage if Trustfence is enabled # Set the dboot_kernel_var to fitimage if Trustfence is enabled
if [ "${TRUSTFENCE}" = "true" ] || echo "$INSTALL_UBOOT_FILENAME" | grep -q -e "signed" -e "encrypted"; then if [ "${SIGNED}" = "true" || "${ENCRYPTED}" = "true" ]; then
uuu fb: ucmd setenv dboot_kernel_var fitimage uuu fb: ucmd setenv dboot_kernel_var fitimage
fi fi
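Review bot: The new condition `[ "${SIGNED}" = "true" || "${ENCRYPTED}" = "true" ]` in the last hunk is not valid for `test` under `#!/bin/sh`: the shell splits it at `||`, so `[` fails with a missing `]` and the right-hand side is executed as a command. With a signed-only bootloader (`ENCRYPTED` unset) the condition is false and `dboot_kernel_var` is not set to `fitimage`, a case the old grep for `signed` did handle. Use two tests: `if [ "${SIGNED}" = "true" ] || [ "${ENCRYPTED}" = "true" ]; then`.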


@ -50,7 +50,6 @@ show_usage()
echo " 'dey-image-webkit', 'core-image-base'..." echo " 'dey-image-webkit', 'core-image-base'..."
echo " Defaults to '##DEFAULT_IMAGE_NAME##' if not provided." echo " Defaults to '##DEFAULT_IMAGE_NAME##' if not provided."
echo " -n No wait. Skips 10 seconds delay to stop script." echo " -n No wait. Skips 10 seconds delay to stop script."
echo " -t Install TrustFence artifacts."
exit 2 exit 2
} }
@ -84,7 +83,7 @@ echo "############################################################"
# -b, -d, -n (booleans) # -b, -d, -n (booleans)
# -f <fip-filename> # -f <fip-filename>
# -i <image-name> # -i <image-name>
while getopts 'a:bdf:hi:nt' c while getopts 'a:bdf:hi:n' c
do do
case $c in case $c in
a) INSTALL_ATF_FILENAME=${OPTARG} ;; a) INSTALL_ATF_FILENAME=${OPTARG} ;;
@ -94,7 +93,6 @@ do
h) show_usage ;; h) show_usage ;;
i) IMAGE_NAME=${OPTARG} ;; i) IMAGE_NAME=${OPTARG} ;;
n) NOWAIT=true ;; n) NOWAIT=true ;;
t) TRUSTFENCE=true ;;
esac esac
done done
@ -137,6 +135,11 @@ if [ -z "${INSTALL_FIP_FILENAME}" ]; then
INSTALL_FIP_FILENAME="fip-##MACHINE##-${module_ram}-##BOOTSCHEME_DEFAULT##-nand##SIGNED##.bin" INSTALL_FIP_FILENAME="fip-##MACHINE##-${module_ram}-##BOOTSCHEME_DEFAULT##-nand##SIGNED##.bin"
fi fi
# Determine if boot artifacts are signed
if echo "$INSTALL_FIP_FILENAME" | grep -q -e "Signed"; then
SIGNED=true
fi
# Determine linux, recovery, and rootfs image filenames to update # Determine linux, recovery, and rootfs image filenames to update
if [ -z "${IMAGE_NAME}" ]; then if [ -z "${IMAGE_NAME}" ]; then
IMAGE_NAME="##DEFAULT_IMAGE_NAME##" IMAGE_NAME="##DEFAULT_IMAGE_NAME##"
@ -320,7 +323,7 @@ else
fi fi
# Set the dboot_kernel_var to fitimage if Trustfence is enabled # Set the dboot_kernel_var to fitimage if Trustfence is enabled
if [ "${TRUSTFENCE}" = "true" ] || echo "${INSTALL_FIP_FILENAME}" | grep -q -e "Signed"; then if [ "${SIGNED}" = "true" ]; then
uuu fb: ucmd setenv dboot_kernel_var fitimage uuu fb: ucmd setenv dboot_kernel_var fitimage
uuu fb: ucmd saveenv uuu fb: ucmd saveenv
fi fi


@ -1,7 +1,7 @@
#!/bin/sh #!/bin/sh
#=============================================================================== #===============================================================================
# #
# Copyright (C) 2024 by Digi International Inc. # Copyright (C) 2024, 2025 by Digi International Inc.
# All rights reserved. # All rights reserved.
# #
# This program is free software; you can redistribute it and/or modify it # This program is free software; you can redistribute it and/or modify it
@ -44,7 +44,6 @@ show_usage()
echo " 'dey-image-webkit', 'core-image-base'..." echo " 'dey-image-webkit', 'core-image-base'..."
echo " Defaults to '##DEFAULT_IMAGE_NAME##' if not provided." echo " Defaults to '##DEFAULT_IMAGE_NAME##' if not provided."
echo " -n No wait. Skips 10 seconds delay to stop script." echo " -n No wait. Skips 10 seconds delay to stop script."
echo " -t Install TrustFence artifacts."
exit 2 exit 2
} }
@ -80,7 +79,7 @@ echo "############################################################"
# -b, -d, -n (booleans) # -b, -d, -n (booleans)
# -f <fip-filename> # -f <fip-filename>
# -i <image-name> # -i <image-name>
while getopts 'a:bdf:hi:nt' c while getopts 'a:bdf:hi:n' c
do do
case $c in case $c in
a) INSTALL_ATF_FILENAME=${OPTARG} ;; a) INSTALL_ATF_FILENAME=${OPTARG} ;;
@ -90,7 +89,6 @@ do
h) show_usage ;; h) show_usage ;;
i) IMAGE_NAME=${OPTARG} ;; i) IMAGE_NAME=${OPTARG} ;;
n) NOWAIT=true ;; n) NOWAIT=true ;;
t) TRUSTFENCE=true ;;
esac esac
done done
@ -117,6 +115,11 @@ if [ -z "${INSTALL_FIP_FILENAME}" ]; then
INSTALL_FIP_FILENAME="fip-##MACHINE##-optee-emmc##SIGNED##.bin" INSTALL_FIP_FILENAME="fip-##MACHINE##-optee-emmc##SIGNED##.bin"
fi fi
# Determine if boot artifacts are signed
if echo "$INSTALL_FIP_FILENAME" | grep -q -e "Signed"; then
SIGNED=true
fi
# remove redirect # remove redirect
uuu fb: ucmd setenv stdout serial uuu fb: ucmd setenv stdout serial
@ -306,7 +309,7 @@ else
fi fi
# Set the dboot_kernel_var to fitimage if Trustfence is enabled # Set the dboot_kernel_var to fitimage if Trustfence is enabled
if [ "${TRUSTFENCE}" = "true" ] || echo "${INSTALL_FIP_FILENAME}" | grep -q -e "Signed"; then if [ "${SIGNED}" = "true" ]; then
uuu fb: ucmd setenv dboot_kernel_var fitimage uuu fb: ucmd setenv dboot_kernel_var fitimage
uuu fb: ucmd saveenv uuu fb: ucmd saveenv
fi fi