Digi
/
meta-digi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

swupdate: add support to update U-Boot to boot1 partition in mmc devices 

While on it, enable support to update encrypted U-Boot for all mmc platforms
supporting it. The install script extracts the DEK blob from the installed
U-Boot and appends it to the new U-Boot before flashing it.

Signed-off-by: David Escalona <david.escalona@digi.com>
This commit is contained in:
David Escalona 2023-12-11 09:46:27 +01:00
parent 76e2672b22
commit 10b22aea64
2 changed files with 246 additions and 181 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
meta-digi-dey/classes/dey-swupdate-common.bbclass
View File

@ -1,4 +1,4 @@
# Copyright (C) 2023 Digi International. # Copyright (C) 2023-2024 Digi International.
# #
####################################### #######################################
@ -90,14 +90,26 @@ SWUPDATE_IS_IMAGES_UPDATE = "${@update_based_on_images(d)}"
SWUPDATE_UBOOT_SCRIPT = "${@oe.utils.conditional('STORAGE_MEDIA', 'mmc', 'swupdate_uboot_mmc.sh', 'swupdate_uboot_nand.sh', d)}" SWUPDATE_UBOOT_SCRIPT = "${@oe.utils.conditional('STORAGE_MEDIA', 'mmc', 'swupdate_uboot_mmc.sh', 'swupdate_uboot_nand.sh', d)}"
SWUPDATE_UBOOT_SCRIPT_NAME = "${@os.path.basename(d.getVar('SWUPDATE_UBOOT_SCRIPT'))}" SWUPDATE_UBOOT_SCRIPT_NAME = "${@os.path.basename(d.getVar('SWUPDATE_UBOOT_SCRIPT'))}"
SWUPDATE_UBOOT_PREFIX ?= "${UBOOT_PREFIX}" # Retrieve the correct U-Boot prefix.
SWUPDATE_UBOOT_PREFIX:ccmp1 ?= "fip" def get_uboot_prefix(d):
prefix = d.getVar('UBOOT_PREFIX')
if d.getVar('DEY_SOC_VENDOR') == "NXP" and d.getVar('TRUSTFENCE_SIGN') == "1":
if "ccimx6" in d.getVar('MACHINE'):
prefix = f"{prefix}-dtb"
if d.getVar('TRUSTFENCE_DEK_PATH') and d.getVar('TRUSTFENCE_DEK_PATH') != "0":
prefix = f"{prefix}-encrypted"
else:
prefix = f"{prefix}-signed"
return prefix
SWUPDATE_UBOOT_PREFIX ?= "${@get_uboot_prefix(d)}"
SWUPDATE_UBOOT_PREFIX_TFA ?= "tf-a" SWUPDATE_UBOOT_PREFIX_TFA ?= "tf-a"
SWUPDATE_UBOOT_EXT ?= ".${UBOOT_SUFFIX}" SWUPDATE_UBOOT_EXT ?= ".${UBOOT_SUFFIX}"
SWUPDATE_UBOOT_EXT_TFA ?= ".stm32" SWUPDATE_UBOOT_EXT_TFA ?= ".stm32"
SWUPDATE_UBOOT_NAME ?= "${SWUPDATE_UBOOT_PREFIX}-${MACHINE}${SWUPDATE_UBOOT_EXT}" SWUPDATE_UBOOT_NAME ?= "${SWUPDATE_UBOOT_PREFIX}-${MACHINE}${SWUPDATE_UBOOT_EXT}"
SWUPDATE_UBOOT_NAME:ccimx6sbc ?= "${SWUPDATE_UBOOT_PREFIX}-ccimx6qsbc${SWUPDATE_UBOOT_EXT}"
SWUPDATE_UBOOT_NAME:ccmp1 ?= "${SWUPDATE_UBOOT_PREFIX}-${MACHINE}-optee${FIP_SIGN_SUFFIX}${SWUPDATE_UBOOT_EXT}" SWUPDATE_UBOOT_NAME:ccmp1 ?= "${SWUPDATE_UBOOT_PREFIX}-${MACHINE}-optee${FIP_SIGN_SUFFIX}${SWUPDATE_UBOOT_EXT}"
SWUPDATE_UBOOT_NAME_TFA ?= "" SWUPDATE_UBOOT_NAME_TFA ?= ""
SWUPDATE_UBOOT_NAME_TFA:ccmp1 ?= "${SWUPDATE_UBOOT_PREFIX_TFA}-${MACHINE}-nand${SWUPDATE_UBOOT_EXT_TFA}${TFA_SIGN_SUFFIX}" SWUPDATE_UBOOT_NAME_TFA:ccmp1 ?= "${SWUPDATE_UBOOT_PREFIX_TFA}-${MACHINE}-nand${SWUPDATE_UBOOT_EXT_TFA}${TFA_SIGN_SUFFIX}"

409
meta-digi-dey/recipes-digi/swu-images/files/swupdate_uboot_mmc.sh
View File

@ -1,7 +1,7 @@
#!/bin/sh #!/bin/sh
#=============================================================================== #===============================================================================
# #
# Copyright (C) 2022 by Digi International Inc. # Copyright (C) 2022-2024 by Digi International Inc.
# All rights reserved. # All rights reserved.
# #
# This program is free software; you can redistribute it and/or modify it # This program is free software; you can redistribute it and/or modify it
@ -13,199 +13,252 @@
# Script will be called by swupdate to install a new u-boot within linux. # Script will be called by swupdate to install a new u-boot within linux.
#=============================================================================== #===============================================================================
UBOOT_FILE="$1" UBOOT_NAME="$1"
UBOOT_ENC="$2" UBOOT_ENC="$2"
uboot_seek_kb="$3" UBOOT_SEEK_KB="$3"
UBOOT_FILE="/tmp/${UBOOT_NAME}"
UBOOT_BLOCK_MAIN="mmcblk0boot0"
UBOOT_MMC_DEV_MAIN="/dev/${UBOOT_BLOCK_MAIN}"
UBOOT_MMC_DUMP="/tmp/u-boot-dump.hex"
UBOOT_ENCRYPTED_DEK="/tmp/u-boot-encrypted-with-dek.imx"
echo "**** Start U-Boot update process *****" DEK_FILE="/tmp/dek.bin"
DEK_KEY_SIZE="32"
DEK_BLOB_SIZE="$((DEK_KEY_SIZE + 56))" # DEK blob has an overhead of 56 bytes: header (8 bytes) + random AES-256 key (32 bytes)+ MAC (16 bytes).
DEK_BLOB_HEADER_CCIMX6="8100584"
DEK_BLOB_HEADER_CCIMX8M="8100484"
DEK_BLOB_HEADER_CCIMX8X="00580081"
PLATFORM="$(cat /proc/device-tree/digi,machine,name)" PLATFORM="$(tr -d '\0' </proc/device-tree/digi,machine,name)"
UBOOT_MMC_DEV="/dev/mmcblk0boot0" if expr "${PLATFORM}" : "ccimx8m.*" >/dev/null; then
# CCIMX8M platforms have a hardcoded DEK blob size of 96 bytes.
DEK_BLOB_SIZE="96"
fi
if expr "${PLATFORM}" : "ccimx8x.*" >/dev/null; then
# The U-Boot seek variable depends on the hardware variant of the i.MX8X module.
SOC_REV="$(fw_printenv -n soc_rev)"
if [ -n "${SOC_REV}" ]; then
case "${SOC_REV}" in
A0)
UBOOT_SEEK_KB="33"
;;
B0)
UBOOT_SEEK_KB="32"
;;
*)
UBOOT_SEEK_KB="0"
;;
esac
fi
fi
dump_dek () clean_artifacts ()
{ {
OUTPUT_FILE="/tmp/dek.bin" rm -f "${DEK_FILE}" "${UBOOT_MMC_DUMP}" "${UBOOT_ENCRYPTED_DEK}"
KEY_SIZE_BYTES="32" }
ENCRYPTED_UBOOT_DEK="u-boot-encrypted-with-dek.imx"
UBOOT_MMC_DUMP="/tmp/u-boot-dump.hex"
# ConnectCore 8X exit_error ()
if [ "${PLATFORM}" = "ccimx8x-sbc-pro" ] || [ "${PLATFORM}" = "ccimx8x-sbc-express" ]; then {
AHAB_AUTH_CONTAINER_TAG="87" local ERROR_MESSAGE="$1"
AHAB_AUTH_SIG_BLOCK_TAG="90" local ERROR_CODE="$2"
AHAB_AUTH_BLOB_TAG="00 58 00 81"
AHAB_VERSION="00"
CONT_HEADER_OFFSET="0x400"
dd if=${UBOOT_MMC_DEV} of=${UBOOT_MMC_DUMP} count=100 bs=1K skip=${uboot_seek_kb} 2>/dev/null echo "${ERROR_MESSAGE}"
auth_container_tag=$(hexdump -C "${UBOOT_MMC_DUMP}" | grep -m 1 "${AHAB_AUTH_CONTAINER_TAG}" | awk '{print $2 $5}') clean_artifacts
echo "auth_container_tag ${auth_container_tag}" [ -z "${ERROR_CODE}" ] && exit 1 || exit "${ERROR_CODE}"
if [ "${auth_container_tag}" = "${AHAB_VERSION}${AHAB_AUTH_CONTAINER_TAG}" ]; then }
sig_block_offset="0x$(hexdump -C "${UBOOT_MMC_DUMP}" | grep -m 1 "${AHAB_AUTH_CONTAINER_TAG}" | awk '{print $13 $14}')"
echo " ++++ signature block offset ${sig_block_offset} "
nd_sig_block="$((CONT_HEADER_OFFSET + sig_block_offset))" dump_dek_ccimx8x ()
printf '++++ header offset 0x%x\n' ${nd_sig_block} {
auth_sig_block_tag=$(hexdump -C -s "${nd_sig_block}" "${UBOOT_MMC_DUMP}" | grep -m 1 "${AHAB_AUTH_SIG_BLOCK_TAG}" | awk '{print $2 $5}') local AHAB_AUTH_CONTAINER_TAG="87"
echo "auth_sig_block_tag ${auth_sig_block_tag}" local AHAB_AUTH_SIG_BLOCK_TAG="90"
if [ "${auth_sig_block_tag}" = "${AHAB_VERSION}${AHAB_AUTH_SIG_BLOCK_TAG}" ]; then local AHAB_VERSION="00"
blob_offset="0x$(hexdump -C -s "${nd_sig_block}" "${UBOOT_MMC_DUMP}" -n 16 | awk '{print $13 $12}')" local CONT_HEADER_OFFSET="0x400"
printf " ++++ blob offset 0x%x\n" ${blob_offset}
dek_blob="$((nd_sig_block + blob_offset))"
printf " ++++ dek_blob offset 0x%x\n" ${dek_blob}
# DEK blobs have an overhead of 56 bytes. # Dump U-Boot first 100Kb to file. The second AHAB container, which contains the DEK blob is there.
dek_blob_size=$((KEY_SIZE_BYTES + 56)) dd if="${UBOOT_MMC_DEV_MAIN}" of="${UBOOT_MMC_DUMP}" count=100 bs=1K skip="${UBOOT_SEEK_KB}" 2>/dev/null
# Look for second AHAB authentication container. Second Container Header is set with a 1KB padding (0x400)
# Dump dek blob into to a file local AUTH_CONTAINER_TAG="$(hexdump -C "${UBOOT_MMC_DUMP}" -s "${CONT_HEADER_OFFSET}" | grep -m 1 "${AHAB_AUTH_CONTAINER_TAG}" | awk '{print $2 $5}')"
dd of=${OUTPUT_FILE} if=${UBOOT_MMC_DUMP} count=${dek_blob_size} bs=1 skip=${dek_blob} 2>/dev/null if [ "${AUTH_CONTAINER_TAG}" = "${AHAB_VERSION}${AHAB_AUTH_CONTAINER_TAG}" ]; then
rc=$? # Determine second signature block relative and final offset.
if [ $rc -ne 0 ]; then local SECOND_SIG_BLOCK_OFFSET="0x$(hexdump -C -s "${CONT_HEADER_OFFSET}" "${UBOOT_MMC_DUMP}" | grep -m 1 "${AHAB_AUTH_CONTAINER_TAG}" | awk '{print $15 $14}')"
echo "DEK dump to the output file failed." local SECOND_SIG_BLOCK="$((CONT_HEADER_OFFSET + SECOND_SIG_BLOCK_OFFSET))"
return $rc # Validate second signature block.
fi local AUTH_SIG_BLOCK_TAG="$(hexdump -C -s "${SECOND_SIG_BLOCK}" "${UBOOT_MMC_DUMP}" | grep -m 1 "${AHAB_AUTH_SIG_BLOCK_TAG}" | awk '{print $2 $5}')"
echo "dump_dek: output file has been created." if [ "${AUTH_SIG_BLOCK_TAG}" = "${AHAB_VERSION}${AHAB_AUTH_SIG_BLOCK_TAG}" ]; then
# Validate DEK blob # Determine DEK blob relative and final offset.
if [ -z "$(dd if=${OUTPUT_FILE} bs=1 count=4 2>/dev/null | hexdump -C | grep "${AHAB_AUTH_BLOB_TAG}")" ]; then local DEK_BLOB_RELATIVE_OFFSET="0x$(hexdump -C -s "${SECOND_SIG_BLOCK}" "${UBOOT_MMC_DUMP}" | grep -m 1 "${AHAB_AUTH_SIG_BLOCK_TAG}" | awk '{print $13 $12}')"
echo "Could not find DEK blob" DEK_AHAB_OFFSET="$((SECOND_SIG_BLOCK + DEK_BLOB_RELATIVE_OFFSET))"
rm -rf ${OUTPUT_FILE} # Dump DEK blob into to a file.
return 1 dd if="${UBOOT_MMC_DUMP}" of="${DEK_FILE}" count="${DEK_BLOB_SIZE}" bs=1 skip="${DEK_AHAB_OFFSET}" 2>/dev/null
fi local rc=$?
echo "DEK blob correctly dumped" if [ "${rc}" -ne 0 ]; then
else exit_error "## ERROR: DEK dump to file failed." "${rc}"
echo "## ERROR: AHAB authentication signature block tag not found." fi
# Validate DEK blob.
if ! dd if="${DEK_FILE}" bs=1 count=4 2>/dev/null | hexdump -ve '1/1 "%.2X"' | grep -q "${DEK_BLOB_HEADER_CCIMX8X}"; then
exit_error "## ERROR: Could not find DEK blob."
fi fi
else else
echo "## ERROR: AHAB authentication container tag not found." exit_error "## ERROR: AHAB authentication signature block tag not found."
return 1
fi fi
else else
#(The last byte lacks one digit on purpose, to match 40, 41 and 42; all HAB versions) exit_error "## ERROR: AHAB authentication container tag not found."
UBOOT_HEADER="d1 00 20 4"
if [ "${PLATFORM}" = "ccimx8mn-dvk" ] || [ "${PLATFORM}" = "ccimx8mm-dvk" ]; then
SKIP_BLOCKS="0"
DEK_BLOB_HEADER="81 00 48 4"
else
SKIP_BLOCKS="2"
DEK_BLOB_HEADER="81 00 58 4"
fi
dd if=${UBOOT_MMC_DEV} of=${UBOOT_MMC_DUMP} count=1 skip=${SKIP_BLOCKS} 2>/dev/null
uboot_start="0x$(hexdump -C ${UBOOT_MMC_DUMP} | grep -m 1 "${UBOOT_HEADER}" | head -1 | cut -c -8)"
echo "++++ ${uboot_start} +++"
if [ "${uboot_start}" = "0x" ]; then
echo "Could not find U-Boot on MMC"
return 1
fi
uboot_size_offset="$((uboot_start + 36))"
uboot_size=$(hexdump -n 4 -s ${uboot_size_offset} -e '/4 "%d\t" "\n"' ${UBOOT_MMC_DUMP})
# DEK blobs have an overhead of 56 bytes.
dek_blob_size="$((KEY_SIZE_BYTES + 56))"
# remove the output DEK file before creating it.
# Since this function is called twice.
# For the actual upgrade and then for the validation after the upgrade.
rm -f ${OUTPUT_FILE}
dump_size="$((uboot_size / 512))"
echo "++++ ${dump_size} +++"
dd if=${UBOOT_MMC_DEV} of=${UBOOT_MMC_DUMP} count=${dump_size} skip=${SKIP_BLOCKS} conv=fsync 2>/dev/null
dek_start=$(hexdump -C ${UBOOT_MMC_DUMP} | grep -m 1 "${DEK_BLOB_HEADER}" | head -1 | cut -c -8)
echo "++++ dek_start ${dek_start} +++"
dek_start="$((16#${dek_start} + 8))"
echo "++++ dek_start ${dek_start} +++"
dd of=${OUTPUT_FILE} if=${UBOOT_MMC_DUMP} count=${dek_blob_size} bs=1 skip=${dek_start} 2>/dev/null
rc=$?
if [ $rc -ne 0 ]; then
echo "DEK dump to the output file failed."
return $rc
fi
echo "dump_dek: output file has been created."
# Validate DEK blob
if [ -z "$(dd if=${OUTPUT_FILE} bs=1 count=4 2>/dev/null | hexdump -C | grep "${DEK_BLOB_HEADER}")" ]; then
echo "Could not find DEK blob"
rm -rf ${OUTPUT_FILE}
return 1
fi
echo "DEK blob correctly dumped"
rm -f ${UBOOT_MMC_DUMP}
return 0
fi fi
} }
if [ "${UBOOT_ENC}" = "enc" ]; then dump_dek_ccimx8m_ccimx6 ()
{
local IVT_HEADER="d1 00 20 4" # The last byte lacks one digit on purpose, to match 40, 41 and 42; all HAB versions.
local DEK_BLOB_HEADER="$1"
# Look for U-Boot in the eMMC. It starts with the IVT table header.
dd if="${UBOOT_MMC_DEV_MAIN}" of="${UBOOT_MMC_DUMP}" bs=1k skip="${UBOOT_SEEK_KB}" 2>/dev/null
local UBOOT_START="0x$(hexdump -C "${UBOOT_MMC_DUMP}" | grep -m 1 "${IVT_HEADER}" | head -1 | cut -c -8)"
if [ "${UBOOT_START}" = "0x" ]; then
exit_error "## ERROR: Could not find U-Boot on MMC."
fi
# DEK blob must be extracted from the SPL image. First determine SPL image size.
local SPL_SIZE_OFFSET="$((UBOOT_START + 36))" # Size information is at offset 36.
local SPL_SIZE="$(hexdump -n 4 -s "${SPL_SIZE_OFFSET}" -e '/4 "%d\t" "\n"' "${UBOOT_MMC_DUMP}")"
# Determine SPL size in blocks of 1Kb. Round up division if it is not exact.
local DUMP_SIZE="$(( (SPL_SIZE + 1023) / 1024 ))"
# Dump SPL image to file.
dd if="${UBOOT_MMC_DEV_MAIN}" of="${UBOOT_MMC_DUMP}" bs=1k count="${DUMP_SIZE}" skip="${UBOOT_SEEK_KB}" conv=fsync 2>/dev/null
# Look for the DEK blob in SPL image.
DEK_SPL_OFFSET="$(hexdump -ve '1/1 "%.2X"' ${UBOOT_MMC_DUMP} | awk -v pattern="${DEK_BLOB_HEADER}" 'BEGIN{IGNORECASE=1} {pos=index($0, pattern)} pos {print (pos-1)/2}')"
# Dump the DEK blob to file.
dd if="${UBOOT_MMC_DUMP}" of="${DEK_FILE}" count="${DEK_BLOB_SIZE}" bs=1 skip="${DEK_SPL_OFFSET}" 2>/dev/null
local rc=$?
if [ "${rc}" -ne 0 ]; then
exit_error "## ERROR: DEK dump to file failed." "${rc}"
fi
# Validate DEK blob.
if ! dd if="${DEK_FILE}" bs=1 count=4 2>/dev/null | hexdump -ve '1/1 "%.2X"' | grep -q "${DEK_BLOB_HEADER}"; then
exit_error "## ERROR: Could not find DEK blob."
fi
}
dump_dek_ccimx93 ()
{
exit_error "## ERROR: DEK support not implemented yet for CCIMX93."
}
dump_dek ()
{
case "${PLATFORM}" in
ccimx8x*)
dump_dek_ccimx8x
;;
ccimx8m*)
dump_dek_ccimx8m_ccimx6 "${DEK_BLOB_HEADER_CCIMX8M}"
;;
ccimx6*)
dump_dek_ccimx8m_ccimx6 "${DEK_BLOB_HEADER_CCIMX6}"
;;
ccimx93*)
dump_dek_ccimx93
;;
*)
exit_error "## ERROR: Device not supported ${PLATFORM}."
;;
esac
}
append_dek_ccimx8x ()
{
cp "${UBOOT_FILE}" "${UBOOT_ENCRYPTED_DEK}"
# Insert the DEK blob into the AHAB container.
dd if="${DEK_FILE}" of="${UBOOT_ENCRYPTED_DEK}" bs=1 seek="${DEK_AHAB_OFFSET}" conv=notrunc 2>/dev/null
local rc=$?
if [ "${rc}" -ne 0 ]; then
exit_error "## ERROR: Merging DEK with AHAB container failed." "${rc}"
fi
}
append_dek_ccimx8m ()
{
cp "${UBOOT_FILE}" "${UBOOT_ENCRYPTED_DEK}"
# Insert the DEK blob into the SPL image.
dd if="${DEK_FILE}" of="${UBOOT_ENCRYPTED_DEK}" bs=1 seek="${DEK_SPL_OFFSET}" conv=notrunc 2>/dev/null
local rc=$?
if [ "${rc}" -ne 0 ]; then
exit_error "## ERROR: Merging DEK with SPL image failed." "${rc}"
fi
# Get total iMX-Boot file size.
local UBOOT_FILE_SIZE="$(stat -L -c %s "${UBOOT_FILE}")"
# Determine FIT DEK blob offset.
local DEK_FIT_OFFSET="$((UBOOT_FILE_SIZE - DEK_BLOB_SIZE))"
# Insert the DEK blob into the FIT image.
dd if="${DEK_FILE}" of="${UBOOT_ENCRYPTED_DEK}" bs=1 seek="${DEK_FIT_OFFSET}" conv=notrunc 2>/dev/null
local rc=$?
if [ "${rc}" -ne 0 ]; then
exit_error "## ERROR: Merging DEK with FIT image failed." "${rc}"
fi
}
append_dek_ccimx6 ()
{
cat "${UBOOT_FILE}" "${DEK_FILE}" > "${UBOOT_ENCRYPTED_DEK}"
local rc=$?
if [ "${rc}" -ne 0 ]; then
exit_error "## ERROR: Merging DEK with U-Boot image failed." "${rc}"
fi
}
append_dek_ccimx93 ()
{
exit_error "## ERROR: DEK support not implemented yet for CCIMX93."
}
append_dek ()
{
dump_dek dump_dek
rc=$? case "${PLATFORM}" in
if [ "$rc" -ne 0 ]; then ccimx8x*)
echo "u-boot: DEK dump failed" append_dek_ccimx8x
exit $rc ;;
ccimx8m*)
append_dek_ccimx8m
;;
ccimx6*)
append_dek_ccimx6
;;
ccimx93*)
append_dek_ccimx93
;;
*)
exit_error "## ERROR: Device not supported: ${PLATFORM}."
;;
esac
UBOOT_FILE="${UBOOT_ENCRYPTED_DEK}"
}
write_uboot_emmc ()
{
local UBOOT_BLOCK="$1"
# Enable write access in the U-Boot partition.
echo 0 > "/sys/block/${UBOOT_BLOCK}/force_ro"
# Write the U-Boot into the eMMC.
dd if="${UBOOT_FILE}" of="/dev/${UBOOT_BLOCK}" seek="${UBOOT_SEEK_KB}" bs=1K 2>/dev/null
local rc=$?
# Disable write access in U-Boot partition.
echo 1 > "/sys/block/${UBOOT_BLOCK}/force_ro"
# Check update operation result.
if [ "${rc}" -ne 0 ]; then
exit_error "## ERROR: failed to write file ${UBOOT_FILE} to /dev/${UBOOT_BLOCK}" "${rc}"
fi fi
if [ "${PLATFORM}" = "ccimx8x-sbc-pro" ] || [ "${PLATFORM}" = "ccimx8x-sbc-express" ]; then echo "U-Boot successfully writen to /dev/${UBOOT_BLOCK}"
cp /tmp/${UBOOT_FILE} /tmp/${ENCRYPTED_UBOOT_DEK} }
# insert the dek_blob into the AHAB container
dd if=${OUTPUT_FILE} of=/tmp/${ENCRYPTED_UBOOT_DEK} bs=1 seek=${dek_blob} conv=notrunc 2>/dev/null # If U-Boot is encrypted, the DEK key blob needs to be extracted from existing U-Boot
rc=$? # and appended to the new U-Boot before writing it.
if [ "$rc" -ne 0 ]; then if [ "${UBOOT_ENC}" = "enc" ]; then
echo "u-boot: Merging DEK with U-Boot image failed (DEV/FILE = /tmp/$UBOOT_FILE)" append_dek
exit $rc
fi
elif [ "${PLATFORM}" = "ccimx8mn-dvk" ] || [ "${PLATFORM}" = "ccimx8mm-dvk" ]; then
FIT_DEK_BLOB_SIZE="96";
cp /tmp/${UBOOT_FILE} /tmp/${ENCRYPTED_UBOOT_DEK}
# insert the dek_blob into the SPL
dd if=${OUTPUT_FILE} of=/tmp/${ENCRYPTED_UBOOT_DEK} bs=1 seek=${dek_start} conv=notrunc 2>/dev/null
rc=$?
if [ "$rc" -ne 0 ]; then
echo "u-boot: Merging DEK with SPL image failed (DEV/FILE = /tmp/$UBOOT_FILE)"
exit $rc
fi
# get u-boot image file size
uboot_file_size="$(stat -L -c %s /tmp/${UBOOT_FILE})"
echo " ++++ uboot_file_size ${uboot_file_size} ***"
uboot_dek_blob_offset="$((uboot_file_size - FIT_DEK_BLOB_SIZE))"
echo " ----- uboot_dek_blob_offset ${uboot_dek_blob_offset} **"
# insert the dek_blob at the end of the bootloader
dd of=/tmp/${ENCRYPTED_UBOOT_DEK} if=${OUTPUT_FILE} bs=1 seek=${uboot_dek_blob_offset} conv=notrunc 2>/dev/null
rc=$?
if [ "$rc" -ne 0 ]; then
echo "u-boot: Merging DEK with U-Boot image failed (DEV/FILE = /tmp/$UBOOT_FILE)"
exit $rc
fi
else
cat /tmp/${UBOOT_FILE} ${OUTPUT_FILE} > /tmp/${ENCRYPTED_UBOOT_DEK}
rc=$?
if [ "$rc" -ne 0 ]; then
echo "u-boot: Merging DEK with U-Boot image failed (DEV/FILE = /tmp/$UBOOT_FILE)"
exit $rc
fi
fi
# enable write access
echo 0 > /sys/block/mmcblk0boot0/force_ro
UBOOT_FILE="/tmp/${ENCRYPTED_UBOOT_DEK}"
# write the encrypted u-boot into the MMC
dd if=${UBOOT_FILE} of=${UBOOT_MMC_DEV} seek=${uboot_seek_kb} bs=1K
rc=$? 2>/dev/null
if [ "$rc" -ne 0 ]; then
echo "u-boot: failed to write file ${UBOOT_FILE}"
else
echo "u-boot: successfully written file ${UBOOT_FILE}"
fi
# disable write access
echo 1 > /sys/block/mmcblk0boot0/force_ro
rm -f ${UBOOT_FILE} ${OUTPUT_FILE}
else
# enable write access
echo 0 > /sys/block/mmcblk0boot0/force_ro
# write the u-boot into the MMC
dd if=${UBOOT_FILE} of=${UBOOT_MMC_DEV} seek=${uboot_seek_kb} bs=1K 2>/dev/null
rc=$?
if [ "$rc" -ne 0 ]; then
echo "u-boot: failed to write file ${UBOOT_FILE}"
else
echo "u-boot: successfully written file ${UBOOT_FILE}"
fi
# disable write access
echo 1 > /sys/block/mmcblk0boot0/force_ro
rm -f ${UBOOT_FILE} ${OUTPUT_FILE}
fi fi
# Write U-Boot
write_uboot_emmc ${UBOOT_BLOCK_MAIN}
# Clean intermediate artifacts.
clean_artifacts
exit 0