Merge tag 'dey-2.6-r3.1' into dey-2.6/master

Digi Embedded Yocto 2.6-r3.1

Manually changed recipes to use the master branches instead of the fixed SHA1
from the last release.

Signed-off-by: Mike Engel <mike.engel@digi.com>
Mike Engel 2020-02-20 12:02:26 +01:00
commit 4ce67dac48
19 changed files with 109 additions and 88 deletions

View File

@ -20,6 +20,12 @@ OS versions:
Software for the following hardware platforms is in production support:
## ConnectCore 8M Nano
* ConnectCore 8M Nano System-on-Module (SOM)
* [CC-WMX-FS7D-NN](https://www.digi.com/cc8mnano)
* ConnectCore 8M Nano Development Kit
* [CC-WMX8MN-KIT](https://www.digi.com/products/models/cc-wmx8mn-kit) ([Get Started](https://www.digi.com/resources/documentation/digidocs/embedded/dey/2.6/cc8mnano/yocto-gs_index))
## ConnectCore 8X
* ConnectCore 8X System-on-Module (SOM)
* [CC-WMX-JM8E-NN](https://www.digi.com/products/models/cc-wmx-jm8e-nn)
@ -86,11 +92,25 @@ Documentation is available online at https://www.digi.com/resources/documentatio
# Downloads
* Demo images: https://ftp1.digi.com/support/digiembeddedyocto/2.6/r2/images/
* Software Development Kit (SDK): https://ftp1.digi.com/support/digiembeddedyocto/2.6/r2/sdk/
* Demo images: https://ftp1.digi.com/support/digiembeddedyocto/2.6/r3/images/
* Software Development Kit (SDK): https://ftp1.digi.com/support/digiembeddedyocto/2.6/r3/sdk/
# Release Changelog
## 2.6-r3
* Release based on [Yocto 2.6 (Thud)](https://www.yoctoproject.org/software-overview/downloads) including:
* Package upgrades and security fixes
* Added support for ConnectCore 8M Nano platform
* Add TrustFence support (phase 1) for ConnectCore 8X platform
(with U-Boot v2019.04).
* Updated kernel version to v4.14.170 for i.MX8X and i.MX6UL platforms
* Updated kernel version to v4.9.212 for i.MX6 platforms
* Updated U-Boot to version 2019.04-r1 for i.MX8X platform
* Updated U-Boot to version 2017.03-r5 for i.MX6 and i.MX6UL platforms
* Updated i.MX8 SCU firmware to v1.3.0 (see [important note](#scfw-note))
* Updated QCA65x4 Wi-Fi and Bluetooth firmware
## 2.6-r2
* Release based on [Yocto 2.6 (Thud)](https://www.yoctoproject.org/software-overview/downloads) including:
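
Review bot: In the 2.6-r3 changelog, "Add TrustFence support (phase 1)" breaks the past-tense style of the neighbouring entries ("Added support for ConnectCore 8M Nano platform"), and the name is spelled "TrustFence" here but "Trustfence" in the limitations list further down the same file. Suggest "Added TrustFence support (phase 1) ..." and one spelling throughout. It would also help to say what phase 1 covers, since this entry is where a reader learns that support on the ConnectCore 8X is partial.
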
@ -99,7 +119,7 @@ Documentation is available online at https://www.digi.com/resources/documentatio
* Updated busybox to v1.29.3
* Updated OpenSSL to v1.1.1b
* Package upgrades and security fixes
* Added support for ConnetCore 6 and ConnectCore 6 Plus platforms
* Added support for ConnectCore 6 and ConnectCore 6 Plus platforms
* Updated kernel version to v4.14.141 for i.MX8X and i.MX6UL platforms
* Updated kernel version to v4.9.190 for i.MX6 platforms
* Updated U-Boot to version 2018.03-r2 for i.MX8X platform
@ -143,7 +163,15 @@ updated list can be found on the online documentation.
(over 255 characters).
* For P2P connections Digi recommends "Negotiated GO" modes. The QCA6564
devices (ConnectCore 6UL, ConnectCore 6 Plus) fail to join autonomous groups.
* Trustfence is not yet supported on U-Boot v2018.03.
* Trustfence is not yet supported on the ConnectCore 8M Nano.
## ConnectCore 8M Nano
* ConnectCore 8M Nano System-on-Module (SOM)
* CPU wake-up sources are not yet supported
* ConnectCore 8M Nano DVK
* The maximum bitrate for CAN interface is 125 Kbits/s. This is a software
limitation from the CAN controller.
## ConnectCore 8X
@ -155,22 +183,20 @@ updated list can be found on the online documentation.
be met in future releases of the hardware.
* BSDL operation is not supported. It will be available in future releases
of the hardware.
* Digi Embedded Yocto
* The following features are not supported in this release for the ConnectCore 8X platform:
* Trustfence (TM)
<a name="scfw-note"></a>
---
**IMPORTANT**: This release updates the firmware of the _System Control Unit_ (SCU).
This is an NXP proprietary firmware and its last version is **not compatible** with
the previous one released on DEY-2.6-r1. As a consequence:
**IMPORTANT**: DEY-2.6-r2 and DEY-2.6-r3 releases update the firmware of the
_System Control Unit_ (SCU).
This is an NXP proprietary firmware and its version in these releases is
**not compatible** with the one released on DEY-2.6-r1. As a consequence:
* Old U-Boot v2018.03-r1 **cannot boot** images from this release DEY-2.6-r2.
* New U-Boot v2018.03-r2 **cannot boot** images from previous release DEY-2.6-r1.
To succesfully run DEY-2.6-r2 images you need to update the U-Boot on your device.
* Old U-Boot v2018.03-r1 **cannot boot** images from DEY-2.6-r2 or newer releases.
* U-Boot v2018.03-r2 or newer **cannot boot** images from release DEY-2.6-r1.
To successfully run DEY-2.6-r2 or newer images you need to update the U-Boot on
your device.
---
## ConnectCore 6UL

View File

@ -38,7 +38,7 @@ def get_bootable_artifacts(d):
# For platforms without RAM_CONFIGS, build the artifacts from UBOOT_CONFIG
if ram_configs == "":
for t in types.split(" "):
artifacts.append("%s-%s.%s" % (uboot_prefix, t, uboot_suffix))
artifacts.append("%s-%s.%s" % (uboot_prefix, t.replace("_","-"), uboot_suffix))
return " ".join(artifacts)
else:
machine = d.getVar('MACHINE', True) or ""
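
Review bot: The `t.replace("_","-")` in the `ram_configs == ""` branch has no comment saying why UBOOT_CONFIG type names are rewritten, and the returned names are only useful if the U-Boot deploy step writes its files with the same hyphenated spelling. Add a one-line comment naming the configuration that needed this, and confirm the `else` branch (platforms with RAM_CONFIGS) does not need the same normalisation.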

View File

@ -205,8 +205,9 @@ trustence_sign_cpio() {
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
[ -n "${TRUSTFENCE_SIGN_MODE}" ] && export CONFIG_SIGN_MODE="${TRUSTFENCE_SIGN_MODE}"
if [ "${SIGN_MODE}" = "AHAB" ]; then
if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
${DEPLOY_DIR_IMAGE}/imx-boot-tools/mkimage_imx8 -soc ${MX8_SOC_VAR} -rev ${MX8_CHIP_REV} -c -ap ${1} a35 ${RAM_CONTAINER_LOC_TF} -out ${1}-mkimg
mv "${1}-mkimg" "${1}"
fi
@ -220,7 +221,7 @@ trustence_sign_cpio() {
CONVERSIONTYPES += "tf"
CONVERSION_CMD_tf = "trustence_sign_cpio ${IMAGE_NAME}.rootfs.${type}"
CONVERSION_DEPENDS_tf = "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', \
oe.utils.conditional('SIGN_MODE', 'AHAB', 'trustfence-sign-tools-native imx-mkimage', 'trustfence-sign-tools-native', d), '', d)}"
oe.utils.conditional('TRUSTFENCE_SIGN_MODE', 'AHAB', 'trustfence-sign-tools-native imx-mkimage', 'trustfence-sign-tools-native', d), '', d)}"
IMAGE_TYPES += "cpio.gz.u-boot.tf"
################################################################################

View File

@ -44,4 +44,5 @@ MACHINE_EXTRA_RRECOMMENDS += " \
MACHINE_FEATURES += "accel-graphics accel-video wifi bluetooth pci"
SIGN_MODE = "HAB"
# TrustFence
TRUSTFENCE_SIGN_MODE = "HAB"
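
Review bot: Renaming `SIGN_MODE` to `TRUSTFENCE_SIGN_MODE` in the machine configuration leaves no fallback for layers or local configuration that still set or read `SIGN_MODE`; they will now see it unset, and the recipes in this commit either raise an error for anything other than "HAB" or "AHAB" or fall through to an `else` branch. The 2.6-r3 changelog added in this commit does not mention the rename. Suggest a changelog entry, and consider a parse-time warning when `SIGN_MODE` is set but `TRUSTFENCE_SIGN_MODE` is not.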

View File

@ -58,4 +58,5 @@ MKUBIFS_BOOT_ARGS ?= "-m 2048 -e 126976 -c 255"
# Max LEB count (-c 8191) calculated for a partition of up to 1 GiB considering 128 KiB erase-block size.
MKUBIFS_ARGS ?= "-m 2048 -e 126976 -c 8191"
SIGN_MODE = "HAB"
# TrustFence
TRUSTFENCE_SIGN_MODE = "HAB"

View File

@ -75,8 +75,11 @@ VIRTUAL-RUNTIME_initscripts ?= "initscripts"
# For i.MX 8 silicon chip revision
MX8_CHIP_REV ?= "B0"
MX8_SOC_VAR ?= "QX"
SIGN_MODE = "AHAB"
# TrustFence
TRUSTFENCE_SIGN_MODE = "AHAB"
# TODO: not yet supported
TRUSTFENCE_ENCRYPT_ENVIRONMENT = "0"
# For Trustfence container header RAM locations
RAM_CONTAINER_LOC_BOOT = "0x80280000"
RAM_CONTAINER_LOC_DTB = "0x82000000"

View File

@ -160,7 +160,6 @@ do_deploy () {
install -m 0644 ${BOOT_STAGING}/m40_tcm.bin ${DEPLOYDIR}/${BOOT_TOOLS}
install -m 0644 ${BOOT_STAGING}/m4_image.bin ${DEPLOYDIR}/${BOOT_TOOLS}
fi
install -m 0755 ${S}/${TOOLS_NAME} ${DEPLOYDIR}/${BOOT_TOOLS}
# copy makefile (soc.mak) for reference
install -m 0644 ${BOOT_STAGING}/soc.mak ${DEPLOYDIR}/${BOOT_TOOLS}
@ -205,20 +204,18 @@ do_deploy () {
}
do_deploy_append () {
if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${SIGN_MODE}" = "AHAB" ]; then
if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
[ -n "${TRUSTFENCE_SIGN_MODE}" ] && export CONFIG_SIGN_MODE="${TRUSTFENCE_SIGN_MODE}"
# Sign U-boot image
for ramc in ${RAM_CONFIGS}; do
trustfence-sign-ahab-uboot.sh ${DEPLOYDIR}/${UBOOT_PREFIX}-${MACHINE}-${ramc}.bin ${DEPLOYDIR}/${UBOOT_PREFIX}-${MACHINE}-${ramc}-signed.bin
trustfence-sign-uboot.sh ${DEPLOYDIR}/${UBOOT_PREFIX}-${MACHINE}-${ramc}.bin ${DEPLOYDIR}/${UBOOT_PREFIX}-${MACHINE}-${ramc}-signed.bin
done
cd ${DEPLOYDIR}
cp ${B}/${config}SRK_efuses.bin ${DEPLOYDIR}
install ${B}/${config}SRK_efuses.bin SRK_efuses-${PV}-${PR}.bin
ln -sf SRK_efuses-${PV}-${PR}.bin SRK_efuses.bin
cp ${B}/SRK_efuses.bin ${DEPLOYDIR}
fi
}

View File

@ -3,3 +3,9 @@
# Use the v4.14 ga BSP branch
SRCBRANCH = "imx_4.14.98_2.3.0"
SRCREV = "2556000499f667123094af22326cfd8e4cbadaac"
do_deploy_append () {
install -d ${DEPLOYDIR}/${BOOT_TOOLS}
install -m 0755 ${S}/iMX8M/mkimage_imx8 ${DEPLOYDIR}/${BOOT_TOOLS}/mkimage_imx8m
install -m 0755 ${S}/mkimage_imx8 ${DEPLOYDIR}/${BOOT_TOOLS}/mkimage_imx8
}

View File

@ -43,12 +43,12 @@ do_install() {
install -d ${D}${bindir}
install -m 0755 linux64/cst ${D}${bindir}/cst
install -m 0755 $(find linux64 -type f -name srktool) ${D}${bindir}/srktool
if [ "${SIGN_MODE}" = "AHAB" ]; then
if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
install -m 0755 keys/ahab_pki_tree.sh ${D}${bindir}/trustfence-gen-pki.sh
elif [ "${SIGN_MODE}" = "HAB" ]; then
elif [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
install -m 0755 keys/hab4_pki_tree.sh ${D}${bindir}/trustfence-gen-pki.sh
else
bberror "Unkown SIGN_MODE value"
bberror "Unkown TRUSTFENCE_SIGN_MODE value"
exit 1
fi
install -m 0755 ca/openssl.cnf ${D}${bindir}/openssl.cnf
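
Review bot: The `bberror` string on the `else` branch still reads "Unkown" after the rename; since the line is being rewritten anyway, correct it to "Unknown" and include the offending value, for example `bberror "Unknown TRUSTFENCE_SIGN_MODE value: ${TRUSTFENCE_SIGN_MODE}"`. The same misspelled message is carried into the other recipes touched by this commit.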

View File

@ -8,7 +8,8 @@ LIC_FILES_CHKSUM = "file://Licenses/README;md5=a2c678cfd4a4d97135585cad908541c6"
SECTION = "bootloaders"
DEPENDS += "bc-native dtc-native u-boot-mkimage-native"
DEPENDS += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'trustfence-sign-tools-native', '', d)}"
DEPENDS += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', \
oe.utils.conditional('TRUSTFENCE_SIGN_MODE', 'AHAB', 'trustfence-sign-tools-native imx-mkimage', 'trustfence-sign-tools-native', d), '', d)}"
PROVIDES += "u-boot"
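
Review bot: The nested `oe.utils.conditional('TRUSTFENCE_SIGN', '1', oe.utils.conditional('TRUSTFENCE_SIGN_MODE', 'AHAB', ...))` expression added to `DEPENDS` is the same one used for `CONVERSION_DEPENDS_tf` and in the kernel recipe. Three copies will drift apart; define the dependency list once in a shared include or class and reference it from each recipe.
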
@ -79,7 +80,7 @@ do_compile () {
unset k
# Secure boot artifacts
if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${SIGN_MODE}" = "HAB" ]
if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]
then
cp ${B}/${config}/u-boot-dtb-signed.imx ${B}/${config}/u-boot-dtb-signed-${type}.${UBOOT_SUFFIX}
cp ${B}/${config}/u-boot-dtb-usb-signed.imx ${B}/${config}/u-boot-dtb-usb-signed-${type}.${UBOOT_SUFFIX}
@ -122,7 +123,7 @@ do_deploy_append() {
cd ${DEPLOYDIR}
rm -r ${UBOOT_BINARY}-${type}
ln -sf u-boot-${type}-${PV}-${PR}.${UBOOT_SUFFIX} u-boot-${type}.${UBOOT_SUFFIX}
if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${SIGN_MODE}" = "HAB" ]; then
if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
install ${B}/${config}/SRK_efuses.bin SRK_efuses-${PV}-${PR}.bin
ln -sf SRK_efuses-${PV}-${PR}.bin SRK_efuses.bin
@ -159,9 +160,10 @@ do_deploy_append() {
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
[ -n "${TRUSTFENCE_SIGN_MODE}" ] && export CONFIG_SIGN_MODE="${TRUSTFENCE_SIGN_MODE}"
# Sign boot script
if [ "${SIGN_MODE}" = "HAB" ]; then
if [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
TMP_SIGNED_BOOTSCR="$(mktemp ${WORKDIR}/bootscr-signed.XXXXXX)"
trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -b "${DEPLOYDIR}/boot.scr" "${TMP_SIGNED_BOOTSCR}"
mv "${TMP_SIGNED_BOOTSCR}" "${DEPLOYDIR}/boot.scr"

View File

@ -32,10 +32,10 @@ else
if test -n "${module_variant}"; then
if test "${module_variant}" = "0x01"; then
setenv INSTALL_UBOOT_FILENAME imx-boot-ccimx8x-sbc-express-1.2GHz_1GB_32bit.bin;
elif test "${module_variant}" = "0x02" ||
elif test "${module_variant}" = "0x02" || \
test "${module_variant}" = "0x03"; then
setenv INSTALL_UBOOT_FILENAME imx-boot-ccimx8x-sbc-express-1.2GHz_2GB_32bit.bin;
elif test "${module_variant}" = "0x04" ||
elif test "${module_variant}" = "0x04" || \
test "${module_variant}" = "0x05"; then
setenv INSTALL_UBOOT_FILENAME imx-boot-ccimx8x-sbc-express-1.2GHz_1GB_16bit.bin;
fi

View File

@ -32,10 +32,10 @@ else
if test -n "${module_variant}"; then
if test "${module_variant}" = "0x01"; then
setenv INSTALL_UBOOT_FILENAME imx-boot-ccimx8x-sbc-pro-1.2GHz_1GB_32bit.bin;
elif test "${module_variant}" = "0x02" ||
elif test "${module_variant}" = "0x02" || \
test "${module_variant}" = "0x03"; then
setenv INSTALL_UBOOT_FILENAME imx-boot-ccimx8x-sbc-pro-1.2GHz_2GB_32bit.bin;
elif test "${module_variant}" = "0x04" ||
elif test "${module_variant}" = "0x04" || \
test "${module_variant}" = "0x05"; then
setenv INSTALL_UBOOT_FILENAME imx-boot-ccimx8x-sbc-pro-1.2GHz_1GB_16bit.bin;
elif test "${module_variant}" = "0x06"; then

View File

@ -69,7 +69,7 @@ TARGET="$(readlink -m ${2})"
# Negative offset with respect to CONFIG_RAM_START in which U-Boot
# copies the DEK blob.
if [ "${SIGN_MODE}" = "HAB" ]; then
if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then
DEK_BLOB_OFFSET="0x100"
CONFIG_CSF_SIZE="0x4000"
fi
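
Review bot: The script now branches on `CONFIG_SIGN_MODE`, but every caller in this commit exports it only when `TRUSTFENCE_SIGN_MODE` is non-empty (`[ -n "${TRUSTFENCE_SIGN_MODE}" ] && export CONFIG_SIGN_MODE=...`), and the later `if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then ... else` blocks treat any other value, including unset or a misspelling, as the non-HAB case. For a signing tool that should be a hard failure: check near the top that the value is exactly "HAB" or "AHAB" and exit non-zero otherwise, as the recipes do with `bberror`.
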
@ -83,7 +83,7 @@ if [ -z "${CONFIG_SIGN_KEYS_PATH}" ]; then
fi
[ -d "${CONFIG_SIGN_KEYS_PATH}" ] || mkdir "${CONFIG_SIGN_KEYS_PATH}"
if [ "${SIGN_MODE}" = "HAB" ]; then
if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then
if [ -n "${CONFIG_DEK_PATH}" ]; then
if [ ! -f "${CONFIG_DEK_PATH}" ]; then
echo "DEK not found. Generating random 256 bit DEK."
@ -129,14 +129,14 @@ fi
CONFIG_KEY_INDEX_1="$((CONFIG_KEY_INDEX + 1))"
SRK_KEYS="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/SRK*crt.pem | sed s/\ /\,/g)"
if [ "${SIGN_MODE}" = "HAB" ]; then
if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then
CERT_CSF="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/CSF${CONFIG_KEY_INDEX_1}*crt.pem)"
CERT_IMG="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/IMG${CONFIG_KEY_INDEX_1}*crt.pem)"
fi
n_commas="$(echo ${SRK_KEYS} | grep -o "," | wc -l)"
if [ "${SIGN_MODE}" = "HAB" ]; then
if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then
if [ "${n_commas}" -eq 3 ] && [ -f "${CERT_CSF}" ] && [ -f "${CERT_IMG}" ]; then
# PKI tree already exists.
echo "Using existing PKI tree"
@ -151,11 +151,11 @@ if [ "${SIGN_MODE}" = "HAB" ]; then
echo "Inconsistent CST folder."
exit 1
fi
elif [ "${SIGN_MODE}" = "AHAB" ]; then
if [ "${n_commas}" -eq 3 ] && [ "${SIGN_MODE}" = "AHAB" ]; then
elif [ "${CONFIG_SIGN_MODE}" = "AHAB" ]; then
if [ "${n_commas}" -eq 3 ] && [ "${CONFIG_SIGN_MODE}" = "AHAB" ]; then
# PKI tree already exists. Do nothing
echo "Using existing PKI tree"
elif [ "${n_commas}" -eq 0 ] && [ "${SIGN_MODE}" = "AHAB" ]; then
elif [ "${n_commas}" -eq 0 ] && [ "${CONFIG_SIGN_MODE}" = "AHAB" ]; then
# Generate PKI
trustfence-gen-pki.sh "${CONFIG_SIGN_KEYS_PATH}"
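
Review bot: Inside `elif [ "${CONFIG_SIGN_MODE}" = "AHAB" ]`, both inner conditions repeat `&& [ "${CONFIG_SIGN_MODE}" = "AHAB" ]`, which is always true at that point. Drop the repeated test so the two inner branches differ only in the `n_commas` check.
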
@ -167,11 +167,10 @@ elif [ "${SIGN_MODE}" = "AHAB" ]; then
fi
SRK_TABLE="$(pwd)/SRK_table.bin"
if [ "${SIGN_MODE}" = "HAB" ]; then
if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then
HAB_VER="hab_ver 4"
DIGEST="digest"
DIGEST_ALGO="sha256"
SRK_EFUSES="/dev/null"
# Other constants
GAP_FILLER="0x00"
@ -243,8 +242,6 @@ if [ "${SIGN_MODE}" = "HAB" ]; then
"${SCRIPT_PATH}/csf_templates/sign_hab" > csf_descriptor
fi
else
SRK_EFUSES="$(pwd)/SRK_efuses.bin"
# Other constants
KERNEL_START_OFFSET="0x0"
KERNEL_SIG_BLOCK_OFFSET="0x90"
@ -275,13 +272,13 @@ else
fi
# Generate SRK tables
srktool --${HAB_VER} --certs "${SRK_KEYS}" --table "${SRK_TABLE}" --efuses "${SRK_EFUSES}" --${DIGEST} "${DIGEST_ALGO}"
srktool --${HAB_VER} --certs "${SRK_KEYS}" --table "${SRK_TABLE}" --efuses /dev/null --${DIGEST} "${DIGEST_ALGO}"
if [ $? -ne 0 ]; then
echo "[ERROR] Could not generate SRK tables"
exit 1
fi
if [ "${SIGN_MODE}" = "HAB" ]; then
if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then
# Pad to IVT
objcopy -I binary -O binary --pad-to "${pad_len}" --gap-fill="${GAP_FILLER}" "${UIMAGE_PATH}" "${TARGET}"

View File

@ -5,8 +5,7 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425
DEPENDS = "trustfence-cst coreutils util-linux"
SRCBRANCH = "v2017.03/master"
SRCBRANCH_ccimx8x = "v2019.04/master"
SRCBRANCH = "v2019.04/master"
SRCREV = "${AUTOREV}"
S = "${WORKDIR}"
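
Review bot: Dropping the `SRCBRANCH_ccimx8x` override means the HAB platforms now fetch the signing scripts from `v2019.04/master` as well, while the changelog in this commit keeps i.MX6 and i.MX6UL on U-Boot 2017.03-r5; confirm that `scripts/sign.sh` on that branch still produces images the 2017.03 bootloader accepts. With `SRCREV = "${AUTOREV}"` the scripts that sign boot artifacts are whatever the branch head is at build time, so a release build should pin a revision here.
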
@ -27,17 +26,16 @@ do_compile[noexec] = "1"
do_install() {
install -d ${D}${bindir}/csf_templates
if [ "${SIGN_MODE}" = "AHAB" ]; then
if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
install -m 0755 sign_ahab ${D}${bindir}/csf_templates/
install -m 0755 git/scripts/sign.sh ${D}${bindir}/trustfence-sign-ahab-uboot.sh
elif [ "${SIGN_MODE}" = "HAB" ]; then
elif [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
install -m 0755 sign_hab ${D}${bindir}/csf_templates/
install -m 0755 encrypt_hab ${D}${bindir}/csf_templates/
install -m 0755 git/scripts/sign.sh ${D}${bindir}/trustfence-sign-uboot.sh
else
bberror "Unkown SIGN_MODE value"
bberror "Unkown TRUSTFENCE_SIGN_MODE value"
exit 1
fi
install -m 0755 git/scripts/sign.sh ${D}${bindir}/trustfence-sign-uboot.sh
install -m 0755 trustfence-sign-kernel.sh ${D}${bindir}/
install -m 0755 git/scripts/csf_templates/* ${D}${bindir}/csf_templates
}

View File

@ -5,7 +5,8 @@ LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=d7810fab7487fb0aad327b76f1be7cd7"
DEPENDS += "lzop-native bc-native"
DEPENDS += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'trustfence-sign-tools-native', '', d)}"
DEPENDS += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', \
oe.utils.conditional('TRUSTFENCE_SIGN_MODE', 'AHAB', 'trustfence-sign-tools-native imx-mkimage', 'trustfence-sign-tools-native', d), '', d)}"
inherit kernel fsl-kernel-localversion
@ -22,9 +23,10 @@ trustfence_sign() {
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
[ -n "${TRUSTFENCE_SIGN_MODE}" ] && export CONFIG_SIGN_MODE="${TRUSTFENCE_SIGN_MODE}"
# Sign/encrypt the kernel images
if [ "${SIGN_MODE}" = "HAB" ]; then
if [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
for type in ${KERNEL_IMAGETYPES}; do
KERNEL_IMAGE="${type}-${KERNEL_IMAGE_NAME}.bin"
TMP_KERNEL_IMAGE_SIGNED="$(mktemp ${KERNEL_IMAGE}-signed.XXXXXX)"
@ -42,7 +44,7 @@ trustfence_sign() {
trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -d "${DTB_IMAGE}" "${TMP_DTB_IMAGE_SIGNED}"
mv "${TMP_DTB_IMAGE_SIGNED}" "${DTB_IMAGE}"
done
elif [ "${SIGN_MODE}" = "AHAB" ]; then
elif [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
# Sign the kernel images
for type in ${KERNEL_IMAGETYPES}; do
KERNEL_IMAGE="${type}-${KERNEL_IMAGE_NAME}.bin"
@ -64,7 +66,7 @@ trustfence_sign() {
rm -f ${DTB_IMAGE}-mkimg-signed
done
else
bberror "Unkown SIGN_MODE value"
bberror "Unkown TRUSTFENCE_SIGN_MODE value"
exit 1
fi
}

View File

@ -34,18 +34,15 @@ DEY_IMAGE_INSTALLER ?= "0"
inherit ${@oe.utils.conditional("DEY_IMAGE_INSTALLER", "1", "dey-image-installer", "", d)}
#
# Create a dey-version file when populating the toolchain/SDK and modify the
# default SDK installation path so it includes the proper 'IMAGE_BASENAME'
# value.
# Create a dey-version file when populating the toolchain/SDK
#
# 'SDK_POSTPROCESS_COMMAND' variable is originally defined in populate_sdk_base
# class: poky/meta/classes/populate_sdk_base.bbclass
# It is redefined here to be able to tweak the resulting SDK before and after
# packaging, using the proper 'IMAGE_BASENAME' value.
# It is redefined here to be able to tweak the resulting SDK before packaging,
# using the proper 'IMAGE_BASENAME' value.
#
SDK_PREPACKAGING_COMMAND ?= "toolchain_create_sdk_dey_version"
SDK_POSTPACKAGING_COMMAND ?= "toolchain_modify_default_path"
SDK_POSTPROCESS_COMMAND = " create_sdk_files; check_sdk_sysroots; ${SDK_PREPACKAGING_COMMAND}; tar_sdk; ${SDK_PACKAGING_COMMAND} ${SDK_POSTPACKAGING_COMMAND}; "
SDK_POSTPROCESS_COMMAND = " create_sdk_files; check_sdk_sysroots; ${SDK_PREPACKAGING_COMMAND}; tar_sdk; ${SDK_PACKAGING_COMMAND} "
# This function creates a DEY version information file
fakeroot toolchain_create_sdk_dey_version() {
@ -59,9 +56,3 @@ fakeroot toolchain_create_sdk_dey_version() {
}
toolchain_create_sdk_dey_version[vardepsexclude] = "DATETIME"
# This function appends IMAGE_BASENAME to the default installation path
fakeroot toolchain_modify_default_path() {
sed -i -e 's#^DEFAULT_INSTALL_DIR="${SDKPATH}"#DEFAULT_INSTALL_DIR="${SDKPATH}/${IMAGE_BASENAME}"#g' \
${SDKDEPLOYDIR}/${TOOLCHAIN_OUTPUTNAME}.sh
}

View File

@ -63,11 +63,7 @@ python () {
if (d.getVar("TRUSTFENCE_DEK_PATH", True) not in [None, "0"]):
d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_DEK_PATH=\\"%s\\" ' % d.getVar("TRUSTFENCE_DEK_PATH", True))
if (d.getVar("TRUSTFENCE_ENCRYPT_ENVIRONMENT", True) == "1"):
if ("ccimx8x" in d.getVar("MACHINE", True)):
bb.fatal("Environment encryption is not currently supported on the ccimx8x SOM")
return
else:
d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_ENV_AES=y CONFIG_ENV_AES_CAAM_KEY=y')
d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_ENV_AES=y CONFIG_ENV_AES_CAAM_KEY=y')
# Provide sane default values for SWUPDATE class in case Trustfence is enabled
if (d.getVar("TRUSTFENCE_SIGN", True) == "1"):
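
Review bot: With the `ccimx8x` check and its `bb.fatal` gone, a build that reaches this point with `TRUSTFENCE_ENCRYPT_ENVIRONMENT` set to "1" on that machine gets `CONFIG_ENV_AES=y CONFIG_ENV_AES_CAAM_KEY=y` appended with no diagnostic, although the machine configuration in this commit still marks the feature "# TODO: not yet supported" and relies on a plain assignment to "0". Keep an explicit failure for the unsupported platform until support lands, so an override cannot silently produce a U-Boot configuration that was never validated.
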
@ -84,7 +80,7 @@ python () {
key_index_1 = key_index + 1
# Set the private key template, it will be expanded later in 'swu' recipes once keys are generated.
if (d.getVar("SIGN_MODE", "") == "AHAB"):
if (d.getVar("TRUSTFENCE_SIGN_MODE", "") == "AHAB"):
d.setVar("SWUPDATE_PRIVATE_KEY_TEMPLATE", keys_path + "/keys/SRK" + str(key_index_1) + "*key.pem")
d.setVar("CONFIG_SIGN_MODE", "AHAB")
else:
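
Review bot: In `d.getVar("TRUSTFENCE_SIGN_MODE", "")` the second positional argument is `expand`, not a default value, so the empty string switches expansion off; the other calls in this function pass `True`. It works while the machine configuration assigns a literal "HAB" or "AHAB", but `d.getVar("TRUSTFENCE_SIGN_MODE", True)` would match the rest of the function. The `else` branch is also taken for any value other than "AHAB", including unset, so an explicit check for "HAB" would be safer.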

View File

@ -40,12 +40,12 @@ do_install() {
KEY_INDEX_1=$(expr ${KEY_INDEX} + 1)
# Find the certificate to use.
if [ "${SIGN_MODE}" = "HAB" ]; then
if [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/IMG${KEY_INDEX_1}*crt.pem)"
elif [ "${SIGN_MODE}" = "AHAB" ]; then
elif [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/SRK${KEY_INDEX_1}*_ca_crt.pem)"
else
bberror "Unkown SIGN_MODE value"
bberror "Unkown TRUSTFENCE_SIGN_MODE value"
exit 1
fi

View File

@ -15,13 +15,13 @@
#
#===============================================================================
POWEROFF_TIME="10"
HALT_TIME="10"
error() {
[ "${#}" != "0" ] && printf "\n[ERROR]: %s\n\n" "${1}"
echo "The system will poweroff in ${POWEROFF_TIME} seconds"
sleep "${POWEROFF_TIME}"
sync && poweroff -f
echo "The system will halt in ${HALT_TIME} seconds"
sleep "${HALT_TIME}"
sync && busybox halt -f
}
# Main
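
Review bot: `error()` now ends in `busybox halt -f` instead of `poweroff -f`, which leaves the board powered after a failure, but nothing in the function or the header comment says why. Add a comment giving the reason, and note that calling `busybox halt` directly makes the script depend on that applet being built in.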