diff --git a/README.md b/README.md index afa831b3a..3b58d2ccc 100644 --- a/README.md +++ b/README.md @@ -20,6 +20,12 @@ OS versions: Software for the following hardware platforms is in production support: +## ConnectCore 8M Nano +* ConnectCore 8M Nano System-on-Module (SOM) + * [CC-WMX-FS7D-NN](https://www.digi.com/cc8mnano) +* ConnectCore 8M Nano Development Kit + * [CC-WMX8MN-KIT](https://www.digi.com/products/models/cc-wmx8mn-kit) ([Get Started](https://www.digi.com/resources/documentation/digidocs/embedded/dey/2.6/cc8mnano/yocto-gs_index)) + ## ConnectCore 8X * ConnectCore 8X System-on-Module (SOM) * [CC-WMX-JM8E-NN](https://www.digi.com/products/models/cc-wmx-jm8e-nn) @@ -86,11 +92,25 @@ Documentation is available online at https://www.digi.com/resources/documentatio # Downloads -* Demo images: https://ftp1.digi.com/support/digiembeddedyocto/2.6/r2/images/ -* Software Development Kit (SDK): https://ftp1.digi.com/support/digiembeddedyocto/2.6/r2/sdk/ +* Demo images: https://ftp1.digi.com/support/digiembeddedyocto/2.6/r3/images/ +* Software Development Kit (SDK): https://ftp1.digi.com/support/digiembeddedyocto/2.6/r3/sdk/ # Release Changelog +## 2.6-r3 + +* Release based on [Yocto 2.6 (Thud)](https://www.yoctoproject.org/software-overview/downloads) including: + * Package upgrades and security fixes +* Added support for ConnectCore 8M Nano platform +* Add TrustFence support (phase 1) for ConnectCore 8X platform + (with U-Boot v2019.04). +* Updated kernel version to v4.14.170 for i.MX8X and i.MX6UL platforms +* Updated kernel version to v4.9.212 for i.MX6 platforms +* Updated U-Boot to version 2019.04-r1 for i.MX8X platform +* Updated U-Boot to version 2017.03-r5 for i.MX6 and i.MX6UL platforms +* Updated i.MX8 SCU firmware to v1.3.0 (see [important note](#scfw-note)) +* Updated QCA65x4 Wi-Fi and Bluetooth firmware + ## 2.6-r2 * Release based on [Yocto 2.6 (Thud)](https://www.yoctoproject.org/software-overview/downloads) including: 
@@ -99,7 +119,7 @@ Documentation is available online at https://www.digi.com/resources/documentatio * Updated busybox to v1.29.3 * Updated OpenSSL to v1.1.1b * Package upgrades and security fixes -* Added support for ConnetCore 6 and ConnectCore 6 Plus platforms +* Added support for ConnectCore 6 and ConnectCore 6 Plus platforms * Updated kernel version to v4.14.141 for i.MX8X and i.MX6UL platforms * Updated kernel version to v4.9.190 for i.MX6 platforms * Updated U-Boot to version 2018.03-r2 for i.MX8X platform @@ -143,7 +163,15 @@ updated list can be found on the online documentation. (over 255 characters). * For P2P connections Digi recommends "Negotiated GO" modes. The QCA6564 devices (ConnectCore 6UL, ConnectCore 6 Plus) fail to join autonomous groups. -* Trustfence is not yet supported on U-Boot v2018.03. +* Trustfence is not yet supported on the ConnectCore 8M Nano. + +## ConnectCore 8M Nano + +* ConnectCore 8M Nano System-on-Module (SOM) + * CPU wake-up sources are not yet supported +* ConnectCore 8M Nano DVK + * The maximum bitrate for CAN interface is 125 Kbits/s. This is a software + limitation from the CAN controller. ## ConnectCore 8X 
@@ -155,22 +183,20 @@ updated list can be found on the online documentation. be met in future releases of the hardware. * BSDL operation is not supported. It will be available in future releases of the hardware. -* Digi Embedded Yocto - * The following features are not supported in this release for the ConnectCore 8X platform: - * Trustfence (TM) --- - **IMPORTANT**: This release updates the firmware of the _System Control Unit_ (SCU). - This is an NXP proprietary firmware and its last version is **not compatible** with - the previous one released on DEY-2.6-r1. As a consequence: + **IMPORTANT**: DEY-2.6-r2 and DEY-2.6-r3 releases update the firmware of the + _System Control Unit_ (SCU). + This is an NXP proprietary firmware and its version in these releases is + **not compatible** with the one released on DEY-2.6-r1. As a consequence: -* Old U-Boot v2018.03-r1 **cannot boot** images from this release DEY-2.6-r2. -* New U-Boot v2018.03-r2 **cannot boot** images from previous release DEY-2.6-r1. - - To succesfully run DEY-2.6-r2 images you need to update the U-Boot on your device. +* Old U-Boot v2018.03-r1 **cannot boot** images from DEY-2.6-r2 or newer releases. +* U-Boot v2018.03-r2 or newer **cannot boot** images from release DEY-2.6-r1. + To successfully run DEY-2.6-r2 or newer images you need to update the U-Boot on + your device. --- ## ConnectCore 6UL diff --git a/meta-digi-arm/classes/boot-artifacts.bbclass b/meta-digi-arm/classes/boot-artifacts.bbclass index f0195bd8c..34ff5a307 100644 --- a/meta-digi-arm/classes/boot-artifacts.bbclass +++ b/meta-digi-arm/classes/boot-artifacts.bbclass 
@@ -38,7 +38,7 @@ def get_bootable_artifacts(d): # For platforms without RAM_CONFIGS, build the artifacts from UBOOT_CONFIG if ram_configs == "": for t in types.split(" "): - artifacts.append("%s-%s.%s" % (uboot_prefix, t, uboot_suffix)) + artifacts.append("%s-%s.%s" % (uboot_prefix, t.replace("_","-"), uboot_suffix)) return " ".join(artifacts) else: machine = d.getVar('MACHINE', True) or "" diff --git a/meta-digi-arm/classes/image_types_digi.bbclass b/meta-digi-arm/classes/image_types_digi.bbclass index dcb85f51d..a3e0a3f88 100644 --- a/meta-digi-arm/classes/image_types_digi.bbclass +++ b/meta-digi-arm/classes/image_types_digi.bbclass @@ -205,8 +205,9 @@ trustence_sign_cpio() { export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}" [ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}" [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}" + [ -n "${TRUSTFENCE_SIGN_MODE}" ] && export CONFIG_SIGN_MODE="${TRUSTFENCE_SIGN_MODE}" - if [ "${SIGN_MODE}" = "AHAB" ]; then + if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then ${DEPLOY_DIR_IMAGE}/imx-boot-tools/mkimage_imx8 -soc ${MX8_SOC_VAR} -rev ${MX8_CHIP_REV} -c -ap ${1} a35 ${RAM_CONTAINER_LOC_TF} -out ${1}-mkimg mv "${1}-mkimg" "${1}" fi @@ -220,7 +221,7 @@ trustence_sign_cpio() { CONVERSIONTYPES += "tf" CONVERSION_CMD_tf = "trustence_sign_cpio ${IMAGE_NAME}.rootfs.${type}" CONVERSION_DEPENDS_tf = "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', \ - oe.utils.conditional('SIGN_MODE', 'AHAB', 'trustfence-sign-tools-native imx-mkimage', 'trustfence-sign-tools-native', d), '', d)}" + oe.utils.conditional('TRUSTFENCE_SIGN_MODE', 'AHAB', 'trustfence-sign-tools-native imx-mkimage', 'trustfence-sign-tools-native', d), '', d)}" IMAGE_TYPES += "cpio.gz.u-boot.tf" ################################################################################ 
diff --git a/meta-digi-arm/conf/machine/include/ccimx6.inc b/meta-digi-arm/conf/machine/include/ccimx6.inc index 0a4d41c03..25d68619f 100644 --- a/meta-digi-arm/conf/machine/include/ccimx6.inc +++ b/meta-digi-arm/conf/machine/include/ccimx6.inc @@ -44,4 +44,5 @@ MACHINE_EXTRA_RRECOMMENDS += " \ MACHINE_FEATURES += "accel-graphics accel-video wifi bluetooth pci" -SIGN_MODE = "HAB" +# TrustFence +TRUSTFENCE_SIGN_MODE = "HAB" diff --git a/meta-digi-arm/conf/machine/include/ccimx6ul.inc b/meta-digi-arm/conf/machine/include/ccimx6ul.inc index be96b3aba..1c254af7a 100644 --- a/meta-digi-arm/conf/machine/include/ccimx6ul.inc +++ b/meta-digi-arm/conf/machine/include/ccimx6ul.inc @@ -58,4 +58,5 @@ MKUBIFS_BOOT_ARGS ?= "-m 2048 -e 126976 -c 255" # Max LEB count (-c 8191) calculated for a partition of up to 1 GiB considering 128 KiB erase-block size. MKUBIFS_ARGS ?= "-m 2048 -e 126976 -c 8191" -SIGN_MODE = "HAB" +# TrustFence +TRUSTFENCE_SIGN_MODE = "HAB" diff --git a/meta-digi-arm/conf/machine/include/ccimx8x.inc b/meta-digi-arm/conf/machine/include/ccimx8x.inc index 81a3cddb3..77d8d7a5d 100644 --- a/meta-digi-arm/conf/machine/include/ccimx8x.inc +++ b/meta-digi-arm/conf/machine/include/ccimx8x.inc @@ -75,8 +75,11 @@ VIRTUAL-RUNTIME_initscripts ?= "initscripts" # For i.MX 8 silicon chip revision MX8_CHIP_REV ?= "B0" MX8_SOC_VAR ?= "QX" -SIGN_MODE = "AHAB" +# TrustFence +TRUSTFENCE_SIGN_MODE = "AHAB" +# TODO: not yet supported +TRUSTFENCE_ENCRYPT_ENVIRONMENT = "0" # For Trustfence container header RAM locations RAM_CONTAINER_LOC_BOOT = "0x80280000" RAM_CONTAINER_LOC_DTB = "0x82000000" diff --git a/meta-digi-arm/recipes-bsp/imx-mkimage/imx-boot_0.2.bbappend b/meta-digi-arm/recipes-bsp/imx-mkimage/imx-boot_0.2.bbappend index ab0299104..5c184bc7a 100644 --- a/meta-digi-arm/recipes-bsp/imx-mkimage/imx-boot_0.2.bbappend +++ b/meta-digi-arm/recipes-bsp/imx-mkimage/imx-boot_0.2.bbappend 
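Review bot: The added `TRUSTFENCE_ENCRYPT_ENVIRONMENT = "0"` in ccimx8x.inc is a hard assignment, and this same commit removes the `bb.fatal("Environment encryption is not currently supported on the ccimx8x SOM")` guard from trustfence.bbclass, so a project that asks for environment encryption on this platform no longer gets any diagnostic. If the machine include is parsed after the user's configuration (the usual order, not visible here), the request is silently overridden and the U-Boot environment is left unencrypted. The comment should at least say what is forced and why, for example `# U-Boot environment encryption is not yet supported on ccimx8x: forced off, overrides any user setting`. The limitation also belongs in the README known-issues list that this commit edits.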
@@ -160,7 +160,6 @@ do_deploy () { install -m 0644 ${BOOT_STAGING}/m40_tcm.bin ${DEPLOYDIR}/${BOOT_TOOLS} install -m 0644 ${BOOT_STAGING}/m4_image.bin ${DEPLOYDIR}/${BOOT_TOOLS} fi - install -m 0755 ${S}/${TOOLS_NAME} ${DEPLOYDIR}/${BOOT_TOOLS} # copy makefile (soc.mak) for reference install -m 0644 ${BOOT_STAGING}/soc.mak ${DEPLOYDIR}/${BOOT_TOOLS} @@ -205,20 +204,18 @@ do_deploy () { } do_deploy_append () { - if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${SIGN_MODE}" = "AHAB" ]; then + if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}" [ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}" [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}" + [ -n "${TRUSTFENCE_SIGN_MODE}" ] && export CONFIG_SIGN_MODE="${TRUSTFENCE_SIGN_MODE}" # Sign U-boot image for ramc in ${RAM_CONFIGS}; do - trustfence-sign-ahab-uboot.sh ${DEPLOYDIR}/${UBOOT_PREFIX}-${MACHINE}-${ramc}.bin ${DEPLOYDIR}/${UBOOT_PREFIX}-${MACHINE}-${ramc}-signed.bin + trustfence-sign-uboot.sh ${DEPLOYDIR}/${UBOOT_PREFIX}-${MACHINE}-${ramc}.bin ${DEPLOYDIR}/${UBOOT_PREFIX}-${MACHINE}-${ramc}-signed.bin done - cd ${DEPLOYDIR} - cp ${B}/${config}SRK_efuses.bin ${DEPLOYDIR} - install ${B}/${config}SRK_efuses.bin SRK_efuses-${PV}-${PR}.bin - ln -sf SRK_efuses-${PV}-${PR}.bin SRK_efuses.bin + cp ${B}/SRK_efuses.bin ${DEPLOYDIR} fi } diff --git a/meta-digi-arm/recipes-bsp/imx-mkimage/imx-mkimage_%.bbappend b/meta-digi-arm/recipes-bsp/imx-mkimage/imx-mkimage_%.bbappend index 079e27b22..95f53f04c 100644 --- a/meta-digi-arm/recipes-bsp/imx-mkimage/imx-mkimage_%.bbappend +++ b/meta-digi-arm/recipes-bsp/imx-mkimage/imx-mkimage_%.bbappend 
@@ -3,3 +3,9 @@ # Use the v4.14 ga BSP branch SRCBRANCH = "imx_4.14.98_2.3.0" SRCREV = "2556000499f667123094af22326cfd8e4cbadaac" + +do_deploy_append () { + install -d ${DEPLOYDIR}/${BOOT_TOOLS} + install -m 0755 ${S}/iMX8M/mkimage_imx8 ${DEPLOYDIR}/${BOOT_TOOLS}/mkimage_imx8m + install -m 0755 ${S}/mkimage_imx8 ${DEPLOYDIR}/${BOOT_TOOLS}/mkimage_imx8 +} diff --git a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst.inc b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst.inc index 9639c584a..0731dbfcf 100644 --- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst.inc +++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst.inc @@ -43,12 +43,12 @@ do_install() { install -d ${D}${bindir} install -m 0755 linux64/cst ${D}${bindir}/cst install -m 0755 $(find linux64 -type f -name srktool) ${D}${bindir}/srktool - if [ "${SIGN_MODE}" = "AHAB" ]; then + if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then install -m 0755 keys/ahab_pki_tree.sh ${D}${bindir}/trustfence-gen-pki.sh - elif [ "${SIGN_MODE}" = "HAB" ]; then + elif [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then install -m 0755 keys/hab4_pki_tree.sh ${D}${bindir}/trustfence-gen-pki.sh else - bberror "Unkown SIGN_MODE value" + bberror "Unkown TRUSTFENCE_SIGN_MODE value" exit 1 fi install -m 0755 ca/openssl.cnf ${D}${bindir}/openssl.cnf diff --git a/meta-digi-arm/recipes-bsp/u-boot/digi-u-boot.inc b/meta-digi-arm/recipes-bsp/u-boot/digi-u-boot.inc index 68f14fc16..12c7edba3 100644 --- a/meta-digi-arm/recipes-bsp/u-boot/digi-u-boot.inc +++ b/meta-digi-arm/recipes-bsp/u-boot/digi-u-boot.inc 
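Review bot: The error text in the `else` branch of do_install in trustfence-cst.inc is misspelled and does not say which value was rejected: `bberror "Unkown TRUSTFENCE_SIGN_MODE value"`. Suggest `bberror "Unknown TRUSTFENCE_SIGN_MODE value: '${TRUSTFENCE_SIGN_MODE}'"`, so that a build stopping here shows what has to be corrected. The same message is added in the hunks for trustfence-sign-tools_git.bb, linux-dey.inc and recovery-initramfs.bb. do_install continues outside the hunk.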
@@ -8,7 +8,8 @@ LIC_FILES_CHKSUM = "file://Licenses/README;md5=a2c678cfd4a4d97135585cad908541c6" SECTION = "bootloaders" DEPENDS += "bc-native dtc-native u-boot-mkimage-native" -DEPENDS += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'trustfence-sign-tools-native', '', d)}" +DEPENDS += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', \ + oe.utils.conditional('TRUSTFENCE_SIGN_MODE', 'AHAB', 'trustfence-sign-tools-native imx-mkimage', 'trustfence-sign-tools-native', d), '', d)}" PROVIDES += "u-boot" @@ -79,7 +80,7 @@ do_compile () { unset k # Secure boot artifacts - if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${SIGN_MODE}" = "HAB" ] + if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ] then cp ${B}/${config}/u-boot-dtb-signed.imx ${B}/${config}/u-boot-dtb-signed-${type}.${UBOOT_SUFFIX} cp ${B}/${config}/u-boot-dtb-usb-signed.imx ${B}/${config}/u-boot-dtb-usb-signed-${type}.${UBOOT_SUFFIX} @@ -122,7 +123,7 @@ do_deploy_append() { cd ${DEPLOYDIR} rm -r ${UBOOT_BINARY}-${type} ln -sf u-boot-${type}-${PV}-${PR}.${UBOOT_SUFFIX} u-boot-${type}.${UBOOT_SUFFIX} - if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${SIGN_MODE}" = "HAB" ]; then + if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then install ${B}/${config}/SRK_efuses.bin SRK_efuses-${PV}-${PR}.bin ln -sf SRK_efuses-${PV}-${PR}.bin SRK_efuses.bin 
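Review bot: Adding `imx-mkimage` to `DEPENDS` for AHAB orders this recipe only against imx-mkimage's sysroot task, while the imx-mkimage bbappend in this commit publishes `mkimage_imx8` from `do_deploy_append` into `${DEPLOYDIR}/${BOOT_TOOLS}`. If the AHAB signing steps run the tool from the deploy directory, as the context line in trustence_sign_cpio does with `${DEPLOY_DIR_IMAGE}/imx-boot-tools/mkimage_imx8`, it may not be there yet on a clean build. An explicit task dependency on the task that signs, such as `do_deploy[depends] += "imx-mkimage:do_deploy"`, would make the order deterministic. Which task needs it is not visible in these hunks. The same `DEPENDS` expression is added in linux-dey.inc, and `CONVERSION_DEPENDS_tf` follows the same pattern.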
@@ -159,9 +160,10 @@ do_deploy_append() { export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}" [ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}" [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}" + [ -n "${TRUSTFENCE_SIGN_MODE}" ] && export CONFIG_SIGN_MODE="${TRUSTFENCE_SIGN_MODE}" # Sign boot script - if [ "${SIGN_MODE}" = "HAB" ]; then + if [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then TMP_SIGNED_BOOTSCR="$(mktemp ${WORKDIR}/bootscr-signed.XXXXXX)" trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -b "${DEPLOYDIR}/boot.scr" "${TMP_SIGNED_BOOTSCR}" mv "${TMP_SIGNED_BOOTSCR}" "${DEPLOYDIR}/boot.scr" diff --git a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx8x-sbc-express/install_linux_fw_sd.txt b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx8x-sbc-express/install_linux_fw_sd.txt index 62501234a..feea47c06 100644 --- a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx8x-sbc-express/install_linux_fw_sd.txt +++ b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx8x-sbc-express/install_linux_fw_sd.txt @@ -32,10 +32,10 @@ else if test -n "${module_variant}"; then if test "${module_variant}" = "0x01"; then setenv INSTALL_UBOOT_FILENAME imx-boot-ccimx8x-sbc-express-1.2GHz_1GB_32bit.bin; - elif test "${module_variant}" = "0x02" || + elif test "${module_variant}" = "0x02" || \ test "${module_variant}" = "0x03"; then setenv INSTALL_UBOOT_FILENAME imx-boot-ccimx8x-sbc-express-1.2GHz_2GB_32bit.bin; - elif test "${module_variant}" = "0x04" || + elif test "${module_variant}" = "0x04" || \ test "${module_variant}" = "0x05"; then setenv INSTALL_UBOOT_FILENAME imx-boot-ccimx8x-sbc-express-1.2GHz_1GB_16bit.bin; fi diff --git a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx8x-sbc-pro/install_linux_fw_sd.txt b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx8x-sbc-pro/install_linux_fw_sd.txt index cce9bf896..76ed5aa6a 100644 
--- a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx8x-sbc-pro/install_linux_fw_sd.txt +++ b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx8x-sbc-pro/install_linux_fw_sd.txt @@ -32,10 +32,10 @@ else if test -n "${module_variant}"; then if test "${module_variant}" = "0x01"; then setenv INSTALL_UBOOT_FILENAME imx-boot-ccimx8x-sbc-pro-1.2GHz_1GB_32bit.bin; - elif test "${module_variant}" = "0x02" || + elif test "${module_variant}" = "0x02" || \ test "${module_variant}" = "0x03"; then setenv INSTALL_UBOOT_FILENAME imx-boot-ccimx8x-sbc-pro-1.2GHz_2GB_32bit.bin; - elif test "${module_variant}" = "0x04" || + elif test "${module_variant}" = "0x04" || \ test "${module_variant}" = "0x05"; then setenv INSTALL_UBOOT_FILENAME imx-boot-ccimx8x-sbc-pro-1.2GHz_1GB_16bit.bin; elif test "${module_variant}" = "0x06"; then diff --git a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-kernel.sh b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-kernel.sh index 9b25083c7..bdba4933a 100755 --- a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-kernel.sh +++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-kernel.sh @@ -69,7 +69,7 @@ TARGET="$(readlink -m ${2})" # Negative offset with respect to CONFIG_RAM_START in which U-Boot # copies the DEK blob. -if [ "${SIGN_MODE}" = "HAB" ]; then +if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then DEK_BLOB_OFFSET="0x100" CONFIG_CSF_SIZE="0x4000" fi @@ -83,7 +83,7 @@ if [ -z "${CONFIG_SIGN_KEYS_PATH}" ]; then fi [ -d "${CONFIG_SIGN_KEYS_PATH}" ] || mkdir "${CONFIG_SIGN_KEYS_PATH}" -if [ "${SIGN_MODE}" = "HAB" ]; then +if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then if [ -n "${CONFIG_DEK_PATH}" ]; then if [ ! -f "${CONFIG_DEK_PATH}" ]; then echo "DEK not found. Generating random 256 bit DEK." 
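Review bot: trustfence-sign-kernel.sh now takes the mode from `CONFIG_SIGN_MODE` but never validates it, so an unset or misspelled value is not rejected. The later hunks show a bare `else` after `if [ "${CONFIG_SIGN_MODE}" = "HAB" ]` and an `if`/`elif` PKI check with no visible final `else`, so any non-HAB value appears to take the AHAB path and may skip the PKI check. The callers export the variable only when `TRUSTFENCE_SIGN_MODE` is non-empty, and a standalone run that still sets the old `SIGN_MODE` gets no error. A fail-closed check before the first use would catch this: `case "${CONFIG_SIGN_MODE}" in HAB|AHAB) ;; *) echo "[ERROR] Unknown CONFIG_SIGN_MODE '${CONFIG_SIGN_MODE}'" >&2; exit 1 ;; esac`. The script body extends beyond these hunks.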
@@ -129,14 +129,14 @@ fi CONFIG_KEY_INDEX_1="$((CONFIG_KEY_INDEX + 1))" SRK_KEYS="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/SRK*crt.pem | sed s/\ /\,/g)" -if [ "${SIGN_MODE}" = "HAB" ]; then +if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then CERT_CSF="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/CSF${CONFIG_KEY_INDEX_1}*crt.pem)" CERT_IMG="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/IMG${CONFIG_KEY_INDEX_1}*crt.pem)" fi n_commas="$(echo ${SRK_KEYS} | grep -o "," | wc -l)" -if [ "${SIGN_MODE}" = "HAB" ]; then +if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then if [ "${n_commas}" -eq 3 ] && [ -f "${CERT_CSF}" ] && [ -f "${CERT_IMG}" ]; then # PKI tree already exists. echo "Using existing PKI tree" @@ -151,11 +151,11 @@ if [ "${SIGN_MODE}" = "HAB" ]; then echo "Inconsistent CST folder." exit 1 fi -elif [ "${SIGN_MODE}" = "AHAB" ]; then - if [ "${n_commas}" -eq 3 ] && [ "${SIGN_MODE}" = "AHAB" ]; then +elif [ "${CONFIG_SIGN_MODE}" = "AHAB" ]; then + if [ "${n_commas}" -eq 3 ] && [ "${CONFIG_SIGN_MODE}" = "AHAB" ]; then # PKI tree already exists. Do nothing echo "Using existing PKI tree" - elif [ "${n_commas}" -eq 0 ] && [ "${SIGN_MODE}" = "AHAB" ]; then + elif [ "${n_commas}" -eq 0 ] && [ "${CONFIG_SIGN_MODE}" = "AHAB" ]; then # Generate PKI trustfence-gen-pki.sh "${CONFIG_SIGN_KEYS_PATH}" @@ -167,11 +167,10 @@ elif [ "${SIGN_MODE}" = "AHAB" ]; then fi SRK_TABLE="$(pwd)/SRK_table.bin" -if [ "${SIGN_MODE}" = "HAB" ]; then +if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then HAB_VER="hab_ver 4" DIGEST="digest" DIGEST_ALGO="sha256" - SRK_EFUSES="/dev/null" # Other constants GAP_FILLER="0x00" @@ -243,8 +242,6 @@ if [ "${SIGN_MODE}" = "HAB" ]; then "${SCRIPT_PATH}/csf_templates/sign_hab" > csf_descriptor fi else - SRK_EFUSES="$(pwd)/SRK_efuses.bin" - # Other constants KERNEL_START_OFFSET="0x0" KERNEL_SIG_BLOCK_OFFSET="0x90" 
@@ -275,13 +272,13 @@ else fi # Generate SRK tables -srktool --${HAB_VER} --certs "${SRK_KEYS}" --table "${SRK_TABLE}" --efuses "${SRK_EFUSES}" --${DIGEST} "${DIGEST_ALGO}" +srktool --${HAB_VER} --certs "${SRK_KEYS}" --table "${SRK_TABLE}" --efuses /dev/null --${DIGEST} "${DIGEST_ALGO}" if [ $? -ne 0 ]; then echo "[ERROR] Could not generate SRK tables" exit 1 fi -if [ "${SIGN_MODE}" = "HAB" ]; then +if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then # Pad to IVT objcopy -I binary -O binary --pad-to "${pad_len}" --gap-fill="${GAP_FILLER}" "${UIMAGE_PATH}" "${TARGET}" diff --git a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools_git.bb b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools_git.bb index 5bdb19960..654e352b1 100644 --- a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools_git.bb +++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools_git.bb @@ -5,8 +5,7 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425 DEPENDS = "trustfence-cst coreutils util-linux" -SRCBRANCH = "v2017.03/master" -SRCBRANCH_ccimx8x = "v2019.04/master" +SRCBRANCH = "v2019.04/master" SRCREV = "${AUTOREV}" S = "${WORKDIR}" 
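Review bot: In trustfence-sign-tools_git.bb every platform now takes the signing scripts from `SRCBRANCH = "v2019.04/master"` while the unchanged next line keeps `SRCREV = "${AUTOREV}"`, so `git/scripts/sign.sh` (installed as `trustfence-sign-uboot.sh`) is whatever the branch head is at build time. For a tagged release this makes the signing tool unreproducible and lets an unreviewed upstream change into the signing path. Pinning the revision keeps the tool fixed: `SRCREV = "<commit id of the reviewed v2019.04/master revision>"`. The SRC_URI is outside the hunk, so the repository being tracked is not visible here.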
@@ -27,17 +26,16 @@ do_compile[noexec] = "1" do_install() { install -d ${D}${bindir}/csf_templates - if [ "${SIGN_MODE}" = "AHAB" ]; then + if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then install -m 0755 sign_ahab ${D}${bindir}/csf_templates/ - install -m 0755 git/scripts/sign.sh ${D}${bindir}/trustfence-sign-ahab-uboot.sh - elif [ "${SIGN_MODE}" = "HAB" ]; then + elif [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then install -m 0755 sign_hab ${D}${bindir}/csf_templates/ install -m 0755 encrypt_hab ${D}${bindir}/csf_templates/ - install -m 0755 git/scripts/sign.sh ${D}${bindir}/trustfence-sign-uboot.sh else - bberror "Unkown SIGN_MODE value" + bberror "Unkown TRUSTFENCE_SIGN_MODE value" exit 1 fi + install -m 0755 git/scripts/sign.sh ${D}${bindir}/trustfence-sign-uboot.sh install -m 0755 trustfence-sign-kernel.sh ${D}${bindir}/ install -m 0755 git/scripts/csf_templates/* ${D}${bindir}/csf_templates } diff --git a/meta-digi-arm/recipes-kernel/linux/linux-dey.inc b/meta-digi-arm/recipes-kernel/linux/linux-dey.inc index 66db01319..f057b8344 100644 --- a/meta-digi-arm/recipes-kernel/linux/linux-dey.inc +++ b/meta-digi-arm/recipes-kernel/linux/linux-dey.inc @@ -5,7 +5,8 @@ LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=d7810fab7487fb0aad327b76f1be7cd7" DEPENDS += "lzop-native bc-native" -DEPENDS += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'trustfence-sign-tools-native', '', d)}" +DEPENDS += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', \ + oe.utils.conditional('TRUSTFENCE_SIGN_MODE', 'AHAB', 'trustfence-sign-tools-native imx-mkimage', 'trustfence-sign-tools-native', d), '', d)}" inherit kernel fsl-kernel-localversion 
@@ -22,9 +23,10 @@ trustfence_sign() { export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}" [ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}" [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}" + [ -n "${TRUSTFENCE_SIGN_MODE}" ] && export CONFIG_SIGN_MODE="${TRUSTFENCE_SIGN_MODE}" # Sign/encrypt the kernel images - if [ "${SIGN_MODE}" = "HAB" ]; then + if [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then for type in ${KERNEL_IMAGETYPES}; do KERNEL_IMAGE="${type}-${KERNEL_IMAGE_NAME}.bin" TMP_KERNEL_IMAGE_SIGNED="$(mktemp ${KERNEL_IMAGE}-signed.XXXXXX)" @@ -42,7 +44,7 @@ trustfence_sign() { trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -d "${DTB_IMAGE}" "${TMP_DTB_IMAGE_SIGNED}" mv "${TMP_DTB_IMAGE_SIGNED}" "${DTB_IMAGE}" done - elif [ "${SIGN_MODE}" = "AHAB" ]; then + elif [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then # Sign the kernel images for type in ${KERNEL_IMAGETYPES}; do KERNEL_IMAGE="${type}-${KERNEL_IMAGE_NAME}.bin" @@ -64,7 +66,7 @@ trustfence_sign() { rm -f ${DTB_IMAGE}-mkimg-signed done else - bberror "Unkown SIGN_MODE value" + bberror "Unkown TRUSTFENCE_SIGN_MODE value" exit 1 fi } diff --git a/meta-digi-dey/classes/dey-image.bbclass b/meta-digi-dey/classes/dey-image.bbclass index 04690e451..a7679ca67 100644 --- a/meta-digi-dey/classes/dey-image.bbclass +++ b/meta-digi-dey/classes/dey-image.bbclass 
@@ -34,18 +34,15 @@ DEY_IMAGE_INSTALLER ?= "0" inherit ${@oe.utils.conditional("DEY_IMAGE_INSTALLER", "1", "dey-image-installer", "", d)} # -# Create a dey-version file when populating the toolchain/SDK and modify the -# default SDK installation path so it includes the proper 'IMAGE_BASENAME' -# value. +# Create a dey-version file when populating the toolchain/SDK # # 'SDK_POSTPROCESS_COMMAND' variable is originally defined in populate_sdk_base # class: poky/meta/classes/populate_sdk_base.bbclass -# It is redefined here to be able to tweak the resulting SDK before and after -# packaging, using the proper 'IMAGE_BASENAME' value. +# It is redefined here to be able to tweak the resulting SDK before packaging, +# using the proper 'IMAGE_BASENAME' value. # SDK_PREPACKAGING_COMMAND ?= "toolchain_create_sdk_dey_version" -SDK_POSTPACKAGING_COMMAND ?= "toolchain_modify_default_path" -SDK_POSTPROCESS_COMMAND = " create_sdk_files; check_sdk_sysroots; ${SDK_PREPACKAGING_COMMAND}; tar_sdk; ${SDK_PACKAGING_COMMAND} ${SDK_POSTPACKAGING_COMMAND}; " +SDK_POSTPROCESS_COMMAND = " create_sdk_files; check_sdk_sysroots; ${SDK_PREPACKAGING_COMMAND}; tar_sdk; ${SDK_PACKAGING_COMMAND} " # This function creates a DEY version information file fakeroot toolchain_create_sdk_dey_version() { @@ -59,9 +56,3 @@ fakeroot toolchain_create_sdk_dey_version() { } toolchain_create_sdk_dey_version[vardepsexclude] = "DATETIME" -# This function appends IMAGE_BASENAME to the default installation path -fakeroot toolchain_modify_default_path() { - sed -i -e 's#^DEFAULT_INSTALL_DIR="${SDKPATH}"#DEFAULT_INSTALL_DIR="${SDKPATH}/${IMAGE_BASENAME}"#g' \ - ${SDKDEPLOYDIR}/${TOOLCHAIN_OUTPUTNAME}.sh -} - diff --git a/meta-digi-dey/classes/trustfence.bbclass b/meta-digi-dey/classes/trustfence.bbclass index c54b3b933..0ef382baa 100644 --- a/meta-digi-dey/classes/trustfence.bbclass +++ b/meta-digi-dey/classes/trustfence.bbclass 
@@ -63,11 +63,7 @@ python () { if (d.getVar("TRUSTFENCE_DEK_PATH", True) not in [None, "0"]): d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_DEK_PATH=\\"%s\\" ' % d.getVar("TRUSTFENCE_DEK_PATH", True)) if (d.getVar("TRUSTFENCE_ENCRYPT_ENVIRONMENT", True) == "1"): - if ("ccimx8x" in d.getVar("MACHINE", True)): - bb.fatal("Environment encryption is not currently supported on the ccimx8x SOM") - return - else: - d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_ENV_AES=y CONFIG_ENV_AES_CAAM_KEY=y') + d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_ENV_AES=y CONFIG_ENV_AES_CAAM_KEY=y') # Provide sane default values for SWUPDATE class in case Trustfence is enabled if (d.getVar("TRUSTFENCE_SIGN", True) == "1"): @@ -84,7 +80,7 @@ python () { key_index_1 = key_index + 1 # Set the private key template, it will be expanded later in 'swu' recipes once keys are generated. - if (d.getVar("SIGN_MODE", "") == "AHAB"): + if (d.getVar("TRUSTFENCE_SIGN_MODE", "") == "AHAB"): d.setVar("SWUPDATE_PRIVATE_KEY_TEMPLATE", keys_path + "/keys/SRK" + str(key_index_1) + "*key.pem") d.setVar("CONFIG_SIGN_MODE", "AHAB") else: diff --git a/meta-digi-dey/recipes-core/recovery/recovery-initramfs.bb b/meta-digi-dey/recipes-core/recovery/recovery-initramfs.bb index 2df871b24..a05db3d71 100644 --- a/meta-digi-dey/recipes-core/recovery/recovery-initramfs.bb +++ b/meta-digi-dey/recipes-core/recovery/recovery-initramfs.bb @@ -40,12 +40,12 @@ do_install() { KEY_INDEX_1=$(expr ${KEY_INDEX} + 1) # Find the certificate to use. - if [ "${SIGN_MODE}" = "HAB" ]; then + if [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/IMG${KEY_INDEX_1}*crt.pem)" - elif [ "${SIGN_MODE}" = "AHAB" ]; then + elif [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/SRK${KEY_INDEX_1}*_ca_crt.pem)" else - bberror "Unkown SIGN_MODE value" + bberror "Unkown TRUSTFENCE_SIGN_MODE value" exit 1 fi 
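Review bot: In trustfence.bbclass, `d.getVar("TRUSTFENCE_SIGN_MODE", "") == "AHAB"` passes an empty string where the other calls in this function pass `True`, so the value is read unexpanded. The `else` that follows also treats every value other than `AHAB`, including an unset or misspelled one, as the other mode. Suggest `d.getVar("TRUSTFENCE_SIGN_MODE", True)` for consistency, plus an explicit `bb.fatal` for values that are neither `HAB` nor `AHAB`, matching the `bberror` checks in the recipes. The body of the `else` branch is outside the hunk.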
diff --git a/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/trustfence-initramfs-init_mmc b/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/trustfence-initramfs-init_mmc index ce5e3912f..a0d569e2d 100644 --- a/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/trustfence-initramfs-init_mmc +++ b/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/trustfence-initramfs-init_mmc @@ -15,13 +15,13 @@ # #=============================================================================== -POWEROFF_TIME="10" +HALT_TIME="10" error() { [ "${#}" != "0" ] && printf "\n[ERROR]: %s\n\n" "${1}" - echo "The system will poweroff in ${POWEROFF_TIME} seconds" - sleep "${POWEROFF_TIME}" - sync && poweroff -f + echo "The system will halt in ${HALT_TIME} seconds" + sleep "${HALT_TIME}" + sync && busybox halt -f } # Main
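Review bot: `sync && busybox halt -f` makes the halt conditional on `sync` succeeding, and nothing follows it, so if either command fails `error()` returns and the init script carries on after an error it meant to be fatal. This initramfs presumably gates boot on TrustFence checks, so the handler should fail closed: `sync; busybox halt -f` followed by `while :; do sleep 1; done`. The callers of error() are outside the hunk.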