swupdate: rework script to update U-Boot in NAND devices

Rework the script so that it has a similar structure as the MMC leaving it ready to integrate new platforms. Signed-off-by: David Escalona <david.escalona@digi.com>
2024-01-09 17:03:57 +01:00 · 2024-01-09 17:03:57 +01:00 · 6d898e51f9
parent e25f3e4f5f
commit 6d898e51f9
1 changed files with 135 additions and 102 deletions
--- a/meta-digi-dey/recipes-digi/swu-images/files/swupdate_uboot_nand.sh
+++ b/meta-digi-dey/recipes-digi/swu-images/files/swupdate_uboot_nand.sh
@ -1,7 +1,7 @@
 #!/bin/sh
 #===============================================================================
 #
-#  Copyright (C) 2022-2023 by Digi International Inc.
+#  Copyright (C) 2022-2024 by Digi International Inc.
 #  All rights reserved.
 #
 #  This program is free software; you can redistribute it and/or modify it
@ -13,121 +13,154 @@
 #    Script will be called by swupdate to install a new u-boot within linux.
 #===============================================================================

-UBOOT_FILE="$1"
+UBOOT_NAME="$1"
 UBOOT_ENC="$2"
-TFA_FILE="$4"
+UBOOT_SEEK_KB="$3"
+UBOOT_TFA_NAME="$4"
+UBOOT_TFA_FILE="/tmp/${UBOOT_TFA_NAME}"
+UBOOT_FILE="/tmp/${UBOOT_NAME}"
+UBOOT_NAND_DUMP="/tmp/u-boot-dump.hex"
+UBOOT_ENCRYPTED_DEK="/tmp/u-boot-encrypted-with-dek.imx"

-echo "**** Start U-Boot update process *****"
+DEK_FILE="/tmp/dek.bin"
+DEK_KEY_SIZE="32"
+DEK_BLOB_SIZE="$((DEK_KEY_SIZE + 56))"  # DEK blob has an overhead of 56 bytes: header (8 bytes) + random AES-256 key (32 bytes) + MAC (16 bytes).
+DEK_BLOB_HEADER="8100584"  # The last byte lacks one digit on purpose, to match 40, 41 and 42; all HAB versions.

-# need to mount debufs to remove some kobs-ng warnings
-if ! grep -qs debugfs /proc/mounts; then
-	mount -t debugfs debugfs /sys/kernel/debug/
-fi
+PLATFORM="$(tr -d '\0' </proc/device-tree/digi,machine,name)"
+
+clean_artifacts ()
+{
+	rm -f "${DEK_FILE}" "${UBOOT_NAND_DUMP}" "${UBOOT_ENCRYPTED_DEK}"
+}
+
+exit_error ()
+{
+	local ERROR_MESSAGE="$1"
+	local ERROR_CODE="$2"
+
+	echo "${ERROR_MESSAGE}"
+	clean_artifacts
+	[ -z "${ERROR_CODE}" ] && exit 1 || exit "${ERROR_CODE}"
+}
+
+dump_dek_ccimx6ul ()
+{
+	local IVT_HEADER="d1 00 20 4"  # The last byte lacks one digit on purpose, to match 40, 41 and 42; all HAB versions.
+	local UBOOT_MTD_DEV="/dev/mtd0"
+
+	# Look for U-Boot in the NAND. It starts with the IVT table header.
+	local UBOOT_START="0x$(hexdump -C "${UBOOT_MTD_DEV}" | grep -m 1 "${IVT_HEADER}" | head -1 | cut -c -8)"
+	if [ "${UBOOT_START}" = "0x" ]; then
+		exit_error "## ERROR: Could not find U-Boot on NAND."
+	fi
+	# DEK blob is located at the end of the image. Determine the total size of the image.
+	local DUMP_SIZE_OFFSET="$((UBOOT_START + 36))"  # Size is located at an offset of 36 (32 bytes of IVT header + 4 bytes of image destination).
+	local DUMP_SIZE="$(hexdump -n 4 -s "${DUMP_SIZE_OFFSET}" -e '/4 "0x%08x" "\n"' "${UBOOT_MTD_DEV}")"
+	# The dump start needs to be aligned (U-Boot always leaves 0x400 for DOS table).
+	local DUMP_START=$((UBOOT_START - 0x400))
+	# Read the complete image (to skip alignment issues) and keep only the DEK blob (which is at the end).
+	nanddump -s "${DUMP_START}" -l "${DUMP_SIZE}" "${UBOOT_MTD_DEV}" | tail -c "${DEK_BLOB_SIZE}" > "${DEK_FILE}"
+	local rc=$?
+	if [ "${rc}" -ne 0 ]; then
+		exit_error "## ERROR: DEK dump to file failed." "${rc}"
+	fi
+	# Validate the DEK blob.
+	if ! dd if="${DEK_FILE}" bs=1 count=4 2>/dev/null | hexdump -ve '1/1 "%.2X"' | grep -q "${DEK_BLOB_HEADER}"; then
+		exit_error "## ERROR: Could not find DEK blob."
+	fi
+}

 dump_dek ()
 {
-	echo "**** Get DEK and append to the new u-boot *****"
-	UBOOT_MTD_DEV="/dev/mtd0"
-	OUTPUT_FILE="/tmp/dek.bin"
-	KEY_SIZE_BYTES="32"
-	ENCRYPTED_UBOOT_DEK="u-boot-encrypted-with-dek.imx"
-
-	#(The last byte lacks one digit on purpose, to match 40, 41 and 42; all HAB versions)
-	UBOOT_HEADER="d1 00 20 4"
-	DEK_BLOB_HEADER="81 00 58 4"
-
-	uboot_start="0x$(nanddump ${UBOOT_MTD_DEV} | hexdump -C | grep -m 1 "${UBOOT_HEADER}" | head -1 | cut -c -8)"
-	if [ "${uboot_start}" = "0x" ]; then
-		echo "Could not find U-Boot on NAND"
-		return 78
-	fi
-
-	uboot_size_offset=$((uboot_start + 36))
-	uboot_size=$(hexdump -n 4 -s ${uboot_size_offset} -e '/4 "0x%08x\t" "\n"' ${UBOOT_MTD_DEV})
-	# dump start needs to be aligned (U-Boot always leaves 0x400 for DOS table)
-	dump_start=$((uboot_start - 0x400))
-	# DEK blobs have an overhead of 56 bytes.
-	dek_blob_size=$((KEY_SIZE_BYTES + 56))
-
-	# remove the output DEK file before creating it.
-	# Since this function is called twice.
-	# For the actual upgrade and then for the validation after the upgrade.
-	rm -f ${OUTPUT_FILE}
-	# read the complete U-Boot (to skip alignment issues) and keep the dek_blob (which is at the end)
-	nanddump -s ${dump_start} -l ${uboot_size} ${UBOOT_MTD_DEV} | tail -c ${dek_blob_size} > ${OUTPUT_FILE}
-	rc=$?
-	if [ $rc -ne 0 ]; then
-		echo "DEK dump to the output file failed."
-		return $rc
-	fi
-	echo "dump_dek: output file has been created."
-	# Validate DEK blob
-	if [ -z "$(dd if=${OUTPUT_FILE} bs=1 count=4 2>/dev/null | hexdump -C | grep "${DEK_BLOB_HEADER}")" ]; then
-		echo "Could not find DEK blob"
-		rm -rf ${OUTPUT_FILE}
-		return 60
-	fi
-	echo "DEK blob correctly dumped"
-	return 0
+	case "${PLATFORM}" in
+		ccimx6ul*)
+			dump_dek_ccimx6ul
+		;;
+		*)
+			exit_error "## ERROR: Device not supported ${PLATFORM}."
+		;;
+	esac
 }

-install_fwu ()
+append_dek_ccimx6ul ()
 {
-	FLASH_DEV="$1"
-	FW_FILE="$2"
-
-	flash_eraseall ${FLASH_DEV}
-	rc=$?
-	if [ "$rc" -ne 0 ]; then
-		echo "U-Boot: erasing ${FLASH_DEV} failed"
-		exit $rc
-	fi
-	nandwrite -p ${FLASH_DEV} /tmp/${FW_FILE}
-	if [ "$rc" -ne 0 ]; then
-		echo "U-Boot: failed to write firmware to ${FLASH_DEV}"
-		exit $rc
+	cat "${UBOOT_FILE}" "${DEK_FILE}" > "${UBOOT_ENCRYPTED_DEK}"
+	local rc=$?
+	if [ "${rc}" -ne 0 ]; then
+		exit_error "## ERROR: Merging DEK with U-Boot image failed." "${rc}"
 	fi
 }

-COMP_CCMP1=$(cat /proc/device-tree/compatible | grep "\bdigi,ccmp1\b")
+append_dek ()
+{
+	dump_dek
+	case "${PLATFORM}" in
+		ccimx6ul*)
+			append_dek_ccimx6ul
+		;;
+		*)
+			exit_error "## ERROR: Device not supported: ${PLATFORM}."
+		;;
+	esac
+	UBOOT_FILE="${UBOOT_ENCRYPTED_DEK}"
+}

+write_file_to_nand ()
+{
+	local FLASH_DEV="$1"
+	local FW_FILE="$2"
+
+	# Sanity check.
+	if [ ! -c "${FLASH_DEV}" ]; then
+		exit_error "## ERROR: Invalid MTD partition: ${FLASH_DEV}."
+	fi
+	# Clean MTD partition.
+	flash_eraseall "${FLASH_DEV}"
+	local rc=$?
+	if [ "${rc}" -ne 0 ]; then
+		exit_error "## ERROR: Could not erase ${FLASH_DEV} partition." "${rc}"
+	fi
+	# Write file to NAND.
+	nandwrite -p "${FLASH_DEV}" "${FW_FILE}"
+	local rc=$?
+	if [ "${rc}" -ne 0 ]; then
+		exit_error "## ERROR: Could not write file to NAND." "${rc}"
+	fi
+}
+
+get_mtd_number_from_partition ()
+{
+	local PARTITION_NAME="$1"
+	local MTD_NUM="$(sed -ne "/${PARTITION_NAME}/s,^mtd\([0-9]\+\).*,\1,g;T;p" /proc/mtd)"
+
+	echo "${MTD_NUM}"
+}
+
+# If U-Boot is encrypted, the DEK key blob needs to be extracted from existing U-Boot
+# and appended to the new U-Boot before writing it.
 if [ "${UBOOT_ENC}" = "enc" ]; then
-	if [ "${COMP_CCMP1}" = "digi,ccmp1" ]; then
-		# Currently not supported for these platforms
-		echo "*** Encrypted U-boot currently not support for CCMP1 ***" 
-	else
-		dump_dek
-		rc=$?
-		if [ "$rc" -ne 0 ]; then
-			echo "u-boot: DEK dump failed"
-			exit $rc
-		fi
-		cat $UBOOT_FILE $OUTPUT_FILE > /tmp/$ENCRYPTED_UBOOT_DEK
-		rc=$?
-		if [ "$rc" -ne 0 ]; then
-			echo "u-boot: Merging DEK with U-Boot image failed (DEV/FILE = $UBOOT_FILE)"
-			exit $rc
-		fi
-		UBOOT_FILE="${ENCRYPTED_UBOOT_DEK}"
+	append_dek
+fi
+# Write U-Boot
+if expr "${PLATFORM}" : "ccmp1.*" >/dev/null; then
+	# Install TFA file in fsbl1 partition.
+	write_file_to_nand "/dev/mtd$(get_mtd_number_from_partition fsbl1)" "${UBOOT_TFA_FILE}"
+	# Install U-Boot FIP file in fip-a partition.
+	write_file_to_nand "/dev/mtd$(get_mtd_number_from_partition fip-a)" "${UBOOT_FILE}"
+else
+	# Mount debug file system to remove some kobs-ng warnings.
+	if ! grep -qs debugfs /proc/mounts; then
+		mount -t debugfs debugfs /sys/kernel/debug/
+	fi
+	# Install U-Boot onto the Nand Flash using kobs-ng.
+	kobs-ng init -x -v "${UBOOT_FILE}"
+	rc=$?
+	if [ "${rc}" -ne 0 ]; then
+		exit_error "## ERROR: Could not write file to NAND." "${rc}"
 	fi
 fi
+# Clean intermediate artifacts.
+clean_artifacts

-if [ "${COMP_CCMP1}" = "digi,ccmp1" ]; then
-	# install TF-A onto fsbl1 partition
-	mtd_num="$(sed -ne "/fsbl1/s,^mtd\([0-9]\+\).*,\1,g;T;p" /proc/mtd)"
-	TFA_DEV="/dev/mtd${mtd_num}"
-	install_fwu ${TFA_DEV} ${TFA_FILE}
-	# install U-Boot onto FIP-a partition
-	mtd_num="$(sed -ne "/fip-a/s,^mtd\([0-9]\+\).*,\1,g;T;p" /proc/mtd)"
-	FIP_DEV="/dev/mtd${mtd_num}"
-	install_fwu ${FIP_DEV} ${UBOOT_FILE}
-else
-	# install U-Boot onto the Nand Flash
-	kobs-ng init -x -v /tmp/${UBOOT_FILE}
-fi
-rc=$?
-if [ "$rc" -ne 0 ]; then
-	echo "u-Boot: Updating U-Boot partition failed"
-else
-	echo "u-Boot: Updating U-Boot partition successful"
-fi
+exit 0