diff --git a/meta-digi-dey/recipes-digi/swu-images/files/swupdate_uboot_nand.sh b/meta-digi-dey/recipes-digi/swu-images/files/swupdate_uboot_nand.sh
index c92620ce7..d7884570f 100755
--- a/meta-digi-dey/recipes-digi/swu-images/files/swupdate_uboot_nand.sh
+++ b/meta-digi-dey/recipes-digi/swu-images/files/swupdate_uboot_nand.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 #===============================================================================
 #
-# Copyright (C) 2022-2023 by Digi International Inc.
+# Copyright (C) 2022-2024 by Digi International Inc.
 # All rights reserved.
 #
 # This program is free software; you can redistribute it and/or modify it
@@ -13,121 +13,154 @@ # Script will be called by swupdate to install a new u-boot within linux. #=============================================================================== -UBOOT_FILE="$1" +UBOOT_NAME="$1" UBOOT_ENC="$2" -TFA_FILE="$4" +UBOOT_SEEK_KB="$3" +UBOOT_TFA_NAME="$4" +UBOOT_TFA_FILE="/tmp/${UBOOT_TFA_NAME}" +UBOOT_FILE="/tmp/${UBOOT_NAME}" +UBOOT_NAND_DUMP="/tmp/u-boot-dump.hex" +UBOOT_ENCRYPTED_DEK="/tmp/u-boot-encrypted-with-dek.imx" -echo "**** Start U-Boot update process *****" +DEK_FILE="/tmp/dek.bin" +DEK_KEY_SIZE="32" +DEK_BLOB_SIZE="$((DEK_KEY_SIZE + 56))" # DEK blob has an overhead of 56 bytes: header (8 bytes) + random AES-256 key (32 bytes) + MAC (16 bytes). +DEK_BLOB_HEADER="8100584" # The last byte lacks one digit on purpose, to match 40, 41 and 42; all HAB versions. -# need to mount debufs to remove some kobs-ng warnings -if ! grep -qs debugfs /proc/mounts; then - mount -t debugfs debugfs /sys/kernel/debug/ -fi +PLATFORM="$(tr -d '\0' "${DEK_FILE}" + local rc=$? + if [ "${rc}" -ne 0 ]; then + exit_error "## ERROR: DEK dump to file failed." "${rc}" + fi + # Validate the DEK blob. + if ! dd if="${DEK_FILE}" bs=1 count=4 2>/dev/null | hexdump -ve '1/1 "%.2X"' | grep -q "${DEK_BLOB_HEADER}"; then + exit_error "## ERROR: Could not find DEK blob." 
+ fi +} dump_dek () { - echo "**** Get DEK and append to the new u-boot *****" - UBOOT_MTD_DEV="/dev/mtd0" - OUTPUT_FILE="/tmp/dek.bin" - KEY_SIZE_BYTES="32" - ENCRYPTED_UBOOT_DEK="u-boot-encrypted-with-dek.imx" - - #(The last byte lacks one digit on purpose, to match 40, 41 and 42; all HAB versions) - UBOOT_HEADER="d1 00 20 4" - DEK_BLOB_HEADER="81 00 58 4" - - uboot_start="0x$(nanddump ${UBOOT_MTD_DEV} | hexdump -C | grep -m 1 "${UBOOT_HEADER}" | head -1 | cut -c -8)" - if [ "${uboot_start}" = "0x" ]; then - echo "Could not find U-Boot on NAND" - return 78 - fi - - uboot_size_offset=$((uboot_start + 36)) - uboot_size=$(hexdump -n 4 -s ${uboot_size_offset} -e '/4 "0x%08x\t" "\n"' ${UBOOT_MTD_DEV}) - # dump start needs to be aligned (U-Boot always leaves 0x400 for DOS table) - dump_start=$((uboot_start - 0x400)) - # DEK blobs have an overhead of 56 bytes. - dek_blob_size=$((KEY_SIZE_BYTES + 56)) - - # remove the output DEK file before creating it. - # Since this function is called twice. - # For the actual upgrade and then for the validation after the upgrade. - rm -f ${OUTPUT_FILE} - # read the complete U-Boot (to skip alignment issues) and keep the dek_blob (which is at the end) - nanddump -s ${dump_start} -l ${uboot_size} ${UBOOT_MTD_DEV} | tail -c ${dek_blob_size} > ${OUTPUT_FILE} - rc=$? - if [ $rc -ne 0 ]; then - echo "DEK dump to the output file failed." - return $rc - fi - echo "dump_dek: output file has been created." - # Validate DEK blob - if [ -z "$(dd if=${OUTPUT_FILE} bs=1 count=4 2>/dev/null | hexdump -C | grep "${DEK_BLOB_HEADER}")" ]; then - echo "Could not find DEK blob" - rm -rf ${OUTPUT_FILE} - return 60 - fi - echo "DEK blob correctly dumped" - return 0 + case "${PLATFORM}" in + ccimx6ul*) + dump_dek_ccimx6ul + ;; + *) + exit_error "## ERROR: Device not supported ${PLATFORM}." + ;; + esac } -install_fwu () +append_dek_ccimx6ul () { - FLASH_DEV="$1" - FW_FILE="$2" - - flash_eraseall ${FLASH_DEV} - rc=$? 
- if [ "$rc" -ne 0 ]; then - echo "U-Boot: erasing ${FLASH_DEV} failed" - exit $rc - fi - nandwrite -p ${FLASH_DEV} /tmp/${FW_FILE} - if [ "$rc" -ne 0 ]; then - echo "U-Boot: failed to write firmware to ${FLASH_DEV}" - exit $rc + cat "${UBOOT_FILE}" "${DEK_FILE}" > "${UBOOT_ENCRYPTED_DEK}" + local rc=$? + if [ "${rc}" -ne 0 ]; then + exit_error "## ERROR: Merging DEK with U-Boot image failed." "${rc}" fi } -COMP_CCMP1=$(cat /proc/device-tree/compatible | grep "\bdigi,ccmp1\b") +append_dek () +{ + dump_dek + case "${PLATFORM}" in + ccimx6ul*) + append_dek_ccimx6ul + ;; + *) + exit_error "## ERROR: Device not supported: ${PLATFORM}." + ;; + esac + UBOOT_FILE="${UBOOT_ENCRYPTED_DEK}" +} +write_file_to_nand () +{ + local FLASH_DEV="$1" + local FW_FILE="$2" + + # Sanity check. + if [ ! -c "${FLASH_DEV}" ]; then + exit_error "## ERROR: Invalid MTD partition: ${FLASH_DEV}." + fi + # Clean MTD partition. + flash_eraseall "${FLASH_DEV}" + local rc=$? + if [ "${rc}" -ne 0 ]; then + exit_error "## ERROR: Could not erase ${FLASH_DEV} partition." "${rc}" + fi + # Write file to NAND. + nandwrite -p "${FLASH_DEV}" "${FW_FILE}" + local rc=$? + if [ "${rc}" -ne 0 ]; then + exit_error "## ERROR: Could not write file to NAND." "${rc}" + fi +} + +get_mtd_number_from_partition () +{ + local PARTITION_NAME="$1" + local MTD_NUM="$(sed -ne "/${PARTITION_NAME}/s,^mtd\([0-9]\+\).*,\1,g;T;p" /proc/mtd)" + + echo "${MTD_NUM}" +} + +# If U-Boot is encrypted, the DEK key blob needs to be extracted from existing U-Boot +# and appended to the new U-Boot before writing it. if [ "${UBOOT_ENC}" = "enc" ]; then - if [ "${COMP_CCMP1}" = "digi,ccmp1" ]; then - # Currently not supported for these platforms - echo "*** Encrypted U-boot currently not support for CCMP1 ***" - else - dump_dek - rc=$? - if [ "$rc" -ne 0 ]; then - echo "u-boot: DEK dump failed" - exit $rc - fi - cat $UBOOT_FILE $OUTPUT_FILE > /tmp/$ENCRYPTED_UBOOT_DEK - rc=$? 
- if [ "$rc" -ne 0 ]; then - echo "u-boot: Merging DEK with U-Boot image failed (DEV/FILE = $UBOOT_FILE)" - exit $rc - fi - UBOOT_FILE="${ENCRYPTED_UBOOT_DEK}" + append_dek +fi +# Write U-Boot +if expr "${PLATFORM}" : "ccmp1.*" >/dev/null; then + # Install TFA file in fsbl1 partition. + write_file_to_nand "/dev/mtd$(get_mtd_number_from_partition fsbl1)" "${UBOOT_TFA_FILE}" + # Install U-Boot FIP file in fip-a partition. + write_file_to_nand "/dev/mtd$(get_mtd_number_from_partition fip-a)" "${UBOOT_FILE}" +else + # Mount debug file system to remove some kobs-ng warnings. + if ! grep -qs debugfs /proc/mounts; then + mount -t debugfs debugfs /sys/kernel/debug/ + fi + # Install U-Boot onto the Nand Flash using kobs-ng. + kobs-ng init -x -v "${UBOOT_FILE}" + rc=$? + if [ "${rc}" -ne 0 ]; then + exit_error "## ERROR: Could not write file to NAND." "${rc}" fi fi +# Clean intermediate artifacts. +clean_artifacts -if [ "${COMP_CCMP1}" = "digi,ccmp1" ]; then - # install TF-A onto fsbl1 partition - mtd_num="$(sed -ne "/fsbl1/s,^mtd\([0-9]\+\).*,\1,g;T;p" /proc/mtd)" - TFA_DEV="/dev/mtd${mtd_num}" - install_fwu ${TFA_DEV} ${TFA_FILE} - # install U-Boot onto FIP-a partition - mtd_num="$(sed -ne "/fip-a/s,^mtd\([0-9]\+\).*,\1,g;T;p" /proc/mtd)" - FIP_DEV="/dev/mtd${mtd_num}" - install_fwu ${FIP_DEV} ${UBOOT_FILE} -else - # install U-Boot onto the Nand Flash - kobs-ng init -x -v /tmp/${UBOOT_FILE} -fi -rc=$? -if [ "$rc" -ne 0 ]; then - echo "u-Boot: Updating U-Boot partition failed" -else - echo "u-Boot: Updating U-Boot partition successful" -fi +exit 0
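Review bot: `write_file_to_nand` checks that `${FLASH_DEV}` is a character device but never checks `${FW_FILE}` before `flash_eraseall`, so a missing or empty image (for example an empty `$4`, which makes `UBOOT_TFA_FILE` resolve to `/tmp/`) erases the partition and only then fails in `nandwrite`. Add a guard ahead of the erase, e.g. `if [ ! -f "${FW_FILE}" ] || [ ! -s "${FW_FILE}" ]; then exit_error "## ERROR: Invalid image file: ${FW_FILE}."; fi`. On the ccmp1 path this matters most for fsbl1, which is the first partition erased. Separately, the DEK blob and the merged image are written to fixed names under /tmp, and the definitions of `exit_error` and `clean_artifacts` are not visible in this rendering of the hunk, so it is worth confirming that every error exit removes `${DEK_FILE}` and `${UBOOT_ENCRYPTED_DEK}`.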