diff --git a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey.inc b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey.inc index 75199b0b0..9d92fdc40 100644 --- a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey.inc +++ b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey.inc @@ -81,6 +81,26 @@ build_uboot_scripts() { -e 's,##GRAPHICAL_IMAGES##,${GRAPHICAL_IMAGES},g' \ -e 's,##DEFAULT_IMAGE_NAME##,${DEFAULT_IMAGE_NAME},g' \ ${WORKDIR}/${f} > ${TMP_INSTALL_SCR} + # Change the u-boot name when TrustFence is enabled + if [ "${TRUSTFENCE_SIGN}" == "1" ]; then + if [ "${DEY_SOC_VENDOR}" == "NXP" ]; then + if [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then + sed -e 's,##SIGNED##,-encrypted,g' \ + ${WORKDIR}/${f} > ${TMP_INSTALL_SCR} + else + sed -e 's,##SIGNED##,-signed,g' \ + ${WORKDIR}/${f} > ${TMP_INSTALL_SCR} + fi + else + sed -e 's,##SIGNED##,_Signed,g' \ + ${WORKDIR}/${f} > ${TMP_INSTALL_SCR} + sed -e 's,##SIGNED_TFA##,_signed,g' \ + ${WORKDIR}/${f} > ${TMP_INSTALL_SCR} + fi + else + sed -e 's,##SIGNED##,,g' \ + ${WORKDIR}/${f} > ${TMP_INSTALL_SCR} + fi if [ "${f_ext}" = "txt" ]; then mkimage -T script -n "DEY firmware install script" -C none -d ${TMP_INSTALL_SCR} ${DEPLOYDIR}/${f%.*}.scr else diff --git a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx6qpsbc/install_linux_fw_uuu.sh b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx6qpsbc/install_linux_fw_uuu.sh index 7ece2d006..db5f31316 100644 --- a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx6qpsbc/install_linux_fw_uuu.sh +++ b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx6qpsbc/install_linux_fw_uuu.sh 
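Review bot: Every added `sed` in this block re-reads `${WORKDIR}/${f}` and redirects to `${TMP_INSTALL_SCR}` with `>`, so it overwrites the output of the multi-expression `sed` just above and the `##GRAPHICAL_IMAGES##` / `##DEFAULT_IMAGE_NAME##` substitutions are lost before `mkimage` runs. In the non-NXP branch the second `sed` also discards the first, leaving `##SIGNED##` literal. The unsigned `else` never clears `##SIGNED_TFA##`, which the ccmp1 hunk of this commit now embeds in the TF-A filename. `==` inside `[ ]` is not POSIX either and may fail if the task shell is dash. Computing the suffixes first and applying one in-place `sed` to `${TMP_INSTALL_SCR}` keeps the earlier substitutions and resolves both placeholders in every configuration; build_uboot_scripts starts and ends outside the hunk.

```bitbake
# … unchanged: first sed that writes ${TMP_INSTALL_SCR} …
# Change the u-boot name when TrustFence is enabled
signed_suffix=""
signed_tfa_suffix=""
if [ "${TRUSTFENCE_SIGN}" = "1" ]; then
	if [ "${DEY_SOC_VENDOR}" != "NXP" ]; then
		signed_suffix="_Signed"
		signed_tfa_suffix="_signed"
	elif [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then
		signed_suffix="-encrypted"
	else
		signed_suffix="-signed"
	fi
fi
# Edit the already-generated script in place so earlier substitutions survive
sed -i -e "s,##SIGNED##,$signed_suffix,g" \
	-e "s,##SIGNED_TFA##,$signed_tfa_suffix,g" \
	${TMP_INSTALL_SCR}
# … unchanged: mkimage / copy of ${TMP_INSTALL_SCR} …
```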
@@ -39,7 +39,10 @@ show_usage() echo " -i Image name that prefixes the image filenames, such as 'dey-image-qt', " echo " 'dey-image-webkit', 'core-image-base'..." echo " Defaults to '##DEFAULT_IMAGE_NAME##' if not provided." + echo " -k Update includes dek blob file." + echo " (requires -t)." echo " -n No wait. Skips 10 seconds delay to stop script." + echo " -t Install Trustfence artifacts." echo " -u U-Boot filename." echo " Auto-determined by variant if not provided." exit 2 @@ -49,6 +52,7 @@ show_usage() # Params: # 1. partition # 2. file +# 3. dek blob file when updating an encrypted bootloader part_update() { echo "\033[36m" @@ -57,10 +61,23 @@ part_update() echo "=====================================================================================" echo "\033[0m" - if [ "${1}" = "bootloader" ]; then - uuu fb: flash "${1}" "${2}" + if [ "${TRUSTFENCE}" = "true" ] && [ "${1}" = "bootloader" ]; then + uuu fb: download -f "${2}" + if [ -n "${DEK_BLOB_FILE}" ]; then + uuu fb: ucmd setenv uboot_size $filesize + uuu fb: ucmd setenv fastboot_buffer $initrd_addr + uuu fb: download -f "${3}" + uuu fb: ucmd setenv dek_size $filesize + uuu fb: ucmd trustfence update "${1}" ram \${loadaddr} \${uboot_size} \${initrd_addr} \${dek_size} + else + uuu fb: ucmd trustfence update "${1}" ram \${fastboot_buffer} \${fastboot_bytes} + fi else - uuu fb: flash -raw2sparse "${1}" "${2}" + if [ "${1}" = "bootloader" ]; then + uuu fb: flash "${1}" "${2}" + else + uuu fb: flash -raw2sparse "${1}" "${2}" + fi fi } @@ -73,14 +90,16 @@ echo "############################################################" # -b, -d, -n (booleans) # -i # -u -while getopts 'bdhi:nu:' c +while getopts 'bdhi:k:ntu:' c do case $c in b) BOOTCOUNT=true ;; d) INSTALL_DUALBOOT=true && BOOTCOUNT=true ;; h) show_usage ;; i) IMAGE_NAME=${OPTARG} ;; + k) DEK_BLOB_FILE=${OPTARG} ;; n) NOWAIT=true ;; + t) TRUSTFENCE=true ;; u) INSTALL_UBOOT_FILENAME=${OPTARG} ;; esac done 
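Review bot: `$filesize` and `$initrd_addr` in the added `setenv` lines of part_update are not escaped, so the host shell expands them (presumably to empty strings) before `uuu` sends the command, unlike `\${loadaddr}` and `\${uboot_size}` a few lines later. On the encrypted path this would clear `uboot_size`, `fastboot_buffer` and `dek_size` on the target, and `trustfence update` would run without valid addresses or sizes. Escape them like the neighbouring lines: `uuu fb: ucmd setenv uboot_size \${filesize}`, `uuu fb: ucmd setenv fastboot_buffer \${initrd_addr}`, `uuu fb: ucmd setenv dek_size \${filesize}`. The same three lines appear in the part_update hunks for ccimx6sbc, ccimx6ul, ccimx8m and ccimx8x; part_update begins outside this hunk.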
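Review bot: The usage text says `-k` requires `-t`, but nothing around this `getopts` loop enforces it: with `-k` alone `TRUSTFENCE` stays unset and part_update falls through to the plain `uuu fb: flash` path, silently ignoring the DEK blob. A guard right after the loop, `if [ -n "${DEK_BLOB_FILE}" ] && [ "${TRUSTFENCE}" != "true" ]; then show_usage; fi`, makes the mismatch fail early instead of flashing the bootloader through the non-TrustFence path. The same applies to the getopts hunks of the other boards, where ccimx8m and ccimx8x call the variable `DEK_BLOB_KEY` although it holds a file path; one name across the scripts would be clearer. This file's option comment list also lacks the `# -k` line that the other scripts add.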
@@ -243,7 +262,7 @@ fi uuu fb: ucmd setenv forced_update 1 # Update U-Boot -part_update "bootloader" "${INSTALL_UBOOT_FILENAME}" +part_update "bootloader" "${INSTALL_UBOOT_FILENAME}" "${DEK_BLOB_FILE}" # Set MMC to boot from BOOT1 partition uuu fb: ucmd mmc partconf 0 1 1 1 diff --git a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx6sbc/install_linux_fw_uuu.sh b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx6sbc/install_linux_fw_uuu.sh index 940bf8a40..8403a19b7 100644 --- a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx6sbc/install_linux_fw_uuu.sh +++ b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx6sbc/install_linux_fw_uuu.sh @@ -39,7 +39,10 @@ show_usage() echo " -i Image name that prefixes the image filenames, such as 'dey-image-qt', " echo " 'dey-image-webkit', 'core-image-base'..." echo " Defaults to '##DEFAULT_IMAGE_NAME##' if not provided." + echo " -k Update includes dek blob file." + echo " (requires -t)." echo " -n No wait. Skips 10 seconds delay to stop script." + echo " -t Install Trustfence artifacts." echo " -u U-Boot filename." echo " Auto-determined by variant if not provided." exit 2 @@ -49,6 +52,7 @@ show_usage() # Params: # 1. partition # 2. file +# 3. dek blob file when updating an encrypted bootloader part_update() { echo "\033[36m" 
@@ -57,10 +61,23 @@ part_update() echo "=====================================================================================" echo "\033[0m" - if [ "${1}" = "bootloader" ]; then - uuu fb: flash "${1}" "${2}" + if [ "${TRUSTFENCE}" = "true" ] && [ "${1}" = "bootloader" ]; then + uuu fb: download -f "${2}" + if [ -n "${DEK_BLOB_FILE}" ]; then + uuu fb: ucmd setenv uboot_size $filesize + uuu fb: ucmd setenv fastboot_buffer $initrd_addr + uuu fb: download -f "${3}" + uuu fb: ucmd setenv dek_size $filesize + uuu fb: ucmd trustfence update "${1}" ram \${loadaddr} \${uboot_size} \${initrd_addr} \${dek_size} + else + uuu fb: ucmd trustfence update "${1}" ram \${fastboot_buffer} \${fastboot_bytes} + fi else - uuu fb: flash -raw2sparse "${1}" "${2}" + if [ "${1}" = "bootloader" ]; then + uuu fb: flash "${1}" "${2}" + else + uuu fb: flash -raw2sparse "${1}" "${2}" + fi fi } @@ -73,14 +90,17 @@ echo "############################################################" # -b, -d, -n (booleans) # -i # -u -while getopts 'bdhi:nu:' c +# -k +while getopts 'bdhi:k:ntu:' c do case $c in b) BOOTCOUNT=true ;; d) INSTALL_DUALBOOT=true && BOOTCOUNT=true ;; h) show_usage ;; i) IMAGE_NAME=${OPTARG} ;; + k) DEK_BLOB_FILE=${OPTARG} ;; n) NOWAIT=true ;; + t) TRUSTFENCE=true ;; u) INSTALL_UBOOT_FILENAME=${OPTARG} ;; esac done @@ -262,7 +282,7 @@ fi uuu fb: ucmd setenv forced_update 1 # Update U-Boot -part_update "bootloader" "${INSTALL_UBOOT_FILENAME}" +part_update "bootloader" "${INSTALL_UBOOT_FILENAME}" "${DEK_BLOB_FILE}" # Set MMC to boot from BOOT1 partition uuu fb: ucmd mmc partconf 0 1 1 1 diff --git a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx6ul/install_linux_fw_uuu.sh b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx6ul/install_linux_fw_uuu.sh index cc34c97ae..446ccc150 100644 --- a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx6ul/install_linux_fw_uuu.sh +++ b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx6ul/install_linux_fw_uuu.sh 
@@ -39,7 +39,10 @@ show_usage() echo " -i Image name that prefixes the image filenames, such as 'dey-image-qt', " echo " 'dey-image-webkit', 'core-image-base'..." echo " Defaults to '##DEFAULT_IMAGE_NAME##' if not provided." + echo " -k Update includes dek blob file." + echo " (requires -t)." echo " -n No wait. Skips 10 seconds delay to stop script." + echo " -t Install Trustfence artifacts." echo " -u U-Boot filename." echo " Auto-determined by variant if not provided." exit 2 @@ -53,6 +56,7 @@ show_usage() # Description: # - downloads image to RAM # - runs 'update' command from RAM +# 4. dek blob file when updating an encrypted u-boot part_update() { echo "\033[36m" @@ -70,7 +74,19 @@ part_update() ERASE="-e" fi uuu fb: download -f "${2}" - uuu "fb[-t ${3}]:" ucmd update "${1}" ram \${fastboot_buffer} \${fastboot_bytes} ${ERASE} + if [ "${TRUSTFENCE}" = "true" ] && [ "${1}" = "uboot" ]; then + if [ -n "${DEK_BLOB_FILE}" ]; then + uuu fb: ucmd setenv uboot_size $filesize + uuu fb: ucmd setenv fastboot_buffer $initrd_addr + uuu fb: download -f "${4}" + uuu fb: ucmd setenv dek_size $filesize + uuu "fb[-t ${3}]:" ucmd trustfence update ram \${loadaddr} \${uboot_size} \${initrd_addr} \${dek_size} + else + uuu "fb[-t ${3}]:" ucmd trustfence update ram \${fastboot_buffer} \${fastboot_bytes} + fi + else + uuu "fb[-t ${3}]:" ucmd update "${1}" ram \${fastboot_buffer} \${fastboot_bytes} ${ERASE} + fi } clear @@ -82,14 +98,17 @@ echo "############################################################" # -b, -d, -n (booleans) # -i # -u -while getopts 'bdhi:nu:' c +# -k +while getopts 'bdhi:k:ntu:' c do case $c in b) BOOTCOUNT=true ;; d) INSTALL_DUALBOOT=true && BOOTCOUNT=true ;; h) show_usage ;; i) IMAGE_NAME=${OPTARG} ;; + k) DEK_BLOB_FILE=${OPTARG} ;; n) NOWAIT=true ;; + t) TRUSTFENCE=true ;; u) INSTALL_UBOOT_FILENAME=${OPTARG} ;; esac done 
@@ -119,7 +138,7 @@ if [ -z "${INSTALL_UBOOT_FILENAME}" ]; then if [ -n "$module_variant" ]; then if [ "$module_variant" = "0x08" ] || \ [ "$module_variant" = "0x0a" ]; then - INSTALL_UBOOT_FILENAME="u-boot-##MACHINE##512MB.imx" + INSTALL_UBOOT_FILENAME="u-boot-##SIGNED##-##MACHINE##512MB.imx" elif [ "$module_variant" = "0x04" ] || \ [ "$module_variant" = "0x05" ] || \ [ "$module_variant" = "0x07" ]; then @@ -260,7 +279,7 @@ uuu fb: ucmd setenv fastboot_buffer \${loadaddr} uuu fb: ucmd setenv forced_update 1 # Update U-Boot -part_update "uboot" "${INSTALL_UBOOT_FILENAME}" 5000 +part_update "uboot" "${INSTALL_UBOOT_FILENAME}" 5000 "${DEK_BLOB_FILE}" # Set 'bootcmd' for the second part of the script that will # - Reset environment to defaults diff --git a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx8m/install_linux_fw_uuu.sh b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx8m/install_linux_fw_uuu.sh index aceb658e1..6e93187c6 100644 --- a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx8m/install_linux_fw_uuu.sh +++ b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx8m/install_linux_fw_uuu.sh @@ -39,7 +39,10 @@ show_usage() echo " -i Image name that prefixes the image filenames, such as 'dey-image-qt', " echo " 'dey-image-webkit', 'core-image-base'..." echo " Defaults to '##DEFAULT_IMAGE_NAME##' if not provided." + echo " -k Update includes dek blob file." + echo " (requires -t)." echo " -n No wait. Skips 10 seconds delay to stop script." + echo " -t Install Trustfence artifacts." echo " -u U-Boot filename." echo " Auto-determined by variant if not provided." exit 2 @@ -49,6 +52,7 @@ show_usage() # Params: # 1. partition # 2. file +# 3. dek blob file when updating an encrypted bootloader part_update() { echo "\033[36m" 
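Review bot: The `##SIGNED##` placeholder sits between two hyphens in `u-boot-##SIGNED##-##MACHINE##512MB.imx`, so the empty substitution yields `u-boot--…` and the `-signed` / `-encrypted` values yield `u-boot--signed-…`, neither of which matches the previous `u-boot-##MACHINE##512MB.imx` naming. Unless the deployed artifacts really carry the double hyphen, a non-TrustFence install would look for a file that does not exist; `INSTALL_UBOOT_FILENAME="u-boot##SIGNED##-##MACHINE##512MB.imx"` keeps the unsigned name unchanged. The ccimx8m and ccimx8x hunks use the same pattern in `imx-boot-##SIGNED##-##MACHINE##…`. Only the first variant branch is touched here; the `elif` branch's assignment lies outside the hunk and presumably needs the same placeholder so those variants pick the signed image as well.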
@@ -57,10 +61,24 @@ part_update() echo "=====================================================================================" echo "\033[0m" - if [ "${1}" = "bootloader" ]; then - uuu fb: flash "${1}" "${2}" + if [ "${TRUSTFENCE}" = "true" ] && [ "${1}" = "bootloader" ]; then + uuu fb: download -f "${2}" + if [ -n "${DEK_BLOB_KEY}" ]; then + uuu fb: ucmd setenv uboot_size $filesize + uuu fb: ucmd setenv fastboot_buffer $initrd_addr + uuu fb: download -f "${3}" + uuu fb: ucmd setenv dek_size $filesize + uuu fb: ucmd trustfence update "${1}" ram \${loadaddr} \${uboot_size} \${initrd_addr} \${dek_size} + else + uuu fb: ucmd trustfence update "${1}" ram \${fastboot_buffer} \${fastboot_bytes} + fi + fi else - uuu fb: flash -raw2sparse "${1}" "${2}" + if [ "${1}" = "bootloader" ]; then + uuu fb: flash "${1}" "${2}" + else + uuu fb: flash -raw2sparse "${1}" "${2}" + fi fi } @@ -73,14 +91,17 @@ echo "############################################################" # -b, -d, -n (booleans) # -i # -u -while getopts 'bdhi:nu:' c +# -k +while getopts 'bdhi:k:ntu:' c do case $c in b) BOOTCOUNT=true ;; d) INSTALL_DUALBOOT=true && BOOTCOUNT=true ;; h) show_usage ;; i) IMAGE_NAME=${OPTARG} ;; + k) DEK_BLOB_KEY=${OPTARG} ;; n) NOWAIT=true ;; + t) TRUSTFENCE=true ;; u) INSTALL_UBOOT_FILENAME=${OPTARG} ;; esac done @@ -102,7 +123,7 @@ echo "Determining image files to use..." # Determine U-Boot file to program basing on SOM's SOC type (linked to bus width) if [ -z "${INSTALL_UBOOT_FILENAME}" ]; then - INSTALL_UBOOT_FILENAME="imx-boot-##MACHINE##.bin" + INSTALL_UBOOT_FILENAME="imx-boot-##SIGNED##-##MACHINE##.bin" fi # Determine linux, recovery, and rootfs image filenames to update 
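Review bot: The TrustFence branch added to part_update closes with two `fi` lines before the `else`, which ends the outer `if` early and leaves `else` dangling, so the shell should reject the ccimx8m script with a syntax error. The ccimx6 and ccimx8x versions of this hunk have a single `fi` at that point (23 added lines against 24 here). Drop the second `fi` so the sequence reads `fi` / `else` / `if [ "${1}" = "bootloader" ]; then`. part_update begins outside this hunk.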
@@ -214,7 +235,7 @@ uuu fb: ucmd setenv fastboot_buffer \${loadaddr} uuu fb: ucmd setenv forced_update 1 # Update U-Boot -part_update "bootloader" "${INSTALL_UBOOT_FILENAME}" +part_update "bootloader" "${INSTALL_UBOOT_FILENAME}" "${DEK_BLOB_KEY}" # Set MMC to boot from BOOT1 partition uuu fb: ucmd mmc partconf 0 1 1 1 diff --git a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx8x/install_linux_fw_uuu.sh b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx8x/install_linux_fw_uuu.sh index 0eae8737c..760cfd8e4 100644 --- a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx8x/install_linux_fw_uuu.sh +++ b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx8x/install_linux_fw_uuu.sh @@ -39,7 +39,10 @@ show_usage() echo " -i Image name that prefixes the image filenames, such as 'dey-image-qt', " echo " 'dey-image-webkit', 'core-image-base'..." echo " Defaults to '##DEFAULT_IMAGE_NAME##' if not provided." + echo " -k Update includes dek blob file." + echo " (requires -t)." echo " -n No wait. Skips 10 seconds delay to stop script." + echo " -t Install Trustfence artifacts." echo " -u U-Boot filename." echo " Auto-determined by variant if not provided." exit 2 @@ -49,6 +52,7 @@ show_usage() # Params: # 1. partition # 2. file +# 3. dek blob file when updating an encrypted bootloader part_update() { echo "\033[36m" 
@@ -57,10 +61,23 @@ part_update() echo "=====================================================================================" echo "\033[0m" - if [ "${1}" = "bootloader" ]; then - uuu fb: flash "${1}" "${2}" + if [ "${TRUSTFENCE}" = "true" ] && [ "${1}" = "bootloader" ]; then + uuu fb: download -f "${2}" + if [ -n "${DEK_BLOB_KEY}" ]; then + uuu fb: ucmd setenv uboot_size $filesize + uuu fb: ucmd setenv fastboot_buffer $initrd_addr + uuu fb: download -f "${3}" + uuu fb: ucmd setenv dek_size $filesize + uuu fb: ucmd trustfence update "${1}" ram \${loadaddr} \${uboot_size} \${initrd_addr} \${dek_size} + else + uuu fb: ucmd trustfence update "${1}" ram \${fastboot_buffer} \${fastboot_bytes} + fi else - uuu fb: flash -raw2sparse "${1}" "${2}" + if [ "${1}" = "bootloader" ]; then + uuu fb: flash "${1}" "${2}" + else + uuu fb: flash -raw2sparse "${1}" "${2}" + fi fi } @@ -73,14 +90,17 @@ echo "############################################################" # -b, -d, -n (booleans) # -i # -u -while getopts 'bdhi:nu:' c +# -k +while getopts 'bdhi:k:ntu:' c do case $c in b) BOOTCOUNT=true ;; d) INSTALL_DUALBOOT=true && BOOTCOUNT=true ;; h) show_usage ;; i) IMAGE_NAME=${OPTARG} ;; + k) DEK_BLOB_KEY=${OPTARG} ;; n) NOWAIT=true ;; + t) TRUSTFENCE=true ;; u) INSTALL_UBOOT_FILENAME=${OPTARG} ;; esac done @@ -106,7 +126,7 @@ if [ -z ${INSTALL_UBOOT_FILENAME} ]; then soc_rev="B0" fi - INSTALL_UBOOT_FILENAME="imx-boot-##MACHINE##-${soc_rev}.bin" + INSTALL_UBOOT_FILENAME="imx-boot-##SIGNED##-##MACHINE##-${soc_rev}.bin" fi # remove redirect 
@@ -214,11 +234,14 @@ if [ "${NOWAIT}" != true ]; then printf " Starting update process\n" fi +# Set fastboot buffer address to $loadaddr, just in case +uuu fb: ucmd setenv fastboot_buffer \${loadaddr} + # Skip user confirmation for U-Boot update uuu fb: ucmd setenv forced_update 1 # Update U-Boot -part_update "bootloader" "${INSTALL_UBOOT_FILENAME}" +part_update "bootloader" "${INSTALL_UBOOT_FILENAME}" "${DEK_BLOB_KEY}" # Set MMC to boot from BOOT1 partition uuu fb: ucmd mmc partconf 0 1 1 1 diff --git a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccmp1/install_linux_fw_uuu.sh b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccmp1/install_linux_fw_uuu.sh index 02f28b37d..68d7fb680 100644 --- a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccmp1/install_linux_fw_uuu.sh +++ b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccmp1/install_linux_fw_uuu.sh @@ -120,12 +120,12 @@ echo "Determining image files to use..." # Determine ATF file to program if [ -z "${INSTALL_ATF_FILENAME}" ]; then - INSTALL_ATF_FILENAME="tf-a-##MACHINE##-nand.stm32" + INSTALL_ATF_FILENAME="tf-a-##MACHINE##-nand##SIGNED_TFA##.stm32" fi # Determine FIP file to program if [ -z "${INSTALL_FIP_FILENAME}" ]; then - INSTALL_FIP_FILENAME="fip-##MACHINE##-optee.bin" + INSTALL_FIP_FILENAME="fip-##MACHINE##-optee##SIGNED##.bin" fi # Determine linux, recovery, and rootfs image filenames to update