swupdate: add u-boot image into SWU update image

Signed-off-by: Mike Engel <Mike.Engel@digi.com>

https://onedigi.atlassian.net/browse/DEL-7853

meta-digi-arm/classes/image_types_digi.bbclass

@@ -301,14 +301,18 @@ IMAGE_CMD:sdcard() {
 	parted -s ${SDIMG} unit KiB print
 
 	# Set u-boot image to flash depending on whether TRUSTFENCE_SIGN is enabled
-	if [ "${TRUSTFENCE_SIGN}" = "1" ]; then
-		if [ "${BOOTLOADER_IMAGE_RECIPE}" = "u-boot" ]; then
-			SDIMG_BOOT="$(readlink -e ${SDIMG_BOOTLOADER} | sed -e 's,u-boot-,u-boot-dtb-signed-,g')"
-		else
-			SDIMG_BOOT="$(readlink -e ${SDIMG_BOOTLOADER} | sed -e 's,imx-boot-,imx-boot-signed-,g')"
-		fi
-	else
+	if [ "${SWUPDATE_UBOOTIMG}" = "true" ]; then
 		SDIMG_BOOT="$(readlink -e ${SDIMG_BOOTLOADER})"
+	else
+		if [ "${TRUSTFENCE_SIGN}" = "1" ]; then
+			if [ "${BOOTLOADER_IMAGE_RECIPE}" = "u-boot" ]; then
+				SDIMG_BOOT="$(readlink -e ${SDIMG_BOOTLOADER} | sed -e 's,u-boot-,u-boot-dtb-signed-,g')"
+			else
+				SDIMG_BOOT="$(readlink -e ${SDIMG_BOOTLOADER} | sed -e 's,imx-boot-,imx-boot-signed-,g')"
+			fi
+		else
+			SDIMG_BOOT="$(readlink -e ${SDIMG_BOOTLOADER})"
+		fi
 	fi
 
 	# Decompress rootfs image

meta-digi-arm/conf/machine/include/digi-defaults.inc

@@ -85,3 +85,6 @@ DEY_SELINUX_POLICY ?= "1"
 # U-Boot scripts to include in 'linux' partition
 # (use the '+=' operator, since other layers may append scripts to this list)
 BOOT_SCRIPTS += "boot.scr:boot.scr"
+
+# This can be used to enable U-Boot update through swupdate
+SWUPDATE_UBOOTIMG ?= "false"

meta-digi-arm/dynamic-layers/freescale-layer/recipes-bsp/imx-mkimage/imx-boot_1.0.bbappend

@@ -349,6 +349,15 @@ do_deploy:append () {
 							trustfence-sign-uboot.sh ${DEPLOYDIR}/${UBOOT_PREFIX}-${MACHINE}-${rev}-${ramc}.bin-${target} ${DEPLOYDIR}/${UBOOT_PREFIX}-encrypted-${MACHINE}-${rev}-${ramc}.bin-${target}
 							unset ENABLE_ENCRYPTION
 						fi
+						if [ "${SWUPDATE_UBOOTIMG}" = "true" ]; then
+							if [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then
+								ln -sf ${UBOOT_PREFIX}-encrypted-${MACHINE}-${rev}-${ramc}.bin-${IMAGE_IMXBOOT_TARGET} ${BOOTABLE_FILENAME}
+							elif [ "${TRUSTFENCE_SIGN}" = "1" ]; then
+								ln -sf ${UBOOT_PREFIX}-signed-${MACHINE}-${rev}-${ramc}.bin-${IMAGE_IMXBOOT_TARGET} ${BOOTABLE_FILENAME}
+							else
+								ln -sf ${UBOOT_PREFIX}-${MACHINE}-${rev}-${ramc}.bin-${IMAGE_IMXBOOT_TARGET} ${BOOTABLE_FILENAME}
+							fi
+						fi
 					done
 				done
 			done

meta-digi-dey/recipes-digi/swu-images/files/sw-description-uboot

@@ -0,0 +1,77 @@
+software =
+{
+    version = "##SW_VERSION##";
+    description = "##DESCRIPTION##";
+
+    mmc = {
+        platform: {
+            images: (
+                {
+                    filename = "##BOOTIMG_NAME##";
+                    device = "##BOOT_DEV##";
+                    type = "raw";
+                    sha256 = "$swupdate_get_sha256(##BOOTIMG_NAME##)";
+                    installed-directly = true;
+                },
+                {
+                    filename = "##ROOTIMG_NAME##";
+                    device = "##ROOTFS_DEV##";
+                    type = "raw";
+                    sha256 = "$swupdate_get_sha256(##ROOTIMG_NAME##)";
+                    compressed = "zlib";
+                    installed-directly = true;
+                }
+            );
+            files: (
+                {
+                    filename = "##UBOOTIMG_NAME##";
+                    path = "##UBOOT_IMAGE_PATH##";
+                    sha256 = "$swupdate_get_sha256(##UBOOTIMG_NAME##)";
+                }
+            );
+            scripts: (
+                {
+                    filename = "##SWUPDATE_UBOOT_SCRIPT##";
+                    type = "preinstall";
+                    data = "##UBOOTIMG_NAME## ##UBOOTIMG_ENC## ##UBOOTIMG_OFFSET##;
+                    sha256 = "$swupdate_get_sha256(##SWUPDATE_UBOOT_SCRIPT##)";
+                }
+            );
+        };
+    };
+    mtd = {
+        platform: {
+            images: (
+                {
+                    filename = "##BOOTIMG_NAME##";
+                    volume = "##BOOT_DEV##";
+                    type = "ubivol";
+                    sha256 = "$swupdate_get_sha256(##BOOTIMG_NAME##)";
+                    installed-directly = true;
+                },
+                {
+                    filename = "##ROOTIMG_NAME##";
+                    volume = "##ROOTFS_DEV##";
+                    type = "ubivol";
+                    sha256 = "$swupdate_get_sha256(##ROOTIMG_NAME##)";
+                    installed-directly = true;
+                }
+            );
+            files: (
+                {
+                    filename = "##UBOOTIMG_NAME##";
+                    path = "##UBOOT_IMAGE_PATH##";
+                    sha256 = "$swupdate_get_sha256(##UBOOTIMG_NAME##)";
+                }
+            );
+            scripts: (
+                {
+                    filename = "##SWUPDATE_UBOOT_SCRIPT##";
+                    type = "postinstall";
+                    data = "##UBOOTIMG_NAME## ##UBOOTIMG_ENC##";
+                    sha256 = "$swupdate_get_sha256(##SWUPDATE_UBOOT_SCRIPT##)";
+                }
+            );
+        };
+    };
+}

meta-digi-dey/recipes-digi/swu-images/files/swupdate_uboot_mmc.sh

@@ -0,0 +1,211 @@
+#!/bin/sh
+#===============================================================================
+#
+#  Copyright (C) 2022 by Digi International Inc.
+#  All rights reserved.
+#
+#  This program is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU General Public License version 2 as published by
+#  the Free Software Foundation.
+#
+#
+#  Description:
+#    Script will be called by swupdate to install a new u-boot within linux.
+#===============================================================================
+
+UBOOT_FILE="$1"
+UBOOT_ENC="$2"
+uboot_seek_kb="$3"
+
+echo "**** Start U-Boot update process *****"
+
+PLATFORM="$(cat /proc/device-tree/digi,machine,name)"
+UBOOT_MMC_DEV="/dev/mmcblk0boot0"
+
+dump_dek ()
+{
+	OUTPUT_FILE="/tmp/dek.bin"
+	KEY_SIZE_BYTES="32"
+	ENCRYPTED_UBOOT_DEK="u-boot-encrypted-with-dek.imx"
+	UBOOT_MMC_DUMP="/tmp/u-boot-dump.hex"
+
+	# ConnectCore 8X
+	if [ "${PLATFORM}" = "ccimx8x-sbc-pro" ] || [ "${PLATFORM}" = "ccimx8x-sbc-express" ]; then
+		AHAB_AUTH_CONTAINER_TAG="87"
+		AHAB_AUTH_SIG_BLOCK_TAG="90"
+		AHAB_AUTH_BLOB_TAG="00 58 00 81"
+		AHAB_VERSION="00"
+		CONT_HEADER_OFFSET="0x400"
+
+		dd if=${UBOOT_MMC_DEV} of=${UBOOT_MMC_DUMP} count=100 bs=1K skip=${uboot_seek_kb} 2>/dev/null
+		auth_container_tag=$(hexdump -C "${UBOOT_MMC_DUMP}" | grep -m 1 "${AHAB_AUTH_CONTAINER_TAG}" | awk '{print $2 $5}')
+		echo "auth_container_tag ${auth_container_tag}"
+		if [ "${auth_container_tag}" = "${AHAB_VERSION}${AHAB_AUTH_CONTAINER_TAG}" ]; then
+			sig_block_offset="0x$(hexdump -C "${UBOOT_MMC_DUMP}" | grep -m 1 "${AHAB_AUTH_CONTAINER_TAG}" | awk '{print $13 $14}')"
+			echo " ++++ signature block offset ${sig_block_offset} "
+
+			nd_sig_block="$((CONT_HEADER_OFFSET + sig_block_offset))"
+			printf '++++ header offset 0x%x\n' ${nd_sig_block}
+			auth_sig_block_tag=$(hexdump -C -s "${nd_sig_block}" "${UBOOT_MMC_DUMP}" | grep -m 1 "${AHAB_AUTH_SIG_BLOCK_TAG}" | awk '{print $2 $5}')
+			echo "auth_sig_block_tag ${auth_sig_block_tag}"
+			if [ "${auth_sig_block_tag}" = "${AHAB_VERSION}${AHAB_AUTH_SIG_BLOCK_TAG}" ]; then
+				blob_offset="0x$(hexdump -C -s "${nd_sig_block}" "${UBOOT_MMC_DUMP}" -n 16 | awk '{print $13 $12}')"
+				printf " ++++ blob offset 0x%x\n" ${blob_offset}
+				dek_blob="$((nd_sig_block + blob_offset))"
+				printf " ++++ dek_blob offset 0x%x\n" ${dek_blob}
+
+				# DEK blobs have an overhead of 56 bytes.
+				dek_blob_size=$((KEY_SIZE_BYTES + 56))
+
+				# Dump dek blob into to a file
+				dd of=${OUTPUT_FILE} if=${UBOOT_MMC_DUMP} count=${dek_blob_size} bs=1 skip=${dek_blob} 2>/dev/null
+				rc=$?
+				if [ $rc -ne 0 ]; then
+					echo "DEK dump to the output file failed."
+					return $rc
+				fi
+				echo "dump_dek: output file has been created."
+				# Validate DEK blob
+				if [ -z "$(dd if=${OUTPUT_FILE} bs=1 count=4 2>/dev/null | hexdump -C | grep "${AHAB_AUTH_BLOB_TAG}")" ]; then
+					echo "Could not find DEK blob"
+					rm -rf ${OUTPUT_FILE}
+					return 1
+				fi
+				echo "DEK blob correctly dumped"
+			else
+				echo "## ERROR: AHAB authentication signature block tag not found."
+			fi
+		else
+			echo "## ERROR: AHAB authentication container tag not found."
+			return 1
+		fi
+	else
+		#(The last byte lacks one digit on purpose, to match 40, 41 and 42; all HAB versions)
+		UBOOT_HEADER="d1 00 20 4"
+		if [ "${PLATFORM}" = "ccimx8mn-dvk" ] || [ "${PLATFORM}" = "ccimx8mm-dvk" ]; then
+			SKIP_BLOCKS="0"
+	                DEK_BLOB_HEADER="81 00 48 4"
+		else
+			SKIP_BLOCKS="2"
+			DEK_BLOB_HEADER="81 00 58 4"
+		fi
+
+		dd if=${UBOOT_MMC_DEV} of=${UBOOT_MMC_DUMP} count=1 skip=${SKIP_BLOCKS} 2>/dev/null
+		uboot_start="0x$(hexdump -C ${UBOOT_MMC_DUMP} | grep -m 1 "${UBOOT_HEADER}" | head -1 | cut -c -8)"
+		echo "++++ ${uboot_start} +++"
+		if [ "${uboot_start}" = "0x" ]; then
+			echo "Could not find U-Boot on MMC"
+			return 1
+		fi
+
+		uboot_size_offset="$((uboot_start + 36))"
+		uboot_size=$(hexdump -n 4 -s ${uboot_size_offset} -e '/4 "%d\t" "\n"' ${UBOOT_MMC_DUMP})
+
+		# DEK blobs have an overhead of 56 bytes.
+		dek_blob_size="$((KEY_SIZE_BYTES + 56))"
+
+		# remove the output DEK file before creating it.
+		# Since this function is called twice.
+		# For the actual upgrade and then for the validation after the upgrade.
+		rm -f ${OUTPUT_FILE}
+		dump_size="$((uboot_size / 512))"
+		echo "++++ ${dump_size} +++"
+		dd if=${UBOOT_MMC_DEV} of=${UBOOT_MMC_DUMP} count=${dump_size} skip=${SKIP_BLOCKS} conv=fsync 2>/dev/null
+		dek_start=$(hexdump -C ${UBOOT_MMC_DUMP} | grep -m 1 "${DEK_BLOB_HEADER}" | head -1 | cut -c -8)
+		echo "++++ dek_start ${dek_start} +++"
+		dek_start="$((16#${dek_start} + 8))"
+		echo "++++ dek_start ${dek_start} +++"
+		dd of=${OUTPUT_FILE} if=${UBOOT_MMC_DUMP} count=${dek_blob_size} bs=1 skip=${dek_start} 2>/dev/null
+		rc=$?
+		if [ $rc -ne 0 ]; then
+			echo "DEK dump to the output file failed."
+			return $rc
+		fi
+		echo "dump_dek: output file has been created."
+		# Validate DEK blob
+		if [ -z "$(dd if=${OUTPUT_FILE} bs=1 count=4 2>/dev/null | hexdump -C | grep "${DEK_BLOB_HEADER}")" ]; then
+			echo "Could not find DEK blob"
+			rm -rf ${OUTPUT_FILE}
+			return 1
+		fi
+		echo "DEK blob correctly dumped"
+		rm -f ${UBOOT_MMC_DUMP}
+		return 0
+	fi
+}
+
+if [ "${UBOOT_ENC}" = "enc" ]; then
+	dump_dek
+	rc=$?
+	if [ "$rc" -ne 0 ]; then
+		echo "u-boot: DEK dump failed"
+		exit $rc
+	fi
+	if [ "${PLATFORM}" = "ccimx8x-sbc-pro" ] || [ "${PLATFORM}" = "ccimx8x-sbc-express" ]; then
+		cp /tmp/${UBOOT_FILE} /tmp/${ENCRYPTED_UBOOT_DEK}
+		# insert the dek_blob into the AHAB container
+		dd if=${OUTPUT_FILE} of=/tmp/${ENCRYPTED_UBOOT_DEK} bs=1 seek=${dek_blob} conv=notrunc 2>/dev/null
+		rc=$?
+		if [ "$rc" -ne 0 ]; then
+			echo "u-boot: Merging DEK with U-Boot image failed (DEV/FILE = /tmp/$UBOOT_FILE)"
+			exit $rc
+		fi
+	elif [ "${PLATFORM}" = "ccimx8mn-dvk" ] || [ "${PLATFORM}" = "ccimx8mm-dvk" ]; then
+		FIT_DEK_BLOB_SIZE="96";
+		cp /tmp/${UBOOT_FILE} /tmp/${ENCRYPTED_UBOOT_DEK}
+		# insert the dek_blob into the SPL
+		dd if=${OUTPUT_FILE} of=/tmp/${ENCRYPTED_UBOOT_DEK} bs=1 seek=${dek_start} conv=notrunc 2>/dev/null
+		rc=$?
+		if [ "$rc" -ne 0 ]; then
+			echo "u-boot: Merging DEK with SPL image failed (DEV/FILE = /tmp/$UBOOT_FILE)"
+			exit $rc
+		fi
+		# get u-boot image file size
+		uboot_file_size="$(stat -L -c %s /tmp/${UBOOT_FILE})"
+		echo " ++++ uboot_file_size ${uboot_file_size} ***"
+		uboot_dek_blob_offset="$((uboot_file_size - FIT_DEK_BLOB_SIZE))"
+		echo " ----- uboot_dek_blob_offset ${uboot_dek_blob_offset} **"
+		# insert the dek_blob at the end of the bootloader
+		dd of=/tmp/${ENCRYPTED_UBOOT_DEK} if=${OUTPUT_FILE} bs=1 seek=${uboot_dek_blob_offset} conv=notrunc 2>/dev/null
+		rc=$?
+		if [ "$rc" -ne 0 ]; then
+			echo "u-boot: Merging DEK with U-Boot image failed (DEV/FILE = /tmp/$UBOOT_FILE)"
+			exit $rc
+		fi
+	else
+		cat /tmp/${UBOOT_FILE} ${OUTPUT_FILE} > /tmp/${ENCRYPTED_UBOOT_DEK}
+		rc=$?
+		if [ "$rc" -ne 0 ]; then
+			echo "u-boot: Merging DEK with U-Boot image failed (DEV/FILE = /tmp/$UBOOT_FILE)"
+			exit $rc
+		fi
+	fi
+	# enable write access
+	echo 0 > /sys/block/mmcblk0boot0/force_ro
+	UBOOT_FILE="/tmp/${ENCRYPTED_UBOOT_DEK}"
+	# write the encrypted u-boot into the MMC
+	dd if=${UBOOT_FILE} of=${UBOOT_MMC_DEV} seek=${uboot_seek_kb} bs=1K
+	rc=$? 2>/dev/null
+	if [ "$rc" -ne 0 ]; then
+		echo "u-boot: failed to write file ${UBOOT_FILE}"
+	else
+		echo "u-boot: successfully written file ${UBOOT_FILE}"
+	fi
+	# disable write access
+	echo 1 > /sys/block/mmcblk0boot0/force_ro
+	rm -f ${UBOOT_FILE} ${OUTPUT_FILE}
+else
+	# enable write access
+	echo 0 > /sys/block/mmcblk0boot0/force_ro
+	# write the u-boot into the MMC
+	dd if=${UBOOT_FILE} of=${UBOOT_MMC_DEV} seek=${uboot_seek_kb} bs=1K 2>/dev/null
+	rc=$?
+	if [ "$rc" -ne 0 ]; then
+		echo "u-boot: failed to write file ${UBOOT_FILE}"
+	else
+		echo "u-boot: successfully written file ${UBOOT_FILE}"
+	fi
+	# disable write access
+	echo 1 > /sys/block/mmcblk0boot0/force_ro
+	rm -f ${UBOOT_FILE} ${OUTPUT_FILE}
+fi

meta-digi-dey/recipes-digi/swu-images/files/swupdate_uboot_nand.sh

@@ -0,0 +1,96 @@
+#!/bin/sh
+#===============================================================================
+#
+#  Copyright (C) 2022 by Digi International Inc.
+#  All rights reserved.
+#
+#  This program is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU General Public License version 2 as published by
+#  the Free Software Foundation.
+#
+#
+#  Description:
+#    Script will be called by swupdate to install a new u-boot within linux.
+#===============================================================================
+
+UBOOT_FILE="$1"
+UBOOT_ENC="$2"
+
+echo "**** Start U-Boot update process *****"
+
+# need to mount debufs to remove some kobs-ng warnings
+if ! grep -qs debugfs /proc/mounts; then
+	mount -t debugfs debugfs /sys/kernel/debug/
+fi
+
+dump_dek ()
+{
+	echo "**** Get DEK and append to the new u-boot *****"
+	UBOOT_MTD_DEV="/dev/mtd0"
+	OUTPUT_FILE="/tmp/dek.bin"
+	KEY_SIZE_BYTES="32"
+	ENCRYPTED_UBOOT_DEK="u-boot-encrypted-with-dek.imx"
+
+	#(The last byte lacks one digit on purpose, to match 40, 41 and 42; all HAB versions)
+	UBOOT_HEADER="d1 00 20 4"
+	DEK_BLOB_HEADER="81 00 58 4"
+
+	uboot_start="0x$(nanddump ${UBOOT_MTD_DEV} | hexdump -C | grep -m 1 "${UBOOT_HEADER}" | head -1 | cut -c -8)"
+	if [ "${uboot_start}" = "0x" ]; then
+		echo "Could not find U-Boot on NAND"
+		return 78
+	fi
+
+	uboot_size_offset=$((uboot_start + 36))
+	uboot_size=$(hexdump -n 4 -s ${uboot_size_offset} -e '/4 "0x%08x\t" "\n"' ${UBOOT_MTD_DEV})
+	# dump start needs to be aligned (U-Boot always leaves 0x400 for DOS table)
+	dump_start=$((uboot_start - 0x400))
+	# DEK blobs have an overhead of 56 bytes.
+	dek_blob_size=$((KEY_SIZE_BYTES + 56))
+
+	# remove the output DEK file before creating it.
+	# Since this function is called twice.
+	# For the actual upgrade and then for the validation after the upgrade.
+	rm -f ${OUTPUT_FILE}
+	# read the complete U-Boot (to skip alignment issues) and keep the dek_blob (which is at the end)
+	nanddump -s ${dump_start} -l ${uboot_size} ${UBOOT_MTD_DEV} | tail -c ${dek_blob_size} > ${OUTPUT_FILE}
+	rc=$?
+	if [ $rc -ne 0 ]; then
+		echo "DEK dump to the output file failed."
+		return $rc
+	fi
+	echo "dump_dek: output file has been created."
+	# Validate DEK blob
+	if [ -z "$(dd if=${OUTPUT_FILE} bs=1 count=4 2>/dev/null | hexdump -C | grep "${DEK_BLOB_HEADER}")" ]; then
+		echo "Could not find DEK blob"
+		rm -rf ${OUTPUT_FILE}
+		return 60
+	fi
+	echo "DEK blob correctly dumped"
+	return 0
+}
+
+if [ "${UBOOT_ENC}" = "enc" ]; then
+	dump_dek
+	rc=$?
+	if [ "$rc" -ne 0 ]; then
+		echo "u-boot: DEK dump failed"
+		exit $rc
+	fi
+	cat $UBOOT_FILE $OUTPUT_FILE > /tmp/$ENCRYPTED_UBOOT_DEK
+	rc=$?
+	if [ "$rc" -ne 0 ]; then
+		echo "u-boot: Merging DEK with U-Boot image failed (DEV/FILE = $UBOOT_FILE)"
+		exit $rc
+	fi
+	UBOOT_FILE="${ENCRYPTED_UBOOT_DEK}"
+fi
+
+# install U-Boot onto the Nand Flash
+kobs-ng init -x -v /mnt/update/${UBOOT_FILE}
+rc=$?
+if [ "$rc" -ne 0 ]; then
+	echo "u-Boot: Updating U-Boot partition failed"
+else
+	echo "u-Boot: Updating U-Boot partition successful"
+fi

meta-digi-dey/recipes-digi/swu-images/swu.inc

@@ -5,15 +5,22 @@ SECTION = "base"
 LICENSE = "GPL-2.0-only"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0-only;md5=801f80980d171dd6425610833a22dbe6"
 
-SRC_URI = "file://sw-description"
-
+SRC_URI = " \
+    file://sw-description \
+    file://sw-description-uboot \
+    file://swupdate_uboot_nand.sh \
+    file://swupdate_uboot_mmc.sh \
+"
 inherit swupdate
 
 IMAGE_DEPENDS = "${@get_baseimg_pn(d)}"
 
 IMG_NAME = "${IMAGE_DEPENDS}"
 
-SWUPDATE_IMAGES = "${IMG_NAME}"
+SWUPDATE_IMAGES = " \
+    ${IMG_NAME} \
+    ${@oe.utils.ifelse(d.getVar('SWUPDATE_UBOOTIMG', True) == 'true', '${UBOOT_PREFIX}', '')} \
+"
 
 SOFTWARE_VERSION ?= "0.0.1"
 DESCRIPTION = "${@oe.utils.ifelse(d.getVar('TRUSTFENCE_ENCRYPT_ROOTFS', True) == '1', 'Encrypted rootfs ${IMG_NAME} update', '${IMG_NAME} update')}"
@@ -24,7 +31,9 @@ BOOTFS_EXT:ccmp1 ?= ".boot.ubifs"
 ROOTFS_EXT ?= ".ext4.gz"
 ROOTFS_EXT:ccimx6ul ?= ".ubifs"
 ROOTFS_EXT:ccmp1 ?= ".ubifs"
+UBOOT_EXT ?= ".${UBOOT_SUFFIX}"
 
+UBOOTIMG_OFFSET ?= "${BOOTLOADER_SEEK_BOOT}"
 BOOT_DEV_NAME ?= "/dev/mmcblk0p1"
 BOOT_DEV_NAME:ccimx6ul ?= "linux"
 BOOT_DEV_NAME:ccmp1 ?= "linux"
@@ -35,10 +44,14 @@ ROOTFS_ENC_DEV = "/dev/mapper/cryptrootfs"
 ROOTFS_ENC_DEV:ccimx6ul = "${ROOTFS_DEV_NAME}"
 ROOTFS_ENC_DEV:ccmp1 = "${ROOTFS_DEV_NAME}"
 ROOTFS_DEV_NAME_FINAL = "${@oe.utils.ifelse(d.getVar('TRUSTFENCE_ENCRYPT_ROOTFS', True) == '1', '${ROOTFS_ENC_DEV}', '${ROOTFS_DEV_NAME}')}"
+SWUPDATE_STORAGE_MEDIA = "${@oe.utils.conditional('STORAGE_MEDIA', 'mmc', 'swupdate_uboot_mmc.sh', 'swupdate_uboot_nand.sh', d)}"
 
 python () {
     img_fstypes = d.getVar('BOOTFS_EXT', True) + " " + d.getVar('ROOTFS_EXT', True)
     d.setVarFlag("SWUPDATE_IMAGES_FSTYPES", d.getVar('IMG_NAME', True), img_fstypes)
+    if (d.getVar('SWUPDATE_UBOOTIMG', True) == "true"):
+        uboot_fstypes = d.getVar('UBOOT_EXT', True)
+        d.setVarFlag("SWUPDATE_IMAGES_FSTYPES", d.getVar('UBOOT_PREFIX', True), uboot_fstypes)
 }
 
 python do_swuimage:prepend() {
@@ -55,6 +68,17 @@ def get_baseimg_pn(d):
 do_unpack[postfuncs] += "fill_description"
 
 fill_description() {
+	if [ "${SWUPDATE_UBOOTIMG}" = "true" ]; then
+		cp ${WORKDIR}/sw-description-uboot ${WORKDIR}/sw-description
+		if [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && [ "${TRUSTFENCE_DEK_PATH}" != "default" ]; then
+			sed -i -e "s,##UBOOTIMG_ENC##,enc,g" "${WORKDIR}/sw-description"
+		else
+			sed -i -e "s,##UBOOTIMG_ENC##,normal,g" "${WORKDIR}/sw-description"
+		fi
+		sed -i -e "s,##UBOOTIMG_NAME##,${UBOOT_PREFIX}-${MACHINE}${UBOOT_EXT},g" "${WORKDIR}/sw-description"
+		sed -i -e "s,##SWUPDATE_UBOOT_SCRIPT##,${SWUPDATE_STORAGE_MEDIA},g" "${WORKDIR}/sw-description"
+		sed -i -e "s,##UBOOTIMG_OFFSET##,${UBOOTIMG_OFFSET},g" "${WORKDIR}/sw-description"
+	fi
 	sed -i -e "s,##BOOTIMG_NAME##,${IMG_NAME}-${MACHINE}${BOOTFS_EXT},g" "${WORKDIR}/sw-description"
 	sed -i -e "s,##BOOT_DEV##,${BOOT_DEV_NAME},g" "${WORKDIR}/sw-description"
 	sed -i -e "s,##ROOTIMG_NAME##,${IMG_NAME}-${MACHINE}${ROOTFS_EXT},g" "${WORKDIR}/sw-description"

meta-digi-dey/recipes-support/swupdate/swupdate_2022.05.bbappend

@@ -16,6 +16,8 @@ do_configure:append() {
 	if [ "${TRUSTFENCE_SIGN}" = "1" ]; then
 		echo "CONFIG_SIGNED_IMAGES=y" >> ${B}/.config
 	fi
+	# add U-Booot handler to use uboot: type
+	echo "CONFIG_BOOTLOADERHANDLER=y" >> ${B}/.config
 	cml1_do_configure
 }