Add a variable analogous to TRUSTFENCE_SIGN to enable/disable artifact
encryption. Deprecate TRUSTFENCE_DEK_PATH in favor of TRUSTFENCE_KEYS_PATH to
use a more generic name and avoid overloading it as an on/off flag. Add per-key
variables for encryption key filenames to avoid hardcoded names and allow
platform overrides.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
vfat images need U-Boot scripts, which are always provided by the U-Boot
recipe, even for imx-boot-based machines. Replace the machine-dependent
BOOTLOADER_IMAGE_RECIPE with virtual/bootloader (which is provided by
u-boot recipes).
https://onedigi.atlassian.net/browse/DEL-9768
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Remove obsolete SD card image creation logic and related variables. We
will use WIC images for bootable SD cards.
https://onedigi.atlassian.net/browse/DEL-9768
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
This is the version supporting the i.MX95. This library is a dependency
of the gputop package.
As a requirement to allow building this library for the ccimx95-dvk,
update the fsl-eula-graphics bbclass with the latest changes in meta-imx.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
This commit imports the sign-stm32mp bbclass from the meta-st-stm32mp layer to
allow customization. The main customization ensures that the search_path()
function does not raise a build exception if the signing tool or keys are not
present in the PATH before starting the build process.
In our case, we do not need to manually install the tools or generate the keys
beforehand, as this is automatically handled by Yocto in our DEY distribution.
https://onedigi.atlassian.net/browse/DEL-9442
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit removes all unnecessary files after the integration of the latest
ST BSP, based on the openstlinux-6.6-yocto-scarthgap-mpu-v24.11.06 tag for
Yocto 5.0 (Scarthgap).
https://onedigi.atlassian.net/browse/DEL-9381
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
poky has reworked the format of image names, hardcoding the IMAGE_NAME_SUFFIX
(.rootfs) into IMAGE_LINK_NAME, the name used for image symlinks. This would
only be considered a cosmetic change if it weren't for the fact that we have
scripts and test infrastructure that relies on the old image name format, and
this change would force us to rework it all.
Remove the suffix from the link name to maintain our image name format, and
reflect this name in our custom image type scripts. Note that this removes
".rootfs" from several files, for example:
* .rootfs.ext4.gz is now .ext4.gz
* .rootfs.cpio.gz.u-boot.tf is now .cpio.gz.u-boot.tf
* .rootfs.ubifs is now .ubifs
* .rootfs.sdcard is now .sdcard
However, symlink names and non-rootfs files (.boot.vfat, .recovery.vfat...)
are unchanged.
https://onedigi.atlassian.net/browse/DEL-9011
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This commit adds the initramfs into the FIT recovery
image. If the RAM disk image is included in the FIT
image we need to create an initramfs file that doesn't
include the u-boot header, because the FIT descriptor
contains all the necessary information to use the
initramfs file.
https://onedigi.atlassian.net/browse/DEL-9168
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
Add support based on v2.8 version from STM release
openstlinux-6.1-yocto-mickledore-mp2-v23.12.06.
https://onedigi.atlassian.net/browse/DEL-8995
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Different mechanisms are used to sign FIT images on the ccmp1 platforms and the
ccimx93, and we manage each mechanism via a different variable. The variable
names don't really reflect which platform they affect, which makes maintenance
harder.
Rename the variables so that it's easier to identify the platforms/vendors they
affect:
* Replace TRUSTFENCE_FIT_IMG with TRUSTFENCE_SIGN_FIT_STM
* Replace TRUSTFENCE_SIGN_FIT_ARTIFACT with TRUSTFENCE_SIGN_FIT_NXP
Don't rename TRUSTFENCE_FIT_IMG_SIGN_KEYNAME
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
When we use a fitImage kernel type, all the boot artifacts are inside the
FIT image, so there is no need to add them to the boot image additionally.
We were using TRUSTFENCE_FIT_IMG to do this filtering, which uses
a fitImage kernel type underneath. This commit uses KERNEL_IMAGETYPE
instead, as this way, we can use kernel FIT images out of Trustfence and
still prevent polluting the boot images with not-needed artifacts.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
This compression method has a better compression ratio than the default (lzo),
but the (de)compression speed is slower, leading to slower read/write speeds.
However, the recovery partition only gets accessed in specific use cases such
as software updates and partition encryption, and it contains an initramfs. The
UBIFS will only be read at boot time to load its elements, but once the
initramfs is loaded in RAM, there are no more read/write operations to the
UBIFS during runtime, so the speed penalty is minimal.
Take advantage of the improved compression ratio to reduce the size of the
recovery image. On the ccimx6ul, the size is reduced by 248 KiB.
https://onedigi.atlassian.net/browse/DEL-8819
https://onedigi.atlassian.net/browse/DEL-8825
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This commit adds signed FIT image support for the CCMP1
platforms when using Trustfence.
https://onedigi.atlassian.net/browse/DEL-8591
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
Some platforms do not support signing external artifacts (kernel, dtb,
etc.) yet, so we need to decouple the signing of the bootloader from the
signing of the external artifacts.
This commit generalizes the code, so instead of having platform exceptions
scattered along the recipes, we create a new variable used conditionally
to sign or not the external artifacts.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
For the moment, do not sign additional artifacts, such as the ramdisk,
the kernel or the boot scripts for STM platforms.
In the specific case of the ramdisk, simply copy it over with the
expected filename extension.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Certain platforms share a processor family but need to be differentiated
between them. DEY was using the variable DIGI_FAMILY as the SOM name
rather than the family. It becomes useful to have both (DIGI_SOM as the
more specific, and DIGI_FAMILY as the more generic).
This is the case, for example, of:
- ccmp1 (family)
  - ccmp15 (SOM)
  - ccmp13 (SOM)
- ccimx8m (family)
  - ccimx8mm (SOM)
  - ccimx8mn (SOM)
Both variables are used on the machine overrides.
Where DIGI_FAMILY was used, now use DIGI_SOM.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
A recipe may generate different runtime packages, with names other than
PN. This commit allows removing the ontarget postinst script for those
other runtime package names. To do so, just define REMOVE_POSTINST_RPN
before including this class in the recipe.
The first user is in the following commit.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
True has been the default for a long time, and is thus not necessary. This
follows similar changes done in other layers.
Command used:
sed -e 's|\(d\.getVar \?\)( \?\([^,()]*\), \?True)|\1(\2)|g' -i $(git grep -E 'getVar ?\( ?([^,()]*), ?True\)' | cut -d':' -f1 | sort -u)
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
The class 'boot-artifacts.bbclass' was created to generate a
list of the bootable artifacts that must be copied from the
deploy dir to the installer ZIP file, so that the installer
has all the possible bootloader files to update any variant
of the hardware.
The class was somewhat over-engineered to produce the list,
especially for the cc8x, with the variants of SoC revision,
RAM size and width. With the arrival of ST family, it got
more complex, as the artifacts don't even come from U-Boot
recipe.
To remove complexity, this commit removes the bbclass and
moves the list to the platform config file.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
For platforms that do not define FIP_UBOOT_DTB, the
'd.getVar('FIP_UBOOT_DTB')' gets evaluated to None, which is not equal to
"", and thus the code continues in the wrong "if" branch.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
This variable was removed from meta-st-stm32mp so we need to get rid of it
in meta-digi, too.
Reported-by: Javier Viguera <javier.viguera@digi.com>
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-8268
This commit changes the arm-trusted-firmware build configuration to only build
one ATF artifact.
It will create an image that boots over USB and NAND.
https://onedigi.atlassian.net/browse/DEL-8187
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
For platforms with a FIP artifact, ignore U-Boot artifacts and instead
add to the installer zip file the FIP artifact and the ATF artifacts.
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
This commit partially reverts the commit 548b8729 ("image_types: add support to
create CCMP15 ubifs images") to fix the boot partition generation.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
The sign mode needed for each platform is invariable, and since the platform
is already a mandatory parameter for the script, we can store this information
implicitly. Reflect this change in every recipe where the script is used, but
keep the variable at the Yocto level since it's still needed in several places.
https://onedigi.atlassian.net/browse/DEL-7862
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
It seems like the version of mkfs.vfat used in Yocto 3.3 has a label name
length limit of 11 characters. All of the labels for our current platforms
surpassed this limit ("Boot ccimxX" alone already occupies 11 characters), so
replace the machine name with "DEY".
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Since these images are highly compressible, this greatly reduces the amount of
space taken up by build artifacts.
Modify the code used to generate the .sdcard and .installer.zip files so that
they contain the decompressed .ext4 image.
https://onedigi.atlassian.net/browse/DEL-7582
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
When the Bootloader is a 'u-boot', select the correct u-boot
signed image to compose the sdcard artifact.
Signed u-boot artifacts start with 'u-boot-dtb-signed-'.
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
When the Bootloader is an 'imx-boot', select the correct imx-boot
signed image to compose the sdcard artifact.
https://jira.digi.com/browse/DEL-7024
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
The signing script is used for signing multiple artifacts, not just the
kernel, so rename it for a broader use.
https://jira.digi.com/browse/DEL-7047
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
imx-mkimage is a host recipe to provide the mkimage_imx8 binaries, required
for the trustfence support with platforms based on AHAB (ccimx8x). Since
these binaries are required for the signing process, we need to export them in
the SDK to allow the standalone sign mode, and with that we can simplify the
mechanism to share these binaries with other recipes (u-boot, linux).
Also the do_deploy() from imx-mkimage recipe was removed to avoid overriding
the implementation from the native class and allow populating the mkimage
binaries.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
The scripts need to know the SOC's revision to be able to select the correct
imx-boot image. Modify the boot-artifacts bbclass so the renamed imx-boot files
are included in the installation .zip.
Also, bypass the SECO fw check in the uSD script so it can install future
versions that aren't recognized by U-Boot's SECO fw checking logic. The UUU
script doesn't require this bypass, since it doesn't use the Digi update
command to flash the bootloader.
https://jira.digi.com/browse/DEL-7069
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
* prefix TRUSTFENCE_ to variable SIGN_MODE for DEY
* prefix CONFIG_ to variable SIGN_MODE for script
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
The bootable artifacts that must go inside the installer ZIP image are defined
in the variable BOOTABLE_ARTIFACTS. For platforms without RAM_CONFIGS, these
artifacts are obtained from the UBOOT_CONFIG variable.
This commit fixes the final artifact name added to the BOOTABLE_ARTIFACTS, which
for some platforms is not strictly the same as the UBOOT_CONFIG name.
For example, the U-Boot configuration "ccimx8mn_dvk" corresponds to the
bootable artifact "ccimx8mn-dvk".
https://jira.digi.com/browse/DEL-6974
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>