This series of patches expose a number of regulators of
the PMIC to the non-secure world, so that they can be
referenced and used by Linux drivers.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
This commit updates the secure boot support for STM platforms based on the
STM32 MPU Ecosystem v6.1.0. It introduces support for encrypted boot artifacts,
including TF-A and FIP, and enables this functionality for the ConnectCore MP2
platform.
This enhancement allows secure boot deployments with both authentication and
encryption for improved protection of critical boot components.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit imports the Digi custom version of sign-stm32mp bbclass to ensure
that the search_path() function does not raise a build exception if the signing
tool or keys are not present in the PATH before starting the build process.
In our case, we do not need to manually install the tools or generate the keys
beforehand, as this is automatically handled by Yocto in our DEY distribution.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Add support for the ccimx95 and reorganize the recipe so that all machine
patches are applied for the DEY distribution, regardless of the build
target.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Add the ccimx95dvk flavor to OP-TEE, define the UART6 base and DDR
settings, and update the machine mappings using OPTEEMACHINE as the base
recipe does.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Add the ccimx95 platform cloned from mx95lp5. Provide DDR configuration,
configure the console on lpuart6, and update ccimx95-dvk.conf to select
the new board.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
This commit removes the wl_shell and libweston patche, which
are now not necessary anymore. Becasue we have removed the
wayland backend for the LVGL image.
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
The Digi commits on the optee-os repository are part of the
same branch and apply on top of each other since they do not
collide with each other.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
After the update of the recipe in meta-freescale this patch
(which exists in meta-freescale) does no longer need to
live in meta-digi.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
The Digi commits on the imx-atf repository are now part of the
same branch and apply on top of each other since they do not
collide with each other.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
A recent change in meta-st-x-linux-ai was completely overwriting our default
PACKAGECONFIG values, causing several plugins to be omitted (for example, the
wayland plugin). In turn, this was causing several build errors in many
packages that depend on said plugins.
Use a strict PACKAGECONFIG assignment to prevent this. As a side effect, this
removes the new "uvcsink" PACKAGECONFIG introduced by the recent change in
meta-st-x-linux-ai, so make sure to re-add it to avoid unexpected behavior when
building the brand new people-tracking-heatmap AI example.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
meta-freescale updated the base recipe for NXP's release 6.6.52_2.2.1,
so our overrides in the bbappend are no longer needed.
https://onedigi.atlassian.net/browse/DEL-9748
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
This commit introduces a custom export_binaries() function to resolve a
deployment issue affecting the final TF-A artifact path. The issue occurs when
the SoC name does not match the TF-A device tree name.
This fix is required due to changes introduced in commit f0b4d0d02a
("ccmp15: enable secure_system_service for CCMP15"), which modified the TF-A
artifact generation process.
https://onedigi.atlassian.net/browse/DEL-9734
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit updates the Digi custom .bbappend recipes for FIP and TF-A to align
with the latest ST BSP release, based on the openstlinux-6.6-yocto-scarthgap-mpu-v25.06.11
tag for Yocto 5.0 (scarthgap).
https://onedigi.atlassian.net/browse/DEL-9734
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit fixes the default secure storage path
to /mnt/data/tee instead of /var/lib/tee. This will
store all secure storage keys in that path and will
keep them even during rootfs updates.
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
mwifiex driver is not able to automatically download the corresponding
rgpower binary after receiving CountryIE beacon information from country
XX, so we have to do it manually running "iw reg set XX".
However, the driver considers country XX is already configured and
ignores the rgpower download request.
Fix it by not processing the countryIE information in the driver by
adding a patch from NXP that will be integrated in their next
official release.
https://onedigi.atlassian.net/browse/DEL-8974
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
Add service to automatically detect changes in the global regulatory
domain and force a PHY regulatory domain change.
This allows detecting regulatory domain changes based on beacon
information when 802.11d is enabled and instructing the wireless
driver to download the rgpower firmware file corresponding to the
selected country.
If the selected country is not one of the supported ones, Worldwide
rgpower_WW.bin file will be downloaded by default.
Run the check service every 5 seconds through a systemd timer.
https://onedigi.atlassian.net/browse/DEL-8974
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
Set V2 TX power method for regulatory management on the iw612 init
and remove the 'txpwrlimit_cfg' and 'init_hostcmd_cfg' driver
parameters which are only used for V1 TX power method.
This allows the driver to load a specific rgpower_XX.bin binary file
contained in the rootfs whenever command "iw reg set XX" is executed,
updating the TX power settings and allowed frequencies list to those
contained in the file. 'XX' stands for the 2-character ISO3166-1
alpha-2 country code.
If the selected rgpower_XX.bin file does not exist, or no country is
selected, the driver will load rgpower_WW.bin (Worldwide) by default.
https://onedigi.atlassian.net/browse/DEL-8974
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
On NXP platforms, the signed/encrypted bootloader images are not
included on the installer ZIP. This prevents from using the installer
when TrustFence is enabled.
This commit adds to the installer:
- If encryption is enabled
- encrypted bootloader
- signed bootloader (for USB recovery boot)
- If encryption is disabled
- signed bootloader
- If TrustFence is disabled
- non-signed bootloader
It also treats the ccimx6ul special, as this has a dedicated file for
USB recovery boot.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-9698
The default secure storage (/var/lib/tee) is a tmpfs and not persistent
across reboots. Change it to the data partition (/mnt/data/tee) when
TrustFence file system encryption enabled
For the log file, do use the /var/log/ directory instead of default
/data
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-9683
Moved deploy_symlinks_atf from SYSROOT_PREPROCESS_FUNCS to do_deploy task
to ensure symlinks are created correctly even when rebuilding from the
shared state after a "bitbake -c clean tf-a-stm32mp".
Override do_deploy[sstate-outputdirs] from the original recipe to allow
installing both the deploy artifacts (binaries and symlinks) to the
package deploy directory.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
The login prompt appears before Wayland is fully initialized and
has created a wayland socket.
Logging in too early as root in this scenario caused the
WAYLAND_DISPLAY environment variable to be left empty. As a
consequence, gstreamer failed to use waylandsink to print contents
in the display.
Introduce a 10-seconds polling loop to wait for the wayland socket to
be available before proceeding with the login.
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
* Delete custom wolfssl_5.4.0-fips.bb recipe and README.
* Removed WolfSSL dynamic layer registration.
FIPS support is now managed through the external meta-wolfssl layer,
making this implementation unnecessary in meta-digi.
https://onedigi.atlassian.net/browse/DEL-9631
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
The new version in meta-wolfssl does build properly, so this append is
no longer needed.
https://onedigi.atlassian.net/browse/DEL-9631
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
We reverted the stub that didn't allow PM when serial boot
was enabled on TF-A. Restore the part of the recipe that
includes USB boot support on NAND boot images.
This reverts commit 24aef482ef.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-9629
Adding STM32MP_USB_PROGRAMMER=1 to TF-A NAND build allows the images to
boot from either NAND or USB (recovery) however, the source code of TF-A
disallows correct resuming from suspend when either STM32MP_USB_PROGRAMMER
or STM32MP_UART_PROGRAMMER are defined.
Remove this support so that the system can correctly resume from suspend.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-9629
Starting with OP-TEE v4.0.0, the use of a test key is no longer supported.
The Hardware Unique Key (HUK) is now always derived from the programmed OTP bits.
As a result, the Digi custom `CFG_OTP_HUK` flag is obsolete and has been removed.
https://onedigi.atlassian.net/browse/DEL-9634
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
There are several recipes in meta-digi related to features that we haven't
tested in a long time and don't appear in the DEY 5.0 documentation. Remove
them to avoid unexpected behavior.
Said features are:
* Coral TPU support (only supported in DEY 3.2)
* AWS support (removed from default images and docs in DEY 4.0)
* dey-image-tiny (hasn't been maintained since DEY 2.0)
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
OP-TEE comes in two flavors: optee and opteemin
For NAND-boot images, add support for USB boot as well,
so that the default tf-a image is valid for booting from
either NAND or USB.
We had this for 'optee' flavor but not for 'opteemin'.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Currently, the final metadata symlink is composed using the TF-A Device Tree
configuration, which includes memory variant details. However, these variants
are not relevant for the metadata binary.
To avoid generating multiple redundant metadata files or using confusing names,
this commit updates the symlink to be composed using the MACHINE variable
instead.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
After more in-depth testing, we discovered that the flv/ogv video issues on the
ccmp25-dvk don't happen when playing videos with standard resolutions. Since
the workaround consisted of reverting a patch backported from upstream
gstreamer, and it only fixed flv video playback anyway, revert said workaround
and test using videos with standard formats.
This reverts commit e09eff7e1a.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
On the new BSP the configuration is called 'optee-nand' and the build
parameters have changed.
We do this override in meta-digi only to incorporate
`STM32MP_USB_PROGRAMMER=1`
parameter, which allows to boot the nand image from USB, too.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Hector Palacios
Javier Viguera
Arturo Buzarra
Mike Engel
Gabriel Valcazar
Gonzalo Ruiz