DEY generates the ccmp25 boot artifacts on subdirectories of the main
deploy folder. The firmware installation script expects to have them on
the deploy directory, so create the proper symlinks.
https://onedigi.atlassian.net/browse/DEL-9120
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Add support based on STM release openstlinux-6.1-yocto-mickledore-mpu-v24.06.26.
https://onedigi.atlassian.net/browse/DEL-8995
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Add open-source implementation of the OpenGL API support based on v23.0.3
version from STM release openstlinux-6.1-yocto-mickledore-mpu-v24.06.26.
https://onedigi.atlassian.net/browse/DEL-8995
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Add GPU support based on v6.4.15 version from STM release
openstlinux-6.1-yocto-mickledore-mpu-v24.06.26.
https://onedigi.atlassian.net/browse/DEL-8995
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Add support based on v2.8 version from STM release
openstlinux-6.1-yocto-mickledore-mp2-v23.12.06.
https://onedigi.atlassian.net/browse/DEL-8995
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Add support based on v3.19.0 version from STM release
openstlinux-6.1-yocto-mickledore-mp2-v23.12.06.
https://onedigi.atlassian.net/browse/DEL-8995
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commits adds the CCMX91 platform to the DEY
build system. Furthermore, it creates generic ccimx9
support to be used for the CCiMX91 and CCiMX93
platform.
https://onedigi.atlassian.net/browse/DEL-9106
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
When TrustFence is enabled, use the HUK programmed on the OTP
bits for the ccmp15 platform.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-9121
By default, the secure storage path in the REE is "/var/lib/tee". It is
part of the rootfs, and thus, it gets lost on a firmware update.
This commit changes that path to a different partition "/mnt/data/tee"
when Trustfence file-based encryption is enabled.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Building Optee trusted applications (TA) depends on optee_client and the TA
devkit provided by optee_os. Our toolchain provides those dependencies, but
the SDK script which configures the environment for standalone building,
is not configuring some variables needed to build trusted applications.
This commit extends the SDK environment script to allow building TAs.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
The patches have been backported from the lf-6.1.36-2.1.0 release of
imx-mkimage.
https://onedigi.atlassian.net/browse/DUB-1081
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
The patches have been backported from the lf-6.1.36-2.1.0 release of
imx-mkimage.
https://onedigi.atlassian.net/browse/DUB-1081
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Optee-client provides the TEE Client API as defined by the GlobalPlatform TEE standard.
It is required to communicate with a Trusted Application (TA) running in a Trusted OS.
https://onedigi.atlassian.net/browse/DEL-8970
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Several things were wrong after the latest update to version 4.0: the
tee-supplicant path, some settings in the systemd unit, etc.
This commit fixes the installation so the optee test suite completes again.
https://onedigi.atlassian.net/browse/DEL-8989
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
This commit fixes the set_fip_sign_key() function to match the new keys format
where there is a key_pass file for each key, no longer needing to search with
the key index.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit fixes the set_fip_sign_key() function to match the new keys format
where there is a key_pass file for each key, no longer needing to search with
the key index.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This is an NXP change that reverts a mainline weston commit form v9.0.0, in
which the mouse cursor only gets activated when there is mouse movement. This
change was only being included in the weston v10.0.X i.MX forks.
For platforms that don't use these weston forks (ccimx93 uses the v11.0.X fork
and ccmp15 uses mainline weston), the mouse cursor doesn't load right away when
booting the system, which causes apps that are automatically launched (such as
the LVGL demo) to not register the mouse, rendering said apps unresponsive to
it.
Port NXP's change to all of the weston versions we currently use to avoid this
problem.
https://onedigi.atlassian.net/browse/DEL-8865
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
As part of the integration of the new ML package, also update the
ethos-u-firmware binary built from Stash:
Repo: emp/ethos_u_firmware.git
Revision: bd5506ddba364ad04602d5009b77077f78450b97
Source: NXP's MCUXpresso SDK_2.14.2_MIMX9352xxxxM
Co-authored-by: Javier Viguera <javier.viguera@digi.com>
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Backport of graphics package for ccimx93 from NXP's Mickledore-based
lf-6.1.55-2.2.0 release. Mainly copies and appends of graphics recipes
from the new release, and restricted to ccimx93 by changing the
COMPATIBLE_MACHINE, so it does not affect other platforms.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
When TrustFence is enabled, the boot artifacts (TFA and FIP)
have a 'signed' suffix. Handle this case so that the correct
symlinks are created and the correct artifacts are put into the
SWU file.
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Starting with NXP release "lf-6.1.55-2.2.0" the IMX optee fork (based on
version 4.0.0) does not support SOC revision A0. This commit recovers
support to build a bootloader for A0, extending the optee patch for
ccimx93 to support A0 with a build time option, and then extending the
optee-os and imx-boot recipes to build two optee binaries and using them
to generate bootloaders for both SOC revisions.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
This includes also an update and rename of the Edgelock Enclave firmware
package (firmware-ele-imx).
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Backport of graphics package for ccimx93 from NXP's Mickledore-based
6.1.36-2.1.0 release. Mainly copies and appends of graphics recipes
from the new release, and restricted to ccimx93 by changing the
COMPATIBLE_MACHINE, so it does not affect other platforms.
Notice, that the new version of weston used now by the ccimx93 requires
a different profile file (weston-socket.sh). This profile supercedes the
old 'weston.sh'.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
In commit 2fd1dbfed7, we accidentally removed some changes needed to
build imx-boot with Trustfence enabled, which were added in commit
1ce17da864.
This partially reverts commit 2fd1dbfed7
Signed-off-by: Francisco Gil <francisco.gilmartinez@digi.com>
In commit 2fd1dbfed7, we accidentally removed some changes needed to
build imx-boot with Trustfence enabled, which were added in commit
1ce17da864.
This partially reverts commit 2fd1dbfed7
Signed-off-by: Francisco Gil <francisco.gilmartinez@digi.com>
These binaries are installed in subdirectories by default. The uuu
installer expects to find all binaries on the same folder where the script
is. By creating symlinks, the uuu installer can find all the binaries it
needs directly on the deploy folder.
NOTE: variables in 'for' clauses are intentionally without quotes to skip
whitespaces in them.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
(cherry picked from commit 019deb6313)
These binaries are installed in subdirectories by default. The uuu
installer expects to find all binaries on the same folder where the script
is. By creating symlinks, the uuu installer can find all the binaries it
needs directly on the deploy folder.
NOTE: variables in 'for' clauses are intentionally without quotes to skip
whitespaces in them.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
New NXP's release is based on upstream v2.8. Use this only for ccimx93,
and keep using the previous Kirkstone release (based on upstream v2.6)
for the rest of the platforms.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Recently, meta-freescale backported the support to build multiple boot
artifacts. This clashes with the changes in our imx-boot bbappend,
so update the bbappend to make it compatible with the latest changes
in meta-freescale.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
(cherry picked from commit 2fd1dbfed7)
Recently, meta-freescale backported the support to build multiple boot
artifacts. This clashes with the changes in our imx-boot bbappend,
so update the bbappend to make it compatible with the latest changes
in meta-freescale.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
mkimage output provides some information (basically image offsets) that
cst (code signing tool) uses to sign imx-boot images.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
We will use BOOTDEVICE_LABELS as a means to add 'sdcard'
configuration to TF_A_CONFIG within meta-st-stm32 so there
is no need to have a wrapper variable in meta-digi.
This reverts commit c6f19a099c.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Commit 92969f0c4 ("plat-stm32mp1: Remove CFG_STM32_BSEC_WRITE dependency with
debug configuration OP-TEE") on OP-TEE source code, removed the link between
the BSEC WRITE feature with DEBUG feature, so now by default it is enabled.
This reverts commit 2395378ec4.
https://onedigi.atlassian.net/browse/DEL-8657
Create a new script for the generation of PKI tree for STM platforms
and leave the trustfence-sign-artifact script exclusively for signing.
The new gen-pki script only requires the platform as an argument and the
path to where to save the tree (if it doesn't exist) in
CONFIG_SIGN_KEYS_PATH.
This commit also reverts commit 13c136dbc5 by getting rid of the
trustfence-genpki-native.bb recipe and moving back the PKI generation
functions into trustfence.bbclass. This recipe didn't quite guarantee
that the PKI was generated on time for the recipes that required the
keys to exist, anyway.
Instead, the PKI generation function must be called right after
do_compile() of recipe tf-a-stm32mp to be ready for do_deploy() where
the key is used.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Commit 7cf314ba80 made a weak assignment of TF_A_CONFIG in the machine
config file, so that it could be overriden from conf/local.conf with a
straight assignment. However, this variable already has a weak assignment
on include files for the tf-a-stm32mp recipe, which apparently take
precedence over the machine files.
This commit creates a new variable DEY_TF_A_CONFIG in the machine config,
and then uses a straight assignment of TF_A_CONFIG to the new variable on the
tf-a-stm32mp.bbappend.
This allows users to override the machine default and avoids the STM recipe
weak assignment.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Do not install the combo FW and install the WiFi and BT FW as separated FWs,
so they are managed independently.
Md5sums are:
44cf5535f3b40784296843544eae159e sd_w61x_v1.bin.se
300c739a4e126a8f430001c41e5b3a5f uartspi_n61x_v1.bin.se
Note: currently these FW files are copied manually here, till the github FW
files are updated.
These firmware files come from the package IW612_18.99.2.p19.5.zip provided
by NXP support page.
https://onedigi.atlassian.net/browse/DEL-8632
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
Make a series of changes to make sure the imx-boot signing process works:
* Store separate mkimage logs for each imx-boot build. In our case, this
means storing one log per SoC revision. Each SoC revision has a different
SECO fw binary with varying sizes, which causes offsets of specific
signing regions to differ among revisions. Since we parse the offsets
from the logs, we need to make sure the offset information is correct in
each case.
* Remove u-boot-atf-container.img in each mkimage iteration, otherwise the
ATF offset information will be missing from subsequent logs.
* Implement a separate trustfence_sign_imxboot() function for the ccimx8x
to iterate through all SoC revisions.
Note that the SPL+AHAB signing script doesn't support imx-boot encryption yet.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
New NXP's release is based on upstream v2.8. Use this only for ccimx93,
and keep using the previous Kirkstone release (based on upstream v2.6)
for the rest of the platforms.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Weston is not launched in read-only filesystem because /home/root
is not a writable path.
Signed-off-by: Francisco Gil <francisco.gilmartinez@digi.com>
Now that both U-Boot and the SCFW can autodetect the RAM configuration, we can
simplify the imx-boot build process to generate two binaries (one per SOC
revision) instead of eight. Build "flash_spl" imx-boot images and use only one
global defconfig for u-boot.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This update includes automatic RAM configuration detection, and only one SCFW
binary is needed for all ccimx8x variants. Adapt the imx-boot recipe
accordingly.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Use our custom compile/install/deploy functions from DEY 3.2. NXP's imx-boot
recipe assumes only one U-Boot config and SOC revision, but we have multiple,
so we have to rewrite all of these functions.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Currenlty, the github FW version is a bit old and some functionality does not
work on latest IW61x batches.
Use this FW binary till it is released on github. This is required to
have WiFi and Bt working simultaneously.
0c6d454ea83b1a78b4e60df16f478f43 sduart_nw61x_v1.bin.se
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
(cherry picked from commit 92ca458e4f)
Currenlty, the github FW version is a bit old and some functionality does not
work on latest IW61x batches.
Use this FW binary till it is released on github. This is required to
have WiFi and Bt working simultaneously.
0c6d454ea83b1a78b4e60df16f478f43 sduart_nw61x_v1.bin.se
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
Remove patch file "0001-Makefile-Suppress-array-bounds-error.patch"
for ccimx93, as it is already included in the lf-6.1.1_1.0.0 revision.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Weston is not launched in read-only filesystem because /home/root
is not a writable path.
Signed-off-by: Francisco Gil <francisco.gilmartinez@digi.com>
By default, the signing script generates a file without 'w'
permission so DEY cannot remove it from the deploy dir on
a clean operation.
Add the 'w' permission so that DEY can remove it on clean
operations and generate a new signed file when required.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
The FIP image is signed internally by this recipe. The password must be
set in FIP_SIGN_KEY_PASS. With the signing script, the password is
randomly generated and saved in key_pass.txt.
This prefunc obtains the password(s) from the file to set FIP_SIGN_KEY_PASS
so that the FIP can be properly signed.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
These are recipes we created to support Google Coral on i.MX platforms. ST's
machine learning layer provides similar recipes, so to avoid conflicts, move
the recipes meant for i.MX platforms to a dynamic layer.
https://onedigi.atlassian.net/browse/DEL-8308
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Javier Viguera
Arturo Buzarra
Mike Engel
Hector Palacios
Isaac Hermida
Francisco Gil
Gabriel Valcazar
David Escalona