This commit updates the secure boot support for STM platforms based on the
STM32 MPU Ecosystem v6.1.0. It introduces support for encrypted boot artifacts,
including TF-A and FIP, and enables this functionality for the ConnectCore MP2
platform.
This enhancement allows secure boot deployments with both authentication and
encryption for improved protection of critical boot components.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit updates the Digi custom .bbappend recipes for FIP and TF-A to align
with the latest ST BSP release, based on the openstlinux-6.6-yocto-scarthgap-mpu-v25.06.11
tag for Yocto 5.0 (scarthgap).
https://onedigi.atlassian.net/browse/DEL-9734
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit simplifies the recipe by integrating the symlink generation
directly into the main do_deploy() function, removing the need to maintain
both a do_deploy() and a do_deploy:append().
https://onedigi.atlassian.net/browse/DEL-9442
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit addresses two issues in the symlink deployment function:
- do_deploy() should not write directly to DEPLOY_DIR_IMAGE. Instead,
it now uses DEPLOYDIR.
- Expands do_deploy() instead of using SYSROOT_PREPROCESS_FUNCS to ensure that
the original FIP artifacts are created and properly regenerated on each build.
https://onedigi.atlassian.net/browse/DEL-9442
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit generalizes the symlink generation to allow creating a final
symlink in the deploy directory, supporting different artifact flavors:
regular, signed or encrypted.
https://onedigi.atlassian.net/browse/DEL-9442
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit imports the sign-stm32mp bbclass from the meta-st-stm32mp layer to
allow customization. The main customization ensures that the search_path()
function does not raise a build exception if the signing tool or keys are not
present in the PATH before starting the build process.
In our case, we do not need to manually install the tools or generate the keys
beforehand, as this is automatically handled by Yocto in our DEY distribution.
https://onedigi.atlassian.net/browse/DEL-9442
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit corrects an issue in the sign key processing when the SoC name does
not match the FIP device tree name.
https://onedigi.atlassian.net/browse/DEL-9442
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit updates secure boot support based on the STM32 MPU Ecosystem v6.0
and integrates support for the ConnectCore MP2 platform.
https://onedigi.atlassian.net/browse/DEL-9442
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
The FIP flavor for OP-TEE + USB is managed in the meta-st-stm32mp layer through
the "optee-programmer-usb". However, since we do not require the additional
overhead introduced by the STM32CubeProgrammer tool, this commit introduces a
new FIP configuration based on OP-TEE for booting from USB.
https://onedigi.atlassian.net/browse/DEL-9442
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
We had a SYSROOT_PREPROCESS_FUNCS on the tf-a-stm32mp recipe to
create symlinks to both TF-A and FIP binaries, but the FIP binaries
are now produced by fip-stm32mp recipe.
This had the effect that the files might not be ready.
Duplicate the function in the fip-stm32mp recipe and create the
symlinks for the FIP images there.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
This commit integrates a custom .bbappend to fix a deployment issue of the
final FIP artifact, where the SoC name does not match with the FIP device tree
name.
https://onedigi.atlassian.net/browse/DEL-9381
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Arturo Buzarra
Hector Palacios