These options should only be enabled when using SELinux, so apply them only
when "selinux" is in the DISTRO_FEATURES. The fragment is a copy of the one in
meta-selinux with the addition of DEFAULT_SECURITY_DAC and LSM.
https://onedigi.atlassian.net/browse/DEL-7641
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This allows users to apply small changes to our kernel configuration without
having to create a completely new defconfig. Use a simplified version of the
kernel-yocto.bbclass implementation.
https://onedigi.atlassian.net/browse/DEL-6706
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
The default policy provided by meta-selinux breaks a lot of the features in
DEY, so adapt it to make most features work. Note that this is simply an
example; end users should create their own policies for their own needs.
Make these changes toggleable so that users can use the reference policy
instead.
https://onedigi.atlassian.net/browse/DEL-7641
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This packagegroup includes all of the userspace packages needed to use SELinux.
For now, use the same variant of the packagegroup, which contains all available
packages.
Since the meta-selinux layer isn't available in all platforms, implement this
change via a dynamic layer.
https://onedigi.atlassian.net/browse/DEL-7641
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This layer has no effect unless "selinux" is in the DISTRO_FEATURES, so it's
safe to add it to our default builds.
https://onedigi.atlassian.net/browse/DEL-7641
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This fixes the following CVEs:
* CVE-2021-3711
* CVE-2021-3712
Port the recipe and patches from the dunfell poky branch, since the hardknott
version contains additional changes aside from the revision update.
https://onedigi.atlassian.net/browse/DEL-7647
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This package includes a script that is executed by a udev rule that we
currently include in our sysvinit images. Without it, the regulatory firmware
mechanism is broken and an error appears when booting the system.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
When we added the SDMA fw systemd service, we accidentally made it so that all
scripts were installed only when using systemd. These files are still needed
when using sysvinit, so correct this change.
While at it, include the SDMA fw service in firmware-imx-sdma's FILES.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
When the DualBoot mechanism is enabled and an update is pending,
the boot script needs to change certain variables and save the
environment.
The regular boot script already changes a number of variables,
such as 'extra_bootargs' and 'overlays' by appending strings to
the already existing values. Saving the environment may make these
grow endlessly with each iteration of the boot script.
For this reason, move the DualBoot check as the first thing in
the script, save the environment if needed, and then continue
with the normal flow, that changes variables before booting
but doesn't save them.
On certain scripts, this allows us to get rid of some instructions
for resetting the overlays variable.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
The script required the passing of option '-b' for setting up the
target to use a single MTD partition and multiple UBI volumes.
If a target however already has the variable 'ubisysvols' set to
'yes' but this parameter is forgotten when calling the script, the
partition layout would change to default (several MTD partitions).
Remove the recently added '-b' option and make the script decide
based on the current value of the 'ubisysvols' variable.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Adapt the format_ubi_volume() function to wipe out UBI volumes
instead of formatting MTD partitions.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-7614
The script preserves the current value of env variable 'ubisysvols'
so that the new partition script generates the appropriate partition
table before proceeding with the update operations.
If using a UBI volumes layout, the script will not erase the partitions.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-7614
With U-Boot supporting the creation of mtdparts and UBI volumes depending
on the value of variable 'ubisysvols', adapt the install script to make
use of those to generate a partition table and UBI volumes accordingly.
This can be triggered with new option '-b'.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Set the new variable 'rootfsvol' to rootfs_a or rootfs_b when dualboot is
enabled, to cover the case where the device uses the 'system' partition
with different UBI volumes.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
The support for dualboot was integrated on meta-digi-dualboot layer, but it
really depends only on environment variable 'dualboot' so we'd better
integrate the support on the scripts in meta-digi, to avoid synchronization
problems between both layers.
This also makes it possible to easily enable dualboot in U-Boot with the
variable, without needing to update the script on the linux partition.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Traditionally, platforms based on NAND used one UBI volume
per MTD partition.
Now it's possible to use only one MTD partition containing many
UBI volumes.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-7614
Enabling DIGI_INTERNAL_GIT defaults to LOG server. The build from local
MTK Digi server was broken.
Fix uboot and linux recipes declaring different repo paths depending on
whether the local remote is LOG or MTK.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
The function uboot_getenv() is a wrapper over libuboot_get_env() and
requires that the returned strings are freed when no longer in use.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-7645
(cherry picked from commit 27ce7a4f20)
- The function is only used internally in this file, so make it static.
- Convert the function from 'int' to 'bool', since no other values are
evaluated.
- Only return true if the variable 'dualboot' is set to 'yes'. Before,
the function returned true if 'dualboot' was different than 'no'.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
(cherry picked from commit 9a519570ba)
The use of this function, which is a wrapper over libuboot_get_env(),
requires checking if the returned string is NULL.
Manipulations of such string without checking whether it's NULL may lead
to segfault errors.
This was seen during firmware update on a device that didn't have the
'dualboot' variable set.
Reported-by: Chandrababu Pigilam <chandrababu.pigilam@digi.com>
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-7645
(cherry picked from commit 8a4484bbd6)
NetworkManager's main library went through a major overhaul in v1.22, changing
the way it interacts with glib among other things. When using a NetworkManager
version equal to or newer than v1.22 along with a glib version between 2.63.3 and
2.65, a race condition can happen, randomly causing segmentation faults.
Since Yocto 3.2 uses NetworkManager 1.22.14 and glib 2.64.5, the race condition
is reproducible, but it can be fixed with the patch introduced in this commit.
The patch in question is commit e4a690f5dd959e74b2d6054826f61509892c8aa7 in the
glib git repo.
https://onedigi.atlassian.net/browse/DEL-7523
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This commit sets the GLIBC version to 2.32. The newest
eIQ packages require a newer glibc, but since said packages
are optional, make sure to use the gatesgarth glibc version
by default.
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
https://onedigi.atlassian.net/browse/DEL-7625
This commit adds a verification into the recovery library to avoid
that it is executed when in dualboot mode.
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
https://onedigi.atlassian.net/browse/DEL-7580
(cherry picked from commit 30aa4a7444)
Add scfw, mca-tool and trustfence-tool version updates to changelog.
Update OpenSSL version to v1.1.1k in the changelog.
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
This command was already present on the script used for CC8X. Add it here
so the scripts are as much alike as possible.
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
Fastboot is configured on boot with the current MMC configuration.
If we create a GPT partition table, we need to restart fastboot before we
try to program any partition with the 'flash' fastboot command.
Set 'fastboot_dev' to a different device, 'sata' for example, and back to 'mmc'
to trigger a fastboot restart after creating the partition table on blank
devices.
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
Includes:
- add support for getting properties from the ROM bootloader.
- flash layout extra check by asking flash size to the MCA bootloader.
- flash layout extra check by asking flash size to the MCA.
Signed-off-by: Hector Bujanda <hector.bujanda@digi.com>
The current syntax only works properly when running the script through bash.
Change this so that it works for other shells as well.
While at it, fix a typo in the message that appears when the variant can't be
detected in the 6UL script.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
We document how to use this script from the Yocto image directory. Now that the
*.ext4 files are compressed by default, the script needs to automatically
decompress said files before starting the update process.
https://onedigi.atlassian.net/browse/DEL-7582
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>