Install scripts may rework the partition table basing on the value of
env variables. Information of UBI volumes may remain on the NAND that
could later not correspond to the new partition table.
Make sure the MTD partitions are erased prior to updating:
- For Multi-MTD, append '-e' option to the update command.
- For Single-MTD, erase the system partition.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Check the status of 'dualboot' env variable.
If set to "yes", use the dualboot partition table in the script and
restore the variable (default is "no") after resetting the environment.
Also, for dualboot, there's no need to wipe the recovery partition or
boot into recovery mode.
For dualboot, this script programs both systems A and B with the same
images.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-7649
Commit c33fc8a7fe wrongly used
https protocol when using MTK remote when it should have been
ssh.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
This is necessary for images that have SELinux enabled. Aside from changing
some package configurations and including an additional library in the rootfs,
this change has no apparent effects on the core functionality of the system.
https://onedigi.atlassian.net/browse/DEL-7641
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
These options should only be enabled when using SELinux, so apply them only
when "selinux" is in the DISTRO_FEATURES. The fragment is a copy of the one in
meta-selinux with the addition of DEFAULT_SECURITY_DAC and LSM.
https://onedigi.atlassian.net/browse/DEL-7641
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This allows users to apply small changes to our kernel configuration without
having to create a completely new defconfig. Use a simplified version of the
kernel-yocto.bbclass implementation.
https://onedigi.atlassian.net/browse/DEL-6706
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
The default policy provided by meta-selinux breaks a lot of the features in
DEY, so adapt it to make most features work. Note that this is simply an
example, end users should create their own policies for their own needs.
Make these changes toggleable so that users can use the reference policy
instead.
https://onedigi.atlassian.net/browse/DEL-7641
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This packagegroup includes all of the userspace packages needed to use SELinux.
For now, use the same variant of the packagegroup, which contains all available
packages.
Since the meta-selinux layer isn't available in all platforms, implement this
change via a dynamic layer.
https://onedigi.atlassian.net/browse/DEL-7641
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This layer has no effect unless "selinux" is in the DISTRO_FEATURES, so it's
safe to add it to our default builds.
https://onedigi.atlassian.net/browse/DEL-7641
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This fixes the following CVEs:
* CVE-2021-3711
* CVE-2021-3712
Port the recipe and patches from the dunfell poky branch, since the hardknott
version contains additional changes aside from the revision update.
https://onedigi.atlassian.net/browse/DEL-7647
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This package includes a script that is executed by a udev rule that we
currently include in our sysvinit images. Without it, the regulatory firmware
mechanism is broken and an error appears when booting the system.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
When we added the SDMA fw systemd service, we accidentally made it so that all
scripts were installed only when using systemd. These files are still needed
when using sysvinit, so correct this change.
While at it, include the SDMA fw service in firmware-imx-sdma's FILES.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This fixes the following CVEs:
* CVE-2021-3711
* CVE-2021-3712
Port the recipe and patches from the dunfell poky branch, since the hardknott
version contains additional changes aside from the revision update.
https://onedigi.atlassian.net/browse/DEL-7647
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
When DualBoot mechanism is enabled and an update is pending,
the boot script needs to change certain variables and save the
environment.
The regular boot script already changes a number of variables,
such as 'extra_bootargs' and 'overlays' by appending strings to
the already existing values. Saving the envionment may make these
grow endlessly with each iteration of the boot script.
For this reason, move the DualBoot check as the first thing in
the script, save the environment if needed, and then continue
with the normal flow, that changes variables before booting
but doesn't save them.
On certain scripts, this allows us to get rid of some instructions
for resetting the overlays variable.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
The script required the passing of option '-b' for setting up the
target to use a single MTD partition and multiple UBI volumes.
If a target however already has the variable 'ubisysvols' set to
'yes' but this parameter is forgotten when calling the script, the
partition layout would change to default (several MTD partitions).
Remove the recently added '-b' option and make the script decide
basing on the current value of 'ubisysvols' variable.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Adapt the format_ubi_volume() function to wipe out UBI volumes
instead of formatting MTD partitions.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-7614
The script preserves the current value of env variable 'ubisysvols'
so that the new partition script generates the appropriate partition
table before proceeding with the update operations.
If using a UBI volumes layout, the script will not erase the partitions.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-7614
With U-Boot supporting the creation of mtdparts and UBI volumes depending
on the value of variable 'ubisysvols', adapt the install script to make
use of those to generate a partition table and UBI volumes accordingly.
This can be triggered with new option '-b'.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Set the new variable 'rootfsvol' to rootfs_a or rootfs_b when dualboot is
enabled, to cover the case where the devices uses the 'system' partition
with different UBI volumes.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
The support for dualboot was integrated on meta-digi-dualboot layer, but it
really depends only on environment variable 'dualboot' so we'd better
integrate the support on the scripts in meta-digi, to avoid synchonization
problems between both layers.
This also allows to be able to easily enable dualboot in U-Boot with the
variable, without needing to update the script on the linux partition.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Traditionally, platforms based on NAND, used one UBI volume
per MTD partition.
Now it's possible to use only one MTD partition containing many
UBI volumes.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-7614
Enabling DIGI_INTERNAL_GIT defaults to LOG server. The build from local
MTK Digi server was broken.
Fix uboot and linux recipes declaring different repo paths depending on
whether the local remote is LOG or MTK.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
This package includes a script that is executed by a udev rule that we
currently include in our sysvinit images. Without it, the regulatory firmware
mechanism is broken and an error appears when booting the system.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
When we added the SDMA fw systemd service, we accidentally made it so that all
scripts were installed only when using systemd. These files are still needed
when using sysvinit, so correct this change.
While at it, include the SDMA fw service in firmware-imx-sdma's FILES.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
The function uboot_getenv() is a wrapper over libuboot_get_env() and
requires that the returned strings are freed when no longer in use.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-7645
(cherry picked from commit 27ce7a4f20)
- The function is only used internally in this file, so make it static.
- Convert the function from 'int' to 'bool', since no other values are
evaluated.
- Only return true if the variable 'dualboot' is set to 'yes'. Before,
the function returned true if 'dualboot' was different than 'no'.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
(cherry picked from commit 9a519570ba)
The use of this function, which is a wrapper over libuboot_get_env(),
requires checking if the returned string is NULL.
Manipulations of such string without checking whether it's NULL may lead
to segfault errors.
This was seen during firmware update on a device that didn't have the
'dualboot' variable set.
Reported-by: Chandrababu Pigilam <chandrababu.pigilam@digi.com>
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-7645
(cherry picked from commit 8a4484bbd6)
The function uboot_getenv() is a wrapper over libuboot_get_env() and
requires that the returned strings are freed when no longer in use.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-7645
- The function is only used internally in this file, so make it static.
- Convert the function from 'int' to 'bool', since no other values are
evaluated.
- Only return true if the variable 'dualboot' is set to 'yes'. Before,
the function returned true if 'dualboot' was different than 'no'.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
The use of this function, which is a wrapper over libuboot_get_env(),
requires checking if the returned string is NULL.
Manipulations of such string without checking whether it's NULL may lead
to segfault errors.
This was seen during firmware update on a device that didn't have the
'dualboot' variable set.
Reported-by: Chandrababu Pigilam <chandrababu.pigilam@digi.com>
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-7645
NetworkManager's main library went through a major overhaul in v1.22, changing
the way it interacts with glib among other things. When using a NetworkManager
version equal or newer than v1.22 along with a glib version between 2.63.3 and
2.65, a race condition can happen, randomly causing segmentation faults.
Since Yocto 3.2 uses NetworkManager 1.22.14 and glib 2.64.5, the race condition
is reproducible, but it can be fixed with the patch introduced in this commit.
The patch in question is commit e4a690f5dd959e74b2d6054826f61509892c8aa7 in the
glib git repo.
https://onedigi.atlassian.net/browse/DEL-7523
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
NetworkManager's main library went through a major overhaul in v1.22, changing
the way it interacts with glib among other things. When using a NetworkManager
version equal or newer than v1.22 along with a glib version between 2.63.3 and
2.65, a race condition can happen, randomly causing segmentation faults.
Since Yocto 3.2 uses NetworkManager 1.22.14 and glib 2.64.5, the race condition
is reproducible, but it can be fixed with the patch introduced in this commit.
The patch in question is commit e4a690f5dd959e74b2d6054826f61509892c8aa7 in the
glib git repo.
https://onedigi.atlassian.net/browse/DEL-7523
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This commit sets the GLIBC version to 2.32. The newest
eIQ packages require a newer glibc, but since said packages
are optional, make sure to use the gatesgarth glibc version
by default.
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
https://onedigi.atlassian.net/browse/DEL-7625
Gonzalo Ruiz
Hector Palacios
Gabriel Valcazar
Arturo Buzarra
Mike Engel