Adding STM32MP_USB_PROGRAMMER=1 to TF-A NAND build allows the images to
boot from either NAND or USB (recovery) however, the source code of TF-A
disallows correct resuming from suspend when either STM32MP_USB_PROGRAMMER
or STM32MP_UART_PROGRAMMER are defined.
Remove this support so that the system can correctly resume from suspend.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-9629
OP-TEE comes in two flavors: optee and opteemin
For NAND-boot images, add support for USB boot as well,
so that the default tf-a image is valid for booting from
either NAND or USB.
We had this for 'optee' flavor but not for 'opteemin'.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Currently, the final metadata symlink is composed using the TF-A Device Tree
configuration, which includes memory variant details. However, these variants
are not relevant for the metadata binary.
To avoid generating multiple redundant metadata files or using confusing names,
this commit updates the symlink to be composed using the MACHINE variable
instead.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
On the new BSP the configuration is called 'optee-nand' and the build
parameters have changed.
We do this override in meta-digi only to incorporate
`STM32MP_USB_PROGRAMMER=1`
parameter, which allows to boot the nand image from USB, too.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
This commit generalizes the symlink generation to allow creating a final
symlink in the deploy directory, supporting different artifact flavors:
regular, signed or encrypted.
https://onedigi.atlassian.net/browse/DEL-9442
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit imports the sign-stm32mp bbclass from the meta-st-stm32mp layer to
allow customization. The main customization ensures that the search_path()
function does not raise a build exception if the signing tool or keys are not
present in the PATH before starting the build process.
In our case, we do not need to manually install the tools or generate the keys
beforehand, as this is automatically handled by Yocto in our DEY distribution.
https://onedigi.atlassian.net/browse/DEL-9442
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit introduces a custom do_compile() function to resolve a signing
issue affecting the final TF-A artifact, where the SoC name does not match the
TF-A device tree name.
https://onedigi.atlassian.net/browse/DEL-9442
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit updates secure boot support based on the STM32 MPU Ecosystem v6.0
and integrates support for the ConnectCore MP2 platform.
https://onedigi.atlassian.net/browse/DEL-9442
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
We had a SYSROOT_PREPROCESS_FUNCS on the tf-a-stm32mp recipe to
create symlinks to both TF-A and FIP binaries, but the FIP binaries
are now produced by fip-stm32mp recipe.
This had the effect that the files might not be ready.
Duplicate the function in the fip-stm32mp recipe and create the
symlinks for the FIP images there.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
These are clones of 'optee-programmer-uart' and
'optee-programmer-usb' defined in tf-a-stm32mp-config.inc but
do not require to have the STM32MP_DEVICETREE_PROGRAMMER_ENABLE=1
which causes build problems in U-Boot.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-9483
The following TF-A artifacts are deployed to subdirectories of
the image deploydir:
- arm-trusted-firmware/tf-a-<platform>-<bootconfig>.stm32
- arm-trusted-firmware/metadata-<platform>.bin
- fip/fip-<platform>-<bootconfig>.bin
- fip/fip-<platform>-ddr-<bootconfig>.bin
These binaries are not copied to the image deploy dir during
the regular do_deploy(), instead, they are deployed by script
tf_a_sysroot_populate() which is added to SYSROOT_PREPROCESS_FUNCS.
To follow this logic, change the previously wrong do_deploy:append
into a new function and append it also to SYSROOT_PREPROCESS_FUNCS,
so that it is called after the artifacts have really been deployed.
In the existing code, fix the paths and commands, which had some
errors.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-9461
Based on the boot schemes and sources supported for each platform, the boot
artifacts now include this information in their filenames. This commit updates
the filenames accordingly in several recipes.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit removes all outdated TF-A recipes and synchronizes the Digi custom
.bbappend with the latest v2.10 from the ST BSP release, based on the
openstlinux-6.6-yocto-scarthgap-mpu-v24.11.06 tag for Yocto 5.0 (scarthgap).
https://onedigi.atlassian.net/browse/DEL-9381
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
DEY generates the ccmp25 boot artifacts on subdirectories of the main
deploy folder. The firmware installation script expects to have them on
the deploy directory, so create the proper symlinks.
https://onedigi.atlassian.net/browse/DEL-9120
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Add support based on v2.8 version from STM release
openstlinux-6.1-yocto-mickledore-mp2-v23.12.06.
https://onedigi.atlassian.net/browse/DEL-8995
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit fixes the set_fip_sign_key() function to match the new keys format
where there is a key_pass file for each key, no longer needing to search with
the key index.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
When TrustFence is enabled, the boot artifacts (TFA and FIP)
have a 'signed' suffix. Handle this case so that the correct
symlinks are created and the correct artifacts are put into the
SWU file.
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
These binaries are installed in subdirectories by default. The uuu
installer expects to find all binaries on the same folder where the script
is. By creating symlinks, the uuu installer can find all the binaries it
needs directly on the deploy folder.
NOTE: variables in 'for' clauses are intentionally without quotes to skip
whitespaces in them.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
We will use BOOTDEVICE_LABELS as a means to add 'sdcard'
configuration to TF_A_CONFIG within meta-st-stm32 so there
is no need to have a wrapper variable in meta-digi.
This reverts commit c6f19a099c.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Create a new script for the generation of PKI tree for STM platforms
and leave the trustfence-sign-artifact script exclusively for signing.
The new gen-pki script only requires the platform as an argument and the
path to where to save the tree (if it doesn't exist) in
CONFIG_SIGN_KEYS_PATH.
This commit also reverts commit 13c136dbc5 by getting rid of the
trustfence-genpki-native.bb recipe and moving back the PKI generation
functions into trustfence.bbclass. This recipe didn't quite guarantee
that the PKI was generated on time for the recipes that required the
keys to exist, anyway.
Instead, the PKI generation function must be called right after
do_compile() of recipe tf-a-stm32mp to be ready for do_deploy() where
the key is used.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Commit 7cf314ba80 made a weak assignment of TF_A_CONFIG in the machine
config file, so that it could be overriden from conf/local.conf with a
straight assignment. However, this variable already has a weak assignment
on include files for the tf-a-stm32mp recipe, which apparently take
precedence over the machine files.
This commit creates a new variable DEY_TF_A_CONFIG in the machine config,
and then uses a straight assignment of TF_A_CONFIG to the new variable on the
tf-a-stm32mp.bbappend.
This allows users to override the machine default and avoids the STM recipe
weak assignment.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
By default, the signing script generates a file without 'w'
permission so DEY cannot remove it from the deploy dir on
a clean operation.
Add the 'w' permission so that DEY can remove it on clean
operations and generate a new signed file when required.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
The FIP image is signed internally by this recipe. The password must be
set in FIP_SIGN_KEY_PASS. With the signing script, the password is
randomly generated and saved in key_pass.txt.
This prefunc obtains the password(s) from the file to set FIP_SIGN_KEY_PASS
so that the FIP can be properly signed.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
This commit changes the arm-trusted-firmware build configuration to only build
one ATF artifact.
It will create an image that boot over USB and NAND.
https://onedigi.atlassian.net/browse/DEL-8187
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
Hector Palacios
Arturo Buzarra
Javier Viguera
Isaac Hermida
Mike Engel
Francisco Gil