Optee-client provides the TEE Client API as defined by the GlobalPlatform TEE standard.
It is required to communicate with a Trusted Application (TA) running in a Trusted OS.
https://onedigi.atlassian.net/browse/DEL-8970
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Rework commit c5c9838e54 to only limit ML
packages for our ccimx93 and not for other imx93-based devices.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Several things were wrong after the latest update to version 4.0: the
tee-supplicant path, some settings in the systemd unit, etc.
This commit fixes the installation so the optee test suite completes again.
https://onedigi.atlassian.net/browse/DEL-8989
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
This commit fixes the set_fip_sign_key() function to match the new keys format
where there is a key_pass file for each key, no longer needing to search with
the key index.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Trustfence class was setting the TRUSTFENCE_PASSWORD_FILE variable using the
old keys format where a unique key_pass.txt file contains all the key
passwords. However, in the new format there are one key_pass file for each
key, so using a PKI tree with the new format throws an unexpected error in the
FIP generation due to it is not able to find the required key password.
This commit sets the TRUSTFENCE_PASSWORD_FILE variable for the ccmp1 platforms
on different way.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit fixes a race condition where, if you have an existing PKI tree with
the new format (one key_pass file for each key), the script detects that the
PKI tree is incomplete because it is always trying to find the key_pass.txt
file with the old format. This commit adds an additional validation step to
verify the new keys format.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Add a check on the existence of the "temp-fitimg-loaded" environment
variable before setting it. It is needed, as with encrypted FIT images,
we need to decrypt them before accessing the boot script. In such cases,
u-boot sets that variable to "no" so the boot script does not override it,
and the FIT image is loaded again before the final boot to the OS.
https://onedigi.atlassian.net/browse/DEL-8945
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
The signing tools have a dependency of libQt5Core.so.5, which implies that this
library must to be installed on the native PC. This commit includes all the
required shared libraries for the signing tools inside the own package to avoid
external dependencies. With this change there is not needed any more the qtbase
dependency at build time.
Package version has been bumped to 1.2.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This patch fixes the hang issue with EiQ demos using multiple tflite files,
for instance the gesture_detection demo.
https://onedigi.atlassian.net/browse/DEL-8949
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
This recipe is not supported anymore. If you need to add that package
for aarch64, a solution is include pip3 in your image and install it
using the pip3 install manager.
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
This commit fixes the set_fip_sign_key() function to match the new keys format
where there is a key_pass file for each key, no longer needing to search with
the key index.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Trustfence class was setting the TRUSTFENCE_PASSWORD_FILE variable using the
old keys format where a unique key_pass.txt file contains all the key
passwords. However, in the new format there are one key_pass file for each
key, so using a PKI tree with the new format throws an unexpected error in the
FIP generation due to it is not able to find the required key password.
This commit sets the TRUSTFENCE_PASSWORD_FILE variable for the ccmp1 platforms
on different way.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit fixes a race condition where, if you have an existing PKI tree with
the new format (one key_pass file for each key), the script detects that the
PKI tree is incomplete because it is always trying to find the key_pass.txt
file with the old format. This commit adds an additional validation step to
verify the new keys format.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
It is fixed with the new wireless firmware v5.15.58-2023_1128 integrated in
Yocto.
https://onedigi.atlassian.net/browse/DEL-8667
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
- For Qualcomm QCA65x4 platforms:
Add support to create the 'World' board data file for the QCA65x4 Wi-Fi
chip to operate on World regulatory domain.
Kernel wireless driver already supports selecting the correct file based
on the configured Regulatory Domain via Kernel command line argument
'wlan.regdmn', which allows the following parameters:
* "US", for U.S.A. (default)
* "World", for worldwide
- For Murata type2AE platforms:
Add World CLM blob file for the wireless interface and JRL hcd file for
the Bluetooth interface. Also add the autocountry ininitialization script
and systemd service.
World CLM blob file:
- cyfmac4373-sdio_World.clm_blob (1abe7f3fa86d4123b0586cbbf0ec91ac)
Kernel wireless and bluetooth drivers already support selecting the correct
files based on the configured Regulatory Domain via Kernel command line
arguments 'brcmfmac.regdmn' and 'btbcm.regdmn' respectively, which allow the
following parameters:
'brcmfmac.regdmn':
* "US", for U.S.A. (default)
* "World", for worldwide
'btbcm.regdmn':
* "FCC.CE", for U.S.A., Europe and the rest of the world (default)
* "JRL", for Japan
https://onedigi.atlassian.net/browse/DEL-8905
Co-authored-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Different mechanisms are used to sign FIT images on the ccmp1 platforms and the
ccimx93, and we manage each mechanism via a different variable. The variable
names don't really reflect which platform they affect, which makes maintenance
harder.
Rename the variables so that it's easier to identify the platforms/vendors they
affect:
* Replace TRUSTFENCE_FIT_IMG with TRUSTFENCE_SIGN_FIT_STM
* Replace TRUSTFENCE_SIGN_FIT_ARTIFACT with TRUSTFENCE_SIGN_FIT_NXP
Don't rename TRUSTFENCE_FIT_IMG_SIGN_KEYNAME
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Unless we have a use case in which we need to apply these fragments separately,
we can merge them both into a single fragment.
https://onedigi.atlassian.net/browse/DEL-8946
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This logic was fixed in commit e915a14b4b, so we
no longer have to manually copy the bootscript to generate FIT images.
https://onedigi.atlassian.net/browse/DEL-8946
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
We rely on FIT support to implement boot artifact authentication on ccmp1
platforms, but our implementation made it impossible to enable FIT support
outside of the context of Trustfence/secure boot.
Change this so that it's possible to enable FIT support without having to sign
the FIT artifacts. Also, modify the linux-dey 5.15 recipe so that the U-Boot
DTBs with signatures get copied only when FIT signing is enabled.
https://onedigi.atlassian.net/browse/DEL-8946
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This commit updates the required firmware binaries for Bluetooth and Wireless
interfaces, hostapd and wpa_supplicant recipes based on the Cypress Linux WiFi
Driver (FMAC) release v5.15.58-2023_1128 (Wireless firmware v13.10.246.334).
This change also includes a custom defconfig file for the hostapd and
wpa_supplicant recipes including the changes from the patches and the Digi
customizations.
Also are updated the Murata firmware repositories to match with the latest
Murata release imx-kirkstone-hedorah_r1.0, which is based in the same Cypress
Linux Wifi Driver release v5.15.58-2023_1128.
https://onedigi.atlassian.net/browse/DEL-8667
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
The standard string split() function does not support splitting a string
by spaces but preserving quoted strings, so it does not work for build
options disabling functionality, as they have this format:
"# CONFIG_OPTION is not set"
On the other hand, the "shlex" module provides a split function that
allows splitting strings by spaces and, at the same time, preserves
quoted strings.
In Trustfence, we need this functionality to disable default options that
would allow the booting of non-authenticated images.
https://onedigi.atlassian.net/browse/DEL-8704
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
The script to sign the boot artifacts lacked the support to configure the
revocation mask. The at-the-moment supported platforms did not need it,
but the ccimx93 does need it, so implement it in this commit.
https://onedigi.atlassian.net/browse/DEL-8704
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
With the introduction of the ccimx93 support in the following commits, the
srktool parameters not only differ for HAB/AHAB devices but also between
devices using AHAB (for example, different parameters for ccimx8x and
ccimx93). Thus, move this information to the platform-specific data table.
https://onedigi.atlassian.net/browse/DEL-8704
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
It is a cosmetic change, as there is no change in functionality, but
convert the if..elif..fi structure to a table with the platform-specific
data, so it's easier to maintain and extend.
https://onedigi.atlassian.net/browse/DEL-8704
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
In our previous commit, we changed the CVE scan class from "vigiles" to
"digi_ccss" if we plan on building images with the CVE layer. However, we
make this change in conf/local.conf and then run "bitbake-layers add-layer" to
add said layer. Since the bbclass is exclusive to the CVE layer, bitbake isn't
able to recognize it and fails.
Add the CVE layer to the project before adding the Vigiles configuration
template to conf/local.conf.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Our CVE layer now includes a new bbclass that extends the logic of the
"vigiles" bbclass. Use this new class if we are building images with the CVE
layer.
https://onedigi.atlassian.net/browse/DEL-8939
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
expand the docker defconfig excerpt to add more default options, as some
of them might be enable in some platform defconfigs but not in other ones,
so just set all of them, as it is safe, and nothing happens if they are
already set in the original default defconfig.
To check if all LXC/docker options are enabled for a kernel,
run lxc-checkconfig in the system.
https://onedigi.atlassian.net/browse/DEL-8924
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
When we use a fitImage kernel type, all the boot artifacts are inside the
FIT image, so there is no need to add them to the boot image additionally.
We were using TRUSTFENCE_FIT_IMG to do this filtering, which uses
a fitImage kernel type underneath. This commit uses KERNEL_IMAGETYPE
instead, as this way, we can use kernel FIT images out of Trustfence and
still prevent polluting the boot images with not-needed artifacts.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Other recipes may access SYSROOT_DIRS content by adding a dependence
on do_populate_sysroot.
We need this specific directory for the kernel fitImage support.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Not installing all the ML packages but just tensorflow-lite saves space.
We are not including onnxruntime and torchvision, which are not supported
by the i.mx93 (see NXP user guide for details).
The ext4.gz size is decreased from 430MB to 217MB.
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
The patch we were using comes from the time during dualboot support development
where said feature was selectable at build time. The patch adds a new build
option, giving the impression that it only gets enabled under certain
circumstances, when in reality:
* The option is never enabled anywhere in our code
* It's a string option that is treated like a boolean, meaning its
respective conditional compilation is always getting compiled even when
disabled
Our current dualboot support is enabled at runtime, so it doesn't make sense to
have a build-time option related to it, especially one that's broken. Replace
the patch with a functionally equivalent one that is less confusing. Also,
remove the related config option from our defconfig.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
The current log level is very verbose and generates way too much output in some
cases, such as a binary diff update. Reduce the default log level to avoid
this.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This update fixes an initialization issue with devices without HWID programmed.
https://onedigi.atlassian.net/browse/DUB-1066
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit fixes a build issue using meta-digi layer with a different distro
than "dey". Also simplified the bbappend to avoid creating a custom
do_patch_png() task before do_configure().
Reported-by: Stephan Klatt <skladd@users.noreply.github.com>
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit fixes a build issue when this script is installed but not shipped
in the u-boot-tools package.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This reverts commit c5b53c9765.
The HCI reset interface is fixed inside each BT power calibration shell
script, so this workaround is not needed anymore.
https://onedigi.atlassian.net/browse/DEL-8458
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
Not only install the US but all the FW files.
Apart of that, some scripts need a little adjustement such as:
* Modify the BT baudrate to 3Mbps for EU power configuration, as it is the
baudrate used by the btnxpuart driver.
* Replace the way to reset the interface on each hcitool command to
avoid missleading BT behaviour.
https://onedigi.atlassian.net/browse/DEL-8458
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
This commit implements the support to sign the different memory configurations for
the CCMP1 platforms, when trustfence is enabled, using FIT images.
https://onedigi.atlassian.net/browse/DEL-8752
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit implements the support to allow different memory configurations for
the CCMP1 platforms, adding support to 512MB and 1GB memory variants for the CCMP15.
https://onedigi.atlassian.net/browse/DEL-8752
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Arturo Buzarra
Javier Viguera
Isaac Hermida
Mike Engel
Gabriel Valcazar
Gonzalo Ruiz