Commit 52a1111da6d72446530da26e135b65a34b48e279 ("OPTEE: MANAGE signature,
M33TD") in the ST layer incorrectly enables CFG_REMOTEPROC_PUB_KEY_VERIFY=y for
all platforms when SIGN_ENABLE is set.
However, co-processor public key verification against OTP fuses is not
supported on stm32mp1x platforms and causes the build to fail.
Remove CFG_REMOTEPROC_PUB_KEY_VERIFY for ccmp15.
https://onedigi.atlassian.net/browse/DEL-10022
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Update secure boot support for Cortex-M processors by refreshing the patch set
and dropping patches already integrated, aligning the implementation with ST
release openstlinux-6.6-yocto-scarthgap-mpu-v26.02.18.
https://onedigi.atlassian.net/browse/DEL-10022
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
We only want to recover the libinput patch that fixes the cursor issue in the
LVGL demo, don't recover the wl_shell patch.
This partially reverts commit 7afc4a67de.
https://onedigi.atlassian.net/browse/DEL-9925
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
These libraries are required by libcamera when IPA support is enabled.
Import them from the meta-OpenSTLinux layer at the
openstlinux-6.6-yocto-scarthgap-mpu-v26.02.18 tag.
https://onedigi.atlassian.net/browse/DEL-10021
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Synchronize the libcamera recipe with the meta-OpenSTLinux layer from the
openstlinux-6.6-yocto-scarthgap-mpu-v26.02.18 tag.
https://onedigi.atlassian.net/browse/DEL-10021
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Remove the local ccimx95 patch series from imx-system-manager bbappend
and fetch the DEY-specific changes directly from the Digi fork.
https://onedigi.atlassian.net/browse/DEL-10009
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Remove the local ccimx95 patch series from imx-oei bbappend and fetch
the DEY-specific changes directly from the Digi fork.
https://onedigi.atlassian.net/browse/DEL-10009
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
The system manager was not reporting (via SCMI) the size for the 2GiB
ram. This patch is a backport of a newer version of the SM.
https://onedigi.atlassian.net/browse/DUB-1117
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Use the SDMA firmware provided by linux-firmware for i.MX6 and i.MX8
platforms. The SDMA blobs shipped in linux-firmware and firmware-imx are
identical, so just use the upstream ones as meta-freescale does.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Enable signed firmware to prevent unauthenticated code on the Cortex-M4
co-processor by verifying images against custom public key from OP-TEE.
https://onedigi.atlassian.net/browse/DEL-9920
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Introduce a configurable variable to enable/disable secure co-processor
firmware when TrustFence is enabled.
https://onedigi.atlassian.net/browse/DEL-9813
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
GPIO1 port access was not enabled on ATF because NXP
reserved it to have exclusive access from the secure
world on their EVK.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-9839
Fix runtime undefined symbol by wrapping Awb::queueRequest() call to
configureAwbAlgo() with EVISION_ALGO_ENABLED.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Integrate ST libcamera recipe from meta-st-openstlinux layer at
openstlinux-6.6-yocto-scarthgap-mpu-v25.06.11 tag. This recipe is required by
the NPU demos in meta-st-x-linux-ai.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Enable signed firmware to prevent unauthenticated code on the Cortex-M33
co-processor by verifying images against OTP-stored keys.
https://onedigi.atlassian.net/browse/DEL-9813
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Exposing these regulators makes the SM disable them during
a reboot process, which leaves the SoC without power, preventing
it from resetting.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-9804
Add a patch with the DDR calibration for B0 generated with NXP's config
tool version 2025.09.
https://onedigi.atlassian.net/browse/DEL-9811
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Add a variable analogous to TRUSTFENCE_SIGN to enable/disable artifact
encryption. Deprecate TRUSTFENCE_DEK_PATH in favor of TRUSTFENCE_KEYS_PATH to
use a more generic name and avoid overloading it as an on/off flag. Add per-key
variables for encryption key filenames to avoid hardcoded names and allow
platform overrides.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Adds support for signing and encrypting Cortex-M firmware on STM platforms,
following the STM32 MPU Ecosystem v6.1.0. This update enables secure boot of
co-processor binaries on ConnectCore MP2, enhancing firmware protection.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Remove obsolete SD card image creation logic and related variables. We
will use WIC images for bootable SD cards.
https://onedigi.atlassian.net/browse/DEL-9768
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Notice that we need to create u-boot and imx-boot symlinks in the deploy
directory, as they are required for the bootloader of the wic images.
https://onedigi.atlassian.net/browse/DEL-9768
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Different platforms use different Cortex-M processors, so instead of
using the M4_DEFAULT_IMAGE_MX95 (as meta-imx does) for an M7 processor,
generalize to the CORTEXM_DEFAULT_IMAGE variable name. Also, move it
to the imx-boot recipe (where it is used) and deploy that image to
the imx-boot-tools directory, so the imx-boot image can be regenerated
externally (without yocto).
https://onedigi.atlassian.net/browse/DEL-9768
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
This series of patches expose a number of regulators of
the PMIC to the non-secure world, so that they can be
referenced and used by Linux drivers.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
This commit updates the secure boot support for STM platforms based on the
STM32 MPU Ecosystem v6.1.0. It introduces support for encrypted boot artifacts,
including TF-A and FIP, and enables this functionality for the ConnectCore MP2
platform.
This enhancement allows secure boot deployments with both authentication and
encryption for improved protection of critical boot components.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit imports the Digi custom version of sign-stm32mp bbclass to ensure
that the search_path() function does not raise a build exception if the signing
tool or keys are not present in the PATH before starting the build process.
In our case, we do not need to manually install the tools or generate the keys
beforehand, as this is automatically handled by Yocto in our DEY distribution.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Add support for the ccimx95 and reorganize the recipe so that all machine
patches are applied for the DEY distribution, regardless of the build
target.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Add the ccimx95dvk flavor to OP-TEE, define the UART6 base and DDR
settings, and update the machine mappings using OPTEEMACHINE as the base
recipe does.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Add the ccimx95 platform cloned from mx95lp5. Provide DDR configuration,
configure the console on lpuart6, and update ccimx95-dvk.conf to select
the new board.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
This commit removes the wl_shell and libweston patche, which
are now not necessary anymore. Becasue we have removed the
wayland backend for the LVGL image.
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
The Digi commits on the optee-os repository are part of the
same branch and apply on top of each other since they do not
collide with each other.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
After the update of the recipe in meta-freescale this patch
(which exists in meta-freescale) does no longer need to
live in meta-digi.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
The Digi commits on the imx-atf repository are now part of the
same branch and apply on top of each other since they do not
collide with each other.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Arturo Buzarra
Gabriel Valcazar
Javier Viguera
Mike Engel
Gonzalo Ruiz
Hector Palacios