Add initial support cloned from ccmp15, based on v2022.10 from STM release
openstlinux-6.1-yocto-mickledore-mp2-v23.12.06.
https://onedigi.atlassian.net/browse/DEL-8995
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commits adds the CCMX91 platform to the DEY
build system. Furthermore, it creates generic ccimx9
support to be used for the CCiMX91 and CCiMX93
platform.
https://onedigi.atlassian.net/browse/DEL-9106
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
When TrustFence is enabled, use the HUK programmed on the OTP
bits for the ccmp15 platform.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-9121
There is a harmless error when restoring alsa profiles, as it also
attempts to restore UCM profiles.
Since we do not include UCM profiles for our sound cards, skip it.
https://onedigi.atlassian.net/browse/DEL-9066
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
In legacy NAND platforms like the ccimx6ul, it's possible to use a single-MTD
configuration with dualboot disabled, which allows access to the functionality
provided by the recovery partition. However, the partition encryption feature
requires a multi-MTD configuation, so said feature shouldn't be accessible in
this case.
Prevent access to partition encryption in a single-MTD system by:
* Adding the "system" partition to the partition blacklist in both the
recovery-utils library and the recovery initscript.
* Checking the "singlemtdsys" environment variable before using any
functionality related to partition encryption.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Currently, when wiping the update volume via the recovery partition on a
ccimx6ul with singlemtdsys enabled, the procedure fails with this error:
[RECOVERY] Starting recovery...
[RECOVERY] Wipe 'update' partition requested
[RECOVERY] Formatting 'update' ubi volume
ubi0 error: ubi_open_volume.part.0: cannot open device 0, volume 3, error -16
ubiupdatevol: error!: cannot open "/dev/ubi0_3"
error 16 (Device or resource busy)
This is because the logic used to unmount a volume before formatting it is
expecting this entry format when running "mount":
ubi0:update on /mnt/update type ubifs
While this is the format of the "mount" output in userspace for the rootfs
volume, other trivial volumes have this format instead:
ubi0_3 on /mnt/update type ubifs
Adapt the logic to this format so that the "update" volume wipe procedure can
take place.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
When running the installation script on variants with larger NANDs, two of the
script's commands take longer than our intended timeouts under specific
circumstances:
* When the variant has a NAND with 512 MiB or more and singlemtdsys is set
to "yes", running ubivolscipt takes longer than our 10 second timeout.
The larger the NAND storage size, the longer this command takes.
* When the variant has a 1 GiB NAND, singlemtdsys is set to "yes" and
dualboot is set to "no", the update of the recovery UBI volume takes
longer than our 15 second timeout.
In both of these cases, the script fails and the installation process cannot
continue. Apply the following changes to prevent this:
* Increase the ubivolscript timeout from 10 seconds to 30
* Increase the recovery update timeout from 15 seconds to 20
Also, remove the command immediately before ubivolscript is run, since said
command is already being run at the beginning of ubivolscript.
https://onedigi.atlassian.net/browse/DEL-9097
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
By default, the secure storage path in the REE is "/var/lib/tee". It is
part of the rootfs, and thus, it gets lost on a firmware update.
This commit changes that path to a different partition "/mnt/data/tee"
when Trustfence file-based encryption is enabled.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Building Optee trusted applications (TA) depends on optee_client and the TA
devkit provided by optee_os. Our toolchain provides those dependencies, but
the SDK script which configures the environment for standalone building,
is not configuring some variables needed to build trusted applications.
This commit extends the SDK environment script to allow building TAs.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Add also 'e2fsprogs-tune2fs' to the image, as busybox's version of
tune2fs command does not support setting the "encrypt" feature of the
EXT4 filesystem.
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Occassionally, the loading the WiFi driver might fail, because of the
MMC node was not correctly initialized.
Fix that by rebinding the MMC node. This fix implements a similar workaround
as in c30b947408.
https://onedigi.atlassian.net/browse/DEL-9083
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
One of the conditions used to determine the U-Boot file was missing its
terminator, breaking the script.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
(cherry picked from commit 26dc437a25)
On devices with NAND as storage media, a post install script
modifies the fw_env.config file basing on the NAND geometry.
This only happens once after deployment, typically on production
environments. If the power is removed soon after the post install
script runs (which is a normal procedure on manufacturing
environments), there are chances that pending file system
operations have not been flushed, which may occasionally lead
to the fw_env.config file end up empty on the next reboot.
This commit adds a sync at the end of the post-install script
to guarantee the changes are written to the file system.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-9059
On new platforms, trustfence will use file-based encryption instead of
full-disk encryption. Add base variables and platform defaults to allow
implementing file-based encryption.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Encrypting boot artifacts impacts the device's boot time, so disable them
by default. It is still possible to enable it in the project's config
file by setting the TRUSTFENCE_DEK_PATH option.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
There is a corner case that wasn't cover by the script, if you
use the script using a -k -t the "-t" would be the name of the
dek.bin.
This new implementation solves the issue.
Signed-off-by: Francisco Gil <francisco.gilmartinez@digi.com>
By default is trying to install an artifact imx-boot--<platform>
if trustfence is not enabled.
Signed-off-by: Francisco Gil <francisco.gilmartinez@digi.com>
Some variables in the script belong to u-boot, not to the shell
running the script. Escape those variables so the shell does not
expand them.
Signed-off-by: Francisco Gil <francisco.gilmartinez@digi.com>
Unlike the rest of the NXP platforms, in u-boot, the ccimx93 allows
configuring a GPIO name to activate the console when secure console is
enabled. Those u-boot options were not translated to the trustfence code
in meta-digi.
https://onedigi.atlassian.net/browse/DEL-9063
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
This commit removes the Cortex-M4 overlay because the M4 has
been enabled now in the DTSI file.
https://onedigi.atlassian.net/browse/DEL-9056
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
The patches have been backported from the lf-6.1.36-2.1.0 release of
imx-mkimage.
https://onedigi.atlassian.net/browse/DUB-1081
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
The patches have been backported from the lf-6.1.36-2.1.0 release of
imx-mkimage.
https://onedigi.atlassian.net/browse/DUB-1081
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This commit adds some basic TSN support to DEY.
It includes the kernel configuration fragment with
the IEEE 802.1 support and the some user space tools
necessary to configure the network.
https://onedigi.atlassian.net/browse/DEL-9026
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
The command trustfence update doesn't require the partition argument.
Besides of that, remove extra fi on the cc8m platforms.
Signed-off-by: Francisco Gil <francisco.gilmartinez@digi.com>
* Move Digi code out of the upstream files to minimize conflicts in
version migrations.
* Remove all the TEE client copied code and use the libteeclient library.
* Some fixes in the Optee-based environment encryption
* Some simplifications in CAAM-based environment encryption.
https://onedigi.atlassian.net/browse/DUB-1079
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
At the moment, this overlay adds RTC calibration to compensate
the drift observed in the 32kHz input frequency of hardware
version 1 of the SOM.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-8987
Update BDF file used on CC8MN and CC8MM with a new calibration
(GOLDEN3) to obtain a flatter frequency response and a better EVM
performance.
Reference calibration file is obtained from 'qca6574au-le-2-2-2_qca_oem'
repo at tag 'r00005.1' under path
'wlanfw/cnss_proc/wlan/fw/target/sdio_dst/qc6174/bdwlan30.bin'
(MD5SUM: 8a40d95698825e1718bee640b1f7982a).
Target output powers tables and CTL tables remain intact.
Changes required to pass the EN 300 328 V2.2.2 blocking test also remain
intact.
New BDF file:
- bdwlan30_US.bin (86180198440e6ab53734aabf0112c6ba)
https://onedigi.atlassian.net/browse/DEL-9001
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
This commit adds RT functionality to CCMP1. The patches
have been extracted from STM RT expansion package and
includes the maineline RT patches and the STM RT driver
patches and RT Kernel defconfig changes.
https://onedigi.atlassian.net/browse/DEL-8880
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
This commit adds real time test tools to the system.
The hwlatedetct is a program that controls the kernel
hardware latency detector module. This is used to detect
large system latencies independent of Linux itself.
The rt-tests package is a test suite that includes the cyclictest
tool to measure the difference between a thread's intended
wake-up time and the time at which it actually wakes up.
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
Arturo Buzarra
Hector Palacios
Mike Engel
Isaac Hermida
Francisco Gil
Gabriel Valcazar
Javier Viguera
Gonzalo Ruiz