Port the recipe from the dunfell poky branch. This version contains the latest
vulnerability fixes, including CVE-2022-0778.
https://onedigi.atlassian.net/browse/DEL-7868
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
(cherry picked from commit be046db4faae911b2a858d748551c6c91fc54043)
Signed image support in U-Boot has been split into two separate configurations:
one that adds artifact authentication support and another that signs the U-Boot
binary at the end of the build. Reflect this change in meta-digi.
https://onedigi.atlassian.net/browse/DEL-7862
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
In meta-openembedded commit 35d249bb9a575a5a48491052896e121266d515f0,
libconfig, one of swupdate's dependencies, was split into two packages: one for
the C library and another for the C++ one. swupdate depends only on the C
library, but the C++ library was implicitly pulling in other dependencies, such
as libgcc.
After the commit mentioned above, libgcc stopped being pulled into our recovery
image, causing the following error to appear when swupdate terminates:
libgcc_s.so.1 must be installed for pthread_cancel to work
Aborting
Even if the action carried out by swupdate is successful, our recovery script
detects this as an error and aborts the update operation. Avoid this by
explicitly adding libgcc as a runtime dependency for swupdate.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This commit adds power safe and reboot safe script for the MCA
and substitute default reboot and poweroff busybox commands.
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
https://onedigi.atlassian.net/browse/DEL-7828
We originally included this recipe to fix some vulnerabilities in the dnsmasq
version used in zeus (v2.80), but the recipe has been updated since then. The
current version used by default in hardknott is v2.85.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Now that the "--platform" parameter is optional, we don't need to hardcode the
platform anymore, so remove the first patch.
In this version, the FDO platform has been renamed to WL, and since the default
PACKAGECONFIG is meant to work with older cog versions, we need to manually
append the "wl" PACKAGECONFIG to build the wayland platform.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This is a partial revert of commit 3819ee6672.
NXP simplified the profile script when updating to hardknott-5.10.72-2.2.0, but
since the /run/user/0 directory isn't automatically created in sysvinit
environments, the weston desktop fails to start in these cases. The previous
version of the script automatically creates said directory if it's missing, so
use that version instead.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
We already have a copy of NXP's weston.ini, so there's no need to manuallly
append to it in our do_install_append(). Simply add our changes for our custom
desktop background directly in the source file.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
In older Yocto versions, weston was launched via a udev rule, but now it gets
launched as part of the "graphical" system target. Since this target isn't
reached automatically on boot, the weston desktop will only appear if you
manually launch said target (or the weston service itself).
To make the desktop launch automatically, change the target to "multi-user",
which is the default target laucnhed on boot.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This makes it possible to distinguish between two different packages:
* NXP's tensorflow-lite, which contains modifications for i.MX platforms
* Our tensorflow-lite, which is meant to be used with Google Coral
Since tensorflow-lite-coral provides a subset of the files provided by
tensorflow-lite (specifically, the python libraries), make the packages
conflict during runtime.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Update a patch so it applies cleanly and remove another one, since it has
already been applied upstream
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This package was originally being added via RDEPENDS, and its removal was
missing when porting the newer file from NXP's meta-imx. Re-incorporate the
removal to avoid including the package in our images, but do so by adding it
to our images' BAD_RECOMMENDATIONS.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Even though our busybox recipe (v1.34.1) is backported from poky's honister
branch, it has many elements in common with the recipe provided from poky's
hardknott branch (v1.33.1). To simplify our backport, re-use poky's busybox
files when possible, replacing them only when strictly necessary.
While at it, remove the busybox-inittab recipe, since there are barely any
differences between the honister and hardknott versions.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This PACKAGECONFIG existed in gatesgarth, but it's included by default in
hardknott and it pulls in libgbm as a dependency. This package isn't available
for i.MX6 platforms, causing the build to fail immediately. Remove this from
the ccimx6 PACKAGECONFIG and leave it how it was on gatesgarth.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
For packages such as weston or opencv, bitbake will sometimes choose the poky
recipes, causing build errors. Explicitly set the NXP version of these packages
as the preferred version by mimicking the layer.conf configuration in the
meta-bsp layer of meta-imx.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
We now use the meta-freescale recipe as a base for our .bbappend, so remove
the filter.
This reverts commit 9e68d61f7c465800d62913c044e43c541f2eacd7.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Aside from the file paths changing, there are a few cosmetic differences
between v1.22.14 and v1.30.4 that prevented the patches from applying, so
re-work them.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
The common license file GPL-2.0 is now called GPL-2.0-only in poky, so we need
to reflect this name change to avoid errors
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This is a generic package that is currently being used by NXP to load firmware
on the target, so include it in our images as well. Since it only works with
systemd, leave it out of builds that use sysvinit.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
poky now provides glibc v2.33 by default, and there aren't any alternative
versions available, so there's no need for this.
This reverts commit e7921dfd93.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Remove the v3.0.8 version of the recipe to use the v3.0.9 recipe in poky. Also,
adapt our .bbappend since some of its changes are outdated.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Most of the changes are cosmetic (copyright years and whitespace). Update
gstreamer1.0-plugins-good-qt to v1.18.5, remove outdated patch for said package
and sync qtwayland recipe.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
We initially backported v4.5.2.imx into gatesgarth, but since that version is
already available in meta-freescale, remove the base recipe and keep only the
.bbappend.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Add custom NXP daemon.conf, new NXP patch and adapt ccimx6ulsbc patch to apply
cleanly over v14.2
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Sync the .bbappend while keeping our ccimx6 patch and remove the 9.0.0.imx
recipe, since it's already available in meta-freescale.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Remove recipes that are available in the community layers, include a new
.bbappend for python3-matplotlib and update the .bbappend for python3-wheel
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This patch was initially needed for a specific version combination of
NetworkManager (>= v1.22) and glib-2.0 (v2.63.3 - v2.64.X), but since the
hardknott branch of poky now provides glib-2.0 v2.66.7, the patch isn't
needed anymore.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
We initially added newer versions of the recipes related to WPE Webkit in order
to incorporate performance improvements, but the hardknott branch of
meta-webkit includes even newer versions, so we can remove our recipes.
Reflect this change in our distro config file.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
The weston recipe we ported from NXP's meta-imx layer has the same name,
causing warnings to appear when applying our patches. To avoid confusion,
ignore the meta-freescale version of the recipe so that ours is the only
option.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
(cherry picked from commit 9e68d61f7c465800d62913c044e43c541f2eacd7)
Otherwise, the .bbappend applies to all existing weston recipes, and since our
patch is only available in our layer, bitbake will print warnings about the
patch not being found for those other recipes. This is harmless, since DEY
always uses NXP's version of weston, but it can be confusing, so avoid the
warnings altogether.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
(cherry picked from commit d4464a8211bff6b315a8ed5d094b8c25099f4130)
Digi Embedded Yocto 3.2-r2.2
Manually changed recipes to use the master branches instead of the fixed SHA1
from the last release.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
SQUASHFS read-only rootfs cannot be unencrypted on-the-fly
so skip encryption if read-only-rootfs is active.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
When TrustFence and a read-only rootfs are enabled, U-Boot must
authenticate the SQUASHFS root file system. Add config switch to force
U-Boot to authenticate this image.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
This mode is necessary in the recovery initramfs to be able to properly detect
any external storage device that might contain an update package. The
configuration option associated with this mode became explicit after upgrading
busybox to v1.34.1, so enable it in our defconfig.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
The nand devices doesn't need to call the mount_cryptrootfs
script.
Reported-by: Francisco Gil <francisco.gilmartinez@digi.com>
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Some recipes were forcibly removing conflicting packages.
This does not allow to add those packages back for users that
want to use meta-digi layer, but a different distro than 'dey'.
With the 'dey' distro override, such removals are only done
if using this distro.
Reported-by: Michael Burr <michael.burr@digi.com>
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-7712
In the cc6ul we are not powering-off the supply of the XBee.
This is making that after a suspend/resume action the XBee
hangs due to ModemManager hasn't been stopped before the suspend.
Stopping ModemManager before going to suspend solves the issue.
https://onedigi.atlassian.net/browse/DEL-7701
Signed-off-by: Francisco Gil <francisco.gilmartinez@digi.com>
Since commit 11558352 ("swu-images: add "installed-directly" flag to
sw-description") the swu package images are streamed into the target without
any temporary copy to support devices with low memory available, that forces a
different order according with the swupdate documentation because scripts
should packed before the rest. This means that all the pre, post and shell
scripts will be executed after the images will be installed. This behavior
breaks the current support to mount the cryptorootfs node before install an
encrypted rootfs.
This commit moves the shell script to mount the cryptorootfs node to the
recovery initramfs and modifies the swupdate command line to call the shell
script before the images installation.
https://onedigi.atlassian.net/browse/CC8X-320
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Since we added support for compressing rootfs images, we need to manage SWU
packages with a regular rootfs image and with compressed images. That support
was missing in the identification process when the SWU packet was verified.
This commit fixes the identification of compressed rootfs images.
https://onedigi.atlassian.net/browse/CC8X-320
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This recipe had a post install script to do the following:
- create runlevel symlinks.
- comment the 'auto' lines of /etc/network/interfaces if running on
a non-Wi-Fi variant.
- add Atheros or QCA bridge examples depending on the detected chip.
- add wlan1 interface only if QCA chip is detected.
This post install cannot run on a read-only-rootfs so the recipe has been
reworked to do the same things at build time:
- the runlevel symlinks have been removed because they are taken care
of by a poky class.
- add a pre-up condition (the existance of a wireless entry on the device
tree) so that the interface is not brought up if the condition is not met.
- for the cc6/cc6n, since the Wi-Fi chip can be Atheros or QCA, add
specific wlan1 and br0 fragments with a pre-up condition basing on the
detected ID of the Wi-Fi chip
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-7708
The access point configuration files are dynamically modified on a post
install script to generate an SSID name based on the last digits of the
MAC address (physical or virtual) assigned to a wlanX interface.
On read-only file systems, this is not possible, so add some conditional
code to the do_install() to use instead the $DIGI_FAMILY name.
Caveat: if several identical SOMs with read-only-rootfs co-exist on the
same network as APs, they will identify with the same SSID.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-7708
Some packages require different scripts, configuration files or installations
depending on the wireless chip assembled on the target. In general, the way
to support both chips in one image is to have the recipes install both
versions of the aforementioned files, then leave only the strictly necessary
version once the wireless chip can be deduced.
In the case of the init-ifupdown recipe, this involves installing temporary
configuration fragments that are later erased. In the case of the standby
script, the logic can be implemented in a single file.
https://onedigi.atlassian.net/browse/DEL-7661https://onedigi.atlassian.net/browse/DEL-7666
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This allows the packages to be included in the ccimx6sbc images. While at it,
include the Qualcomm bluez patches in ccimx6 builds. These patches aren't
destructive, they simply add functionality required by the Qualcomm chip, so
they shouldn't have any secondary effects when using the Atheros chip.
https://onedigi.atlassian.net/browse/DEL-7661https://onedigi.atlassian.net/browse/DEL-7666
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
The latest version of psplash changed the default path to store the
communication FIFO with other processes to "/run" to allow keeping the
information between reboots, however we are using this tool from an initramfs
where "/run" does not exist, producing multiple errors trying to write to a
nonexistent path, delaying the update process.
This commit forces psplash to use an existing path like "/tmp" to handle the
communication FIFO, because we don't need to maintain the update information.
https://onedigi.atlassian.net/browse/CC8X-318
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
The latest version of psplash changed the default path to store the
communication FIFO with other processes to "/run" to allow keeping the
information between reboots, however we are using this tool from an initramfs
where "/run" does not exist, producing multiple errors trying to write to a
nonexistent path, delaying the update process.
This commit forces psplash to use an existing path like "/tmp" to handle the
communication FIFO, because we don't need to maintain the update information.
https://onedigi.atlassian.net/browse/CC8X-318
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
These options should only be enabled when using SELinux, so apply them only
when "selinux" is in the DISTRO_FEATURES. The fragment is a copy of the one in
meta-selinux with the addition of DEFAULT_SECURITY_DAC and LSM.
https://onedigi.atlassian.net/browse/DEL-7641
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
The default policy provided by meta-selinux breaks a lot of the features in
DEY, so adapt it to make most features work. Note that this is simply an
example, end users should create their own policies for their own needs.
Make these changes toggleable so that users can use the reference policy
instead.
https://onedigi.atlassian.net/browse/DEL-7641
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This packagegroup includes all of the userspace packages needed to use SELinux.
For now, use the same variant of the packagegroup, which contains all available
packages.
Since the meta-selinux layer isn't available in all platforms, implement this
change via a dynamic layer.
https://onedigi.atlassian.net/browse/DEL-7641
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This fixes the following CVEs:
* CVE-2021-3711
* CVE-2021-3712
Port the recipe and patches from the dunfell poky branch, since the hardknott
version contains additional changes aside from the revision update.
https://onedigi.atlassian.net/browse/DEL-7647
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This fixes the following CVEs:
* CVE-2021-3711
* CVE-2021-3712
Port the recipe and patches from the dunfell poky branch, since the hardknott
version contains additional changes aside from the revision update.
https://onedigi.atlassian.net/browse/DEL-7647
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Adapt the format_ubi_volume() function to wipe out UBI volumes
instead of formatting MTD partitions.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-7614
The function uboot_getenv() is a wrapper over libuboot_get_env() and
requires that the returned strings are freed when no longer in use.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-7645
(cherry picked from commit 27ce7a4f20)
- The function is only used internally in this file, so make it static.
- Convert the function from 'int' to 'bool', since no other values are
evaluated.
- Only return true if the variable 'dualboot' is set to 'yes'. Before,
the function returned true if 'dualboot' was different than 'no'.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
(cherry picked from commit 9a519570ba)
The use of this function, which is a wrapper over libuboot_get_env(),
requires checking if the returned string is NULL.
Manipulations of such string without checking whether it's NULL may lead
to segfault errors.
This was seen during firmware update on a device that didn't have the
'dualboot' variable set.
Reported-by: Chandrababu Pigilam <chandrababu.pigilam@digi.com>
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-7645
(cherry picked from commit 8a4484bbd6)
The function uboot_getenv() is a wrapper over libuboot_get_env() and
requires that the returned strings are freed when no longer in use.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-7645
- The function is only used internally in this file, so make it static.
- Convert the function from 'int' to 'bool', since no other values are
evaluated.
- Only return true if the variable 'dualboot' is set to 'yes'. Before,
the function returned true if 'dualboot' was different than 'no'.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
The use of this function, which is a wrapper over libuboot_get_env(),
requires checking if the returned string is NULL.
Manipulations of such string without checking whether it's NULL may lead
to segfault errors.
This was seen during firmware update on a device that didn't have the
'dualboot' variable set.
Reported-by: Chandrababu Pigilam <chandrababu.pigilam@digi.com>
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-7645
NetworkManager's main library went through a major overhaul in v1.22, changing
the way it interacts with glib among other things. When using a NetworkManager
version equal or newer than v1.22 along with a glib version between 2.63.3 and
2.65, a race condition can happen, randomly causing segmentation faults.
Since Yocto 3.2 uses NetworkManager 1.22.14 and glib 2.64.5, the race condition
is reproducible, but it can be fixed with the patch introduced in this commit.
The patch in question is commit e4a690f5dd959e74b2d6054826f61509892c8aa7 in the
glib git repo.
https://onedigi.atlassian.net/browse/DEL-7523
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
NetworkManager's main library went through a major overhaul in v1.22, changing
the way it interacts with glib among other things. When using a NetworkManager
version equal or newer than v1.22 along with a glib version between 2.63.3 and
2.65, a race condition can happen, randomly causing segmentation faults.
Since Yocto 3.2 uses NetworkManager 1.22.14 and glib 2.64.5, the race condition
is reproducible, but it can be fixed with the patch introduced in this commit.
The patch in question is commit e4a690f5dd959e74b2d6054826f61509892c8aa7 in the
glib git repo.
https://onedigi.atlassian.net/browse/DEL-7523
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This commit sets the GLIBC version to 2.32. The newest
eIQ packages require a newer glibc, but since said packages
are optional, make sure to use the gatesgarth glibc version
by default.
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
https://onedigi.atlassian.net/browse/DEL-7625
This commit add a verification into the recovery library to avoid
that it is executed when in dualboot mode.
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
https://onedigi.atlassian.net/browse/DEL-7580
(cherry picked from commit 30aa4a7444)
This commit add a verification into the recovery library to avoid
that it is executed when in dualboot mode.
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
https://onedigi.atlassian.net/browse/DEL-7580
swupdate has the necessary logic to handle compressed images, so take advantage
of this to save space and reduce update package transfer times.
https://onedigi.atlassian.net/browse/DEL-7582
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Since these images are highly compressable, this greatly reduces the amount of
space taken up by build artifacts.
Modify the code used to generate the .sdcard and .installer.zip files so that
they contain the decompressed .ext4 image.
https://onedigi.atlassian.net/browse/DEL-7582
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This commit adds the required libraries and packages to exercise the Google
Coral devices with Digi Embedded Yocto.
https://onedigi.atlassian.net/browse/DEL-7547
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
'mdev -s' run on ramfs initialization is able to mount external media already
detected but fails to automatically mount any media detected afterwards.
Running it as a daemon first it will also be able to mount any media detected
after 'mdev -s' is run.
Use argument '-d' to first run mdev as daemon in background.
Move 2 seconds delay to after mdev has been initialized to give external
hardware all the time possible to be successfully detected and mounted.
https://onedigi.atlassian.net/browse/DEL-7285
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
Otherwise, Yocto will use the recipes in meta-webkit, which are slightly older.
https://onedigi.atlassian.net/browse/DEL-7578
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
By default, we only support the latest versions of the webkit packages anyway,
so use a wildcard so we don't have to update the recipes every time a new
version is available.
https://onedigi.atlassian.net/browse/DEL-7578
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Igalia has included performance improvements for i.MX platforms in the latest
versions of different packages related to webkit. Even though the recipes for
these versions are not yet available in meta-webkit, we can add our own to
meta-digi to take advantage of these improvements.
Update the cog patches so they apply cleanly over v0.9.90.
https://onedigi.atlassian.net/browse/DEL-7578
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This commit adds some swupdate parameter to select the sw-description
configuration depending on the used platform.
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
Without this call, swupdate will be built with a default configuration which
is incompatible with our package format. Even though this function is already
called in the original recipe, it was done in the package's "git" directory.
Make sure the function is called at least once so that our defconfig is used in
the build.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Commit 28d9e025ea used += to append
a dependency to RDEPENDS but this was not working fine and was removing
previous dependencies.
Use instead _append override.
Reported-by: Francisco Gil Martinez <francisco.gilmartinez@digi.com>
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Otherwise, swupdate will treat the update process like it's an OTA one and it
will try to store the package contents in /tmp, which won't fit.
swupdate commit 8b70ae5796e75c2ff856e8c46b3a3c09cb8fcccd states that all local
SWU packages should include this flag, since the old implementation had this
information implicitly.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Technically, partition unencryption is safe to do in open devices, although it
implies that at least one partition has already been encrypted. If we aren't
going to encrypt any partitions, there's no need to print the warning.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Instead of checking for the existence of /proc/mtd, which might lead to false
positives, check the "root" parameter in /proc/cmdline. Assume eMMC in case of
any error.
https://onedigi.atlassian.net/browse/DEL-7539
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
There are some init packages from the poky layer that remain using only a SysV
init script. Systemd converts these init scripts to systemd service format on
boot and shows an ugly warning for each one. To avoid flooding the console with
this kind of messages, we reduce the verbosity of these messages.
https://onedigi.atlassian.net/browse/DEL-7540
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
In the libubootenv implementation of fw_setenv, multiple variables can be set
in one call. When setting a variable with a space-separated list, the app
interprets the list as new variable/value tuples, for example:
fw_setenv myvar value1 value2 value3
Results in:
myvar=value1
value2=value3
This was causing the encrypted eMMC partition mechanism to break, because the
list of encrypted partitions is stored as a space-separated list in an
environment variable. Avoid this by enclosing the variable argument of
set_uboot_var() with double quotes.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Update version from 2.28.1 to 2.32.0, remove patch that is already included in
the source tarball and stop removing the qtwpe PACKAGECONFIG, since it's no
longer being included by default.
https://onedigi.atlassian.net/browse/DEL-7545
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Update the version from 0.7.1 to 0.8.0 and remove two patches that are already
being applied in meta-webkit.
https://onedigi.atlassian.net/browse/DEL-7545
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Before using the encrypted partition functionality, users have to manually
install the encryption key in the system. Failing to install said key will
result in errors later on.
Even though the installation isn't a difficult operation from a user's point of
view, the recovery script has the necessary logic to detect cases where a
partition is going to be encrypted with no key installed. Automatically
generate a key in these cases to avoid undesired behavior and to improve the
overall user experience.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This version adds new functionality to check if an encryption key is installed
as well as a fix for an issue that happens when encrypting partitions with long
names (over 12 characters).
https://onedigi.atlassian.net/browse/DEL-7535
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
If we trigger a key change while there are partitions that are encrypted,
print a warning and ask for confirmation so users know that the operation will
erase the contents of said partitions.
Like in the partition (un)encryption mechanism, add the possibility to skip
both the warning message and the confirmation prompt.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This initramfs only makes sense in platforms with an eMMC as the internal
storage, due to how the partition encryption support is implemented. In
plaatforms that use NAND instead, ths initramfs offers no functionality and
increases the recovery image size, so remove it.
https://onedigi.atlassian.net/browse/DEL-7534
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
If we allow users to manually change the encryption status of the rootfs
partition, we run the risk of wiping it without flashing a proper replacement
image. Because of this, rootfs encryption status should be determined
automatically using information from the update package.
Have the recovery script parse the update package's description to determine
whether to encrypt the rootfs or not.
https://onedigi.atlassian.net/browse/DEL-7174
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This partition isn't blacklisted, but it should only be (un)encrypted when
providing an update package. Make it so that manual encryption status changes
for this partition aren't possible from the recovery library.
https://onedigi.atlassian.net/browse/DEL-7174
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Since the recovery script checks the update package before installing it, use
the package's description to indicate if the package is meant to encrypt the
rootfs or not. Also, remove the pre-install script from the ccimx6ul packages,
since the logic in the script to remove the encryption flag from the rootfs is
now in the recovery script.
https://onedigi.atlassian.net/browse/DEL-7174
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Previously, TRUSTFENCE_INITRAMFS_IMAGE was the only variable used to configure
rootfs encryption. Now that any partition can be encrypted and the rootfs
encryption still needs to be handled differently, use two variables instead.
* TRUSTFENCE_ENCRYPT_PARTITIONS to control partition encryption in general
* TRUSTFENCE_ENCRYPT_ROOTFS to control rootfs encryption
As with most trustfence functionality, enable both by default. Leave
TRUSTFENCE_INITRAMFS_IMAGE as an internal variable only.
https://onedigi.atlassian.net/browse/DEL-7174
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Since the update partition might be involved during a software update, we need
to make sure that its contents are accesible and safe when using the partition
encryption feature at the same time.
Mount and unmount the partition correctly if it's encrypted and cancel any
operations that will result in the deletion of the update package.
https://onedigi.atlassian.net/browse/DEL-7174https://onedigi.atlassian.net/browse/DEL-7422
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Add a new function to the recovery library to be able to encrypt/unencrypt any
partition on the internal storage media. Since it's a destructive operation,
add a warning message and a confirmation prompt that can be skipped if needed.
Reflect this new functionality in the recovery-reboot app. Change the logic so
that an encryption key can be set even if there's no update package, because
now it's possible to encrypt other partitions while leaving the rootfs intact.
Also change the logic so that the app doesn't reboot into recovery mode if
there's no recovery command set.
Implement the same blacklist as the one in the recovery script.
https://onedigi.atlassian.net/browse/DEL-7174
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
The partition encryption system now uses dynamically generated names for the
decrypted block devices, which are based on the partition name. Reflect this
change in places where the encrypted rootfs is referenced.
https://onedigi.atlassian.net/browse/DEL-7174
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Modify the recovery and trustfence initramfs scripts to be able to encrypt any
partition on the internal storage media, not just the rootfs.
To implement this functionality, add a new recovery command called
'encrypt_partitions'. When used, this command must contain a comma-separated
list of the partitions that are to be encrypted by the end of the recovery
process, including partitions that were already encrypted beforehand. Any
partition that isn't in the list will be unencrypted. If the command is absent,
no changes will be made, but it's possible to pass an empty command to
unencrypt all partitions.
Include a blacklist to avoid encrypting partitions that shouldn't be encrypted,
such as partitions that need to be accessed by the ROM code/U-Boot or
partitions that contain encryption keys.
While at it, remove unnecessary "get_kernel_version" function from the script.
https://onedigi.atlassian.net/browse/DEL-7174
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
The matchbox-terminal provides a GTK+ terminal application on the sato desktop,
however it has a dependeency of the virtual terminal emulator GTK+ widget
library (vte) that recently introduced a dependency with the icu package that
increase the rootfs size in 20MB. Since this is a sample application, remove it
to save space on the rootfs.
https://jira.digi.com/browse/DEL-7524
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This package adds a dependency of python3-xml that includes the python3 core
package, increasing the size of rootfs by 8MB.
https://jira.digi.com/browse/DEL-7524
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
packagegroup-core-x11-sato has a dependency on the gst-examples package and
adds a RRECOMMENDS for several packages including many codecs, enconders, etc.
We remove this package for the cc6ul platform to save space in rootfs.
https://jira.digi.com/browse/DEL-7524
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Add just one qt demo by default and move all of them to platforms with gpu
support, as platforms like cc6ul have few space available.
https://jira.digi.com/browse/DEL-7524
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
The prebuilt 'athtestcmd' binary allows you to test tx/rx of the
Wi-Fi MAC, when the driver is loaded in test mode.
This is required for certifying Wi-Fi in products, so add it by
default for the ccimx6sbc.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://jira.digi.com/browse/DEL-7444
(cherry picked from commit acb402fdcfa54d8d5519580ff7fcfb76fbed3f49)
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Now libgpiod is not added automatically and we need to add the
dependence manually.
For more info see commit 4339c28ff4aa0264c34f4f183349aea20a5ff127 in
meta-openembedded layer.
https://jira.digi.com/browse/DEL-7522
Signed-off-by: Francisco Gil Martinez <francisco.gilmartinez@digi.com>
In the free meta-scale layer, the same entry "use-g2d = 1" is uncommented for
mx6dl and mx6q, however our ccimx6 platform has both machines in its
definition, so the same entry is uncommented twice and throws an unexpected
error. This commit adds a append in the install process to uncomment this entry
for the ccimx6 platform.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
vulkan has a dependency of vulkan-headers package that is not available
for the mx8mm platforms.
https://jira.digi.com/browse/DEL-7508
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Recipe system-monitor has a dependency with systemd package, however it was
added unconditionally for all platforms. This commit adds a protection to
include this recipe only when systemd is present in the DISTRO_FEATURES
https://jira.digi.com/browse/DEL-7508
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Commit 98d76037("recipes-qt: qt5: Update recipes to new BSP release
imx_5.4.70_2.3.0") removes the definition of the PACKAGECONFIG_MX8_GPU
variable, but its use had to be removed. This commit completely removes the
undefined variable.
https://jira.digi.com/browse/DEL-7508
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Simplify the structure of the recipe folder, if one version is not supported
we must use the COMPATIBLE_MACHINE overwrite
https://jira.digi.com/browse/DEL-7508
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Commit f7a354d("Generate image headers from their PNG source, while still
including them in dist tarball") provides a default PNG files removing the image
generation in build time. This commit overwrites the default PNG with one
customized by Digi.
https://jira.digi.com/browse/DEL-7508
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Commit ae479d86d1("libical: add PACKAGECONFIG glib and enable it by default")
introduces a workaround to fix the build with glib support and enables it
by default, but this support is unstable and this workaround is not needed on
v3.0.8. Added original recipe without that workaround to avoid the build issue.
https://jira.digi.com/browse/DEL-7508
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
The "dhcp" software package has become unmaintained and thus has been
functionally replaced by "dhcpcd" (client) and "kea" (server).
https://jira.digi.com/browse/DEL-7508
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Modify the recovery-utils code to reflect the change (change in C header and
linked libraries)
https://jira.digi.com/browse/DEL-7410
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Sync with BSP release rel_imx_5.10.9_1.0.0 and remove unnecesary files
after most of them were updated in meta-freescale layer.
https://jira.digi.com/browse/DEL-7508
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Sync with BSP release rel_imx_5.10.9_1.0.0 and remove unnecessary files
after most of them were updated in poky layer.
https://jira.digi.com/browse/DEL-7508
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Mike Engel
Gabriel Valcazar
Isaac Hermida
Arturo Buzarra
Hector Palacios
Francisco Gil
Javier Viguera
Gonzalo Ruiz