The FIP image is signed internally by this recipe. The password must be
set in FIP_SIGN_KEY_PASS. With the signing script, the password is
randomly generated and saved in key_pass.txt.
This prefunc obtains the password(s) from the file to set FIP_SIGN_KEY_PASS
so that the FIP can be properly signed.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
For the moment, do not sign aditional artifacts, such as the ramdisk,
the kernel or the boot scripts for STM platforms.
In the specific case of the ramdisk, simply copy it over with the
expected filename extension.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Several recipes depend on the PKI creation.
Create a small recipe to just run this function which
is moved from the trustfence.bbclass.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
This script can be called stand-alone or from DEY.
Syntax is :
trustfence-sign-artifact.sh -p <platform> [-t input-unsigned-image> <output-signed-image>]
If files are omitted, it at least generates random keys if they do not
exist.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
The do_deploy:append did three things:
- adapt the U-Boot filenames to 'u-boot-<platform>-<config>.<ext>'
- sign/encrypt the U-Boot files (only for iMX6 family)
- sign the boot scripts
Convert the first two actions into functions (the third already was) and
call them conditionally as postfuncs.
Also skip the signing of U-Boot files if the platform is not based on
iMX6 family.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Certain platforms share a processor family but need to be differentiated
between them. DEY was using the variable DIGI_FAMILY as the SOM name
rather than the family. It becomes useful to have both (DIGI_SOM as the
more specific, and DIGI_FAMILY as the more generic).
This is the case, for example, of:
- ccmp1 (family)
- ccmp15 (SOM)
- ccmp13 (SOM)
- ccimx8m (family)
- ccimx8mm (SOM)
- ccimx8mn (SOM)
Both variables are used on the machine overrides.
Where DIGI_FAMILY was used, use now DIGI_SOM.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
This recipe downloads a tarball that contains the binaries:
- STM32MP_KeyGen_CLI
- STM32MP_SigningTool_CLI
from ST Microelectronics STM32CubeProgrammer v2.12.0.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
This is in preparation of using the same script name for different SOC
vendors (NXP and STM).
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Set TRUSTFENCE_DEK_PATH to "0" for CCMP1 (not using dek.bin), as if this
was disabled.
Set temporarily TRUSTFENCE_ENCRYPT_ENVIRONMENT to "0" for CCMP1 until
environment encryption is fully supported.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Dependencies of this recipe are run-time dependencies, not build-time.
While on it, move them to specific native/nativesdk recipe.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
This recipe builds the script (that depends on cst-tool) that is used to
sign the images. It's only run natively.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
The name of the variable was not very intuitive of what
it contains. This variable expands to the SoC vendor
(NXP or STM).
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Commit 065cf3e9 ("kirkstone migration: general update to the new override
syntax") incorrectly renamed binaries in a massive change. This commit restores
the binary names to the original.
https://onedigi.atlassian.net/browse/DEL-8478
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
By default, our 'cloudconnector' package is installed.
This can be overriden by defining 'CLOUDCONNECTOR_PKG' in the 'local.conf'
with the custom package that includes this application.
Signed-off-by: Tatiana Leon <Tatiana.Leon@digi.com>
These are recipes we created to support Google Coral on i.MX platforms. ST's
machine learning layer provides similar recipes, so to avoid conflicts, move
the recipes meant for i.MX platforms to a dynamic layer.
https://onedigi.atlassian.net/browse/DEL-8308
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This dependency is only required if you wish to build ST's reference images,
which isn't our case. Add said reference images' recipes to the BBMASK to
avoid build errors.
https://onedigi.atlassian.net/browse/DEL-8308
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
rename interface sta_name to be "wlan0" instead of "mlan0", so it keeps
compatibility with other platforms.
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
OPTEE_PKGS variable must have a default (empty) value to prevent bitbake
parsing errors.
This fixes a build failure for MP1 platforms where the variable was
undefined in the commit that added the support.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
A recipe may generate different runtime packages, with names other than
PN. This commit allows removing the ontarget postinst script for those
other runtime package names. To do so, just define REMOVE_POSTINST_RPN
before including this class in the recipe.
The first user is in the following commit.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
NXP platforms that have 'optee' in the MACHINE_FEATURES, will install
optee userspace packages (ccimx8m and ccimx93 at the moment).
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Add nxp-wlan-sdk repice as a verbatim copy and add our bbappend
for fixing the build.
This recipe include some tools, mainly for RF porpouses.
https://onedigi.atlassian.net/browse/DEL-8346
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
Add the overlay required to perform the BLE HCI Raw test to the
linux default images. That way, default images can be used to certify
the product.
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
1)
CcxTagControlData struct in CORE/HDD/inc/CcxTagDefs.h had some fields missing compared
with 'cctags api’ which was producing CCX_TAG_DRVR_RSP_ERR_CTRL_SIZE.
2)
Then CCX_TAG_DRVR_RSP_ERR_PACKET_SIZE aroused because following paddings:
CCX_TAG_MPDU_HEADER_PAD_SIZE = 2
CCX_TAG_CONTENT_HEADER_PAD_SIZE = 3
where producing wrong alignements and sizes between the 'cctags api’ and the driver.
With changes in this commit, master branch of ‘CCxTagTest’ repository compiled
out of source code gets on well with 'cctags api’ repository and with qca driver in
both dey-2.4 and dey4.0.
Packets in the air match 100% in content in both dey-2.4 and dey4.0.
https://onedigi.atlassian.net/browse/DEL-8446
Signed-off-by: Hector Bujanda <hector.bujanda@digi.com>
An official fix was added to meta-timesys in commit
ae4f6e9854361d4a6d71b6f8b87130268d990b32, so our workaround is no longer needed
This reverts commit 7a77130550.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
The HWID is populated on the device tree by the boot loader.
This can be used as a key modifier when encrypting the U-Boot
environment. Some old U-Boot versions however, did not populate
the HWID on the device tree. When updating firmware from an
old version to a new one, the library may not be able to read
the HWID from the DT and then be unable to unencrypt the
environment.
This patch implements a fall-back function to read the HWID
directly from the nvmem node (sysfs). Implementation has been
done for ccimx6 family only, where this case of old U-Boot
can happen.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-8444
(cherry picked from commit 222a91f213)
The commit we use to build the cryotpauthlib package is currently not part of
any branches or tags in the original MicrochipTech repo. To make sure the
package can always be built, use our mirror of the repo, which includes an
additional branch for the specific commit.
While at it, move the "nobranch=1" parameter to the GIT_URI variable, since
we're putting all other git parameters there, anyway. Also, remove the "branch"
parameter because it isn't needed in this case.
https://onedigi.atlassian.net/browse/DEL-8015
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Commit 32dd3d59c250f916115b339c29aa4dbfe50a3235 in poky breaks i.MX platform
builds when "vigiles" is inherited. While we wait for a fix in the community,
work around this issue by setting a dummy default value in the MULTIUBI_BUILD
variable.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
For devices running 'systemd', the mount process is done through 'systemd-mount', which
spawns a system unit. Trying to mount the partition again throws an error stating that a
unit with the same name is already running. To avoid it, check if the unit is already
spawned before mounting the partition and, if so, just restart the unit.
Signed-off-by: David Escalona <david.escalona@digi.com>
add a verbatim copy of those recipes as they are provided by nxp in langdale-6.1.1-1.0.0
https://onedigi.atlassian.net/browse/DEL-8346
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
Instead of changing POKY_DEFAULT_DISTRO_FEATURES, do the distro features
configuration directly in the DISTRO_FEATURES variable. Also, add a couple
of variables (MACHINE_DISTRO_FEATURES_ADD/REMOVE) that allow machines
for extra tweaking the distro features.
While on it, clean up some distro features:
- pulseaudio: already added by DISTRO_FEATURES_BACKFILL
- bluez5, splashscreen, initrd, gplv3: not used (dead code)
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
In rare cases, the wlan module may fail to load. In this scenario, forcing the
MMC driver to rebind the interface resolves the issue, making the WLAN module
load more reliably.
This only affects to modules where the qca chip is connected through the
MMC interface.
https://onedigi.atlassian.net/browse/DEL-8361
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
There are other device managers (e.g. mdev) that do not understand those
udev rules, so do not install them unconditionally.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
The stand-alone signing script 'trustfence-sign-artifact.sh' checks
if a valid PKI tree exists (by checking the existance of four SRK
files) and if they don't, it calls trustfence-gen-pki.sh (which is
a wrapper over different generators (for HAB or AHAB) to create one.
Recipes such as 'dualboot' or 'recovery-initramfs' may need to call
openssl functions over the PKI tree. These recipes do not currently
generate the PKI tree; they expect it to be already in place.
This might not be the case if the trustfence-sign-artifact.sh script
has not been called yet.
Originally, a fake dependency on virtual/kernel recipe was made to
force it, but it doesn't quite work since the calling only happens
on deploy() while regular DEPENDS doesn't wait for this task.
If the PKI does not exist, a recipe that requires the PKI tree will
fail.
The solution is to create a function on the trustfence.bbclass that
allows any recipe to check for the existance of a PKI tree and
generate it if it doesn't exist. This is repeated inside the
trustfence-sign-artifact.sh, but it needs to be in both places
because this script must work stand-alone.
The generation of the PKI tree takes some seconds so this commit
adds a lock dir to prevent race conditions when called from
different recipes.
It also removes the fake dependency on virtual/kernel and adds a
dependency on trustfence-cst-native (which is the recipe that
provides the PKI generation tool).
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-8430
(cherry picked from commit 6a8bf7afff)
By launching in system mode it is possible to play music from a shell using
pulseaudio. With change all platforms and images (with or without graphical
support) have pulseaudio working.
https://onedigi.atlassian.net/browse/DEL-8417
Signed-off-by: Tatiana Leon <Tatiana.Leon@digi.com>
This commit modifies the boot script condition to apply the overlay for DVK v1
on boards without the board_version variable defined.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Hector Palacios
Arturo Buzarra
Tatiana Leon
Gabriel Valcazar
Javier Viguera
Isaac Hermida
Gonzalo Ruiz
Hector Bujanda
David Escalona
Francisco Gil