This patch adds the functionality to automatically detect if the enviroment
is encrypted (through the device tree). If it is, the environment is encrypted
and decrypted as required in a transparent way for the user.
https://jira.digi.com/browse/DEL-2836
Signed-off-by: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com>
- boot.txt
Sets the device tree filename basing on the SOM variant read from
the HWID and boots from NAND.
- install_linux_fw_sd
Deploys a full system (as generated by Digi Embedded Yocto) from
a FAT formatted micro SD card into the NAND flash.
https://jira.digi.com/browse/DEL-2925
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
APM is an ancient power management API mainly for x86. There is an
optional emulation layer for ARM, but none of our platforms is using
it, so just remove the machine feature.
https://jira.digi.com/browse/DEL-2745
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
Tweaked to maintain the u-boot and linux revisions to AUTOREV instead of
the fixed SHA1s from the tag.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
So the warning message shows the TF variable setting in the correct
syntax that they should be written in the project's local.conf
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
When TRUSTFENCE_SIGN is enabled, the u-boot binary for the SDCARD image
needs to be the "signed" one.
https://jira.digi.com/browse/DEL-2876
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
enabled
There is currently no support on fw_printenv/fw_setenv to access an
encrypted environment.
This commit removes the package if U-Boot environment encryption is
enabled to avoid environment corruption on access.
It also documents the issue as a known issue.
https://jira.digi.com/browse/DEL-2625
Signed-off-by: Alex Gonzalez <alex.gonzalez@digi.com>
When changing any of the secure boot configurable macros the Linux kernel
should be re-deployed so that it can be signed/encrypted as needed.
https://jira.digi.com/browse/DEL-2750
Signed-off-by: Alex Gonzalez <alex.gonzalez@digi.com>
This package is native only, this patch ensures it can only be built
natively and fix the following problems:
* Add openssl-native rather than openssl to the dependencies.
* Use the $(CC) $(LDFLAGS) and $(CFLAGS) that Yocto provides to avoid a
compilation error.
Signed-off-by: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com>
The region code is programmed in the OTP bits. We want to allow to be able to
override this behavior by setting the new value as a property in the device
tree called "regulatory-domain".
This can be done by setting the variable "regdomain=<code>" in uboot or well
by defining that entry in the device tree.
https://jira.digi.com/browse/DEL-2799
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
The country region is programmed in the OTP bits. Based on that value we need
to load the firmware file for the specific country region.
https://jira.digi.com/browse/DEL-2774
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
We are including two firmware files: one for setting the country to US and the
other one to set it to the World Wide Roaming region (SKU 0060).
https://jira.digi.com/browse/DEL-2774
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
TRUSTFENCE_SIGN can be defined to "0" to explicitly disable uImage sign and
encryption.
https://jira.digi.com/browse/DEL-2803
Signed-off-by: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com>
This device tree file corresponds to StarterBoard with ID=129
which corresponds to smart part number CC-WMX6UL-START.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
The correct U-Boot branch to be used with dey-2.0/master is v2015.04/master, as
it contains the latest development changes (just like dey-2.0/master).
This reverts commit 728619a5bc.
After commit b0a766eafc8 in the U-Boot repository, both signed and
encrypted images will be generated. Copy both of them to the deploy folder
https://jira.digi.com/browse/DUB-642
Signed-off-by: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com>
This allows to automatically create a secure PKI tree without user
interaction.
https://jira.digi.com/browse/DUB-618
Signed-off-by: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com>
NXP Code signing Tool for the High Assurance Boot library is needed for
signing and encrypting different artifacts (U-Boot image, uImage, ...).
As the CST cannot be included in DEY, the user needs to download the
tarball and add it to the recipe folder.
https://jira.digi.com/browse/DUB-618
Signed-off-by: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com>
To build the CC6UL boot image, the u-boot and linux images need to be
already deployed. Also the native mtd-utils package needs to be
available in the sysroot.
Make all this dependences explicit for deterministic reproducibility.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
U-Boot environment on the CC6UL NAND is located at partition /dev/mtd1:
- original copy is located at offset 0 in the partition
- redundant copy is located 1 erase block (128K) after the original copy
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://jira.digi.com/browse/DEL-2552
At the moment there is no support for rootfs encryption for the CC6UL,
so there is not a ramdisk in the boot image. But with the initial
addition of TF support, the u-boot boot script was being on-the-fly
updated for TF regardless of the platform, making the CC6UL unable to
boot when TF was enabled.
This commit fixes the problem, by just changing the u-boot boot script
when TF is enabled only for the CC6.
https://jira.digi.com/browse/DEL-2754
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
builds.
When building multiple u-boots they get compiled externally into a
directory named after machine defconfigs.
Once there is a directory with the same name as a defconfig it is not
possible to run the defconfig make target.
Fixes https://jira.digi.com/browse/DEL-2644
Signed-off-by: Alex Gonzalez <alex.gonzalez@digi.com>
builds.
When building multiple u-boots they get compiled externally into a
directory named after machine defconfigs.
Once there is a directory with the same name as a defconfig it is not
possible to run the defconfig make target.
This change should be only temporary until it gets upstream.
Fixes https://jira.digi.com/browse/DEL-2644
Signed-off-by: Alex Gonzalez <alex.gonzalez@digi.com>
When Trustfence is enabled, this adds a dependence on the TF initramfs,
so it's built and added to the boot image.
It also modifies the u-boot boot script on the fly, to boot correctly
using the Trustfence initramfs.
https://jira.digi.com/browse/DEL-2278
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
The external module revision has been upgraded in meta-fsl-arm, thus
refresh the patches so they apply cleanly.
https://jira.digi.com/browse/DEL-2305
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
The size of the destination partition (linux) is around 14MiB so the
max-leb-cnt must be reduced compared to the one used for the rootfs
partition.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://jira.digi.com/browse/DEL-2697
Diaz de Grenu, Jose
Isaac Hermida
Javier Viguera
Alex Gonzalez
Hector Palacios