This gets substituted when TrustFence is enabled to "signed/encrypted"
or removed when TrustFence is disabled.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Programming an encrypted bootloader can only be done after the
secure keys have been programed on the OTP bits, and the device
has been closed. Programming on an open device would result in a
non-secure configuration or a non-bootable device after the
close operation.
Create functions to detect the current TrustFence status and exit
the install script if the device is open and the artifacts are
encrypted.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-9699
The `-t` option to program images with TrustFence didn't make
much sense because the install script is dynamically generated
at build-time with the name of the boot artifacts containing
"signed/encrypted" on their filenames.
This commit:
- Removes `-t` option to simplify the script.
- Determines if programming a signed/encrypted bootloader by
looking at the bootloader filename.
- For NXP platforms, reworks the function that updates the
bootloader to properly program only-signed bootloaders (currently
wrongly using `trustfence update`)
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
The USB and SD installers are U-Boot scripts that are practically
identical.
Merge them into a single template with a couple of machine variables that
determine the default device index in U-Boot for the USB or the microSD
card.
Do dynamic substitutions to create the two installers out of the template.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
The installer uses the regular rootfs filename or falls back to search
for a squashfs (read-only) rootfs image.
The UUU installers of eMMC-based platforms use an if/elif/else structure
to determine which file exist (in order of preference). Replicate this
structure on the rest of platforms and installers.
This avoids printing an error message if the default rootfs does not exist
but the read-only one does.
Also, reset 'rootfstype' variable if the default rootfs file exists, which
allows to install regular images over a previous read-only system.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
This overlay contains a workaround to make the USB-OTG
work as USB device when connected to a host.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-9610
(cherry picked from commit ec92f5fdd10a61e37ac3778d0d3aa1816bc6b0aa)
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
This commit updates the installer scripts to support CCMP1 platforms under
Yocto 5.0, aligning them with the current behavior used for CCMP2.
Changes include:
- Adding support for the metadata partition, which is now required
- Including the optee/opteemin flavors in boot artifact filenames
- Ensuring the script structure and logic remain consistent with CCMP2 install scripts
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Both boot artifacts now use the same signed label, so this commit removes
unnecessary logic and updates the UUU install script to support the new boot
artifact naming. It also fixes the detection of signed artifacts by checking
for the presence of the FIP artifact, instead of relying on a U-BOOT artifact
that does not exist on this platform.
https://onedigi.atlassian.net/browse/DEL-9442
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Assignment of variable 'force_erase' was done without escaping quotes
which led to wrong assignment and the script not forcing the erasure of
NAND partitions.
While on it, remove it from ccmp1 scripts where its use makes no sense
as the 'ubivolscript' script takes care of erasing the partitions.
Signed-off-by: Francisco Gil <francisco.gilmartinez@digi.com>
Device tree overlays now have the extension 'dtso' that
distinguishes them from board 'dts' files, so there is
no need for a prefix '_ov_' to tell if a file contains
a DT overlay.
To make them shorter and easier to tell the platform they
are for, change the filename format to:
<platform-name>_<functionality>.dtso
where <platform-name> can be the name of the SOM or the
name of the DVK, so there is no need either to specify
'som' or 'board' on the filename.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Based on the boot schemes and sources supported for each platform, the boot
artifacts now include this information in their filenames. This commit updates
the filenames accordingly in several recipes.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit changes the linux and recovery UUID when booting
the system in single mode.
https://onedigi.atlassian.net/browse/DEL-9244
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
Based on the environment variable emulate-cc91:
* Limit the ram memory to 512MB
* Enable the overlay _ov_som_emulate-ccimx91_ccimx93.dtbo
* Disable the npu node
Signed-off-by: Francisco Gil <francisco.gilmartinez@digi.com>
In CCMP2 the HWID is stored in 3 consecutive fuse words, now the third word has
the following scheme:
| 31..18 | 17 | 16 |15..12| 11..7 |6..3| 2..0 |
+--------+----+-------+------+---------+----+------+
| -- | BT | Wi-Fi | RAM | Variant | HV | Cert |
+--------+----+-------+------+---------+----+------+
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Add initial support cloned from ccmp15, based on v2022.10 from STM release
openstlinux-6.1-yocto-mickledore-mp2-v23.12.06.
https://onedigi.atlassian.net/browse/DEL-8995
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commits adds the CCMX91 platform to the DEY
build system. Furthermore, it creates generic ccimx9
support to be used for the CCiMX91 and CCiMX93
platform.
https://onedigi.atlassian.net/browse/DEL-9106
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
When running the installation script on variants with larger NANDs, two of the
script's commands take longer than our intended timeouts under specific
circumstances:
* When the variant has a NAND with 512 MiB or more and singlemtdsys is set
to "yes", running ubivolscipt takes longer than our 10 second timeout.
The larger the NAND storage size, the longer this command takes.
* When the variant has a 1 GiB NAND, singlemtdsys is set to "yes" and
dualboot is set to "no", the update of the recovery UBI volume takes
longer than our 15 second timeout.
In both of these cases, the script fails and the installation process cannot
continue. Apply the following changes to prevent this:
* Increase the ubivolscript timeout from 10 seconds to 30
* Increase the recovery update timeout from 15 seconds to 20
Also, remove the command immediately before ubivolscript is run, since said
command is already being run at the beginning of ubivolscript.
https://onedigi.atlassian.net/browse/DEL-9097
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
One of the conditions used to determine the U-Boot file was missing its
terminator, breaking the script.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
(cherry picked from commit 26dc437a25)
There is a corner case that wasn't cover by the script, if you
use the script using a -k -t the "-t" would be the name of the
dek.bin.
This new implementation solves the issue.
Signed-off-by: Francisco Gil <francisco.gilmartinez@digi.com>
Some variables in the script belong to u-boot, not to the shell
running the script. Escape those variables so the shell does not
expand them.
Signed-off-by: Francisco Gil <francisco.gilmartinez@digi.com>
The command trustfence update doesn't require the partition argument.
Besides of that, remove extra fi on the cc8m platforms.
Signed-off-by: Francisco Gil <francisco.gilmartinez@digi.com>
At the moment, this overlay adds RTC calibration to compensate
the drift observed in the 32kHz input frequency of hardware
version 1 of the SOM.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-8987
Add a check on the existence of the "temp-fitimg-loaded" environment
variable before setting it. It is needed, as with encrypted FIT images,
we need to decrypt them before accessing the boot script. In such cases,
u-boot sets that variable to "no" so the boot script does not override it,
and the FIT image is loaded again before the final boot to the OS.
https://onedigi.atlassian.net/browse/DEL-8945
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Unless we have a use case in which we need to apply these fragments separately,
we can merge them both into a single fragment.
https://onedigi.atlassian.net/browse/DEL-8946
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This commit implements the support to allow different memory configurations for
the CCMP1 platforms, adding support to 512MB and 1GB memory variants for the CCMP15.
https://onedigi.atlassian.net/browse/DEL-8752
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Command 'bootz' allows boot unsigned Linux zImages, so disable it when secure
boot is enabled using FIT images.
https://onedigi.atlassian.net/browse/DEL-8769
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Some minor fixes:
* return error code if installation fails
* cosmetic: update comment with options
* just exit after error and do not execute boolimit command
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
Up until recently, we were only generating dey-image-qt images for the
ccimx93-dvk. Now that we are generating dey-image-lvgl images as well, make
sure to print the helper message to set image-name when installing said images.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
One of the conditions used to determine the U-Boot file was missing its
terminator, breaking the script.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
An additional line was added to a comment block without the '#' character,
resulting in the following error when running the script:
Unknown command '-' - try 'help'
Nonetheless, this error is harmless and the script continues as expected, which
is the reason why we hadn't found it until now.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
In case a HWID is not set or the variant is unknown, do not set it to a default
U-Boot file but ask the user for the proper file.
This case should not happen, but cover it for safety.
https://onedigi.atlassian.net/browse/DEL-8855
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
Hector Palacios
Arturo Buzarra
Francisco Gil
Javier Viguera
Mike Engel
Isaac Hermida
Gabriel Valcazar
Gonzalo Ruiz