This commit updates the secure boot support for STM platforms based on the
STM32 MPU Ecosystem v6.1.1. It introduces support for encrypted boot artifacts,
including TF-A and FIP for the ConnectCore MP13 platform.
https://onedigi.atlassian.net/browse/DEL-8535
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
The ConnectCore 95 SMARC module has an MCA so we need to
build the mca-tool for this platform.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Due to GPIO1 port belongs to the Always-ON (AON) domain and probed last,
port GPIO4 is probed as gpio2.
Signed-off-by: Francisco Gil <francisco.gilmartinez@digi.com>
The i.MX91 does not include an NPU; only the i.MX93 does.
Remove the Ethos-U firmware support that was accidentally added during
code reorganization.
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
Some of the hardware settings that were common between the cc93/cc91 SOMs
and DVK are not common for the cc95.
This commit moves those defines from common ccimx9.inc to each specific
machine configuration file.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
For SOM v2, the Wi-Fi chipset has been changed, which requires
overlays that are specific to cc95, different than the ones
for cc93/cc91.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-9915
Use the SDMA firmware provided by linux-firmware for i.MX6 and i.MX8
platforms. The SDMA blobs shipped in linux-firmware and firmware-imx are
identical, so just use the upstream ones as meta-freescale does.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Version 1.14.0 is no longer available, as meta-openembedded updated it
to version 1.14.1. Update our preferred version using a wildcard.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Select the proper OP-TEE board configuration in the optee-os-stm32mp recipe so
trusted applications are built/exported correctly in the SDK. Without this
change, the build may choose a different MACHINE and trigger unexpected
compilation issues.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Correct the bootloader artifact names (TF-A and FIP) for CCMP1/CCMP2 during
.swu generation with TrustFence enabled.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Distribute all the required bootloader artifacts required for USB recovery
as part of the ZIP installer. That way, every pre-compiled set of images
is enough for starting development.
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
i.MX6 platforms use an older version of weston, 10.0.5.imx, which sets the
wayland socket to wayland-0 by default. Without this change, our demo launcher
scripts/services will fail on ccimx6/6qp platforms.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
We support only B0 silicon revision and that is already set on
"imx-digi-base.inc" for all mx95 based machines.
https://onedigi.atlassian.net/browse/DEL-9811
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Add a variable analogous to TRUSTFENCE_SIGN to enable/disable artifact
encryption. Deprecate TRUSTFENCE_DEK_PATH in favor of TRUSTFENCE_KEYS_PATH to
use a more generic name and avoid overloading it as an on/off flag. Add per-key
variables for encryption key filenames to avoid hardcoded names and allow
platform overrides.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit updates the virtual OP-TEE syntax for the CCMP1 and CCMP2 platforms
to align with the changes introduced in the meta-st-stm32mp layer. Specifically,
it mirrors the update made in commit ded46c7d24addf91ec81c9f64309e6376689977a
("Adapt to virtual optee changes").
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
The ConnectCore MP2 DVK does not include an external STM32G0 component.
This commit removes the 'usbg0' entry from MACHINE_FEATURES to prevent
the installation of the unnecessary stm32mp-g0 firmware.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Adds support for signing and encrypting Cortex-M firmware on STM platforms,
following the STM32 MPU Ecosystem v6.1.0. This update enables secure boot of
co-processor binaries on ConnectCore MP2, enhancing firmware protection.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
vfat images need U-Boot scripts, which are always provided by the U-Boot
recipe, even for imx-boot-based machines. Replace the machine-dependent
BOOTLOADER_IMAGE_RECIPE with virtual/bootloader (which is provided by
u-boot recipes).
https://onedigi.atlassian.net/browse/DEL-9768
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Remove obsolete SD card image creation logic and related variables. We
will use WIC images for bootable SD cards.
https://onedigi.atlassian.net/browse/DEL-9768
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Notice that we need to create u-boot and imx-boot symlinks in the deploy
directory, as they are required for the bootloader of the wic images.
https://onedigi.atlassian.net/browse/DEL-9768
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Different platforms use different Cortex-M processors, so instead of
using the M4_DEFAULT_IMAGE_MX95 (as meta-imx does) for an M7 processor,
generalize to the CORTEXM_DEFAULT_IMAGE variable name. Also, move it
to the imx-boot recipe (where it is used) and deploy that image to
the imx-boot-tools directory, so the imx-boot image can be regenerated
externally (without yocto).
https://onedigi.atlassian.net/browse/DEL-9768
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Remove IMAGE_BOOT_FILES and related WKS dependencies from ccimx93-dvk and
ccimx95-dvk machine configs. IMAGE_BOOT_FILES defines the files included
in the boot partition when creating WIC images. The removed files are
the Cortex-M demo firmware that we don't want on the boot partition of
our WIC image.
https://onedigi.atlassian.net/browse/DEL-9768
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
This commit updates the secure boot support for STM platforms based on the
STM32 MPU Ecosystem v6.1.0. It introduces support for encrypted boot artifacts,
including TF-A and FIP, and enables this functionality for the ConnectCore MP2
platform.
This enhancement allows secure boot deployments with both authentication and
encryption for improved protection of critical boot components.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit disables the signing and encryption mechanism for the ConnectCore
MP2 platform's co-processor firmware. Currently, this functionality is not yet
supported in DEY, and enabling it causes build failures when TrustFence support
is active. Disabling it ensures successful builds until full support is
implemented.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Add the ccimx95 platform cloned from mx95lp5. Provide DDR configuration,
configure the console on lpuart6, and update ccimx95-dvk.conf to select
the new board.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Move the LPDDR4 firmware list from the shared ccimx9 include into the
machine configurations for the ccimx91/93 DVK, allowing the upcoming
ccimx95 to utilize its own distinct values.
Also, remove the redundant IMXBOOT_TARGETS and BOOTLOADER_SEEK_USERDATA
overrides in ccimx91-dvk, as they are duplicated.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
This commit updates the CC6 and CC6QP platform configurations to use the latest
NXP BSP based on U-Boot v2024.04, unifying support across all NXP-based
platforms.
https://onedigi.atlassian.net/browse/DEL-9758
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit updates the CC6 and CC6QP platform configurations to use the latest
NXP BSP based on Linux kernel v6.6, unifying support across all NXP-based
platforms.
https://onedigi.atlassian.net/browse/DEL-9758
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
With the updated firmware-ele-imx recipe, the installation logic now
requires SECOEXT_FIRMWARE_NAME to be empty when no extra firmware is
to be installed.
https://onedigi.atlassian.net/browse/DEL-9748
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
This commit updates the Digi custom .bbappend recipes for FIP and TF-A to align
with the latest ST BSP release, based on the openstlinux-6.6-yocto-scarthgap-mpu-v25.06.11
tag for Yocto 5.0 (scarthgap).
https://onedigi.atlassian.net/browse/DEL-9734
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
On NXP platforms, the signed/encrypted bootloader images are not
included on the installer ZIP. This prevents from using the installer
when TrustFence is enabled.
This commit adds to the installer:
- If encryption is enabled
- encrypted bootloader
- signed bootloader (for USB recovery boot)
- If encryption is disabled
- signed bootloader
- If TrustFence is disabled
- non-signed bootloader
It also treats the ccimx6ul special, as this has a dedicated file for
USB recovery boot.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-9698
Arturo Buzarra
Javier Viguera
Hector Palacios
Francisco Gil
Isaac Hermida
Gonzalo Ruiz
Gabriel Valcazar
Mike Engel