On new platforms, trustfence will use file-based encryption instead of
full-disk encryption. Add base variables and platform defaults to allow
implementing file-based encryption.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Encrypting boot artifacts impacts the device's boot time, so disable it
by default. It is still possible to enable it in the project's config
file by setting the TRUSTFENCE_DEK_PATH option.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
There is a corner case that wasn't covered by the script: if you
use the script with -k -t, the "-t" would be the name of the
dek.bin.
This new implementation solves the issue.
Signed-off-by: Francisco Gil <francisco.gilmartinez@digi.com>
By default, it is trying to install an artifact imx-boot--<platform>
if trustfence is not enabled.
Signed-off-by: Francisco Gil <francisco.gilmartinez@digi.com>
Some variables in the script belong to u-boot, not to the shell
running the script. Escape those variables so the shell does not
expand them.
Signed-off-by: Francisco Gil <francisco.gilmartinez@digi.com>
Unlike the rest of the NXP platforms, in u-boot, the ccimx93 allows
configuring a GPIO name to activate the console when secure console is
enabled. Those u-boot options were not translated to the trustfence code
in meta-digi.
https://onedigi.atlassian.net/browse/DEL-9063
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
This commit removes the Cortex-M4 overlay because the M4 has
been enabled now in the DTSI file.
https://onedigi.atlassian.net/browse/DEL-9056
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
The patches have been backported from the lf-6.1.36-2.1.0 release of
imx-mkimage.
https://onedigi.atlassian.net/browse/DUB-1081
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
The patches have been backported from the lf-6.1.36-2.1.0 release of
imx-mkimage.
https://onedigi.atlassian.net/browse/DUB-1081
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This commit adds some basic TSN support to DEY.
It includes the kernel configuration fragment with
the IEEE 802.1 support and some user space tools
necessary to configure the network.
https://onedigi.atlassian.net/browse/DEL-9026
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
The command trustfence update doesn't require the partition argument.
Besides that, remove the extra fi on the cc8m platforms.
Signed-off-by: Francisco Gil <francisco.gilmartinez@digi.com>
* Move Digi code out of the upstream files to minimize conflicts in
version migrations.
* Remove all the TEE client copied code and use the libteeclient library.
* Some fixes in the Optee-based environment encryption.
* Some simplifications in CAAM-based environment encryption.
https://onedigi.atlassian.net/browse/DUB-1079
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
At the moment, this overlay adds RTC calibration to compensate for
the drift observed in the 32kHz input frequency of hardware
version 1 of the SOM.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-8987
Update BDF file used on CC8MN and CC8MM with a new calibration
(GOLDEN3) to obtain a flatter frequency response and a better EVM
performance.
Reference calibration file is obtained from 'qca6574au-le-2-2-2_qca_oem'
repo at tag 'r00005.1' under path
'wlanfw/cnss_proc/wlan/fw/target/sdio_dst/qc6174/bdwlan30.bin'
(MD5SUM: 8a40d95698825e1718bee640b1f7982a).
Target output powers tables and CTL tables remain intact.
Changes required to pass the EN 300 328 V2.2.2 blocking test also remain
intact.
New BDF file:
- bdwlan30_US.bin (86180198440e6ab53734aabf0112c6ba)
https://onedigi.atlassian.net/browse/DEL-9001
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
This commit adds RT functionality to CCMP1. The patches
have been extracted from the STM RT expansion package and
include the mainline RT patches and the STM RT driver
patches and RT Kernel defconfig changes.
https://onedigi.atlassian.net/browse/DEL-8880
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
This commit adds real time test tools to the system.
The hwlatdetect is a program that controls the kernel
hardware latency detector module. This is used to detect
large system latencies independent of Linux itself.
The rt-tests package is a test suite that includes the cyclictest
tool to measure the difference between a thread's intended
wake-up time and the time at which it actually wakes up.
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
This commit adds RT functionality to the CCiMX93
platform. The patches have been extracted from the
NXP real time edge BSP and include the mainline RT
patches and the NXP RT driver patches and RT Kernel
defconfig changes.
https://onedigi.atlassian.net/browse/DEL-8881
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
Use the generic sys class to check if a mtd device is attached.
The virtual node may not be present in some kernel versions.
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
We have intermittent build failures due to fetch errors of some large
source packages (like linux.git).
This commit tries to work around those failures by downloading all the
source packages, with a retry mechanism, before starting the build.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
This commit fixes u-boot Trustfence naming for signed and
encrypted images used in the installation script, removing
a duplicated dash in the u-boot name.
https://onedigi.atlassian.net/browse/DEL-8271
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
Optee-client provides the TEE Client API as defined by the GlobalPlatform TEE standard.
It is required to communicate with a Trusted Application (TA) running in a Trusted OS.
https://onedigi.atlassian.net/browse/DEL-8970
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Rework commit c5c9838e54 to only limit ML
packages for our ccimx93 and not for other imx93-based devices.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Several things were wrong after the latest update to version 4.0: the
tee-supplicant path, some settings in the systemd unit, etc.
This commit fixes the installation so the optee test suite completes again.
https://onedigi.atlassian.net/browse/DEL-8989
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
This commit fixes the set_fip_sign_key() function to match the new keys format
where there is a key_pass file for each key, no longer needing to search with
the key index.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Trustfence class was setting the TRUSTFENCE_PASSWORD_FILE variable using the
old keys format where a unique key_pass.txt file contains all the key
passwords. However, in the new format there is one key_pass file for each
key, so using a PKI tree with the new format throws an unexpected error in the
FIP generation because it is not able to find the required key password.
This commit sets the TRUSTFENCE_PASSWORD_FILE variable for the ccmp1 platforms
in a different way.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit fixes a race condition where, if you have an existing PKI tree with
the new format (one key_pass file for each key), the script detects that the
PKI tree is incomplete because it is always trying to find the key_pass.txt
file with the old format. This commit adds an additional validation step to
verify the new keys format.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Add a check on the existence of the "temp-fitimg-loaded" environment
variable before setting it. It is needed, as with encrypted FIT images,
we need to decrypt them before accessing the boot script. In such cases,
u-boot sets that variable to "no" so the boot script does not override it,
and the FIT image is loaded again before the final boot to the OS.
https://onedigi.atlassian.net/browse/DEL-8945
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
The signing tools have a dependency on libQt5Core.so.5, which implies that this
library must be installed on the native PC. This commit includes all the
required shared libraries for the signing tools inside the package itself to avoid
external dependencies. With this change, the qtbase dependency is no longer
needed at build time.
Package version has been bumped to 1.2.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This patch fixes the hang issue with EiQ demos using multiple tflite files,
for instance the gesture_detection demo.
https://onedigi.atlassian.net/browse/DEL-8949
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
This recipe is not supported anymore. If you need to add that package
for aarch64, a solution is to include pip3 in your image and install it
using the pip3 install manager.
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
This commit fixes the set_fip_sign_key() function to match the new keys format
where there is a key_pass file for each key, no longer needing to search with
the key index.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Trustfence class was setting the TRUSTFENCE_PASSWORD_FILE variable using the
old keys format where a unique key_pass.txt file contains all the key
passwords. However, in the new format there is one key_pass file for each
key, so using a PKI tree with the new format throws an unexpected error in the
FIP generation because it is not able to find the required key password.
This commit sets the TRUSTFENCE_PASSWORD_FILE variable for the ccmp1 platforms
in a different way.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit fixes a race condition where, if you have an existing PKI tree with
the new format (one key_pass file for each key), the script detects that the
PKI tree is incomplete because it is always trying to find the key_pass.txt
file with the old format. This commit adds an additional validation step to
verify the new keys format.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
It is fixed with the new wireless firmware v5.15.58-2023_1128 integrated in
Yocto.
https://onedigi.atlassian.net/browse/DEL-8667
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
- For Qualcomm QCA65x4 platforms:
Add support to create the 'World' board data file for the QCA65x4 Wi-Fi
chip to operate on World regulatory domain.
Kernel wireless driver already supports selecting the correct file based
on the configured Regulatory Domain via Kernel command line argument
'wlan.regdmn', which allows the following parameters:
* "US", for U.S.A. (default)
* "World", for worldwide
- For Murata type2AE platforms:
Add World CLM blob file for the wireless interface and JRL hcd file for
the Bluetooth interface. Also add the autocountry initialization script
and systemd service.
World CLM blob file:
- cyfmac4373-sdio_World.clm_blob (1abe7f3fa86d4123b0586cbbf0ec91ac)
Kernel wireless and bluetooth drivers already support selecting the correct
files based on the configured Regulatory Domain via Kernel command line
arguments 'brcmfmac.regdmn' and 'btbcm.regdmn' respectively, which allow the
following parameters:
'brcmfmac.regdmn':
* "US", for U.S.A. (default)
* "World", for worldwide
'btbcm.regdmn':
* "FCC.CE", for U.S.A., Europe and the rest of the world (default)
* "JRL", for Japan
https://onedigi.atlassian.net/browse/DEL-8905
Co-authored-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Different mechanisms are used to sign FIT images on the ccmp1 platforms and the
ccimx93, and we manage each mechanism via a different variable. The variable
names don't really reflect which platform they affect, which makes maintenance
harder.
Rename the variables so that it's easier to identify the platforms/vendors they
affect:
* Replace TRUSTFENCE_FIT_IMG with TRUSTFENCE_SIGN_FIT_STM
* Replace TRUSTFENCE_SIGN_FIT_ARTIFACT with TRUSTFENCE_SIGN_FIT_NXP
Don't rename TRUSTFENCE_FIT_IMG_SIGN_KEYNAME
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Unless we have a use case in which we need to apply these fragments separately,
we can merge them both into a single fragment.
https://onedigi.atlassian.net/browse/DEL-8946
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>