DEY generates the ccmp25 boot artifacts on subdirectories of the main
deploy folder. The firmware installation script expects to have them on
the deploy directory, so create the proper symlinks.
https://onedigi.atlassian.net/browse/DEL-9120
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Both CC93 and CCMP2 store the environment at the end of BOOT1 partition
and the redundant environment at the end of BOOT2 partition. Reuse the
'fw_env.config' file defined for CC93 for both platforms, and also include
CC91 in the process.
https://onedigi.atlassian.net/browse/DEL-9119
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
In CCMP2 the HWID is stored in 3 consecutive fuse words, now the third word has
the following scheme:
| 31..18 | 17 | 16 |15..12| 11..7 |6..3| 2..0 |
+--------+----+-------+------+---------+----+------+
| -- | BT | Wi-Fi | RAM | Variant | HV | Cert |
+--------+----+-------+------+---------+----+------+
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
The main recipe already contains this file on the SRC_URI.
No need to append for every platform.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Add support based on v6.1.28 kernel version from STM release
openstlinux-6.1-yocto-mickledore-mp2-v23.12.06.
https://onedigi.atlassian.net/browse/DEL-8995
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Add support based on STM release openstlinux-6.1-yocto-mickledore-mpu-v24.06.26.
https://onedigi.atlassian.net/browse/DEL-8995
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Add open-source implementation of the OpenGL API support based on v23.0.3
version from STM release openstlinux-6.1-yocto-mickledore-mpu-v24.06.26.
https://onedigi.atlassian.net/browse/DEL-8995
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Add GPU support based on v6.4.15 version from STM release
openstlinux-6.1-yocto-mickledore-mpu-v24.06.26.
https://onedigi.atlassian.net/browse/DEL-8995
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Add support based on v2.8 version from STM release
openstlinux-6.1-yocto-mickledore-mp2-v23.12.06.
https://onedigi.atlassian.net/browse/DEL-8995
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Add support based on v3.19.0 version from STM release
openstlinux-6.1-yocto-mickledore-mp2-v23.12.06.
https://onedigi.atlassian.net/browse/DEL-8995
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Add initial support cloned from ccmp15, based on v2022.10 from STM release
openstlinux-6.1-yocto-mickledore-mp2-v23.12.06.
https://onedigi.atlassian.net/browse/DEL-8995
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commits adds the CCMX91 platform to the DEY
build system. Furthermore, it creates generic ccimx9
support to be used for the CCiMX91 and CCiMX93
platform.
https://onedigi.atlassian.net/browse/DEL-9106
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
When TrustFence is enabled, use the HUK programmed on the OTP
bits for the ccmp15 platform.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-9121
There is a harmless error when restoring alsa profiles, as it also
attempts to restore UCM profiles.
Since we do not include UCM profiles for our sound cards, skip it.
https://onedigi.atlassian.net/browse/DEL-9066
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
In legacy NAND platforms like the ccimx6ul, it's possible to use a single-MTD
configuration with dualboot disabled, which allows access to the functionality
provided by the recovery partition. However, the partition encryption feature
requires a multi-MTD configuation, so said feature shouldn't be accessible in
this case.
Prevent access to partition encryption in a single-MTD system by:
* Adding the "system" partition to the partition blacklist in both the
recovery-utils library and the recovery initscript.
* Checking the "singlemtdsys" environment variable before using any
functionality related to partition encryption.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Currently, when wiping the update volume via the recovery partition on a
ccimx6ul with singlemtdsys enabled, the procedure fails with this error:
[RECOVERY] Starting recovery...
[RECOVERY] Wipe 'update' partition requested
[RECOVERY] Formatting 'update' ubi volume
ubi0 error: ubi_open_volume.part.0: cannot open device 0, volume 3, error -16
ubiupdatevol: error!: cannot open "/dev/ubi0_3"
error 16 (Device or resource busy)
This is because the logic used to unmount a volume before formatting it is
expecting this entry format when running "mount":
ubi0:update on /mnt/update type ubifs
While this is the format of the "mount" output in userspace for the rootfs
volume, other trivial volumes have this format instead:
ubi0_3 on /mnt/update type ubifs
Adapt the logic to this format so that the "update" volume wipe procedure can
take place.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
When running the installation script on variants with larger NANDs, two of the
script's commands take longer than our intended timeouts under specific
circumstances:
* When the variant has a NAND with 512 MiB or more and singlemtdsys is set
to "yes", running ubivolscipt takes longer than our 10 second timeout.
The larger the NAND storage size, the longer this command takes.
* When the variant has a 1 GiB NAND, singlemtdsys is set to "yes" and
dualboot is set to "no", the update of the recovery UBI volume takes
longer than our 15 second timeout.
In both of these cases, the script fails and the installation process cannot
continue. Apply the following changes to prevent this:
* Increase the ubivolscript timeout from 10 seconds to 30
* Increase the recovery update timeout from 15 seconds to 20
Also, remove the command immediately before ubivolscript is run, since said
command is already being run at the beginning of ubivolscript.
https://onedigi.atlassian.net/browse/DEL-9097
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
By default, the secure storage path in the REE is "/var/lib/tee". It is
part of the rootfs, and thus, it gets lost on a firmware update.
This commit changes that path to a different partition "/mnt/data/tee"
when Trustfence file-based encryption is enabled.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Building Optee trusted applications (TA) depends on optee_client and the TA
devkit provided by optee_os. Our toolchain provides those dependencies, but
the SDK script which configures the environment for standalone building,
is not configuring some variables needed to build trusted applications.
This commit extends the SDK environment script to allow building TAs.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Add also 'e2fsprogs-tune2fs' to the image, as busybox's version of
tune2fs command does not support setting the "encrypt" feature of the
EXT4 filesystem.
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Occassionally, the loading the WiFi driver might fail, because of the
MMC node was not correctly initialized.
Fix that by rebinding the MMC node. This fix implements a similar workaround
as in c30b947408.
https://onedigi.atlassian.net/browse/DEL-9083
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
One of the conditions used to determine the U-Boot file was missing its
terminator, breaking the script.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
(cherry picked from commit 26dc437a25)
On devices with NAND as storage media, a post install script
modifies the fw_env.config file basing on the NAND geometry.
This only happens once after deployment, typically on production
environments. If the power is removed soon after the post install
script runs (which is a normal procedure on manufacturing
environments), there are chances that pending file system
operations have not been flushed, which may occasionally lead
to the fw_env.config file end up empty on the next reboot.
This commit adds a sync at the end of the post-install script
to guarantee the changes are written to the file system.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-9059
On new platforms, trustfence will use file-based encryption instead of
full-disk encryption. Add base variables and platform defaults to allow
implementing file-based encryption.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Encrypting boot artifacts impacts the device's boot time, so disable them
by default. It is still possible to enable it in the project's config
file by setting the TRUSTFENCE_DEK_PATH option.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
There is a corner case that wasn't cover by the script, if you
use the script using a -k -t the "-t" would be the name of the
dek.bin.
This new implementation solves the issue.
Signed-off-by: Francisco Gil <francisco.gilmartinez@digi.com>
By default is trying to install an artifact imx-boot--<platform>
if trustfence is not enabled.
Signed-off-by: Francisco Gil <francisco.gilmartinez@digi.com>
Some variables in the script belong to u-boot, not to the shell
running the script. Escape those variables so the shell does not
expand them.
Signed-off-by: Francisco Gil <francisco.gilmartinez@digi.com>
Javier Viguera
Gonzalo Ruiz
Arturo Buzarra
Hector Palacios
Mike Engel
Isaac Hermida
Francisco Gil
Gabriel Valcazar