This commit introduces a custom export_binaries() function to resolve a
deployment issue affecting the final TF-A artifact path. The issue occurs when
the SoC name does not match the TF-A device tree name.
This fix is required due to changes introduced in commit f0b4d0d02a
("ccmp15: enable secure_system_service for CCMP15"), which modified the TF-A
artifact generation process.
https://onedigi.atlassian.net/browse/DEL-9734
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit updates the Digi custom .bbappend recipes for FIP and TF-A to align
with the latest ST BSP release, based on the openstlinux-6.6-yocto-scarthgap-mpu-v25.06.11
tag for Yocto 5.0 (scarthgap).
https://onedigi.atlassian.net/browse/DEL-9734
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit fixes the default secure storage path
to /mnt/data/tee instead of /var/lib/tee. This will
store all secure storage keys in that path and will
keep them even during rootfs updates.
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
Update the STM32MP-specific kernel branch to Linux v6.6.78, aligned with the
latest ST release: openstlinux-6.6-yocto-scarthgap-mpu-v25.06.11.
https://onedigi.atlassian.net/browse/DEL-9734
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
mwifiex driver is not able to automatically download the corresponding
rgpower binary after receiving CountryIE beacon information from country
XX, so we have to do it manually running "iw reg set XX".
However, the driver considers country XX is already configured and
ignores the rgpower download request.
Fix it by not processing the countryIE information in the driver by
adding a patch from NXP that will be integrated in their next
official release.
https://onedigi.atlassian.net/browse/DEL-8974
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
Add service to automatically detect changes in the global regulatory
domain and force a PHY regulatory domain change.
This allows detecting regulatory domain changes based on beacon
information when 802.11d is enabled and instructing the wireless
driver to download the rgpower firmware file corresponding to the
selected country.
If the selected country is not one of the supported ones, Worldwide
rgpower_WW.bin file will be downloaded by default.
Run the check service every 5 seconds through a systemd timer.
https://onedigi.atlassian.net/browse/DEL-8974
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
While on it, remove the third argument to write_artifact_emmc function,
as write access is always needed to write in U-Boot partitions, otherwise
they would be 'ro' protected.
https://onedigi.atlassian.net/browse/DEL-9735
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
Until DEY 5.0, the ccimx6ul platform was the only one that did not include a
`data` partition.
As a result, `cccsd` had to store the client certificate from Remote Manager in
the root filesystem, under `/etc/ssl/certs` by default.
This setup caused issues after a software update, as the received client
certificate would be lost, making the device unable to reconnect to the server
until the certificate was manually reset from Remote Manager.
The same problem occurred in dual-boot systems, since the certificate was stored
in the rootfs of the current bank and was not accessible from the other bank.
To avoid this situation, the ccimx6ul used the `remotemanager.digi.com` endpoint
instead of `edp12.devicecloud.com`, as the former does not support or deliver
client certificates.
Now that DEY 5.0 includes a `data` partition in the ccimx6ul partition table, we
can remove this exception and allow the use of `edp12.devicecloud.com`, storing
the certificates persistently in the `data` partition.
Signed-off-by: Tatiana Leon <Tatiana.Leon@digi.com>
On the multi-MTD layout (default) the 'data' UBI volume is never created
and thus not mounted by the system. This is because with this layout, the
creation of the UBI volume is done by the 'update' command, but nobody
updates this partition cause DEY doesn't generate an image for it.
We want the 'data' UBI volume to be created so that the CC6UL can connect
to the regular Remote Manager URI and store the certificate in it.
As long as a UBI volume is created, Linux will mount it, so this commit
erases the partition and creates the UBI volume.
The same goes for the 'update' partition. The installer was relying on the
recovery mechanism to wipe this partition, but this is not longer required
with UBI. As long as the installer erases the partition and creates the
volume, Linux will be able to mount it, so the boot in recovery mode has
been removed from the script.
Note: the formatting is only done for multi-MTD layout; the ubivolscript
creates all volumes for single-MTD layout.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Set V2 TX power method for regulatory management on the iw612 init
and remove the 'txpwrlimit_cfg' and 'init_hostcmd_cfg' driver
parameters which are only used for V1 TX power method.
This allows the driver to load a specific rgpower_XX.bin binary file
contained in the rootfs whenever command "iw reg set XX" is executed,
updating the TX power settings and allowed frequencies list to those
contained in the file. 'XX' stands for the 2-character ISO3166-1
alpha-2 country code.
If the selected rgpower_XX.bin file does not exist, or no country is
selected, the driver will load rgpower_WW.bin (Worldwide) by default.
https://onedigi.atlassian.net/browse/DEL-8974
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
Do not install 'txpower' and 'rutxpower' files from the Murata repo,
which are used for the V1 TX power method, and replace them with custom
'rgpower' files, required for the V2 TX power method.
These files encode the TxPower limitations obtained during the
ConnectCore 93 Certification tests, and there is one file per supported
country. There is a common file for all the European countries, so
create links for each of them, based on the CEPT REC7003E recommendation.
New 'rgpower' files:
- rgpower_CA.bin (MD5SUM: 7c012351f0521a02e3d78615fed5eb54)
- rgpower_EU.bin (MD5SUM: 4d1a54b3c1f12a7d0bb44d0337786a0b)
- rgpower_JP.bin (MD5SUM: b7706bb2718997d933b2bdf1e53e64b4)
- rgpower_US.bin (MD5SUM: 16555f962b025e0426098decd0147f1f)
- rgpower_WW.bin (MD5SUM: 505223c56527e849d4b1e5800c8613b5)
Take the opportunity to just install bt_power_config scripts and prevent
the installation of other unused files (db.txt, ed_mac_ctrl_V2_nw61x.conf
and regulatory.db) from the Murata repository.
https://onedigi.atlassian.net/browse/DEL-8974
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
The latest X-LINUX-AI v6.0.1 release consolidated the config_board_npu.sh
script across all STM32MP2x platforms with NPU support. As part of this
consolidation, the supported video resolutions were unified under a single
default setting, which does not work correctly with USB webcams.
This commit updates Digi’s custom patch to adjust the internal resolution used
for processing video streams from webcams, ensuring proper support and
functionality.
https://onedigi.atlassian.net/browse/DEL-9721
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Since the release of X-LINUX-AI v6.0.1, AI support has been split between
devices with NPU and those relying solely on CPU. As a result, the Digi custom
patch to enable USB webcam support was no longer applied, because the
config_board_npu.sh script is now handled by the new config-npu.bb recipe.
This commit addresses the issue by introducing a new bbappend for config-npu,
ensuring that the webcam-related patch is correctly applied for NPU-enabled
platforms.
https://onedigi.atlassian.net/browse/DEL-9721
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Commit ac69566ecd mistakenly removed
the command of cc9, cc8x, and cc8m media installers that sets the
variable that contains the U-Boot file to install.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-9720
At the point of saving the bootcmd for the second stage of the install
process we want to use the variable value, not the variable name
since this variable doesn't exist after the environment is reset.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-9711
This commit enables building dey-image-flutter for the ConnectCore MP15
platform. It integrates the necessary configurations to support Flutter-based
graphical applications on this platform.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Systemd-based systems do not use the global /etc/sysctl.conf file. Instead,
they read configuration from individual files under /etc/sysctl.d. This
change installs our sysctl settings as /etc/sysctl.d/console.conf when
systemd is enabled.
For systems that do not use systemd, the configuration file is still
installed at /etc/sysctl.conf. The CONFFILES entry is also updated.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Use the existing uboot_deploy(_spl)_config function to clean up and rework
the symlinks created in the deploy directory.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
On NXP platforms, the signed/encrypted bootloader images are not
included on the installer ZIP. This prevents from using the installer
when TrustFence is enabled.
This commit adds to the installer:
- If encryption is enabled
- encrypted bootloader
- signed bootloader (for USB recovery boot)
- If encryption is disabled
- signed bootloader
- If TrustFence is disabled
- non-signed bootloader
It also treats the ccimx6ul special, as this has a dedicated file for
USB recovery boot.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-9698
This gets substituted when TrustFence is enabled to "signed/encrypted"
or removed when TrustFence is disabled.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Programming an encrypted bootloader can only be done after the
secure keys have been programed on the OTP bits, and the device
has been closed. Programming on an open device would result in a
non-secure configuration or a non-bootable device after the
close operation.
Create functions to detect the current TrustFence status and exit
the install script if the device is open and the artifacts are
encrypted.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-9699
The `-t` option to program images with TrustFence didn't make
much sense because the install script is dynamically generated
at build-time with the name of the boot artifacts containing
"signed/encrypted" on their filenames.
This commit:
- Removes `-t` option to simplify the script.
- Determines if programming a signed/encrypted bootloader by
looking at the bootloader filename.
- For NXP platforms, reworks the function that updates the
bootloader to properly program only-signed bootloaders (currently
wrongly using `trustfence update`)
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
fix missing option to include the required kernel options for tsn support.
That support was added in commit 37f5db42ac for kernel 6.1, but it
was missed for kernel 6.6.
Add the support to include the required fragment, regardless the kernel
version.
While on it, update the tsn config to match kernel 6.6.
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
The vsftpd-cert init script was previously starting too late,
causing vsftpd to start before the certificates were generated.
The priority has been increased (to 70) so that vsftpd-cert
runs earlier during boot.
Signed-off-by: Francisco Gil <francisco.gilmartinez@digi.com>
The default secure storage (/var/lib/tee) is a tmpfs and not persistent
across reboots. Change it to the data partition (/mnt/data/tee) when
TrustFence file system encryption enabled
For the log file, do use the /var/log/ directory instead of default
/data
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-9683
Removed curl_%.bbappend which forced the use of ares over the default
threaded-resolver. We did this customization for NetworkManager long
ago in the context of network failover. Later we dropped it from NM,
but the customization in curl remained.
This saves approx. 100KB in the rootfs (libcares.so).
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
* Disable GTK-based gstreamer player and connman network manager
* Remove matchbox-terminal to avoid pulling ICU
* Avoid pulseaudio client configuration to prevent duplicate instances
Also, delete the autospawn-for-root package config removal in our bbappend,
as that is not enabled by default in the recipe.
https://onedigi.atlassian.net/browse/DEL-9685
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
As the OmniVision OV5640 camera is now deprecated and no longer supported by
most vendors, this commit moves its support to a separate Device Tree overlay,
allowing it to be used if needed.
Instead, the Sony IMX335 MIPI camera is integrated into the default device
tree as the default supported camera for the CCMP25-DVK platform.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
* Y2038: compile pulseaudio and alsa-lib with 64bit time flags
* Add patch to fix playback stuck issues on suspend/resume
https://onedigi.atlassian.net/browse/DEL-9681
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
As of Yocto 5.0, Poky includes an equivalent solution for the Y2038 issue,
so drop the redundant code in meta-digi.
https://onedigi.atlassian.net/browse/DEL-9681
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Moved deploy_symlinks_atf from SYSROOT_PREPROCESS_FUNCS to do_deploy task
to ensure symlinks are created correctly even when rebuilding from the
shared state after a "bitbake -c clean tf-a-stm32mp".
Override do_deploy[sstate-outputdirs] from the original recipe to allow
installing both the deploy artifacts (binaries and symlinks) to the
package deploy directory.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Move the address where the fitImage is loaded after the addresses
where the binaries in it are decompressed. This way, the fitImage
can grow without size restrictions.
The memory map now looks like this:
0xC0000000 Start of memory
|
| (32 MiB)
v
0xC2000000 Kernel loadaddr ($loadaddr)
|
| (32 MiB)
v
0xC4000000 DTB/DTBO load address ($fdt_addr)
| (4 MiB)
v
0xC4400000 Init ram disk ($initrd_addr)
|
|
| (64 MiB)
|
v
0xC8400000 ZIP/fitImage address ($fit_addr_r)
|
~
|
v
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
On the CCMP13 platform, the inclusion of pam_systemd in the PAM stack
causes excessive delays during login -close to 10 seconds- and can
even lead to SSH login failures.
Since we do not require per-user systemd services (--user), disable
the pam_systemd session module to improve login responsiveness.
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
- The TF-A binaries now have ${BOOTSCHEME_DEFAULT} in them (optee or
opteemin)
- The FIP binaries now have ${BOOTSCHEME_DEFAULT}-sdcard in them
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-9678
The login prompt appears before Wayland is fully initialized and
has created a wayland socket.
Logging in too early as root in this scenario caused the
WAYLAND_DISPLAY environment variable to be left empty. As a
consequence, gstreamer failed to use waylandsink to print contents
in the display.
Introduce a 10-seconds polling loop to wait for the wayland socket to
be available before proceeding with the login.
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
This commit enables SSL/TLS support in vsftpd, allowing FTP communications to
be encrypted for improved security.
SSL/TLS support is enabled by default, but to preserve compatibility with
clients that do not support encrypted connections, this feature can be disabled
at runtime. Users can simply comment or uncomment a few lines in the
`vsftpd.conf` configuration file to toggle the behavior.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Arturo Buzarra
Mike Engel
Gonzalo Ruiz
Isaac Hermida
Francisco Gil
Hector Palacios
Tatiana Leon
Javier Viguera