Optee-client provides the TEE Client API as defined by the GlobalPlatform TEE standard.
It is required to communicate with a Trusted Application (TA) running in a Trusted OS.
https://onedigi.atlassian.net/browse/DEL-8970
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Several things were wrong after the latest update to version 4.0: the
tee-supplicant path, some settings in the systemd unit, etc.
This commit fixes the installation so the optee test suite completes again.
https://onedigi.atlassian.net/browse/DEL-8989
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Add a check on the existence of the "temp-fitimg-loaded" environment
variable before setting it. It is needed, as with encrypted FIT images,
we need to decrypt them before accessing the boot script. In such cases,
u-boot sets that variable to "no" so the boot script does not override it,
and the FIT image is loaded again before the final boot to the OS.
https://onedigi.atlassian.net/browse/DEL-8945
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
The signing tools have a dependency of libQt5Core.so.5, which implies that this
library must to be installed on the native PC. This commit includes all the
required shared libraries for the signing tools inside the own package to avoid
external dependencies. With this change there is not needed any more the qtbase
dependency at build time.
Package version has been bumped to 1.2.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit fixes the set_fip_sign_key() function to match the new keys format
where there is a key_pass file for each key, no longer needing to search with
the key index.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit fixes a race condition where, if you have an existing PKI tree with
the new format (one key_pass file for each key), the script detects that the
PKI tree is incomplete because it is always trying to find the key_pass.txt
file with the old format. This commit adds an additional validation step to
verify the new keys format.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
- For Qualcomm QCA65x4 platforms:
Add support to create the 'World' board data file for the QCA65x4 Wi-Fi
chip to operate on World regulatory domain.
Kernel wireless driver already supports selecting the correct file based
on the configured Regulatory Domain via Kernel command line argument
'wlan.regdmn', which allows the following parameters:
* "US", for U.S.A. (default)
* "World", for worldwide
- For Murata type2AE platforms:
Add World CLM blob file for the wireless interface and JRL hcd file for
the Bluetooth interface. Also add the autocountry ininitialization script
and systemd service.
World CLM blob file:
- cyfmac4373-sdio_World.clm_blob (1abe7f3fa86d4123b0586cbbf0ec91ac)
Kernel wireless and bluetooth drivers already support selecting the correct
files based on the configured Regulatory Domain via Kernel command line
arguments 'brcmfmac.regdmn' and 'btbcm.regdmn' respectively, which allow the
following parameters:
'brcmfmac.regdmn':
* "US", for U.S.A. (default)
* "World", for worldwide
'btbcm.regdmn':
* "FCC.CE", for U.S.A., Europe and the rest of the world (default)
* "JRL", for Japan
https://onedigi.atlassian.net/browse/DEL-8905
Co-authored-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Different mechanisms are used to sign FIT images on the ccmp1 platforms and the
ccimx93, and we manage each mechanism via a different variable. The variable
names don't really reflect which platform they affect, which makes maintenance
harder.
Rename the variables so that it's easier to identify the platforms/vendors they
affect:
* Replace TRUSTFENCE_FIT_IMG with TRUSTFENCE_SIGN_FIT_STM
* Replace TRUSTFENCE_SIGN_FIT_ARTIFACT with TRUSTFENCE_SIGN_FIT_NXP
Don't rename TRUSTFENCE_FIT_IMG_SIGN_KEYNAME
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Unless we have a use case in which we need to apply these fragments separately,
we can merge them both into a single fragment.
https://onedigi.atlassian.net/browse/DEL-8946
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This logic was fixed in commit e915a14b4b, so we
no longer have to manually copy the bootscript to generate FIT images.
https://onedigi.atlassian.net/browse/DEL-8946
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
We rely on FIT support to implement boot artifact authentication on ccmp1
platforms, but our implementation made it impossible to enable FIT support
outside of the context of Trustfence/secure boot.
Change this so that it's possible to enable FIT support without having to sign
the FIT artifacts. Also, modify the linux-dey 5.15 recipe so that the U-Boot
DTBs with signatures get copied only when FIT signing is enabled.
https://onedigi.atlassian.net/browse/DEL-8946
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This commit updates the required firmware binaries for Bluetooth and Wireless
interfaces, hostapd and wpa_supplicant recipes based on the Cypress Linux WiFi
Driver (FMAC) release v5.15.58-2023_1128 (Wireless firmware v13.10.246.334).
This change also includes a custom defconfig file for the hostapd and
wpa_supplicant recipes including the changes from the patches and the Digi
customizations.
Also are updated the Murata firmware repositories to match with the latest
Murata release imx-kirkstone-hedorah_r1.0, which is based in the same Cypress
Linux Wifi Driver release v5.15.58-2023_1128.
https://onedigi.atlassian.net/browse/DEL-8667
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
The standard string split() function does not support splitting a string
by spaces but preserving quoted strings, so it does not work for build
options disabling functionality, as they have this format:
"# CONFIG_OPTION is not set"
On the other hand, the "shlex" module provides a split function that
allows splitting strings by spaces and, at the same time, preserves
quoted strings.
In Trustfence, we need this functionality to disable default options that
would allow the booting of non-authenticated images.
https://onedigi.atlassian.net/browse/DEL-8704
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
The script to sign the boot artifacts lacked the support to configure the
revocation mask. The at-the-moment supported platforms did not need it,
but the ccimx93 does need it, so implement it in this commit.
https://onedigi.atlassian.net/browse/DEL-8704
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
With the introduction of the ccimx93 support in the following commits, the
srktool parameters not only differ for HAB/AHAB devices but also between
devices using AHAB (for example, different parameters for ccimx8x and
ccimx93). Thus, move this information to the platform-specific data table.
https://onedigi.atlassian.net/browse/DEL-8704
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
It is a cosmetic change, as there is no change in functionality, but
convert the if..elif..fi structure to a table with the platform-specific
data, so it's easier to maintain and extend.
https://onedigi.atlassian.net/browse/DEL-8704
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
expand the docker defconfig excerpt to add more default options, as some
of them might be enable in some platform defconfigs but not in other ones,
so just set all of them, as it is safe, and nothing happens if they are
already set in the original default defconfig.
To check if all LXC/docker options are enabled for a kernel,
run lxc-checkconfig in the system.
https://onedigi.atlassian.net/browse/DEL-8924
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
When we use a fitImage kernel type, all the boot artifacts are inside the
FIT image, so there is no need to add them to the boot image additionally.
We were using TRUSTFENCE_FIT_IMG to do this filtering, which uses
a fitImage kernel type underneath. This commit uses KERNEL_IMAGETYPE
instead, as this way, we can use kernel FIT images out of Trustfence and
still prevent polluting the boot images with not-needed artifacts.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Other recipes may access SYSROOT_DIRS content by adding a dependence
on do_populate_sysroot.
We need this specific directory for the kernel fitImage support.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
This update fixes an initialization issue with devices without HWID programmed.
https://onedigi.atlassian.net/browse/DUB-1066
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit fixes a build issue when this script is installed but not shipped
in the u-boot-tools package.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Not only install the US but all the FW files.
Apart of that, some scripts need a little adjustement such as:
* Modify the BT baudrate to 3Mbps for EU power configuration, as it is the
baudrate used by the btnxpuart driver.
* Replace the way to reset the interface on each hcitool command to
avoid missleading BT behaviour.
https://onedigi.atlassian.net/browse/DEL-8458
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
This commit implements the support to sign the different memory configurations for
the CCMP1 platforms, when trustfence is enabled, using FIT images.
https://onedigi.atlassian.net/browse/DEL-8752
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit implements the support to allow different memory configurations for
the CCMP1 platforms, adding support to 512MB and 1GB memory variants for the CCMP15.
https://onedigi.atlassian.net/browse/DEL-8752
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Command 'bootz' allows boot unsigned Linux zImages, so disable it when secure
boot is enabled using FIT images.
https://onedigi.atlassian.net/browse/DEL-8769
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Replace the US-only default CLM blob with the latest one, generated by
Infineon based on the results from Digi Certification of the CCMP1.
New file:
- cyfmac4373-sdio_US.clm_blob (92225a8bccf0c7c9d7df6cdd64670fa1)
https://onedigi.atlassian.net/browse/DEL-8598
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
Some minor fixes:
* return error code if installation fails
* cosmetic: update comment with options
* just exit after error and do not execute boolimit command
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
Murata provides this FW recipe for the infineon chip on the ccmpx products.
Now we are going to have more FW provided by Murata, but for other chips
which recipe is completely different.
Therefore, rename the recipe to explicitily indicate the FW it provides.
https://onedigi.atlassian.net/browse/DEL-8458
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
This is an NXP change that reverts a mainline weston commit form v9.0.0, in
which the mouse cursor only gets activated when there is mouse movement. This
change was only being included in the weston v10.0.X i.MX forks.
For platforms that don't use these weston forks (ccimx93 uses the v11.0.X fork
and ccmp15 uses mainline weston), the mouse cursor doesn't load right away when
booting the system, which causes apps that are automatically launched (such as
the LVGL demo) to not register the mouse, rendering said apps unresponsive to
it.
Port NXP's change to all of the weston versions we currently use to avoid this
problem.
https://onedigi.atlassian.net/browse/DEL-8865
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Arturo Buzarra
Javier Viguera
Mike Engel
Gabriel Valcazar
Gonzalo Ruiz
Isaac Hermida