The `-t` option to program images with TrustFence didn't make
much sense because the install script is dynamically generated
at build-time with the name of the boot artifacts containing
"signed/encrypted" on their filenames.
This commit:
- Removes `-t` option to simplify the script.
- Determines if programming a signed/encrypted bootloader by
looking at the bootloader filename.
- For NXP platforms, reworks the function that updates the
bootloader to properly program only-signed bootloaders (currently
wrongly using `trustfence update`)
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
The USB and SD installers are U-Boot scripts that are practically
identical.
Merge them into a single template with a couple of machine variables that
determine the default device index in U-Boot for the USB or the microSD
card.
Do dynamic substitutions to create the two installers out of the template.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
The installer uses the regular rootfs filename or falls back to search
for a squashfs (read-only) rootfs image.
The UUU installers of eMMC-based platforms use an if/elif/else structure
to determine which file exist (in order of preference). Replicate this
structure on the rest of platforms and installers.
This avoids printing an error message if the default rootfs does not exist
but the read-only one does.
Also, reset 'rootfstype' variable if the default rootfs file exists, which
allows to install regular images over a previous read-only system.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
This commit fixes the rm command in the adapt_uboot_filenames function to
prevent build failures when the target artifact does not exist, ensuring the
operation is safe in all cases.
https://onedigi.atlassian.net/browse/DEL-9634
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Since commit 29d32063ac0abb1017756f62f94aec22ce305b60 ("u-boot: kernel-fitimage:
Fix dependency loop if UBOOT_SIGN_ENABLE and UBOOT_ENV enabled") in Poky layer,
the `kernel-fitimage` and `uboot-sign` classes are no longer explicitly
dependent. This change introduced a race condition when inserting the signed
RSA keys into the U-Boot DTB for FIT image verification.
This commit introduces a new step for `do_uboot_assemble_fitimage`, which is
now responsible for injecting the keys into the U-Boot DTB. This logic was
previously handled in the Linux kernel recipe via the `do_assemble_fitimage`
function in previous Yocto versions.
Additionally, a build-time dependency is added between the `do_uboot_assemble_fitimage()`
function and the kernel's `do_kernel_generate_rsa_keys()` task, which is
responsible for generating the RSA keys used to sign the FIT image.
https://onedigi.atlassian.net/browse/DEL-9634
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
There are several recipes in meta-digi related to features that we haven't
tested in a long time and don't appear in the DEY 5.0 documentation. Remove
them to avoid unexpected behavior.
Said features are:
* Coral TPU support (only supported in DEY 3.2)
* AWS support (removed from default images and docs in DEY 4.0)
* dey-image-tiny (hasn't been maintained since DEY 2.0)
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Add the following countries to the CLM Blob file:
- Brazil
- Mexico
- Saudi Arabia
- Hong Kong
- Singapore
- Malaysia
- Taiwan
- Korea
This is the new World CLM Blob file:
- cyfmac4373-sdio_World.clm_blob (11d5fab6659eff491aca1a219ad33b00)
https://onedigi.atlassian.net/browse/DEL-9438
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
This overlay contains a workaround to make the USB-OTG
work as USB device when connected to a host.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-9610
(cherry picked from commit ec92f5fdd10a61e37ac3778d0d3aa1816bc6b0aa)
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
This commit updates the firmware binaries for Bluetooth and Wireless interfaces,
aligned with the Cypress Linux WiFi Driver (FMAC) release v6.1.97-2025_0219.
The updated wireless firmware versions are as follows:
- 2FY Wireless chip: v28.10.387.16
- 2AE Wireless chip: v13.10.246.356
These updates are included as part of the imx-scarthgap-jaculus_r1.1 Murata release.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit updates the installer scripts to support CCMP1 platforms under
Yocto 5.0, aligning them with the current behavior used for CCMP2.
Changes include:
- Adding support for the metadata partition, which is now required
- Including the optee/opteemin flavors in boot artifact filenames
- Ensuring the script structure and logic remain consistent with CCMP2 install scripts
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
The binaries of certain recipes use 32-bit APIs (ioctl, stat) that produce
build warnings. Add INSANE_SKIP to prevent the warnings.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
The function had into account the memory variants when copying U-Boot
device trees, but not the U-Boot binaries themselves.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Both boot artifacts now use the same signed label, so this commit removes
unnecessary logic and updates the UUU install script to support the new boot
artifact naming. It also fixes the detection of signed artifacts by checking
for the presence of the FIP artifact, instead of relying on a U-BOOT artifact
that does not exist on this platform.
https://onedigi.atlassian.net/browse/DEL-9442
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit updates the trustfence-stm-signtools package with the latest
versions from the STM32 MPU ecosystem v6.0:
- STM32MP_KeyGen_CLI v2.19.0
- STM32MP_SigningTool_CLI v2.19.0
These tools are deployed as part of STM32CubeProgrammer v2.19.0, adding support
for STM32MP2x processors.
https://onedigi.atlassian.net/browse/DEL-9442
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Assignment of variable 'force_erase' was done without escaping quotes
which led to wrong assignment and the script not forcing the erasure of
NAND partitions.
While on it, remove it from ccmp1 scripts where its use makes no sense
as the 'ubivolscript' script takes care of erasing the partitions.
Signed-off-by: Francisco Gil <francisco.gilmartinez@digi.com>
(cherry picked from commit 96e1e8351d)
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Assignment of variable 'force_erase' was done without escaping quotes
which led to wrong assignment and the script not forcing the erasure of
NAND partitions.
While on it, remove it from ccmp1 scripts where its use makes no sense
as the 'ubivolscript' script takes care of erasing the partitions.
Signed-off-by: Francisco Gil <francisco.gilmartinez@digi.com>
This commit updates several binaries, including the NVRAM and Bluetooth patch
file, based on the latest Murata release imx-scarthgap-jaculus_r1.0. This release
is still based on the Cypress Linux WiFi Driver (FMAC) v6.1.97-2024_1115
(Wireless firmware v28.10.387.10), keeping the wireless firmware unchanged.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Device tree overlays now have the extension 'dtso' that
distinguishes them from board 'dts' files, so there is
no need for a prefix '_ov_' to tell if a file contains
a DT overlay.
To make them shorter and easier to tell the platform they
are for, change the filename format to:
<platform-name>_<functionality>.dtso
where <platform-name> can be the name of the SOM or the
name of the DVK, so there is no need either to specify
'som' or 'board' on the filename.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
bluez5-init is a Digi custom recipe to collect the init script
needed to bring up the specific platform bluetooth hardware.
CCMP1s do not require any bluetooth init extra action.
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
The BT interface initialization is occasionally failing with the hci0
interface not being fully up.
Adding the retry solves all those initialization failures.
https://onedigi.atlassian.net/browse/DEL-9287
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
Based on the boot schemes and sources supported for each platform, the boot
artifacts now include this information in their filenames. This commit updates
the filenames accordingly in several recipes.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit updates the required firmware binaries for Bluetooth and Wireless
interfaces and the Murata firmware repositories to match with the latest Murata
release imx-scarthgap-jaculus_r1.0, which is based in the Cypress Linux Wifi
Driver (FMAC) release v6.1.97-2024_1115 (Wireless firmware v28.10.387.10).
https://onedigi.atlassian.net/browse/DEL-9426
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Update ccmp2 platform to use the latest U-Boot v2023.10 based on the
openstlinux-6.6-yocto-scarthgap-mpu-v24.11.06 tag for Yocto 5.0 (scarthgap).
https://onedigi.atlassian.net/browse/DEL-9381
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit changes the audio card name for the
asound configuration and state of the following
platforms:
* CCiMX8X
* CCiMX8M
* CCiMX6UL
https://onedigi.atlassian.net/browse/DEL-9005
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
Now that the tool supports OpenSSL 3.2.3, the same version provided by Yocto
5.0 poky, we can simply use the regular Yocto version of the package and link
to it dynamically instead of building a separate version specific for the tool.
Reflect this change in the recipe and include the new binary "mac_dump" in the
package.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
An internal build of openssl is compiled as part of the cst build process,
which is later linked statically to the tool. When building the nativesdk
version of cst, openssl's internal "Configure" tool chooses Yocto's nativesdk
compiler for its compilation (x86_64-deysdk-linux-gcc). However, cst's Makefile
uses host tools by default, meaning it will compile its C files with the host's
gcc and link the final binary with the host's ld. This can lead to errors due
to the Yocto nativesdk compiler including symbols in the openssl libraries that
are unknown to the host's linker.
For example, when attempting to build nativesdk-trustfence-cst in Yocto 5.0 on
Ubuntu 2020.04, the following linker error appears multiple times:
undefined reference to `__isoc23_strtol'
Fix this by making sure cst uses the same toolchain as the one used when
building the internal openssl libraries (and ultimately, when the final binary
is linked together). This doesn't affect the native version of cst, which uses
the host's toolchain.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Our distribution is Digi Embedded Yocto (DEY), so use that to mark the
upstream status of the patches in our layer.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Our do_install() places all firmware files inside of the path in the
{base_libdir} variable, but we were hardcoding /lib in FILES. This is an issue
when using the usrmerge distro feature, because {base_libdir} becomes /usr/lib
instead of /lib. This was causing these recipes to fail.
Fix this by using {base_libdir} in FILES so that it matches do_install().
https://onedigi.atlassian.net/browse/DEL-9011
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
These patches were originally backported from U-Boot v2023.07, and now that
u-boot-tools is using v2024.01, they are no longer needed
https://onedigi.atlassian.net/browse/DEL-9011
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This commit changes the linux and recovery UUID when booting
the system in single mode.
https://onedigi.atlassian.net/browse/DEL-9244
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
Some settings were incorrectly set. Align the card settings with the
same values used in our other platforms.
https://onedigi.atlassian.net/browse/DEL-8703
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
Based on the environment variable emulate-cc91:
* Limit the ram memory to 512MB
* Enable the overlay _ov_som_emulate-ccimx91_ccimx93.dtbo
* Disable the npu node
Signed-off-by: Francisco Gil <francisco.gilmartinez@digi.com>
Both CC93 and CCMP2 store the environment at the end of BOOT1 partition
and the redundant environment at the end of BOOT2 partition. Reuse the
'fw_env.config' file defined for CC93 for both platforms, and also include
CC91 in the process.
https://onedigi.atlassian.net/browse/DEL-9119
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
In CCMP2 the HWID is stored in 3 consecutive fuse words, now the third word has
the following scheme:
| 31..18 | 17 | 16 |15..12| 11..7 |6..3| 2..0 |
+--------+----+-------+------+---------+----+------+
| -- | BT | Wi-Fi | RAM | Variant | HV | Cert |
+--------+----+-------+------+---------+----+------+
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
The main recipe already contains this file on the SRC_URI.
No need to append for every platform.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Add initial support cloned from ccmp15, based on v2022.10 from STM release
openstlinux-6.1-yocto-mickledore-mp2-v23.12.06.
https://onedigi.atlassian.net/browse/DEL-8995
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commits adds the CCMX91 platform to the DEY
build system. Furthermore, it creates generic ccimx9
support to be used for the CCiMX91 and CCiMX93
platform.
https://onedigi.atlassian.net/browse/DEL-9106
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
When running the installation script on variants with larger NANDs, two of the
script's commands take longer than our intended timeouts under specific
circumstances:
* When the variant has a NAND with 512 MiB or more and singlemtdsys is set
to "yes", running ubivolscipt takes longer than our 10 second timeout.
The larger the NAND storage size, the longer this command takes.
* When the variant has a 1 GiB NAND, singlemtdsys is set to "yes" and
dualboot is set to "no", the update of the recovery UBI volume takes
longer than our 15 second timeout.
In both of these cases, the script fails and the installation process cannot
continue. Apply the following changes to prevent this:
* Increase the ubivolscript timeout from 10 seconds to 30
* Increase the recovery update timeout from 15 seconds to 20
Also, remove the command immediately before ubivolscript is run, since said
command is already being run at the beginning of ubivolscript.
https://onedigi.atlassian.net/browse/DEL-9097
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
One of the conditions used to determine the U-Boot file was missing its
terminator, breaking the script.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
(cherry picked from commit 26dc437a25)
On devices with NAND as storage media, a post install script
modifies the fw_env.config file basing on the NAND geometry.
This only happens once after deployment, typically on production
environments. If the power is removed soon after the post install
script runs (which is a normal procedure on manufacturing
environments), there are chances that pending file system
operations have not been flushed, which may occasionally lead
to the fw_env.config file end up empty on the next reboot.
This commit adds a sync at the end of the post-install script
to guarantee the changes are written to the file system.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-9059
There is a corner case that wasn't cover by the script, if you
use the script using a -k -t the "-t" would be the name of the
dek.bin.
This new implementation solves the issue.
Signed-off-by: Francisco Gil <francisco.gilmartinez@digi.com>
By default is trying to install an artifact imx-boot--<platform>
if trustfence is not enabled.
Signed-off-by: Francisco Gil <francisco.gilmartinez@digi.com>
Some variables in the script belong to u-boot, not to the shell
running the script. Escape those variables so the shell does not
expand them.
Signed-off-by: Francisco Gil <francisco.gilmartinez@digi.com>
The command trustfence update doesn't require the partition argument.
Besides of that, remove extra fi on the cc8m platforms.
Signed-off-by: Francisco Gil <francisco.gilmartinez@digi.com>
* Move Digi code out of the upstream files to minimize conflicts in
version migrations.
* Remove all the TEE client copied code and use the libteeclient library.
* Some fixes in the Optee-based environment encryption
* Some simplifications in CAAM-based environment encryption.
https://onedigi.atlassian.net/browse/DUB-1079
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
At the moment, this overlay adds RTC calibration to compensate
the drift observed in the 32kHz input frequency of hardware
version 1 of the SOM.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-8987
Update BDF file used on CC8MN and CC8MM with a new calibration
(GOLDEN3) to obtain a flatter frequency response and a better EVM
performance.
Reference calibration file is obtained from 'qca6574au-le-2-2-2_qca_oem'
repo at tag 'r00005.1' under path
'wlanfw/cnss_proc/wlan/fw/target/sdio_dst/qc6174/bdwlan30.bin'
(MD5SUM: 8a40d95698825e1718bee640b1f7982a).
Target output powers tables and CTL tables remain intact.
Changes required to pass the EN 300 328 V2.2.2 blocking test also remain
intact.
New BDF file:
- bdwlan30_US.bin (86180198440e6ab53734aabf0112c6ba)
https://onedigi.atlassian.net/browse/DEL-9001
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
Hector Palacios
Arturo Buzarra
Javier Viguera
Gabriel Valcazar
Gonzalo Ruiz
Isaac Hermida
Francisco Gil
Mike Engel