On systems with a single MTD system partition and multiple UBI
volumes, the initramdisk doesn't mount the 'update' partition
because mdev rules only trigger events for MTD partitions.
This commit adds a rule to trigger an event for every /dev/ubi0_x
(every UBI volume on ubi0 device) and call the new automount_ubi.sh
script. The script checks if the volume is called 'update' and if
so, it creates /mnt/update mountpoint and mounts the volume.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-8297
(cherry picked from commit df9c622b1bf0a7307c61deda12cf1f67d4f630f0)
(cherry picked from commit 8b8f9560af)
Add a new parameter '-i' to update-firmware to let the user
select a specific image_set of the sw-description file to
use during the swu update.
This allows adding different image_sets on the sw-description
and reduce the number of images to build. It also adds more
future-proof flexibility.
Signed-off-by: Tatiana Leon <Tatiana.Leon@digi.com>
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-8199
In previous line we are launching the mdev in daemon mode. One of the
first tasks the daemon mode performs is a cold scan, so there is no need
to repeat it afterwards.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
There is a problem when building the SDK because two binaries
have the same name (update-firmware) and makes the compilation
to fail.
Change the name to update-firmware.recovery and create a wrapper
over the update-firmware to check if the system is not dual boot
to call it.
Rework the code to make it more reliable.
Remove the umount of the alternative linux partition, now it is
not needed because only the active linux partition is mounted now.
Signed-off-by: Francisco Gil <francisco.gilmartinez@digi.com>
Now in the file descriptor we have three different names:
platform, primary and secondary.
Also a link from 'platform' to 'single' to keep backward
compatibility.
Signed-off-by: Francisco Gil <francisco.gilmartinez@digi.com>
As a result of the dualboot support we may end up with two
'update-firmware' commands in the rootfs. To prevent file name clashing,
we may need to install the recovery-utils update-firmware as
update-firmware.recovery, and then the current command mode check would
fail.
Relax the check, by just looking at the first character.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
The common license file GPL-2.0 is now called GPL-2.0-only in poky, so we need
to reflect this name change to avoid errors
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
The nand devices doesn't need to call the mount_cryptrootfs
script.
Reported-by: Francisco Gil <francisco.gilmartinez@digi.com>
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Since commit 11558352 ("swu-images: add "installed-directly" flag to
sw-description") the swu package images are streamed into the target without
any temporary copy to support devices with low memory available, that forces a
different order according with the swupdate documentation because scripts
should packed before the rest. This means that all the pre, post and shell
scripts will be executed after the images will be installed. This behavior
breaks the current support to mount the cryptorootfs node before install an
encrypted rootfs.
This commit moves the shell script to mount the cryptorootfs node to the
recovery initramfs and modifies the swupdate command line to call the shell
script before the images installation.
https://onedigi.atlassian.net/browse/CC8X-320
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Since we added support for compressing rootfs images, we need to manage SWU
packages with a regular rootfs image and with compressed images. That support
was missing in the identification process when the SWU packet was verified.
This commit fixes the identification of compressed rootfs images.
https://onedigi.atlassian.net/browse/CC8X-320
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
The latest version of psplash changed the default path to store the
communication FIFO with other processes to "/run" to allow keeping the
information between reboots, however we are using this tool from an initramfs
where "/run" does not exist, producing multiple errors trying to write to a
nonexistent path, delaying the update process.
This commit forces psplash to use an existing path like "/tmp" to handle the
communication FIFO, because we don't need to maintain the update information.
https://onedigi.atlassian.net/browse/CC8X-318
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
The latest version of psplash changed the default path to store the
communication FIFO with other processes to "/run" to allow keeping the
information between reboots, however we are using this tool from an initramfs
where "/run" does not exist, producing multiple errors trying to write to a
nonexistent path, delaying the update process.
This commit forces psplash to use an existing path like "/tmp" to handle the
communication FIFO, because we don't need to maintain the update information.
https://onedigi.atlassian.net/browse/CC8X-318
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Adapt the format_ubi_volume() function to wipe out UBI volumes
instead of formatting MTD partitions.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-7614
The function uboot_getenv() is a wrapper over libuboot_get_env() and
requires that the returned strings are freed when no longer in use.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-7645
(cherry picked from commit 27ce7a4f20)
- The function is only used internally in this file, so make it static.
- Convert the function from 'int' to 'bool', since no other values are
evaluated.
- Only return true if the variable 'dualboot' is set to 'yes'. Before,
the function returned true if 'dualboot' was different than 'no'.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
(cherry picked from commit 9a519570ba)
The use of this function, which is a wrapper over libuboot_get_env(),
requires checking if the returned string is NULL.
Manipulations of such string without checking whether it's NULL may lead
to segfault errors.
This was seen during firmware update on a device that didn't have the
'dualboot' variable set.
Reported-by: Chandrababu Pigilam <chandrababu.pigilam@digi.com>
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-7645
(cherry picked from commit 8a4484bbd6)
The function uboot_getenv() is a wrapper over libuboot_get_env() and
requires that the returned strings are freed when no longer in use.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-7645
- The function is only used internally in this file, so make it static.
- Convert the function from 'int' to 'bool', since no other values are
evaluated.
- Only return true if the variable 'dualboot' is set to 'yes'. Before,
the function returned true if 'dualboot' was different than 'no'.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
The use of this function, which is a wrapper over libuboot_get_env(),
requires checking if the returned string is NULL.
Manipulations of such string without checking whether it's NULL may lead
to segfault errors.
This was seen during firmware update on a device that didn't have the
'dualboot' variable set.
Reported-by: Chandrababu Pigilam <chandrababu.pigilam@digi.com>
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-7645
This commit add a verification into the recovery library to avoid
that it is executed when in dualboot mode.
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
https://onedigi.atlassian.net/browse/DEL-7580
(cherry picked from commit 30aa4a7444)
This commit add a verification into the recovery library to avoid
that it is executed when in dualboot mode.
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
https://onedigi.atlassian.net/browse/DEL-7580
'mdev -s' run on ramfs initialization is able to mount external media already
detected but fails to automatically mount any media detected afterwards.
Running it as a daemon first it will also be able to mount any media detected
after 'mdev -s' is run.
Use argument '-d' to first run mdev as daemon in background.
Move 2 seconds delay to after mdev has been initialized to give external
hardware all the time possible to be successfully detected and mounted.
https://onedigi.atlassian.net/browse/DEL-7285
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
This commit adds some swupdate parameter to select the sw-description
configuration depending on the used platform.
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
Technically, partition unencryption is safe to do in open devices, although it
implies that at least one partition has already been encrypted. If we aren't
going to encrypt any partitions, there's no need to print the warning.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Instead of checking for the existence of /proc/mtd, which might lead to false
positives, check the "root" parameter in /proc/cmdline. Assume eMMC in case of
any error.
https://onedigi.atlassian.net/browse/DEL-7539
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
In the libubootenv implementation of fw_setenv, multiple variables can be set
in one call. When setting a variable with a space-separated list, the app
interprets the list as new variable/value tuples, for example:
fw_setenv myvar value1 value2 value3
Results in:
myvar=value1
value2=value3
This was causing the encrypted eMMC partition mechanism to break, because the
list of encrypted partitions is stored as a space-separated list in an
environment variable. Avoid this by enclosing the variable argument of
set_uboot_var() with double quotes.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Before using the encrypted partition functionality, users have to manually
install the encryption key in the system. Failing to install said key will
result in errors later on.
Even though the installation isn't a difficult operation from a user's point of
view, the recovery script has the necessary logic to detect cases where a
partition is going to be encrypted with no key installed. Automatically
generate a key in these cases to avoid undesired behavior and to improve the
overall user experience.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
If we trigger a key change while there are partitions that are encrypted,
print a warning and ask for confirmation so users know that the operation will
erase the contents of said partitions.
Like in the partition (un)encryption mechanism, add the possibility to skip
both the warning message and the confirmation prompt.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
If we allow users to manually change the encryption status of the rootfs
partition, we run the risk of wiping it without flashing a proper replacement
image. Because of this, rootfs encryption status should be determined
automatically using information from the update package.
Have the recovery script parse the update package's description to determine
whether to encrypt the rootfs or not.
https://onedigi.atlassian.net/browse/DEL-7174
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This partition isn't blacklisted, but it should only be (un)encrypted when
providing an update package. Make it so that manual encryption status changes
for this partition aren't possible from the recovery library.
https://onedigi.atlassian.net/browse/DEL-7174
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Since the update partition might be involved during a software update, we need
to make sure that its contents are accesible and safe when using the partition
encryption feature at the same time.
Mount and unmount the partition correctly if it's encrypted and cancel any
operations that will result in the deletion of the update package.
https://onedigi.atlassian.net/browse/DEL-7174https://onedigi.atlassian.net/browse/DEL-7422
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Add a new function to the recovery library to be able to encrypt/unencrypt any
partition on the internal storage media. Since it's a destructive operation,
add a warning message and a confirmation prompt that can be skipped if needed.
Reflect this new functionality in the recovery-reboot app. Change the logic so
that an encryption key can be set even if there's no update package, because
now it's possible to encrypt other partitions while leaving the rootfs intact.
Also change the logic so that the app doesn't reboot into recovery mode if
there's no recovery command set.
Implement the same blacklist as the one in the recovery script.
https://onedigi.atlassian.net/browse/DEL-7174
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Modify the recovery and trustfence initramfs scripts to be able to encrypt any
partition on the internal storage media, not just the rootfs.
To implement this functionality, add a new recovery command called
'encrypt_partitions'. When used, this command must contain a comma-separated
list of the partitions that are to be encrypted by the end of the recovery
process, including partitions that were already encrypted beforehand. Any
partition that isn't in the list will be unencrypted. If the command is absent,
no changes will be made, but it's possible to pass an empty command to
unencrypt all partitions.
Include a blacklist to avoid encrypting partitions that shouldn't be encrypted,
such as partitions that need to be accessed by the ROM code/U-Boot or
partitions that contain encryption keys.
While at it, remove unnecessary "get_kernel_version" function from the script.
https://onedigi.atlassian.net/browse/DEL-7174
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Modify the recovery-utils code to reflect the change (change in C header and
linked libraries)
https://jira.digi.com/browse/DEL-7410
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
The old fsl_otp driver is deprecated and we need to determine
if the device is closed using a new property of the device tree
called 'digi,tf-closed'.
Assume the device is open if the property is not found.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://jira.digi.com/browse/DEL-7185
(cherry picked from commit fc1a736758)
By default, we generate SWU files which update both the linux and rootfs
partitions. This, along with the fact that platforms using NAND as the storage
media require a reboot for the rootfs partition's "enc" flag to take effect,
makes it safe to format the NAND's rootfs partition before performing an
update, regardless of having to encrypt the rootfs or not.
However, customers that wish to use the swupdate feature to update just the
linux partition will find that the rootfs is completely erased after the update
is finished, because a new rootfs hasn't been written in its place.
To avoid this scenario, parse the SWU package's description to verify that it
contains a rootfs image before formatting the partition.
https://jira.digi.com/browse/DEL-7067
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Busybox's device manager mdev was originally meant to be set up by writing its
path to /proc/sys/kernel/hotplug before launching it, but that entry no longer
exists in Linux v5.4's procfs and mdev can be launched directly.
Since mdev is the element in the recovery initramfs that is in charge of
mounting all partitions where .swu packages can be found (update partition on
the eMMC/MTD, uSD and USB), checking for the existence of the hotplug entry in
the procfs before launching mdev in v5.4 was preventing the partitions from
being mounted, and causing all software updates to fail.
While at it, move the two second delay to before mdev is launched, so all
partitions can be mounted. Otherwise, some devices such as the USB might not
be ready when mdev is launched, causing its partition to not be mounted.
https://jira.digi.com/browse/DEL-7143
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
* prefix TRUSTFENCE_ to variable SIGN_MODE for DEY
* prefix CONFIG_ to variable SIGN_MODE for script
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Commit 074e3ba3 ("meta-digi-dey: add cryptsetup tool into initramfs") added
the runtime dependency to cryptsetup for all platforms, but it is
required only to encrypt/decrypt block devices.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Hector Palacios
Tatiana Leon
Javier Viguera
Francisco Gil
Gabriel Valcazar
Arturo Buzarra
Mike Engel
Gonzalo Ruiz