NXP's machine learning packagegroup now has a dependency for gst-shark, a GPU
profiling tool which is provided by this layer. Since it's a part of a repo
that already exists in our manifest, simply add it to the default layers of all
i.MX platforms that support the machine learning feature to be able to include
its packages out of the box.
https://onedigi.atlassian.net/browse/DEL-8551
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This commit modifies the boot script condition to apply the overlay for MCA
based on HWID MCA field.
https://onedigi.atlassian.net/browse/DEL-8521
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This layer provides machine learning functionality, so include it in our
default layers so customers can use it out of the box if wanted.
https://onedigi.atlassian.net/browse/DEL-8551
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
NXP's machine learning packagegroup now has a dependency for gst-shark, a GPU
profiling tool which is provided by this layer. Since it's a part of a repo
that already exists in our manifest, simply add it to the default layers of all
i.MX platforms that support the machine learning feature to be able to include
its packages out of the box.
https://onedigi.atlassian.net/browse/DEL-8551
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Instead of depending on library releases in Pypi, update the recipe to compile latest
Github code. This allows to use minor fixes in DEY before a new release of the library
is available. While on it, set the 'SRCREV' to point to the last commit of the repository
for traceability.
Signed-off-by: David Escalona <david.escalona@digi.com>
Main development of the library will be done in Github. The Stash repository will be
used as a "security backup mirror", so update the recipe to always compile from Github.
Signed-off-by: David Escalona <david.escalona@digi.com>
This commits changes the CONFIG_CONSOLE_ENABLE_GPIO_NAME to be a string
and not an integer.
https://onedigi.atlassian.net/browse/DEL-8520
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
By default, the signing script generates a file without 'w'
permission so DEY cannot remove it from the deploy dir on
a clean operation.
Add the 'w' permission so that DEY can remove it on clean
operations and generate a new signed file when required.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Otherwise, the sw-description used for non-dualboot systems will be missing
these values and the software update process will fail.
https://onedigi.atlassian.net/browse/DEL-8513
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
We accidentally used "mx8mm" instead of "mx8mn" in commit
9b165196bb, which caused several elements to stop
working on the target (including the optee-os).
https://onedigi.atlassian.net/browse/DEL-8512
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
The tools STM32MP_KeyGen_CLI and STM32MP_SigningTool_CLI have
a dependency of libQt5Core.so.5 which is provided by qtbase.
Add this dependency to avoid errors during SDK generation.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
This commit disables the uSD mounting, due to issues
detected during the boot process when UBIFS starts
with the wear-leveling process to erase NAND blocks.
https://onedigi.atlassian.net/browse/DEL-8415
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
Sometimes, it may be desired that the DEY project does not sign the
artifacts, for example, if they are going to be externally signed on a
secure server. In this case, the user sets TRUSTFENCE_SIGN="0".
On STM platforms, all the variables were being set if TRUSTFENCE_SIGN="1"
and authentication support is not enabled on TF_A otherwise.
Set TF_A_SIGN_ENABLE (which adds authentication support to TF_A) always
for STM platforms (as long as the project inherits the trustfence class)
and set FIP_SIGN_ENABLE="0" if its sibling TRUSTFENCE_SIGN="0", so that
DEY doesn't sign the FIP image either.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
The FIP image is signed internally by this recipe. The password must be
set in FIP_SIGN_KEY_PASS. With the signing script, the password is
randomly generated and saved in key_pass.txt.
This prefunc obtains the password(s) from the file to set FIP_SIGN_KEY_PASS
so that the FIP can be properly signed.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
The root file system requires the public key to authenticate SWU files.
For NXP platforms, the public key is extracted from the certificate.
For STM platforms, simply copy the public key over to the rootfs.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
For the moment, do not sign aditional artifacts, such as the ramdisk,
the kernel or the boot scripts for STM platforms.
In the specific case of the ramdisk, simply copy it over with the
expected filename extension.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Several recipes depend on the PKI creation.
Create a small recipe to just run this function which
is moved from the trustfence.bbclass.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
dualboot and recovery recipes may require to use the keys so they must
depend on the recipe that installs the script that generates them.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
This script can be called stand-alone or from DEY.
Syntax is :
trustfence-sign-artifact.sh -p <platform> [-t input-unsigned-image> <output-signed-image>]
If files are omitted, it at least generates random keys if they do not
exist.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
The do_deploy:append did three things:
- adapt the U-Boot filenames to 'u-boot-<platform>-<config>.<ext>'
- sign/encrypt the U-Boot files (only for iMX6 family)
- sign the boot scripts
Convert the first two actions into functions (the third already was) and
call them conditionally as postfuncs.
Also skip the signing of U-Boot files if the platform is not based on
iMX6 family.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Certain platforms share a processor family but need to be differentiated
between them. DEY was using the variable DIGI_FAMILY as the SOM name
rather than the family. It becomes useful to have both (DIGI_SOM as the
more specific, and DIGI_FAMILY as the more generic).
This is the case, for example, of:
- ccmp1 (family)
- ccmp15 (SOM)
- ccmp13 (SOM)
- ccimx8m (family)
- ccimx8mm (SOM)
- ccimx8mn (SOM)
Both variables are used on the machine overrides.
Where DIGI_FAMILY was used, use now DIGI_SOM.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
This recipe downloads a tarball that contains the binaries:
- STM32MP_KeyGen_CLI
- STM32MP_SigningTool_CLI
from ST Microelectronics STM32CubeProgrammer v2.12.0.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
This is in preparation of using the same script name for different SOC
vendors (NXP and STM).
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Set TRUSTFENCE_DEK_PATH to "0" for CCMP1 (not using dek.bin), as if this
was disabled.
Set temporarily TRUSTFENCE_ENCRYPT_ENVIRONMENT to "0" for CCMP1 until
environment encryption is fully supported.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Dependencies of this recipe are run-time dependencies, not build-time.
While on it, move them to specific native/nativesdk recipe.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
This recipe builds the script (that depends on cst-tool) that is used to
sign the images. It's only run natively.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
The name of the variable was not very intuitive of what
it contains. This variable expands to the SoC vendor
(NXP or STM).
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Gabriel Valcazar
Arturo Buzarra
Javier Viguera
Mike Engel
David Escalona
Hector Palacios