This commit fixes u-boot Trustfence naming for signed and
encrypted images used in the installation script removing
the a duplicated dash in the u-boot name.
https://onedigi.atlassian.net/browse/DEL-8271
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
Add a check on the existence of the "temp-fitimg-loaded" environment
variable before setting it. It is needed, as with encrypted FIT images,
we need to decrypt them before accessing the boot script. In such cases,
u-boot sets that variable to "no" so the boot script does not override it,
and the FIT image is loaded again before the final boot to the OS.
https://onedigi.atlassian.net/browse/DEL-8945
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
The signing tools have a dependency of libQt5Core.so.5, which implies that this
library must to be installed on the native PC. This commit includes all the
required shared libraries for the signing tools inside the own package to avoid
external dependencies. With this change there is not needed any more the qtbase
dependency at build time.
Package version has been bumped to 1.2.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
- For Qualcomm QCA65x4 platforms:
Add support to create the 'World' board data file for the QCA65x4 Wi-Fi
chip to operate on World regulatory domain.
Kernel wireless driver already supports selecting the correct file based
on the configured Regulatory Domain via Kernel command line argument
'wlan.regdmn', which allows the following parameters:
* "US", for U.S.A. (default)
* "World", for worldwide
- For Murata type2AE platforms:
Add World CLM blob file for the wireless interface and JRL hcd file for
the Bluetooth interface. Also add the autocountry ininitialization script
and systemd service.
World CLM blob file:
- cyfmac4373-sdio_World.clm_blob (1abe7f3fa86d4123b0586cbbf0ec91ac)
Kernel wireless and bluetooth drivers already support selecting the correct
files based on the configured Regulatory Domain via Kernel command line
arguments 'brcmfmac.regdmn' and 'btbcm.regdmn' respectively, which allow the
following parameters:
'brcmfmac.regdmn':
* "US", for U.S.A. (default)
* "World", for worldwide
'btbcm.regdmn':
* "FCC.CE", for U.S.A., Europe and the rest of the world (default)
* "JRL", for Japan
https://onedigi.atlassian.net/browse/DEL-8905
Co-authored-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Different mechanisms are used to sign FIT images on the ccmp1 platforms and the
ccimx93, and we manage each mechanism via a different variable. The variable
names don't really reflect which platform they affect, which makes maintenance
harder.
Rename the variables so that it's easier to identify the platforms/vendors they
affect:
* Replace TRUSTFENCE_FIT_IMG with TRUSTFENCE_SIGN_FIT_STM
* Replace TRUSTFENCE_SIGN_FIT_ARTIFACT with TRUSTFENCE_SIGN_FIT_NXP
Don't rename TRUSTFENCE_FIT_IMG_SIGN_KEYNAME
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Unless we have a use case in which we need to apply these fragments separately,
we can merge them both into a single fragment.
https://onedigi.atlassian.net/browse/DEL-8946
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This logic was fixed in commit e915a14b4b, so we
no longer have to manually copy the bootscript to generate FIT images.
https://onedigi.atlassian.net/browse/DEL-8946
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
We rely on FIT support to implement boot artifact authentication on ccmp1
platforms, but our implementation made it impossible to enable FIT support
outside of the context of Trustfence/secure boot.
Change this so that it's possible to enable FIT support without having to sign
the FIT artifacts. Also, modify the linux-dey 5.15 recipe so that the U-Boot
DTBs with signatures get copied only when FIT signing is enabled.
https://onedigi.atlassian.net/browse/DEL-8946
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This commit updates the required firmware binaries for Bluetooth and Wireless
interfaces, hostapd and wpa_supplicant recipes based on the Cypress Linux WiFi
Driver (FMAC) release v5.15.58-2023_1128 (Wireless firmware v13.10.246.334).
This change also includes a custom defconfig file for the hostapd and
wpa_supplicant recipes including the changes from the patches and the Digi
customizations.
Also are updated the Murata firmware repositories to match with the latest
Murata release imx-kirkstone-hedorah_r1.0, which is based in the same Cypress
Linux Wifi Driver release v5.15.58-2023_1128.
https://onedigi.atlassian.net/browse/DEL-8667
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
The standard string split() function does not support splitting a string
by spaces but preserving quoted strings, so it does not work for build
options disabling functionality, as they have this format:
"# CONFIG_OPTION is not set"
On the other hand, the "shlex" module provides a split function that
allows splitting strings by spaces and, at the same time, preserves
quoted strings.
In Trustfence, we need this functionality to disable default options that
would allow the booting of non-authenticated images.
https://onedigi.atlassian.net/browse/DEL-8704
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Other recipes may access SYSROOT_DIRS content by adding a dependence
on do_populate_sysroot.
We need this specific directory for the kernel fitImage support.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
This update fixes an initialization issue with devices without HWID programmed.
https://onedigi.atlassian.net/browse/DUB-1066
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit fixes a build issue when this script is installed but not shipped
in the u-boot-tools package.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Not only install the US but all the FW files.
Apart of that, some scripts need a little adjustement such as:
* Modify the BT baudrate to 3Mbps for EU power configuration, as it is the
baudrate used by the btnxpuart driver.
* Replace the way to reset the interface on each hcitool command to
avoid missleading BT behaviour.
https://onedigi.atlassian.net/browse/DEL-8458
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
This commit implements the support to sign the different memory configurations for
the CCMP1 platforms, when trustfence is enabled, using FIT images.
https://onedigi.atlassian.net/browse/DEL-8752
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit implements the support to allow different memory configurations for
the CCMP1 platforms, adding support to 512MB and 1GB memory variants for the CCMP15.
https://onedigi.atlassian.net/browse/DEL-8752
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Command 'bootz' allows boot unsigned Linux zImages, so disable it when secure
boot is enabled using FIT images.
https://onedigi.atlassian.net/browse/DEL-8769
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Replace the US-only default CLM blob with the latest one, generated by
Infineon based on the results from Digi Certification of the CCMP1.
New file:
- cyfmac4373-sdio_US.clm_blob (92225a8bccf0c7c9d7df6cdd64670fa1)
https://onedigi.atlassian.net/browse/DEL-8598
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
Some minor fixes:
* return error code if installation fails
* cosmetic: update comment with options
* just exit after error and do not execute boolimit command
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
Murata provides this FW recipe for the infineon chip on the ccmpx products.
Now we are going to have more FW provided by Murata, but for other chips
which recipe is completely different.
Therefore, rename the recipe to explicitily indicate the FW it provides.
https://onedigi.atlassian.net/browse/DEL-8458
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
Up until recently, we were only generating dey-image-qt images for the
ccimx93-dvk. Now that we are generating dey-image-lvgl images as well, make
sure to print the helper message to set image-name when installing said images.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
One of the conditions used to determine the U-Boot file was missing its
terminator, breaking the script.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
New AR6233 chips from Qualcomm require a power reduction in the 2.4GHz
band to maintain a good EVM.
Generate new board data files with this optimized target power
configuration, but do not replace the original board data files so this
change does not affect CC6 modules with the original AR6233 chip.
The new AR6233 will be populated in modules with Hardware Version=6 or
higher. Load one board data file or the other based on the Hardware
Version field of the HWID via a post-installation script.
Board data files with optimized TX Power ('b' files):
- Digi_6203-6233-US_b.bin (MD5SUM: 53db0fba1eea22d5c7248b35669234bd)
- Digi_6203-6233-World_b.bin (MD5SUM: 307ea9e9364c46a243a36124c92cddc2)
- Digi_6203_2_ANT-US_b.bin (MD5SUM: 741f69584f43258ec15bfccaebdb8896)
- Digi_6203_2_ANT-World_b.bin (MD5SUM: 9f89d081aaef7f26292d42ad193c188d)
https://onedigi.atlassian.net/browse/DEL-8851
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
An additional line was added to a comment block without the '#' character,
resulting in the following error when running the script:
Unknown command '-' - try 'help'
Nonetheless, this error is harmless and the script continues as expected, which
is the reason why we hadn't found it until now.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
In case a HWID is not set or the variant is unknown, do not set it to a default
U-Boot file but ask the user for the proper file.
This case should not happen, but cover it for safety.
https://onedigi.atlassian.net/browse/DEL-8855
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
libubootenv treats negative offsets as backwards offset from the end of
the block device, so use that to move the environment to the last 16KiB
of the hardware boot partitions.
https://onedigi.atlassian.net/browse/DUB-1064
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
With the update of the ethos-u firmware for the NPU in previous commit,
this overlay is no longer required.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
The LEGACY_IMAGE_FORMAT defaults to 'y' if there is no FIT
support, which happens after applying the default configuration.
Then, the FIT support is added in a config fragment, but the
LEGACY_IMAGE_FORMAT is not disabled.
Disabling this is recommended to avoid the possibility to boot
unsigned legacy images.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
The U-Boot bootscript loads the fitImage into RAM memory to run
this bootscript. This bootscript ends up calling 'dboot' command
to run the FIT default configuration.
To avoid 'dboot' re-loading again the fitImage into RAM memory,
set this temporary variable that will be immediately reset
by 'dboot'.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
This commit adds several overlays for DVK v2 and modifies the boot script to apply it
based on the board_version variable.
https://onedigi.atlassian.net/browse/DEL-8746
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit adds signed FIT image support for the CCMP1
platforms when using Trustfence.
https://onedigi.atlassian.net/browse/DEL-8591
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
During firmware install, the target may be reset several times.
We don't want the bootcount to count these as boot attempts.
This was done in a791bb4463 for the ccmp1
but not for the rest of platforms.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
(cherry picked from commit 961acf48de)
Improve boot attempts message showing not only the current boot attempt
but also the limit:
(boot attempt 1/3)
Print the message only when the bootcount mechanism is active, i.e. when
the bootlimit is defined (not zero), and when bootcount is > 0.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DUB-1056
(cherry picked from commit 918a9caf1d)
Use the intention of installing dual boot firmware as a condition to set
bootlimit=3 so that the bootcount mechanism is enabled.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DUB-1058
During firmware install, the target may be reset several times.
We don't want the bootcount to count these as boot attempts.
This was done in a791bb4463 for the ccmp1
but not for the rest of platforms.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Improve boot attempts message showing not only the current boot attempt
but also the limit:
(boot attempt 1/3)
Print the message only when the bootcount mechanism is active, i.e. when
the bootlimit is defined (not zero), and when bootcount is > 0.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DUB-1056
The STM signtools are precompiled binaries with a fixed RPATH to look for
dynamic libraries.
When the binaries are installed to the regular ${bindir} (either native or
nativesdk), additional toolchain libraries in the regular ${libdir} folder
confuse the binaries, resulting in segmentation faults when running them
or missing symbols.
The package has been reworked to place the directory structure expected
by the binaries, in a subfolder "stm" within the ${bindir}.
Two wrapper scripts with the names of the binaries (STM32MP_KeyGen_CLI and
STM32MP_SigningTool_CLI) have been created to run the binaries in the new
subfolder.
Package version has been bumped to 1.1.
While on it, remove the 'do_install' from trustfence-stm-signtools.inc
which is not needed because the 'bin_package' class already provides the
same functionality.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-8720
The STM signtools are precompiled binaries with a fixed RPATH to look for
dynamic libraries.
When the binaries are installed to the regular ${bindir} (either native or
nativesdk), additional toolchain libraries in the regular ${libdir} folder
confuse the binaries, resulting in segmentation faults when running them
or missing symbols.
The package has been reworked to place the directory structure expected
by the binaries, in a subfolder "stm" within the ${bindir}.
Two wrapper scripts with the names of the binaries (STM32MP_KeyGen_CLI and
STM32MP_SigningTool_CLI) have been created to run the binaries in the new
subfolder.
Package version has been bumped to 1.1.
While on it, remove the 'do_install' from trustfence-stm-signtools.inc
which is not needed because the 'bin_package' class already provides the
same functionality.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-8720
Some platforms do not support signing external artifacts (kernel, dtb,
etc.) yet, so we need to decouple the signing of the bootloader from the
signing of the external artifacts.
This commit generalizes the code, so instead of having platform exceptions
scattered along the recipes, we create a new variable used conditionally
to sign or not the external artifacts.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
This version supports i.MX8ULP and i.MX9x devices.
NOTICE: changed the "srk_ca" parameter in ahab_pki_tree.sh from "yes" to
"no". This script is shared between cc8x and ccimx93. The imx93 does not
support that option at the moment (generation of subordinate SGK certs)
and for the cc8x we were generating them but never used them to sign
the artifacts.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Merge the patches for the PKI tree generation scripts, to ease
maintenance (still keeping two separate patches for HAB4/AHAB).
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
If the default r/w rootfs is not found it will try to do a
fallback to the squashfs image.
In the nand devices additionally we need to set the rootfstype
to squashfs.
https://onedigi.atlassian.net/browse/DEL-8638
Signed-off-by: Francisco Gil <francisco.gilmartinez@digi.com>
When booting from a microSD, the variable 'boot_device' is
set to "mmc". Check this to fall back to booting Linux from
the microSD partitions.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Until now, for dualboot systems, all boot variables were calculated on each boot depending on the value of the
'active_system'. These variables are used to boot the device but were not saved, which could lead to a missmatch
between their value in the environment and their required values to correctly boot the system. This commit
simplifies a bit the variables calculation and adds a block to synchronize their value in the environment.
Signed-off-by: David Escalona <david.escalona@digi.com>
All the 'altboot' script functionality has been moved directly to the 'altbootcmd' command
in U-Boot, so this script is no longer necessary. Remove it for all platforms.
https://onedigi.atlassian.net/browse/DEL-8674
Signed-off-by: David Escalona <david.escalona@digi.com>
The install scripts from SD/USB use a fixed image name.
If you are trying to install a different image you need to set
the env variable 'image-name' first.
Add a helper message if default files are not found to
avoid needing to go to the documentation.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
During firmware install, the target may be reset several times.
We don't want the bootcount to count these as boot attempts.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
The 'bootcount' value is now incremented and stored in the system on every boot and
not only then the 'upgrade_available' flag is set. Also, ensure the value is cleared
when the 'altboot' script is executed by running the new U-Boot command 'bootcount reset'.
https://onedigi.atlassian.net/browse/DEL-8506
Signed-off-by: David Escalona <david.escalona@digi.com>
When TrustFence is enabled, a PKI tree is generated.
In the case of NXP platforms, the PKI contains public certificates
from which the public key needs to be extracted using an openssl
command.
In the case of STM platforms, the PKI contains directly the
public key.
In all cases, we need the public key to be installed in the
rootfs /etc/ssl/certs/ folder, so that it can be used by
swupdate to authenticate signed SWU packages.
Up to now, this was being done on the dualboot recipe, but the
installation of the public key should really be only dependant
on the fact of TF being enabled.
This commit:
- Removes the generation of the public key from dualboot.bb.
- Generates a patch to extract the public key from the certificate
as part of the PKI tree generation (on NXP platforms).
- Installs the public key during a post install function after
the final rootfs has been created.
- For NXP platforms, extracts the public key using openssl if
it does not exist (for backwards compatibility).
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
When booting from recovery sdcard, in the imx93 the dualboot is yes by
default, so the mmcroot variable was not set correctly for the uSD.
If we boot from uSD, just assume all the system is in the uSD card, whether
it is a recovery system or a prepared uSD card for demo.
https://onedigi.atlassian.net/browse/DEL-8461
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
Starting at kernel 6.1, the maxim98088 driver has been migrated
from the old imx-max98088.c driver to NXP’s new audio framework
fsl-asoc-card.c.
Update the sound stuff to match the new audio card and some of
the new controls.
https://onedigi.atlassian.net/browse/DEL-8596
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
This includes NXP's code from the SCFW porting kit v1.15.0, support for
variants with 4 GiB of RAM and a fix for an issue when resuming from suspend.
https://onedigi.atlassian.net/browse/DEL-8604
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This commit adds support for environment encryption/decryption of the
u-boot environment on the CCMP1 platform in Linux.
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
Regulatory domain is now provided as a Kernel parameter, and the
wlan driver uses it to select the correct BDF file, so we don't
need to change the symbolic links to point to one file or another
anymore.
https://onedigi.atlassian.net/browse/DEL-8360
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
We can't run a post installation script in a readonly file system.
We need to provide a configuration file beforehand.
https://onedigi.atlassian.net/browse/DEL-8556
Signed-off-by: Francisco Gil <francisco.gilmartinez@digi.com>
We no longer need logic to determine the SOM's RAM size and bus width, we only
need to know the SOC revision, which is info that is always available.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Now that both U-Boot and the SCFW can autodetect the RAM configuration, we can
simplify the imx-boot build process to generate two binaries (one per SOC
revision) instead of eight. Build "flash_spl" imx-boot images and use only one
global defconfig for u-boot.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This update includes automatic RAM configuration detection, and only one SCFW
binary is needed for all ccimx8x variants. Adapt the imx-boot recipe
accordingly.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
For the ccimx8x, we changed the order of the steps in do_deploy() from:
Deploy -> Rename files -> Move binaries
To:
Deploy -> Move binaries -> Rename files
When it's time to rename the files, they won't be in their original place and
the process will fail. Make sure we move the files after they've been renamed
to avoid errors.
Also, one move operation is enough for all artifacts, so remove the second
operation.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
There are two different firmware files for Bluetooth on Murata's type2AE
module:
- JRL: It configures a Bluetooth TxPower of 7dB, to be used in Japan
only.
- FCC.CE: It configures a Bluetooth TxPower of 5dB, to be used in the
rest of the world.
To comply with the FCC requirement that it should not be possible to
configure different regulatory domains, or in this case configurations,
than FCC, only deploy the FCC.CE file by default:
- BCM4373A0_FCC.CE.hcd (md5sum: 1e287a3ab7f83e59352cb321315ea80f)
This file reports the following information during boot time:
Bluetooth: hci0: 89373 UART 37.4 MHz wlbga_BU sLNA muRata Type 2EA 5dBm 20220608-0103
Bluetooth: hci0: BCM4373A0 (001.001.025) build 0155
JRL file will be added via the Worldwide DEY patch addon that customers
can request from Digi.
https://onedigi.atlassian.net/browse/DEL-8453
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
Replace the CLM blob file from Github, which supports several countries
with a custom US-only CLM blob file. This way, default images will only
have support for US regulatory domain, therefore complying with FCC
requirements.
The Worldwide CLM blob file will be provided by Digi International on
request.
https://onedigi.atlassian.net/browse/DEL-8453
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
We can't run a post installation script in a readonly file system.
We need to provide a configuration file beforehand.
https://onedigi.atlassian.net/browse/DEL-8556
Signed-off-by: Francisco Gil <francisco.gilmartinez@digi.com>
This commit modifies the boot script condition to apply the overlay for MCA
based on HWID MCA field.
https://onedigi.atlassian.net/browse/DEL-8521
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
The tools STM32MP_KeyGen_CLI and STM32MP_SigningTool_CLI have
a dependency of libQt5Core.so.5 which is provided by qtbase.
Add this dependency to avoid errors during SDK generation.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
For the moment, do not sign aditional artifacts, such as the ramdisk,
the kernel or the boot scripts for STM platforms.
In the specific case of the ramdisk, simply copy it over with the
expected filename extension.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
The do_deploy:append did three things:
- adapt the U-Boot filenames to 'u-boot-<platform>-<config>.<ext>'
- sign/encrypt the U-Boot files (only for iMX6 family)
- sign the boot scripts
Convert the first two actions into functions (the third already was) and
call them conditionally as postfuncs.
Also skip the signing of U-Boot files if the platform is not based on
iMX6 family.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Certain platforms share a processor family but need to be differentiated
between them. DEY was using the variable DIGI_FAMILY as the SOM name
rather than the family. It becomes useful to have both (DIGI_SOM as the
more specific, and DIGI_FAMILY as the more generic).
This is the case, for example, of:
- ccmp1 (family)
- ccmp15 (SOM)
- ccmp13 (SOM)
- ccimx8m (family)
- ccimx8mm (SOM)
- ccimx8mn (SOM)
Both variables are used on the machine overrides.
Where DIGI_FAMILY was used, use now DIGI_SOM.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
This recipe downloads a tarball that contains the binaries:
- STM32MP_KeyGen_CLI
- STM32MP_SigningTool_CLI
from ST Microelectronics STM32CubeProgrammer v2.12.0.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
The name of the variable was not very intuitive of what
it contains. This variable expands to the SoC vendor
(NXP or STM).
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Commit 065cf3e9 ("kirkstone migration: general update to the new override
syntax") incorrectly renamed binaries in a massive change. This commit restores
the binary names to the original.
https://onedigi.atlassian.net/browse/DEL-8478
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
These are recipes we created to support Google Coral on i.MX platforms. ST's
machine learning layer provides similar recipes, so to avoid conflicts, move
the recipes meant for i.MX platforms to a dynamic layer.
https://onedigi.atlassian.net/browse/DEL-8308
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
The HWID is populated on the device tree by the boot loader.
This can be used as a key modifier when encrypting the U-Boot
environment. Some old U-Boot versions however, did not populate
the HWID on the device tree. When updating firmware from an
old version to a new one, the library may not be able to read
the HWID from the DT and then be unable to unencrypt the
environment.
This patch implements a fall-back function to read the HWID
directly from the nvmem node (sysfs). Implementation has been
done for ccimx6 family only, where this case of old U-Boot
can happen.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-8444
(cherry picked from commit 222a91f213)
The HWID is populated on the device tree by the boot loader.
This can be used as a key modifier when encrypting the U-Boot
environment. Some old U-Boot versions however, did not populate
the HWID on the device tree. When updating firmware from an
old version to a new one, the library may not be able to read
the HWID from the DT and then be unable to unencrypt the
environment.
This patch implements a fall-back function to read the HWID
directly from the nvmem node (sysfs). Implementation has been
done for ccimx6 family only, where this case of old U-Boot
can happen.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-8444
This commit modifies the boot script condition to apply the overlay for DVK v1
on boards without the board_version variable defined.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit adds an overlay for DVK v1 and modifies the boot script to apply it
based on the board_version variable.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Partitions 'fip-a' and 'fip-b' are redundant at the moment. They are
not currently part of the dualboot system. In consequence, program
both partitons unconditionally during the install process.
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
This commit updates the required firmware binaries for Bluetooth and Wireless
interfaces, based on the Murata release imx-kirkstone-fafnir_r1.0 that matches
with the Cypress Linux WiFi Driver (FMAC) release v5.15.58-2023_0222 (Wireless
firmware v13.10.246.300)
https://onedigi.atlassian.net/browse/DEL-8407
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
True is the default since long time ago, and thus not necessary. This
follows similar changes done in other layers.
Command used:
sed -e 's|\(d\.getVar \?\)( \?\([^,()]*\), \?True)|\1(\2)|g' -i $(git grep -E 'getVar ?\( ?([^,()]*), ?True\)' | cut -d':' -f1 | sort -u)
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Set parameter 'greentxConfig__0_0=0x2' to use the optimal TxPower
in MCS7 data rates, improving performance.
Also, adjust maximum TxPower in the 5GHz band to account for
output power tolerances.
The new BDF is:
- bdwlan30_US.bin (53072f8af541a49e4ed9c22698b1912f)
https://onedigi.atlassian.net/browse/CC6UL-1302https://onedigi.atlassian.net/browse/DEL-8364
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
Number of bootup logos is now configured using fbcon=logo-count parameter,
so use it instead of our deprecated custom code in the kernel.
For backwards compatibility, we add this parameter in the u-boot boot
script for all platforms but the ccimx93, where this is directly handled
by u-boot (v2022.04).
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
This reverts commit 2bdfdc92e1.
This suffix was removed on error. The artifact does have the suffix.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
This variable was removed from meta-st-stm32mp so we need to get rid of it
in meta-digi, too.
Reported-by: Javier Viguera <javier.viguera@digi.com>
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-8268
Rework the "build_uboot_scripts" to prevent changing the templates in
the WORKDIR, as those are part of the SRC_URI. Instead, change the
deployed scripts by using "sed" and redirection.
Also, removed UBOOT_HAS_FASTBOOT altogether, as there is no platform
that does not support fastboot.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Instead of overriding the whole do_compile function, just to reconfigure
u-boot for Trustfence, create a do_configure pre-function that takes care
of that. This allows the removal of duplicated code.
Also, disable the generation of u-boot environment artifacts. We are
not using them and so many u-boot artifacts in the deploy directory
are confusing.
Finally, adjust the names of the TF u-boot artifacts in the do_deploy
append function.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
These are just a verbatim copy of the ccimx8mm ones, so the project is
buildable. This file list should be revisited and adapted for the
ccimx93.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Add configuration 'BUILD_UBOOT_SCRIPTS' to select whether to build the
boot and install scripts or not, and set it to 'true' by default.
This allows removing the scripts on upper Yocto layers.
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
All the dualboot logic will be checked in run time.
To do this:
* Include the altboot.src by default in all the images
* Create a post installation script to change the
firmware_download_path in the cloud connector
* Unify the swupdate file descriptor for dual and single boot
Signed-off-by: Francisco Gil <francisco.gilmartinez@digi.com>
Increase the timeout from 90 to 120s since it's a large image
and it may take more time on different NANDs.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
The U-Boot environment resides on a UBI volume. The uuu script
relies on the environment to save part of the commands that
U-Boot needs to execute after reboot in the middle of the
installation. If the UBI volume 'uboot_config' does not exist
the installer fails.
This commit:
- Creates a function -on the uuu script only- for obtaining
the result of running any U-Boot command (0=success, 1=error).
- Checks the existance of 'uboot_config' volume.
- Runs 'ubivolscript' script to create the UBI volumes layout
that generates the environment volume if it doesn't exist.
- Increases the timeout for running the 'ubivolscript' since
there are occasions in which 'ubi part' (which is part of the
script) takes more time (if it cannot find the fastmap).
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
By default ccmp1 platforms have dualboot mode by default, however the required
boot script was added to ccmp15 platform only, so this commit fixes it.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
The first time the 'dualboot' variable is tested it is directly run in
the script and doesn't need to escape the special characters.
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
When Dual Boot is not enabled, 'rootfsvol' variable must point to the
single boot system rootfs partition 'rootfs'.
Explicitly set this value. Otherwise the script relays on the default
rootfsvol value, which may be a Dual Boot partition.
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
- create dualboot.bbclass that
- sets DUALBOOT_ENABLED variable
- defines partition names and function for changing the sw-description
for swupdate
- move files from layer into meta-digi
https://onedigi.atlassian.net/browse/DEL-7962
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Signed-off-by: Francisco Gil <francisco.gilmartinez@digi.com>
On the CCMP1 SOMs, we only consider a single system partition called UBI,
with many UBI volumes.
The variable 'singlemtdsys' allowed to change between this and
a system with multiple MTD partitions with one UBI volume each
(old approach on CC6UL).
This commit removes the variable and uses the logic as if it was set.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Use the latest 2AE NVRAM file from the master branch. This file improves
the EVM performance for the 2AE murata module.
MD5SUM:
- cyfmac4373-sdio.2AE.txt: 6301804650847946c79797387eda9c7a
https://onedigi.atlassian.net/browse/DEL-7936
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
This commit adds Bluetooth Vulnerability CVE-2019-9506
resolution to the firmware file.
CVE-2019-9506 is a Bluetooth key negotiation vulnerability.
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
https://onedigi.atlassian.net/browse/DEL-7134
Co-authored-by: Javier Viguera <javier.viguera@digi.com>
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Reset the FW files to release r00006.3.470144.2a
Verbatim copy of the recipes in DEY-3.2, using command:
git restore -s dey-3.2/master -- meta-digi-arm/recipes-bsp/firmware-qualcomm
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
For the CC6UL 1GB flash variant, the programming of the rootfs exceeds
the current 90 secs timeout, giving following failure:
[Bulk(R):LIBUSB_ERROR_TIMEOUT] fb[-t 90000]: ucmd update rootfs ram ${fastboot_buffer} ${fastboot_bytes} -e
Error: Bulk(R):LIBUSB_ERROR_TIMEOUT
Increase the timeout to prevent the failure.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
As that's an old VM with limited specs, there is no much gain on using
it over the canonical Stash repositories that justifies the code
overhead and the possible errors due to synchronization problems.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
This commit updates the required firmware binaries for bluetooth and wireless
interfaces, based on the release imx-hardknott-drogon_r1.0 (Wireless firmware
v13.10.246.265)
https://onedigi.atlassian.net/browse/DEL-8021
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
The recipe fails to build for the target, but that is expected, as this
is a tool you need to run in the host or from the toolchain/SDK, so
rework the recipes to restrict only for native and nativesdk.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Yocto 4.0 only supports OpenSSL 3.0.x while NXP's CST (code signing
tool) is still using OpenSSL 1.1.x. So the build fails when using the
Yocto-build OpenSSL. Instead, build OpenSSL 1.1.1 as part of the build of
the CST and link statically against libcrypto, so the resulting binaries
(cst, srktool) do not depend on any specific OpenSSL version installed
on the development computer.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
In order to perform the standalone signature process, it was required
to rebuild the Toolchain with Trustfence support enabled.
CST source code is now available for downloading in the Digi FTP, so add
Trustfence sign scripts and cst/srktool to the default toolchain for it
to be used for standalone signature without rebuilding.
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
(cherry picked from commit 2c9b721fb9ce38dcd0034e22d95db6e0ee068955)
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
(cherry picked from commit 16eded4f0edcc603de83be7155f7c09718ba5ddd)
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
This commit updates the wireless firmware in order to work with the new Linux
qcacld-3.0 wireless driver.
Latest release "r10016.1 - Post-CS3 1.0.016.1" updates the following files from
"qca6574au-le-2-2-1_qca_oem" product branch:
PCIe:
- athwlan.bin (b4fd36922625b7303d006581f6c7cd10)
- utf.bin (0d70048214fea05d1c40b3034e8107cd)
SDIO:
- qwlan30.bin (342cb50ce5c6ff930a65f341c0dfbc77)
- utf30.bin (f94810be89cc2f3e979ab4a57243872b)
https://onedigi.atlassian.net/browse/DEL-7916
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This recipe will download and install the required firmware binaries for
bluetooth and wireless interfaces. This recipe is based on the release
imx-hardknott-cynder_r1.0 (Wireless firmware v13.10.246.261)
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Mike Engel
Javier Viguera
Arturo Buzarra
Gabriel Valcazar
Gonzalo Ruiz
Isaac Hermida
Hector Bujanda
Hector Palacios
Francisco Gil
David Escalona
Tatiana Leon