This commit adds a retry to the swu_package_path function of
the recovery-initramfs-init script. It has been seen that
with some USB memory stick a retry is necessary to mount
the external storage device containing the SWU package.
If the SWU package file is found before the max retries
is reached the loop will be exited and the SWU installation
will start. If max retry is reached and the SWU package
wasn't found it finishes with an error.
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
https://onedigi.atlassian.net/browse/DEL-9908
In single boot layout the ccmp1 platforms have two UBI devices:
ubi0: Contains uboot_config_r, linux, and recovery.
ubi1: Contains rootfs, data, and update.
The regular expression used for the update partition needs
to be updated to include the ubi1 device, ensuring proper
handling of the update partition.
https://onedigi.atlassian.net/browse/DEL-9387
Signed-off-by: Francisco Gil francisco.gilmartinez@digi.com
This commit adds a compiler flag to remove certain options from the
recovery-utils, because some features rely on functionality that is
not supported by the CCMP1 platforms.
https://onedigi.atlassian.net/browse/DEL-9116
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
In legacy NAND platforms like the ccimx6ul, it's possible to use a single-MTD
configuration with dualboot disabled, which allows access to the functionality
provided by the recovery partition. However, the partition encryption feature
requires a multi-MTD configuation, so said feature shouldn't be accessible in
this case.
Prevent access to partition encryption in a single-MTD system by:
* Adding the "system" partition to the partition blacklist in both the
recovery-utils library and the recovery initscript.
* Checking the "singlemtdsys" environment variable before using any
functionality related to partition encryption.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Currently, when wiping the update volume via the recovery partition on a
ccimx6ul with singlemtdsys enabled, the procedure fails with this error:
[RECOVERY] Starting recovery...
[RECOVERY] Wipe 'update' partition requested
[RECOVERY] Formatting 'update' ubi volume
ubi0 error: ubi_open_volume.part.0: cannot open device 0, volume 3, error -16
ubiupdatevol: error!: cannot open "/dev/ubi0_3"
error 16 (Device or resource busy)
This is because the logic used to unmount a volume before formatting it is
expecting this entry format when running "mount":
ubi0:update on /mnt/update type ubifs
While this is the format of the "mount" output in userspace for the rootfs
volume, other trivial volumes have this format instead:
ubi0_3 on /mnt/update type ubifs
Adapt the logic to this format so that the "update" volume wipe procedure can
take place.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
We were using the .cfg suffix for both the build-time config fragments and the
runtime configuration file. During do_configure(), all files in SRC_URI ending
in .cfg were being merged together to create the final build configuration,
including said runtime file, which has a completely different syntax. In most
cases, the contents of this file were being ignored, but when tweaking
swupdate's configuration and re-building the package, sometimes strange errors
would prevent the build from finishing.
Change the runtime file's suffix entirely to separate it from the config
fragments and prevent it from being treated as such, and reflect the name
change in the defconfig and the recovery script.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Commit 7e81e706a1 modified the logic used to
determine if a NAND is using multi-MTD or single-MTD, but single quotes were
used in the grep pattern, which prevents the variable inside from expanding.
This makes the script always enter the single-MTD code path, even in multi-MTD
systems, which breaks partition formatting in these cases.
Replace the single quotes with double quotes so the variable can expand and the
condition can be properly checked.
https://onedigi.atlassian.net/browse/DEL-8773
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
The swupdate recipe installs by default a systemd service
and a socket to listen for updates coming from a web server.
DEY only makes use of such service during on-the-fly updates from Cloud
Connector web service.
The default swupdate service fails on images with TrustFence because it's
called with no arguments and there doesn't exist a configuration file.
This commit installs a default configuration file and, if TrustFence is
enabled, sets the parameter 'public-key-file' to point to the public
certificate to use to authenticate SWU packages.
While on it, it removes the same file from the recovery-initramfs recipe
that was the only recipe that was adding such config file for recovery
images only.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
The ccmp1 has two MTD partitions (UBI, UBI_2) with different system
volumes.
Previously, the fact of having two ubi devices was taken as proof of
being on a multi-MTD system (one that has one UBI volume per partition).
Instead, this commit reformulates the condition to having a partition of
the same name than the UBI volume.
For the case of the ccmp1, add a new for loop to iterate across any number
of UBI devices.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
There is a corner case in the cc6ul where the update from
recovery was failing.
If the u-boot variable rootfstype is set to squashfs u-boot
modify the bootargs adding "root=/dev/ubiblock1_0". The grep
of the command line was failing and detecting the device as
mmc and making the firmware update process fail.
Modify the grep to use the same system that we are using in
the update-firmware script.
Signed-off-by: Francisco Gil <francisco.gilmartinez@digi.com>
This variable is not defined in ccmp1 platforms, making the
swupdate for single mtd failing.
Instead of reading this variable from uboot environment,
determine if the system is multimtd checking the existence
of /dev/ubi1.
Signed-off-by: Francisco Gil <francisco.gilmartinez@digi.com>
The root file system requires the public key to authenticate SWU files.
For NXP platforms, the public key is extracted from the certificate.
For STM platforms, simply copy the public key over to the rootfs.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Several recipes depend on the PKI creation.
Create a small recipe to just run this function which
is moved from the trustfence.bbclass.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
dualboot and recovery recipes may require to use the keys so they must
depend on the recipe that installs the script that generates them.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Set TRUSTFENCE_DEK_PATH to "0" for CCMP1 (not using dek.bin), as if this
was disabled.
Set temporarily TRUSTFENCE_ENCRYPT_ENVIRONMENT to "0" for CCMP1 until
environment encryption is fully supported.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
The stand-alone signing script 'trustfence-sign-artifact.sh' checks
if a valid PKI tree exists (by checking the existance of four SRK
files) and if they don't, it calls trustfence-gen-pki.sh (which is
a wrapper over different generators (for HAB or AHAB) to create one.
Recipes such as 'dualboot' or 'recovery-initramfs' may need to call
openssl functions over the PKI tree. These recipes do not currently
generate the PKI tree; they expect it to be already in place.
This might not be the case if the trustfence-sign-artifact.sh script
has not been called yet.
Originally, a fake dependency on virtual/kernel recipe was made to
force it, but it doesn't quite work since the calling only happens
on deploy() while regular DEPENDS doesn't wait for this task.
If the PKI does not exist, a recipe that requires the PKI tree will
fail.
The solution is to create a function on the trustfence.bbclass that
allows any recipe to check for the existance of a PKI tree and
generate it if it doesn't exist. This is repeated inside the
trustfence-sign-artifact.sh, but it needs to be in both places
because this script must work stand-alone.
The generation of the PKI tree takes some seconds so this commit
adds a lock dir to prevent race conditions when called from
different recipes.
It also removes the fake dependency on virtual/kernel and adds a
dependency on trustfence-cst-native (which is the recipe that
provides the PKI generation tool).
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-8430
(cherry picked from commit 6a8bf7afff)
On systems with a single MTD system partition and multiple UBI
volumes, the initramdisk doesn't mount the 'update' partition
because mdev rules only trigger events for MTD partitions.
This commit adds a rule to trigger an event for every /dev/ubi0_x
(every UBI volume on ubi0 device) and call the new automount_ubi.sh
script. The script checks if the volume is called 'update' and if
so, it creates /mnt/update mountpoint and mounts the volume.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-8297
(cherry picked from commit df9c622b1bf0a7307c61deda12cf1f67d4f630f0)
(cherry picked from commit 8b8f9560af)
Add a new parameter '-i' to update-firmware to let the user
select a specific image_set of the sw-description file to
use during the swu update.
This allows adding different image_sets on the sw-description
and reduce the number of images to build. It also adds more
future-proof flexibility.
Signed-off-by: Tatiana Leon <Tatiana.Leon@digi.com>
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-8199
In previous line we are launching the mdev in daemon mode. One of the
first tasks the daemon mode performs is a cold scan, so there is no need
to repeat it afterwards.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
There is a problem when building the SDK because two binaries
have the same name (update-firmware) and makes the compilation
to fail.
Change the name to update-firmware.recovery and create a wrapper
over the update-firmware to check if the system is not dual boot
to call it.
Rework the code to make it more reliable.
Remove the umount of the alternative linux partition, now it is
not needed because only the active linux partition is mounted now.
Signed-off-by: Francisco Gil <francisco.gilmartinez@digi.com>
Now in the file descriptor we have three different names:
platform, primary and secondary.
Also a link from 'platform' to 'single' to keep backward
compatibility.
Signed-off-by: Francisco Gil <francisco.gilmartinez@digi.com>
As a result of the dualboot support we may end up with two
'update-firmware' commands in the rootfs. To prevent file name clashing,
we may need to install the recovery-utils update-firmware as
update-firmware.recovery, and then the current command mode check would
fail.
Relax the check, by just looking at the first character.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
The common license file GPL-2.0 is now called GPL-2.0-only in poky, so we need
to reflect this name change to avoid errors
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
The nand devices doesn't need to call the mount_cryptrootfs
script.
Reported-by: Francisco Gil <francisco.gilmartinez@digi.com>
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Since commit 11558352 ("swu-images: add "installed-directly" flag to
sw-description") the swu package images are streamed into the target without
any temporary copy to support devices with low memory available, that forces a
different order according with the swupdate documentation because scripts
should packed before the rest. This means that all the pre, post and shell
scripts will be executed after the images will be installed. This behavior
breaks the current support to mount the cryptorootfs node before install an
encrypted rootfs.
This commit moves the shell script to mount the cryptorootfs node to the
recovery initramfs and modifies the swupdate command line to call the shell
script before the images installation.
https://onedigi.atlassian.net/browse/CC8X-320
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Since we added support for compressing rootfs images, we need to manage SWU
packages with a regular rootfs image and with compressed images. That support
was missing in the identification process when the SWU packet was verified.
This commit fixes the identification of compressed rootfs images.
https://onedigi.atlassian.net/browse/CC8X-320
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
The latest version of psplash changed the default path to store the
communication FIFO with other processes to "/run" to allow keeping the
information between reboots, however we are using this tool from an initramfs
where "/run" does not exist, producing multiple errors trying to write to a
nonexistent path, delaying the update process.
This commit forces psplash to use an existing path like "/tmp" to handle the
communication FIFO, because we don't need to maintain the update information.
https://onedigi.atlassian.net/browse/CC8X-318
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
The latest version of psplash changed the default path to store the
communication FIFO with other processes to "/run" to allow keeping the
information between reboots, however we are using this tool from an initramfs
where "/run" does not exist, producing multiple errors trying to write to a
nonexistent path, delaying the update process.
This commit forces psplash to use an existing path like "/tmp" to handle the
communication FIFO, because we don't need to maintain the update information.
https://onedigi.atlassian.net/browse/CC8X-318
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Adapt the format_ubi_volume() function to wipe out UBI volumes
instead of formatting MTD partitions.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-7614
The function uboot_getenv() is a wrapper over libuboot_get_env() and
requires that the returned strings are freed when no longer in use.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-7645
(cherry picked from commit 27ce7a4f20)
- The function is only used internally in this file, so make it static.
- Convert the function from 'int' to 'bool', since no other values are
evaluated.
- Only return true if the variable 'dualboot' is set to 'yes'. Before,
the function returned true if 'dualboot' was different than 'no'.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
(cherry picked from commit 9a519570ba)
The use of this function, which is a wrapper over libuboot_get_env(),
requires checking if the returned string is NULL.
Manipulations of such string without checking whether it's NULL may lead
to segfault errors.
This was seen during firmware update on a device that didn't have the
'dualboot' variable set.
Reported-by: Chandrababu Pigilam <chandrababu.pigilam@digi.com>
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-7645
(cherry picked from commit 8a4484bbd6)
The function uboot_getenv() is a wrapper over libuboot_get_env() and
requires that the returned strings are freed when no longer in use.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-7645
- The function is only used internally in this file, so make it static.
- Convert the function from 'int' to 'bool', since no other values are
evaluated.
- Only return true if the variable 'dualboot' is set to 'yes'. Before,
the function returned true if 'dualboot' was different than 'no'.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
The use of this function, which is a wrapper over libuboot_get_env(),
requires checking if the returned string is NULL.
Manipulations of such string without checking whether it's NULL may lead
to segfault errors.
This was seen during firmware update on a device that didn't have the
'dualboot' variable set.
Reported-by: Chandrababu Pigilam <chandrababu.pigilam@digi.com>
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-7645
This commit add a verification into the recovery library to avoid
that it is executed when in dualboot mode.
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
https://onedigi.atlassian.net/browse/DEL-7580
(cherry picked from commit 30aa4a7444)
This commit add a verification into the recovery library to avoid
that it is executed when in dualboot mode.
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
https://onedigi.atlassian.net/browse/DEL-7580
'mdev -s' run on ramfs initialization is able to mount external media already
detected but fails to automatically mount any media detected afterwards.
Running it as a daemon first it will also be able to mount any media detected
after 'mdev -s' is run.
Use argument '-d' to first run mdev as daemon in background.
Move 2 seconds delay to after mdev has been initialized to give external
hardware all the time possible to be successfully detected and mounted.
https://onedigi.atlassian.net/browse/DEL-7285
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
Mike Engel
Francisco Gil
Hector Palacios
Isaac Hermida
Gabriel Valcazar
Tatiana Leon
Javier Viguera
Arturo Buzarra
Gonzalo Ruiz