Add a variable analogous to TRUSTFENCE_SIGN to enable/disable artifact
encryption. Deprecate TRUSTFENCE_DEK_PATH in favor of TRUSTFENCE_KEYS_PATH to
use a more generic name and avoid overloading it as an on/off flag. Add per-key
variables for encryption key filenames to avoid hardcoded names and allow
platform overrides.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>

Remove obsolete SD card image creation logic and related variables. We
will use WIC images for bootable SD cards.
https://onedigi.atlassian.net/browse/DEL-9768
Signed-off-by: Javier Viguera <javier.viguera@digi.com>

Notice that we need to create u-boot and imx-boot symlinks in the deploy
directory, as they are required for the bootloader of the wic images.
https://onedigi.atlassian.net/browse/DEL-9768
Signed-off-by: Javier Viguera <javier.viguera@digi.com>

Different platforms use different Cortex-M processors, so instead of
using the M4_DEFAULT_IMAGE_MX95 (as meta-imx does) for an M7 processor,
generalize to the CORTEXM_DEFAULT_IMAGE variable name. Also, move it
to the imx-boot recipe (where it is used) and deploy that image to
the imx-boot-tools directory, so the imx-boot image can be regenerated
externally (without yocto).
https://onedigi.atlassian.net/browse/DEL-9768
Signed-off-by: Javier Viguera <javier.viguera@digi.com>

Add support for the ccimx95 and reorganize the recipe so that all machine
patches are applied for the DEY distribution, regardless of the build
target.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>

On NXP platforms, the signed/encrypted bootloader images are not
included on the installer ZIP. This prevents using the installer
when TrustFence is enabled.
This commit adds to the installer:
- If encryption is enabled
  - encrypted bootloader
  - signed bootloader (for USB recovery boot)
- If encryption is disabled
  - signed bootloader
- If TrustFence is disabled
  - non-signed bootloader
It also treats the ccimx6ul specially, as this has a dedicated file for
USB recovery boot.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-9698

* Set the OP-TEE base address to 0x7e000000 (32MiB below the first gigabyte
of DDR).
* Update the ATF and OP-TEE memory maps to support up to 4GiB DDR.
This ensures OP-TEE runs reliably across all ccimx8mm memory configurations.
https://onedigi.atlassian.net/browse/DEL-9502
Signed-off-by: Javier Viguera <javier.viguera@digi.com>

imx-boot includes the 'imx-mkimage_git.inc' from meta-freescale, so
redefine the SRCBRANCH and SRCREV for every platform in the bbappend.
https://onedigi.atlassian.net/browse/DEL-9417
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>

Our distribution is Digi Embedded Yocto (DEY), so use that to mark the
upstream status of the patches in our layer.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>

The way tagged imx-boot images are handled in meta-freescale was changed in
commit 161f1b3e69a3cf011a50e9b742fb8c46d61e41e8. Reflect this in our recipe by
using the same overrides as uuu_bootloader_tag.bbclass to disable the
functionality.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>

This variable was removed from the base imx-boot recipe in meta-freescale
commit c30f12b809a8cf36043b42c67dd8a11f69d9cf77, as it was never being
overridden and always had a value of "imx-boot".
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>

In meta-freescale commit 4d64dde1686a017ebe2763dd7880563a6fc51b53,
compile_mx8m() was modified to account for possible configuration suffixes in
the dtb filename via the creation of a symlink. In our case, the filename is
the same as the target, causing the dtb to get replaced with a dead symlink.
For now, revert this function to how it was in the kirkstone branch of
meta-freescale to avoid this.
https://onedigi.atlassian.net/browse/DEL-9011
https://onedigi.atlassian.net/browse/DEL-9081
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>

Since our recipes handle native builds differently, port the latest version
of the recipes from meta-freescale to our layer while keeping our
customizations. Use the same revision for all platforms.
Adapt patches for lf-6.6.23-2.0.0 release and add the "Upstream-Status" tag to
them to avoid QA errors.
For now, use the imx-boot recipe from meta-freescale, but there's a chance we
might need to port the version of the recipe in meta-imx.
https://onedigi.atlassian.net/browse/DEL-9011
https://onedigi.atlassian.net/browse/DEL-9081
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>

This commit adds the CCiMX91 platform to the DEY
build system. Furthermore, it creates generic ccimx9
support to be used for the CCiMX91 and CCiMX93
platform.
https://onedigi.atlassian.net/browse/DEL-9106
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
Signed-off-by: Mike Engel <Mike.Engel@digi.com>

The patches have been backported from the lf-6.1.36-2.1.0 release of
imx-mkimage.
https://onedigi.atlassian.net/browse/DUB-1081
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>

Starting with NXP release "lf-6.1.55-2.2.0" the IMX optee fork (based on
version 4.0.0) does not support SOC revision A0. This commit recovers
support to build a bootloader for A0, extending the optee patch for
ccimx93 to support A0 with a build time option, and then extending the
optee-os and imx-boot recipes to build two optee binaries and using them
to generate bootloaders for both SOC revisions.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>

In commit 2fd1dbfed7, we accidentally removed some changes needed to
build imx-boot with Trustfence enabled, which were added in commit
1ce17da864.
This partially reverts commit 2fd1dbfed7
Signed-off-by: Francisco Gil <francisco.gilmartinez@digi.com>

Recently, meta-freescale backported the support to build multiple boot
artifacts. This clashes with the changes in our imx-boot bbappend,
so update the bbappend to make it compatible with the latest changes
in meta-freescale.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
(cherry picked from commit 2fd1dbfed7)

mkimage output provides some information (basically image offsets) that
cst (code signing tool) uses to sign imx-boot images.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>

Make a series of changes to make sure the imx-boot signing process works:
* Store separate mkimage logs for each imx-boot build. In our case, this
means storing one log per SoC revision. Each SoC revision has a different
SECO fw binary with varying sizes, which causes offsets of specific
signing regions to differ among revisions. Since we parse the offsets
from the logs, we need to make sure the offset information is correct in
each case.
* Remove u-boot-atf-container.img in each mkimage iteration, otherwise the
ATF offset information will be missing from subsequent logs.
* Implement a separate trustfence_sign_imxboot() function for the ccimx8x
to iterate through all SoC revisions.
Note that the SPL+AHAB signing script doesn't support imx-boot encryption yet.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>

Now that both U-Boot and the SCFW can autodetect the RAM configuration, we can
simplify the imx-boot build process to generate two binaries (one per SOC
revision) instead of eight. Build "flash_spl" imx-boot images and use only one
global defconfig for u-boot.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>

This update includes automatic RAM configuration detection, and only one SCFW
binary is needed for all ccimx8x variants. Adapt the imx-boot recipe
accordingly.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>

Use our custom compile/install/deploy functions from DEY 3.2. NXP's imx-boot
recipe assumes only one U-Boot config and SOC revision, but we have multiple,
so we have to rewrite all of these functions.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>

Although in theory, you can use any label to name the different u-boot
build configurations, we have them coupled to machine names in the
boot-artifacts bbclass, and also in the default boot artifact filename
in the firmware installation scripts.
So fix that up for the ccimx93 in the machine config, and create the
proper symlinks in the do_deploy imx-boot recipe.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>

Both recipes (imx-boot and imx-mkimage) use the same source code
repository, so update both of them to the new NXP release, by copying
with minimal changes the recipes in meta-imx.
Also convert the original 'imx-mkimage' recipe, which was only for
native class, to a full target, native, nativesdk recipe. We need this
to be able to include the nativesdk one in our toolchain.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>