GitLab

fuse: Use script defines instead of hardcoded values

See merge request !3

Signed-off-by: Lukasz Majewski <lukma@denx.de>

The code to setup the eMMC's boot partition RO protection is board
specific and hence shall be provided from BSP part of initramfs factory
script.
Signed-off-by: Lukasz Majewski <lukma@denx.de>

This function is supposed to call board specific tweaks/quirks during
factory setup.
Signed-off-by: Lukasz Majewski <lukma@denx.de>

When the rootfs keyblob is created the SRK key data from eFUSEs is read.
For the above reason, in the factory, we first need to program this data
and afterwards generate the key blob.
Signed-off-by: Lukasz Majewski <lukma@denx.de>

The DEBUGSHELL variable is set to "yes" only when 'debugshell' parameter
is passed to the kernel.

When it is not passed the board shall just reboot - without entering
the debug shell.
Signed-off-by: Lukasz Majewski <lukma@denx.de>

To program eMMC to have RO permanent on the boot area, one needs to
use the '-p' switch to 'mmc writeprotect boot set' command.
Signed-off-by: Lukasz Majewski <lukma@denx.de>

The 'mmc writeprotect boot set [-p] /dev/mmcblk1 1'
command shall be used to protect boot eMMC partition from being
accidentally overwritten.
Signed-off-by: Lukasz Majewski <lukma@denx.de>

The do_assembly_fit() has been augmented to created HAB signed version
of the fitImage, which it is going to produce.

This image can be then validated via HAB IP block in the iMX SoC.
Signed-off-by: Lukasz Majewski <lukma@denx.de>

Signed-off-by: Lukasz Majewski <lukma@denx.de>

After this commit it would be possible to set SEC_CONFIG[1:0] bits
to 0x1x to only allow booting the HAB verified images.

THIS OPERATION IS IRREVERSIBLE AND CAN CAUSE BOARD BEING BRICKED!!!
Signed-off-by: Lukasz Majewski <lukma@denx.de>

Some iMX SoCs allow programming two MAC addresses.

This patch allows this when proper input file is provided; for example
02:0C:B1:00:AA:BB
02:0C:B1:00:AA:CC
(with new line on the end of the file).

Also, the BSP's meta layer shall define:
IMX_FUSE_MAC2_IDX="36" in
recipes-core/initrdscripts/files/initramfs specific to the BSP
Signed-off-by: Lukasz Majewski <lukma@denx.de>

Different IMX SoCs can have different offsets for the same nvmem fields
(for example imx6ull vs imx8).

To make this meta layer better reusable - the script defines have been
used instead of hardcoded values.
Signed-off-by: Lukasz Majewski <lukma@denx.de>

Extend the functionality of meta-secure-imx (tested on imx6ull)

See merge request !2

This function is responsible for setting (if it is not already set) the
CRYPTO_HW_ACCEL variable according to the used SoC and errata.
Signed-off-by: Lukasz Majewski <lukma@denx.de>

This change fixes following error:
"132: [: =: unexpected operator" when uboot-hab-sign.bbclass functions
are parsed (on imx6ull).
Signed-off-by: Lukasz Majewski <lukma@denx.de>

The common code used to generate CSF binary blob has been moved to the
separate function and can be reused not only with preparing kernel
image to be validated through HAB ROM IP block.

Other *.itb images - like one with SWUpdate based initramfs can be
extended to have the CSF binary data appended.
Signed-off-by: Lukasz Majewski <lukma@denx.de>

After this change it is now possible to pass information regarding used
CRYPTO_HW_ACCEL device available on the NXP board; CAAM, DCP or SW.
Signed-off-by: Lukasz Majewski <lukma@denx.de>

The initramfs-init-factory recipe provides extra factory functions,
which are not required on standard boot (with decryption of rootfs).
Signed-off-by: Lukasz Majewski <lukma@denx.de>

Add factory_functions file to store functions, which are only used
at factory setup.

Init scripts (factory, secure boot)
-----------------------------------

Create the encryption rootfs key on your server (to be accessible via tftp or curl)
echo "fdf6842566d47e47d6874da561fec422" > imx6ull-inverter-rootfs-enc-key.txt

Remove the rootfs key blob from boot0 part:
echo 0 > /sys/block/mmcblk1boot0/force_ro
dd if=/dev/zero of=/dev/mmcblk1boot0 bs=512 seek=8191 count=1

MAC address fuse write support
------------------------------

One needs to provide tftp accessible file:

Setup mac address
echo -n "24:0B:B1:00:03:58" > imx6ull-inverter-mac.txt

to write MAC address data to inverter board fuses.
Signed-off-by: Lukasz Majewski <lukma@denx.de>

Introduce some consistency to the formatting of initramfs-init.sh
script.
Signed-off-by: Lukasz Majewski <lukma@denx.de>

The fw_{printenv|setenv} are used to get root device info used during
decryption at boot time.

The u-boot-env provides /etc/fw_env.conf file.
Signed-off-by: Lukasz Majewski <lukma@denx.de>

Signed-off-by: Lukasz Majewski <lukma@denx.de>

This patch provides the generic recipe to create itb fitImage
from any initramfs image.

It only needs one platform specific augmentation - namely the
load entry/address for Linux kernel shall be set in board
specific *.bbappend file:

do_assemble_fit_prepend() {
   sed -i "s|ITS_KERNEL_LOAD_ADDR|0x87800000|g" ${B}/rescue.its.in
   sed -i "s|ITS_KERNEL_ENTRY_ADDR|0x87800000|g" ${B}/rescue.its.in
}
Signed-off-by: Lukasz Majewski <lukma@denx.de>

The IMAGE_BASENAME variable is set to ${PN} by default, so this
line is not necessary anymore.
Signed-off-by: Lukasz Majewski <lukma@denx.de>

This image reuses code from in-production used crypt-image-initramfs.bb
recipe. Some extra code for factory setup is added.
Signed-off-by: Lukasz Majewski <lukma@denx.de>

The crypt-image-initramfs code now can be reused by other images.
In that way it is possible to avoid code duplication when for example
an image for factory setup is required.
Signed-off-by: Lukasz Majewski <lukma@denx.de>

The xargs is necessary to avoid leading white space when UBOOT_MACHINE
is expanded (or created).

Moreover, it is now possible to use the CRYPTO_HW_ACCEL variable to
decide if DCP, CAAM or SW shall be used as the crypto engine.
Signed-off-by: Lukasz Majewski <lukma@denx.de>

Signed-off-by: Lukasz Majewski <lukma@denx.de>

New, common cst-native.inc file has been introduced to provide common
code for both versions.

Moreover, the cst-3.1.0.tgz binary has been pulled to facilitate
the workflow.
Signed-off-by: Lukasz Majewski <lukma@denx.de>

Patches were tested only with linux-stable, so move them and add only if
linux-stable is taken.

TODO: check patches with linux-yocto, too.
Signed-off-by: Stefano Babic <sbabic@denx.de>

Signed-off-by: Stefano Babic <sbabic@denx.de>

Signed-off-by: Stefano Babic <sbabic@denx.de>

Signed-off-by: Stefano Babic <sbabic@denx.de>

sign-fs: fix build if PASS_FILE is not set

See merge request !1

commit:825d05f0

 ("Signing fs: add PASS_FILE as set in README")
add handling of variable PASS_FILE. If this variable is
not set build failed, fix it.
Signed-off-by: Heiko Schocher <hs@denx.de>

Signed-off-by: Stefano Babic <sbabic@denx.de>

Signed-off-by: Stefano Babic <sbabic@denx.de>

u-boot has multiple providers - better use the generic
virtual/bootloader package name.
Signed-off-by: Stefano Babic <sbabic@denx.de>

Heiko Schocher authored Aug 03, 2021 and Stefano Babic committed Aug 05, 2021

do_sign_uboot must also run before do_deploy.
Signed-off-by: Heiko Schocher <hs@denx.de>