- 30 Aug, 2022 1 commit
-
-
Currently, signing i.MX8MM via meta-secure-imx is not working with a recent U-Boot, such as 2022.07.

Use the same signing script suggested by mainline U-Boot:

https://source.denx.de/u-boot/custodians/u-boot-imx/-/blob/8642e5db0e9bd734e2f0eb252dc21824c4e0f759/doc/imx/habv4/csf_examples/mx8m/csf.sh

Successfully tested it on a kontron-sl-mx8mm board.

Signed-off-by:
Fabio Estevam <festevam@denx.de>
-
- 13 Jul, 2022 3 commits
-
-
Stefano Babic authored
Last U-Boot versions use binman to produce a single file instead of generating SPL and u-boot.itb. In this case, it is enough to sign the resulting compound file and it is not required to sign u-boot.itb. Add UBOOT_SIGN_SPL_ONLY to skip this. Signed-off-by:
Stefano Babic <sbabic@denx.de>
-
Stefano Babic authored
File to be signed was not found after updating poky to last dunfell. Signed-off-by:
Stefano Babic <sbabic@denx.de>
-
Stefano Babic authored
Signed-off-by:
Stefano Babic <sbabic@denx.de>
-
- 06 Jul, 2022 1 commit
-
-
Stefano Babic authored
Using negation does not work in some cases. Signed-off-by:
Stefano Babic <sbabic@denx.de>
-
- 25 Apr, 2022 1 commit
-
-
"HAB Blocks" log line could be missing if CONFIG_IMX_HAB is not enabled in u-boot configuration. If not found, it results in the CSF file to missing parameters (load address, offset, length) to the "Block" argument of "[Authenticate Data]" command. E.g.: Blocks = "u-boot.imx" Instead of: Blocks = 0x877ff400 0x00000000 0x0009fc00 "u-boot.imx" When these arguments are missing, the nxp "cst" tools segfault. The root cause of this error is not easy to understand in yocto/bitbake error output (segfault in a shell command). $ cst --o u-boot.imx.csf.bin --i u-boot.imx.csf Install SRK Install CSFK Authenticate CSF Install key Authenticate data Segmentation fault This patch generates a build fatal error if HAB block parameters are not found. Ideally, the "cst" tool should detect the missing arguments and print an error message instead of segfaulting.
-
- 05 Feb, 2022 1 commit
-
-
Stefano Babic authored
Several fixes for meta-secure-imx See merge request !4
-
- 18 Jan, 2022 1 commit
-
-
Lukasz Majewski authored
The cst tar archive (cst-3.1.0.tgz) shall be downloaded from NXP web site (without costs). Signed-off-by:
Lukasz Majewski <lukma@denx.de>
-
- 02 Dec, 2021 1 commit
-
-
Lukasz Majewski authored
The imx6ull only has the RNGB random number generator (which is not part of CAAM) which works as a standalone IP block (in conjunction with DCP). As imx6ull doesn't have CAAM, the RNGC iMX driver can be used to control RNGB random number HW. This change enables usage of RNGC driver with imx6ull RNGB HW. Now it is possible to use the /dev/hwrng device (with e.g. cat /dev/hwrng) (Those patches are not required on LTS 5.10.y onwards) Signed-off-by:
Lukasz Majewski <lukma@denx.de>
-
- 08 Nov, 2021 1 commit
-
-
Stefano Babic authored
fuse: Use script defines instead of hardcoded values See merge request !3
-
- 04 Nov, 2021 1 commit
-
-
Lukasz Majewski authored
Signed-off-by:
Lukasz Majewski <lukma@denx.de>
-
- 03 Nov, 2021 6 commits
-
-
Lukasz Majewski authored
The code to setup the eMMC's boot partition RO protection is board specific and hence shall be provided from BSP part of initramfs factory script. Signed-off-by:
Lukasz Majewski <lukma@denx.de>
-
Lukasz Majewski authored
This function is supposed to call board specific tweaks/quirks during factory setup. Signed-off-by:
Lukasz Majewski <lukma@denx.de>
-
Lukasz Majewski authored
When the rootfs keyblob is created the SRK key data from eFUSEs is read. For the above reason, in the factory, we first need to program this data and afterwards generate the key blob. Signed-off-by:
Lukasz Majewski <lukma@denx.de>
-
Lukasz Majewski authored
The DEBUGSHELL variable is set to "yes" only when 'debugshell' parameter is passed to the kernel. When it is not passed the board shall just reboot - without entering the debug shell. Signed-off-by:
Lukasz Majewski <lukma@denx.de>
-
Lukasz Majewski authored
To program eMMC to have RO permanent on the boot area, one needs to use the '-p' switch to 'mmc writeprotect boot set' command. Signed-off-by:
Lukasz Majewski <lukma@denx.de>
-
Lukasz Majewski authored
The 'mmc writeprotect boot set [-p] /dev/mmcblk1 1' command shall be used to protect boot eMMC partition from being accidentally overwritten. Signed-off-by:
Lukasz Majewski <lukma@denx.de>
-
- 27 Oct, 2021 4 commits
-
-
Lukasz Majewski authored
The do_assembly_fit() has been augmented to create a HAB signed version of the fitImage, which it is going to produce. This image can then be validated via HAB IP block in the iMX SoC. Signed-off-by:
Lukasz Majewski <lukma@denx.de>
-
Lukasz Majewski authored
Signed-off-by:
Lukasz Majewski <lukma@denx.de>
-
Lukasz Majewski authored
After this commit it would be possible to set SEC_CONFIG[1:0] bits to 0x1x to only allow booting the HAB verified images. THIS OPERATION IS IRREVERSIBLE AND CAN CAUSE BOARD BEING BRICKED!!! Signed-off-by:
Lukasz Majewski <lukma@denx.de>
-
Lukasz Majewski authored
Some iMX SoCs allow programming two MAC addresses. This patch allows this when proper input file is provided; for example

    02:0C:B1:00:AA:BB
    02:0C:B1:00:AA:CC

(with new line on the end of the file).

Also, the BSP's meta layer shall define:

    IMX_FUSE_MAC2_IDX="36"

in recipes-core/initrdscripts/files/initramfs specific to the BSP

Signed-off-by:
Lukasz Majewski <lukma@denx.de>
-
- 26 Oct, 2021 1 commit
-
-
Lukasz Majewski authored
Different IMX SoCs can have different offsets for the same nvmem fields (for example imx6ull vs imx8). To make this meta layer better reusable - the script defines have been used instead of hardcoded values. Signed-off-by:
Lukasz Majewski <lukma@denx.de>
-
- 22 Oct, 2021 1 commit
-
-
Stefano Babic authored
Extend the functionality of meta-secure-imx (tested on imx6ull) See merge request !2
-
- 18 Oct, 2021 2 commits
-
-
Lukasz Majewski authored
This function is responsible for setting (if it is not already set) the CRYPTO_HW_ACCEL variable according to the used SoC and errata. Signed-off-by:
Lukasz Majewski <lukma@denx.de>
-
Lukasz Majewski authored
This change fixes following error: "132: [: =: unexpected operator" when uboot-hab-sign.bbclass functions are parsed (on imx6ull). Signed-off-by:
Lukasz Majewski <lukma@denx.de>
-
- 15 Oct, 2021 12 commits
-
-
Lukasz Majewski authored
The common code used to generate CSF binary blob has been moved to the separate function and can be reused not only with preparing kernel image to be validated through HAB ROM IP block. Other *.itb images - like one with SWUpdate based initramfs can be extended to have the CSF binary data appended. Signed-off-by:
Lukasz Majewski <lukma@denx.de>
-
Lukasz Majewski authored
After this change it is now possible to pass information regarding used CRYPTO_HW_ACCEL device available on the NXP board; CAAM, DCP or SW. Signed-off-by:
Lukasz Majewski <lukma@denx.de>
-
Lukasz Majewski authored
The initramfs-init-factory recipe provides extra factory functions, which are not required on standard boot (with decryption of rootfs). Signed-off-by:
Lukasz Majewski <lukma@denx.de>
-
Lukasz Majewski authored
Add factory_functions file to store functions, which are only used at factory setup.

Init scripts (factory, secure boot)
-----------------------------------

Create the encryption rootfs key on your server (to be accessible via tftp or curl)

    echo "fdf6842566d47e47d6874da561fec422" > imx6ull-inverter-rootfs-enc-key.txt

Remove the rootfs key blob from boot0 part:

    echo 0 > /sys/block/mmcblk1boot0/force_ro
    dd if=/dev/zero of=/dev/mmcblk1boot0 bs=512 seek=8191 count=1

MAC address fuse write support
------------------------------

One needs to provide tftp accessible file:

Setup mac address

    echo -n "24:0B:B1:00:03:58" > imx6ull-inverter-mac.txt

to write MAC address data to inverter board fuses.

Signed-off-by:
Lukasz Majewski <lukma@denx.de>
-
Lukasz Majewski authored
Introduce some consistency to the formatting of initramfs-init.sh script. Signed-off-by:
Lukasz Majewski <lukma@denx.de>
-
Lukasz Majewski authored
The fw_{printenv|setenv} are used to get root device info used during decryption at boot time. The u-boot-env provides /etc/fw_env.conf file. Signed-off-by:
Lukasz Majewski <lukma@denx.de>
-
Lukasz Majewski authored
Signed-off-by:
Lukasz Majewski <lukma@denx.de>
-
Lukasz Majewski authored
This patch provides the generic recipe to create itb fitImage from any initramfs image.

It only needs one platform specific augmentation - namely the load entry/address for Linux kernel shall be set in board specific *.bbappend file:

    do_assemble_fit_prepend() {
        sed -i "s|ITS_KERNEL_LOAD_ADDR|0x87800000|g" ${B}/rescue.its.in
        sed -i "s|ITS_KERNEL_ENTRY_ADDR|0x87800000|g" ${B}/rescue.its.in
    }

Signed-off-by:
Lukasz Majewski <lukma@denx.de>
-
Lukasz Majewski authored
The IMAGE_BASENAME variable is set to ${PN} by default, so this line is not necessary anymore. Signed-off-by:
Lukasz Majewski <lukma@denx.de>
-
Lukasz Majewski authored
This image reuses code from in-production used crypt-image-initramfs.bb recipe. Some extra code for factory setup is added. Signed-off-by:
Lukasz Majewski <lukma@denx.de>
-
Lukasz Majewski authored
The crypt-image-initramfs code now can be reused by other images. In that way it is possible to avoid code duplication when for example an image for factory setup is required. Signed-off-by:
Lukasz Majewski <lukma@denx.de>
-
Lukasz Majewski authored
The xargs is necessary to avoid leading white space when UBOOT_MACHINE is expanded (or created). Moreover, it is now possible to use the CRYPTO_HW_ACCEL variable to decide if DCP, CAAM or SW shall be used as the crypto engine. Signed-off-by:
Lukasz Majewski <lukma@denx.de>
-
- 17 Sep, 2021 1 commit
-
-
Lukasz Majewski authored
Signed-off-by:
Lukasz Majewski <lukma@denx.de>
-
- 24 Aug, 2021 1 commit
-
-
Lukasz Majewski authored
New, common cst-native.inc file has been introduced to provide common code for both versions. Moreover, the cst-3.1.0.tgz binary has been pulled to facilitate the workflow. Signed-off-by:
Lukasz Majewski <lukma@denx.de>
-
- 12 Aug, 2021 1 commit
-
-
Stefano Babic authored
Patches were tested only with linux-stable, so move them and add only if linux-stable is taken. TODO: check patches with linux-yocto, too. Signed-off-by:
Stefano Babic <sbabic@denx.de>
-