u-boot-iot2050: Lift to 2023.10
Most of our patches are merged now, just one DT change and a small fix for
the signing script are remaining.

In this latest upstream version, we folded PG1 and PG2 U-Boot configs
into a single one again, generating both artifacts in the same run.
Consequently, we can simplify the build as there is now only one recipe
as well.

We need to drop the disabling of CONFIG_DISTRO_DEFAULTS from the secure
boot configuration as this would make distro_bootcmd unavailable.

Signed-off-by: Jan Kiszka <[email protected]>
jan-kiszka committed Oct 4, 2023
1 parent ec5e528 commit f790b1b
Showing 43 changed files with 102 additions and 2,643 deletions.
6 changes: 2 additions & 4 deletions .github/workflows/main.yml
Expand Up @@ -69,10 +69,8 @@ jobs:
uses: actions/checkout@v3
- name: Free Disk Space
uses: ./.github/workflows/free-disk-space
- name: Build bootloader image for PG1
run: ./kas-container build kas-iot2050-boot-pg1.yml
- name: Build bootloader image for PG2 & m.2
run: ./kas-container build kas-iot2050-boot-pg2.yml
- name: Build bootloader image
run: ./kas-container build kas-iot2050-boot.yml
- name: Archive bootloaders
uses: actions/upload-artifact@v3
with:
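
Review bot: the "Archive bootloaders" step after the merged build step is left unchanged, and its `with:` paths are not visible in this hunk. The single `kas-iot2050-boot.yml` build now has to deliver both iot2050-pg1-image-boot.bin and iot2050-pg2-image-boot.bin (the names given in the new Kconfig help text), so please confirm the upload path list matches both files. Otherwise CI stays green while one generation's firmware is missing from the archive.
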
4 changes: 1 addition & 3 deletions .gitlab-ci.yml
Expand Up @@ -25,6 +25,4 @@ all:
- kas build kas-iot2050-example.yml:kas/opt/preempt-rt.yml
- kas build kas-iot2050-swupdate.yml
- sudo rm -rf build/tmp
- kas build kas-iot2050-boot-pg1.yml
- sudo rm -rf build/tmp
- kas build kas-iot2050-boot-pg2.yml
- kas build kas-iot2050-boot.yml
31 changes: 11 additions & 20 deletions Kconfig
Expand Up @@ -30,21 +30,13 @@ config IMAGE_SWUPDATE
Based on the example image, this adds SWUpdate and changes the
partition layout to an A/B rootfs.

config IMAGE_BOOT_PG1
bool "Firmware image for PG1 devices"
config IMAGE_BOOT
bool "Firmware image for PG1, PG2 and M.2 devices"
help
Build the firmware image that is responsible for booting Product
Generation 1 (PG1) devices.

WARNING: Do not flash this image onto your device unless you know
that it fits AND you have an external flash programmer at hand that
allows to recover. Otherwise you risk to BRICK THE IOT2050!

config IMAGE_BOOT_PG2
bool "Firmware image for PG2 and M.2 devices"
help
Build the firmware image that is responsible for booting Product
Generation 2 (PG2) devices, including its M.2 variant.
Build firmware images that are responsible for booting IOT2050
devices. Two artifacts are generated: iot2050-pg1-image-boot.bin
for Product Generation 1 devices and iot2050-pg2-image-boot.bin for
Product Generation 2 devices, including M.2 variants.

WARNING: Do not flash this image onto your device unless you know
that it fits AND you have an external flash programmer at hand that
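
Review bot: in the IMAGE_BOOT help text the WARNING still says "this image", but the option now produces two binaries for different hardware generations. Say explicitly that the file being flashed must match the device generation (iot2050-pg1-image-boot.bin for PG1, iot2050-pg2-image-boot.bin for PG2 and M.2), because having both files in one build output makes picking the wrong one easier than it was with separate builds.
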
Expand All @@ -56,8 +48,7 @@ config KAS_INCLUDE_MAIN
string
default "kas-iot2050-example.yml" if IMAGE_EXAMPLE
default "kas-iot2050-swupdate.yml" if IMAGE_SWUPDATE
default "kas-iot2050-boot-pg1.yml" if IMAGE_BOOT_PG1
default "kas-iot2050-boot-pg2.yml" if IMAGE_BOOT_PG2
default "kas-iot2050-boot.yml" if IMAGE_BOOT

comment "Image features"

Expand Down Expand Up @@ -128,7 +119,7 @@ config SECURE_BOOT

config SECURE_BOOT
bool "Secure boot"
depends on IMAGE_BOOT_PG2
depends on IMAGE_BOOT
help
Enable signing of all customizable firmware artifacts, enforce UEFI
Secure Boot mode, protect sensitive U-Boot environment variables and
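
Review bot: `depends on IMAGE_BOOT` at SECURE_BOOT widens the option from a PG2-only build to one that also emits the PG1 artifact, and the help text does not say what happens to that artifact. State in the help whether iot2050-pg1-image-boot.bin is signed and supported in a secure boot build or is to be ignored, so nobody assumes a PG1 image from this build carries the same guarantees.
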
Expand All @@ -140,7 +131,7 @@ config SECURE_BOOT

config OTP_PROVISIONING
bool "OTP Provisioning"
depends on IMAGE_BOOT_PG2
depends on IMAGE_BOOT
help
Integrate OTP provisioning data into the firmware artifacts. Various
options are avaiable. By default, this will integrate the OTP command
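
Review bot: typo in the help text of OTP_PROVISIONING, "avaiable" should be "available". It is a context line, but since this entry is being touched anyway it can be fixed in the same change.
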
Expand All @@ -152,7 +143,7 @@ config OTP_PROVISIONING

config RPMB_SETUP
bool "OPTEE RPMB setup for OTP key write"
depends on IMAGE_BOOT_PG2 && !SECURE_BOOT
depends on IMAGE_BOOT && !SECURE_BOOT
help
Enable one-time pairing between processor and secure storage
(RPMB on eMMC). Do not sign and distribute this version. Run it
Expand Down Expand Up @@ -244,7 +235,7 @@ config KAS_INCLUDE_DEBIAN_MIRROR
config FIRMWARE_SECURE_VER
string "Use specific firmware secure version"
default "0"
depends on SECURE_BOOT && IMAGE_BOOT_PG2
depends on SECURE_BOOT && IMAGE_BOOT
help
Use specific anti-rollback secure version rather than the default 0.
Range 0 - 127.
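
Review bot: `depends on SECURE_BOOT && IMAGE_BOOT` is redundant after this change, because SECURE_BOOT itself now depends on IMAGE_BOOT; `depends on SECURE_BOOT` is enough. Separately, the symbol is a `string` while the help promises "Range 0 - 127", and nothing in the visible lines enforces that. Consider validating the anti-rollback value (for example an `int` with a `range`, if the consumers of the value accept it) rather than relying on the help text.
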
2 changes: 0 additions & 2 deletions conf/distro/iot2050-debian.conf
Expand Up @@ -16,8 +16,6 @@ DISTRO_NAME = "IOT2050 Debian System"

HOSTNAME ??= "iot2050-debian"

PREFERRED_VERSION_u-boot-iot2050-pg1 ?= "2022.10"
PREFERRED_VERSION_u-boot-iot2050-pg2 ?= "2022.10"
PREFERRED_VERSION_linux-iot2050 ?= "5.10.%"
PREFERRED_VERSION_linux-iot2050-rt ?= "5.10.%"

6 changes: 2 additions & 4 deletions conf/machine/iot2050.conf
Expand Up @@ -11,10 +11,8 @@

DISTRO_ARCH ?= "arm64"

PRODUCT_GENERATION ?= "pg2"

PREFERRED_PROVIDER_u-boot-${MACHINE} ?= "u-boot-iot2050-${PRODUCT_GENERATION}"
PREFERRED_PROVIDER_u-boot-${MACHINE}-config ?= "u-boot-iot2050-${PRODUCT_GENERATION}"
PREFERRED_PROVIDER_u-boot-${MACHINE} ?= "u-boot-iot2050"
PREFERRED_PROVIDER_u-boot-${MACHINE}-config ?= "u-boot-iot2050"

KERNEL_NAME ?= "iot2050"
DTB_FILES ?= " \
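
Review bot: PRODUCT_GENERATION disappears here without a replacement or a diagnostic, so a local.conf or downstream layer that still sets `PRODUCT_GENERATION = "pg1"` is silently ignored and gets the combined `u-boot-iot2050` provider. Please mention the removal in the changelog or release notes; the commit message only talks about folding the U-Boot configs.
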
23 changes: 0 additions & 23 deletions kas-iot2050-boot-pg1.yml

This file was deleted.

2 changes: 1 addition & 1 deletion kas-iot2050-boot-pg2.yml → kas-iot2050-boot.yml
@@ -1,5 +1,5 @@
#
# Copyright (c) Siemens AG, 2019-2021
# Copyright (c) Siemens AG, 2019-2022
#
# Authors:
# Le Jin <[email protected]>
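
Review bot: the copyright range in the renamed file is bumped to 2019-2022 although the commit is dated Oct 4, 2023. Use 2019-2023 if the header is meant to reflect this change, or leave the line untouched.
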
2 changes: 0 additions & 2 deletions kas/opt/upstream.yml
Expand Up @@ -10,8 +10,6 @@ header:

local_conf_header:
upstream-versions: |
PREFERRED_VERSION_u-boot-iot2050-pg1 = "202x.xx-upstream"
PREFERRED_VERSION_u-boot-iot2050-pg2 = "202x.xx-upstream"
PREFERRED_VERSION_linux-iot2050 = "5.x-upstream"
extra-args: |
EXTRA_KERNEL_PARAMS = "fw_devlink=permissive"
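
Review bot: with both `PREFERRED_VERSION_u-boot-iot2050-pg*` lines removed and no `PREFERRED_VERSION_u-boot-iot2050` added, the upstream option now only switches the kernel to "5.x-upstream" and leaves U-Boot on the regular recipe. If that is intended, say so in the commit message; if an upstream U-Boot variant is still meant to be selectable, add the pin under the new recipe name.
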
2 changes: 0 additions & 2 deletions recipes-bsp/optee-os/optee-os-iot2050_3.22.0.bb
Expand Up @@ -39,6 +39,4 @@ python() {
if re.search("rpmb-setup", overrides):
if re.search("secureboot", overrides):
bb.fatal("Not possible to use Secure Boot and RPMB setup for OPTEE")
if d.getVar('PRODUCT_GENERATION') == "pg1":
bb.warn("PG1 devices do not supported RPMB based secure storage")
}
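
Review bot: dropping the PRODUCT_GENERATION check removes the only build-time hint that PG1 devices do not support RPMB based secure storage, while the rpmb-setup build now also produces the PG1 artifact. The warning cannot stay as it is because the variable is gone, but the limitation should move into the RPMB_SETUP help text or into the U-Boot README next to the rpmb-setup build command.
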
12 changes: 6 additions & 6 deletions recipes-bsp/secure-boot-otp-provisioning/README.md
Expand Up @@ -57,7 +57,7 @@ Before start the build, make sure the currently using key set is copied to
`recipes-bsp/u-boot/files/keys/custMpk.pem`.

```shell
./kas-container build kas-iot2050-boot-pg2.yml:kas/opt/secure-boot.yml:kas/opt/otpcmd/key-provision.yml
./kas-container build kas-iot2050-boot.yml:kas/opt/secure-boot.yml:kas/opt/otpcmd/key-provision.yml
```

> Warning: The default key sets within kas/opt/key-provision.yml only contain
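
Review bot: the warning in the trailing context line refers to `kas/opt/key-provision.yml`, but the command above it passes `kas/opt/otpcmd/key-provision.yml`. As this block is being edited anyway, fix the path in the warning so readers check the key sets in the file that is actually given to the build.
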
Expand Down Expand Up @@ -93,7 +93,7 @@ Then start to building the new key signed firmware together with the key switchi
otpcmd data.

```shell
./kas-container build kas-iot2050-boot-pg2.yml:kas/opt/secure-boot.yml:kas/opt/otpcmd/key-switch.yml
./kas-container build kas-iot2050-boot.yml:kas/opt/secure-boot.yml:kas/opt/otpcmd/key-switch.yml
```

> Warning: The default switching within kas/opt/key-switch.yml is from MPK to SMPK.
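
Review bot: the warning refers to `kas/opt/key-switch.yml` while the command uses `kas/opt/otpcmd/key-switch.yml`. Align the path in the warning with the option file that is passed to the build.
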
Expand All @@ -118,31 +118,31 @@ by feeding different kas option file to the building.
If the BMPK need to be programmed together:

```bash
./kas-container build kas-iot2050-boot-pg2.yml:kas/opt/secure-boot.yml:kas/opt/otpcmd/key-provision-3keys.yml
./kas-container build kas-iot2050-boot.yml:kas/opt/secure-boot.yml:kas/opt/otpcmd/key-provision-3keys.yml
```

### Provision keys only without enabling secure boot

If only the keys need to be programmed but not enabling the secure boot:

```bash
./kas-container build kas-iot2050-boot-pg2.yml:kas/opt/secure-boot.yml:kas/opt/otpcmd/key-provision-keys-only.yml
./kas-container build kas-iot2050-boot.yml:kas/opt/secure-boot.yml:kas/opt/otpcmd/key-provision-keys-only.yml
```

### Enable secure boot only

If you want to only enable the secure boot(because the keys are already programmed):

```bash
./kas-container build kas-iot2050-boot-pg2.yml:kas/opt/secure-boot.yml:kas/opt/otpcmd/key-provision-enabling-only.yml
./kas-container build kas-iot2050-boot.yml:kas/opt/secure-boot.yml:kas/opt/otpcmd/key-provision-enabling-only.yml
```

### Switch from SMPK to BMPK

If the key switching is from SMPK to BMPK:

```bash
./kas-container build kas-iot2050-boot-pg2.yml:kas/opt/secure-boot.yml:kas/opt/otpcmd/key-switch-2to3.yml
./kas-container build kas-iot2050-boot.yml:kas/opt/secure-boot.yml:kas/opt/otpcmd/key-switch-2to3.yml
```

### Use TUI alternative
5 changes: 2 additions & 3 deletions recipes-bsp/u-boot/README.md
Expand Up @@ -5,8 +5,7 @@
The boot loader for PG1 and PG2 boards is built like this:

```shell
./kas-container build kas-iot2050-boot-pg1.yml
./kas-container build kas-iot2050-boot-pg2.yml
./kas-container build kas-iot2050-boot.yml
```

After the build the boot images are under
Expand Down Expand Up @@ -81,7 +80,7 @@ A special firmware build is required to run in a secure operating environment to
program this key into RPMB. To build this special firmware:

```shell
./kas-container build kas-iot2050-boot-pg2.yml:kas/opt/rpmb-setup.yml
./kas-container build kas-iot2050-boot.yml:kas/opt/rpmb-setup.yml
```

This will build a special OPTee binary for generating and programming the otp
Expand Up @@ -13,7 +13,7 @@ Signed-off-by: Li Hua Qian <[email protected]>
1 file changed, 11 insertions(+)

diff --git a/arch/arm/dts/k3-am65-iot2050-common.dtsi b/arch/arm/dts/k3-am65-iot2050-common.dtsi
index e60006be..acc41335 100644
index 65da226847f..b6135b849f1 100644
--- a/arch/arm/dts/k3-am65-iot2050-common.dtsi
+++ b/arch/arm/dts/k3-am65-iot2050-common.dtsi
@@ -64,6 +64,12 @@
Expand All @@ -29,7 +29,7 @@ index e60006be..acc41335 100644
};

leds {
@@ -731,6 +737,11 @@
@@ -720,6 +726,11 @@
mboxes = <&mailbox0_cluster1 &mbox_mcu_r5fss0_core1>;
};

Expand Down

This file was deleted.

This file was deleted.
