[isar-cip-core][PATCH 0/6] Switch to cip_merged_defconfig, clean up ti-am62px-sk recipes

[isar-cip-core][PATCH 0/6] Switch to cip_merged_defconfig, clean up ti-am62px-sk recipes

[Jan Kiszka]

This first of all switches all boards to the cip_merged_defconfig. There
is a slight risk to regress as not all boards could have been tested so
far. Please support this!

Test status:
 - qemus - ok
 - bbb - ok
 - iwg20m - does not boot from isar-cip-core, even before the change
 - hihope-rzg2m - boots but takes longer [1]
 - ti-am62px-dk - untested

The series closes with two clean-up patches for the ti-am62px-sk. Both
are build-tested only.

Jan

[1] https://lore.kernel.org/cip-dev/21c328a5-ab4e-4678-adf2-cf34fa341869@siemens.com/

Jan Kiszka (6):
  linux-cip: Add lz4 as build dependency when using cip-kernel-config
  arm: Switch to cip_merged_defconfig
  arm64: Switch to cip_merged_defconfig
  linux-cip: Refactor KERNEL_DEFCONFIG initialization
  u-boot-ti-am62px-sk: Drop redundant or unused DEBIAN_BUILD_DEPENDS
  ti-am62px-sk: Switch wks files to gpt-hybrid

 conf/machine/bbb.conf                             |  3 +--
 conf/machine/hihope-rzg2m.conf                    |  3 +--
 conf/machine/iwg20m.conf                          |  1 -
 conf/machine/qemu-amd64.conf                      |  1 -
 conf/machine/qemu-arm.conf                        |  3 +--
 conf/machine/qemu-arm64.conf                      |  1 -
 conf/machine/qemu-riscv64.conf                    |  2 --
 conf/machine/ti-am62px-sk.conf                    |  1 -
 conf/machine/x86-uefi.conf                        |  1 -
 recipes-bsp/u-boot/u-boot-ti-am62px-sk_2025.07.bb |  1 -
 recipes-kernel/linux/cip-kernel-config.inc        | 12 ++++++++++--
 recipes-kernel/linux/linux-cip-common.inc         |  3 ---
 wic/ti-am62px-sk-efibootguard-secureboot.wks.in   |  4 ++--
 wic/ti-am62px-sk-efibootguard.wks.in              |  4 ++--
 wic/ti-am62px-sk.wks                              |  4 ++--
 15 files changed, 19 insertions(+), 25 deletions(-)

-- 
2.51.0

[isar-cip-core][PATCH 1/6] linux-cip: Add lz4 as build dependency when using cip-kernel-config

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

The merged defconfig for arm needs this.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 recipes-kernel/linux/cip-kernel-config.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-kernel/linux/cip-kernel-config.inc b/recipes-kernel/linux/cip-kernel-config.inc
index 8b3de446..e944a128 100644
--- a/recipes-kernel/linux/cip-kernel-config.inc
+++ b/recipes-kernel/linux/cip-kernel-config.inc
@@ -19,4 +19,4 @@ SRCREV_cip-kernel-config ?= "ba0204aa6c1c5a41dcb4fa1087b5ef5dd3ebf81f"
 
 do_fetch[vardeps] += "SRCREV_cip-kernel-config"
 
-KBUILD_DEPENDS:append = "${@', lzop' if d.getVar('USE_CIP_KERNEL_CONFIG') == '1' else ''}"
+KBUILD_DEPENDS:append = "${@', lzop, lz4' if d.getVar('USE_CIP_KERNEL_CONFIG') == '1' else ''}"
-- 
2.51.0

[isar-cip-core][PATCH 2/6] arm: Switch to cip_merged_defconfig

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

Allows to use the same kernel for all arm64 targets. Tested on qemu and
bbb.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 conf/machine/bbb.conf      | 4 ++--
 conf/machine/iwg20m.conf   | 2 +-
 conf/machine/qemu-arm.conf | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/conf/machine/bbb.conf b/conf/machine/bbb.conf
index af6b3299..cd1e09be 100644
--- a/conf/machine/bbb.conf
+++ b/conf/machine/bbb.conf
@@ -1,7 +1,7 @@
 #
 # CIP Core, generic profile
 #
-# Copyright (c) Siemens AG, 2019
+# Copyright (c) Siemens AG, 2019-2025
 #
 # SPDX-License-Identifier: MIT
 #
@@ -14,7 +14,7 @@ IMAGER_INSTALL:wic += "u-boot-bbb ${SYSTEMD_BOOTLOADER_INSTALL}"
 IMAGER_BUILD_DEPS += "u-boot-bbb"
 
 USE_CIP_KERNEL_CONFIG = "1"
-KERNEL_DEFCONFIG = "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/arm/cip_bbb_defconfig"
+KERNEL_DEFCONFIG = "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/arm/cip_merged_defconfig"
 
 # for SWUpdate setups: watchdog is configured in U-Boot
 WDOG_TIMEOUT = "0"
diff --git a/conf/machine/iwg20m.conf b/conf/machine/iwg20m.conf
index f5d5dda6..a5b2ecd3 100644
--- a/conf/machine/iwg20m.conf
+++ b/conf/machine/iwg20m.conf
@@ -16,7 +16,7 @@ BAUDRATE_TTY = "115200"
 
 # Setting for kernel and boot
 USE_CIP_KERNEL_CONFIG = "1"
-KERNEL_DEFCONFIG = "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/arm/renesas_shmobile_defconfig"
+KERNEL_DEFCONFIG = "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/arm/cip_merged_defconfig"
 DTB_FILES = "r8a7743-iwg20d-q7-dbcm-ca.dtb"
 KERNEL_IMAGE="zImage"
 IMAGE_BOOT_FILES = "${KERNEL_IMAGE} ${DTB_FILES}"
diff --git a/conf/machine/qemu-arm.conf b/conf/machine/qemu-arm.conf
index 6e1192a1..551494b8 100644
--- a/conf/machine/qemu-arm.conf
+++ b/conf/machine/qemu-arm.conf
@@ -1,7 +1,7 @@
 #
 # CIP Core, generic profile
 #
-# Copyright (c) Siemens AG, 2019
+# Copyright (c) Siemens AG, 2019-2025
 # Copyright (c) TOSHIBA CORPORATION, 2021
 #
 # SPDX-License-Identifier: MIT
@@ -11,7 +11,7 @@ DISTRO_ARCH = "armhf"
 
 IMAGE_FSTYPES ?= "ext4"
 USE_CIP_KERNEL_CONFIG = "1"
-KERNEL_DEFCONFIG ?= "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/arm/qemu_arm_defconfig"
+KERNEL_DEFCONFIG ?= "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/arm/cip_merged_defconfig"
 
 # watchdog is not yet supported in our QEMU executor for this platform, disable it
 WDOG_TIMEOUT = "0"
-- 
2.51.0

[isar-cip-core][PATCH 3/6] arm64: Switch to cip_merged_defconfig

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

Allows to use the same kernel for all arm64 targets.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 conf/machine/hihope-rzg2m.conf | 4 ++--
 conf/machine/ti-am62px-sk.conf | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/conf/machine/hihope-rzg2m.conf b/conf/machine/hihope-rzg2m.conf
index 0b3acf49..485683b2 100644
--- a/conf/machine/hihope-rzg2m.conf
+++ b/conf/machine/hihope-rzg2m.conf
@@ -1,7 +1,7 @@
 #
 # CIP Core, generic profile
 #
-# Copyright (c) Siemens AG, 2019
+# Copyright (c) Siemens AG, 2019-2025
 #
 # Authors:
 #  Quirin Gylstorff <quirin.gylstorff@siemens.com>
@@ -13,7 +13,7 @@ DISTRO_ARCH = "arm64"
 
 IMAGE_FSTYPES ?= "wic"
 
-KERNEL_DEFCONFIG = "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/arm64/renesas_defconfig"
+KERNEL_DEFCONFIG = "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/arm64/cip_merged_defconfig"
 USE_CIP_KERNEL_CONFIG = "1"
 DTB_FILES = "r8a774a1-hihope-rzg2m-ex.dtb"
 IMAGE_BOOT_FILES = "${KERNEL_IMAGE} ${DTB_FILES}"
diff --git a/conf/machine/ti-am62px-sk.conf b/conf/machine/ti-am62px-sk.conf
index 589f071e..bf3cf9ab 100644
--- a/conf/machine/ti-am62px-sk.conf
+++ b/conf/machine/ti-am62px-sk.conf
@@ -23,6 +23,6 @@ IMAGE_BOOT_FILES = " \
     /usr/lib/u-boot/${MACHINE}/tiboot3-am62px-hs-fs-evm.bin;tiboot3.bin"
 
 USE_CIP_KERNEL_CONFIG = "1"
-KERNEL_DEFCONFIG = "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/arm64/ti_defconfig"
+KERNEL_DEFCONFIG = "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/arm64/cip_merged_defconfig"
 
 WDOG_TIMEOUT = "0"
-- 
2.51.0

[isar-cip-core][PATCH 4/6] linux-cip: Refactor KERNEL_DEFCONFIG initialization

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

Now that all targets are on cip_merged_defconfig, we can make this the
standard value of KERNEL_DEFCONFIG if USE_CIP_KERNEL_CONFIG is set.
This is logically best done in cip-kernel-config.inc.

While at it, switch to bb.utils.to_boolean for the evaluation of
USE_CIP_KERNEL_CONFIG.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 conf/machine/bbb.conf                      |  1 -
 conf/machine/hihope-rzg2m.conf             |  1 -
 conf/machine/iwg20m.conf                   |  1 -
 conf/machine/qemu-amd64.conf               |  1 -
 conf/machine/qemu-arm.conf                 |  1 -
 conf/machine/qemu-arm64.conf               |  1 -
 conf/machine/qemu-riscv64.conf             |  2 --
 conf/machine/ti-am62px-sk.conf             |  1 -
 conf/machine/x86-uefi.conf                 |  1 -
 recipes-kernel/linux/cip-kernel-config.inc | 12 ++++++++++--
 recipes-kernel/linux/linux-cip-common.inc  |  3 ---
 11 files changed, 10 insertions(+), 15 deletions(-)

diff --git a/conf/machine/bbb.conf b/conf/machine/bbb.conf
index cd1e09be..40af2dc0 100644
--- a/conf/machine/bbb.conf
+++ b/conf/machine/bbb.conf
@@ -14,7 +14,6 @@ IMAGER_INSTALL:wic += "u-boot-bbb ${SYSTEMD_BOOTLOADER_INSTALL}"
 IMAGER_BUILD_DEPS += "u-boot-bbb"
 
 USE_CIP_KERNEL_CONFIG = "1"
-KERNEL_DEFCONFIG = "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/arm/cip_merged_defconfig"
 
 # for SWUpdate setups: watchdog is configured in U-Boot
 WDOG_TIMEOUT = "0"
diff --git a/conf/machine/hihope-rzg2m.conf b/conf/machine/hihope-rzg2m.conf
index 485683b2..a09e4a71 100644
--- a/conf/machine/hihope-rzg2m.conf
+++ b/conf/machine/hihope-rzg2m.conf
@@ -13,7 +13,6 @@ DISTRO_ARCH = "arm64"
 
 IMAGE_FSTYPES ?= "wic"
 
-KERNEL_DEFCONFIG = "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/arm64/cip_merged_defconfig"
 USE_CIP_KERNEL_CONFIG = "1"
 DTB_FILES = "r8a774a1-hihope-rzg2m-ex.dtb"
 IMAGE_BOOT_FILES = "${KERNEL_IMAGE} ${DTB_FILES}"
diff --git a/conf/machine/iwg20m.conf b/conf/machine/iwg20m.conf
index a5b2ecd3..ace7b9ac 100644
--- a/conf/machine/iwg20m.conf
+++ b/conf/machine/iwg20m.conf
@@ -16,7 +16,6 @@ BAUDRATE_TTY = "115200"
 
 # Setting for kernel and boot
 USE_CIP_KERNEL_CONFIG = "1"
-KERNEL_DEFCONFIG = "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/arm/cip_merged_defconfig"
 DTB_FILES = "r8a7743-iwg20d-q7-dbcm-ca.dtb"
 KERNEL_IMAGE="zImage"
 IMAGE_BOOT_FILES = "${KERNEL_IMAGE} ${DTB_FILES}"
diff --git a/conf/machine/qemu-amd64.conf b/conf/machine/qemu-amd64.conf
index 7db2a9db..d8f5453c 100644
--- a/conf/machine/qemu-amd64.conf
+++ b/conf/machine/qemu-amd64.conf
@@ -10,6 +10,5 @@ DISTRO_ARCH = "amd64"
 
 IMAGE_FSTYPES ?= "ext4"
 USE_CIP_KERNEL_CONFIG = "1"
-KERNEL_DEFCONFIG = "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/x86/cip_merged_defconfig"
 
 PREFERRED_PROVIDER_factory-reset-helper:swupdate = "factory-reset-helper-efi"
diff --git a/conf/machine/qemu-arm.conf b/conf/machine/qemu-arm.conf
index 551494b8..17c01fa6 100644
--- a/conf/machine/qemu-arm.conf
+++ b/conf/machine/qemu-arm.conf
@@ -11,7 +11,6 @@ DISTRO_ARCH = "armhf"
 
 IMAGE_FSTYPES ?= "ext4"
 USE_CIP_KERNEL_CONFIG = "1"
-KERNEL_DEFCONFIG ?= "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/arm/cip_merged_defconfig"
 
 # watchdog is not yet supported in our QEMU executor for this platform, disable it
 WDOG_TIMEOUT = "0"
diff --git a/conf/machine/qemu-arm64.conf b/conf/machine/qemu-arm64.conf
index cd8187b6..3d590e1c 100644
--- a/conf/machine/qemu-arm64.conf
+++ b/conf/machine/qemu-arm64.conf
@@ -12,7 +12,6 @@ IMAGE_FSTYPES ?= "ext4"
 IMAGE_FSTYPES:append:ftpm-stmm = " qemu-emmc"
 
 USE_CIP_KERNEL_CONFIG = "1"
-KERNEL_DEFCONFIG ?= "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/arm64/cip_merged_defconfig"
 
 # watchdog is not yet supported in our QEMU executor for this platform, disable it
 WDOG_TIMEOUT = "0"
diff --git a/conf/machine/qemu-riscv64.conf b/conf/machine/qemu-riscv64.conf
index 5d45c0ec..281c4249 100644
--- a/conf/machine/qemu-riscv64.conf
+++ b/conf/machine/qemu-riscv64.conf
@@ -14,7 +14,5 @@ DISTRO_ARCH = "riscv64"
 IMAGE_FSTYPES ?= "ext4"
 USE_CIP_KERNEL_CONFIG = "1"
 
-KERNEL_DEFCONFIG ?= "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/riscv/cip_merged_defconfig"
-
 # watchdog is not yet supported in our QEMU executor for this platform, disable it
 WDOG_TIMEOUT = "0"
diff --git a/conf/machine/ti-am62px-sk.conf b/conf/machine/ti-am62px-sk.conf
index bf3cf9ab..beabac9e 100644
--- a/conf/machine/ti-am62px-sk.conf
+++ b/conf/machine/ti-am62px-sk.conf
@@ -23,6 +23,5 @@ IMAGE_BOOT_FILES = " \
     /usr/lib/u-boot/${MACHINE}/tiboot3-am62px-hs-fs-evm.bin;tiboot3.bin"
 
 USE_CIP_KERNEL_CONFIG = "1"
-KERNEL_DEFCONFIG = "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/arm64/cip_merged_defconfig"
 
 WDOG_TIMEOUT = "0"
diff --git a/conf/machine/x86-uefi.conf b/conf/machine/x86-uefi.conf
index 28ef245f..6bb607a9 100644
--- a/conf/machine/x86-uefi.conf
+++ b/conf/machine/x86-uefi.conf
@@ -12,6 +12,5 @@ IMAGE_FSTYPES ?= "wic"
 WKS_FILE ?= "x86_64-generic.wks"
 IMAGER_INSTALL:wic += "${GRUB_BOOTLOADER_INSTALL}"
 USE_CIP_KERNEL_CONFIG = "1"
-KERNEL_DEFCONFIG = "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/x86/cip_merged_defconfig"
 
 PREFERRED_PROVIDER_factory-reset-helper = "factory-reset-helper-efi"
diff --git a/recipes-kernel/linux/cip-kernel-config.inc b/recipes-kernel/linux/cip-kernel-config.inc
index e944a128..407404ed 100644
--- a/recipes-kernel/linux/cip-kernel-config.inc
+++ b/recipes-kernel/linux/cip-kernel-config.inc
@@ -12,11 +12,19 @@
 SRC_URI:append = " ${@ \
     'git://gitlab.com/cip-project/cip-kernel/cip-kernel-config.git;protocol=https;branch=master;destsuffix=cip-kernel-config;name=cip-kernel-config \
     file://no-tpm-hwrng.cfg' \
-    if d.getVar('USE_CIP_KERNEL_CONFIG') == '1' else '' \
+    if bb.utils.to_boolean(d.getVar('USE_CIP_KERNEL_CONFIG')) else '' \
     }"
 
 SRCREV_cip-kernel-config ?= "ba0204aa6c1c5a41dcb4fa1087b5ef5dd3ebf81f"
 
 do_fetch[vardeps] += "SRCREV_cip-kernel-config"
 
-KBUILD_DEPENDS:append = "${@', lzop, lz4' if d.getVar('USE_CIP_KERNEL_CONFIG') == '1' else ''}"
+KERNEL_DEFCONFIG_VERSION ?= "${KERNEL_MAJOR_MINOR}.y-cip"
+KERNEL_DEFCONFIG ?= "${@ \
+    'cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/${KERNEL_ARCH}/cip_merged_defconfig' \
+    if bb.utils.to_boolean(d.getVar('USE_CIP_KERNEL_CONFIG')) else \
+    '${MACHINE}_defconfig'}"
+
+KBUILD_DEPENDS:append = "${@ \
+    ', lzop, lz4' \
+    if bb.utils.to_boolean(d.getVar('USE_CIP_KERNEL_CONFIG')) else ''}"
diff --git a/recipes-kernel/linux/linux-cip-common.inc b/recipes-kernel/linux/linux-cip-common.inc
index aa625674..8200c617 100644
--- a/recipes-kernel/linux/linux-cip-common.inc
+++ b/recipes-kernel/linux/linux-cip-common.inc
@@ -11,9 +11,6 @@
 
 FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/files:"
 
-KERNEL_DEFCONFIG_VERSION ?= "${KERNEL_MAJOR_MINOR}.y-cip"
-KERNEL_DEFCONFIG ?= "${MACHINE}_defconfig"
-
 require recipes-kernel/linux/linux-custom.inc
 require recipes-kernel/linux/cip-kernel-config.inc
 
-- 
2.51.0

[isar-cip-core][PATCH 5/6] u-boot-ti-am62px-sk: Drop redundant or unused DEBIAN_BUILD_DEPENDS

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

The 2 ssl deps are already added by the common inc, and grub is uneeded.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 recipes-bsp/u-boot/u-boot-ti-am62px-sk_2025.07.bb | 1 -
 1 file changed, 1 deletion(-)

diff --git a/recipes-bsp/u-boot/u-boot-ti-am62px-sk_2025.07.bb b/recipes-bsp/u-boot/u-boot-ti-am62px-sk_2025.07.bb
index fa72054c..b26c089d 100644
--- a/recipes-bsp/u-boot/u-boot-ti-am62px-sk_2025.07.bb
+++ b/recipes-bsp/u-boot/u-boot-ti-am62px-sk_2025.07.bb
@@ -47,7 +47,6 @@ OVERRIDES .= ":ftpm-stmm"
 
 DEPENDS += "trusted-firmware-a-ti-k3 optee-os-ti-k3"
 DEBIAN_BUILD_DEPENDS =. "gcc-arm-linux-gnueabihf, \
-    libssl-dev:native, libssl-dev, grub-common, \
     swig, python3-dev:native, python3-setuptools, python3-pyelftools, \
     python3-jsonschema:native, yamllint:native, \
     trusted-firmware-a-ti-k3, optee-os-ti-k3,"
-- 
2.51.0

[isar-cip-core][PATCH 6/6] ti-am62px-sk: Switch wks files to gpt-hybrid

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

Isar will deprecate the boot-hybrid plugin because native wic supports
this now as well.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 wic/ti-am62px-sk-efibootguard-secureboot.wks.in | 4 ++--
 wic/ti-am62px-sk-efibootguard.wks.in            | 4 ++--
 wic/ti-am62px-sk.wks                            | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/wic/ti-am62px-sk-efibootguard-secureboot.wks.in b/wic/ti-am62px-sk-efibootguard-secureboot.wks.in
index 52fcb091..fb21cd05 100644
--- a/wic/ti-am62px-sk-efibootguard-secureboot.wks.in
+++ b/wic/ti-am62px-sk-efibootguard-secureboot.wks.in
@@ -8,7 +8,7 @@
 #
 
 # Boot partition containing Bootloader binaries
-part /boot/firmware --source bootimg-partition --fstype=vfat --label firmware --active --align 1024 --size 16M --overhead-factor 1 --extra-space 0 --use-uuid --part-type E3C9E316-0B5C-4DB8-817D-F92DF00215AE
+part /boot/firmware --source bootimg-partition --fstype=vfat --label firmware --active --align 1024 --size 16M --overhead-factor 1 --extra-space 0 --use-uuid --part-type E3C9E316-0B5C-4DB8-817D-F92DF00215AE --mbr
 
 include ebg-signed-sysparts.inc
 
@@ -20,4 +20,4 @@ part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}
 part /var --fstype=ext4 --label var --align 1024 --fixed-size 512M --fsuuid 96be3374-4258-11ee-be56-0242ac120002 --uuid 423f0a2e-b9b3-4615-85be-2a4261fa32d9
 ${WIC_HOME_PARTITION}
 
-bootloader --ptable gpt --source hybrid-boot --timeout=0 --append "rootwait rw console=ttyS2,115200n8"
+bootloader --ptable gpt-hybrid --timeout=0 --append "rootwait rw console=ttyS2,115200n8"
diff --git a/wic/ti-am62px-sk-efibootguard.wks.in b/wic/ti-am62px-sk-efibootguard.wks.in
index 100f303b..b6976ee8 100644
--- a/wic/ti-am62px-sk-efibootguard.wks.in
+++ b/wic/ti-am62px-sk-efibootguard.wks.in
@@ -8,7 +8,7 @@
 #
 
 # Boot partition containing Bootloader binaries
-part /boot/firmware --source bootimg-partition --fstype=vfat --label firmware --active --align 1024 --size 16M --overhead-factor 1 --extra-space 0 --use-uuid --part-type E3C9E316-0B5C-4DB8-817D-F92DF00215AE
+part /boot/firmware --source bootimg-partition --fstype=vfat --label firmware --active --align 1024 --size 16M --overhead-factor 1 --extra-space 0 --use-uuid --part-type E3C9E316-0B5C-4DB8-817D-F92DF00215AE --mbr
 
 include ebg-sysparts.inc
 
@@ -20,4 +20,4 @@ part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}
 part /var --fstype=ext4 --label var --align 1024 --fixed-size 512M --fsuuid 96be3374-4258-11ee-be56-0242ac120002 --uuid 423f0a2e-b9b3-4615-85be-2a4261fa32d9 --exclude-path boot/
 ${WIC_HOME_PARTITION}
 
-bootloader --ptable gpt --source hybrid-boot --timeout=0 --append "rootwait rw console=ttyS2,115200n8"
+bootloader --ptable gpt-hybrid --timeout=0 --append "rootwait rw console=ttyS2,115200n8"
diff --git a/wic/ti-am62px-sk.wks b/wic/ti-am62px-sk.wks
index 40214a8f..0d5f114c 100644
--- a/wic/ti-am62px-sk.wks
+++ b/wic/ti-am62px-sk.wks
@@ -7,9 +7,9 @@
 # SPDX-License-Identifier: MIT
 #
 
-part /boot/firmware --source bootimg-partition --fstype=vfat --label firmware --active --align 1024 --size 16M --overhead-factor 1 --extra-space 0 --use-uuid --part-type E3C9E316-0B5C-4DB8-817D-F92DF00215AE
+part /boot/firmware --source bootimg-partition --fstype=vfat --label firmware --active --align 1024 --size 16M --overhead-factor 1 --extra-space 0 --use-uuid --part-type E3C9E316-0B5C-4DB8-817D-F92DF00215AE --mbr
 part /boot --source bootimg-efi-isar --sourceparams "loader=systemd-boot" --label efi --part-type EF00 --align 1024 --use-uuid
 
 part / --source rootfs --fstype ext4 --mkfs-extraopts "-T default" --label platform --align 1024 --use-uuid --exclude-path boot/
 
-bootloader --ptable gpt --source hybrid-boot --timeout=0 --append "rootwait rw"
+bootloader --ptable gpt-hybrid --timeout=0 --append "rootwait rw"
-- 
2.51.0

Re: [isar-cip-core][PATCH 3/6] arm64: Switch to cip_merged_defconfig

[Sai Sree Kartheek Adivi]

On 11/17/25 22:45, Jan Kiszka wrote:
> From: Jan Kiszka <jan.kiszka@siemens.com>
> 
> Allows to use the same kernel for all arm64 targets.
> 
> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
> ---
>   conf/machine/hihope-rzg2m.conf | 4 ++--
>   conf/machine/ti-am62px-sk.conf | 2 +-
>   2 files changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/conf/machine/hihope-rzg2m.conf b/conf/machine/hihope-rzg2m.conf
> index 0b3acf49..485683b2 100644
> --- a/conf/machine/hihope-rzg2m.conf
> +++ b/conf/machine/hihope-rzg2m.conf
> @@ -1,7 +1,7 @@
>   #
>   # CIP Core, generic profile
>   #
> -# Copyright (c) Siemens AG, 2019
> +# Copyright (c) Siemens AG, 2019-2025
>   #
>   # Authors:
>   #  Quirin Gylstorff <quirin.gylstorff@siemens.com>
> @@ -13,7 +13,7 @@ DISTRO_ARCH = "arm64"
>   
>   IMAGE_FSTYPES ?= "wic"
>   
> -KERNEL_DEFCONFIG = "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/arm64/renesas_defconfig"
> +KERNEL_DEFCONFIG = "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/arm64/cip_merged_defconfig"
>   USE_CIP_KERNEL_CONFIG = "1"
>   DTB_FILES = "r8a774a1-hihope-rzg2m-ex.dtb"
>   IMAGE_BOOT_FILES = "${KERNEL_IMAGE} ${DTB_FILES}"
> diff --git a/conf/machine/ti-am62px-sk.conf b/conf/machine/ti-am62px-sk.conf
> index 589f071e..bf3cf9ab 100644
> --- a/conf/machine/ti-am62px-sk.conf
> +++ b/conf/machine/ti-am62px-sk.conf
> @@ -23,6 +23,6 @@ IMAGE_BOOT_FILES = " \
>       /usr/lib/u-boot/${MACHINE}/tiboot3-am62px-hs-fs-evm.bin;tiboot3.bin"
>   
>   USE_CIP_KERNEL_CONFIG = "1"
> -KERNEL_DEFCONFIG = "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/arm64/ti_defconfig"
> +KERNEL_DEFCONFIG = "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/arm64/cip_merged_defconfig"

Jan, I'm seeing a boot issue after this change. The boot stops at 
initramfs with the following log

No tpm device exists or supports pcr_hash 'sha256' or 'ecc' - cannot 
create a encrypted device!

But the tpm2 device is available and the `tpm2 getcap algorithms` 
command confirms that the device supports sha256 and ecc.

It's working with ti_defconfig. So looks like there is some timing issue 
/ race condition when the tpm support is built as inbuilt instead of module.

I'll run some more tests to properly identify the issue and post a fix 
in here or cip-kernel-config repo.

>   
>   WDOG_TIMEOUT = "0"

Re: [isar-cip-core][PATCH 3/6] arm64: Switch to cip_merged_defconfig

[Jan Kiszka]

On 24.11.25 10:31, Sai Sree Kartheek Adivi wrote:
> 
> 
> On 11/17/25 22:45, Jan Kiszka wrote:
>> From: Jan Kiszka <jan.kiszka@siemens.com>
>>
>> Allows to use the same kernel for all arm64 targets.
>>
>> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
>> ---
>>   conf/machine/hihope-rzg2m.conf | 4 ++--
>>   conf/machine/ti-am62px-sk.conf | 2 +-
>>   2 files changed, 3 insertions(+), 3 deletions(-)
>>
>> diff --git a/conf/machine/hihope-rzg2m.conf b/conf/machine/hihope-
>> rzg2m.conf
>> index 0b3acf49..485683b2 100644
>> --- a/conf/machine/hihope-rzg2m.conf
>> +++ b/conf/machine/hihope-rzg2m.conf
>> @@ -1,7 +1,7 @@
>>   #
>>   # CIP Core, generic profile
>>   #
>> -# Copyright (c) Siemens AG, 2019
>> +# Copyright (c) Siemens AG, 2019-2025
>>   #
>>   # Authors:
>>   #  Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> @@ -13,7 +13,7 @@ DISTRO_ARCH = "arm64"
>>     IMAGE_FSTYPES ?= "wic"
>>   -KERNEL_DEFCONFIG = "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/
>> arm64/renesas_defconfig"
>> +KERNEL_DEFCONFIG = "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/
>> arm64/cip_merged_defconfig"
>>   USE_CIP_KERNEL_CONFIG = "1"
>>   DTB_FILES = "r8a774a1-hihope-rzg2m-ex.dtb"
>>   IMAGE_BOOT_FILES = "${KERNEL_IMAGE} ${DTB_FILES}"
>> diff --git a/conf/machine/ti-am62px-sk.conf b/conf/machine/ti-am62px-
>> sk.conf
>> index 589f071e..bf3cf9ab 100644
>> --- a/conf/machine/ti-am62px-sk.conf
>> +++ b/conf/machine/ti-am62px-sk.conf
>> @@ -23,6 +23,6 @@ IMAGE_BOOT_FILES = " \
>>       /usr/lib/u-boot/${MACHINE}/tiboot3-am62px-hs-fs-
>> evm.bin;tiboot3.bin"
>>     USE_CIP_KERNEL_CONFIG = "1"
>> -KERNEL_DEFCONFIG = "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/
>> arm64/ti_defconfig"
>> +KERNEL_DEFCONFIG = "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/
>> arm64/cip_merged_defconfig"
> 
> Jan, I'm seeing a boot issue after this change. The boot stops at
> initramfs with the following log
> 
> No tpm device exists or supports pcr_hash 'sha256' or 'ecc' - cannot
> create a encrypted device!
> 
> But the tpm2 device is available and the `tpm2 getcap algorithms`
> command confirms that the device supports sha256 and ecc.
> 
> It's working with ti_defconfig. So looks like there is some timing
> issue / race condition when the tpm support is built as inbuilt instead
> of module.

And there is no other module missing in the initramfs that might be
built-in with your config? If you re-run the encryption hook manually
from the initramfs later, that will work then?

> 
> I'll run some more tests to properly identify the issue and post a fix
> in here or cip-kernel-config repo.
> 
>>     WDOG_TIMEOUT = "0"
> 

Thanks for reporting. Finding the root cause will be important to avoid
that other users will run into similar issues later on.

Jan

-- 
Siemens AG, Foundational Technologies
Linux Expert Center

Re: [isar-cip-core][PATCH 3/6] arm64: Switch to cip_merged_defconfig

[Sai Sree Kartheek Adivi]

On 11/24/25 15:27, Jan Kiszka wrote:
> On 24.11.25 10:31, Sai Sree Kartheek Adivi wrote:
>>
>>
>> On 11/17/25 22:45, Jan Kiszka wrote:
>>> From: Jan Kiszka <jan.kiszka@siemens.com>
>>>
>>> Allows to use the same kernel for all arm64 targets.
>>>
>>> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
>>> ---
>>>    conf/machine/hihope-rzg2m.conf | 4 ++--
>>>    conf/machine/ti-am62px-sk.conf | 2 +-
>>>    2 files changed, 3 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/conf/machine/hihope-rzg2m.conf b/conf/machine/hihope-
>>> rzg2m.conf
>>> index 0b3acf49..485683b2 100644
>>> --- a/conf/machine/hihope-rzg2m.conf
>>> +++ b/conf/machine/hihope-rzg2m.conf
>>> @@ -1,7 +1,7 @@
>>>    #
>>>    # CIP Core, generic profile
>>>    #
>>> -# Copyright (c) Siemens AG, 2019
>>> +# Copyright (c) Siemens AG, 2019-2025
>>>    #
>>>    # Authors:
>>>    #  Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>> @@ -13,7 +13,7 @@ DISTRO_ARCH = "arm64"
>>>      IMAGE_FSTYPES ?= "wic"
>>>    -KERNEL_DEFCONFIG = "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/
>>> arm64/renesas_defconfig"
>>> +KERNEL_DEFCONFIG = "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/
>>> arm64/cip_merged_defconfig"
>>>    USE_CIP_KERNEL_CONFIG = "1"
>>>    DTB_FILES = "r8a774a1-hihope-rzg2m-ex.dtb"
>>>    IMAGE_BOOT_FILES = "${KERNEL_IMAGE} ${DTB_FILES}"
>>> diff --git a/conf/machine/ti-am62px-sk.conf b/conf/machine/ti-am62px-
>>> sk.conf
>>> index 589f071e..bf3cf9ab 100644
>>> --- a/conf/machine/ti-am62px-sk.conf
>>> +++ b/conf/machine/ti-am62px-sk.conf
>>> @@ -23,6 +23,6 @@ IMAGE_BOOT_FILES = " \
>>>        /usr/lib/u-boot/${MACHINE}/tiboot3-am62px-hs-fs-
>>> evm.bin;tiboot3.bin"
>>>      USE_CIP_KERNEL_CONFIG = "1"
>>> -KERNEL_DEFCONFIG = "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/
>>> arm64/ti_defconfig"
>>> +KERNEL_DEFCONFIG = "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/
>>> arm64/cip_merged_defconfig"
>>
>> Jan, I'm seeing a boot issue after this change. The boot stops at
>> initramfs with the following log
>>
>> No tpm device exists or supports pcr_hash 'sha256' or 'ecc' - cannot
>> create a encrypted device!
>>
>> But the tpm2 device is available and the `tpm2 getcap algorithms`
>> command confirms that the device supports sha256 and ecc.
>>
>> It's working with ti_defconfig. So looks like there is some timing
>> issue / race condition when the tpm support is built as inbuilt instead
>> of module.
> 
> And there is no other module missing in the initramfs that might be
> built-in with your config? If you re-run the encryption hook manually
> from the initramfs later, that will work then?

yes. Once after the boot stops at initramfs with above error, running
`/scripts/local-top/crypt` manually starts encryption without any issues.

> 
>>
>> I'll run some more tests to properly identify the issue and post a fix
>> in here or cip-kernel-config repo.
>>
>>>      WDOG_TIMEOUT = "0"
>>
> 
> Thanks for reporting. Finding the root cause will be important to avoid
> that other users will run into similar issues later on.

Yup, actively working on it.

> 
> Jan
> 

Re: [isar-cip-core][PATCH 3/6] arm64: Switch to cip_merged_defconfig

[Jan Kiszka]

On 24.11.25 11:36, Sai Sree Kartheek Adivi wrote:
> 
> 
> On 11/24/25 15:27, Jan Kiszka wrote:
>> On 24.11.25 10:31, Sai Sree Kartheek Adivi wrote:
>>>
>>>
>>> On 11/17/25 22:45, Jan Kiszka wrote:
>>>> From: Jan Kiszka <jan.kiszka@siemens.com>
>>>>
>>>> Allows to use the same kernel for all arm64 targets.
>>>>
>>>> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
>>>> ---
>>>>    conf/machine/hihope-rzg2m.conf | 4 ++--
>>>>    conf/machine/ti-am62px-sk.conf | 2 +-
>>>>    2 files changed, 3 insertions(+), 3 deletions(-)
>>>>
>>>> diff --git a/conf/machine/hihope-rzg2m.conf b/conf/machine/hihope-
>>>> rzg2m.conf
>>>> index 0b3acf49..485683b2 100644
>>>> --- a/conf/machine/hihope-rzg2m.conf
>>>> +++ b/conf/machine/hihope-rzg2m.conf
>>>> @@ -1,7 +1,7 @@
>>>>    #
>>>>    # CIP Core, generic profile
>>>>    #
>>>> -# Copyright (c) Siemens AG, 2019
>>>> +# Copyright (c) Siemens AG, 2019-2025
>>>>    #
>>>>    # Authors:
>>>>    #  Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>>> @@ -13,7 +13,7 @@ DISTRO_ARCH = "arm64"
>>>>      IMAGE_FSTYPES ?= "wic"
>>>>    -KERNEL_DEFCONFIG = "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/
>>>> arm64/renesas_defconfig"
>>>> +KERNEL_DEFCONFIG = "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/
>>>> arm64/cip_merged_defconfig"
>>>>    USE_CIP_KERNEL_CONFIG = "1"
>>>>    DTB_FILES = "r8a774a1-hihope-rzg2m-ex.dtb"
>>>>    IMAGE_BOOT_FILES = "${KERNEL_IMAGE} ${DTB_FILES}"
>>>> diff --git a/conf/machine/ti-am62px-sk.conf b/conf/machine/ti-am62px-
>>>> sk.conf
>>>> index 589f071e..bf3cf9ab 100644
>>>> --- a/conf/machine/ti-am62px-sk.conf
>>>> +++ b/conf/machine/ti-am62px-sk.conf
>>>> @@ -23,6 +23,6 @@ IMAGE_BOOT_FILES = " \
>>>>        /usr/lib/u-boot/${MACHINE}/tiboot3-am62px-hs-fs-
>>>> evm.bin;tiboot3.bin"
>>>>      USE_CIP_KERNEL_CONFIG = "1"
>>>> -KERNEL_DEFCONFIG = "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/
>>>> arm64/ti_defconfig"
>>>> +KERNEL_DEFCONFIG = "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/
>>>> arm64/cip_merged_defconfig"
>>>
>>> Jan, I'm seeing a boot issue after this change. The boot stops at
>>> initramfs with the following log
>>>
>>> No tpm device exists or supports pcr_hash 'sha256' or 'ecc' - cannot
>>> create a encrypted device!
>>>
>>> But the tpm2 device is available and the `tpm2 getcap algorithms`
>>> command confirms that the device supports sha256 and ecc.
>>>
>>> It's working with ti_defconfig. So looks like there is some timing
>>> issue / race condition when the tpm support is built as inbuilt instead
>>> of module.
>>
>> And there is no other module missing in the initramfs that might be
>> built-in with your config? If you re-run the encryption hook manually
>> from the initramfs later, that will work then?
> 
> yes. Once after the boot stops at initramfs with above error, running
> `/scripts/local-top/crypt` manually starts encryption without any issues.
> 
>>
>>>
>>> I'll run some more tests to properly identify the issue and post a fix
>>> in here or cip-kernel-config repo.
>>>
>>>>      WDOG_TIMEOUT = "0"
>>>
>>
>> Thanks for reporting. Finding the root cause will be important to avoid
>> that other users will run into similar issues later on.
> 
> Yup, actively working on it.
> 

Is initramfs-tee-ftpm-hook included in the build? That is supposed to
wait for the ftpm to appear.

Jan

-- 
Siemens AG, Foundational Technologies
Linux Expert Center

Re: [isar-cip-core][PATCH 3/6] arm64: Switch to cip_merged_defconfig

[Sai Sree Kartheek Adivi]

On 11/24/25 16:35, Jan Kiszka wrote:
> On 24.11.25 11:36, Sai Sree Kartheek Adivi wrote:
>>
>>
>> On 11/24/25 15:27, Jan Kiszka wrote:
>>> On 24.11.25 10:31, Sai Sree Kartheek Adivi wrote:
>>>>
>>>>
>>>> On 11/17/25 22:45, Jan Kiszka wrote:
>>>>> From: Jan Kiszka <jan.kiszka@siemens.com>
>>>>>
>>>>> Allows to use the same kernel for all arm64 targets.
>>>>>
>>>>> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
>>>>> ---
>>>>>     conf/machine/hihope-rzg2m.conf | 4 ++--
>>>>>     conf/machine/ti-am62px-sk.conf | 2 +-
>>>>>     2 files changed, 3 insertions(+), 3 deletions(-)
>>>>>
>>>>> diff --git a/conf/machine/hihope-rzg2m.conf b/conf/machine/hihope-
>>>>> rzg2m.conf
>>>>> index 0b3acf49..485683b2 100644
>>>>> --- a/conf/machine/hihope-rzg2m.conf
>>>>> +++ b/conf/machine/hihope-rzg2m.conf
>>>>> @@ -1,7 +1,7 @@
>>>>>     #
>>>>>     # CIP Core, generic profile
>>>>>     #
>>>>> -# Copyright (c) Siemens AG, 2019
>>>>> +# Copyright (c) Siemens AG, 2019-2025
>>>>>     #
>>>>>     # Authors:
>>>>>     #  Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>>>> @@ -13,7 +13,7 @@ DISTRO_ARCH = "arm64"
>>>>>       IMAGE_FSTYPES ?= "wic"
>>>>>     -KERNEL_DEFCONFIG = "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/
>>>>> arm64/renesas_defconfig"
>>>>> +KERNEL_DEFCONFIG = "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/
>>>>> arm64/cip_merged_defconfig"
>>>>>     USE_CIP_KERNEL_CONFIG = "1"
>>>>>     DTB_FILES = "r8a774a1-hihope-rzg2m-ex.dtb"
>>>>>     IMAGE_BOOT_FILES = "${KERNEL_IMAGE} ${DTB_FILES}"
>>>>> diff --git a/conf/machine/ti-am62px-sk.conf b/conf/machine/ti-am62px-
>>>>> sk.conf
>>>>> index 589f071e..bf3cf9ab 100644
>>>>> --- a/conf/machine/ti-am62px-sk.conf
>>>>> +++ b/conf/machine/ti-am62px-sk.conf
>>>>> @@ -23,6 +23,6 @@ IMAGE_BOOT_FILES = " \
>>>>>         /usr/lib/u-boot/${MACHINE}/tiboot3-am62px-hs-fs-
>>>>> evm.bin;tiboot3.bin"
>>>>>       USE_CIP_KERNEL_CONFIG = "1"
>>>>> -KERNEL_DEFCONFIG = "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/
>>>>> arm64/ti_defconfig"
>>>>> +KERNEL_DEFCONFIG = "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/
>>>>> arm64/cip_merged_defconfig"
>>>>
>>>> Jan, I'm seeing a boot issue after this change. The boot stops at
>>>> initramfs with the following log
>>>>
>>>> No tpm device exists or supports pcr_hash 'sha256' or 'ecc' - cannot
>>>> create a encrypted device!
>>>>
>>>> But the tpm2 device is available and the `tpm2 getcap algorithms`
>>>> command confirms that the device supports sha256 and ecc.
>>>>
>>>> It's working with ti_defconfig. So looks like there is some timing
>>>> issue / race condition when the tpm support is built as inbuilt instead
>>>> of module.
>>>
>>> And there is no other module missing in the initramfs that might be
>>> built-in with your config? If you re-run the encryption hook manually
>>> from the initramfs later, that will work then?
>>
>> yes. Once after the boot stops at initramfs with above error, running
>> `/scripts/local-top/crypt` manually starts encryption without any issues.
>>
>>>
>>>>
>>>> I'll run some more tests to properly identify the issue and post a fix
>>>> in here or cip-kernel-config repo.
>>>>
>>>>>       WDOG_TIMEOUT = "0"
>>>>
>>>
>>> Thanks for reporting. Finding the root cause will be important to avoid
>>> that other users will run into similar issues later on.
>>
>> Yup, actively working on it.
>>
> 
> Is initramfs-tee-ftpm-hook included in the build? That is supposed to
> wait for the ftpm to appear.

Just found out that it's not included in the build. The recipe itself is 
built but the local-top is not added to the SRC_URI.

There are 2 issues.
1. TEE_SUPPLICANT_IN_USERLAND is not set.
2. the initramfs-tee-ftpm-hook recipe has an issue. There is a missing : 
while adding supp-user to the OVERRIDES.

I'll send a patch fixing [1] in sometime. I've sent a PATCH on 
isar-users for [2] but I don't see it on the list. Will try to repost in 
sometime if I still don't find it.

Kartheek

> 
> Jan
> 

Re: [isar-cip-core][PATCH 3/6] arm64: Switch to cip_merged_defconfig

[Jan Kiszka]

On 26.11.25 11:25, Sai Sree Kartheek Adivi wrote:
> 
> 
> On 11/24/25 16:35, Jan Kiszka wrote:
>> On 24.11.25 11:36, Sai Sree Kartheek Adivi wrote:
>>>
>>>
>>> On 11/24/25 15:27, Jan Kiszka wrote:
>>>> On 24.11.25 10:31, Sai Sree Kartheek Adivi wrote:
>>>>>
>>>>>
>>>>> On 11/17/25 22:45, Jan Kiszka wrote:
>>>>>> From: Jan Kiszka <jan.kiszka@siemens.com>
>>>>>>
>>>>>> Allows to use the same kernel for all arm64 targets.
>>>>>>
>>>>>> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
>>>>>> ---
>>>>>>     conf/machine/hihope-rzg2m.conf | 4 ++--
>>>>>>     conf/machine/ti-am62px-sk.conf | 2 +-
>>>>>>     2 files changed, 3 insertions(+), 3 deletions(-)
>>>>>>
>>>>>> diff --git a/conf/machine/hihope-rzg2m.conf b/conf/machine/hihope-
>>>>>> rzg2m.conf
>>>>>> index 0b3acf49..485683b2 100644
>>>>>> --- a/conf/machine/hihope-rzg2m.conf
>>>>>> +++ b/conf/machine/hihope-rzg2m.conf
>>>>>> @@ -1,7 +1,7 @@
>>>>>>     #
>>>>>>     # CIP Core, generic profile
>>>>>>     #
>>>>>> -# Copyright (c) Siemens AG, 2019
>>>>>> +# Copyright (c) Siemens AG, 2019-2025
>>>>>>     #
>>>>>>     # Authors:
>>>>>>     #  Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>>>>> @@ -13,7 +13,7 @@ DISTRO_ARCH = "arm64"
>>>>>>       IMAGE_FSTYPES ?= "wic"
>>>>>>     -KERNEL_DEFCONFIG = "cip-kernel-config/
>>>>>> ${KERNEL_DEFCONFIG_VERSION}/
>>>>>> arm64/renesas_defconfig"
>>>>>> +KERNEL_DEFCONFIG = "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/
>>>>>> arm64/cip_merged_defconfig"
>>>>>>     USE_CIP_KERNEL_CONFIG = "1"
>>>>>>     DTB_FILES = "r8a774a1-hihope-rzg2m-ex.dtb"
>>>>>>     IMAGE_BOOT_FILES = "${KERNEL_IMAGE} ${DTB_FILES}"
>>>>>> diff --git a/conf/machine/ti-am62px-sk.conf b/conf/machine/ti-am62px-
>>>>>> sk.conf
>>>>>> index 589f071e..bf3cf9ab 100644
>>>>>> --- a/conf/machine/ti-am62px-sk.conf
>>>>>> +++ b/conf/machine/ti-am62px-sk.conf
>>>>>> @@ -23,6 +23,6 @@ IMAGE_BOOT_FILES = " \
>>>>>>         /usr/lib/u-boot/${MACHINE}/tiboot3-am62px-hs-fs-
>>>>>> evm.bin;tiboot3.bin"
>>>>>>       USE_CIP_KERNEL_CONFIG = "1"
>>>>>> -KERNEL_DEFCONFIG = "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/
>>>>>> arm64/ti_defconfig"
>>>>>> +KERNEL_DEFCONFIG = "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/
>>>>>> arm64/cip_merged_defconfig"
>>>>>
>>>>> Jan, I'm seeing a boot issue after this change. The boot stops at
>>>>> initramfs with the following log
>>>>>
>>>>> No tpm device exists or supports pcr_hash 'sha256' or 'ecc' - cannot
>>>>> create a encrypted device!
>>>>>
>>>>> But the tpm2 device is available and the `tpm2 getcap algorithms`
>>>>> command confirms that the device supports sha256 and ecc.
>>>>>
>>>>> It's working with ti_defconfig. So looks like there is some timing
>>>>> issue / race condition when the tpm support is built as inbuilt
>>>>> instead
>>>>> of module.
>>>>
>>>> And there is no other module missing in the initramfs that might be
>>>> built-in with your config? If you re-run the encryption hook manually
>>>> from the initramfs later, that will work then?
>>>
>>> yes. Once after the boot stops at initramfs with above error, running
>>> `/scripts/local-top/crypt` manually starts encryption without any
>>> issues.
>>>
>>>>
>>>>>
>>>>> I'll run some more tests to properly identify the issue and post a fix
>>>>> in here or cip-kernel-config repo.
>>>>>
>>>>>>       WDOG_TIMEOUT = "0"
>>>>>
>>>>
>>>> Thanks for reporting. Finding the root cause will be important to avoid
>>>> that other users will run into similar issues later on.
>>>
>>> Yup, actively working on it.
>>>
>>
>> Is initramfs-tee-ftpm-hook included in the build? That is supposed to
>> wait for the ftpm to appear.
> 
> Just found out that it's not included in the build. The recipe itself is
> built but the local-top is not added to the SRC_URI.
> 
> There are 2 issues.
> 1. TEE_SUPPLICANT_IN_USERLAND is not set.
> 2. the initramfs-tee-ftpm-hook recipe has an issue. There is a missing :
> while adding supp-user to the OVERRIDES.
> 
> I'll send a patch fixing [1] in sometime. I've sent a PATCH on isar-
> users for [2] but I don't see it on the list. Will try to repost in
> sometime if I still don't find it.

I had a look at the config diff again but still didn't spot anything
that could explain the different behavior. Fact is that the userland
supplicant should no longer be used - pulling it in is likely only
papering over the underlying synchronization issue we may still have.

Did you also try with just the initramfs-tee-ftpm-hook of isar fixed
while keeping TEE_SUPPLICANT_IN_USERLAND = "0"? If that still causes
issues on your board, maybe you could add "set -x" to
isar/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/local-top and
also to recipes-initramfs/initramfs-crypt-hook/files/local-top-complete
and share a boot log. I hope that this will tell us more about what is
going on.

Jan

-- 
Siemens AG, Foundational Technologies
Linux Expert Center

Re: [isar-cip-core][PATCH 3/6] arm64: Switch to cip_merged_defconfig

[Jan Kiszka]

On 27.11.25 14:37, Jan Kiszka wrote:
> On 26.11.25 11:25, Sai Sree Kartheek Adivi wrote:
>>
>>
>> On 11/24/25 16:35, Jan Kiszka wrote:
>>> On 24.11.25 11:36, Sai Sree Kartheek Adivi wrote:
>>>>
>>>>
>>>> On 11/24/25 15:27, Jan Kiszka wrote:
>>>>> On 24.11.25 10:31, Sai Sree Kartheek Adivi wrote:
>>>>>>
>>>>>>
>>>>>> On 11/17/25 22:45, Jan Kiszka wrote:
>>>>>>> From: Jan Kiszka <jan.kiszka@siemens.com>
>>>>>>>
>>>>>>> Allows to use the same kernel for all arm64 targets.
>>>>>>>
>>>>>>> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
>>>>>>> ---
>>>>>>>     conf/machine/hihope-rzg2m.conf | 4 ++--
>>>>>>>     conf/machine/ti-am62px-sk.conf | 2 +-
>>>>>>>     2 files changed, 3 insertions(+), 3 deletions(-)
>>>>>>>
>>>>>>> diff --git a/conf/machine/hihope-rzg2m.conf b/conf/machine/hihope-
>>>>>>> rzg2m.conf
>>>>>>> index 0b3acf49..485683b2 100644
>>>>>>> --- a/conf/machine/hihope-rzg2m.conf
>>>>>>> +++ b/conf/machine/hihope-rzg2m.conf
>>>>>>> @@ -1,7 +1,7 @@
>>>>>>>     #
>>>>>>>     # CIP Core, generic profile
>>>>>>>     #
>>>>>>> -# Copyright (c) Siemens AG, 2019
>>>>>>> +# Copyright (c) Siemens AG, 2019-2025
>>>>>>>     #
>>>>>>>     # Authors:
>>>>>>>     #  Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>>>>>> @@ -13,7 +13,7 @@ DISTRO_ARCH = "arm64"
>>>>>>>       IMAGE_FSTYPES ?= "wic"
>>>>>>>     -KERNEL_DEFCONFIG = "cip-kernel-config/
>>>>>>> ${KERNEL_DEFCONFIG_VERSION}/
>>>>>>> arm64/renesas_defconfig"
>>>>>>> +KERNEL_DEFCONFIG = "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/
>>>>>>> arm64/cip_merged_defconfig"
>>>>>>>     USE_CIP_KERNEL_CONFIG = "1"
>>>>>>>     DTB_FILES = "r8a774a1-hihope-rzg2m-ex.dtb"
>>>>>>>     IMAGE_BOOT_FILES = "${KERNEL_IMAGE} ${DTB_FILES}"
>>>>>>> diff --git a/conf/machine/ti-am62px-sk.conf b/conf/machine/ti-am62px-
>>>>>>> sk.conf
>>>>>>> index 589f071e..bf3cf9ab 100644
>>>>>>> --- a/conf/machine/ti-am62px-sk.conf
>>>>>>> +++ b/conf/machine/ti-am62px-sk.conf
>>>>>>> @@ -23,6 +23,6 @@ IMAGE_BOOT_FILES = " \
>>>>>>>         /usr/lib/u-boot/${MACHINE}/tiboot3-am62px-hs-fs-
>>>>>>> evm.bin;tiboot3.bin"
>>>>>>>       USE_CIP_KERNEL_CONFIG = "1"
>>>>>>> -KERNEL_DEFCONFIG = "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/
>>>>>>> arm64/ti_defconfig"
>>>>>>> +KERNEL_DEFCONFIG = "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/
>>>>>>> arm64/cip_merged_defconfig"
>>>>>>
>>>>>> Jan, I'm seeing a boot issue after this change. The boot stops at
>>>>>> initramfs with the following log
>>>>>>
>>>>>> No tpm device exists or supports pcr_hash 'sha256' or 'ecc' - cannot
>>>>>> create a encrypted device!
>>>>>>
>>>>>> But the tpm2 device is available and the `tpm2 getcap algorithms`
>>>>>> command confirms that the device supports sha256 and ecc.
>>>>>>
>>>>>> It's working with ti_defconfig. So looks like there is some timing
>>>>>> issue / race condition when the tpm support is built as inbuilt
>>>>>> instead
>>>>>> of module.
>>>>>
>>>>> And there is no other module missing in the initramfs that might be
>>>>> built-in with your config? If you re-run the encryption hook manually
>>>>> from the initramfs later, that will work then?
>>>>
>>>> yes. Once after the boot stops at initramfs with above error, running
>>>> `/scripts/local-top/crypt` manually starts encryption without any
>>>> issues.
>>>>
>>>>>
>>>>>>
>>>>>> I'll run some more tests to properly identify the issue and post a fix
>>>>>> in here or cip-kernel-config repo.
>>>>>>
>>>>>>>       WDOG_TIMEOUT = "0"
>>>>>>
>>>>>
>>>>> Thanks for reporting. Finding the root cause will be important to avoid
>>>>> that other users will run into similar issues later on.
>>>>
>>>> Yup, actively working on it.
>>>>
>>>
>>> Is initramfs-tee-ftpm-hook included in the build? That is supposed to
>>> wait for the ftpm to appear.
>>
>> Just found out that it's not included in the build. The recipe itself is
>> built but the local-top is not added to the SRC_URI.
>>
>> There are 2 issues.
>> 1. TEE_SUPPLICANT_IN_USERLAND is not set.
>> 2. the initramfs-tee-ftpm-hook recipe has an issue. There is a missing :
>> while adding supp-user to the OVERRIDES.
>>
>> I'll send a patch fixing [1] in sometime. I've sent a PATCH on isar-
>> users for [2] but I don't see it on the list. Will try to repost in
>> sometime if I still don't find it.
> 
> I had a look at the config diff again but still didn't spot anything
> that could explain the different behavior. Fact is that the userland
> supplicant should no longer be used - pulling it in is likely only
> papering over the underlying synchronization issue we may still have.
> 
> Did you also try with just the initramfs-tee-ftpm-hook of isar fixed
> while keeping TEE_SUPPLICANT_IN_USERLAND = "0"? If that still causes
> issues on your board, maybe you could add "set -x" to
> isar/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/local-top and
> also to recipes-initramfs/initramfs-crypt-hook/files/local-top-complete
> and share a boot log. I hope that this will tell us more about what is
> going on.
> 

Now I recall:

https://github.com/ilbers/isar/commit/a1893507e495710297a2749efa3b2cb05e4f2881

There is no waiting for some tpm device anymore. I was assuming that 
this device node appears magically in time when the in-kernel supplicant 
is used. But I was likely misguided by the timing I saw inside qemu.

If you roll this isar commit back, then things should work with in-
kernel supplicant as well. Please confirm, then I will provide some 
upstream patch which also updates the comments in the local-top file.

Well, this kind makes sense because we also need just polling loops when 
waiting on partitions to appear before decrypting or mounting them - 
same reason, I guess: The storage device has to be probed first. And the 
RPMB is attached to the same device, so it does not matter if we are 
waiting for an in-kernel or a userland supplicant, both also need to 
wait for the eMMC.

Jan

-- 
Siemens AG, Foundational Technologies
Linux Expert Center

Re: [isar-cip-core][PATCH 3/6] arm64: Switch to cip_merged_defconfig

[Sai Sree Kartheek Adivi]

On 27/11/25 20:05, Jan Kiszka wrote:
> On 27.11.25 14:37, Jan Kiszka wrote:
>> On 26.11.25 11:25, Sai Sree Kartheek Adivi wrote:
>>>
>>> On 11/24/25 16:35, Jan Kiszka wrote:
>>>> On 24.11.25 11:36, Sai Sree Kartheek Adivi wrote:
>>>>>
>>>>> On 11/24/25 15:27, Jan Kiszka wrote:
>>>>>> On 24.11.25 10:31, Sai Sree Kartheek Adivi wrote:
>>>>>>>
>>>>>>> On 11/17/25 22:45, Jan Kiszka wrote:
>>>>>>>> From: Jan Kiszka <jan.kiszka@siemens.com>
>>>>>>>>
>>>>>>>> Allows to use the same kernel for all arm64 targets.
>>>>>>>>
>>>>>>>> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
>>>>>>>> ---
>>>>>>>>      conf/machine/hihope-rzg2m.conf | 4 ++--
>>>>>>>>      conf/machine/ti-am62px-sk.conf | 2 +-
>>>>>>>>      2 files changed, 3 insertions(+), 3 deletions(-)
>>>>>>>>
>>>>>>>> diff --git a/conf/machine/hihope-rzg2m.conf b/conf/machine/hihope-
>>>>>>>> rzg2m.conf
>>>>>>>> index 0b3acf49..485683b2 100644
>>>>>>>> --- a/conf/machine/hihope-rzg2m.conf
>>>>>>>> +++ b/conf/machine/hihope-rzg2m.conf
>>>>>>>> @@ -1,7 +1,7 @@
>>>>>>>>      #
>>>>>>>>      # CIP Core, generic profile
>>>>>>>>      #
>>>>>>>> -# Copyright (c) Siemens AG, 2019
>>>>>>>> +# Copyright (c) Siemens AG, 2019-2025
>>>>>>>>      #
>>>>>>>>      # Authors:
>>>>>>>>      #  Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>>>>>>> @@ -13,7 +13,7 @@ DISTRO_ARCH = "arm64"
>>>>>>>>        IMAGE_FSTYPES ?= "wic"
>>>>>>>>      -KERNEL_DEFCONFIG = "cip-kernel-config/
>>>>>>>> ${KERNEL_DEFCONFIG_VERSION}/
>>>>>>>> arm64/renesas_defconfig"
>>>>>>>> +KERNEL_DEFCONFIG = "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/
>>>>>>>> arm64/cip_merged_defconfig"
>>>>>>>>      USE_CIP_KERNEL_CONFIG = "1"
>>>>>>>>      DTB_FILES = "r8a774a1-hihope-rzg2m-ex.dtb"
>>>>>>>>      IMAGE_BOOT_FILES = "${KERNEL_IMAGE} ${DTB_FILES}"
>>>>>>>> diff --git a/conf/machine/ti-am62px-sk.conf b/conf/machine/ti-am62px-
>>>>>>>> sk.conf
>>>>>>>> index 589f071e..bf3cf9ab 100644
>>>>>>>> --- a/conf/machine/ti-am62px-sk.conf
>>>>>>>> +++ b/conf/machine/ti-am62px-sk.conf
>>>>>>>> @@ -23,6 +23,6 @@ IMAGE_BOOT_FILES = " \
>>>>>>>>          /usr/lib/u-boot/${MACHINE}/tiboot3-am62px-hs-fs-
>>>>>>>> evm.bin;tiboot3.bin"
>>>>>>>>        USE_CIP_KERNEL_CONFIG = "1"
>>>>>>>> -KERNEL_DEFCONFIG = "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/
>>>>>>>> arm64/ti_defconfig"
>>>>>>>> +KERNEL_DEFCONFIG = "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/
>>>>>>>> arm64/cip_merged_defconfig"
>>>>>>> Jan, I'm seeing a boot issue after this change. The boot stops at
>>>>>>> initramfs with the following log
>>>>>>>
>>>>>>> No tpm device exists or supports pcr_hash 'sha256' or 'ecc' - cannot
>>>>>>> create a encrypted device!
>>>>>>>
>>>>>>> But the tpm2 device is available and the `tpm2 getcap algorithms`
>>>>>>> command confirms that the device supports sha256 and ecc.
>>>>>>>
>>>>>>> It's working with ti_defconfig. So looks like there is some timing
>>>>>>> issue / race condition when the tpm support is built as inbuilt
>>>>>>> instead
>>>>>>> of module.
>>>>>> And there is no other module missing in the initramfs that might be
>>>>>> built-in with your config? If you re-run the encryption hook manually
>>>>>> from the initramfs later, that will work then?
>>>>> yes. Once after the boot stops at initramfs with above error, running
>>>>> `/scripts/local-top/crypt` manually starts encryption without any
>>>>> issues.
>>>>>
>>>>>>> I'll run some more tests to properly identify the issue and post a fix
>>>>>>> in here or cip-kernel-config repo.
>>>>>>>
>>>>>>>>        WDOG_TIMEOUT = "0"
>>>>>> Thanks for reporting. Finding the root cause will be important to avoid
>>>>>> that other users will run into similar issues later on.
>>>>> Yup, actively working on it.
>>>>>
>>>> Is initramfs-tee-ftpm-hook included in the build? That is supposed to
>>>> wait for the ftpm to appear.
>>> Just found out that it's not included in the build. The recipe itself is
>>> built but the local-top is not added to the SRC_URI.
>>>
>>> There are 2 issues.
>>> 1. TEE_SUPPLICANT_IN_USERLAND is not set.
>>> 2. the initramfs-tee-ftpm-hook recipe has an issue. There is a missing :
>>> while adding supp-user to the OVERRIDES.
>>>
>>> I'll send a patch fixing [1] in sometime. I've sent a PATCH on isar-
>>> users for [2] but I don't see it on the list. Will try to repost in
>>> sometime if I still don't find it.
>> I had a look at the config diff again but still didn't spot anything
>> that could explain the different behavior. Fact is that the userland
>> supplicant should no longer be used - pulling it in is likely only
>> papering over the underlying synchronization issue we may still have.
>>
>> Did you also try with just the initramfs-tee-ftpm-hook of isar fixed
>> while keeping TEE_SUPPLICANT_IN_USERLAND = "0"? If that still causes
>> issues on your board, maybe you could add "set -x" to
>> isar/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/local-top and
>> also to recipes-initramfs/initramfs-crypt-hook/files/local-top-complete
>> and share a boot log. I hope that this will tell us more about what is
>> going on.
>>
> Now I recall:
>
> https://github.com/ilbers/isar/commit/a1893507e495710297a2749efa3b2cb05e4f2881
>
> There is no waiting for some tpm device anymore. I was assuming that
> this device node appears magically in time when the in-kernel supplicant
> is used. But I was likely misguided by the timing I saw inside qemu.
>
> If you roll this isar commit back, then things should work with in-
> kernel supplicant as well. Please confirm, then I will provide some
> upstream patch which also updates the comments in the local-top file.
>
> Well, this kind makes sense because we also need just polling loops when
> waiting on partitions to appear before decrypting or mounting them -
> same reason, I guess: The storage device has to be probed first. And the
> RPMB is attached to the same device, so it does not matter if we are
> waiting for an in-kernel or a userland supplicant, both also need to
> wait for the eMMC.

[1] on isar worked. Thanks for the patch Jan.

[1] - https://groups.google.com/g/isar-users/c/sVJxkjDm6Uc

> Jan
>

Re: [isar-cip-core][PATCH 3/6] arm64: Switch to cip_merged_defconfig

[Jan Kiszka]

On 02.12.25 07:58, Sai Sree Kartheek Adivi wrote:
> 
> On 27/11/25 20:05, Jan Kiszka wrote:
>> On 27.11.25 14:37, Jan Kiszka wrote:
>>> On 26.11.25 11:25, Sai Sree Kartheek Adivi wrote:
>>>>
>>>> On 11/24/25 16:35, Jan Kiszka wrote:
>>>>> On 24.11.25 11:36, Sai Sree Kartheek Adivi wrote:
>>>>>>
>>>>>> On 11/24/25 15:27, Jan Kiszka wrote:
>>>>>>> On 24.11.25 10:31, Sai Sree Kartheek Adivi wrote:
>>>>>>>>
>>>>>>>> On 11/17/25 22:45, Jan Kiszka wrote:
>>>>>>>>> From: Jan Kiszka <jan.kiszka@siemens.com>
>>>>>>>>>
>>>>>>>>> Allows to use the same kernel for all arm64 targets.
>>>>>>>>>
>>>>>>>>> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
>>>>>>>>> ---
>>>>>>>>>      conf/machine/hihope-rzg2m.conf | 4 ++--
>>>>>>>>>      conf/machine/ti-am62px-sk.conf | 2 +-
>>>>>>>>>      2 files changed, 3 insertions(+), 3 deletions(-)
>>>>>>>>>
>>>>>>>>> diff --git a/conf/machine/hihope-rzg2m.conf b/conf/machine/hihope-
>>>>>>>>> rzg2m.conf
>>>>>>>>> index 0b3acf49..485683b2 100644
>>>>>>>>> --- a/conf/machine/hihope-rzg2m.conf
>>>>>>>>> +++ b/conf/machine/hihope-rzg2m.conf
>>>>>>>>> @@ -1,7 +1,7 @@
>>>>>>>>>      #
>>>>>>>>>      # CIP Core, generic profile
>>>>>>>>>      #
>>>>>>>>> -# Copyright (c) Siemens AG, 2019
>>>>>>>>> +# Copyright (c) Siemens AG, 2019-2025
>>>>>>>>>      #
>>>>>>>>>      # Authors:
>>>>>>>>>      #  Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>>>>>>>> @@ -13,7 +13,7 @@ DISTRO_ARCH = "arm64"
>>>>>>>>>        IMAGE_FSTYPES ?= "wic"
>>>>>>>>>      -KERNEL_DEFCONFIG = "cip-kernel-config/
>>>>>>>>> ${KERNEL_DEFCONFIG_VERSION}/
>>>>>>>>> arm64/renesas_defconfig"
>>>>>>>>> +KERNEL_DEFCONFIG = "cip-kernel-config/
>>>>>>>>> ${KERNEL_DEFCONFIG_VERSION}/
>>>>>>>>> arm64/cip_merged_defconfig"
>>>>>>>>>      USE_CIP_KERNEL_CONFIG = "1"
>>>>>>>>>      DTB_FILES = "r8a774a1-hihope-rzg2m-ex.dtb"
>>>>>>>>>      IMAGE_BOOT_FILES = "${KERNEL_IMAGE} ${DTB_FILES}"
>>>>>>>>> diff --git a/conf/machine/ti-am62px-sk.conf b/conf/machine/ti-
>>>>>>>>> am62px-
>>>>>>>>> sk.conf
>>>>>>>>> index 589f071e..bf3cf9ab 100644
>>>>>>>>> --- a/conf/machine/ti-am62px-sk.conf
>>>>>>>>> +++ b/conf/machine/ti-am62px-sk.conf
>>>>>>>>> @@ -23,6 +23,6 @@ IMAGE_BOOT_FILES = " \
>>>>>>>>>          /usr/lib/u-boot/${MACHINE}/tiboot3-am62px-hs-fs-
>>>>>>>>> evm.bin;tiboot3.bin"
>>>>>>>>>        USE_CIP_KERNEL_CONFIG = "1"
>>>>>>>>> -KERNEL_DEFCONFIG = "cip-kernel-config/
>>>>>>>>> ${KERNEL_DEFCONFIG_VERSION}/
>>>>>>>>> arm64/ti_defconfig"
>>>>>>>>> +KERNEL_DEFCONFIG = "cip-kernel-config/
>>>>>>>>> ${KERNEL_DEFCONFIG_VERSION}/
>>>>>>>>> arm64/cip_merged_defconfig"
>>>>>>>> Jan, I'm seeing a boot issue after this change. The boot stops at
>>>>>>>> initramfs with the following log
>>>>>>>>
>>>>>>>> No tpm device exists or supports pcr_hash 'sha256' or 'ecc' -
>>>>>>>> cannot
>>>>>>>> create a encrypted device!
>>>>>>>>
>>>>>>>> But the tpm2 device is available and the `tpm2 getcap algorithms`
>>>>>>>> command confirms that the device supports sha256 and ecc.
>>>>>>>>
>>>>>>>> It's working with ti_defconfig. So looks like there is some timing
>>>>>>>> issue / race condition when the tpm support is built as inbuilt
>>>>>>>> instead
>>>>>>>> of module.
>>>>>>> And there is no other module missing in the initramfs that might be
>>>>>>> built-in with your config? If you re-run the encryption hook
>>>>>>> manually
>>>>>>> from the initramfs later, that will work then?
>>>>>> yes. Once after the boot stops at initramfs with above error, running
>>>>>> `/scripts/local-top/crypt` manually starts encryption without any
>>>>>> issues.
>>>>>>
>>>>>>>> I'll run some more tests to properly identify the issue and post
>>>>>>>> a fix
>>>>>>>> in here or cip-kernel-config repo.
>>>>>>>>
>>>>>>>>>        WDOG_TIMEOUT = "0"
>>>>>>> Thanks for reporting. Finding the root cause will be important to
>>>>>>> avoid
>>>>>>> that other users will run into similar issues later on.
>>>>>> Yup, actively working on it.
>>>>>>
>>>>> Is initramfs-tee-ftpm-hook included in the build? That is supposed to
>>>>> wait for the ftpm to appear.
>>>> Just found out that it's not included in the build. The recipe
>>>> itself is
>>>> built but the local-top is not added to the SRC_URI.
>>>>
>>>> There are 2 issues.
>>>> 1. TEE_SUPPLICANT_IN_USERLAND is not set.
>>>> 2. the initramfs-tee-ftpm-hook recipe has an issue. There is a
>>>> missing :
>>>> while adding supp-user to the OVERRIDES.
>>>>
>>>> I'll send a patch fixing [1] in sometime. I've sent a PATCH on isar-
>>>> users for [2] but I don't see it on the list. Will try to repost in
>>>> sometime if I still don't find it.
>>> I had a look at the config diff again but still didn't spot anything
>>> that could explain the different behavior. Fact is that the userland
>>> supplicant should no longer be used - pulling it in is likely only
>>> papering over the underlying synchronization issue we may still have.
>>>
>>> Did you also try with just the initramfs-tee-ftpm-hook of isar fixed
>>> while keeping TEE_SUPPLICANT_IN_USERLAND = "0"? If that still causes
>>> issues on your board, maybe you could add "set -x" to
>>> isar/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/local-top and
>>> also to recipes-initramfs/initramfs-crypt-hook/files/local-top-complete
>>> and share a boot log. I hope that this will tell us more about what is
>>> going on.
>>>
>> Now I recall:
>>
>> https://github.com/ilbers/isar/commit/
>> a1893507e495710297a2749efa3b2cb05e4f2881
>>
>> There is no waiting for some tpm device anymore. I was assuming that
>> this device node appears magically in time when the in-kernel supplicant
>> is used. But I was likely misguided by the timing I saw inside qemu.
>>
>> If you roll this isar commit back, then things should work with in-
>> kernel supplicant as well. Please confirm, then I will provide some
>> upstream patch which also updates the comments in the local-top file.
>>
>> Well, this kind makes sense because we also need just polling loops when
>> waiting on partitions to appear before decrypting or mounting them -
>> same reason, I guess: The storage device has to be probed first. And the
>> RPMB is attached to the same device, so it does not matter if we are
>> waiting for an in-kernel or a userland supplicant, both also need to
>> wait for the eMMC.
> 
> [1] on isar worked. Thanks for the patch Jan.
> 
> [1] - https://groups.google.com/g/isar-users/c/sVJxkjDm6Uc
> 

Thanks for confirming! It's all in isar-cip-core next as well now.

Jan

-- 
Siemens AG, Foundational Technologies
Linux Expert Center