External Buildroot tree for Tse'na'hale based on stm32mp157f-dk2 from STMicroelectronics

@Xogium Xogium authored on 17 Jul 2022


This is the external Buildroot repository used to build system images and updates for the Tse'na'hale project.

Important notice

The last release of this project to use ATF v2.4, u-boot 2020.10 and kernel 5.10 is 2022-07-13-v5.10-stm32mp. The following releases will use the newest components from ST.

How to migrate

Check out a new release, for example 2022-07-16, proceed through the build steps, then update as follows:

  • Install the rauc bundle
  • Flash the new ATF and FIP onto the SD card, in the partitions labeled fsbl1, fsbl2 and fip respectively. The binaries are located in the images directory.
  • Keep in mind that once you reboot, the older boot slot will no longer be bootable; this is a backward-incompatible switch.


A changelog is available so that users and developers can quickly check what changed between releases.

Sudo, and no root login

This project uses sudo for any administrative tasks the user might wish to perform, and therefore disables the root account entirely. At least one user on the system must be added to the wheel group (see below) for sudo to be usable.

Users table

By default, the project requires you to create a users table to build correctly. This was not included in the external tree, as it is considered sensitive data. For instructions on creating the table, please refer to the Buildroot user manual, chapter 26. Makeusers syntax documentation.

By default the path is set to $(BR2_EXTERNAL_TSENAHALE_PATH)/board/Tsenahale/utilities/users.table.

If you do not want or need a users table, simply modify the defconfig after renaming it, and remove the line defining it.
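Because root is disabled, a users table with no usable wheel member produces an image with no administrative login. The check below is an added example, not part of this project: it reads a table in the makeusers field order from the Buildroot manual and reports clear-text passwords and locked wheel accounts. The function name and the sample accounts are constructed.

```shell
#!/bin/sh
# check_users_table FILE
# Reads a Buildroot makeusers table and prints one finding per line.
# Returns 0 only if some account in wheel can log in.
check_users_table() {
    awk '
    /^[ \t]*(#|$)/ { next }          # comments and blank lines
    NF < 8 { printf "line %d: fewer than 8 fields\n", NR; bad = 1; next }
    {
        user = $1; pw = $5
        # Field 5: "*" or a leading "!" means password login is disabled.
        locked = (pw == "*" || substr(pw, 1, 1) == "!")
        # "=" (or "!=") marks a clear-text password stored in the table.
        if (pw ~ /^!?=/)
            printf "line %d: %s: clear-text password in table\n", NR, user
        if (pw == "-")
            printf "line %d: %s: no password value set\n", NR, user
        # wheel may be the primary group (field 3) or listed in field 8.
        inwheel = ($3 == "wheel")
        n = split($8, g, ",")
        for (i = 1; i <= n; i++) if (g[i] == "wheel") inwheel = 1
        if (inwheel && locked)
            printf "line %d: %s: in wheel but login disabled\n", NR, user
        if (inwheel && !locked) admins++
    }
    END {
        if (admins == 0) { print "no usable account in wheel; sudo unreachable"; bad = 1 }
        exit (bad ? 1 : 0)
    }' "$1"
}

# Constructed sample table; the names and the hash are placeholders.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# username uid group gid password home shell groups comment
alice -1 alice -1 $6$placeholdersalt$placeholderhash /home/alice /bin/sh wheel Admin user
bob -1 bob -1 =changeme /home/bob /bin/sh - Regular user
svc -1 svc -1 * - /bin/false wheel Service account
EOF
check_users_table "$sample" || true
rm -f "$sample"
```

Run it against your own users.table before `make`; a non-zero exit means the resulting image would have no account able to use sudo.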


A list of the hardware parts this project makes use of and how to connect everything together is available at this link.


Building Tse'na'hale is an easy process, though it requires decent hardware.

First install Buildroot's required dependencies. See: The buildroot user manual, chapter 2: System requirements

Then set up the required source code:

mkdir Tsenahale && cd Tsenahale
wget 'https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.7/EasyRSA-3.0.7.tgz'
wget 'https://git.buildroot.net/buildroot/snapshot/buildroot-2022.02.2.tar.gz'
tar -xf EasyRSA-3.0.7.tgz
tar -xf buildroot-2022.02.2.tar.gz
mv EasyRSA-3.0.7 easy-rsa
mv buildroot-2022.02.2 buildroot
git clone 'https://git.xogium.me/git/xogium/buildroot-Tsenahale.git'
export BR2_EXTERNAL="$PWD/buildroot-Tsenahale"
cd buildroot
for p in ../buildroot-Tsenahale/buildroot-patches/*.patch; do patch -p1 < "$p"; done
cd ..

Create keys for RAUC updates:

cd easy-rsa
sed -i "s/extendedKeyUsage/#extendedKeyUsage/g" x509-types/code-signing
./easyrsa init-pki
./easyrsa build-ca
./easyrsa gen-req rauc
./easyrsa sign-req code-signing rauc
cd ..
cat >buildroot-Tsenahale/scripts/certs.sh <<EOF

Build the image:

cd buildroot
make O=output_build tsenahale_defconfig
make O=output_build -j8
cd ..

Installing via dd

For the initial install of Buildroot you'll need to write a full system image to a micro SD.

A 16 GB micro SD card is recommended.

dd if=Tsenahale.img of=/dev/sdX

Replace sdX with the proper device node.

You can use this method to install updates, but it's much slower compared to RAUC.

Updating via RAUC

To update using RAUC you'll need a server to host the files.

In this example I'll be using a web server (www.jookia.org) which serves contents from /var/www/www.jookia.org/.

First, copy RAUC bundles and keys to your server:

ls buildroot/output_build/images/
# Find the file ending in *.raucb
# You can also just flash Phoenix.img using dd but it takes a long time
mv buildroot/output_build/images/bundle-Tsenahale.2022-06-15.raucb /var/www/www.jookia.org/
cp "$PWD/easy-rsa/pki/ca.crt" /var/www/www.jookia.org/
chmod a+r /var/www/www.jookia.org/ca.crt

Install the update on the device from the server:

wget 'https://www.jookia.org/ca.crt'
cp /etc/rauc/keyring.pem{,.bak}
mv ca.crt /etc/rauc/keyring.pem
rauc install https://www.jookia.org/bundle-Tsenahale.2022-06-15.raucb
mv /etc/rauc/keyring.pem{.bak,}
  • Notes:
    • The bundle file name is derived from git describe, and might differ slightly if you use a branch with committed but not yet released work, e.g. bundle-Tsenahale.2020-09-06-18-g3d0589f.raucb.
    • If you have uncommitted work present in your branch, then the file name will have a 'dirty' tag added.
    • If your git index and cache become corrupted for any reason, your bundle will have a 'broken' tag added. This doesn't indicate by any means that your image is broken!

Future updates won't need to copy the keyring; a single 'rauc install' invocation should download and install the image without trouble.
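The keyring swap above makes a file fetched from the web server the device's trust anchor for that install. As an added example (not part of this project's scripts), the helper below replaces the keyring only when ca.crt matches a SHA-256 digest recorded on the build machine, and keeps the previous keyring as a .bak file as in the steps above. The function name and the idea of carrying the digest to the device out of band are assumptions.

```shell
#!/bin/sh
# install_pinned_keyring CA_FILE EXPECTED_SHA256 KEYRING
#   returns 0: keyring replaced, previous one kept as KEYRING.bak
#   returns 1: digest mismatch or unreadable file, keyring left untouched
install_pinned_keyring() {
    ca=$1
    expected=$2
    keyring=$3
    [ -r "$ca" ] || { echo "cannot read $ca" >&2; return 1; }
    # Digest of the exact bytes that were downloaded.
    actual=$(sha256sum "$ca" | cut -d' ' -f1)
    # Accept a pin pasted in upper case.
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" != "$expected" ]; then
        echo "ca.crt digest mismatch: got $actual" >&2
        return 1
    fi
    # Keep the old keyring so it can be restored after the install.
    if [ -e "$keyring" ]; then
        cp -p "$keyring" "$keyring.bak" || return 1
    fi
    # Write beside the target, then rename, so the keyring is never half-written.
    tmp="$keyring.new.$$"
    cp "$ca" "$tmp" && mv "$tmp" "$keyring"
}

# Constructed demo in a scratch directory; the file is not a real certificate.
demo=$(mktemp -d)
printf 'constructed CA placeholder\n' > "$demo/ca.crt"
printf 'old keyring\n' > "$demo/keyring.pem"
pin=$(sha256sum "$demo/ca.crt" | cut -d' ' -f1)
install_pinned_keyring "$demo/ca.crt" "$pin" "$demo/keyring.pem" && echo "keyring updated"
rm -rf "$demo"
```

On the build machine the pin would come from `sha256sum easy-rsa/pki/ca.crt`; on the device, call the function in place of the cp/mv pair and run `rauc install` only if it returns 0.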

You should now be running a system you've just built (check the kernel build date):

uname -a
# Linux Tsenahale 5.10.61 #1 SMP Wed Jun 15 03:28:26 EDT 2022 armv7l GNU/Linux