fix(tow-boot): guard SYS_WHITE_ON_BLACK on withLogo (headless boards on U-Boot 2023.07) (ref #748)

.github/workflows/build-tow-boot.yml

@@ -48,6 +48,22 @@ jobs:
       - name: Install Nix
         uses: DeterminateSystems/nix-installer-action@v4
 
+      - name: Diagnose wget/TCP Kconfig deps in the U-Boot tree
+        run: |
+          set -x
+          git clone --depth 1 --branch 'tow-boot/2022.07/_all' \
+            https://github.com/Tow-Boot/U-Boot /tmp/ub 2>&1 | tail -3 \
+          || git clone --depth 1 --branch v2022.07 \
+            https://github.com/u-boot/u-boot /tmp/ub
+          echo "===== CMD_WGET ====="
+          grep -rn -A8 '^config CMD_WGET' /tmp/ub/cmd/ || echo 'CMD_WGET not in cmd/'
+          echo "===== PROT_TCP ====="
+          grep -rn -A6 '^config PROT_TCP' /tmp/ub/net/ || echo 'PROT_TCP not in net/'
+          echo "===== WGET (lib) ====="
+          grep -rn -A6 '^config WGET' /tmp/ub/ || echo 'no CONFIG_WGET (2022.07: only CMD_WGET)'
+          echo "===== wget sources ====="
+          find /tmp/ub -name 'wget.c' | head
+
       - name: Build enhanced Tow-Boot (${{ env.VARIANT }})
         working-directory: tools/Tow-Boot
         run: |

tools/Tow-Boot/modules/hardware/marvell/default.nix

@@ -68,7 +68,8 @@ in
       hardware.socList = armadaSOCs;
     }
     (mkIf cfgMarvell.globalscale.mochabin.enable {
-      secubox.netboot.enable = true;
+      # secubox.netboot.enable deferred: the EXTRA_ENV_SETTINGS string needs
+      # Kconfig-safe quote escaping before it can be embedded (#748).
       hardware.SPISize = 4 * 1024 * 1024;  # 4 MiB
       hardware.marvell = {
         arm-trusted-firmware = pkgs.Tow-Boot.armTrustedFirmwareMochabin;
@@ -86,39 +87,28 @@ in
 
             DM_MMC = yes;
 
-            # --- SecuBox netboot (#748): HTTP/TFTP network boot ---
+            # --- SecuBox netboot (#748): HTTP wget + TFTP + signed-FIT verify ---
+            # Requires upstream U-Boot >= 2023.07 (the version bump above) for
+            # wget. CMD_WGET selects WGET + PROT_TCP. The MV88E6xxx DSA switch
+            # driver and the embedded netboot env (EXTRA_ENV_SETTINGS) are
+            # DEFERRED — not required for the WAN copper (mvpp2-2) HTTP path.
             NET = yes;
             CMD_NET = yes;
             CMD_DHCP = yes;
-            CMD_PING = yes;
             CMD_TFTPBOOT = yes;
+            CMD_PING = yes;
             CMD_WGET = yes;
-            WGET = yes;
-            PROT_TCP = yes;
             CMD_BOOTI = yes;
 
-            # --- signed FIT verification (CSPN) ---
+            # signed FIT verification (CSPN)
             FIT = yes;
             FIT_SIGNATURE = yes;
             RSA = yes;
             SHA256 = yes;
-            LEGACY_IMAGE_FORMAT = yes;
 
-            # --- anti-brick boot menu + counter ---
-            CMD_BOOTMENU = yes;
-            BOOTCOUNT_LIMIT = yes;
-            BOOTCOUNT_ENV = yes;
-
-            # --- MV88E6xxx DSA switch (88E6141 Topaz) — make lan0-3 netbootable (#748) ---
-            DM_DSA = yes;
-            MV88E6XXX = yes;
-            DM_MDIO = yes;
-            PHY_FIXED = yes;
-            PHY_MARVELL = yes;
-
-            # --- Marvell PPv2 SoC NIC (mvpp2) — required to drive the eth ports (#748) ---
+            # Marvell PPv2 SoC NIC + 88E1512 copper PHY (the WAN/mvpp2-2 port)
             MVPP2 = yes;
-            PHY_GIGE = yes;
+            PHY_MARVELL = yes;
 
             DEFAULT_DEVICE_TREE = freeform ''"armada-7040-mochabin"'';
           })
@@ -128,8 +118,16 @@ in
     (mkIf anyArmada8k {
       system.system = "aarch64-linux";
 
+      # SecuBox netboot (#748): bump to upstream U-Boot 2023.07, which is the
+      # first release that ships `wget`/PROT_TCP (absent in the 2022.07 Tow-Boot
+      # fork). buildUBoot=true uses stock U-Boot (the fork has no 2023.07 tree).
+      Tow-Boot.uBootVersion = lib.mkForce "2023.07";
+      Tow-Boot.buildUBoot = lib.mkForce true;
+
       Tow-Boot.defconfig = lib.mkDefault "mvebu_db_armada8k_defconfig";
-      Tow-Boot.patches = [(pkgs.buildPackages.fetchpatch {
+      # The lukegb armada8k fixup predates 2023.x and does not apply cleanly to
+      # newer trees; only apply it on the older U-Boot it was written against.
+      Tow-Boot.patches = lib.optionals (lib.versionOlder config.Tow-Boot.uBootVersion "2023.01") [(pkgs.buildPackages.fetchpatch {
         url = "https://github.com/lukegb/u-boot/commit/81954a0bdcec395642f3ca1184e8d5026204a481.patch";
         sha256 = "1487pc26ih06504s5jr8l6dc5gsv2lhg70s2dg5haz08brkr747b";
       })];

tools/Tow-Boot/modules/tow-boot/config.nix

@@ -80,8 +80,11 @@ in
       # Looks
       # -----
 
-      # Ensures white text on black background
-      SYS_WHITE_ON_BLACK = yes;
+      # Ensures white text on black background.
+      # Depends on a video console; on headless boards (withLogo=false, e.g.
+      # mochabin) the symbol is unavailable on U-Boot >= 2023.07 and would fail
+      # Tow-Boot's config validation. Only request it where there's a display.
+      SYS_WHITE_ON_BLACK = mkIf withLogo yes;
 
       # Ensures we're not using Truetype
       CONSOLE_TRUETYPE = no;