.github/workflows/build-tow-boot.yml

@@ -48,22 +48,6 @@ jobs:
       - name: Install Nix
         uses: DeterminateSystems/nix-installer-action@v4
 
-      - name: Diagnose wget/TCP Kconfig deps in the U-Boot tree
-        run: |
-          set -x
-          git clone --depth 1 --branch 'tow-boot/2022.07/_all' \
-            https://github.com/Tow-Boot/U-Boot /tmp/ub 2>&1 | tail -3 \
-          || git clone --depth 1 --branch v2022.07 \
-            https://github.com/u-boot/u-boot /tmp/ub
-          echo "===== CMD_WGET ====="
-          grep -rn -A8 '^config CMD_WGET' /tmp/ub/cmd/ || echo 'CMD_WGET not in cmd/'
-          echo "===== PROT_TCP ====="
-          grep -rn -A6 '^config PROT_TCP' /tmp/ub/net/ || echo 'PROT_TCP not in net/'
-          echo "===== WGET (lib) ====="
-          grep -rn -A6 '^config WGET' /tmp/ub/ || echo 'no CONFIG_WGET (2022.07: only CMD_WGET)'
-          echo "===== wget sources ====="
-          find /tmp/ub -name 'wget.c' | head
-
       - name: Build enhanced Tow-Boot (${{ env.VARIANT }})
         working-directory: tools/Tow-Boot
         run: |

tools/Tow-Boot/modules/hardware/marvell/default.nix

@@ -68,8 +68,7 @@ in
       hardware.socList = armadaSOCs;
     }
     (mkIf cfgMarvell.globalscale.mochabin.enable {
-      # secubox.netboot.enable deferred: the EXTRA_ENV_SETTINGS string needs
-      # Kconfig-safe quote escaping before it can be embedded (#748).
+      secubox.netboot.enable = true;
       hardware.SPISize = 4 * 1024 * 1024;  # 4 MiB
       hardware.marvell = {
         arm-trusted-firmware = pkgs.Tow-Boot.armTrustedFirmwareMochabin;
@@ -87,29 +86,40 @@ in
 
             DM_MMC = yes;
 
-            # --- SecuBox netboot (#748): HTTP wget + TFTP + signed-FIT verify ---
-            # Requires upstream U-Boot >= 2023.07 (the version bump above) for
-            # wget. CMD_WGET selects WGET + PROT_TCP. The MV88E6xxx DSA switch
-            # driver and the embedded netboot env (EXTRA_ENV_SETTINGS) are
-            # DEFERRED — not required for the WAN copper (mvpp2-2) HTTP path.
+            # --- SecuBox netboot (#748): HTTP/TFTP network boot ---
             NET = yes;
             CMD_NET = yes;
             CMD_DHCP = yes;
-            CMD_TFTPBOOT = yes;
             CMD_PING = yes;
+            CMD_TFTPBOOT = yes;
             CMD_WGET = yes;
+            WGET = yes;
+            PROT_TCP = yes;
             CMD_BOOTI = yes;
 
-            # signed FIT verification (CSPN)
+            # --- signed FIT verification (CSPN) ---
             FIT = yes;
             FIT_SIGNATURE = yes;
             RSA = yes;
             SHA256 = yes;
+            LEGACY_IMAGE_FORMAT = yes;
 
-            # Marvell PPv2 SoC NIC + 88E1512 copper PHY (the WAN/mvpp2-2 port)
-            MVPP2 = yes;
+            # --- anti-brick boot menu + counter ---
+            CMD_BOOTMENU = yes;
+            BOOTCOUNT_LIMIT = yes;
+            BOOTCOUNT_ENV = yes;
+
+            # --- MV88E6xxx DSA switch (88E6141 Topaz) — make lan0-3 netbootable (#748) ---
+            DM_DSA = yes;
+            MV88E6XXX = yes;
+            DM_MDIO = yes;
+            PHY_FIXED = yes;
             PHY_MARVELL = yes;
 
+            # --- Marvell PPv2 SoC NIC (mvpp2) — required to drive the eth ports (#748) ---
+            MVPP2 = yes;
+            PHY_GIGE = yes;
+
             DEFAULT_DEVICE_TREE = freeform ''"armada-7040-mochabin"'';
           })
         ];
@@ -118,16 +128,8 @@ in
     (mkIf anyArmada8k {
       system.system = "aarch64-linux";
 
-      # SecuBox netboot (#748): bump to upstream U-Boot 2023.07, which is the
-      # first release that ships `wget`/PROT_TCP (absent in the 2022.07 Tow-Boot
-      # fork). buildUBoot=true uses stock U-Boot (the fork has no 2023.07 tree).
-      Tow-Boot.uBootVersion = lib.mkForce "2023.07";
-      Tow-Boot.buildUBoot = lib.mkForce true;
-
       Tow-Boot.defconfig = lib.mkDefault "mvebu_db_armada8k_defconfig";
-      # The lukegb armada8k fixup predates 2023.x and does not apply cleanly to
-      # newer trees; only apply it on the older U-Boot it was written against.
-      Tow-Boot.patches = lib.optionals (lib.versionOlder config.Tow-Boot.uBootVersion "2023.01") [(pkgs.buildPackages.fetchpatch {
+      Tow-Boot.patches = [(pkgs.buildPackages.fetchpatch {
         url = "https://github.com/lukegb/u-boot/commit/81954a0bdcec395642f3ca1184e8d5026204a481.patch";
         sha256 = "1487pc26ih06504s5jr8l6dc5gsv2lhg70s2dg5haz08brkr747b";
       })];

tools/Tow-Boot/modules/tow-boot/config.nix

@@ -80,11 +80,8 @@ in
       # Looks
       # -----
 
-      # Ensures white text on black background.
-      # Depends on a video console; on headless boards (withLogo=false, e.g.
-      # mochabin) the symbol is unavailable on U-Boot >= 2023.07 and would fail
-      # Tow-Boot's config validation. Only request it where there's a display.
-      SYS_WHITE_ON_BLACK = mkIf withLogo yes;
+      # Ensures white text on black background
+      SYS_WHITE_ON_BLACK = yes;
 
       # Ensures we're not using Truetype
       CONSOLE_TRUETYPE = no;