uuu installer: remove -t option and determine by filename

The `-t` option to program images with TrustFence didn't make
much sense because the install script is dynamically generated
at build-time with the name of the boot artifacts containing
"signed/encrypted" on their filenames.

This commit:
 - Removes `-t` option to simplify the script.
 - Determines if programming a signed/encrypted bootloader by
   looking at the bootloader filename.
 - For NXP platforms, reworks the function that updates the
   bootloader to properly program only-signed bootloaders (currently
   wrongly using `trustfence update`)

Signed-off-by: Hector Palacios <hector.palacios@digi.com>

meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx6qpsbc/install_linux_fw_uuu.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 #===============================================================================
 #
-#  Copyright (C) 2021-2024 by Digi International Inc.
+#  Copyright (C) 2021-2025 by Digi International Inc.
 #  All rights reserved.
 #
 #  This program is free software; you can redistribute it and/or modify it
@@ -42,7 +42,6 @@ show_usage()
 	echo "   -k <dek-filename>      Update includes dek file."
 	echo "                          (implies -t)."
 	echo "   -n                     No wait. Skips 10 seconds delay to stop script."
-	echo "   -t                     Install Trustfence artifacts."
 	echo "   -u <u-boot-filename>   U-Boot filename."
 	echo "                          Auto-determined by variant if not provided."
 	exit 2
@@ -61,23 +60,27 @@ part_update()
 	echo "====================================================================================="
 	echo "\033[0m"
 
-	if [ "${TRUSTFENCE}" = "true" ] && [ "${1}" = "bootloader" ]; then
-		uuu fb: download -f "${2}"
-		if [ -n "${DEK_FILE}" ]; then
-			uuu fb: ucmd setenv uboot_size \${filesize}
-			uuu fb: ucmd setenv fastboot_buffer \${initrd_addr}
-			uuu fb: download -f "${3}"
-			uuu fb: ucmd setenv dek_size \${filesize}
-			uuu fb: ucmd trustfence update ram \${loadaddr} \${uboot_size} \${initrd_addr} \${dek_size}
+	if [ "${1}" = "bootloader" ]; then
+		if [ "${ENCRYPTED}" = "true" ]; then
+			uuu fb: download -f "${2}"
+			if [ -n "${DEK_FILE}" ]; then
+				# Encrypted bootloader + dek
+				uuu fb: ucmd setenv uboot_size \${filesize}
+				uuu fb: ucmd setenv fastboot_buffer \${initrd_addr}
+				uuu fb: download -f "${3}"
+				uuu fb: ucmd setenv dek_size \${filesize}
+				uuu fb: ucmd trustfence update ram \${loadaddr} \${uboot_size} \${initrd_addr} \${dek_size}
+			else
+				# Encrypted bootloader (re-use existing dek)
+				uuu fb: ucmd trustfence update ram \${fastboot_buffer} \${fastboot_bytes}
+			fi
 		else
-			uuu fb: ucmd trustfence update ram \${fastboot_buffer} \${fastboot_bytes}
+			# Non-encrypted bootloader (can be signed or not)
+			uuu fb: flash "${1}" "${2}"
 		fi
 	else
-		if [ "${1}" = "bootloader" ]; then
-			uuu fb: flash "${1}" "${2}"
-		else
-			uuu fb: flash -raw2sparse "${1}" "${2}"
-		fi
+		# Non-bootloader image
+		uuu fb: flash -raw2sparse "${1}" "${2}"
 	fi
 }
 
@@ -91,7 +94,7 @@ echo "############################################################"
 # -i <image-name>
 # -u <u-boot-filename>
 # -k <dek-filename>
-while getopts ':bdhi:k:ntu:' c
+while getopts ':bdhi:k:nu:' c
 do
 	if [ "${c}" = ":" ]; then
 		c="${OPTARG}"
@@ -107,7 +110,6 @@ do
 	i) IMAGE_NAME=${OPTARG} ;;
 	k) DEK_FILE=${OPTARG} ;;
 	n) NOWAIT=true ;;
-	t) TRUSTFENCE=true ;;
 	u) INSTALL_UBOOT_FILENAME=${OPTARG} ;;
 	esac
 done
@@ -161,6 +163,14 @@ if [ -z ${INSTALL_UBOOT_FILENAME} ]; then
 	fi
 fi
 
+# Determine if bootloader is signed and/or encrypted
+if echo "$INSTALL_UBOOT_FILENAME" | grep -q -e "signed"; then
+	SIGNED=true
+fi
+if echo "$INSTALL_UBOOT_FILENAME" | grep -q -e "encrypted"; then
+	ENCRYPTED=true
+fi
+
 # remove redirect
 uuu fb: ucmd setenv stdout serial
 

meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx6sbc/install_linux_fw_uuu.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 #===============================================================================
 #
-#  Copyright (C) 2021-2024 by Digi International Inc.
+#  Copyright (C) 2021-2025 by Digi International Inc.
 #  All rights reserved.
 #
 #  This program is free software; you can redistribute it and/or modify it
@@ -42,7 +42,6 @@ show_usage()
 	echo "   -k <dek-filename>      Update includes dek file."
 	echo "                          (implies -t)."
 	echo "   -n                     No wait. Skips 10 seconds delay to stop script."
-	echo "   -t                     Install TrustFence artifacts."
 	echo "   -u <u-boot-filename>   U-Boot filename."
 	echo "                          Auto-determined by variant if not provided."
 	exit 2
@@ -61,23 +60,27 @@ part_update()
 	echo "====================================================================================="
 	echo "\033[0m"
 
-	if [ "${TRUSTFENCE}" = "true" ] && [ "${1}" = "bootloader" ]; then
-		uuu fb: download -f "${2}"
-		if [ -n "${DEK_FILE}" ]; then
-			uuu fb: ucmd setenv uboot_size \${filesize}
-			uuu fb: ucmd setenv fastboot_buffer \${initrd_addr}
-			uuu fb: download -f "${3}"
-			uuu fb: ucmd setenv dek_size \${filesize}
-			uuu fb: ucmd trustfence update ram \${loadaddr} \${uboot_size} \${initrd_addr} \${dek_size}
+	if [ "${1}" = "bootloader" ]; then
+		if [ "${ENCRYPTED}" = "true" ]; then
+			uuu fb: download -f "${2}"
+			if [ -n "${DEK_FILE}" ]; then
+				# Encrypted bootloader + dek
+				uuu fb: ucmd setenv uboot_size \${filesize}
+				uuu fb: ucmd setenv fastboot_buffer \${initrd_addr}
+				uuu fb: download -f "${3}"
+				uuu fb: ucmd setenv dek_size \${filesize}
+				uuu fb: ucmd trustfence update ram \${loadaddr} \${uboot_size} \${initrd_addr} \${dek_size}
+			else
+				# Encrypted bootloader (re-use existing dek)
+				uuu fb: ucmd trustfence update ram \${fastboot_buffer} \${fastboot_bytes}
+			fi
 		else
-			uuu fb: ucmd trustfence update ram \${fastboot_buffer} \${fastboot_bytes}
+			# Non-encrypted bootloader (can be signed or not)
+			uuu fb: flash "${1}" "${2}"
 		fi
 	else
-		if [ "${1}" = "bootloader" ]; then
-			uuu fb: flash "${1}" "${2}"
-		else
-			uuu fb: flash -raw2sparse "${1}" "${2}"
-		fi
+		# Non-bootloader image
+		uuu fb: flash -raw2sparse "${1}" "${2}"
 	fi
 }
 
@@ -91,7 +94,7 @@ echo "############################################################"
 # -i <image-name>
 # -u <u-boot-filename>
 # -k <dek-filename>
-while getopts ':bdhi:k:ntu:' c
+while getopts ':bdhi:k:nu:' c
 do
 	if [ "${c}" = ":" ]; then
 		c="${OPTARG}"
@@ -105,9 +108,8 @@ do
 	d) INSTALL_DUALBOOT=true && BOOTCOUNT=true ;;
 	h) show_usage ;;
 	i) IMAGE_NAME=${OPTARG} ;;
-	k) DEK_FILE=${OPTARG} && TRUSTFENCE=true ;;
+	k) DEK_FILE=${OPTARG} ;;
 	n) NOWAIT=true ;;
-	t) TRUSTFENCE=true ;;
 	u) INSTALL_UBOOT_FILENAME=${OPTARG} ;;
 	esac
 done
@@ -180,6 +182,14 @@ if [ -z ${INSTALL_UBOOT_FILENAME} ]; then
 	fi
 fi
 
+# Determine if bootloader is signed and/or encrypted
+if echo "$INSTALL_UBOOT_FILENAME" | grep -q -e "signed"; then
+	SIGNED=true
+fi
+if echo "$INSTALL_UBOOT_FILENAME" | grep -q -e "encrypted"; then
+	ENCRYPTED=true
+fi
+
 # remove redirect
 uuu fb: ucmd setenv stdout serial
 

meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx6ul/install_linux_fw_uuu.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 #===============================================================================
 #
-#  Copyright (C) 2020-2024 by Digi International Inc.
+#  Copyright (C) 2020-2025 by Digi International Inc.
 #  All rights reserved.
 #
 #  This program is free software; you can redistribute it and/or modify it
@@ -42,7 +42,6 @@ show_usage()
 	echo "   -k <dek-filename>      Update includes dek file."
 	echo "                          (implies -t)."
 	echo "   -n                     No wait. Skips 10 seconds delay to stop script."
-	echo "   -t                     Install TrustFence artifacts."
 	echo "   -u <u-boot-filename>   U-Boot filename."
 	echo "                          Auto-determined by variant if not provided."
 	exit 2
@@ -74,17 +73,20 @@ part_update()
 		ERASE="-e"
 	fi
 	uuu fb: download -f "${2}"
-	if [ "${TRUSTFENCE}" = "true" ] && [ "${1}" = "uboot" ]; then
+	if [ "${1}" = "bootloader" ] && [ "${ENCRYPTED}" = "true" ]; then
 		if [ -n "${DEK_FILE}" ]; then
+			# Encrypted bootloader + dek
 			uuu fb: ucmd setenv uboot_size \${filesize}
 			uuu fb: ucmd setenv fastboot_buffer \${initrd_addr}
 			uuu fb: download -f "${4}"
 			uuu fb: ucmd setenv dek_size \${filesize}
 			uuu "fb[-t ${3}]:" ucmd trustfence update ram \${loadaddr} \${uboot_size} \${initrd_addr} \${dek_size}
 		else
+			# Encrypted bootloader (re-use existing dek)
 			uuu "fb[-t ${3}]:" ucmd trustfence update ram \${fastboot_buffer} \${fastboot_bytes}
 		fi
 	else
+		# Rest of images (including non-encrypted bootloader)
 		uuu "fb[-t ${3}]:" ucmd update "${1}" ram \${fastboot_buffer} \${fastboot_bytes} ${ERASE}
 	fi
 }
@@ -99,7 +101,7 @@ echo "############################################################"
 # -i <image-name>
 # -u <u-boot-filename>
 # -k <dek-filename>
-while getopts ':bdhi:k:ntu:' c
+while getopts ':bdhi:k:nu:' c
 do
 	if [ "${c}" = ":" ]; then
 		c="${OPTARG}"
@@ -113,9 +115,8 @@ do
 	d) INSTALL_DUALBOOT=true && BOOTCOUNT=true ;;
 	h) show_usage ;;
 	i) IMAGE_NAME=${OPTARG} ;;
-	k) DEK_FILE=${OPTARG} && TRUSTFENCE=true ;;
+	k) DEK_FILE=${OPTARG} ;;
 	n) NOWAIT=true ;;
-	t) TRUSTFENCE=true ;;
 	u) INSTALL_UBOOT_FILENAME=${OPTARG} ;;
 	esac
 done
@@ -184,6 +185,14 @@ if [ -z "${INSTALL_UBOOT_FILENAME}" ]; then
 	fi
 fi
 
+# Determine if bootloader is signed and/or encrypted
+if echo "$INSTALL_UBOOT_FILENAME" | grep -q -e "signed"; then
+	SIGNED=true
+fi
+if echo "$INSTALL_UBOOT_FILENAME" | grep -q -e "encrypted"; then
+	ENCRYPTED=true
+fi
+
 # remove redirect
 uuu fb: ucmd setenv stdout serial
 

meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx8m/install_linux_fw_uuu.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 #===============================================================================
 #
-#  Copyright (C) 2020-2024 by Digi International Inc.
+#  Copyright (C) 2020-2025 by Digi International Inc.
 #  All rights reserved.
 #
 #  This program is free software; you can redistribute it and/or modify it
@@ -42,7 +42,6 @@ show_usage()
 	echo "   -k <dek-filename>      Update includes dek file."
 	echo "                          (implies -t)."
 	echo "   -n                     No wait. Skips 10 seconds delay to stop script."
-	echo "   -t                     Install TrustFence artifacts."
 	echo "   -u <u-boot-filename>   U-Boot filename."
 	echo "                          Auto-determined by variant if not provided."
 	exit 2
@@ -61,23 +60,27 @@ part_update()
 	echo "====================================================================================="
 	echo "\033[0m"
 
-	if [ "${TRUSTFENCE}" = "true" ] && [ "${1}" = "bootloader" ]; then
-		uuu fb: download -f "${2}"
-		if [ -n "${DEK_FILE}" ]; then
-			uuu fb: ucmd setenv uboot_size \${filesize}
-			uuu fb: ucmd setenv fastboot_buffer \${initrd_addr}
-			uuu fb: download -f "${3}"
-			uuu fb: ucmd setenv dek_size \${filesize}
-			uuu fb: ucmd trustfence update ram \${loadaddr} \${uboot_size} \${initrd_addr} \${dek_size}
+	if [ "${1}" = "bootloader" ]; then
+		if [ "${ENCRYPTED}" = "true" ]; then
+			uuu fb: download -f "${2}"
+			if [ -n "${DEK_FILE}" ]; then
+				# Encrypted bootloader + dek
+				uuu fb: ucmd setenv uboot_size \${filesize}
+				uuu fb: ucmd setenv fastboot_buffer \${initrd_addr}
+				uuu fb: download -f "${3}"
+				uuu fb: ucmd setenv dek_size \${filesize}
+				uuu fb: ucmd trustfence update ram \${loadaddr} \${uboot_size} \${initrd_addr} \${dek_size}
+			else
+				# Encrypted bootloader (re-use existing dek)
+				uuu fb: ucmd trustfence update ram \${fastboot_buffer} \${fastboot_bytes}
+			fi
 		else
-			uuu fb: ucmd trustfence update ram \${fastboot_buffer} \${fastboot_bytes}
+			# Non-encrypted bootloader (can be signed or not)
+			uuu fb: flash "${1}" "${2}"
 		fi
 	else
-		if [ "${1}" = "bootloader" ]; then
-			uuu fb: flash "${1}" "${2}"
-		else
-			uuu fb: flash -raw2sparse "${1}" "${2}"
-		fi
+		# Non-bootloader image
+		uuu fb: flash -raw2sparse "${1}" "${2}"
 	fi
 }
 
@@ -91,7 +94,7 @@ echo "############################################################"
 # -i <image-name>
 # -u <u-boot-filename>
 # -k <dek-filename>
-while getopts ':bdhi:k:ntu:' c
+while getopts ':bdhi:k:nu:' c
 do
 	if [ "${c}" = ":" ]; then
 		c="${OPTARG}"
@@ -105,9 +108,8 @@ do
 	d) INSTALL_DUALBOOT=true && BOOTCOUNT=true ;;
 	h) show_usage ;;
 	i) IMAGE_NAME=${OPTARG} ;;
-	k) DEK_FILE=${OPTARG} && TRUSTFENCE=true ;;
+	k) DEK_FILE=${OPTARG} ;;
 	n) NOWAIT=true ;;
-	t) TRUSTFENCE=true ;;
 	u) INSTALL_UBOOT_FILENAME=${OPTARG} ;;
 	esac
 done
@@ -132,6 +134,14 @@ if [ -z "${INSTALL_UBOOT_FILENAME}" ]; then
 	INSTALL_UBOOT_FILENAME="imx-boot-##SIGNED##-##MACHINE##.bin"
 fi
 
+# Determine if bootloader is signed and/or encrypted
+if echo "$INSTALL_UBOOT_FILENAME" | grep -q -e "signed"; then
+	SIGNED=true
+fi
+if echo "$INSTALL_UBOOT_FILENAME" | grep -q -e "encrypted"; then
+	ENCRYPTED=true
+fi
+
 # Determine linux, recovery, and rootfs image filenames to update
 if [ -z "${IMAGE_NAME}" ]; then
 	IMAGE_NAME="##DEFAULT_IMAGE_NAME##"

meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx8x/install_linux_fw_uuu.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 #===============================================================================
 #
-#  Copyright (C) 2020-2024 by Digi International Inc.
+#  Copyright (C) 2020-2025 by Digi International Inc.
 #  All rights reserved.
 #
 #  This program is free software; you can redistribute it and/or modify it
@@ -42,7 +42,6 @@ show_usage()
 	echo "   -k <dek-filename>      Update includes dek file."
 	echo "                          (implies -t)."
 	echo "   -n                     No wait. Skips 10 seconds delay to stop script."
-	echo "   -t                     Install TrustFence artifacts."
 	echo "   -u <u-boot-filename>   U-Boot filename."
 	echo "                          Auto-determined by variant if not provided."
 	exit 2
@@ -61,23 +60,27 @@ part_update()
 	echo "====================================================================================="
 	echo "\033[0m"
 
-	if [ "${TRUSTFENCE}" = "true" ] && [ "${1}" = "bootloader" ]; then
-		uuu fb: download -f "${2}"
-		if [ -n "${DEK_FILE}" ]; then
-			uuu fb: ucmd setenv uboot_size \${filesize}
-			uuu fb: ucmd setenv fastboot_buffer \${initrd_addr}
-			uuu fb: download -f "${3}"
-			uuu fb: ucmd setenv dek_size \${filesize}
-			uuu fb: ucmd trustfence update ram \${loadaddr} \${uboot_size} \${initrd_addr} \${dek_size}
+	if [ "${1}" = "bootloader" ]; then
+		if [ "${ENCRYPTED}" = "true" ]; then
+			uuu fb: download -f "${2}"
+			if [ -n "${DEK_FILE}" ]; then
+				# Encrypted bootloader + dek
+				uuu fb: ucmd setenv uboot_size \${filesize}
+				uuu fb: ucmd setenv fastboot_buffer \${initrd_addr}
+				uuu fb: download -f "${3}"
+				uuu fb: ucmd setenv dek_size \${filesize}
+				uuu fb: ucmd trustfence update ram \${loadaddr} \${uboot_size} \${initrd_addr} \${dek_size}
+			else
+				# Encrypted bootloader (re-use existing dek)
+				uuu fb: ucmd trustfence update ram \${fastboot_buffer} \${fastboot_bytes}
+			fi
 		else
-			uuu fb: ucmd trustfence update ram \${fastboot_buffer} \${fastboot_bytes}
+			# Non-encrypted bootloader (can be signed or not)
+			uuu fb: flash "${1}" "${2}"
 		fi
 	else
-		if [ "${1}" = "bootloader" ]; then
-			uuu fb: flash "${1}" "${2}"
-		else
-			uuu fb: flash -raw2sparse "${1}" "${2}"
-		fi
+		# Non-bootloader image
+		uuu fb: flash -raw2sparse "${1}" "${2}"
 	fi
 }
 
@@ -91,7 +94,7 @@ echo "############################################################"
 # -i <image-name>
 # -u <u-boot-filename>
 # -k <dek-filename>
-while getopts ':bdhi:k:ntu:' c
+while getopts ':bdhi:k:nu:' c
 do
 	if [ "${c}" = ":" ]; then
 		c="${OPTARG}"
@@ -105,9 +108,8 @@ do
 	d) INSTALL_DUALBOOT=true && BOOTCOUNT=true ;;
 	h) show_usage ;;
 	i) IMAGE_NAME=${OPTARG} ;;
-	k) DEK_FILE=${OPTARG} && TRUSTFENCE=true ;;
+	k) DEK_FILE=${OPTARG} ;;
 	n) NOWAIT=true ;;
-	t) TRUSTFENCE=true ;;
 	u) INSTALL_UBOOT_FILENAME=${OPTARG} ;;
 	esac
 done
@@ -136,6 +138,14 @@ if [ -z ${INSTALL_UBOOT_FILENAME} ]; then
 	INSTALL_UBOOT_FILENAME="imx-boot-##SIGNED##-##MACHINE##-${soc_rev}.bin"
 fi
 
+# Determine if bootloader is signed and/or encrypted
+if echo "$INSTALL_UBOOT_FILENAME" | grep -q -e "signed"; then
+	SIGNED=true
+fi
+if echo "$INSTALL_UBOOT_FILENAME" | grep -q -e "encrypted"; then
+	ENCRYPTED=true
+fi
+
 # remove redirect
 uuu fb: ucmd setenv stdout serial
 

meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx9/install_linux_fw_uuu.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 #===============================================================================
 #
-#  Copyright (C) 2020-2024 by Digi International Inc.
+#  Copyright (C) 2020-2025 by Digi International Inc.
 #  All rights reserved.
 #
 #  This program is free software; you can redistribute it and/or modify it
@@ -43,7 +43,6 @@ show_usage()
 	echo "                          (implies -t)."
 	echo "   -n                     No wait. Skips 10 seconds delay to stop script."
 	echo "   -u <u-boot-filename>   U-Boot filename."
-	echo "   -t                     Install TrustFence artifacts."
 	echo "                          Auto-determined by variant if not provided."
 	echo "   -U                     Update redundant bootloader partition."
 
@@ -63,23 +62,27 @@ part_update()
 	echo "====================================================================================="
 	echo "\033[0m"
 
-	if [ "${TRUSTFENCE}" = "true" ] && [ "${1}" = "bootloader" ]; then
-		uuu fb: download -f "${2}"
-		if [ -n "${DEK_FILE}" ]; then
-			uuu fb: ucmd setenv uboot_size \${filesize}
-			uuu fb: ucmd setenv fastboot_buffer \${initrd_addr}
-			uuu fb: download -f "${3}"
-			uuu fb: ucmd setenv dek_size \${filesize}
-			uuu fb: ucmd trustfence update ram \${loadaddr} \${uboot_size} \${initrd_addr} \${dek_size}
+	if [ "${1}" = "bootloader" ] || [ "${1}" = "bootloader_redundant" ]; then
+		if [ "${ENCRYPTED}" = "true" ]; then
+			uuu fb: download -f "${2}"
+			if [ -n "${DEK_FILE}" ]; then
+				# Encrypted bootloader + dek
+				uuu fb: ucmd setenv uboot_size \${filesize}
+				uuu fb: ucmd setenv fastboot_buffer \${initrd_addr}
+				uuu fb: download -f "${3}"
+				uuu fb: ucmd setenv dek_size \${filesize}
+				uuu fb: ucmd trustfence update ram \${loadaddr} \${uboot_size} \${initrd_addr} \${dek_size}
+			else
+				# Encrypted bootloader (re-use existing dek)
+				uuu fb: ucmd trustfence update ram \${fastboot_buffer} \${fastboot_bytes}
+			fi
 		else
-			uuu fb: ucmd trustfence update ram \${fastboot_buffer} \${fastboot_bytes}
+			# Non-encrypted bootloader (can be signed or not)
+			uuu fb: flash "${1}" "${2}"
 		fi
 	else
-		if [ "${1}" = "bootloader" ] || [ "${1}" = "bootloader_redundant" ]; then
-			uuu fb: flash "${1}" "${2}"
-		else
-			uuu fb: flash -raw2sparse "${1}" "${2}"
-		fi
+		# Non-bootloader image
+		uuu fb: flash -raw2sparse "${1}" "${2}"
 	fi
 }
 
@@ -93,7 +96,7 @@ echo "############################################################"
 # -i <image-name>
 # -u <u-boot-filename>
 # -k <dek-filename>
-while getopts ':bdhti:nu:Uk:' c
+while getopts ':bdhi:nu:Uk:' c
 do
 	if [ "${c}" = ":" ]; then
 		c="${OPTARG}"
@@ -107,10 +110,9 @@ do
 	d) INSTALL_DUALBOOT=true && BOOTCOUNT=true ;;
 	h) show_usage ;;
 	i) IMAGE_NAME=${OPTARG} ;;
-	k) DEK_FILE=${OPTARG} && TRUSTFENCE=true ;;
+	k) DEK_FILE=${OPTARG} ;;
 	n) NOWAIT=true ;;
 	u) INSTALL_UBOOT_FILENAME=${OPTARG} ;;
-	t) TRUSTFENCE=true ;;
 	U) INSTALL_REDUNDANT_UBOOT=true ;;
 	esac
 done
@@ -145,6 +147,14 @@ if [ -z "${INSTALL_UBOOT_FILENAME}" ]; then
 	INSTALL_UBOOT_FILENAME="imx-boot-##SIGNED##-##MACHINE##${SOCREV}.bin"
 fi
 
+# Determine if bootloader is signed and/or encrypted
+if echo "$INSTALL_UBOOT_FILENAME" | grep -q -e "signed"; then
+	SIGNED=true
+fi
+if echo "$INSTALL_UBOOT_FILENAME" | grep -q -e "encrypted"; then
+	ENCRYPTED=true
+fi
+
 # remove redirect
 uuu fb: ucmd setenv stdout serial
 
@@ -344,7 +354,7 @@ if [ -f ${COMPRESSED_ROOTFS_IMAGE} ] && [ -f ${INSTALL_ROOTFS_FILENAME} ]; then
 	rm -f "${INSTALL_ROOTFS_FILENAME}"
 fi
 # Set the dboot_kernel_var to fitimage if Trustfence is enabled
-if [ "${TRUSTFENCE}" = "true" ] || echo "$INSTALL_UBOOT_FILENAME" | grep -q -e "signed" -e "encrypted"; then
+if [ "${SIGNED}" = "true" || "${ENCRYPTED}" = "true" ]; then
 	uuu fb: ucmd setenv dboot_kernel_var fitimage
 fi
 

meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccmp1/install_linux_fw_uuu.sh

@@ -50,7 +50,6 @@ show_usage()
 	echo "                          'dey-image-webkit', 'core-image-base'..."
 	echo "                          Defaults to '##DEFAULT_IMAGE_NAME##' if not provided."
 	echo "   -n                     No wait. Skips 10 seconds delay to stop script."
-	echo "   -t                     Install TrustFence artifacts."
 	exit 2
 }
 
@@ -84,7 +83,7 @@ echo "############################################################"
 # -b, -d, -n (booleans)
 # -f <fip-filename>
 # -i <image-name>
-while getopts 'a:bdf:hi:nt' c
+while getopts 'a:bdf:hi:n' c
 do
 	case $c in
 	a) INSTALL_ATF_FILENAME=${OPTARG} ;;
@@ -94,7 +93,6 @@ do
 	h) show_usage ;;
 	i) IMAGE_NAME=${OPTARG} ;;
 	n) NOWAIT=true ;;
-	t) TRUSTFENCE=true ;;
 	esac
 done
 
@@ -137,6 +135,11 @@ if [ -z "${INSTALL_FIP_FILENAME}" ]; then
 	INSTALL_FIP_FILENAME="fip-##MACHINE##-${module_ram}-##BOOTSCHEME_DEFAULT##-nand##SIGNED##.bin"
 fi
 
+# Determine if boot artifacts are signed
+if echo "$INSTALL_FIP_FILENAME" | grep -q -e "Signed"; then
+	SIGNED=true
+fi
+
 # Determine linux, recovery, and rootfs image filenames to update
 if [ -z "${IMAGE_NAME}" ]; then
 	IMAGE_NAME="##DEFAULT_IMAGE_NAME##"
@@ -320,7 +323,7 @@ else
 fi
 
 # Set the dboot_kernel_var to fitimage if Trustfence is enabled
-if [ "${TRUSTFENCE}" = "true" ] || echo "${INSTALL_FIP_FILENAME}" | grep -q -e "Signed"; then
+if [ "${SIGNED}" = "true" ]; then
 	uuu fb: ucmd setenv dboot_kernel_var fitimage
 	uuu fb: ucmd saveenv
 fi

meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccmp2/install_linux_fw_uuu.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 #===============================================================================
 #
-#  Copyright (C) 2024 by Digi International Inc.
+#  Copyright (C) 2024, 2025 by Digi International Inc.
 #  All rights reserved.
 #
 #  This program is free software; you can redistribute it and/or modify it
@@ -44,7 +44,6 @@ show_usage()
 	echo "                          'dey-image-webkit', 'core-image-base'..."
 	echo "                          Defaults to '##DEFAULT_IMAGE_NAME##' if not provided."
 	echo "   -n                     No wait. Skips 10 seconds delay to stop script."
-	echo "   -t                     Install TrustFence artifacts."
 	exit 2
 }
 
@@ -80,7 +79,7 @@ echo "############################################################"
 # -b, -d, -n (booleans)
 # -f <fip-filename>
 # -i <image-name>
-while getopts 'a:bdf:hi:nt' c
+while getopts 'a:bdf:hi:n' c
 do
 	case $c in
 	a) INSTALL_ATF_FILENAME=${OPTARG} ;;
@@ -90,7 +89,6 @@ do
 	h) show_usage ;;
 	i) IMAGE_NAME=${OPTARG} ;;
 	n) NOWAIT=true ;;
-	t) TRUSTFENCE=true ;;
 	esac
 done
 
@@ -117,6 +115,11 @@ if [ -z "${INSTALL_FIP_FILENAME}" ]; then
 	INSTALL_FIP_FILENAME="fip-##MACHINE##-optee-emmc##SIGNED##.bin"
 fi
 
+# Determine if boot artifacts are signed
+if echo "$INSTALL_FIP_FILENAME" | grep -q -e "Signed"; then
+	SIGNED=true
+fi
+
 # remove redirect
 uuu fb: ucmd setenv stdout serial
 
@@ -306,7 +309,7 @@ else
 fi
 
 # Set the dboot_kernel_var to fitimage if Trustfence is enabled
-if [ "${TRUSTFENCE}" = "true" ] || echo "${INSTALL_FIP_FILENAME}" | grep -q -e "Signed"; then
+if [ "${SIGNED}" = "true" ]; then
 	uuu fb: ucmd setenv dboot_kernel_var fitimage
 	uuu fb: ucmd saveenv
 fi