From 1134e4c07c75b8da6015e4b6f9320ae4db47d1e9 Mon Sep 17 00:00:00 2001
From: Gabriel Valcazar
Date: Thu, 4 Mar 2021 13:14:13 +0100
Subject: [PATCH] trustfence-sign-tools: don't encrypt artifacts in ccimx8mn/ccimx8mm projects

Attempting to boot encrypted artifacts on these platforms will result in HAB events caused by CAAM errors. This is due to the CAAM being configured for non-secure contexts (in regards to Trustzone) while the HAB expects it to be configured for secure contexts. For now, only sign artifacts for these platforms even if the project has the encryption feature enabled.
https://jira.digi.com/browse/DUB-993
Signed-off-by: Gabriel Valcazar
---
 .../trustfence-sign-artifact.sh | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)

diff --git a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact.sh b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact.sh
index cff9ccf89..9c49347e2 100755
--- a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact.sh
+++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact.sh
@@ -123,17 +123,11 @@ if [ -z "${CONFIG_RAM_START}" ]; then
 fi
 # Get DEK key
-if [ -n "${CONFIG_DEK_PATH}" ]; then
+if [ -n "${CONFIG_DEK_PATH}" ] && [ "${PLATFORM}" != "ccimx8mn" ] && [ "${PLATFORM}" != "ccimx8mm" ]; then
 if [ ! -f "${CONFIG_DEK_PATH}" ]; then
- if [ "${PLATFORM}" = "ccimx8mn" ] || [ "${PLATFORM}" = "ccimx8mm" ]; then
- echo "DEK not found. Generating random 128 bit DEK."
- [ -d $(dirname ${CONFIG_DEK_PATH}) ] || mkdir -p $(dirname ${CONFIG_DEK_PATH})
- dd if=/dev/urandom of="${CONFIG_DEK_PATH}" bs=16 count=1 >/dev/null 2>&1
- else
- echo "DEK not found. Generating random 256 bit DEK."
- [ -d $(dirname ${CONFIG_DEK_PATH}) ] || mkdir -p $(dirname ${CONFIG_DEK_PATH})
- dd if=/dev/urandom of="${CONFIG_DEK_PATH}" bs=32 count=1 >/dev/null 2>&1
- fi
+ echo "DEK not found. Generating random 256 bit DEK."
+ [ -d $(dirname ${CONFIG_DEK_PATH}) ] || mkdir -p $(dirname ${CONFIG_DEK_PATH})
+ dd if=/dev/urandom of="${CONFIG_DEK_PATH}" bs=32 count=1 >/dev/null 2>&1
 fi
 dek_size="$((8 * $(stat -L -c %s ${CONFIG_DEK_PATH})))"
 if [ "${dek_size}" != "128" ] && [ "${dek_size}" != "192" ] && [ "${dek_size}" != "256" ]; then
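Review bot: On ccimx8mn/ccimx8mm the extended condition on the `+if [ -n "${CONFIG_DEK_PATH}" ] && ...` line skips the whole DEK block without printing anything, so a project that has encryption enabled gets signed-only artifacts and nothing in the build output says so. A warning on stderr for that case would make the loss of confidentiality visible, for example `echo "WARNING: encryption is not supported on ${PLATFORM}; artifacts will only be signed" >&2` under a check that `CONFIG_DEK_PATH` is set and the platform is one of the two. The body of this `if` continues past the end of the hunk, so it is worth confirming that no later step still tests `CONFIG_DEK_PATH` on its own to select the encryption path on these platforms. Separately, the kept `dd` line creates the DEK under the default umask and the `dirname`/`stat` expansions of `${CONFIG_DEK_PATH}` are unquoted; a `chmod 600 "${CONFIG_DEK_PATH}"` after generation plus quoting those expansions would tighten both.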