From 11ee0251d0b644ac5f82bd7330a767ef18086bd5 Mon Sep 17 00:00:00 2001
From: Javier Viguera
Date: Mon, 17 Jun 2024 15:20:01 +0200
Subject: [PATCH] trustfence: ccimx93: disable boot artifacts encryption by default

Encrypting boot artifacts impacts the device's boot time, so disable them by default. It is still possible to enable it in the project's config file by setting the TRUSTFENCE_DEK_PATH option.

Signed-off-by: Javier Viguera
---
 meta-digi-dey/classes/trustfence.bbclass | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/meta-digi-dey/classes/trustfence.bbclass b/meta-digi-dey/classes/trustfence.bbclass
index eaff8f0b0..ba99025bb 100644
--- a/meta-digi-dey/classes/trustfence.bbclass
+++ b/meta-digi-dey/classes/trustfence.bbclass
@@ -23,8 +23,7 @@ TRUSTFENCE_CONSOLE_DISABLE ?= "0"
 # Default secure boot configuration
 TRUSTFENCE_SIGN ?= "1"
 TRUSTFENCE_SIGN_KEYS_PATH ?= "default"
-TRUSTFENCE_DEK_PATH ?= "default"
-TRUSTFENCE_DEK_PATH:ccmp1 ?= "0"
+TRUSTFENCE_DEK_PATH ?= "${TF_DEK_PATH}"
 TRUSTFENCE_ENCRYPT_ENVIRONMENT ?= "1"
 TRUSTFENCE_SRK_REVOKE_MASK ?= "0x0"
 TRUSTFENCE_KEY_INDEX ?= "0"
@@ -45,6 +44,11 @@ TRUSTFENCE_READ_ONLY_ROOTFS ?= "${@bb.utils.contains("IMAGE_FEATURES", "read-onl
 # NOTHING TO CUSTOMIZE BELOW THIS LINE
 #
 
+# Platform specific defaults
+TF_DEK_PATH = "default"
+TF_DEK_PATH:ccimx93 = "0"
+TF_DEK_PATH:ccmp1 = "0"
+
 # NXP-based sign a FIT-format boot artifact
 TRUSTFENCE_SIGN_FIT_NXP = "0"
 TRUSTFENCE_SIGN_FIT_NXP:ccimx93 = "${TRUSTFENCE_SIGN_ARTIFACTS}"
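Review bot: With `TRUSTFENCE_DEK_PATH ?= "${TF_DEK_PATH}"`, a ccimx93 project that never set the variable moves from encrypted to signed-only boot artifacts on its next build, and nothing next to the assignment says so. This relaxes a confidentiality default in exchange for boot time, so the trade-off belongs beside the variable users are told to set, for example `# "0" = boot artifacts are signed but not encrypted; set TRUSTFENCE_DEK_PATH in the project config to re-enable encryption`. `TRUSTFENCE_ENCRYPT_ENVIRONMENT ?= "1"` stays unchanged two lines below. Whether environment encryption depends on the DEK is not visible in this hunk, so it is worth confirming that combination on ccimx93.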
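Review bot: The comment `# Platform specific defaults` above the new `TF_DEK_PATH` block does not say what the `"0"` sentinel means or why ccimx93 and ccmp1 get it, and this is the only place that decides whether boot artifacts are encrypted by default. I would expand it to something like `# Per-platform default for TRUSTFENCE_DEK_PATH; "0" disables boot artifact encryption (ccimx93: boot-time cost)`. The block uses hard `=` assignments under the "NOTHING TO CUSTOMIZE" banner, so `TF_DEK_PATH` looks like an internal variable. A short remark that users override `TRUSTFENCE_DEK_PATH`, not `TF_DEK_PATH`, would keep anyone from editing the wrong variable when they want encryption back.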