tf-a-stm32mp: obtain password to use during FIP image signing process

The FIP image is signed internally by this recipe. The password must be
set in FIP_SIGN_KEY_PASS. With the signing script, the password is
randomly generated and saved in key_pass.txt.
This prefunc obtains the password(s) from the file to set FIP_SIGN_KEY_PASS
so that the FIP can be properly signed.

Signed-off-by: Hector Palacios <hector.palacios@digi.com>

meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_%.bbappend

@@ -16,6 +16,33 @@ SRC_URI = " \
 
 TF_A_CONFIG[nand]   = "${DEVICE_BOARD_ENABLE:NAND},STM32MP_RAW_NAND=1 ${@'STM32MP_FORCE_MTD_START_OFFSET=${TF_A_MTD_START_OFFSET_NAND}' if ${TF_A_MTD_START_OFFSET_NAND} else ''} STM32MP_USB_PROGRAMMER=1"
 
+DEPENDS += " \
+    ${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'trustfence-sign-tools-native trustfence-genpki-native', '', d)} \
+"
+
+# This dependency is required so that the PKI generation completes before
+# proceeding with set_fip_sign_key() where we extract the password that
+# is later used on the do_deploy of the fip-utils-stm32mp.bbclass.
+do_install[depends] = " \
+    trustfence-sign-tools-native:do_populate_sysroot \
+    openssl-native:do_populate_sysroot \
+"
+
+# Obtain password to use in FIP generation
+# Get password from file using the given key index
+do_deploy[prefuncs] += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'set_fip_sign_key', '', d)}"
+python set_fip_sign_key() {
+    passfile = d.getVar('TRUSTFENCE_PASSWORD_FILE')
+    if (os.path.isfile(passfile)):
+        with open(passfile, "r") as file:
+            p = file.read().split()
+            i = int(d.getVar('TRUSTFENCE_KEY_INDEX'))
+            if (i > 7):
+                i = 0
+            if (p):
+                d.setVar('FIP_SIGN_KEY_PASS', p[i])
+}
+
 # Sign TF-A image
 do_deploy[postfuncs] += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'tfa_sign', '', d)}"
 tfa_sign() {