diff --git a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-2.3.2/0004-hab4_pki_tree.sh-usa-a-random-password-for-the-defau.patch b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-2.3.2/0004-hab4_pki_tree.sh-usa-a-random-password-for-the-defau.patch
new file mode 100644
index 000000000..6b668d7c3
--- /dev/null
+++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-2.3.2/0004-hab4_pki_tree.sh-usa-a-random-password-for-the-defau.patch
@@ -0,0 +1,29 @@
+From: "Diaz de Grenu, Jose" <Jose.DiazdeGrenu@digi.com>
+Date: Fri, 29 Jul 2016 17:20:28 +0200
+Subject: [PATCH] hab4_pki_tree.sh: usa a random password for the default PKI
+ generation
+
+Signed-off-by: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com>
+---
+ keys/hab4_pki_tree.sh | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/keys/hab4_pki_tree.sh b/keys/hab4_pki_tree.sh
+index b2c6b71b604e..93347521cea1 100644
+--- a/keys/hab4_pki_tree.sh
++++ b/keys/hab4_pki_tree.sh
+@@ -95,9 +95,10 @@ fi
+ # Check that the file "key_pass.txt" is present, if not create it with default user/pwd:
+ if [ ! -f key_pass.txt ]
+ then
+-    echo "test" > key_pass.txt
+-    echo "test" >> key_pass.txt
+-    echo "A default file 'key_pass.txt' was created with password = test!"
++    password="$(openssl rand -base64 32)"
++    echo "${password}" > key_pass.txt
++    echo "${password}" >> key_pass.txt
++    echo "A file 'key_pass.txt' was created with a random password!"
+ fi
+ 
+ # The following is required otherwise OpenSSL complains
+
diff --git a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-2.3.2/Makefile b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-2.3.2/Makefile
index f443ef3d1..ed9df8301 100644
--- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-2.3.2/Makefile
+++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-2.3.2/Makefile
@@ -1,7 +1,6 @@
 TARGET = linux64/cst
 LIBS = -lfrontend -lcrypto
-CC = gcc
-CFLAGS = -g -Wall
+CFLAGS += -g -Wall
 
 .PHONY: default all clean
 
@@ -18,7 +17,7 @@ LIBS_PATH = linux64/lib
 .PRECIOUS: $(TARGET) $(OBJECTS)
 
 $(TARGET): $(OBJECTS)
-	$(CC) $(OBJECTS) $(CFLAGS) -L $(LIBS_PATH) $(LIBS) -I $(HEADERS) -o $@
+	$(CC) $(OBJECTS) $(CFLAGS) $(LDFLAGS) -L $(LIBS_PATH) $(LIBS) -I $(HEADERS) -o $@
 
 clean:
 	-rm -f *.o $(TARGET)
diff --git a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst_2.3.2.bb b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-native_2.3.2.bb
similarity index 88%
rename from meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst_2.3.2.bb
rename to meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-native_2.3.2.bb
index eb5fd5f39..765d5fb0e 100644
--- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst_2.3.2.bb
+++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-native_2.3.2.bb
@@ -3,15 +3,18 @@ DESCRIPTION = "Provides software code signing support designed for use with i.MX
 HOMEPAGE = "https://www.nxp.com/webapp/Download?colCode=IMX_CST_TOOL"
 LICENSE = "CLOSED"
 
-DEPENDS = "openssl"
+DEPENDS = "openssl-native"
 
-S= "${WORKDIR}/cst-${PV}"
+S = "${WORKDIR}/cst-${PV}"
+
+inherit native
 
 SRC_URI = " \
 	${@base_conditional('TRUSTFENCE_SIGN', '1', 'file://cst-${PV}.tar.gz', '', d)} \
 	file://0001-gen_auth_encrypted_data-reuse-existing-DEK-file.patch \
 	file://0002-hab4_pki_tree.sh-automate-script.patch \
 	file://0003-openssl_helper-use-dev-urandom-as-seed-source.patch \
+	file://0004-hab4_pki_tree.sh-usa-a-random-password-for-the-defau.patch \
 	file://Makefile \
 "
 
@@ -32,5 +35,3 @@ do_install () {
 	install -m 0755 ca/v3_ca.cnf ${D}${bindir}/v3_ca.cnf
 	install -m 0755 ca/v3_usr.cnf ${D}${bindir}/v3_usr.cnf
 }
-
-BBCLASSEXTEND = "native"
diff --git a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2015.04.bb b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2015.04.bb
index 4ddc949d0..280b7b2d4 100644
--- a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2015.04.bb
+++ b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2015.04.bb
@@ -36,11 +36,6 @@ UBOOT_EXTRA_CONF ?= ""
 python __anonymous() {
     if (d.getVar("TRUSTFENCE_DEK_PATH", True) not in ["0", None]) and (d.getVar("TRUSTFENCE_SIGN", True) != "1"):
          bb.fatal("Only signed U-Boot images can be encrypted. Generate signed images (TRUSTFENCE_SIGN=1) or remove encryption (TRUSTFENCE_DEK_PATH = 0)")
-    if (d.getVar("TRUSTFENCE_UBOOT_ENV_DEK", True) not in [None, "0"]):
-        if (d.getVar("TRUSTFENCE_DEK_PATH", True) in [None, "0"]):
-            bb.warn("It is strongly recommended to encrypt the U-Boot image when using environment encryption. Consider removing TRUSTFENCE_DEK_PATH = 0")
-        if (len(d.getVar("TRUSTFENCE_UBOOT_ENV_DEK", True)) != 32):
-            bb.fatal("Invalid TRUSTFENCE_UBOOT_ENV_DEK length. Define a string formed by 32 hexadecimal characters")
 }
 
 do_compile () {
@@ -78,6 +73,7 @@ do_compile () {
                     if [ "${TRUSTFENCE_SIGN}" = "1" ]
                     then
                         cp ${S}/build_${config}/u-boot-signed.imx ${S}/build_${config}/u-boot-signed-${type}.${UBOOT_SUFFIX}
+                        cp ${S}/build_${config}/u-boot-usb-signed.imx ${S}/build_${config}/u-boot-usb-signed-${type}.${UBOOT_SUFFIX}
 			if [ "${TRUSTFENCE_DEK_PATH}" != "0" ]
 			then
 				cp ${S}/build_${config}/u-boot-encrypted.imx ${S}/build_${config}/u-boot-encrypted-${type}.${UBOOT_SUFFIX}
@@ -129,6 +125,9 @@ do_deploy_append() {
 						install ${S}/build_${config}/u-boot-signed-${type}.${UBOOT_SUFFIX} u-boot-signed-${type}-${PV}-${PR}.${UBOOT_SUFFIX}
 						ln -sf u-boot-signed-${type}-${PV}-${PR}.${UBOOT_SUFFIX} u-boot-signed-${type}.${UBOOT_SUFFIX}
 
+						install ${S}/build_${config}/u-boot-usb-signed-${type}.${UBOOT_SUFFIX} u-boot-usb-signed-${type}-${PV}-${PR}.${UBOOT_SUFFIX}
+						ln -sf u-boot-usb-signed-${type}-${PV}-${PR}.${UBOOT_SUFFIX} u-boot-usb-signed-${type}.${UBOOT_SUFFIX}
+
 						if [ "${TRUSTFENCE_DEK_PATH}" != "0" ]
 						then
 							install ${S}/build_${config}/u-boot-encrypted-${type}.${UBOOT_SUFFIX} u-boot-encrypted-${type}-${PV}-${PR}.${UBOOT_SUFFIX}
diff --git a/meta-digi-arm/recipes-kernel/linux/linux-dey.inc b/meta-digi-arm/recipes-kernel/linux/linux-dey.inc
index 19c71f113..a7717b203 100644
--- a/meta-digi-arm/recipes-kernel/linux/linux-dey.inc
+++ b/meta-digi-arm/recipes-kernel/linux/linux-dey.inc
@@ -44,6 +44,8 @@ do_deploy_append() {
 	(cd ${DEPLOYDIR} && ln -sf ${KERNEL_IMAGE_BASE_NAME}.bin ${KERNEL_IMAGE_SYMLINK_NAME})
 }
 
+do_deploy[vardeps] += "TRUSTFENCE_SIGN_KEYS_PATH TRUSTFENCE_KEY_INDEX TRUSTFENCE_DEK_PATH"
+
 FILES_kernel-image += "/boot/config-${KERNEL_VERSION}"
 
 # Don't include kernels in standard images
diff --git a/meta-digi-dey/classes/trustfence.bbclass b/meta-digi-dey/classes/trustfence.bbclass
index 6530f01ef..b174655e3 100644
--- a/meta-digi-dey/classes/trustfence.bbclass
+++ b/meta-digi-dey/classes/trustfence.bbclass
@@ -10,7 +10,7 @@
 #
 
 # Default secure console configuration
-TRUSTFENCE_CONSOLE_DISABLE ?= "1"
+TRUSTFENCE_CONSOLE_DISABLE ?= "0"
 
 # Uncomment to enable the console with the specified passphrase
 #TRUSTFENCE_CONSOLE_PASSPHRASE_ENABLE = "my_secure_passphrase"
@@ -22,7 +22,8 @@ TRUSTFENCE_CONSOLE_DISABLE ?= "1"
 TRUSTFENCE_SIGN ?= "1"
 TRUSTFENCE_SIGN_KEYS_PATH ?= "default"
 TRUSTFENCE_DEK_PATH ?= "default"
-TRUSTFENCE_UBOOT_ENV_DEK ?= "gen_random"
+TRUSTFENCE_DEK_PATH_ccimx6ul = "0"
+TRUSTFENCE_ENCRYPT_ENVIRONMENT ?= "1"
 
 # Trustfence initramfs image recipe
 TRUSTFENCE_INITRAMFS_IMAGE ?= "dey-image-trustfence-initramfs"
@@ -46,9 +47,6 @@ python () {
             d.appendVar("UBOOT_EXTRA_CONF", " CONFIG_CONSOLE_ENABLE_GPIO=y CONFIG_CONSOLE_ENABLE_GPIO_NR=%s " % d.getVar("TRUSTFENCE_CONSOLE_GPIO_ENABLE"))
 
     # Secure boot configuration
-    if (d.getVar("TRUSTFENCE_UBOOT_ENV_DEK") == "gen_random"):
-        d.setVar("TRUSTFENCE_UBOOT_ENV_DEK", str(binascii.hexlify(os.urandom(16)).decode()))
-
     if (d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") == "default"):
         d.setVar("TRUSTFENCE_SIGN_KEYS_PATH", d.getVar("TOPDIR") + "/trustfence");
 
@@ -63,6 +61,6 @@ python () {
             d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_KEY_INDEX=%s " % d.getVar("TRUSTFENCE_KEY_INDEX"))
         if (d.getVar("TRUSTFENCE_DEK_PATH", True) not in [None, "0"]):
             d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_DEK_PATH=\\"%s\\" ' % d.getVar("TRUSTFENCE_DEK_PATH"))
-    if (d.getVar("TRUSTFENCE_UBOOT_ENV_DEK", True) not in [None, "0"]):
-        d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_ENV_AES=y CONFIG_ENV_AES_KEY=\\"%s\\"' % d.getVar("TRUSTFENCE_UBOOT_ENV_DEK"))
+    if (d.getVar("TRUSTFENCE_ENCRYPT_ENVIRONMENT", True) == "1"):
+        d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_ENV_AES=y CONFIG_ENV_AES_CAAM_KEY=y')
 }
diff --git a/meta-digi-dey/recipes-digi/packagegroups/packagegroup-dey-trustfence.bb b/meta-digi-dey/recipes-digi/packagegroups/packagegroup-dey-trustfence.bb
index cab5f931e..ff85f755e 100644
--- a/meta-digi-dey/recipes-digi/packagegroups/packagegroup-dey-trustfence.bb
+++ b/meta-digi-dey/recipes-digi/packagegroups/packagegroup-dey-trustfence.bb
@@ -10,3 +10,4 @@ inherit packagegroup
 RDEPENDS_${PN} = "\
 	${@base_conditional('TRUSTFENCE_CONSOLE_DISABLE', '1', 'auto-serial-console', '', d)} \
 "
+do_package[vardeps] += "TRUSTFENCE_CONSOLE_DISABLE"