trustfence: add new TRUSTFENCE_SRK_REVOKE_MASK variable

In order to revoke SRKs in platforms with AHAB we need to set a mask
during the signing/encryption process.

Create new TRUSTFENCE_SRK_REVOKE_MASK variable to export the
SRK_REVOKE_MASK variable required by the imx-boot signing script.

The revoke mask is not necessary for signing/encryption of other artifacts,
so set it by default to 0x0.

Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>

meta-digi-arm/recipes-bsp/imx-mkimage/imx-boot_1.0.bbappend

@@ -213,6 +213,7 @@ do_deploy_append () {
 		[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
 		[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
 		[ -n "${TRUSTFENCE_SIGN_MODE}" ] && export CONFIG_SIGN_MODE="${TRUSTFENCE_SIGN_MODE}"
+		[ -n "${TRUSTFENCE_SRK_REVOKE_MASK}" ] && export SRK_REVOKE_MASK="${TRUSTFENCE_SRK_REVOKE_MASK}"
 
 		# Sign U-boot image
 		if [ "${UBOOT_RAM_COMBINATIONS}" = "" ]; then

meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/encrypt_ahab

@@ -14,7 +14,7 @@
     # Type of SRK set (NXP or OEM)
     Source set = OEM
     # bitmask of the revoked SRKs
-    Revocations = 0x%key_index%
+    Revocations = 0x0
 
 [Authenticate Data]
     # Binary to be signed generated by mkimage

meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/sign_ahab

@@ -14,7 +14,7 @@
     # Type of SRK set (NXP or OEM)
     Source set = OEM
     # bitmask of the revoked SRKs
-    Revocations = 0x%key_index%
+    Revocations = 0x0
 
 [Authenticate Data]
     # Binary to be signed generated by mkimage

meta-digi-dey/classes/trustfence.bbclass

@@ -23,6 +23,7 @@ TRUSTFENCE_SIGN ?= "1"
 TRUSTFENCE_SIGN_KEYS_PATH ?= "default"
 TRUSTFENCE_DEK_PATH ?= "default"
 TRUSTFENCE_ENCRYPT_ENVIRONMENT ?= "1"
+TRUSTFENCE_SRK_REVOKE_MASK ?= "0x0"
 
 # Trustfence initramfs image recipe
 TRUSTFENCE_INITRAMFS_IMAGE ?= "dey-image-trustfence-initramfs"