From 3fdb245765bfc4a9c2599c2d7bd7ebe62b3d9a69 Mon Sep 17 00:00:00 2001
From: Arturo Buzarra
Date: Thu, 5 Mar 2026 09:35:09 +0100
Subject: [PATCH] trustfence: add encrypted boot artifact support for CCMP13 platform

This commit updates the secure boot support for STM platforms based on the STM32 MPU Ecosystem v6.1.1. It introduces support for encrypted boot artifacts, including TF-A and FIP for the ConnectCore MP13 platform.

https://onedigi.atlassian.net/browse/DEL-8535

Signed-off-by: Arturo Buzarra
---
 meta-digi-arm/conf/machine/ccmp13-dvk.conf | 12 ++++--
 .../trustfence-gen-pki-stm.sh | 37 +++++++++++++++----
 meta-digi-dey/classes/trustfence.bbclass | 10 +++--
 3 files changed, 45 insertions(+), 14 deletions(-)

diff --git a/meta-digi-arm/conf/machine/ccmp13-dvk.conf b/meta-digi-arm/conf/machine/ccmp13-dvk.conf
index 8bd31d79e..79b1aaf71 100644
--- a/meta-digi-arm/conf/machine/ccmp13-dvk.conf
+++ b/meta-digi-arm/conf/machine/ccmp13-dvk.conf
@@ -153,11 +153,15 @@ ST_USERFS = "0"
 
 # Boot artifacts to be copied from the deploy dir to the installer ZIP
 BOOTABLE_ARTIFACTS = " \
-    ${@oe.utils.ifelse(d.getVar('TRUSTFENCE_SIGN') == '1', 'tf-a-ccmp13-dvk-256MB-${BOOTSCHEME_DEFAULT}-nand${SIGN_SUFFIX}.stm32', \
-    'tf-a-ccmp13-dvk-256MB-${BOOTSCHEME_DEFAULT}-nand.stm32')} \
+    ${@oe.utils.ifelse(d.getVar('TRUSTFENCE_SIGN') == '1', \
+    oe.utils.ifelse(d.getVar('TRUSTFENCE_ENCRYPT') == '0', 'tf-a-ccmp13-dvk-256MB-${BOOTSCHEME_DEFAULT}-nand${SIGN_SUFFIX}.stm32 ', \
+    'tf-a-ccmp13-dvk-256MB-${BOOTSCHEME_DEFAULT}-nand${ENCRYPT_SUFFIX}${SIGN_SUFFIX}.stm32 '), \
+    'tf-a-ccmp13-dvk-256MB-${BOOTSCHEME_DEFAULT}-nand.stm32 ')} \
     metadata-ccmp13-dvk.bin \
-    ${@oe.utils.ifelse(d.getVar('TRUSTFENCE_SIGN') == '1', 'fip-ccmp13-dvk-256MB-${BOOTSCHEME_DEFAULT}-nand${SIGN_SUFFIX}.bin', \
-    'fip-ccmp13-dvk-256MB-${BOOTSCHEME_DEFAULT}-nand.bin')} \
+    ${@oe.utils.ifelse(d.getVar('TRUSTFENCE_SIGN') == '1', \
+    oe.utils.ifelse(d.getVar('TRUSTFENCE_ENCRYPT') == '0', 'fip-ccmp13-dvk-256MB-${BOOTSCHEME_DEFAULT}-nand${SIGN_SUFFIX}.bin ', \
+    'fip-ccmp13-dvk-256MB-${BOOTSCHEME_DEFAULT}-nand${ENCRYPT_SUFFIX}${SIGN_SUFFIX}.bin '), \
+    'fip-ccmp13-dvk-256MB-${BOOTSCHEME_DEFAULT}-nand.bin ')} \
 "
 
 # Default overlayfs_etc mount point and type
diff --git a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-gen-pki-stm.sh b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-gen-pki-stm.sh
index 7568b9341..4cc60eb74 100755
--- a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-gen-pki-stm.sh
+++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-gen-pki-stm.sh
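Review bot: The inner `oe.utils.ifelse` selects the `${ENCRYPT_SUFFIX}` names whenever `TRUSTFENCE_ENCRYPT` is anything but the string '0', so an unset variable (`d.getVar` returns None) yields the encrypted tf-a and fip artifact names while signing is enabled. Testing the positive case is the fail-safe form: `oe.utils.ifelse(d.getVar('TRUSTFENCE_ENCRYPT') == '1', 'tf-a-ccmp13-dvk-256MB-${BOOTSCHEME_DEFAULT}-nand${ENCRYPT_SUFFIX}${SIGN_SUFFIX}.stm32 ', 'tf-a-ccmp13-dvk-256MB-${BOOTSCHEME_DEFAULT}-nand${SIGN_SUFFIX}.stm32 ')`, with the same swap for the fip entry. The bbclass in this patch defaults `TF_ENCRYPT` to "1", so today the difference only shows when a build deletes the variable, but the machine conf should not rely on that. The trailing space kept inside every quoted artifact name is also worth a one-line comment, since a reader cannot tell from this block why it is needed.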
@@ -168,10 +168,33 @@ if [ "${PLATFORM}" = "ccmp15" ] || [ "${PLATFORM}" = "ccmp25" ]; then
 	fi
 fi
 
-if [ -n "${CONFIG_FSBL_ENCRYPT_KEYNAME}" ] && [ -n "${CONFIG_FIP_ENCRYPT_KEYNAME}" ] && [ -n "${CONFIG_RPROC_ENCRYPT_KEYNAME}" ]; then
-
-	# Generate random keys if they don't exist
-	if [ "${PLATFORM}" = "ccmp25" ]; then
+# Generate random keys if they don't exist
+if [ "${PLATFORM}" = "ccmp13" ]; then
+	if [ -n "${CONFIG_FSBL_ENCRYPT_KEYNAME}" ] && [ -n "${CONFIG_FIP_ENCRYPT_KEYNAME}" ]; then
+		if [ ! -f "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FSBL_ENCRYPT_KEYNAME}" ]; then
+			echo "Generating random encryption key for FSBL"
+			if ! STM32MP_KeyGen_CLI -rand 16 "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FSBL_ENCRYPT_KEYNAME}"; then
+				echo "[ERROR] Failed to generate 16-byte FSBL encryption key"
+				exit 1
+			fi
+			chmod 444 "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FSBL_ENCRYPT_KEYNAME}"
+		fi
+		if [ ! -f "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FIP_ENCRYPT_KEYNAME}" ]; then
+			echo "Generating encryption key for FIP"
+			if ! hexdump -e '/1 "%02x"' "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FSBL_ENCRYPT_KEYNAME}" > "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FIP_ENCRYPT_KEYNAME}"; then
+				echo "[ERROR] Failed to generate 32-byte FIP encryption key"
+				exit 1
+			fi
+			if ! hexdump -e '/1 "%02x"' "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FSBL_ENCRYPT_KEYNAME}" >> "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FIP_ENCRYPT_KEYNAME}"; then
+				echo "[ERROR] Failed to generate 32-byte FIP encryption key"
+				exit 1
+			fi
+			printf "\n" >> "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FIP_ENCRYPT_KEYNAME}"
+			chmod 444 "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FIP_ENCRYPT_KEYNAME}"
+		fi
+	fi
+elif [ "${PLATFORM}" = "ccmp25" ]; then
+	if [ -n "${CONFIG_FSBL_ENCRYPT_KEYNAME}" ] && [ -n "${CONFIG_FIP_ENCRYPT_KEYNAME}" ] && [ -n "${CONFIG_RPROC_ENCRYPT_KEYNAME}" ]; then
 		if [ ! -f "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FSBL_ENCRYPT_KEYNAME}" ]; then
 			echo "Generating random encryption key for FSBL"
 			if ! STM32MP_KeyGen_CLI -rand 16 "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FSBL_ENCRYPT_KEYNAME}"; then
@@ -196,8 +219,8 @@ if [ -n "${CONFIG_FSBL_ENCRYPT_KEYNAME}" ] && [ -n "${CONFIG_FIP_ENCRYPT_KEYNAME
 		fi
 		chmod 444 "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_RPROC_ENCRYPT_KEYNAME}"
 	fi
-else
-	echo "[ERROR] Could not generate encryption keys. Platform not supported."
-	exit 1
 	fi
+else
+	echo "[ERROR] Could not generate encryption keys. Platform not supported."
+	exit 1
 fi
diff --git a/meta-digi-dey/classes/trustfence.bbclass b/meta-digi-dey/classes/trustfence.bbclass
index fe18354d1..be263313a 100644
--- a/meta-digi-dey/classes/trustfence.bbclass
+++ b/meta-digi-dey/classes/trustfence.bbclass
@@ -21,7 +21,7 @@ TRUSTFENCE_KEYS_PATH ?= "${TOPDIR}/trustfence"
 # NXP keys
 TRUSTFENCE_DEK_ENCRYPT_KEYNAME ?= "dek.bin"
 # STM keys
-TRUSTFENCE_FIP_ENCRYPT_KEYNAME ?= "encryption_key_fip.bin"
+TRUSTFENCE_FIP_ENCRYPT_KEYNAME ?= "${TF_FIP_ENCRYPT_KEYNAME}"
 TRUSTFENCE_FSBL_ENCRYPT_KEYNAME ?= "encryption_key_fsbl.bin"
 TRUSTFENCE_RPROC_ENCRYPT_KEYNAME ?= "encryption_key_rproc.bin"
 
@@ -59,7 +59,9 @@ TRUSTFENCE_READ_ONLY_ROOTFS ?= "${@bb.utils.contains("IMAGE_FEATURES", "read-onl
 # Platform specific defaults
 TF_ENCRYPT = "1"
 TF_ENCRYPT:ccimx9 = "0"
-TF_ENCRYPT:ccmp1 = "0"
+TF_ENCRYPT:ccmp15 = "0"
+TF_FIP_ENCRYPT_KEYNAME = "encryption_key_fip.bin"
+TF_FIP_ENCRYPT_KEYNAME:ccmp13 = "encryption_key_fip.txt"
 TF_FILE_BASED_ENCRYPT = "0"
 TF_FILE_BASED_ENCRYPT:ccimx9 = "1"
 TF_FILE_BASED_ENCRYPT:ccmp1 = "1"
@@ -91,7 +93,9 @@ gen_pki_tree() {
 	if [ "${TRUSTFENCE_ENCRYPT}" = "1" ]; then
 		export CONFIG_FIP_ENCRYPT_KEYNAME="${TRUSTFENCE_FIP_ENCRYPT_KEYNAME}"
 		export CONFIG_FSBL_ENCRYPT_KEYNAME="${TRUSTFENCE_FSBL_ENCRYPT_KEYNAME}"
-		export CONFIG_RPROC_ENCRYPT_KEYNAME="${TRUSTFENCE_RPROC_ENCRYPT_KEYNAME}"
+		if [ "${DIGI_SOM}" = "ccmp25" ]; then
+			export CONFIG_RPROC_ENCRYPT_KEYNAME="${TRUSTFENCE_RPROC_ENCRYPT_KEYNAME}"
+		fi
 	fi
 	trustfence-gen-pki.sh -p ${DIGI_SOM}
 fi
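Review bot: A failed `hexdump` in the new ccmp13 branch leaves a truncated `${CONFIG_FIP_ENCRYPT_KEYNAME}` on disk, because the `>` redirection creates the file before the command runs and the error path only prints and exits; the next invocation then passes `[ ! -f ... ]` and silently keeps the broken key, and the second `hexdump` and the `printf` have the same exposure with a half-written file. Producing the key under a temporary name and renaming it into place only after all three writes succeed closes that window, as sketched below. Separately, the FIP key is the 16-byte FSBL key hex-encoded twice, so the 32-byte FIP key carries only the FSBL key's 128 bits of entropy and both artifacts fall together; if the STM32MP13 flow requires the two keys to match, a comment on the `echo "Generating encryption key for FIP"` line saying so would keep a later reader from replacing it with an independent key, and if it does not, an independently generated key is the safer default. Nothing checks that a pre-existing FSBL key file is actually 16 bytes, so a user-supplied key of another length yields a FIP key of the wrong size without any error. The if/elif chain opened here is closed in the next hunk.
```shell
# … unchanged: FSBL key generation …
if [ ! -f "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FIP_ENCRYPT_KEYNAME}" ]; then
	echo "Generating encryption key for FIP"
	fip_tmp="${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FIP_ENCRYPT_KEYNAME}.tmp"
	# Build the file under a temporary name so a failure cannot leave a
	# truncated key that the existence check above would accept next time.
	if ! {
		hexdump -e '/1 "%02x"' "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FSBL_ENCRYPT_KEYNAME}" &&
		hexdump -e '/1 "%02x"' "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FSBL_ENCRYPT_KEYNAME}" &&
		printf "\n"
	} > "${fip_tmp}"; then
		rm -f "${fip_tmp}"
		echo "[ERROR] Failed to generate 32-byte FIP encryption key"
		exit 1
	fi
	chmod 444 "${fip_tmp}"
	if ! mv "${fip_tmp}" "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FIP_ENCRYPT_KEYNAME}"; then
		echo "[ERROR] Failed to install FIP encryption key"
		exit 1
	fi
fi
```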
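Review bot: The `else` that now terminates the platform chain fires for every platform other than ccmp13 and ccmp25 whether or not any `CONFIG_*_ENCRYPT_KEYNAME` was exported; the context at the top of the previous hunk (`if [ "${PLATFORM}" = "ccmp15" ] || ...`) shows ccmp15 still reaches this script, and the bbclass in this patch sets `TF_ENCRYPT:ccmp15 = "0"`, so as far as the visible lines show a ccmp15 run would now always exit 1 with "Platform not supported". Before the patch that message was only reachable when the key names were set. Keeping that condition restores the old behaviour with a one-line change: replace `else` with `elif [ -n "${CONFIG_FSBL_ENCRYPT_KEYNAME}" ] || [ -n "${CONFIG_FIP_ENCRYPT_KEYNAME}" ] || [ -n "${CONFIG_RPROC_ENCRYPT_KEYNAME}" ]; then`. The chain being closed here starts in the previous hunk.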
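Review bot: `TF_FIP_ENCRYPT_KEYNAME:ccmp13 = "encryption_key_fip.txt"` switches the file extension without a word on why, and since `TRUSTFENCE_FIP_ENCRYPT_KEYNAME ?=` in the earlier hunk now resolves through it, a reader of this block cannot tell that the ccmp13 file is a hex-text key rather than the raw `.bin` used by the other platforms. A comment above the override such as `# ccmp13: hex-encoded text key, written by trustfence-gen-pki-stm.sh from the FSBL key` would record the coupling to the script changed in this same patch. Narrowing `TF_ENCRYPT:ccmp1 = "0"` to `TF_ENCRYPT:ccmp15 = "0"` presumably turns encryption on by default for ccmp13 builds, which matches the commit's intent but deserves a mention in the commit message since it changes the artifacts existing ccmp13 configurations produce.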