trustfence: use conditionals for NXP-specific stuff

Set TRUSTFENCE_DEK_PATH to "0" for CCMP1 (which does not use dek.bin), as if
it were disabled.
Temporarily set TRUSTFENCE_ENCRYPT_ENVIRONMENT to "0" for CCMP1 until
environment encryption is fully supported.

Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Hector Palacios 2023-02-06 12:17:40 +01:00
parent 3229e37e88
commit 74ed606339
3 changed files with 49 additions and 38 deletions


@ -27,6 +27,7 @@ do_configure[noexec] = "1"
do_compile[noexec] = "1"
do_install() {
if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then
install -d ${D}${bindir}/csf_templates
if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
install -m 0755 sign_ahab ${D}${bindir}/csf_templates/
@ -38,8 +39,9 @@ do_install() {
bberror "Unkown TRUSTFENCE_SIGN_MODE value"
exit 1
fi
install -m 0755 trustfence-sign-artifact.sh ${D}${bindir}/
install -m 0755 git/scripts/csf_templates/* ${D}${bindir}/csf_templates
install -m 0755 trustfence-sign-artifact.sh ${D}${bindir}/
# Select U-Boot sign script depending on U-Boot including an SPL image
if [ -n "${SPL_BINARY}" ]; then
@ -47,6 +49,7 @@ do_install() {
else
install -m 0755 git/scripts/sign.sh ${D}${bindir}/trustfence-sign-uboot.sh
fi
fi
}
FILES:${PN} = "${bindir}"
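Review bot: With every install step of do_install now inside `if [ "${DEY_SOC_VENDOR}" = "NXP" ]`, any other vendor gets a package without `trustfence-sign-artifact.sh` or the U-Boot sign script, and the build log says nothing about it. If signing is still enabled for such a platform, the failure would presumably surface only later, when a recipe tries to call the missing script (the callers are not on this page). An `else` branch such as `bbwarn "No TrustFence signing tools are installed for DEY_SOC_VENDOR=${DEY_SOC_VENDOR}"` would make the gap visible, and a one-line comment above the new `if` should say that the tools below are the NXP HAB/AHAB ones.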


@ -22,7 +22,9 @@ TRUSTFENCE_CONSOLE_DISABLE ?= "0"
TRUSTFENCE_SIGN ?= "1"
TRUSTFENCE_SIGN_KEYS_PATH ?= "default"
TRUSTFENCE_DEK_PATH ?= "default"
TRUSTFENCE_DEK_PATH:ccmp1 ?= "0"
TRUSTFENCE_ENCRYPT_ENVIRONMENT ?= "1"
TRUSTFENCE_ENCRYPT_ENVIRONMENT:ccmp1 ?= "0"
TRUSTFENCE_SRK_REVOKE_MASK ?= "0x0"
# Partition encryption configuration
@ -52,6 +54,7 @@ python () {
if (d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") == "default"):
d.setVar("TRUSTFENCE_SIGN_KEYS_PATH", d.getVar("TOPDIR") + "/trustfence");
if (d.getVar("DEY_SOC_VENDOR") == "NXP"):
if (d.getVar("TRUSTFENCE_DEK_PATH") == "default"):
d.setVar("TRUSTFENCE_DEK_PATH", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") + "/dek.bin");
@ -65,11 +68,13 @@ python () {
d.appendVar("UBOOT_TF_CONF", "CONFIG_UNLOCK_SRK_REVOKE=y ")
if d.getVar("TRUSTFENCE_KEY_INDEX"):
d.appendVar("UBOOT_TF_CONF", "CONFIG_KEY_INDEX=%s " % d.getVar("TRUSTFENCE_KEY_INDEX"))
if (d.getVar("DEY_SOC_VENDOR") == "NXP"):
if (d.getVar("TRUSTFENCE_DEK_PATH") not in [None, "0"]):
d.appendVar("UBOOT_TF_CONF", 'CONFIG_DEK_PATH="%s" ' % d.getVar("TRUSTFENCE_DEK_PATH"))
if d.getVar("TRUSTFENCE_SIGN_MODE"):
d.appendVar("UBOOT_TF_CONF", 'CONFIG_SIGN_MODE="%s" ' % d.getVar("TRUSTFENCE_SIGN_MODE"))
if (d.getVar("TRUSTFENCE_ENCRYPT_ENVIRONMENT") == "1"):
if (d.getVar("DEY_SOC_VENDOR") == "NXP"):
d.appendVar("UBOOT_TF_CONF", "CONFIG_ENV_AES=y CONFIG_ENV_AES_CAAM_KEY=y ")
# Provide sane default values for SWUPDATE class in case Trustfence is enabled
@ -87,6 +92,7 @@ python () {
key_index_1 = key_index + 1
# Set the private key template, it will be expanded later in 'swu' recipes once keys are generated.
if (d.getVar("DEY_SOC_VENDOR") == "NXP"):
if (d.getVar("TRUSTFENCE_SIGN_MODE", "") == "AHAB"):
d.setVar("SWUPDATE_PRIVATE_KEY_TEMPLATE", keys_path + "/keys/SRK" + str(key_index_1) + "*key.pem")
d.setVar("CONFIG_SIGN_MODE", "AHAB")
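Review bot: Environment encryption is dropped without any message on non-NXP platforms: inside the `TRUSTFENCE_ENCRYPT_ENVIRONMENT == "1"` branch the new `DEY_SOC_VENDOR == "NXP"` test has no `else`, so a configuration that asks for encryption produces a U-Boot config without `CONFIG_ENV_AES` and nothing in the log. The new `TRUSTFENCE_ENCRYPT_ENVIRONMENT:ccmp1 ?= "0"` default has a similar effect, because the machine-override value takes precedence over a plain `TRUSTFENCE_ENCRYPT_ENVIRONMENT = "1"` set in local.conf. I would add `else: bb.warn("TRUSTFENCE_ENCRYPT_ENVIRONMENT is set but U-Boot environment encryption is not supported for this SoC vendor")`, and put a comment on the ccmp1 default stating that it is temporary and that the environment is stored unencrypted until it is removed. The anonymous python function starts and ends outside these hunks.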


@ -47,6 +47,7 @@ do_install() {
KEY_INDEX_1=$(expr ${KEY_INDEX} + 1)
# Find the certificate to use.
if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then
if [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/IMG${KEY_INDEX_1}*crt.pem)"
elif [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
@ -55,6 +56,7 @@ do_install() {
bberror "Unkown TRUSTFENCE_SIGN_MODE value"
exit 1
fi
fi
# Extract the public key from the certificate.
install -d ${D}${sysconfdir}/ssl/certs
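Review bot: `CERT_IMG` is assigned only inside the new `if [ "${DEY_SOC_VENDOR}" = "NXP" ]` block, but the "Extract the public key from the certificate" step after the closing `fi` still runs for every vendor. On a non-NXP platform that step would then work with an empty certificate path, so the image could fail to build or end up without the key used to verify updates (the extraction code itself is outside the hunk, so this is inferred). An `else` branch should either select the certificate for the other vendor or stop the build, for example `bbfatal "No signing certificate defined for DEY_SOC_VENDOR=${DEY_SOC_VENDOR}"`. do_install continues past the end of the hunk.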