diff --git a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-os-stm32mp/0001-ARM-dts-ccmp25-add-signed-firmware-support-for-RPROC.patch b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-os-stm32mp/0001-ARM-dts-ccmp25-add-signed-firmware-support-for-RPROC.patch
new file mode 100644
index 000000000..dc1679b5c
--- /dev/null
+++ b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-os-stm32mp/0001-ARM-dts-ccmp25-add-signed-firmware-support-for-RPROC.patch
@@ -0,0 +1,76 @@
+From: Arturo Buzarra
+Date: Fri, 31 Oct 2025 09:26:02 +0100
+Subject: [PATCH] ARM: dts: ccmp25: add signed firmware support for RPROC
+
+Enable device-tree bindings required to load/authenticate signed
+Cortex-M33 firmware via remoteproc.
+
+https://onedigi.atlassian.net/browse/DEL-9813
+
+Signed-off-by: Arturo Buzarra
+---
+ core/arch/arm/dts/ccmp25-dvk-rif.dtsi | 12 ++++++++++++
+ core/arch/arm/dts/ccmp25-dvk.dts | 4 ++++
+ 2 files changed, 16 insertions(+)
+
+diff --git a/core/arch/arm/dts/ccmp25-dvk-rif.dtsi b/core/arch/arm/dts/ccmp25-dvk-rif.dtsi
+index f2f31dcdf..15121de46 100644
+--- a/core/arch/arm/dts/ccmp25-dvk-rif.dtsi
++++ b/core/arch/arm/dts/ccmp25-dvk-rif.dtsi
+@@ -869,6 +869,8 @@
+
+ &cm33_sram2 {
+ st,protreg = ;
++ access-controllers-conf-default = <&risab4 RISABPROT(RIF_DDCID_DIS, RIF_UNUSED, RIF_NSEC, RIF_UNUSED, RIF_CFEN, RIF_CID2_BF, RIF_CID2_BF, 0)>;
++ access-controllers-conf-load = <&risab4 RISABPROT(RIF_DDCID_DIS, RIF_UNUSED, RIF_SEC, RIF_PRIV, RIF_CFEN, RIF_CID1_BF, RIF_CID1_BF, RIF_CID1_BF)>;
+ };
+
+ &cm33_retram {
+@@ -948,22 +950,32 @@
+
+ &tfm_code {
+ st,protreg = ;
++ access-controllers-conf-default = <&risaf4 RISAFPROT(RISAF_REG_ID(1), RIF_CID2_BF, RIF_CID2_BF, RIF_UNUSED, RIF_NSEC, RIF_ENC_DIS, RIF_BREN_EN)>;
++ access-controllers-conf-load = <&risaf4 RISAFPROT(RISAF_REG_ID(1), RIF_CID1_BF, RIF_CID1_BF, RIF_PRIV, RIF_SEC, RIF_ENC_DIS, RIF_BREN_EN)>;
+ };
+
+ &cm33_cube_fw {
+ st,protreg = ;
++ access-controllers-conf-default = <&risaf4 RISAFPROT(RISAF_REG_ID(2), RIF_CID2_BF, RIF_CID2_BF, RIF_UNUSED, RIF_NSEC, RIF_ENC_DIS, RIF_BREN_EN)>;
++ access-controllers-conf-load = <&risaf4 RISAFPROT(RISAF_REG_ID(2), RIF_CID1_BF, RIF_CID1_BF, RIF_PRIV, RIF_SEC, RIF_ENC_DIS, RIF_BREN_EN)>;
+ };
+
+ &tfm_data {
+ st,protreg = ;
++ access-controllers-conf-default = <&risaf4 RISAFPROT(RISAF_REG_ID(3), RIF_CID2_BF, RIF_CID2_BF, RIF_UNUSED, RIF_NSEC, RIF_ENC_DIS, RIF_BREN_EN)>;
++ access-controllers-conf-load = <&risaf4 RISAFPROT(RISAF_REG_ID(3), RIF_CID1_BF, RIF_CID1_BF, RIF_PRIV, RIF_SEC, RIF_ENC_DIS, RIF_BREN_EN)>;
+ };
+
+ &cm33_cube_data {
+ st,protreg = ;
++ access-controllers-conf-default = <&risaf4 RISAFPROT(RISAF_REG_ID(4), RIF_CID2_BF, RIF_CID2_BF, RIF_UNUSED, RIF_NSEC, RIF_ENC_DIS, RIF_BREN_EN)>;
++ access-controllers-conf-load = <&risaf4 RISAFPROT(RISAF_REG_ID(4), RIF_CID1_BF, RIF_CID1_BF, RIF_PRIV, RIF_SEC, RIF_ENC_DIS, RIF_BREN_EN)>;
+ };
+
+ &ipc_shmem {
+ st,protreg = ;
++ access-controllers-conf-default = <&risaf4 RISAFPROT(RISAF_REG_ID(5), RIF_CID1_BF|RIF_CID2_BF, RIF_CID1_BF|RIF_CID2_BF, RIF_UNUSED, RIF_NSEC, RIF_ENC_DIS, RIF_BREN_EN)>;
++ access-controllers-conf-load = <&risaf4 RISAFPROT(RISAF_REG_ID(5), RIF_CID1_BF, RIF_CID1_BF, RIF_PRIV, RIF_SEC, RIF_ENC_DIS, RIF_BREN_EN)>;
+ };
+
+ &spare1 {
+diff --git a/core/arch/arm/dts/ccmp25-dvk.dts b/core/arch/arm/dts/ccmp25-dvk.dts
+index 7292b9be8..3ce64ccff 100644
+--- a/core/arch/arm/dts/ccmp25-dvk.dts
++++ b/core/arch/arm/dts/ccmp25-dvk.dts
+@@ -437,6 +437,10 @@
+
+ &m33_rproc {
+ status = "okay";
++ compatible = "st,stm32mp2-m33-tee";
++ memory-region = <&cm33_cube_fw>, <&cm33_cube_data>,
++ <&ipc_shmem>, <&tfm_code>, <&tfm_data>,
++ <&cm33_sram2>;
+ };
+
+ &ommanager {
diff --git a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-os-stm32mp_4.0.0.bbappend b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-os-stm32mp_4.0.0.bbappend
index 1d508f1df..bec2e0251 100644
--- a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-os-stm32mp_4.0.0.bbappend
+++ b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-os-stm32mp_4.0.0.bbappend
@@ -2,6 +2,8 @@ # Copyright (C) 2022-2025, Digi International Inc. # +FILESEXTRAPATHS:prepend := "${THISDIR}/${BPN}:" + # Inherit custom DIGI sign class to skip signing tool and key parsing restrictions inherit sign-stm32mp-digi
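Review bot: In the `ccmp25-dvk-rif.dtsi` part of the OP-TEE patch, `&tfm_code` and `&tfm_data` get the same `access-controllers-conf-default` attributes as `&cm33_cube_fw` and `&cm33_cube_data` (`RIF_NSEC`, `RIF_CID2_BF` only), so outside the load window the RISAF treats all four regions alike as non-secure CID2 memory. If the tfm regions are meant to hold a secure-side image, which is only a guess from the labels, nothing in this file separates them from the non-secure firmware regions; please confirm the non-secure default is intended. The new property pairs also carry no explanation of when each set is applied. A comment above the first pair, for example `/* conf-load: secure, privileged, CID1 only while the image is loaded; conf-default: restored for run time */`, would make the intent reviewable, with the wording checked against the driver because that lifecycle is inferred from the property names.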
@@ -17,3 +19,10 @@ SRC_URI = " \
 ${OPTEE_GIT_URI};branch=${SRCBRANCH};name=os \
 file://fonts.tar.gz;subdir=git;name=fonts \
 "
+
+SRC_URI:append:ccmp25 = " \
+ ${@oe.utils.conditional('TRUSTFENCE_ENABLED', '1' , 'file://0001-ARM-dts-ccmp25-add-signed-firmware-support-for-RPROC.patch', '', d)} \
+"
+
+# Enable remoteproc OTP public key verification for signed firmware support
+EXTRA_OEMAKE:append:ccmp25 = " ${@oe.utils.conditional('TRUSTFENCE_ENABLED', '1', 'CFG_REMOTEPROC_PUB_KEY_VERIFY=y', '', d)}"
diff --git a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccmp25-dvk/0001-ARM-dts-ccmp25-add-signed-firmware-support-for-RPROC.patch b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccmp25-dvk/0001-ARM-dts-ccmp25-add-signed-firmware-support-for-RPROC.patch
new file mode 100644
index 000000000..d910e2096
--- /dev/null
+++ b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccmp25-dvk/0001-ARM-dts-ccmp25-add-signed-firmware-support-for-RPROC.patch
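Review bot: In `optee-os-stm32mp_4.0.0.bbappend`, the comment on `EXTRA_OEMAKE:append:ccmp25` says the remoteproc public key is verified against OTP, but nothing visible in this commit says where that OTP value is provisioned or what OP-TEE does on a module where it has not been programmed. I would extend the comment, e.g. `# Requires the remoteproc public key material to be programmed in OTP (see <provisioning doc>)`, and confirm that an unprogrammed module rejects the firmware rather than loading it. Separately, this patch, `CFG_REMOTEPROC_PUB_KEY_VERIFY=y` and the U-Boot and kernel patches added in `u-boot-dey_2023.10.bb` and `linux-dey_6.6.bb` are each gated by their own copy of the `TRUSTFENCE_ENABLED` equals `'1'` test, although the three device-tree changes appear to work only as a set. A one-line comment in each recipe naming the other two would keep them from drifting apart.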
@@ -0,0 +1,32 @@
+From: Arturo Buzarra
+Date: Thu, 30 Oct 2025 14:35:29 +0100
+Subject: [PATCH] ARM: dts: ccmp25: add signed firmware support for RPROC
+
+Declare only the shared memory used for inter-processor communication
+(including the resource table) to allow remoteproc to load/authenticate signed
+Cortex-M33 firmware.
+
+https://onedigi.atlassian.net/browse/DEL-9813
+
+Signed-off-by: Arturo Buzarra
+---
+ arch/arm/dts/ccmp25.dtsi | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/arch/arm/dts/ccmp25.dtsi b/arch/arm/dts/ccmp25.dtsi
+index 913eac366b9..51b65f2408a 100644
+--- a/arch/arm/dts/ccmp25.dtsi
++++ b/arch/arm/dts/ccmp25.dtsi
+@@ -246,11 +246,8 @@
+ &m33_rproc {
+ mboxes = <&ipcc1 0x100>, <&ipcc1 0x101>, <&ipcc1 2>;
+ mbox-names = "vq0", "vq1", "shutdown";
+- memory-region = <&cm33_cube_fw>, <&cm33_cube_data>,
+- <&ipc_shmem_1>, <&vdev0vring0>,
+- <&vdev0vring1>, <&vdev0buffer>,
+- <&cm33_sram2>;
+- st,syscfg-nsvtor = <&a35ss_syscfg 0xa8 0xffffff80>;
++ compatible = "st,stm32mp2-m33-tee";
++ memory-region = <&vdev0vring0>, <&vdev0vring1>, <&vdev0buffer>, <&ipc_shmem_1>;
+ status = "okay";
+ };
diff --git a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2023.10.bb b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2023.10.bb
index 2a25a9d10..adc47c11f 100644
--- a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2023.10.bb
+++ b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2023.10.bb
@@ -13,6 +13,10 @@ SRC_URI += " \ ${@oe.utils.conditional('TRUSTFENCE_SIGN_FIT_STM', '1', 'file://fit_signature.cfg', '', d)} \ " +SRC_URI:append:ccmp25 = " \ + ${@oe.utils.conditional('TRUSTFENCE_ENABLED', '1' , 'file://0001-ARM-dts-ccmp25-add-signed-firmware-support-for-RPROC.patch', '', d)} \ +" + install_helper_files() { # Install dtbs from UBOOT_DEVICETREE to datadir, so that kernel # can use it for signing, and kernel will deploy after signs it.
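Review bot: The hunk embedded in the U-Boot patch is headed `@@ -246,11 +246,8 @@`, but the body as shown here has 10 old-side and 7 new-side lines, one context line short on each side; the kernel patch added under `linux-dey/ccmp2/` shows the same mismatch for `@@ -346,11 +346,8 @@`. It looks as if a trailing blank context line was trimmed when the patches were cleaned up. Strict appliers such as `git apply` may reject a hunk whose body does not match its header, so it is worth regenerating both patches or confirming they apply without fuzz using the tool the recipes use. Separately, this patch sits in `u-boot-dey/ccmp25-dvk/` while it is added through `SRC_URI:append:ccmp25` and edits the shared `ccmp25.dtsi`, so a ccmp25 machine other than the DVK, if one exists, would not find the file.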
diff --git a/meta-digi-arm/recipes-kernel/linux/linux-dey/ccmp2/0001-ARM64-dts-ccmp25-add-signed-firmware-support-for-RPR.patch b/meta-digi-arm/recipes-kernel/linux/linux-dey/ccmp2/0001-ARM64-dts-ccmp25-add-signed-firmware-support-for-RPR.patch
new file mode 100644
index 000000000..33862daaa
--- /dev/null
+++ b/meta-digi-arm/recipes-kernel/linux/linux-dey/ccmp2/0001-ARM64-dts-ccmp25-add-signed-firmware-support-for-RPR.patch
@@ -0,0 +1,32 @@
+From: Arturo Buzarra
+Date: Thu, 30 Oct 2025 14:15:14 +0100
+Subject: [PATCH] ARM64: dts: ccmp25: add signed firmware support for RPROC
+
+Declare only the shared memory used for inter-processor communication
+(including the resource table) to allow remoteproc to load/authenticate signed
+Cortex-M33 firmware.
+
+https://onedigi.atlassian.net/browse/DEL-9813
+
+Signed-off-by: Arturo Buzarra
+---
+ arch/arm64/boot/dts/digi/ccmp25.dtsi | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/digi/ccmp25.dtsi b/arch/arm64/boot/dts/digi/ccmp25.dtsi
+index 153726203533..89f5bf75fd9f 100644
+--- a/arch/arm64/boot/dts/digi/ccmp25.dtsi
++++ b/arch/arm64/boot/dts/digi/ccmp25.dtsi
+@@ -346,11 +346,8 @@ &m0_rproc {
+ &m33_rproc {
+ mboxes = <&ipcc1 0x100>, <&ipcc1 0x101>, <&ipcc1 2>;
+ mbox-names = "vq0", "vq1", "shutdown";
+- memory-region = <&cm33_cube_fw>, <&cm33_cube_data>,
+- <&ipc_shmem_1>, <&vdev0vring0>,
+- <&vdev0vring1>, <&vdev0buffer>,
+- <&cm33_sram2>;
+- st,syscfg-nsvtor = <&a35ss_syscfg 0xa8 0xffffff80>;
++ compatible = "st,stm32mp2-m33-tee";
++ memory-region = <&vdev0vring0>, <&vdev0vring1>, <&vdev0buffer>, <&ipc_shmem_1>;
+ status = "okay";
+ };
diff --git a/meta-digi-arm/recipes-kernel/linux/linux-dey_6.6.bb b/meta-digi-arm/recipes-kernel/linux/linux-dey_6.6.bb
index 685438ef8..83f41434f 100644
--- a/meta-digi-arm/recipes-kernel/linux/linux-dey_6.6.bb
+++ b/meta-digi-arm/recipes-kernel/linux/linux-dey_6.6.bb
@@ -21,6 +21,10 @@ SRC_URI:append = " \ ${@bb.utils.contains('DISTRO_FEATURES', 'rt', '${RT_FILES}', '', d)} \ " +SRC_URI:append:ccmp25 = " \ + ${@oe.utils.conditional('TRUSTFENCE_ENABLED', '1' , 'file://0001-ARM64-dts-ccmp25-add-signed-firmware-support-for-RPR.patch', '', d)} \ +" + # Define RT config fragments per machine RT_CONFIG_FRAGS:use-nxp-bsp = " ${WORKDIR}/fragment-nxp-rt.config" RT_CONFIG_FRAGS:stm32mpcommon = " \