ccmp25: add Cortex-M33 signed firmware support

Enable signed firmware to prevent unauthenticated code on the Cortex-M33
co-processor by verifying images against OTP-stored keys.

https://onedigi.atlassian.net/browse/DEL-9813

Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>

meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-os-stm32mp/0001-ARM-dts-ccmp25-add-signed-firmware-support-for-RPROC.patch

@@ -0,0 +1,76 @@
+From: Arturo Buzarra <arturo.buzarra@digi.com>
+Date: Fri, 31 Oct 2025 09:26:02 +0100
+Subject: [PATCH] ARM: dts: ccmp25: add signed firmware support for RPROC
+
+Enable device-tree bindings required to load/authenticate signed
+Cortex-M33 firmware via remoteproc.
+
+https://onedigi.atlassian.net/browse/DEL-9813
+
+Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
+---
+ core/arch/arm/dts/ccmp25-dvk-rif.dtsi | 12 ++++++++++++
+ core/arch/arm/dts/ccmp25-dvk.dts      |  4 ++++
+ 2 files changed, 16 insertions(+)
+
+diff --git a/core/arch/arm/dts/ccmp25-dvk-rif.dtsi b/core/arch/arm/dts/ccmp25-dvk-rif.dtsi
+index f2f31dcdf..15121de46 100644
+--- a/core/arch/arm/dts/ccmp25-dvk-rif.dtsi
++++ b/core/arch/arm/dts/ccmp25-dvk-rif.dtsi
+@@ -869,6 +869,8 @@
+ 
+ &cm33_sram2 {
+ 	st,protreg = <RISABPROT(RIF_DDCID_DIS, RIF_UNUSED, RIF_NSEC, RIF_NPRIV, RIF_CFDIS, RIF_UNUSED, RIF_UNUSED, RIF_UNUSED)>;
++	access-controllers-conf-default = <&risab4 RISABPROT(RIF_DDCID_DIS, RIF_UNUSED, RIF_NSEC, RIF_UNUSED, RIF_CFEN, RIF_CID2_BF, RIF_CID2_BF, 0)>;
++	access-controllers-conf-load = <&risab4 RISABPROT(RIF_DDCID_DIS, RIF_UNUSED, RIF_SEC, RIF_PRIV, RIF_CFEN, RIF_CID1_BF, RIF_CID1_BF, RIF_CID1_BF)>;
+ };
+ 
+ &cm33_retram {
+@@ -948,22 +950,32 @@
+ 
+ &tfm_code {
+ 	st,protreg = <RISAFPROT(RISAF_REG_ID(1), RIF_CID2_BF, RIF_CID2_BF, RIF_UNUSED, RIF_SEC, RIF_ENC_EN, RIF_BREN_EN)>;
++	access-controllers-conf-default = <&risaf4 RISAFPROT(RISAF_REG_ID(1), RIF_CID2_BF, RIF_CID2_BF, RIF_UNUSED, RIF_NSEC, RIF_ENC_DIS, RIF_BREN_EN)>;
++	access-controllers-conf-load = <&risaf4 RISAFPROT(RISAF_REG_ID(1), RIF_CID1_BF, RIF_CID1_BF, RIF_PRIV, RIF_SEC, RIF_ENC_DIS, RIF_BREN_EN)>;
+ };
+ 
+ &cm33_cube_fw {
+ 	st,protreg = <RISAFPROT(RISAF_REG_ID(2), RIF_CID0_BF|RIF_CID1_BF|RIF_CID2_BF, RIF_CID0_BF|RIF_CID1_BF|RIF_CID2_BF, RIF_UNUSED, RIF_NSEC, RIF_ENC_DIS, RIF_BREN_EN)>;
++	access-controllers-conf-default = <&risaf4 RISAFPROT(RISAF_REG_ID(2), RIF_CID2_BF, RIF_CID2_BF, RIF_UNUSED, RIF_NSEC, RIF_ENC_DIS, RIF_BREN_EN)>;
++	access-controllers-conf-load = <&risaf4 RISAFPROT(RISAF_REG_ID(2), RIF_CID1_BF, RIF_CID1_BF, RIF_PRIV, RIF_SEC, RIF_ENC_DIS, RIF_BREN_EN)>;
+ };
+ 
+ &tfm_data {
+ 	st,protreg = <RISAFPROT(RISAF_REG_ID(3), RIF_CID2_BF, RIF_CID2_BF, RIF_UNUSED, RIF_SEC, RIF_ENC_EN, RIF_BREN_EN)>;
++	access-controllers-conf-default = <&risaf4 RISAFPROT(RISAF_REG_ID(3), RIF_CID2_BF, RIF_CID2_BF, RIF_UNUSED, RIF_NSEC, RIF_ENC_DIS, RIF_BREN_EN)>;
++	access-controllers-conf-load = <&risaf4 RISAFPROT(RISAF_REG_ID(3), RIF_CID1_BF, RIF_CID1_BF, RIF_PRIV, RIF_SEC, RIF_ENC_DIS, RIF_BREN_EN)>;
+ };
+ 
+ &cm33_cube_data {
+ 	st,protreg = <RISAFPROT(RISAF_REG_ID(4), RIF_CID0_BF|RIF_CID1_BF|RIF_CID2_BF, RIF_CID0_BF|RIF_CID1_BF|RIF_CID2_BF, RIF_UNUSED, RIF_NSEC, RIF_ENC_DIS, RIF_BREN_EN)>;
++	access-controllers-conf-default = <&risaf4 RISAFPROT(RISAF_REG_ID(4), RIF_CID2_BF, RIF_CID2_BF, RIF_UNUSED, RIF_NSEC, RIF_ENC_DIS, RIF_BREN_EN)>;
++	access-controllers-conf-load = <&risaf4 RISAFPROT(RISAF_REG_ID(4), RIF_CID1_BF, RIF_CID1_BF, RIF_PRIV, RIF_SEC, RIF_ENC_DIS, RIF_BREN_EN)>;
+ };
+ 
+ &ipc_shmem {
+ 	st,protreg = <RISAFPROT(RISAF_REG_ID(5), RIF_CID0_BF|RIF_CID1_BF|RIF_CID2_BF, RIF_CID0_BF|RIF_CID1_BF|RIF_CID2_BF, RIF_UNUSED, RIF_NSEC, RIF_ENC_DIS, RIF_BREN_EN)>;
++	access-controllers-conf-default = <&risaf4 RISAFPROT(RISAF_REG_ID(5), RIF_CID1_BF|RIF_CID2_BF, RIF_CID1_BF|RIF_CID2_BF, RIF_UNUSED, RIF_NSEC, RIF_ENC_DIS, RIF_BREN_EN)>;
++	access-controllers-conf-load = <&risaf4 RISAFPROT(RISAF_REG_ID(5), RIF_CID1_BF, RIF_CID1_BF, RIF_PRIV, RIF_SEC, RIF_ENC_DIS, RIF_BREN_EN)>;
+ };
+ 
+ &spare1 {
+diff --git a/core/arch/arm/dts/ccmp25-dvk.dts b/core/arch/arm/dts/ccmp25-dvk.dts
+index 7292b9be8..3ce64ccff 100644
+--- a/core/arch/arm/dts/ccmp25-dvk.dts
++++ b/core/arch/arm/dts/ccmp25-dvk.dts
+@@ -437,6 +437,10 @@
+ 
+ &m33_rproc {
+ 	status = "okay";
++	compatible = "st,stm32mp2-m33-tee";
++	memory-region = <&cm33_cube_fw>, <&cm33_cube_data>,
++			<&ipc_shmem>, <&tfm_code>, <&tfm_data>,
++			<&cm33_sram2>;
+ };
+ 
+ &ommanager {

meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-os-stm32mp_4.0.0.bbappend

@@ -2,6 +2,8 @@
 # Copyright (C) 2022-2025, Digi International Inc.
 #
 
+FILESEXTRAPATHS:prepend := "${THISDIR}/${BPN}:"
+
 # Inherit custom DIGI sign class to skip signing tool and key parsing restrictions
 inherit sign-stm32mp-digi
 
@@ -17,3 +19,10 @@ SRC_URI = " \
     ${OPTEE_GIT_URI};branch=${SRCBRANCH};name=os \
     file://fonts.tar.gz;subdir=git;name=fonts \
 "
+
+SRC_URI:append:ccmp25 = " \
+    ${@oe.utils.conditional('TRUSTFENCE_ENABLED', '1' , 'file://0001-ARM-dts-ccmp25-add-signed-firmware-support-for-RPROC.patch', '', d)} \
+"
+
+# Enable remoteproc OTP public key verification for signed firmware support
+EXTRA_OEMAKE:append:ccmp25 = " ${@oe.utils.conditional('TRUSTFENCE_ENABLED', '1', 'CFG_REMOTEPROC_PUB_KEY_VERIFY=y', '', d)}"

meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccmp25-dvk/0001-ARM-dts-ccmp25-add-signed-firmware-support-for-RPROC.patch

@@ -0,0 +1,32 @@
+From: Arturo Buzarra <arturo.buzarra@digi.com>
+Date: Thu, 30 Oct 2025 14:35:29 +0100
+Subject: [PATCH] ARM: dts: ccmp25: add signed firmware support for RPROC
+
+Declare only the shared memory used for inter-processor communication
+(including the resource table) to allow remoteproc to load/authenticate signed
+Cortex-M33 firmware.
+
+https://onedigi.atlassian.net/browse/DEL-9813
+
+Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
+---
+ arch/arm/dts/ccmp25.dtsi | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/arch/arm/dts/ccmp25.dtsi b/arch/arm/dts/ccmp25.dtsi
+index 913eac366b9..51b65f2408a 100644
+--- a/arch/arm/dts/ccmp25.dtsi
++++ b/arch/arm/dts/ccmp25.dtsi
+@@ -246,11 +246,8 @@
+ &m33_rproc {
+ 	mboxes = <&ipcc1 0x100>, <&ipcc1 0x101>, <&ipcc1 2>;
+ 	mbox-names = "vq0", "vq1", "shutdown";
+-	memory-region = <&cm33_cube_fw>, <&cm33_cube_data>,
+-			<&ipc_shmem_1>, <&vdev0vring0>,
+-			<&vdev0vring1>, <&vdev0buffer>,
+-			<&cm33_sram2>;
+-	st,syscfg-nsvtor = <&a35ss_syscfg 0xa8 0xffffff80>;
++	compatible = "st,stm32mp2-m33-tee";
++	memory-region = <&vdev0vring0>, <&vdev0vring1>, <&vdev0buffer>, <&ipc_shmem_1>;
+ 	status = "okay";
+ };

meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2023.10.bb

@@ -13,6 +13,10 @@ SRC_URI += " \
     ${@oe.utils.conditional('TRUSTFENCE_SIGN_FIT_STM', '1', 'file://fit_signature.cfg', '', d)} \
 "
 
+SRC_URI:append:ccmp25 = " \
+    ${@oe.utils.conditional('TRUSTFENCE_ENABLED', '1' , 'file://0001-ARM-dts-ccmp25-add-signed-firmware-support-for-RPROC.patch', '', d)} \
+"
+
 install_helper_files() {
 	# Install dtbs from UBOOT_DEVICETREE to datadir, so that kernel
 	# can use it for signing, and kernel will deploy after signs it.

meta-digi-arm/recipes-kernel/linux/linux-dey/ccmp2/0001-ARM64-dts-ccmp25-add-signed-firmware-support-for-RPR.patch

@@ -0,0 +1,32 @@
+From: Arturo Buzarra <arturo.buzarra@digi.com>
+Date: Thu, 30 Oct 2025 14:15:14 +0100
+Subject: [PATCH] ARM64: dts: ccmp25: add signed firmware support for RPROC
+
+Declare only the shared memory used for inter-processor communication
+(including the resource table) to allow remoteproc to load/authenticate signed
+Cortex-M33 firmware.
+
+https://onedigi.atlassian.net/browse/DEL-9813
+
+Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
+---
+ arch/arm64/boot/dts/digi/ccmp25.dtsi | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/digi/ccmp25.dtsi b/arch/arm64/boot/dts/digi/ccmp25.dtsi
+index 153726203533..89f5bf75fd9f 100644
+--- a/arch/arm64/boot/dts/digi/ccmp25.dtsi
++++ b/arch/arm64/boot/dts/digi/ccmp25.dtsi
+@@ -346,11 +346,8 @@ &m0_rproc {
+ &m33_rproc {
+ 	mboxes = <&ipcc1 0x100>, <&ipcc1 0x101>, <&ipcc1 2>;
+ 	mbox-names = "vq0", "vq1", "shutdown";
+-	memory-region = <&cm33_cube_fw>, <&cm33_cube_data>,
+-			<&ipc_shmem_1>, <&vdev0vring0>,
+-			<&vdev0vring1>, <&vdev0buffer>,
+-			<&cm33_sram2>;
+-	st,syscfg-nsvtor = <&a35ss_syscfg 0xa8 0xffffff80>;
++	compatible = "st,stm32mp2-m33-tee";
++	memory-region = <&vdev0vring0>, <&vdev0vring1>, <&vdev0buffer>, <&ipc_shmem_1>;
+ 	status = "okay";
+ };

meta-digi-arm/recipes-kernel/linux/linux-dey_6.6.bb

@@ -21,6 +21,10 @@ SRC_URI:append = " \
     ${@bb.utils.contains('DISTRO_FEATURES', 'rt', '${RT_FILES}', '', d)} \
 "
 
+SRC_URI:append:ccmp25 = " \
+    ${@oe.utils.conditional('TRUSTFENCE_ENABLED', '1' , 'file://0001-ARM64-dts-ccmp25-add-signed-firmware-support-for-RPR.patch', '', d)} \
+"
+
 # Define RT config fragments per machine
 RT_CONFIG_FRAGS:use-nxp-bsp = " ${WORKDIR}/fragment-nxp-rt.config"
 RT_CONFIG_FRAGS:stm32mpcommon = " \