tf-a-stm32mp: force verbose hexdump for FIP encryption key

When TrustFence encryption is enabled, the TF-A recipe converts the
binary FIP encryption key to a hexadecimal string and passes it to the
TF-A build as ENC_KEY.

hexdump suppresses repeated output by default and emits '*' when it folds
duplicate data. If that happens while converting the key, the generated
ENC_KEY contains the '*' marker instead of the full hex string. The
malformed value then breaks the make command line, and make can interpret
the remaining key fragment as a target, failing for example with:

make ... ENC_KEY=13eb911dfcc316b1b99bbbbf10a7000c3055e863* 166d3c8c9cd6f888b720a9 all
make: *** No rule to make target '166d3c8c9cd6f888b720a9'.  Stop.

Use hexdump -v so every byte of the binary key is emitted and ENC_KEY is
always a complete, contiguous hex string.

https://onedigi.atlassian.net/browse/DEL-10115

Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Javier Viguera 2026-05-11 12:25:02 +02:00
parent 351a8df4ef
commit 8293eddb57
1 changed files with 1 additions and 1 deletions


@ -212,7 +212,7 @@ do_compile() {
# The encryption key is already available in hexadecimal format, so just extract it from file
encrypt_key="$(cat ${encrypt_key})"
else
encrypt_key="$(hexdump -e '/1 "%02x"' ${encrypt_key})"
encrypt_key="$(hexdump -ve '/1 "%02x"' "${encrypt_key}")"
fi
encrypt_extra_opt="ENC_KEY=${encrypt_key}"
fi
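
Review bot: The value assigned to encrypt_key is still not validated before it is spliced into `encrypt_extra_opt="ENC_KEY=${encrypt_key}"`, so the fix covers the hexdump branch only. The other branch, `encrypt_key="$(cat ${encrypt_key})"`, reads a file that is assumed to already be hex; if that file contains a space, an interior newline or any non-hex character, the make command line breaks in the same way the commit message describes. Consider a check after the inner `fi` that the string consists solely of hex digits and has the expected key length, and fail do_compile with a clear error otherwise. The `${encrypt_key}` path in the `cat` line is also left unquoted, while the changed line now quotes it; quoting both keeps the two branches consistent. Separately, because the key is passed as a make argument, it appears in the build log, as the failure output quoted in the commit message shows, so it is worth confirming that those logs are treated as sensitive.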