trustfence: make co-processor secure firmware optional

Introduce a configurable variable to enable/disable secure co-processor firmware when TrustFence is enabled. https://onedigi.atlassian.net/browse/DEL-9813 Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
2025-12-03 09:07:22 +01:00 · 2025-12-03 09:07:22 +01:00 · 98c3e6427b
parent 08637debae
commit 98c3e6427b
4 changed files with 7 additions and 4 deletions
--- a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-os-stm32mp_4.0.0.bbappend
+++ b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-os-stm32mp_4.0.0.bbappend
@ -21,8 +21,8 @@ SRC_URI = " \
 "

 SRC_URI:append:ccmp25 = " \
-    ${@oe.utils.conditional('TRUSTFENCE_ENABLED', '1' , 'file://0001-ARM-dts-ccmp25-add-signed-firmware-support-for-RPROC.patch', '', d)} \
+    ${@oe.utils.conditional('TRUSTFENCE_COPRO_ENABLED', '1' , 'file://0001-ARM-dts-ccmp25-add-signed-firmware-support-for-RPROC.patch', '', d)} \
 "

 # Enable remoteproc OTP public key verification for signed firmware support
-EXTRA_OEMAKE:append:ccmp25 = " ${@oe.utils.conditional('TRUSTFENCE_ENABLED', '1', 'CFG_REMOTEPROC_PUB_KEY_VERIFY=y', '', d)}"
+EXTRA_OEMAKE:append:ccmp25 = " ${@oe.utils.conditional('TRUSTFENCE_COPRO_ENABLED', '1', 'CFG_REMOTEPROC_PUB_KEY_VERIFY=y', '', d)}"
--- a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2023.10.bb
+++ b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2023.10.bb
@ -14,7 +14,7 @@ SRC_URI += " \
 "

 SRC_URI:append:ccmp25 = " \
-    ${@oe.utils.conditional('TRUSTFENCE_ENABLED', '1' , 'file://0001-ARM-dts-ccmp25-add-signed-firmware-support-for-RPROC.patch', '', d)} \
+    ${@oe.utils.conditional('TRUSTFENCE_COPRO_ENABLED', '1' , 'file://0001-ARM-dts-ccmp25-add-signed-firmware-support-for-RPROC.patch', '', d)} \
 "

 install_helper_files() {
--- a/meta-digi-arm/recipes-kernel/linux/linux-dey_6.6.bb
+++ b/meta-digi-arm/recipes-kernel/linux/linux-dey_6.6.bb
@ -23,7 +23,7 @@ SRC_URI:append = " \
 "

 SRC_URI:append:ccmp25 = " \
-    ${@oe.utils.conditional('TRUSTFENCE_ENABLED', '1' , 'file://0001-ARM64-dts-ccmp25-add-signed-firmware-support-for-RPR.patch', '', d)} \
+    ${@oe.utils.conditional('TRUSTFENCE_COPRO_ENABLED', '1' , 'file://0001-ARM64-dts-ccmp25-add-signed-firmware-support-for-RPR.patch', '', d)} \
 "

 SRC_URI:append:ccimx95 = " \
--- a/meta-digi-dey/classes/trustfence.bbclass
+++ b/meta-digi-dey/classes/trustfence.bbclass
@ -45,6 +45,9 @@ TRUSTFENCE_ENCRYPT_ROOTFS:ccmp1 ?= "0"
 TRUSTFENCE_ENCRYPT_ROOTFS:ccmp2 ?= "0"
 TRUSTFENCE_FILE_BASED_ENCRYPT ?= "${TF_FILE_BASED_ENCRYPT}"

+# Co-processor settings
+TRUSTFENCE_COPRO_ENABLED ?= "1"
+
 # Read-only rootfs
 TRUSTFENCE_READ_ONLY_ROOTFS ?= "${@bb.utils.contains("IMAGE_FEATURES", "read-only-rootfs", "1", "0", d)}"