From 98c3e6427b06a378e32076498e4962f55c6a42e6 Mon Sep 17 00:00:00 2001
From: Arturo Buzarra
Date: Wed, 3 Dec 2025 09:07:22 +0100
Subject: [PATCH] trustfence: make co-processor secure firmware optional
Introduce a configurable variable to enable/disable secure co-processor firmware when TrustFence is enabled.
https://onedigi.atlassian.net/browse/DEL-9813
Signed-off-by: Arturo Buzarra
---
 .../recipes-security/optee/optee-os-stm32mp_4.0.0.bbappend | 4 ++--
 meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2023.10.bb | 2 +-
 meta-digi-arm/recipes-kernel/linux/linux-dey_6.6.bb | 2 +-
 meta-digi-dey/classes/trustfence.bbclass | 3 +++
 4 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-os-stm32mp_4.0.0.bbappend b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-os-stm32mp_4.0.0.bbappend
index adef75396..32e0ec3c3 100644
--- a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-os-stm32mp_4.0.0.bbappend
+++ b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-os-stm32mp_4.0.0.bbappend
@@ -21,8 +21,8 @@ SRC_URI = " \
 "
 SRC_URI:append:ccmp25 = " \
- ${@oe.utils.conditional('TRUSTFENCE_ENABLED', '1' , 'file://0001-ARM-dts-ccmp25-add-signed-firmware-support-for-RPROC.patch', '', d)} \
+ ${@oe.utils.conditional('TRUSTFENCE_COPRO_ENABLED', '1' , 'file://0001-ARM-dts-ccmp25-add-signed-firmware-support-for-RPROC.patch', '', d)} \
 "
 # Enable remoteproc OTP public key verification for signed firmware support
-EXTRA_OEMAKE:append:ccmp25 = " ${@oe.utils.conditional('TRUSTFENCE_ENABLED', '1', 'CFG_REMOTEPROC_PUB_KEY_VERIFY=y', '', d)}"
+EXTRA_OEMAKE:append:ccmp25 = " ${@oe.utils.conditional('TRUSTFENCE_COPRO_ENABLED', '1', 'CFG_REMOTEPROC_PUB_KEY_VERIFY=y', '', d)}"
diff --git a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2023.10.bb b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2023.10.bb
index 705c23b4c..028217fb6 100644
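Review bot: In the optee-os-stm32mp bbappend hunk, both `oe.utils.conditional` calls now test only `TRUSTFENCE_COPRO_ENABLED`, so the signed-firmware device tree patch and `CFG_REMOTEPROC_PUB_KEY_VERIFY=y` no longer depend on `TRUSTFENCE_ENABLED`; the `SRC_URI:append:ccmp25` lines in the u-boot-dey and linux-dey hunks have the same shape. The commit message scopes the knob to "when TrustFence is enabled" and trustfence.bbclass defaults it to `"1"`, so if any configuration picks up that default while `TRUSTFENCE_ENABLED` is not `1` (not visible from this patch), co-processor signature verification would be built in without the rest of TrustFence. If that is not intended, tie the default to the master switch, e.g. `TRUSTFENCE_COPRO_ENABLED ?= "${TRUSTFENCE_ENABLED}"`, or add a comment above these lines stating that the variable is only defined when the class is inherited.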
--- a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2023.10.bb
+++ b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2023.10.bb
@@ -14,7 +14,7 @@ SRC_URI += " \
 "
 SRC_URI:append:ccmp25 = " \
- ${@oe.utils.conditional('TRUSTFENCE_ENABLED', '1' , 'file://0001-ARM-dts-ccmp25-add-signed-firmware-support-for-RPROC.patch', '', d)} \
+ ${@oe.utils.conditional('TRUSTFENCE_COPRO_ENABLED', '1' , 'file://0001-ARM-dts-ccmp25-add-signed-firmware-support-for-RPROC.patch', '', d)} \
 "
 install_helper_files() {
diff --git a/meta-digi-arm/recipes-kernel/linux/linux-dey_6.6.bb b/meta-digi-arm/recipes-kernel/linux/linux-dey_6.6.bb
index 586f8b079..eaf594b4e 100644
--- a/meta-digi-arm/recipes-kernel/linux/linux-dey_6.6.bb
+++ b/meta-digi-arm/recipes-kernel/linux/linux-dey_6.6.bb
@@ -23,7 +23,7 @@ SRC_URI:append = " \
 "
 SRC_URI:append:ccmp25 = " \
- ${@oe.utils.conditional('TRUSTFENCE_ENABLED', '1' , 'file://0001-ARM64-dts-ccmp25-add-signed-firmware-support-for-RPR.patch', '', d)} \
+ ${@oe.utils.conditional('TRUSTFENCE_COPRO_ENABLED', '1' , 'file://0001-ARM64-dts-ccmp25-add-signed-firmware-support-for-RPR.patch', '', d)} \
 "
 SRC_URI:append:ccimx95 = " \
diff --git a/meta-digi-dey/classes/trustfence.bbclass b/meta-digi-dey/classes/trustfence.bbclass
index a86228ac3..8683b6da9 100644
--- a/meta-digi-dey/classes/trustfence.bbclass
+++ b/meta-digi-dey/classes/trustfence.bbclass
@@ -45,6 +45,9 @@ TRUSTFENCE_ENCRYPT_ROOTFS:ccmp1 ?= "0"
 TRUSTFENCE_ENCRYPT_ROOTFS:ccmp2 ?= "0"
 TRUSTFENCE_FILE_BASED_ENCRYPT ?= "${TF_FILE_BASED_ENCRYPT}"
+# Co-processor settings
+TRUSTFENCE_COPRO_ENABLED ?= "1"
+
 # Read-only rootfs
 TRUSTFENCE_READ_ONLY_ROOTFS ?= "${@bb.utils.contains("IMAGE_FEATURES", "read-only-rootfs", "1", "0", d)}"
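Review bot: The new comment `# Co-processor settings` in the trustfence.bbclass hunk does not tell an integrator that `TRUSTFENCE_COPRO_ENABLED` decides whether co-processor firmware is authenticated. Going by the other hunks in this patch, any value other than the exact string `1` (including `yes` or `true`) removes `CFG_REMOTEPROC_PUB_KEY_VERIFY=y` from the OP-TEE build and the signed-firmware device tree patches from U-Boot and the kernel, while the rest of TrustFence stays on, so the co-processor presumably falls outside the verified boot chain. I would spell that out here, e.g. `# Set to "0" to build without signature verification of the co-processor (remoteproc) firmware; only the exact value "1" enables it`, and consider emitting a `bb.warn` at parse time when TrustFence is enabled and this is not `1`, so the weaker configuration shows up in the build log.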