From 9ef54b7b8e3657324fcaa7d48ffece4df4ab89df Mon Sep 17 00:00:00 2001
From: Hector Palacios <hector.palacios@digi.com>
Date: Mon, 15 Jul 2024 16:25:02 +0200
Subject: [PATCH] optee-os-stm32mp: use OTP HUK when TrustFence enabled

When TrustFence is enabled, use the HUK programmed on the OTP
bits for the ccmp15 platform.

Signed-off-by: Hector Palacios <hector.palacios@digi.com>

https://onedigi.atlassian.net/browse/DEL-9121
---
 .../recipes-security/optee/optee-os-stm32mp_%.bbappend         | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-os-stm32mp_%.bbappend b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-os-stm32mp_%.bbappend
index 311ff6bae..bc204fe62 100644
--- a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-os-stm32mp_%.bbappend
+++ b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-os-stm32mp_%.bbappend
@@ -14,3 +14,6 @@ SRC_URI = " \
     ${OPTEE_GIT_URI};branch=${SRCBRANCH};name=os \
     file://fonts.tar.gz;subdir=git;name=fonts \
 "
+
+# If TF enabled, force use of HUK in OTP bits
+EXTRA_OEMAKE += "${@oe.utils.conditional('TRUSTFENCE_ENABLED', '1', 'CFG_OTP_HUK=1', '', d)}"