imx-boot: fix sign conditions

Do not evaluate TRUSTFENCE_SIGN_MODE on conditions where the sign mode
is not relevant:

1) U-Boot binary file should be signed directly after building it when simple
U-Boot images are used, but it should not be signed when imx-boot bundled
images are used.
For those, the signing process is performed later over the whole imx-boot
bundled binary file on a different recipe.
We use BOOTLOADER_IMAGE_RECIPE variable to evaluate this distinction.
BOOTLOADER_IMAGE_RECIPE is set to "u-boot" by default and is set to "imx-boot"
on ccimx8x and ccimx8mn machine configuration files.

2) When signing imx-boot images, images that include the RAM configuration
in their name must be handled differently from those that don't, as is
already done for the other tasks in the same recipe. The sign mode can be
ignored in this case.

https://jira.digi.com/browse/DEL-7023

Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
Gonzalo Ruiz 2020-04-02 10:41:21 +02:00
parent 38a5b79718
commit ae49a255fa
2 changed files with 13 additions and 7 deletions


@ -204,16 +204,20 @@ do_deploy () {
}
do_deploy_append () {
if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
if [ "${TRUSTFENCE_SIGN}" = "1" ]; then
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
[ -n "${TRUSTFENCE_SIGN_MODE}" ] && export CONFIG_SIGN_MODE="${TRUSTFENCE_SIGN_MODE}"
# Sign U-boot image
for ramc in ${RAM_CONFIGS}; do
if [ "${UBOOT_RAM_COMBINATIONS}" = "" ]; then
trustfence-sign-uboot.sh ${DEPLOYDIR}/${UBOOT_PREFIX}-${MACHINE}.bin ${DEPLOYDIR}/${UBOOT_PREFIX}-${MACHINE}-signed.bin
else
for ramc in ${UBOOT_RAM_COMBINATIONS}; do
trustfence-sign-uboot.sh ${DEPLOYDIR}/${UBOOT_PREFIX}-${MACHINE}-${ramc}.bin ${DEPLOYDIR}/${UBOOT_PREFIX}-${MACHINE}-${ramc}-signed.bin
done
fi
cp ${B}/SRK_efuses.bin ${DEPLOYDIR}
fi
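Review bot: With the `TRUSTFENCE_SIGN_MODE` = "AHAB" test dropped from the outer `if`, the signing loop is now reached even when TRUSTFENCE_SIGN_MODE is empty, and in that case `CONFIG_SIGN_MODE` is simply never exported. How trustfence-sign-uboot.sh behaves without a mode is not visible here, so the task should fail closed before the loop, for example `[ -n "${TRUSTFENCE_SIGN_MODE}" ] || bbfatal "TRUSTFENCE_SIGN=1 requires TRUSTFENCE_SIGN_MODE"`. As a smaller style point, the `${DEPLOYDIR}/...` arguments to trustfence-sign-uboot.sh and `cp` are unquoted. The body of do_deploy_append continues past the end of this hunk.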


@ -28,6 +28,8 @@ SRC_URI_append = " \
${@oe.utils.conditional('UBOOT_HAS_FASTBOOT', 'true', 'file://install_linux_fw_uuu.sh', '', d)} \
"
BOOTLOADER_IMAGE_RECIPE ?= "u-boot"
LOCALVERSION ?= ""
inherit fsl-u-boot-localversion
@ -81,7 +83,7 @@ do_compile () {
unset k
# Secure boot artifacts
if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]
if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${BOOTLOADER_IMAGE_RECIPE}" = "u-boot" ]
then
cp ${B}/${config}/u-boot-dtb-signed.imx ${B}/${config}/u-boot-dtb-signed-${type}.${UBOOT_SUFFIX}
cp ${B}/${config}/u-boot-dtb-usb-signed.imx ${B}/${config}/u-boot-dtb-usb-signed-${type}.${UBOOT_SUFFIX}
@ -124,7 +126,7 @@ do_deploy_append() {
cd ${DEPLOYDIR}
rm -r ${UBOOT_BINARY}-${type}
ln -sf u-boot-${type}-${PV}-${PR}.${UBOOT_SUFFIX} u-boot-${type}.${UBOOT_SUFFIX}
if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${BOOTLOADER_IMAGE_RECIPE}" = "u-boot" ]; then
install ${B}/${config}/SRK_efuses.bin SRK_efuses-${PV}-${PR}.bin
ln -sf SRK_efuses-${PV}-${PR}.bin SRK_efuses.bin
@ -170,7 +172,7 @@ do_deploy_append() {
[ -n "${TRUSTFENCE_SIGN_MODE}" ] && export CONFIG_SIGN_MODE="${TRUSTFENCE_SIGN_MODE}"
# Sign boot script
if [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
if [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ] && [ "${BOOTLOADER_IMAGE_RECIPE}" = "u-boot" ]; then
TMP_SIGNED_BOOTSCR="$(mktemp ${WORKDIR}/bootscr-signed.XXXXXX)"
trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -b "${DEPLOYDIR}/boot.scr" "${TMP_SIGNED_BOOTSCR}"
mv "${TMP_SIGNED_BOOTSCR}" "${DEPLOYDIR}/boot.scr"
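Review bot: The last hunk now skips boot.scr signing on machines that use HAB together with `BOOTLOADER_IMAGE_RECIPE = "imx-boot"`, but the commit message only justifies this for the U-Boot binary, which is signed later as part of the imx-boot bundle. boot.scr is a separate artifact, and whether it is signed elsewhere for those machines is not visible here; if it is not, a signed bootloader would run an unsigned boot script. Either keep this condition as `[ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]` or add a comment naming the recipe that signs boot.scr for imx-boot machines. The two earlier hunks also compare against the literal "u-boot", so any other value silently disables signing here; consider a `bbfatal` on values other than "u-boot" and "imx-boot". The enclosing `if` block starts and ends outside the hunk.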