meta-digi-dey: trustfence: add Yocto macro to unlock key revocation

By default, on closed devices you cannot revoke any key. To do so, it is
required to compile a U-Boot which instructs the HAB not to set the sticky
bit which write protects that field in the OCOTP controller.

This patch introduces a Yocto macro which allows configuring U-Boot in
that way.

In the ConnectCore 6, the value of this setting is ignored, because HAB never
sets the sticky bit which write protects that field.

https://jira.digi.com/browse/DUB-665

Signed-off-by: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com>
Diaz de Grenu, Jose 2016-08-09 17:02:31 +02:00
parent d996dfd768
commit c4bf4c791a
2 changed files with 6 additions and 0 deletions


@ -112,6 +112,10 @@ Bluetooth Low Energy mode
hang the processor when trying to authenticate an encrypted kernel image after
a failed attempt. Hence the target needs to be reset after an authentication
failure.
* NXP i.MX6 processor does not set the sticky bit which write protects the
SRK_REVOKE eFuse on closed devices. This means that in the ConnectCore 6,
key revocation is always possible, no matter the value of the Yocto macro
TRUSTFENCE_UNLOCK_KEY_REVOCATION.
## Digi ConnectCore 6 SBC
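
Review bot: missing documentation in the new bullet: it mentions TRUSTFENCE_UNLOCK_KEY_REVOCATION only to say the value does not matter on the ConnectCore 6, and nothing in these lines says what the macro does where it is honoured, that it must be set to "1", or that it is off by default. Since the setting decides whether SRK_REVOKE stays writable once the device is closed, I would add an entry for it next to the other TRUSTFENCE_* variables and have this bullet refer to that entry. Minor wording: "The NXP i.MX6 processor does not set ...".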


@ -56,6 +56,8 @@ python () {
d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_SIGN_IMAGE=y ")
if d.getVar("TRUSTFENCE_SIGN_KEYS_PATH", True):
d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_SIGN_KEYS_PATH=\\"%s\\" ' % d.getVar("TRUSTFENCE_SIGN_KEYS_PATH"))
if (d.getVar("TRUSTFENCE_UNLOCK_KEY_REVOCATION", True) == "1"):
d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_UNLOCK_SRK_REVOKE=y ")
if d.getVar("TRUSTFENCE_KEY_INDEX", True):
d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_KEY_INDEX=%s " % d.getVar("TRUSTFENCE_KEY_INDEX"))
if (d.getVar("TRUSTFENCE_DEK_PATH", True) not in [None, "0"]):
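
Review bot: the check `d.getVar("TRUSTFENCE_UNLOCK_KEY_REVOCATION", True) == "1"` accepts only the literal string "1", so a value such as "y" or "true" is silently ignored and U-Boot is built without CONFIG_UNLOCK_SRK_REVOKE. Per the commit message, a closed device built that way cannot revoke any key, and the mistake would only be noticed when a revocation is attempted. Suggest failing the build (for example with bb.fatal) when the variable is set to anything other than "0" or "1", or at least documenting the accepted values. The neighbouring TRUSTFENCE_DEK_PATH test uses `not in [None, "0"]`, so the two switches also follow different conventions for "enabled"; worth aligning or commenting on.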