From df9b1cf329c46b038c66c85a44d8084dd2681e58 Mon Sep 17 00:00:00 2001
From: Mike Engel
Date: Tue, 26 Sep 2023 14:29:49 +0200
Subject: [PATCH] ccmp1: add signed FIT image support

This commit adds signed FIT image support for the CCMP1 platforms when using Trustfence.
https://onedigi.atlassian.net/browse/DEL-8591
Signed-off-by: Mike Engel
---
.../classes/image_types_digi.bbclass | 115 +++++++++++-------
meta-digi-arm/conf/machine/ccmp13-dvk.conf | 5 +-
meta-digi-arm/conf/machine/ccmp15-dvk.conf | 5 +-
meta-digi-arm/conf/machine/include/ccmp1.inc | 3 +
.../recipes-bsp/u-boot/u-boot-dey.inc | 14 ++-
.../u-boot/u-boot-dey/ccmp1/fit_legacy.cfg | 1 +
.../u-boot/u-boot-dey/ccmp1/fit_signature.cfg | 4 +
.../recipes-bsp/u-boot/u-boot-dey_2021.10.bb | 29 ++++-
.../recipes-kernel/linux/linux-dey_5.15.bb | 6 +
meta-digi-dey/classes/trustfence.bbclass | 19 +++
10 files changed, 150 insertions(+), 51 deletions(-)
create mode 100644 meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccmp1/fit_legacy.cfg
create mode 100644 meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccmp1/fit_signature.cfg
diff --git a/meta-digi-arm/classes/image_types_digi.bbclass b/meta-digi-arm/classes/image_types_digi.bbclass
index 5cabc03cd..83212e2a8 100644
--- a/meta-digi-arm/classes/image_types_digi.bbclass
+++ b/meta-digi-arm/classes/image_types_digi.bbclass
@@ -21,15 +21,18 @@ do_image_boot_vfat[depends] += " \ IMAGE_CMD:boot.vfat() { BOOTIMG_FILES="$(readlink -e ${DEPLOY_DIR_IMAGE}/${KERNEL_IMAGETYPE}-${MACHINE}.bin)" BOOTIMG_FILES_SYMLINK="${DEPLOY_DIR_IMAGE}/${KERNEL_IMAGETYPE}-${MACHINE}.bin" - if [ -n "${KERNEL_DEVICETREE}" ]; then - for DTB in ${KERNEL_DEVICETREE}; do - # Remove potential sub-folders - DTB="$(basename ${DTB})" - if [ -e "${DEPLOY_DIR_IMAGE}/${DTB}" ]; then - BOOTIMG_FILES="${BOOTIMG_FILES} $(readlink -e ${DEPLOY_DIR_IMAGE}/${DTB})" - BOOTIMG_FILES_SYMLINK="${BOOTIMG_FILES_SYMLINK} ${DEPLOY_DIR_IMAGE}/${DTB}" - fi - done + # Exclude DTB and DTBO from VFAT image when creating a FIT image + if [ "${TRUSTFENCE_FIT_IMG}" != "1" ]; then + if [ -n "${KERNEL_DEVICETREE}" ]; then + for DTB in ${KERNEL_DEVICETREE}; do + # Remove potential sub-folders + DTB="$(basename ${DTB})" + if [ -e "${DEPLOY_DIR_IMAGE}/${DTB}" ]; then + BOOTIMG_FILES="${BOOTIMG_FILES} $(readlink -e ${DEPLOY_DIR_IMAGE}/${DTB})" + BOOTIMG_FILES_SYMLINK="${BOOTIMG_FILES_SYMLINK} ${DEPLOY_DIR_IMAGE}/${DTB}" + fi + done + fi fi # Add Trustfence initramfs if enabled 
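Review bot: The new `TRUSTFENCE_FIT_IMG` guard wraps the existing `KERNEL_DEVICETREE` test in a second `if`, which re-indents the whole loop without changing its logic; the two tests can share one line, `if [ "${TRUSTFENCE_FIT_IMG}" != "1" ] && [ -n "${KERNEL_DEVICETREE}" ]; then`. The same nesting is repeated in the `IMAGE_CMD:boot.ubifs` and `IMAGE_CMD:recovery.ubifs` hunks further down. The body of `IMAGE_CMD:boot.vfat` continues past the end of this hunk.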
@@ -57,12 +60,15 @@ IMAGE_CMD:boot.vfat() { mkfs.vfat -n "Boot DEY" -S 512 -C ${IMGDEPLOYDIR}/${IMAGE_NAME}.boot.vfat ${BOOTIMG_BLOCKS} mcopy -i ${IMGDEPLOYDIR}/${IMAGE_NAME}.boot.vfat ${BOOTIMG_FILES_SYMLINK} ::/ - # Copy boot scripts into the VFAT image - for item in ${BOOT_SCRIPTS}; do - src=`echo $item | awk -F':' '{ print $1 }'` - dst=`echo $item | awk -F':' '{ print $2 }'` - mcopy -i ${IMGDEPLOYDIR}/${IMAGE_NAME}.boot.vfat -s ${DEPLOY_DIR_IMAGE}/$src ::/$dst - done + # Exclude boot scripts from VFAT image when creating a FIT image + if [ "${TRUSTFENCE_FIT_IMG}" != "1" ]; then + # Copy boot scripts into the VFAT image + for item in ${BOOT_SCRIPTS}; do + src=`echo $item | awk -F':' '{ print $1 }'` + dst=`echo $item | awk -F':' '{ print $2 }'` + mcopy -i ${IMGDEPLOYDIR}/${IMAGE_NAME}.boot.vfat -s ${DEPLOY_DIR_IMAGE}/$src ::/$dst + done + fi # Truncate the image to speed up the downloading/writing to the EMMC if [ -n "${BOARD_BOOTIMAGE_PARTITION_SIZE}" ]; then @@ -83,14 +89,17 @@ do_image_boot_ubifs[depends] += " \ IMAGE_CMD:boot.ubifs() { BOOTIMG_FILES_SYMLINK="${DEPLOY_DIR_IMAGE}/${KERNEL_IMAGETYPE}-${MACHINE}.bin" - if [ -n "${KERNEL_DEVICETREE}" ]; then - for DTB in ${KERNEL_DEVICETREE}; do - # Remove potential sub-folders - DTB="$(basename ${DTB})" - if [ -e "${DEPLOY_DIR_IMAGE}/${DTB}" ]; then - BOOTIMG_FILES_SYMLINK="${BOOTIMG_FILES_SYMLINK} ${DEPLOY_DIR_IMAGE}/${DTB}" - fi - done + # Exclude DTB and DTBO from UBIFS image when creating a FIT image + if [ "${TRUSTFENCE_FIT_IMG}" != "1" ]; then + if [ -n "${KERNEL_DEVICETREE}" ]; then + for DTB in ${KERNEL_DEVICETREE}; do + # Remove potential sub-folders + DTB="$(basename ${DTB})" + if [ -e "${DEPLOY_DIR_IMAGE}/${DTB}" ]; then + BOOTIMG_FILES_SYMLINK="${BOOTIMG_FILES_SYMLINK} ${DEPLOY_DIR_IMAGE}/${DTB}" + fi + done + fi fi # Add Trustfence initramfs if enabled 
@@ -107,12 +116,15 @@ IMAGE_CMD:boot.ubifs() { ln ${orig} ${TMP_BOOTDIR}/$(basename ${item}) done - # Hard-link boot scripts into the temporary folder - for item in ${BOOT_SCRIPTS}; do - src="$(echo ${item} | awk -F':' '{ print $1 }')" - dst="$(echo ${item} | awk -F':' '{ print $2 }')" - ln ${DEPLOY_DIR_IMAGE}/${src} ${TMP_BOOTDIR}/${dst} - done + # Exclude boot scripts from UBIFS image when creating a FIT image + if [ "${TRUSTFENCE_FIT_IMG}" != "1" ]; then + # Hard-link boot scripts into the temporary folder + for item in ${BOOT_SCRIPTS}; do + src="$(echo ${item} | awk -F':' '{ print $1 }')" + dst="$(echo ${item} | awk -F':' '{ print $2 }')" + ln ${DEPLOY_DIR_IMAGE}/${src} ${TMP_BOOTDIR}/${dst} + done + fi # Build UBIFS boot image out of temp folder mkfs.ubifs -r ${TMP_BOOTDIR} -o ${IMGDEPLOYDIR}/${IMAGE_NAME}.boot.ubifs ${MKUBIFS_BOOT_ARGS} @@ -135,8 +147,11 @@ IMAGE_CMD:recovery.vfat() { # Use 'boot.vfat' image as base cp --remove-destination ${IMGDEPLOYDIR}/${IMAGE_NAME}.boot.vfat ${IMGDEPLOYDIR}/${IMAGE_NAME}.recovery.vfat - # Copy the recovery initramfs into the VFAT image - mcopy -i ${IMGDEPLOYDIR}/${IMAGE_NAME}.recovery.vfat -s ${DEPLOY_DIR_IMAGE}/${RECOVERY_INITRAMFS_IMAGE}-${MACHINE}.cpio.gz.u-boot.tf ::/uramdisk-recovery.img + # Exclude initRAMFS from VFAT image when creating a FIT image + if [ "${TRUSTFENCE_FIT_IMG}" != "1" ]; then + # Copy the recovery initramfs into the VFAT image + mcopy -i ${IMGDEPLOYDIR}/${IMAGE_NAME}.recovery.vfat -s ${DEPLOY_DIR_IMAGE}/${RECOVERY_INITRAMFS_IMAGE}-${MACHINE}.cpio.gz.u-boot.tf ::/uramdisk-recovery.img + fi } # Remove the default ".rootfs." suffix for 'recovery.vfat' images 
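Review bot: With `TRUSTFENCE_FIT_IMG` set to "1", `IMAGE_CMD:recovery.vfat` now produces a plain copy of `boot.vfat` with no recovery ramdisk in it, and nothing in this hunk says where the recovery initramfs is expected to come from instead. If it is meant to travel inside the signed FIT image, the comment should say so, for example `# FIT build: the recovery initramfs is not copied here; it must be provided inside the signed FIT image`. If it is not, the recovery boot path either has no ramdisk or loads one that the FIT signature does not cover, which is worth confirming against the recovery boot script (not visible here).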
@@ -153,14 +168,17 @@ do_image_recovery_ubifs[depends] += " \ IMAGE_CMD:recovery.ubifs() { RECOVERYIMG_FILES_SYMLINK="${DEPLOY_DIR_IMAGE}/${KERNEL_IMAGETYPE}-${MACHINE}.bin" - if [ -n "${KERNEL_DEVICETREE}" ]; then - for DTB in ${KERNEL_DEVICETREE}; do - # Remove potential sub-folders - DTB="$(basename ${DTB})" - if [ -e "${DEPLOY_DIR_IMAGE}/${DTB}" ]; then - RECOVERYIMG_FILES_SYMLINK="${RECOVERYIMG_FILES_SYMLINK} ${DEPLOY_DIR_IMAGE}/${DTB}" - fi - done + # Exclude DTB and DTBO from VFAT image when creating a FIT image + if [ "${TRUSTFENCE_FIT_IMG}" != "1" ]; then + if [ -n "${KERNEL_DEVICETREE}" ]; then + for DTB in ${KERNEL_DEVICETREE}; do + # Remove potential sub-folders + DTB="$(basename ${DTB})" + if [ -e "${DEPLOY_DIR_IMAGE}/${DTB}" ]; then + RECOVERYIMG_FILES_SYMLINK="${RECOVERYIMG_FILES_SYMLINK} ${DEPLOY_DIR_IMAGE}/${DTB}" + fi + done + fi fi # Create temporary folder 
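Review bot: The added comment `# Exclude DTB and DTBO from VFAT image when creating a FIT image` sits in `IMAGE_CMD:recovery.ubifs`, which builds a UBIFS image, so it should read `# Exclude DTB and DTBO from UBIFS image when creating a FIT image`. The next hunk of the same function has the same slip (`# Exclude bootscript from VFAT image when creating a FIT image`), and its guard also covers the `cp` of the recovery initramfs, which the comment does not mention; `# Exclude boot scripts and recovery initramfs from UBIFS image when creating a FIT image` would describe what the block does. The function body continues past the end of this hunk.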
@@ -172,15 +190,18 @@ IMAGE_CMD:recovery.ubifs() { ln ${orig} ${TMP_RECOVERYDIR}/$(basename ${item}) done - # Hard-link boot scripts into the temporary folder - for item in ${BOOT_SCRIPTS}; do - src="$(echo ${item} | awk -F':' '{ print $1 }')" - dst="$(echo ${item} | awk -F':' '{ print $2 }')" - ln ${DEPLOY_DIR_IMAGE}/${src} ${TMP_RECOVERYDIR}/${dst} - done + # Exclude bootscript from VFAT image when creating a FIT image + if [ "${TRUSTFENCE_FIT_IMG}" != "1" ]; then + # Hard-link boot scripts into the temporary folder + for item in ${BOOT_SCRIPTS}; do + src="$(echo ${item} | awk -F':' '{ print $1 }')" + dst="$(echo ${item} | awk -F':' '{ print $2 }')" + ln ${DEPLOY_DIR_IMAGE}/${src} ${TMP_RECOVERYDIR}/${dst} + done - # Copy the recovery initramfs into the temporary folder - cp ${DEPLOY_DIR_IMAGE}/${RECOVERY_INITRAMFS_IMAGE}-${MACHINE}.cpio.gz.u-boot.tf ${TMP_RECOVERYDIR}/uramdisk-recovery.img + # Copy the recovery initramfs into the temporary folder + cp ${DEPLOY_DIR_IMAGE}/${RECOVERY_INITRAMFS_IMAGE}-${MACHINE}.cpio.gz.u-boot.tf ${TMP_RECOVERYDIR}/uramdisk-recovery.img + fi # Build UBIFS recovery image out of temp folder mkfs.ubifs -r ${TMP_RECOVERYDIR} -o ${IMGDEPLOYDIR}/${IMAGE_NAME}.recovery.ubifs ${MKUBIFS_BOOT_ARGS} diff --git a/meta-digi-arm/conf/machine/ccmp13-dvk.conf b/meta-digi-arm/conf/machine/ccmp13-dvk.conf index ffe3de0fa..bda7d0664 100644 --- a/meta-digi-arm/conf/machine/ccmp13-dvk.conf +++ b/meta-digi-arm/conf/machine/ccmp13-dvk.conf @@ -47,6 +47,8 @@ STM32MP_KERNEL_DEVICETREE:ccmp13-dvk += " \ _ov_som_bt_test_ccmp13.dtbo \ _ov_som_wifi_ccmp13.dtbo \ " +# Set DTB load address to U-Boot fdt_addr_r +UBOOT_DTB_LOADADDRESS = "${@bb.utils.contains('TRUSTFENCE_FIT_IMG', '1', '0xc4000000', '', d)}" # ========================================================================= # Machine features 
@@ -106,7 +108,8 @@ OPTEE_CONF = "ccmp13-dvk" # ========================================================================= # Kernel # ========================================================================= -KERNEL_IMAGETYPE = "zImage" +KERNEL_IMAGETYPE = "${@bb.utils.contains('TRUSTFENCE_FIT_IMG', '1', 'fitImage', 'zImage', d)}" +KERNEL_CLASSES = "${@bb.utils.contains('TRUSTFENCE_FIT_IMG', '1', 'kernel-fitimage', 'kernel-uimage', d)}" KERNEL_ALT_IMAGETYPE = "Image uImage vmlinux" KERNEL_DEFCONFIG ?= "ccmp1_defconfig" KERNEL_EXTERNAL_DEFCONFIG ?= "defconfig" diff --git a/meta-digi-arm/conf/machine/ccmp15-dvk.conf b/meta-digi-arm/conf/machine/ccmp15-dvk.conf index bf45951ff..c2631c2b1 100644 --- a/meta-digi-arm/conf/machine/ccmp15-dvk.conf +++ b/meta-digi-arm/conf/machine/ccmp15-dvk.conf @@ -54,6 +54,8 @@ STM32MP_KERNEL_DEVICETREE:ccmp15-dvk += " \ _ov_som_mca_ccmp15.dtbo \ _ov_som_wifi_ccmp15.dtbo \ " +# Set DTB load address to U-Boot fdt_addr_r +UBOOT_DTB_LOADADDRESS = "${@bb.utils.contains('TRUSTFENCE_FIT_IMG', '1', '0xc4000000', '', d)}" # ========================================================================= # Machine features @@ -114,7 +116,8 @@ OPTEE_CONF = "ccmp15-dvk" # ========================================================================= # Kernel # ========================================================================= -KERNEL_IMAGETYPE = "zImage" +KERNEL_IMAGETYPE = "${@bb.utils.contains('TRUSTFENCE_FIT_IMG', '1', 'fitImage', 'zImage', d)}" +KERNEL_CLASSES = "${@bb.utils.contains('TRUSTFENCE_FIT_IMG', '1', 'kernel-fitimage', 'kernel-uimage', d)}" KERNEL_ALT_IMAGETYPE = "Image uImage vmlinux" KERNEL_DEFCONFIG ?= "ccmp1_defconfig" KERNEL_EXTERNAL_DEFCONFIG ?= "defconfig" diff --git a/meta-digi-arm/conf/machine/include/ccmp1.inc b/meta-digi-arm/conf/machine/include/ccmp1.inc index fd74a2ad8..049c14332 100644 --- a/meta-digi-arm/conf/machine/include/ccmp1.inc +++ b/meta-digi-arm/conf/machine/include/ccmp1.inc 
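Review bot: `bb.utils.contains` is a list-membership test, so `KERNEL_IMAGETYPE` and `KERNEL_CLASSES` switch to FIT whenever "1" appears as any item of `TRUSTFENCE_FIT_IMG`, while the shell guards in image_types_digi.bbclass compare the whole string with `!= "1"` and trustfence.bbclass uses `oe.utils.conditional`. For a scalar flag that decides whether the boot chain is verified, the exact comparison is the safer form, `KERNEL_IMAGETYPE = "${@oe.utils.conditional('TRUSTFENCE_FIT_IMG', '1', 'fitImage', 'zImage', d)}"`, and likewise for `KERNEL_CLASSES`, `UBOOT_DTB_LOADADDRESS` and `UBOOT_ENV`; the ccmp15-dvk.conf hunks carry the same lines. Separately, `KERNEL_CLASSES` drops `kernel-uimage` in FIT mode while `KERNEL_ALT_IMAGETYPE` on the next line still lists `uImage`, so it is worth confirming that the alternate image still builds and that an unsigned `uImage` is actually wanted next to the signed FIT image.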
@@ -72,3 +72,6 @@ TRUSTFENCE_CONSOLE_DISABLE ?= "0" # Disable the generation of flashlayout files do_create_flashlayout_config[noexec] = "1" + +# Include boot script into the FIT image +UBOOT_ENV = "${@bb.utils.contains('TRUSTFENCE_FIT_IMG', '1', 'boot', '', d)}" diff --git a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey.inc b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey.inc index 81c1418ba..75199b0b0 100644 --- a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey.inc +++ b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey.inc @@ -198,6 +198,18 @@ do_deploy:append:ccmp1() { # Deploy u-boot-nodtb.bin and ccmp1x-dvk.dtb, to be packaged in fip binary by tf-a install -d ${DEPLOYDIR}/${BOOT_TOOLS} install -m 0777 ${B}/${config}/arch/arm/dts/${UBOOT_DTB_NAME} ${DEPLOYDIR}/${BOOT_TOOLS}/${FIP_UBOOT_DTB}-${FIP_UBOOT_HEADER}.dtb - install -m 0777 ${B}/${config}/u-boot-nodtb.bin ${DEPLOYDIR}/${BOOT_TOOLS}/u-boot-nodtb.bin + + # Append signature to u-boot DT + if [ "x${UBOOT_SIGN_ENABLE}" = "x1" ] ; then + # get name of u-boot devicetree without signature + ubootdevicetree="${DEPLOYDIR}/${BOOT_TOOLS}/u-boot-${UBOOT_DTB_NAME}" + namewithoutsignature=`echo $ubootdevicetree | sed "s/\.dtb/-without-signature.dtb/g"` + namewithsignature=`echo $ubootdevicetree | sed "s/\.dtb/-with-signature.dtb/g"` + mv $ubootdevicetree $namewithoutsignature + # get name of U-Boot device tree from DEPLOY_DIR + nameonkernel="${DEPLOY_DIR_IMAGE}/u-boot-${MACHINE}*.dtb" + cp $nameonkernel $namewithsignature + cp $nameonkernel $ubootdevicetree + fi } diff --git a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccmp1/fit_legacy.cfg b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccmp1/fit_legacy.cfg new file mode 100644 index 000000000..b4a52f46f --- /dev/null +++ b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccmp1/fit_legacy.cfg @@ -0,0 +1 @@ +CONFIG_LEGACY_IMAGE_FORMAT=y \ No newline at end of file 
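Review bot: `nameonkernel` is a glob over the shared `${DEPLOY_DIR_IMAGE}`, expanded unquoted in both `cp` calls, so the file that becomes the signed U-Boot device tree is whatever `u-boot-${MACHINE}*.dtb` happens to match. In U-Boot verified boot that DTB carries the public key used to check the FIT image, so a stale DTB from an earlier build with a different key would be packaged without any error, and two matches make `cp` fail with an unrelated message. The append should resolve the pattern to exactly one file and stop the build otherwise, and quote the paths; no task dependency on the recipe that writes that DTB is visible in this hunk, so the ordering needs confirming too. The `sed` expressions would also be safer anchored, e.g. `s/\.dtb$/-with-signature.dtb/`, since the `g` form rewrites every `.dtb` in the path. The opening of `do_deploy:append:ccmp1` is outside the hunk.

```bitbake
	if [ "x${UBOOT_SIGN_ENABLE}" = "x1" ] ; then
		# … unchanged: ubootdevicetree, namewithoutsignature, namewithsignature …
		# Resolve the signed U-Boot device tree to exactly one file before touching anything
		set -- ${DEPLOY_DIR_IMAGE}/u-boot-${MACHINE}*.dtb
		if [ "$#" -ne 1 ] || [ ! -f "$1" ]; then
			bbfatal "Expected exactly one signed U-Boot DTB in ${DEPLOY_DIR_IMAGE}, found: $*"
		fi
		nameonkernel="$1"
		mv "$ubootdevicetree" "$namewithoutsignature"
		cp "$nameonkernel" "$namewithsignature"
		cp "$nameonkernel" "$ubootdevicetree"
	fi
```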
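Review bot: `CONFIG_LEGACY_IMAGE_FORMAT=y` is pulled in by the same `TRUSTFENCE_SIGN` switch as `fit_signature.cfg`, and it re-enables the one image format that cannot carry a signature. As far as I know U-Boot turns this option off by default once `CONFIG_FIT_SIGNATURE` is set, precisely so that unsigned legacy images cannot be loaded; switching it back on leaves verified boot depending on every boot command being restricted to signed FIT configurations. If a legacy-format artifact is the reason, the fragment should name it in a comment such as `# Needed for <artifact>; legacy images must never be booted when FIT signing is enforced`, and the fragment is better dropped if nothing needs it. The file also has no trailing newline, which is fragile if the fragments are ever concatenated rather than merged one by one.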
diff --git a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccmp1/fit_signature.cfg b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccmp1/fit_signature.cfg new file mode 100644 index 000000000..eb5d7d683 --- /dev/null +++ b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccmp1/fit_signature.cfg @@ -0,0 +1,4 @@ +CONFIG_FIT_SIGNATURE=y +CONFIG_RSA=y +CONFIG_ECDSA=y +CONFIG_ECDSA_VERIFY=y diff --git a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2021.10.bb b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2021.10.bb index 2bd448264..8f0dca3e6 100644 --- a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2021.10.bb +++ b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2021.10.bb @@ -1,4 +1,4 @@ -# Copyright (C) 2022 Digi International +# Copyright (C) 2022,2023 Digi International require u-boot-dey.inc LIC_FILES_CHKSUM = "file://Licenses/README;md5=5a7450c57ffe5ae63fd732446b988025" @@ -9,4 +9,31 @@ DEPENDS += "python3-setuptools-native" SRCBRANCH = "v2021.10/master" SRCREV = "${AUTOREV}" +UBOOT_FIT_CFG_FRAGMENTS = " \ + file://fit_legacy.cfg \ + file://fit_signature.cfg \ +" + +SRC_URI += " \ + ${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', '${UBOOT_FIT_CFG_FRAGMENTS}', '', d)} \ +" +# Install UBOOT_ENV_BINARY to datadir, so that kernel can use it +# to include it into the FIT image. +install_helper_bootscr() { + if [ -f "${D}/boot/${UBOOT_ENV_BINARY}" ]; then + # Install UBOOT_ENV_BINARY into datadir to share it with the kernel + install -Dm 0644 ${D}/boot/${UBOOT_ENV_BINARY} ${D}${datadir}/${UBOOT_ENV_IMAGE} + ln -sf ${UBOOT_ENV_IMAGE} ${D}${datadir}/${UBOOT_ENV_BINARY} + else + bbwarn "${D}/boot/${UBOOT_ENV_BINARY} not found" + fi +} + +do_install:append() { + # Copy boot script, so kernel can include it when creating the FIT image + if [ "${TRUSTFENCE_FIT_IMG}" = "1" ] && [ -n "${UBOOT_ENV_BINARY}" ]; then + install_helper_bootscr + fi +} + COMPATIBLE_MACHINE = "(ccmp1)" 
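Review bot: The two additions in the last hunk of u-boot-dey_2021.10.bb are keyed on different switches: the FIT config fragments enter `SRC_URI` only when `TRUSTFENCE_SIGN` is "1", while `do_install:append` shares the boot script whenever `TRUSTFENCE_FIT_IMG` is "1". Since trustfence.bbclass defaults `TRUSTFENCE_FIT_IMG:ccmp1` to "1", a build with signing off still switches the kernel to a fitImage, and whether this U-Boot can boot it then depends on defconfig options not visible here; a comment stating the supported combinations would help, e.g. `# TRUSTFENCE_FIT_IMG without TRUSTFENCE_SIGN: unsigned FIT image, relies on FIT support in the defconfig`. In `install_helper_bootscr` a missing script is only a `bbwarn`, yet the kernel recipe later installs that file unconditionally, so `bbfatal "${D}/boot/${UBOOT_ENV_BINARY} not found"` would stop the build at the cause rather than in another recipe.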
diff --git a/meta-digi-arm/recipes-kernel/linux/linux-dey_5.15.bb b/meta-digi-arm/recipes-kernel/linux/linux-dey_5.15.bb index ecc10eef9..1f6141a39 100644 --- a/meta-digi-arm/recipes-kernel/linux/linux-dey_5.15.bb +++ b/meta-digi-arm/recipes-kernel/linux/linux-dey_5.15.bb @@ -7,4 +7,10 @@ SRCBRANCH:stm32mpcommon = "v5.15.118/stm/master" SRCREV = "${AUTOREV}" SRCREV:stm32mpcommon = "${AUTOREV}" +do_assemble_fitimage:prepend:ccmp1() { + # Deploy u-boot script to be included into the FIT image + install -d ${STAGING_DIR_HOST}/boot + install -m 0644 ${RECIPE_SYSROOT}/${datadir}/${UBOOT_ENV_BINARY} ${STAGING_DIR_HOST}/boot/ +} + COMPATIBLE_MACHINE = "(ccimx6|ccimx6ul|ccimx8m|ccimx8x|ccmp1)" diff --git a/meta-digi-dey/classes/trustfence.bbclass b/meta-digi-dey/classes/trustfence.bbclass index d559e9a29..5a210809b 100644 --- a/meta-digi-dey/classes/trustfence.bbclass +++ b/meta-digi-dey/classes/trustfence.bbclass @@ -26,6 +26,7 @@ TRUSTFENCE_DEK_PATH:ccmp1 ?= "0" TRUSTFENCE_ENCRYPT_ENVIRONMENT ?= "1" TRUSTFENCE_SRK_REVOKE_MASK ?= "0x0" TRUSTFENCE_KEY_INDEX ?= "0" +TRUSTFENCE_FIT_IMG:ccmp1 ?= "1" # Partition encryption configuration TRUSTFENCE_ENCRYPT_PARTITIONS ?= "1" 
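Review bot: `do_assemble_fitimage:prepend:ccmp1` copies `${RECIPE_SYSROOT}/${datadir}/${UBOOT_ENV_BINARY}` without checking that `UBOOT_ENV_BINARY` is non-empty or that the file exists, unlike the U-Boot side, which guards on both `TRUSTFENCE_FIT_IMG` and `-n "${UBOOT_ENV_BINARY}"`. No dependency on the U-Boot recipe populating the sysroot is visible in this hunk, so the script may simply be absent, and it is this script that ends up inside the signed FIT image. I would mirror the guard, `if [ "${TRUSTFENCE_FIT_IMG}" = "1" ] && [ -n "${UBOOT_ENV_BINARY}" ]; then`, and extend the comment to name the task that provides the file.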
@@ -45,6 +46,24 @@ TRUSTFENCE_SIGN_ARTIFACTS:ccimx93 = "0" IMAGE_FEATURES += "dey-trustfence" +# --------------------------------- +# Usage of FIT Image signed +# --------------------------------- + +# Enable FIT image build when Trustfence is enabled +MACHINE_FEATURES += "${@oe.utils.conditional('TRUSTFENCE_FIT_IMG', '1', 'fit', '', d)}" +# keys name in keydir (eg. "ubootfit.crt", "ubootfit.key") +TRUSTFENCE_SIGN_KEYNAME ?= "" +# Set variables required by poky to sign FIT image +UBOOT_SIGN_KEYNAME ?= "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', '${TRUSTFENCE_SIGN_KEYNAME}', '', d)}" +UBOOT_MKIMAGE_DTCOPTS ?= "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', '-I dts -O dtb -p 2000', '', d)}" +# Enable FIT signing support +UBOOT_SIGN_ENABLE ?= "${TRUSTFENCE_SIGN}" +# Set path to FIT signing keys +UBOOT_SIGN_KEYDIR ?= "${TRUSTFENCE_SIGN_KEYS_PATH}" +# Create keys if not defined +FIT_GENERATE_KEYS ?= "${@oe.utils.conditional('TRUSTFENCE_SIGN_KEYNAME', '', '1', '', d)}" + # Function to generate a PKI tree (with lock dir protection) GENPKI_LOCK_DIR = "${TRUSTFENCE_SIGN_KEYS_PATH}/.genpki.lock" gen_pki_tree() {
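Review bot: `FIT_GENERATE_KEYS` becomes "1" whenever `TRUSTFENCE_SIGN_KEYNAME` is empty, which is its default a few lines above, so an unconfigured build silently signs with a key pair created on the build host, and the condition does not look at `TRUSTFENCE_SIGN` at all. In that same case `UBOOT_SIGN_KEYNAME` is empty as well, so the generated files would presumably have no base name. Build-generated keys are fine for development but should not reach production unnoticed. I would make the fallback explicit: tie `FIT_GENERATE_KEYS` to `TRUSTFENCE_SIGN` being "1", give the generated pair a real name (the comment's own example `ubootfit` would do), and add `# Keys generated by the build are development keys; supply your own key pair for production`.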