From eb49d927a54c31c3e2340524fc4841f03e2bbebf Mon Sep 17 00:00:00 2001
From: Hector Palacios
Date: Wed, 10 May 2023 17:33:00 +0200
Subject: [PATCH] trustfence: enable auth capabilities on TF-A independently of TRUSTFENCE_SIGN
Sometimes, it may be desired that the DEY project does not sign the artifacts, for example, if they are going to be externally signed on a secure server. In this case, the user sets TRUSTFENCE_SIGN="0". On STM platforms, all the variables were being set if TRUSTFENCE_SIGN="1" and authentication support is not enabled on TF_A otherwise. Set TF_A_SIGN_ENABLE (which adds authentication support to TF_A) always for STM platforms (as long as the project inherits the trustfence class) and set FIP_SIGN_ENABLE="0" if its sibling TRUSTFENCE_SIGN="0", so that DEY doesn't sign the FIP image either.
Signed-off-by: Hector Palacios
---
 meta-digi-dey/classes/trustfence.bbclass | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/meta-digi-dey/classes/trustfence.bbclass b/meta-digi-dey/classes/trustfence.bbclass
index 6eda06492..7cce60c06 100644
--- a/meta-digi-dey/classes/trustfence.bbclass
+++ b/meta-digi-dey/classes/trustfence.bbclass
@@ -58,11 +58,16 @@ python () {
 if (d.getVar("DEY_SOC_VENDOR") == "NXP"):
 if (d.getVar("TRUSTFENCE_DEK_PATH") == "default"):
 d.setVar("TRUSTFENCE_DEK_PATH", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") + "/dek.bin");
+ elif (d.getVar("DEY_SOC_VENDOR") == "STM"):
+ # Enable authentication capabilities on TF-A independently
+ # of whether the images are going to be signed by DEY or externally
+ d.setVar("TF_A_SIGN_ENABLE", "1")
+ if (d.getVar("TRUSTFENCE_SIGN") == "0"):
+ d.setVar("FIP_SIGN_ENABLE", "0")
 if (d.getVar("TRUSTFENCE_SIGN") == "1"):
 # Set STM-specific variables for signing images
 if (d.getVar("DEY_SOC_VENDOR") == "STM"):
- d.setVar("TF_A_SIGN_ENABLE", "1")
 d.setVar("FIP_SIGN_ENABLE", "1")
 d.setVar("FIP_SIGN_KEY_EXTERNAL", "1")
 if (d.getVar("DIGI_SOM") == "ccmp15" ):
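Review bot: The new STM branch forces `FIP_SIGN_ENABLE` to "0" only on an exact match of `TRUSTFENCE_SIGN` with "0", while the signing block below runs only on an exact "1", so an unset or differently spelled value leaves `TF_A_SIGN_ENABLE` at "1" and `FIP_SIGN_ENABLE` at whatever default it has outside this hunk. Making the two tests complementary, `if (d.getVar("TRUSTFENCE_SIGN") != "1"):`, keeps the TF-A authentication setting and the FIP signing setting from drifting apart silently. Since the "0" path now yields a TF-A built with authentication support together with a FIP that DEY leaves unsigned, a build-time message such as `bb.warn("TRUSTFENCE_SIGN=0: FIP image is not signed by this build and must be signed externally")` would make that hand-off visible in the log. The anonymous `python ()` body starts and ends outside the hunk, so any default assigned to `TRUSTFENCE_SIGN` earlier in the class is not visible here.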