From f4f84881d7ef60521c6cad5ace12b7b919a48f99 Mon Sep 17 00:00:00 2001
From: Hector Palacios
Date: Mon, 15 Nov 2021 11:55:52 +0100
Subject: [PATCH] trustfence: if read-only rootfs enabled, add config switch to U-Boot
When TrustFence and a read-only rootfs are enabled, U-Boot must authenticate the SQUASHFS root file system. Add config switch to force U-Boot to authenticate this image.
Signed-off-by: Hector Palacios
---
 meta-digi-dey/classes/trustfence.bbclass | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/meta-digi-dey/classes/trustfence.bbclass b/meta-digi-dey/classes/trustfence.bbclass
index 6a82aa75b..62c36faf7 100644
--- a/meta-digi-dey/classes/trustfence.bbclass
+++ b/meta-digi-dey/classes/trustfence.bbclass
@@ -27,7 +27,10 @@ TRUSTFENCE_SRK_REVOKE_MASK ?= "0x0"
 # Partition encryption configuration
 TRUSTFENCE_ENCRYPT_PARTITIONS ?= "1"
-TRUSTFENCE_ENCRYPT_ROOTFS ?= "1"
+TRUSTFENCE_ENCRYPT_ROOTFS ?= "${@bb.utils.contains("IMAGE_FEATURES", "read-only-rootfs", "0", "1", d)}"
+
+# Read-only rootfs
+TRUSTFENCE_READ_ONLY_ROOTFS ?= "${@bb.utils.contains("IMAGE_FEATURES", "read-only-rootfs", "1", "0", d)}"
 IMAGE_FEATURES += "dey-trustfence"
@@ -56,6 +59,8 @@ python () {
 if (d.getVar("TRUSTFENCE_SIGN", True) == "1"):
 d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_SIGN_IMAGE=y ")
+ if (d.getVar("TRUSTFENCE_READ_ONLY_ROOTFS", True) == "1"):
+ d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_AUTHENTICATE_SQUASHFS_ROOTFS=y ")
 if d.getVar("TRUSTFENCE_SIGN_KEYS_PATH", True):
 d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_SIGN_KEYS_PATH=\\"%s\\" ' % d.getVar("TRUSTFENCE_SIGN_KEYS_PATH", True))
 if (d.getVar("TRUSTFENCE_UNLOCK_KEY_REVOCATION", True) == "1"):
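Review bot: The new `TRUSTFENCE_ENCRYPT_ROOTFS` default drops to "0" whenever `read-only-rootfs` is in `IMAGE_FEATURES`, so the root file system's protection then rests on U-Boot authenticating the SquashFS image, yet nothing in this hunk ties the two settings together. Both variables are weak `?=` defaults that can be overridden independently, so a configuration that sets `TRUSTFENCE_READ_ONLY_ROOTFS = "0"` while the image feature is on would apparently get a rootfs that is neither encrypted nor authenticated, with no diagnostic. I would add a comment above the assignment, `# A read-only (SquashFS) rootfs is not encrypted; U-Boot authenticates it instead`, and a check in the anonymous python function that calls `bb.fatal()` (or at least `bb.warn()`) when `read-only-rootfs` is enabled and `TRUSTFENCE_READ_ONLY_ROOTFS` is not "1".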
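Review bot: The added `if` derives a U-Boot build option from `IMAGE_FEATURES`, which is normally set per image recipe, and `UBOOT_EXTRA_CONF` only matters in the U-Boot recipe's datastore. If `read-only-rootfs` is enabled only inside an image recipe rather than in global configuration, `CONFIG_AUTHENTICATE_SQUASHFS_ROOTFS=y` would presumably never be appended for U-Boot, while the image side still turns rootfs encryption off. The class should state the requirement next to the variable, for example `# NOTE: read-only-rootfs must be set in global configuration so the U-Boot recipe also sees it`. Whether the two added lines are nested under the `TRUSTFENCE_SIGN` check cannot be confirmed here because indentation was lost in this rendering, and the anonymous function starts and ends outside the hunk.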