Commit 52a1111da6d72446530da26e135b65a34b48e279 ("OPTEE: MANAGE signature,
M33TD") in the ST layer incorrectly enables CFG_REMOTEPROC_PUB_KEY_VERIFY=y for
all platforms when SIGN_ENABLE is set.
However, co-processor public key verification against OTP fuses is not
supported on stm32mp1x platforms and causes the build to fail.
Remove CFG_REMOTEPROC_PUB_KEY_VERIFY for ccmp15.
https://onedigi.atlassian.net/browse/DEL-10022
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Update secure boot support for Cortex-M processors by refreshing the patch set
and dropping patches already integrated, aligning the implementation with ST
release openstlinux-6.6-yocto-scarthgap-mpu-v26.02.18.
https://onedigi.atlassian.net/browse/DEL-10022
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Enable signed firmware to prevent unauthenticated code on the Cortex-M4
co-processor by verifying images against custom public key from OP-TEE.
https://onedigi.atlassian.net/browse/DEL-9920
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Introduce a configurable variable to enable/disable secure co-processor
firmware when TrustFence is enabled.
https://onedigi.atlassian.net/browse/DEL-9813
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Enable signed firmware to prevent unauthenticated code on the Cortex-M33
co-processor by verifying images against OTP-stored keys.
https://onedigi.atlassian.net/browse/DEL-9813
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Starting with OP-TEE v4.0.0, the use of a test key is no longer supported.
The Hardware Unique Key (HUK) is now always derived from the programmed OTP bits.
As a result, the Digi custom `CFG_OTP_HUK` flag is obsolete and has been removed.
https://onedigi.atlassian.net/browse/DEL-9634
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit imports the sign-stm32mp bbclass from the meta-st-stm32mp layer to
allow customization. The main customization ensures that the search_path()
function does not raise a build exception if the signing tool or keys are not
present in the PATH before starting the build process.
In our case, we do not need to manually install the tools or generate the keys
beforehand, as this is automatically handled by Yocto in our DEY distribution.
https://onedigi.atlassian.net/browse/DEL-9442
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit removes all outdated OPTEE-OS recipes and synchronizes the Digi custom
.bbappend with the latest v4.0.0 from the ST BSP release, based on the
openstlinux-6.6-yocto-scarthgap-mpu-v24.11.06 tag for Yocto 5.0 (scarthgap).
https://onedigi.atlassian.net/browse/DEL-9381
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Arturo Buzarra
Mike Engel
Javier Viguera