How to set "TRUSTED_BOARD_BOOT=1" without "TF_A_SIGN_ENABLE=1" with yocto build?

GChin.1
Associate

Hi @OlivierK,

I am using the OpenSTLinux ecosystem release v3.1.1 and trying to use the secure boot feature with Yocto. As per https://wiki.st.com/stm32mpu-ecosystem-v3/wiki/TF-A_overview we need to set "TRUSTED_BOARD_BOOT=1".

We need to use "TF_A_SIGN_ENABLE=1" to use "TRUSTED_BOARD_BOOT=1" in meta-st-stm32mp.

https://github.com/STMicroelectronics/meta-st-stm32mp/blob/dunfell-3.0.x/recipes-bsp/trusted-firmware-a/tf-a-stm32mp-common.inc#L84

https://github.com/STMicroelectronics/meta-st-stm32mp/blob/dunfell-3.0.x/conf/machine/include/st-machine-common-stm32mp.inc#L524

If TF_A_SIGN_ENABLE=1, then FIP_SIGN_ENABLE will get set as per ecosystem release v3.1.1, which forces us to set FIP_SIGN_KEY_EXTERNAL, FIP_SIGN_KEY, FIP_SIGN_KEY_PASS and TF_A_SIGN_ENABLE as per https://wiki.st.com/stm32mpu/wiki/How_to_perform_Secure_Boot_from_Distribution_package.

I do not want to set FIP_SIGN_KEY_EXTERNAL, FIP_SIGN_KEY and FIP_SIGN_KEY_PASS at the time of build, and want to set them after the build separately with "cert_create".

For example "TRUSTED_BOARD_BOOT=1" and "GENERATE_COT=0" at the time of build.

How to set "TRUSTED_BOARD_BOOT=1" without "TF_A_SIGN_ENABLE=1"?

Thank you.

1 ACCEPTED SOLUTION

Accepted Solutions
OlivierK
ST Employee

Hi GChin.1 (Community Member)

Sorry for the late reply.

If you are only interested in testing secure boot, you don't need TRUSTED_BOARD_BOOT=1. You just want to sign your TF-A (TF_A_SIGN_ENABLE=1); in that case there is no need to sign the FIP.

Only if you've secure closed your chip (in OTP), then you must build your TF-A with TRUSTED_BOARD_BOOT=1; it means that at build time TF-A will check that X509 certificates are present in the FIP. In Yocto it may mean that having TF_A_SIGN_ENABLE=1 might also be linked to the FIP signature.

https://wiki.st.com/stm32mpu/wiki/How_to_perform_Secure_Boot_from_Distribution_package

You can refer to this page to sign your binaries before building the image; it is based on the OSTL DV4.1 but is worth a try on DV3.1.1.

Regards,

Olivier
