FAQs
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

How to disable ROTPK_NOT_DEPLOYED in production build

GChin.1
Associate II

‎2025-07-08 8:04 PM

How to disable ROTPK_NOT_DEPLOYED in production build?

Porting guideline https://github.com/STMicroelectronics/arm-trusted-firmware/blob/v2.6-stm32mp-r2.1/docs/getting_started/porting-guide.rst  says that ROTPK_NOT_DEPLOYED This flag must not be used in a deployed production environment.

If secure boot enabled and if ROTPK_NOT_DEPLOYED flag not disabled then it gives message while boot.

  1. NOTICE: ROTPK is not deployed on platform. Skipping ROTPK verification.

  2. NOTICE: ROTPK is not deployed on platform. Skipping ROTPK verification.

  3. NOTICE: ROTPK is not deployed on platform. Skipping ROTPK verification.

 

How to disable ROTPK_NOT_DEPLOYED in production build?

 I am using STM32MP157F-DK2 board and using TFA 2.6 https://github.com/STMicroelectronics/arm-trusted-firmware/blob/v2.6-stm32mp-r2.1/plat/st/common/stm32mp_trusted_boot.c#L168.

 

Thank you

 

Labels:
0 Kudos
1 REPLY 1
GChin.1
Associate II

‎2025-07-09 5:31 PM

In the function plat_get_rotpk_info in plat/st/common/stm32mp_trusted_boot.c if device is not closed then STM are enabling ROTPK_NOT_DEPLOYED.

https://github.com/STMicroelectronics/arm-trusted-firmware/blob/v2.6-stm32mp-r2.1/plat/st/common/stm32mp_trusted_boot.c#L168

if ((res == 0) && !stm32mp_is_closed_device()) {
*flags |= ROTPK_NOT_DEPLOYED;
}

Does it means that if device is closed then ROTPK_NOT_DEPLOYED will get disabled as expected in Porting guideline (https://github.com/STMicroelectronics/arm-trusted-firmware/blob/v2.6-stm32mp-r2.1/docs/getting_started/porting-guide.rst  says that ROTPK_NOT_DEPLOYED This flag must not be used in a deployed production environment).

@OlivierK 

0 Kudos
Top