2025-07-08 8:04 PM
How to disable ROTPK_NOT_DEPLOYED in production build?
The porting guide https://github.com/STMicroelectronics/arm-trusted-firmware/blob/v2.6-stm32mp-r2.1/docs/getting_started/porting-guide.rst says of ROTPK_NOT_DEPLOYED: "This flag must not be used in a deployed production environment."
If secure boot is enabled and the ROTPK_NOT_DEPLOYED flag is not disabled, then it gives this message during boot:
NOTICE: ROTPK is not deployed on platform. Skipping ROTPK verification.
NOTICE: ROTPK is not deployed on platform. Skipping ROTPK verification.
NOTICE: ROTPK is not deployed on platform. Skipping ROTPK verification.
How to disable ROTPK_NOT_DEPLOYED in production build?
I am using the STM32MP157F-DK2 board and TFA 2.6 https://github.com/STMicroelectronics/arm-trusted-firmware/blob/v2.6-stm32mp-r2.1/plat/st/common/stm32mp_trusted_boot.c#L168.
Thank you
2025-07-09 5:31 PM
In the function plat_get_rotpk_info in plat/st/common/stm32mp_trusted_boot.c, if the device is not closed then STM are enabling ROTPK_NOT_DEPLOYED:
    if ((res == 0) && !stm32mp_is_closed_device()) {
        *flags |= ROTPK_NOT_DEPLOYED;
    }
Does it mean that if the device is closed then ROTPK_NOT_DEPLOYED will get disabled, as expected in the porting guideline (https://github.com/STMicroelectronics/arm-trusted-firmware/blob/v2.6-stm32mp-r2.1/docs/getting_started/porting-guide.rst says of ROTPK_NOT_DEPLOYED: "This flag must not be used in a deployed production environment")?
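A stand-alone C model of the condition quoted above, added here as an illustration; it is not ST's or TF-A's code. The flag bit values, the 4-byte hash, `device_closed`, `model_get_rotpk_info` and `model_check_rotpk` are assumptions, and the caller's skip-on-flag behaviour is inferred from the NOTICE message in the first post.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define ROTPK_IS_HASH      (1U << 0)   /* bit values assumed for this model */
#define ROTPK_NOT_DEPLOYED (1U << 1)

static bool device_closed;             /* stand-in for the device's closed state */
static const unsigned char otp_rotpk_hash[4] = {0xde, 0xad, 0xbe, 0xef}; /* constructed */
static bool stm32mp_is_closed_device(void) { return device_closed; }

/* Model of the platform hook: same condition as the snippet quoted above. */
static int model_get_rotpk_info(const unsigned char **hash, unsigned int *flags)
{
	int res = 0;                       /* assume the stored hash was read successfully */
	*hash = otp_rotpk_hash;
	*flags = ROTPK_IS_HASH;
	if ((res == 0) && !stm32mp_is_closed_device()) {
		*flags |= ROTPK_NOT_DEPLOYED;
	}
	return res;
}

/* Model of the caller: 0 = image key accepted, -1 = rejected.
 * *checked reports whether the key hash was actually compared. */
static int model_check_rotpk(const unsigned char *img_key_hash, bool *checked)
{
	const unsigned char *hash;
	unsigned int flags;
	*checked = false;
	if (model_get_rotpk_info(&hash, &flags) != 0) {
		return -1;
	}
	if ((flags & ROTPK_NOT_DEPLOYED) != 0U) {
		printf("NOTICE: ROTPK is not deployed on platform. Skipping ROTPK verification.\n");
		return 0;                      /* no comparison made: any key passes */
	}
	*checked = true;
	return (memcmp(img_key_hash, hash, sizeof(otp_rotpk_hash)) == 0) ? 0 : -1;
}

int main(void)
{
	const unsigned char wrong[4] = {0, 0, 0, 0};   /* constructed, mismatching hash */
	bool checked;
	for (int closed = 0; closed <= 1; closed++) {
		device_closed = (closed != 0);
		int rc = model_check_rotpk(wrong, &checked);
		printf("closed=%d rc=%d hash_checked=%d\n", closed, rc, checked);
	}
	return 0;
}
```

In this model the flag, and with it the NOTICE line, depends only on the closed state, so a boot log from a production unit that still shows the NOTICE indicates the unit is being treated as open.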