How to set "TRUSTED_BOARD_BOOT=1" without "TF_A_SIGN_ENABLE=1" with yocto build?

GChin.1
Associate II

Hi @OlivierK​ ,

I am using openstlinux ecosystem release v3.1.1 and trying to use the secure boot feature with yocto, and as per https://wiki.st.com/stm32mpu-ecosystem-v3/wiki/TF-A_overview we need to set "TRUSTED_BOARD_BOOT=1".

We need to use "TF_A_SIGN_ENABLE=1" to use "TRUSTED_BOARD_BOOT=1" in meta-st-stm32mp.

https://github.com/STMicroelectronics/meta-st-stm32mp/blob/dunfell-3.0.x/recipes-bsp/trusted-firmware-a/tf-a-stm32mp-common.inc#L84.

https://github.com/STMicroelectronics/meta-st-stm32mp/blob/dunfell-3.0.x/conf/machine/include/st-machine-common-stm32mp.inc#L524.

If TF_A_SIGN_ENABLE=1, then FIP_SIGN_ENABLE gets set (as of ecosystem release v3.1.1), which forces setting FIP_SIGN_KEY_EXTERNAL, FIP_SIGN_KEY, FIP_SIGN_KEY_PASS and TF_A_SIGN_ENABLE, as per https://wiki.st.com/stm32mpu/wiki/How_to_perform_Secure_Boot_from_Distribution_package.

I do not want to set FIP_SIGN_KEY_EXTERNAL, FIP_SIGN_KEY or FIP_SIGN_KEY_PASS at build time; I want to set them separately after the build with "cert_create".

For example "TRUSTED_BOARD_BOOT=1" and "GENERATE_COT=0" at the time of build.

How to set "TRUSTED_BOARD_BOOT=1" without "TF_A_SIGN_ENABLE=1"?

Thank you.

Accepted Solution
OlivierK
ST Employee

Hi GChin.1 (Community Member)

Sorry for the late reply.

If you are only interested in testing the secure boot, you don't need TRUSTED_BOARD_BOOT=1. You just want to sign your TF-A (TF_A_SIGN_ENABLE=1); in that case there is no need to sign the FIP.

Only if you have secure-closed your chip (in OTP) must you build your TF-A with TRUSTED_BOARD_BOOT=1; it means that at build time TF-A will check that X509 certificates are present in the FIP. In Yocto it may mean that having TF_A_SIGN_ENABLE=1 is also linked to the FIP signature.

https://wiki.st.com/stm32mpu/wiki/How_to_perform_Secure_Boot_from_Distribution_package

You can refer to this page to sign your binaries before building the image; it is based on OSTL DV4.1 but is worth a try on DV3.1.1.

Regards,

Olivier
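The reply above says that a TF-A built with TRUSTED_BOARD_BOOT=1 expects X509 certificates to be present in the FIP, and the question wants to add them after the Yocto build with cert_create. The script below is an added example for this thread (it is not ST's or TF-A's code, and not from the wiki page linked above) of a post-build sanity check to run on fip.bin before flashing a secure-closed device: it parses the FIP table of contents in the layout TF-A's fiptool writes (a 16-byte header whose name field is 0xAA640001, then 40-byte entries of UUID, offset, size and flags, terminated by an all-zero UUID) and flags every entry whose payload has the outer DER shape of an X.509 Certificate, i.e. SEQUENCE { tbsCertificate SEQUENCE, signatureAlgorithm SEQUENCE, signatureValue BIT STRING }. Only the structure is checked, not the signature. The two sample FIPs, the placeholder UUIDs and the stub certificate are constructed inline for the example; they are not the real TF-A image UUIDs and the stub is not a valid certificate.

```python
"""Check whether a TF-A FIP image carries X.509 certificates.

Added example for this thread, not ST or TF-A code.  The ToC layout is
the one written by TF-A's fiptool; the UUIDs and the certificate below
are constructed placeholders, not real TF-A image UUIDs or a real cert.
"""
import struct
import uuid

FIP_TOC_HEADER_NAME = 0xAA640001       # 'name' field of a valid FIP header
TOC_HEADER = struct.Struct("<IIQ")     # name, serial_number, flags
TOC_ENTRY = struct.Struct("<16sQQQ")   # uuid, offset_address, size, flags
NULL_UUID = bytes(16)                  # all-zero UUID terminates the ToC


def parse_fip(blob):
    """Return [(uuid.UUID, payload bytes)] for every ToC entry of a FIP."""
    if len(blob) < TOC_HEADER.size:
        raise ValueError("too short to be a FIP")
    name, _serial, _flags = TOC_HEADER.unpack_from(blob, 0)
    if name != FIP_TOC_HEADER_NAME:
        raise ValueError("bad FIP header name 0x%08x" % name)
    entries, pos = [], TOC_HEADER.size
    while True:
        if pos + TOC_ENTRY.size > len(blob):
            raise ValueError("ToC not terminated by a null UUID")
        raw_uuid, offset, size, _eflags = TOC_ENTRY.unpack_from(blob, pos)
        pos += TOC_ENTRY.size
        if raw_uuid == NULL_UUID:
            return entries
        if offset + size > len(blob):
            raise ValueError("entry %s points outside the image" % uuid.UUID(bytes=raw_uuid))
        entries.append((uuid.UUID(bytes=raw_uuid), blob[offset:offset + size]))


def _der_tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                               # short-form length
        length, hdr = first, 2
    else:                                          # long form: 0x8n then n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or pos + 2 + n > len(buf):
            raise ValueError("bad DER length")
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, start, end


def looks_like_x509(payload):
    """True if payload is exactly SEQUENCE { SEQUENCE, SEQUENCE, BIT STRING },
    the outer shape of an X.509 Certificate.  Structure only, no signature check."""
    try:
        tag, pos, end = _der_tlv(payload, 0)
        if tag != 0x30 or end != len(payload):
            return False
        tags = []
        while pos < end and len(tags) < 3:
            t, _, pos = _der_tlv(payload, pos)
            tags.append(t)
        return tags == [0x30, 0x30, 0x03] and pos == end
    except ValueError:
        return False


def fip_summary(blob):
    """List (uuid string, size, is_certificate) for every entry in the FIP."""
    return [(str(u), len(p), looks_like_x509(p)) for u, p in parse_fip(blob)]


def has_certificates(blob):
    """True if at least one FIP entry looks like an X.509 certificate."""
    return any(is_cert for _, _, is_cert in fip_summary(blob))


# --- constructed sample data: not real firmware, UUIDs or certificates ------
def _der(tag, body):
    """Minimal DER encoder, used only to build the stub certificate below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_fip(entries, serial=0x12345678):
    """Pack (uuid, payload) pairs into a FIP with unaligned, back-to-back payloads."""
    toc = TOC_HEADER.pack(FIP_TOC_HEADER_NAME, serial, 0)
    offset = TOC_HEADER.size + TOC_ENTRY.size * (len(entries) + 1)
    body = b""
    for entry_uuid, payload in entries:
        toc += TOC_ENTRY.pack(entry_uuid.bytes, offset, len(payload), 0)
        body += payload
        offset += len(payload)
    return toc + TOC_ENTRY.pack(NULL_UUID, offset, 0, 0) + body


UUID_FW_PLACEHOLDER = uuid.UUID("00000000-0000-0000-0000-000000000001")    # placeholder
UUID_CERT_PLACEHOLDER = uuid.UUID("00000000-0000-0000-0000-000000000002")  # placeholder
FW_STUB = b"\x7fELF" + bytes(60)      # stands in for a BL31 / U-Boot payload
# Stub with a certificate's outer shape: tbs SEQUENCE, sha256WithRSAEncryption OID, dummy BIT STRING
CERT_STUB = _der(0x30, _der(0x30, _der(0x02, b"\x01"))
                 + _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))
                 + _der(0x03, b"\x00" + b"\xab" * 32))

UNSIGNED_FIP = build_fip([(UUID_FW_PLACEHOLDER, FW_STUB)])
SIGNED_FIP = build_fip([(UUID_FW_PLACEHOLDER, FW_STUB), (UUID_CERT_PLACEHOLDER, CERT_STUB)])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SIGNED_FIP
    for entry_id, size, is_cert in fip_summary(data):
        print("%s  %6d bytes  %s" % (entry_id, size, "X.509 cert" if is_cert else "payload"))
    print("chain-of-trust certificates present:", has_certificates(data))
```

Pass the real fip.bin as the first argument to list its entries. A FIP that fails this check will not satisfy a TRUSTED_BOARD_BOOT=1 TF-A, so it is a cheap gate before a boot test; a FIP that passes can still be rejected at boot if the certificates were not signed with the key whose hash is provisioned in OTP, so it complements rather than replaces a boot test on the closed device.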