Visitor II
February 12, 2023
Solved

How to set "TRUSTED_BOARD_BOOT=1" without "TF_A_SIGN_ENABLE=1" with yocto build?

  • February 12, 2023
  • 1 reply
  • 2097 views

Hi @OlivierK​ ,

I am using OpenSTLinux ecosystem release v3.1.1 and trying to use the secure boot feature with Yocto, and as per https://wiki.st.com/stm32mpu-ecosystem-v3/wiki/TF-A_overview we need to set "TRUSTED_BOARD_BOOT=1".

We need to use "TF_A_SIGN_ENABLE=1" to use "TRUSTED_BOARD_BOOT=1" in meta-st-stm32mp:

https://github.com/STMicroelectronics/meta-st-stm32mp/blob/dunfell-3.0.x/recipes-bsp/trusted-firmware-a/tf-a-stm32mp-common.inc#L84

https://github.com/STMicroelectronics/meta-st-stm32mp/blob/dunfell-3.0.x/conf/machine/include/st-machine-common-stm32mp.inc#L524

If TF_A_SIGN_ENABLE=1, then FIP_SIGN_ENABLE gets set as per ecosystem release v3.1.1, which forces setting FIP_SIGN_KEY_EXTERNAL, FIP_SIGN_KEY, FIP_SIGN_KEY_PASS and TF_A_SIGN_ENABLE as per https://wiki.st.com/stm32mpu/wiki/How_to_perform_Secure_Boot_from_Distribution_package.

I do not want to set FIP_SIGN_KEY_EXTERNAL, FIP_SIGN_KEY and FIP_SIGN_KEY_PASS at build time; I want to set them separately after the build with "cert_create".

For example, "TRUSTED_BOARD_BOOT=1" and "GENERATE_COT=0" at build time.

How to set "TRUSTED_BOARD_BOOT=1" without "TF_A_SIGN_ENABLE=1"?

Thank you.

    This topic has been closed for replies.
    Best answer by OlivierK

    Hi GChin.1 (Community Member)

    Sorry for the late reply.

    If you are only interested in testing the secure boot, you don't need TRUSTED_BOARD_BOOT=1. You just want to sign your TF-A (TF_A_SIGN_ENABLE=1); in that case there is no need to sign the FIP.

    Only if you've secure-closed your chip (in OTP), then you must build your TF-A with TRUSTED_BOARD_BOOT=1; it means that at build time TF-A will check that X509 certificates are present in the FIP. In Yocto it may mean that having TF_A_SIGN_ENABLE=1 might also be linked to the FIP signature.

    https://wiki.st.com/stm32mpu/wiki/How_to_perform_Secure_Boot_from_Distribution_package

    You can refer to this page to sign your binaries before building the image; it is based on OSTL DV4.1 but worth a try on DV3.1.1.

    Regards,

    Olivier
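    As an added example that is not part of the original thread and not ST's or TF-A's own tooling: OlivierK's point that a TRUSTED_BOARD_BOOT=1 TF-A expects X509 certificates inside the FIP, and the question's plan of adding them after the Yocto build with cert_create, both call for a way to see what a given FIP actually contains before it goes onto a closed device. The script below parses the FIP table of contents (layout as in TF-A's firmware_image_package.h: 16-byte header with magic 0xAA640001, 40-byte entries, zero-UUID terminator) and reports which chain-of-trust entries are present. Assumptions: the UUID-to-name table is transcribed from that header from memory and is partial, so verify it against the TF-A tree you build from; the sample FIPs, the DER-shaped stand-in certificates and the UUID 11111111-2222-4333-8444-555555555555 are constructed here and are not real build output.

```python
"""Inspect a TF-A FIP table of contents and report whether the chain-of-
trust certificates a TRUSTED_BOARD_BOOT=1 BL2 looks for are present.
Added example for this thread, not ST's or TF-A's tooling.  Layout (16-byte
header, magic 0xAA640001, 40-byte ToC entries, zero-UUID terminator) follows
TF-A's firmware_image_package.h; the UUID table is transcribed from memory
and partial, so verify it against the TF-A tree you build (assumption)."""
import struct
import uuid as uuidlib

FIP_TOC_HEADER_NAME = 0xAA640001
HEADER = struct.Struct("<IIQ")      # name, serial_number, flags
ENTRY = struct.Struct("<16sQQQ")    # uuid, offset_address, size, flags

KNOWN = {  # uuid -> (fiptool option name, is a certificate); unknowns still listed
    "5ff9ec0b-4d22-3e4d-a544-c39d81c73f0a": ("tb-fw", False),
    "05d0e189-53dc-1347-8d2b-500a4b7a3e38": ("tos-fw", False),
    "d6d0eea7-fcea-d54b-9782-9934f234b6e4": ("nt-fw", False),
    "827ee890-f860-e411-a1b4-777a21b4f94c": ("trusted-key-cert", True),
    "d6e269ea-5d63-e411-8d8c-9fbabe9956a5": ("tb-fw-cert", True),
    "8ab8becc-960f-e411-9fe5-4db54ff4efcb": ("soc-fw-key-cert", True),
    "e2b20c20-5e63-e411-9ce8-abccf92bb666": ("soc-fw-cert", True),
    "9477d603-fb60-e411-85dd-b7105b8cee04": ("tos-fw-key-cert", True),
    "a49f4411-5e63-e411-8728-3f05722af33d": ("tos-fw-cert", True),
    "8ec4c1f3-5d63-e411-a7a9-87ee40b23fa5": ("nt-fw-cert", True),
}

def looks_like_der_cert(blob):
    """Structural check only (no signature check): one DER SEQUENCE spanning the blob, first element a SEQUENCE."""
    if len(blob) < 4 or blob[0] != 0x30:
        return False
    if blob[1] < 0x80:                       # short-form length
        length, body = blob[1], 2
    else:                                    # long form: 0x8n + n length bytes
        n = blob[1] & 0x7F
        if n == 0 or n > 4 or len(blob) < 2 + n:
            return False
        length, body = int.from_bytes(blob[2:2 + n], "big"), 2 + n
    return length > 0 and body + length == len(blob) and blob[body] == 0x30

def parse_fip(data):
    """Walk the ToC; reject bad magic, an unterminated ToC, or an entry past the end (truncated dump)."""
    if len(data) < HEADER.size:
        raise ValueError("too short for a FIP header")
    magic = HEADER.unpack_from(data, 0)[0]
    if magic != FIP_TOC_HEADER_NAME:
        raise ValueError("bad FIP magic 0x%08X" % magic)
    entries, pos = [], HEADER.size
    while True:
        if pos + ENTRY.size > len(data):
            raise ValueError("ToC has no terminator entry")
        raw, off, size, _flags = ENTRY.unpack_from(data, pos)
        pos += ENTRY.size
        if raw == bytes(16):                 # null-UUID terminator
            return entries
        if off + size > len(data):
            raise ValueError("entry %s runs past end of image" % raw.hex())
        uid = str(uuidlib.UUID(bytes=raw))   # stored byte-for-byte, same digit order as fiptool
        name, is_cert = KNOWN.get(uid, ("unknown", False))
        entries.append({"uuid": uid, "name": name, "offset": off, "size": size,
                        "is_cert": is_cert,
                        "der_shaped": looks_like_der_cert(data[off:off + size])})

def chain_of_trust_report(entries):
    """What a TBB-enabled BL2 would find: named cert entries, plus DER-shaped entries under unknown UUIDs."""
    named = sorted(e["name"] for e in entries if e["is_cert"])
    unnamed = [e["uuid"] for e in entries if e["der_shaped"] and not e["is_cert"]]
    return {"named_certs": named, "unnamed_der_entries": unnamed,
            "has_trusted_key_cert": "trusted-key-cert" in named}

def build_fip(images):
    """Lay a FIP out like fiptool with --align 1: header, ToC, terminator (offset = total size), payloads."""
    toc, body, off = b"", b"", HEADER.size + ENTRY.size * (len(images) + 1)
    for uid, payload in images:
        toc += ENTRY.pack(uuidlib.UUID(uid).bytes, off, len(payload), 0)
        body, off = body + payload, off + len(payload)
    toc += ENTRY.pack(bytes(16), off, 0, 0)
    return HEADER.pack(FIP_TOC_HEADER_NAME, 0x12345678, 0) + toc + body

def fake_der_cert(n):
    """Constructed stand-in for cert_create output: SEQUENCE{SEQUENCE{..}} of exactly n bytes (n >= 8)."""
    inner = b"\x30\x82" + (n - 8).to_bytes(2, "big") + b"\xAA" * (n - 8)
    return b"\x30\x82" + len(inner).to_bytes(2, "big") + inner

# Constructed sample FIPs: images only (what a plain TF_A_SIGN_ENABLE build
# leaves), and the same plus a chain of trust and one made-up-UUID entry.
TOS_FW, NT_FW = "05d0e189-53dc-1347-8d2b-500a4b7a3e38", "d6d0eea7-fcea-d54b-9782-9934f234b6e4"
IMAGES = [(TOS_FW, b"\x0b\x00\x00\xea" * 16), (NT_FW, b"\x00\x00\xa0\xe3" * 32)]
UNSIGNED_FIP = build_fip(IMAGES)
SIGNED_FIP = build_fip(IMAGES + [
    ("827ee890-f860-e411-a1b4-777a21b4f94c", fake_der_cert(300)),
    ("9477d603-fb60-e411-85dd-b7105b8cee04", fake_der_cert(280)),
    ("a49f4411-5e63-e411-8728-3f05722af33d", fake_der_cert(296)),
    ("8ec4c1f3-5d63-e411-a7a9-87ee40b23fa5", fake_der_cert(296)),
    ("11111111-2222-4333-8444-555555555555", fake_der_cert(200))])  # made-up UUID

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SIGNED_FIP
    for e in parse_fip(data):
        print("%-36s %-16s size=%5d der=%s" % (e["uuid"], e["name"], e["size"], e["der_shaped"]))
    print(chain_of_trust_report(parse_fip(data)))
```

    Run it as `python3 fip_inspect.py fip.bin` on the FIP the Yocto build produced: an image-only FIP (TF_A_SIGN_ENABLE=1 without FIP signing) reports no certificate entries, while a FIP that went through cert_create and fiptool reports the trusted-key-cert and the per-image key and content certificates. Cross-check the names against `fiptool info`, since the table here is partial; the DER-shape column only tells you an entry is certificate-shaped, not that it validates against the ROT key in OTP.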

    1 reply: the accepted answer above, posted by OlivierK (Technical Moderator) on March 16, 2023.