Visitor II
July 25, 2024
Question

Secure Boot on STM32MP157C: "ERROR: Secured chip must enable TRUSTED_BOARD_BOOT"

  • July 25, 2024
  • 4 replies
  • 2260 views

Hello STM32 MPU Community,

I am currently working on enabling secure boot on the STM32MP157C and have been following the instructions from this STMicroelectronics Wiki. 

I am using a serial cable to view the U-Boot terminal. Upon startup, the terminal displays the message shown in the attached image. I am booting from an SD card, and the process halts with the following error message:

```
ERROR: Secured chip must enable TRUSTED_BOARD_BOOT
```

I would greatly appreciate any guidance or steps to resolve this issue. Has anyone else encountered this problem, and if so, what solutions have you found effective?

Thank you in advance for your assistance!

Best regards

    This topic has been closed for replies.

    4 replies

    Technical Moderator
    July 29, 2024

    Hello @ao2-yekeen,

    If you have the trace

    NOTICE: Bootrom authentication succeeded

    it means that the ROM code authentication succeeded.

    After that the next step is to flash a TF-A built with the TRUSTED_BOARD_BOOT enabled as explained in the wiki page "How To Enable Secure Boot on STM32MPU".

     

    The option TRUSTED_BOARD_BOOT=1 is normally enabled in the distribution package if you followed this chapter of the page:

    https://wiki.st.com/stm32mpu/wiki/How_to_perform_Secure_Boot_from_Distribution_package#Generate_Distribution_package_with_signed_binaries

    Where you add SIGN_ENABLE in the local.conf:

    echo 'SIGN_ENABLE = "1" ' >> conf/local.conf 

    If you look at the trusted-firmware-a layer, you can see that enabling "SIGN_ENABLE" enables "TRUSTED_BOARD_BOOT", which seems to be missing in your setup.

    tf-a-stm32mp.inc:134:EXTRA_OEMAKE += "${@bb.utils.contains('SIGN_ENABLE', '1', 'TRUSTED_BOARD_BOOT=1', '', d)}"
    

    Hope it helps,

    Best Regards,

    Kevin

    Visitor II
    July 30, 2024

    Hi Kevin,

    I already have it enabled in my Yocto build, as shown below, but the error persists.

    [Attached screenshot: ao2yekeen_0-1722266297240.png]

     

    Kind regards,

    Basit

    Technical Moderator
    August 7, 2024

    Hello @ao2-yekeen,

    This should normally work. I will give it a try on my side and see if it works.

    Just to be sure, in the screenshot that you shared, it looks like there is a "#" at the beginning of each line, which means that the lines are commented out in the "local.conf" and therefore not taken into account.

    Can you confirm that they appear without the "#" at the beginning of the line in the configuration file?

    Or if you can share the whole local.conf file (without the passkey).

     

    Best Regards,
    Kevin
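
The check discussed in the reply above, as an added example (not code from the thread or from ST's layers): a simplified Python reading of a local.conf that reports whether an uncommented SIGN_ENABLE would make the quoted `bb.utils.contains` expression emit `TRUSTED_BOARD_BOOT=1`. It assumes SIGN_ENABLE is set only in this one file with plain quoted assignments; the function names and the sample contents are constructed for illustration.

```python
import re

# Simplified BitBake assignment: optional leading '#', VAR, operator, "value".
ASSIGN = re.compile(
    r'^\s*(?P<hash>#\s*)?(?P<var>\w+)\s*(?P<op>\?\?=|\?=|:=|=)\s*"(?P<val>[^"]*)"\s*$')

def effective_value(conf_text, var):
    """Return (value, commented_line_numbers) for var in one conf file."""
    value, weak, commented = None, None, []
    for n, line in enumerate(conf_text.splitlines(), 1):
        m = ASSIGN.match(line)
        if not m or m["var"] != var:
            continue
        if m["hash"]:
            commented.append(n)            # comment: BitBake never parses it
        elif m["op"] in ("=", ":="):
            value = m["val"]               # hard assignment, last one wins
        elif m["op"] == "?=" and value is None:
            value = m["val"]               # default, only if still unset
        elif m["op"] == "??=":
            weak = m["val"]                # weak default, used if nothing else set
    return (value if value is not None else weak), commented

def contains(value, checkvalues, truevalue, falsevalue):
    """Same subset test as bb.utils.contains, on an already-resolved value."""
    if not value:
        return falsevalue
    return truevalue if set(checkvalues.split()) <= set(value.split()) else falsevalue

def tfa_make_flag(conf_text):
    """What the quoted EXTRA_OEMAKE line would append for this conf text."""
    value, commented = effective_value(conf_text, "SIGN_ENABLE")
    return contains(value, "1", "TRUSTED_BOARD_BOOT=1", ""), commented

# Constructed samples (not the poster's file).
COMMENTED = 'MACHINE = "stm32mp1"\n#SIGN_ENABLE = "1"\n'
ACTIVE = 'MACHINE = "stm32mp1"\nSIGN_ENABLE = "1" \n'

if __name__ == "__main__":
    for name, text in (("commented", COMMENTED), ("active", ACTIVE)):
        flag, commented = tfa_make_flag(text)
        print(f"{name}: flag={flag!r} commented-out lines={commented}")
```

On a real build tree, `bitbake -e` for the TF-A recipe shows the value BitBake actually resolved across all configuration files, which this single-file reading cannot.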

    Visitor II
    September 19, 2024

    Hi, Kevin,

    Attached below are the contents of my local.conf file.

    Kind regards,

    Basit