feat(stm32mp1): add the decryption support
Add the decryption support for STM32MP1 binaries.
Decryption is limited to the BL32 loaded images.
Limitation: STM32MP15 doesn't support the feature.
Change-Id: I96800bac7b22109f8471eb2953fc0dc269fc4fd1
Signed-off-by: Lionel Debieve <lionel.debieve@foss.st.com>
diff --git a/plat/st/stm32mp1/platform.mk b/plat/st/stm32mp1/platform.mk
index def5eae..594fe0b 100644
--- a/plat/st/stm32mp1/platform.mk
+++ b/plat/st/stm32mp1/platform.mk
@@ -87,6 +87,11 @@
$(eval $(call add_defines,STM32MP15_OPTEE_RSV_SHM))
STM32MP_CRYPTO_ROM_LIB := 1
+
+# Decryption support
+ifneq ($(DECRYPTION_SUPPORT),none)
+$(error "DECRYPTION_SUPPORT not supported on STM32MP15")
+endif
endif
# STM32 image header binary type for BL2
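Review bot: The message passed to `$(error ...)` on the added line is wrapped in double quotes, which make prints literally, so they can be dropped: `$(error DECRYPTION_SUPPORT is not supported on STM32MP15)`. The `ifneq ($(DECRYPTION_SUPPORT),none)` test also fires when the variable is empty or unset, so it relies on a default of `none` being assigned before this file is parsed. That default is not visible in the hunk and should be confirmed. The enclosing `ifeq` block starts outside the hunk.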
@@ -221,10 +226,10 @@
# Add the build options to pack Trusted OS Extra1 and Trusted OS Extra2 images
# in the FIP if the platform requires.
ifneq ($(BL32_EXTRA1),)
-$(eval $(call TOOL_ADD_IMG,BL32_EXTRA1,--tos-fw-extra1))
+$(eval $(call TOOL_ADD_IMG,BL32_EXTRA1,--tos-fw-extra1,,$(ENCRYPT_BL32)))
endif
ifneq ($(BL32_EXTRA2),)
-$(eval $(call TOOL_ADD_IMG,BL32_EXTRA2,--tos-fw-extra2))
+$(eval $(call TOOL_ADD_IMG,BL32_EXTRA2,--tos-fw-extra2,,$(ENCRYPT_BL32)))
endif
endif
endif
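Review bot: Both `TOOL_ADD_IMG` calls now forward `$(ENCRYPT_BL32)`, but nothing visible in this file checks that `ENCRYPT_BL32=1` is paired with a `DECRYPTION_SUPPORT` value other than `none`. Unless the generic build already enforces that, a FIP could be packed with encrypted Extra1/Extra2 images that a BL2 built without `drivers/io/io_encrypted.c` cannot load. On STM32MP15 the first hunk's guard would not catch this, since it only tests `DECRYPTION_SUPPORT`. A check such as `ifeq ($(DECRYPTION_SUPPORT)-$(ENCRYPT_BL32),none-1)` followed by `$(error ENCRYPT_BL32 requires DECRYPTION_SUPPORT)` would fail the build early. The surrounding `ifneq`/`endif` nesting continues outside the hunk.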
@@ -387,6 +392,10 @@
drivers/st/crypto/stm32_hash.c \
plat/st/stm32mp1/bl2_plat_setup.c
+ifneq (${DECRYPTION_SUPPORT},none)
+BL2_SOURCES += drivers/io/io_encrypted.c
+endif
+
ifeq (${TRUSTED_BOARD_BOOT},1)
AUTH_SOURCES := drivers/auth/auth_mod.c \
drivers/auth/crypto_mod.c \
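Review bot: The new `ifneq (${DECRYPTION_SUPPORT},none)` block has no comment and sits outside the `TRUSTED_BOARD_BOOT` block that follows, so BL2 can apparently be built with decryption enabled but without the authentication sources. If that combination is intended, a comment should say so, for example `# Encrypted IO layer used by BL2 for BL32 images; independent of TRUSTED_BOARD_BOOT`. If it is not intended, the build should reject it here. The `AUTH_SOURCES` assignment continues past the end of the hunk.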
diff --git a/plat/st/stm32mp1/stm32mp1_def.h b/plat/st/stm32mp1/stm32mp1_def.h
index 002b6aa..5d7c2ff 100644
--- a/plat/st/stm32mp1/stm32mp1_def.h
+++ b/plat/st/stm32mp1/stm32mp1_def.h
@@ -451,6 +451,7 @@
#define MONOTONIC_OTP "monotonic_otp"
#define UID_OTP "uid_otp"
#define PKH_OTP "pkh_otp"
+#define ENCKEY_OTP "enckey_otp"
#define BOARD_ID_OTP "board_id"
/* OTP mask */