From: Lionel Debieve Date: Wed, 5 Oct 2022 14:52:09 +0000 (+0200) Subject: feat(stm32mp1): add a check on TRUSTED_BOARD_BOOT with secure chip X-Git-Tag: baikal/aarch64/sdk5.9~16^2~5 X-Git-Url: https://git.baikalelectronics.ru/?a=commitdiff_plain;h=54007c37d560dd170efa52a79feb206aefb90ed4;p=arm-tf.git feat(stm32mp1): add a check on TRUSTED_BOARD_BOOT with secure chip Add a security check to enforce the usage of TRUSTED_BOARD_BOOT on closed device. It will guarantee the secure bootchain. Change-Id: Id6120d0e5041e8f2d3866e5710876ec96b6d0216 Signed-off-by: Lionel Debieve --- diff --git a/plat/st/stm32mp1/bl2_plat_setup.c b/plat/st/stm32mp1/bl2_plat_setup.c index 57efb80ef..c64a618e2 100644 --- a/plat/st/stm32mp1/bl2_plat_setup.c +++ b/plat/st/stm32mp1/bl2_plat_setup.c @@ -341,6 +341,14 @@ void bl2_el3_plat_arch_setup(void) } skip_console_init: +#if !TRUSTED_BOARD_BOOT + if (stm32mp_is_closed_device()) { + /* Closed chip mandates authentication */ + ERROR("Secure chip: TRUSTED_BOARD_BOOT must be enabled\n"); + panic(); + } +#endif + if (fixed_regulator_register() != 0) { panic(); }
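Review bot: the new `#if !TRUSTED_BOARD_BOOT` block sits directly under the `skip_console_init:` label, so on any path that jumps to that label without a console the `ERROR("Secure chip: ...")` text may never be emitted and the board simply stops in `panic()` with no hint of the cause. The fail-closed behaviour is right for a closed device, but consider stating the requirement in the platform documentation and build notes as well (closed devices must be built with `TRUSTED_BOARD_BOOT=1`), so the constraint is discoverable before a non-authenticating BL2 is flashed onto a closed part. A smaller wording point in the same block: the commit message and `stm32mp_is_closed_device()` say "closed device" while the log string and comment say "Secure chip" and "Closed chip"; using one term throughout, for example "Closed device: TRUSTED_BOARD_BOOT must be enabled", makes the message easier to grep and to match against the documentation.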