fix(tc): enable certificate on the last secure partition

Distros (e.g. Buildroot and Android) can have different secure partition
layout.

This commit iterates the DPE metadata table and finds index (i) for the
first entry of the secure partition, connecting with the defined secure
partition number NUM_SP, so the last secure partition index is:

   i + NUM_SP - 1

Instead of setting the certificate in hard code, dynamically enables the
certificate for the last secure partition base on calculated index.

Signed-off-by: Ben Horgan <ben.horgan@arm.com>
Signed-off-by: Leo Yan <leo.yan@arm.com>
Change-Id: Idd11b4f463bf5ccc8d82cd06bd21deeebbda67d9

plat/arm/board/tc/tc_bl2_dpe.c

@@ -120,7 +120,7 @@ struct dpe_metadata tc_dpe_metadata[] = {
 		.sw_type = MBOOT_SP1_STRING,
 		.allow_new_context_to_derive = false,
 		.retain_parent_context = true,
-		.create_certificate = true, /* With Trusty only one SP is loaded */
+		.create_certificate = false,
 		.target_locality = LOCALITY_NONE, /* won't derive don't care */
 		.pk_oid = NULL },
 	{
@@ -230,10 +230,33 @@ void plat_dpe_get_context_handle(int *ctx_handle)
 
 void bl2_plat_mboot_init(void)
 {
+	size_t i;
+	const size_t array_size = ARRAY_SIZE(tc_dpe_metadata);
+
 	/* Initialize the communication channel between AP and RSE */
 	(void)rse_comms_init(PLAT_RSE_AP_SND_MHU_BASE,
 			     PLAT_RSE_AP_RCV_MHU_BASE);
 
+#if defined(SPD_spmd)
+	for (i = 0U; i < array_size; i++) {
+		if (tc_dpe_metadata[i].id != SP_PKG1_ID) {
+			continue;
+		}
+
+		if ((i + NUM_SP > array_size) || (i - 1 + NUM_SP < 0)) {
+			ERROR("Secure partition number is out-of-range\n");
+			ERROR("  Non-Secure partition number: %ld\n", i);
+			ERROR("  Secure partition number: %d\n", NUM_SP);
+			ERROR("  Metadata array size: %ld\n", array_size);
+			panic();
+		}
+
+		/* Finalize the certificate on the last secure partition */
+		tc_dpe_metadata[i - 1 + NUM_SP].create_certificate = true;
+		break;
+	}
+#endif
+
 	dpe_init(tc_dpe_metadata);
 }