feat(stm32mp1): add a check on TRUSTED_BOARD_BOOT with secure chip

Add a security check to enforce the usage of TRUSTED_BOARD_BOOT on closed device. It will guarantee the secure bootchain. Change-Id: Id6120d0e5041e8f2d3866e5710876ec96b6d0216 Signed-off-by: Lionel Debieve <lionel.debieve@foss.st.com>
2025-04-16 09:34:18 +00:00 · 2022-10-05 16:52:09 +02:00 · 2022-10-05 16:52:09 +02:00 · 54007c37d5
commit 54007c37d5
parent cd791164a9
1 changed files with 8 additions and 0 deletions
--- a/plat/st/stm32mp1/bl2_plat_setup.c
+++ b/plat/st/stm32mp1/bl2_plat_setup.c
@ -341,6 +341,14 @@ void bl2_el3_plat_arch_setup(void)
 	}

 skip_console_init:
+#if !TRUSTED_BOARD_BOOT
+	if (stm32mp_is_closed_device()) {
+		/* Closed chip mandates authentication */
+		ERROR("Secure chip: TRUSTED_BOARD_BOOT must be enabled\n");
+		panic();
+	}
+#endif
+
 	if (fixed_regulator_register() != 0) {
 		panic();
 	}