From 99080bd1273331007f0b2d6f64fed51ac6861bcd Mon Sep 17 00:00:00 2001
From: Yann Gautier <yann.gautier@foss.st.com>
Date: Mon, 16 Aug 2021 11:58:01 +0200
Subject: [PATCH] fix(plat/st): apply security at the end of BL2

Now that the DDR is mapped secured, the security settings (TZC400
firewall) have to be applied at the end of BL2 for the OP-TEE case.
This is required to avoid checskum computation error on U-Boot binary,
for which MMU and TZC400 would not be aligned.

Change-Id: I4a364f7117960e8fae1b579f341b9f140b766ea6
Signed-off-by: Yann Gautier <yann.gautier@foss.st.com>
---
 plat/st/stm32mp1/bl2_plat_setup.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/plat/st/stm32mp1/bl2_plat_setup.c b/plat/st/stm32mp1/bl2_plat_setup.c
index 3e179fbbf..b4c42fc06 100644
--- a/plat/st/stm32mp1/bl2_plat_setup.c
+++ b/plat/st/stm32mp1/bl2_plat_setup.c
@@ -153,8 +153,6 @@ void bl2_platform_setup(void)
 
 #ifdef AARCH32_SP_OPTEE
 	INFO("BL2 runs OP-TEE setup\n");
-	/* Initialize tzc400 after DDR initialization */
-	stm32mp1_security_setup();
 #else
 	INFO("BL2 runs SP_MIN setup\n");
 #endif
@@ -384,4 +382,9 @@ int bl2_plat_handle_post_image_load(unsigned int image_id)
 
 	return err;
 }
+
+void bl2_el3_plat_prepare_exit(void)
+{
+	stm32mp1_security_setup();
+}
 #endif