From: Ahmad Fatoum To: distrokit@pengutronix.de Date: Fri, 13 Dec 2024 10:59:55 +0100 Message-Id: <20241213095955.3308105-1-a.fatoum@pengutronix.de> X-Mailer: git-send-email 2.39.5 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Subject: [DistroKit] [PATCH] reason: silence reason warning about CFG_INSECURE being set X-BeenThere: distrokit@pengutronix.de X-Mailman-Version: 2.1.29 Precedence: list List-Id: DistroKit Mailinglist List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Michael Olbrich , Ahmad Fatoum Sender: "DistroKit" X-SA-Exim-Connect-IP: 127.0.0.1 X-SA-Exim-Mail-From: distrokit-bounces@pengutronix.de X-SA-Exim-Scanned: No (on metis.whiteo.stw.pengutronix.de); SAEximRunCond expanded to false In actual products, CFG_INSECURE should be disabled after we verify the configuration to be secure. DistroKit uses OP-TEE only on STM32MP13 and not for security, but for power management, so we'll just override the option and live with the boot-time warning. Reported-by: Michael Olbrich Signed-off-by: Ahmad Fatoum --- configs/platform-v7a/bsp.ref | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/configs/platform-v7a/bsp.ref b/configs/platform-v7a/bsp.ref index 169e555df53a..bda4db20af2c 100644 --- a/configs/platform-v7a/bsp.ref +++ b/configs/platform-v7a/bsp.ref @@ -9,4 +9,12 @@ optee_disabled_features: - CFG_ENABLE_EMBEDDED_TESTS - CFG_TEE_CORE_TA_TRACE +optee_security_warning_disabled: + description: | + OP-TEE is used as secure monitor on STM32MP13x providing power + management and clock/reset control support. We don't use it as + part of a trusted boot setup, so it's apt for OP-TEE to warn + about this at startup and thus we'll keep CFG_INSECURE enabled. + value: True + # vim: filetype=yaml shiftwidth=2 expandtab -- 2.39.5
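Review bot: the description in the new optee_security_warning_disabled entry justifies keeping CFG_INSECURE enabled only for STM32MP13x, but the entry is added to configs/platform-v7a/bsp.ref with no visible scoping to that SoC, so it would also cover any later OP-TEE use on this platform. Consider adding a sentence to the description naming the condition under which the entry has to be dropped (OP-TEE becoming part of a trusted boot setup), so the silenced check gets revisited instead of inherited. The key name together with "value: True" can also be read as OP-TEE's own warning being turned off, while the description says the startup warning stays; stating in the description that only the reason warning is silenced would avoid that misreading.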