Date: Mon, 16 Dec 2024 18:17:50 +0100
To: Robert Schwebel
References: <20241213095955.3308105-1-a.fatoum@pengutronix.de>
From: Ahmad Fatoum
Subject: Re: [DistroKit] [PATCH] reason: silence reason warning about CFG_INSECURE being set
Cc: Michael Olbrich , distrokit@pengutronix.de

On 16.12.24 15:10, Robert Schwebel wrote:
> On Fri, Dec 13, 2024 at 10:59:55AM +0100, Ahmad Fatoum wrote:
>> In actual products, CFG_INSECURE should be disabled after we verify
>> the configuration to be secure. DistroKit uses OP-TEE only on STM32MP13
>> and not for security, but for power management, so we'll just override
>> the option and live with the boot-time warning.
>>
>> Reported-by: Michael Olbrich
>> Signed-off-by: Ahmad Fatoum
>
> Applied to next

Please drop again. We only need this override with newer OP-TEE versions. This will likely be the case with PTXdist v2025.01.0, but for now it's not needed.

Thanks,
Ahmad

> >> --- >> configs/platform-v7a/bsp.ref | 8 ++++++++ >> 1 file changed, 8 insertions(+) >> >> diff --git a/configs/platform-v7a/bsp.ref b/configs/platform-v7a/bsp.ref >> index 169e555df53a..bda4db20af2c 100644 >> --- a/configs/platform-v7a/bsp.ref >> +++ b/configs/platform-v7a/bsp.ref 
>> @@ -9,4 +9,12 @@ optee_disabled_features: >> - CFG_ENABLE_EMBEDDED_TESTS >> - CFG_TEE_CORE_TA_TRACE >> >> +optee_security_warning_disabled: >> + description: | >> + OP-TEE is used as secure monitor on STM32MP13x providing power >> + management and clock/reset control support. We don't use it as >> + part of a trusted boot setup, so it's apt for OP-TEE to warn >> + about this at startup and thus we'll keep CFG_INSECURE enabled. >> + value: True >> + >> # vim: filetype=yaml shiftwidth=2 expandtab >> -- >> 2.39.5 > -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
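
Review bot: the description in the added optee_security_warning_disabled entry justifies keeping CFG_INSECURE enabled only for STM32MP13x, yet the entry lives in configs/platform-v7a/bsp.ref rather than in anything specific to that SoC. Suggest saying in the description that the override has to be revisited as soon as OP-TEE in this BSP becomes part of a trusted boot setup, so that `value: True` does not quietly carry over to a configuration where an insecure OP-TEE build matters. The key name also reads as if OP-TEE's own warning were switched off, while the description says the startup warning stays; one sentence stating that only the reason check is silenced and the boot-time warning remains would remove that ambiguity.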