Message-ID: <791fbb47-5af2-4d9a-a67b-022e6c96a94e@pengutronix.de>
Date: Mon, 24 Mar 2025 19:40:37 +0100
From: Ahmad Fatoum
To: Robert Schwebel
Cc: Michael Olbrich, distrokit@pengutronix.de
Subject: Re: [DistroKit] [PATCH] reason: silence reason warning about CFG_INSECURE being set
References: <20241213095955.3308105-1-a.fatoum@pengutronix.de>

Hello Robert,

On 16.12.24 18:17, Ahmad Fatoum wrote:
> On 16.12.24 15:10, Robert Schwebel wrote:
>> On Fri, Dec 13, 2024 at 10:59:55AM +0100, Ahmad Fatoum wrote:
>>> In actual products, CFG_INSECURE should be disabled after we verify
>>> the configuration to be secure. DistroKit uses OP-TEE only on STM32MP13
>>> and not for security, but for power management, so we'll just override
>>> the option and live with the boot-time warning.
>>>
>>> Reported-by: Michael Olbrich
>>> Signed-off-by: Ahmad Fatoum
>>
>> Applied to next
>
> Please drop again. We only need this override with newer OP-TEE versions.
> This will likely be the case with PTXdist v2025.01.0, but for now it's
> not needed.

With the v2025.03 bump now in next, can you cherry-pick this patch to next as well?

Thanks,
Ahmad

>
> Thanks,
> Ahmad
>
>>
>>> ---
>>> configs/platform-v7a/bsp.ref | 8 ++++++++
>>> 1 file changed, 8 insertions(+)
>>>
>>> diff --git a/configs/platform-v7a/bsp.ref b/configs/platform-v7a/bsp.ref
>>> index 169e555df53a..bda4db20af2c 100644
>>> --- a/configs/platform-v7a/bsp.ref
>>> +++ b/configs/platform-v7a/bsp.ref
>>> @@ -9,4 +9,12 @@ optee_disabled_features:
>>> - CFG_ENABLE_EMBEDDED_TESTS
>>> - CFG_TEE_CORE_TA_TRACE
>>>
>>> +optee_security_warning_disabled:
>>> + description: |
>>> + OP-TEE is used as secure monitor on STM32MP13x providing power
>>> + management and clock/reset control support. We don't use it as
>>> + part of a trusted boot setup, so it's apt for OP-TEE to warn
>>> + about this at startup and thus we'll keep CFG_INSECURE enabled.
>>> + value: True
>>> +
>>> # vim: filetype=yaml shiftwidth=2 expandtab
>>> --
>>> 2.39.5
>>
>
>

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
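Review bot: the description added under optee_security_warning_disabled reads as if it were the OP-TEE startup warning that is being disabled ("it's apt for OP-TEE to warn about this at startup and thus we'll keep CFG_INSECURE enabled"), whereas the commit message says the override only silences the reason warning and DistroKit will "live with the boot-time warning". Suggest rewording the description to state that explicitly, e.g. "This entry only silences the reason check for CFG_INSECURE; OP-TEE still warns at boot." It would also help to carry the commit message's caveat into the description itself, since that is what a reader of bsp.ref will see: "In actual products, CFG_INSECURE should be disabled after we verify the configuration to be secure."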