MA-17144 Only do security check for rpmb key flashed boards

Only check the bootloader rollback index and trusty keyslot package
for rpmb key flashed boards.

Test: boots on boards without rpmb key.

Change-Id: I130e4d906c0f08d602eac820ec5612214e01ff55
Signed-off-by: Ji Luo <ji.luo@nxp.com>

1 files changed, 14 insertions, 10 deletions

diff --git a/lib/avb/fsl/fsl_avb_ab_flow.c b/lib/avb/fsl/fsl_avb_ab_flow.c
index de384eac7b..e56d350a0b 100644
--- a/lib/avb/fsl/fsl_avb_ab_flow.c
+++ b/lib/avb/fsl/fsl_avb_ab_flow.c
@@ -377,12 +377,14 @@ int mmc_load_image_raw_sector_dual_uboot(struct spl_image_info *spl_image,
 
 #if !defined(CONFIG_XEN) && defined(CONFIG_IMX_TRUSTY_OS)
 			/* Image loaded successfully, go to verify rollback index */
-			if (!ret)
-				ret = spl_verify_rbidx(mmc, &ab_data.slots[target_slot], spl_image);
+			if (rpmbkey_is_set()) {
+				if (!ret)
+					ret = spl_verify_rbidx(mmc, &ab_data.slots[target_slot], spl_image);
 
-			/* Copy rpmb keyslot to secure memory. */
-			if (!ret)
-				fill_secure_keyslot_package(&kp);
+				/* Copy rpmb keyslot to secure memory. */
+				if (!ret)
+					fill_secure_keyslot_package(&kp);
+			}
 #endif
 		}
 
@@ -457,12 +459,14 @@ int mmc_load_image_raw_sector_dual_uboot(struct spl_image_info *spl_image,
 
 #if !defined(CONFIG_XEN) && defined(CONFIG_IMX_TRUSTY_OS)
 			/* Image loaded successfully, go to verify rollback index */
-			if (!ret)
-				ret = spl_verify_rbidx(mmc, &ab_data.slots[target_slot], spl_image);
+			if (rpmbkey_is_set()) {
+				if (!ret)
+					ret = spl_verify_rbidx(mmc, &ab_data.slots[target_slot], spl_image);
 
-			/* Copy rpmb keyslot to secure memory. */
-			if (!ret)
-				fill_secure_keyslot_package(&kp);
+				/* Copy rpmb keyslot to secure memory. */
+				if (!ret)
+					fill_secure_keyslot_package(&kp);
+			}
 #endif
 		}