[nrf fromtree] tfm: Enforce initial attestation with required key provisioned

Enforce that the initial attestation partition has the required
initial attestation key provisioned.

If the initial attestation key (IAK) is not present during boot of
TF-M the system will panic during initialization.

Signed-off-by: Joakim Andersson <[email protected]>
(cherry picked from commit 2687376)

Author: joerchan

boards/arm/b_u585i_iot02a/Kconfig.defconfig

@@ -22,6 +22,10 @@ config SYS_CLOCK_TICKS_PER_SEC
 
 if BUILD_WITH_TFM
 
+# Initial Attestation key provisioned by the BL1 bootloader
+config TFM_INITIAL_ATTESTATION_KEY
+	default y
+
 config TFM_DUMMY_PROVISIONING
 	default n
 

modules/trusted-firmware-m/Kconfig.tfm

@@ -179,6 +179,7 @@ config TFM_PARTITION_PLATFORM_CUSTOM_REBOOT
 
 config TFM_DUMMY_PROVISIONING
 	bool "Provision with dummy values. NOT to be used in production"
+	select TFM_INITIAL_ATTESTATION_KEY
 	default y
 	help
 	  If this option is enabled (as it is by default), a set of dummy
@@ -188,6 +189,13 @@ config TFM_DUMMY_PROVISIONING
 	  This option MUST not be used in production hardware, as the keys are
 	  insecure.
 
+config TFM_INITIAL_ATTESTATION_KEY
+	bool
+	help
+	  Hidden option to mark that the TF-M platform has an initial
+	  attestation key, which is a requirement for the Initial Attestation
+	  partition.
+
 config TFM_BL2_NOT_SUPPORTED
 	bool
 	help

modules/trusted-firmware-m/Kconfig.tfm.partitions

@@ -44,6 +44,7 @@ config TFM_PARTITION_CRYPTO
 config TFM_PARTITION_INITIAL_ATTESTATION
 	bool "Secure partition 'Initial Attestation'"
 	depends on TFM_PARTITION_CRYPTO
+	depends on TFM_INITIAL_ATTESTATION_KEY
 	default n
 	help
 	  Setting this option will cause '-DTFM_PARTITION_INITIAL_ATTESTATION'