Index: install_linux_fw_uuu.sh
===================================================================
diff -u -r58b5d8853668a5ff7d8a5a4f59510b55edd2bc76 -r53ac5d316a30e4bc20855db9a40220503058922d
--- install_linux_fw_uuu.sh (.../install_linux_fw_uuu.sh) (revision 58b5d8853668a5ff7d8a5a4f59510b55edd2bc76)
+++ install_linux_fw_uuu.sh (.../install_linux_fw_uuu.sh) (revision 53ac5d316a30e4bc20855db9a40220503058922d)
@@ -1,7 +1,7 @@
 #!/bin/sh
 #===============================================================================
 #
-# Copyright (C) 2020-2024 by Digi International Inc.
+# Copyright (C) 2020-2025 by Digi International Inc.
 # All rights reserved.
 #
 # This program is free software; you can redistribute it and/or modify it
@@ -27,6 +27,15 @@
 uuu -v fb: ucmd printenv "${1}" | sed -ne "s,^${1}=,,g;T;p"
 }
+# Grep for string in command output
+# Params:
+# 1. Command
+# 2. String to grep
+grep_string()
+{
+ uuu -v fb: ucmd ${1} | grep "${2}"
+}
+
 show_usage()
 {
 echo "Usage: $0 [options]"
@@ -42,7 +51,6 @@
 echo " -k Update includes dek file."
 echo " (implies -t)."
 echo " -n No wait. Skips 10 seconds delay to stop script."
- echo " -t Install TrustFence artifacts."
 echo " -u U-Boot filename."
 echo " Auto-determined by variant if not provided."
 exit 2
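Review bot: In `grep_string` (hunk `@@ -27,6 +27,15 @@`), `${1}` is expanded unquoted and `${2}` is handed to grep as a regular expression, and the header comment explains neither. If the unquoted expansion is intentional so that a multi-word U-Boot command such as `trustfence status` is split into separate arguments, say so, e.g. `# 1. Command (left unquoted on purpose so it is split into words)`. For the pattern, `grep -F -- "${2}"` would match the string literally and tolerate a leading dash. The function also returns only grep's exit status, so a failed `uuu` call looks the same as "no match" to the caller; that deserves a line in the comment as well.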
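Review bot: The `-k` help text in `show_usage` still prints `(implies -t).` after the `@@ -42,7 +51,6 @@` hunk removes the `-t` line, so the usage output refers to an option that no longer exists. Drop that `echo`, or reword it to describe what `-k` now needs, for example `echo " (used only with an encrypted U-Boot image)."` if that matches the intended behaviour. show_usage starts outside the hunk.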
@@ -61,23 +69,27 @@
 echo "====================================================================================="
 echo "\033[0m"
- if [ "${TRUSTFENCE}" = "true" ] && [ "${1}" = "bootloader" ]; then
- uuu fb: download -f "${2}"
- if [ -n "${DEK_FILE}" ]; then
- uuu fb: ucmd setenv uboot_size \${filesize}
- uuu fb: ucmd setenv fastboot_buffer \${initrd_addr}
- uuu fb: download -f "${3}"
- uuu fb: ucmd setenv dek_size \${filesize}
- uuu fb: ucmd trustfence update ram \${loadaddr} \${uboot_size} \${initrd_addr} \${dek_size}
+ if [ "${1}" = "bootloader" ]; then
+ if [ "${ENCRYPTED}" = "true" ]; then
+ uuu fb: download -f "${2}"
+ if [ -n "${DEK_FILE}" ]; then
+ # Encrypted bootloader + dek
+ uuu fb: ucmd setenv uboot_size \${filesize}
+ uuu fb: ucmd setenv fastboot_buffer \${initrd_addr}
+ uuu fb: download -f "${3}"
+ uuu fb: ucmd setenv dek_size \${filesize}
+ uuu fb: ucmd trustfence update ram \${loadaddr} \${uboot_size} \${initrd_addr} \${dek_size}
+ else
+ # Encrypted bootloader (re-use existing dek)
+ uuu fb: ucmd trustfence update ram \${fastboot_buffer} \${fastboot_bytes}
+ fi
 else
- uuu fb: ucmd trustfence update ram \${fastboot_buffer} \${fastboot_bytes}
- fi
- else
- if [ "${1}" = "bootloader" ]; then
+ # Non-encrypted bootloader (can be signed or not)
 uuu fb: flash "${1}" "${2}"
- else
- uuu fb: flash -raw2sparse "${1}" "${2}"
 fi
+ else
+ # Non-bootloader image
+ uuu fb: flash -raw2sparse "${1}" "${2}"
 fi
 }
@@ -91,7 +103,7 @@
 # -i
 # -u
 # -k
-while getopts ':bdhi:k:ntu:' c
+while getopts ':bdhi:k:nu:' c
 do
 if [ "${c}" = ":" ]; then
 c="${OPTARG}"
@@ -105,9 +117,8 @@
 d) INSTALL_DUALBOOT=true && BOOTCOUNT=true ;;
 h) show_usage ;;
 i) IMAGE_NAME=${OPTARG} ;;
- k) DEK_FILE=${OPTARG} && TRUSTFENCE=true ;;
+ k) DEK_FILE=${OPTARG} ;;
 n) NOWAIT=true ;;
- t) TRUSTFENCE=true ;;
 u) INSTALL_UBOOT_FILENAME=${OPTARG} ;;
 esac
 done
@@ -121,9 +132,6 @@
 DUALBOOT=true;
 fi
-# remove redirect
-uuu fb: ucmd setenv stdout serial
-
 echo ""
 echo "Determining image files to use..."
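Review bot: After this rewrite (hunk `@@ -61,23 +69,27 @@`) the DEK file from `-k` is read only inside the `ENCRYPTED` branch, and the `k)` arm in the `@@ -105,9 +117,8 @@` hunk no longer forces the TrustFence path. A `-k` given with a bootloader that is not detected as encrypted is therefore dropped without any message, and the image goes through the plain `uuu fb: flash` branch. A check placed after the signed/encrypted detection would make the mismatch visible: `if [ -n "${DEK_FILE}" ] && [ "${ENCRYPTED}" != "true" ]; then echo "-k needs an encrypted U-Boot image"; exit 1; fi`. The function this hunk edits starts outside the hunk.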
@@ -132,11 +140,43 @@
 INSTALL_UBOOT_FILENAME="imx-boot-ccimx8mm-dvk.bin"
 fi
+# Determine if bootloader is signed and/or encrypted
+if echo "$INSTALL_UBOOT_FILENAME" | grep -q -e "signed"; then
+ SIGNED=true
+fi
+if echo "$INSTALL_UBOOT_FILENAME" | grep -q -e "encrypted"; then
+ ENCRYPTED=true
+fi
+
+if [ "${ENCRYPTED}" = "true" ]; then
+ tf_status=$(grep_string "trustfence status" "Secure boot:")
+ if echo "${tf_status}" | grep -q -e "OPEN"; then
+ echo "\033[93m"
+ echo "WARNING!"
+ echo "You are trying to program encrypted images but the device status is OPEN."
+ echo "An OPEN device requires manual procedure for installing an encrypted bootloader,"
+ echo "programming the secure keys, and closing the device."
+ echo "Continuing would result in a non-secure setup or a non-bootable device after the"
+ echo "close operation."
+ echo ""
+ echo "Check the online documentation for manual steps at:"
+ echo "https://docs.digi.com/resources/documentation/digidocs/embedded/trustfence_home.html"
+ echo ""
+ echo "You can run this installer to program encrypted artifacts when the device has been closed."
+ echo "\033[0m"
+ echo "Exiting."
+ exit 1
+ fi
+fi
+
+# remove redirect
+uuu fb: ucmd setenv stdout serial
+
 # Determine linux, recovery, and rootfs image filenames to update
 if [ -z "${IMAGE_NAME}" ]; then
 IMAGE_NAME="dey-image-qt"
 fi
-GRAPHICAL_IMAGES="dey-image-crank dey-image-qt dey-image-webkit dey-image-lvgl"
+GRAPHICAL_IMAGES="dey-image-qt dey-image-webkit dey-image-lvgl"
 for g in ${GRAPHICAL_IMAGES}; do
 if [ "${IMAGE_NAME}" = "${g}" ]; then
 BASEFILENAME="${IMAGE_NAME}-fb"
@@ -329,7 +369,7 @@
 fi
 # Enable the enable the touchscreen support
-uuu fb: ucmd setenv overlays _ov_board_lvds_ccimx8m-dvk.dtbo
+uuu fb: ucmd setenv overlays leahi-display.dtbo
 # Save the U-Boot environment variables
 uuu fb: ucmd saveenv
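Review bot: The TrustFence check added in hunk `@@ -132,11 +140,43 @@` fails open: it stops only when the captured line contains `OPEN`, so an empty `tf_status` (the `uuu` call failed, or no `Secure boot:` line was printed) lets the installer continue with encrypted images. Since the warning text itself says this can end in a non-bootable device, stop when the status cannot be read, before the `OPEN` test: `if [ -z "${tf_status}" ]; then echo "Cannot read TrustFence status."; exit 1; fi`. `SIGNED` and `ENCRYPTED` are also derived from a substring match on the whole `-u` value and are not initialised in the visible lines, so a directory name containing `encrypted`, or a variable inherited from the environment, could select this path. Matching on the file's basename and starting from `ENCRYPTED=false` would be tighter.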