This allows loading OP-TEE binaries from FIT images. The main benefit
from this approach comes from the fact that FIT images can be signed
and therefore it can be ensured that the TEE binary is not malicious.
A shortened .its file to make use of this patch might look like this:
images {
...
tee@1 {
description = "OP-TEE trusted OS";
data = /incbin/("...");
type = "tee";
arch = "arm";
compression = "none";
hash@1 {
algo = "sha256";
};
};
};
configurations {
default = "config-1";
config-1 {
description = "...";
kernel = "kernel@1";
fdt = "fdt@1;
tee = "tee@1";
signature-1 {
algo = "sha256,rsa4096";
key-name-hint = "FIT-4096";
sign-images = "kernel", "fdt", "tee";
};
}
Best regards,
Albert
Albert Schwarzkopf (1):
bootm: Allow loading OP-TEE from FIT image
arch/arm/lib32/bootm.c | 44 +++++++++++++++++++++++++++++++++++++-----
1 file changed, 39 insertions(+), 5 deletions(-)
--
2.17.1
_______________________________________________
barebox mailing list
[email protected]
http://lists.infradead.org/mailman/listinfo/barebox
