Add support to enable secure boot on rk3588 SoCs via the Rockchip Secure Boot PTA [0].
The OTP fuses for the secure boot configuration are only accessible from the secure world. Therefore, the actual hardware access is implemented in the aforementioned PTA. Thus, barebox is only able to enable secure boot, if this PTA is available. Patch 1 adds a helper script to calculate the Public Root Key hash, that needs to be burned into the OTP fuses. The script accepts a PEM file containing an RSA (public) key or an already signed rkimage, from which the key is extracted. Patch 2 adds a driver that interacts with the Rockchip Secure Boot PTA. The API header between the PTA and the driver has been copied from OP-TEE. Patch 3 adds a shell command that a user may use to actually interact with the PTA. The command options are inspired by the options for the i.MX hab command. This series is an RFC, because the Rockchip Secure Boot PTA is not merged into OP-TEE, yet. [0] https://github.com/OP-TEE/optee_os/pull/7661 Signed-off-by: Michael Tretter <[email protected]> --- Michael Tretter (3): scripts: rockchip: add script to calculate key hash tee: drivers: add driver for Rockchip Secure Boot PTA commands: implement rksecure command commands/Kconfig | 9 ++ commands/Makefile | 1 + commands/rksecure.c | 155 ++++++++++++++++++++++++++ drivers/tee/optee/Kconfig | 7 ++ drivers/tee/optee/Makefile | 1 + drivers/tee/optee/pta_rk_secure_boot.h | 48 ++++++++ drivers/tee/optee/rksecure.c | 196 +++++++++++++++++++++++++++++++++ include/rk_secure_boot.h | 21 ++++ scripts/rk-otp.sh | 70 ++++++++++++ 9 files changed, 508 insertions(+) --- base-commit: f4e96a91debc5fadc5d6280505dea72dbdafe257 change-id: 20260105-rockchip-secure-boot-bd2fa07bcc03 Best regards, -- Michael Tretter <[email protected]>
