From: Michael Tretter <m.tretter@pengutronix.de>
To: Sascha Hauer <s.hauer@pengutronix.de>,
BAREBOX <barebox@lists.infradead.org>
Cc: Michael Tretter <m.tretter@pengutronix.de>
Subject: [PATCH RFC 0/3] ARM: rockchip: add rockchip secure boot
Date: Mon, 05 Jan 2026 15:32:30 +0100
Message-ID: <20260105-rockchip-secure-boot-v1-0-eaf5053a7d7e@pengutronix.de>
Add support to enable secure boot on rk3588 SoCs via the Rockchip Secure
Boot PTA [0].

The OTP fuses for the secure boot configuration are only accessible from
the secure world. Therefore, the actual hardware access is implemented
in the aforementioned PTA. Thus, barebox is only able to enable secure
boot if this PTA is available.

Patch 1 adds a helper script to calculate the Public Root Key hash that
needs to be burned into the OTP fuses. The script accepts a PEM file
containing an RSA (public) key or an already signed rkimage, from which
the key is extracted.

Patch 2 adds a driver that interacts with the Rockchip Secure Boot PTA.
The API header between the PTA and the driver has been copied from
OP-TEE.

Patch 3 adds a shell command that a user may use to actually interact
with the PTA. The command options are inspired by the options for the
i.MX hab command.

This series is an RFC, because the Rockchip Secure Boot PTA is not
merged into OP-TEE yet.
[0] https://github.com/OP-TEE/optee_os/pull/7661
Signed-off-by: Michael Tretter <m.tretter@pengutronix.de>
---
Michael Tretter (3):
scripts: rockchip: add script to calculate key hash
tee: drivers: add driver for Rockchip Secure Boot PTA
commands: implement rksecure command
commands/Kconfig | 9 ++
commands/Makefile | 1 +
commands/rksecure.c | 155 ++++++++++++++++++++++++++
drivers/tee/optee/Kconfig | 7 ++
drivers/tee/optee/Makefile | 1 +
drivers/tee/optee/pta_rk_secure_boot.h | 48 ++++++++
drivers/tee/optee/rksecure.c | 196 +++++++++++++++++++++++++++++++++
include/rk_secure_boot.h | 21 ++++
scripts/rk-otp.sh | 70 ++++++++++++
9 files changed, 508 insertions(+)
---
base-commit: f4e96a91debc5fadc5d6280505dea72dbdafe257
change-id: 20260105-rockchip-secure-boot-bd2fa07bcc03
Best regards,
--
Michael Tretter <m.tretter@pengutronix.de>
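Added illustration, not part of this series and not barebox's scripts/rk-otp.sh: the cover letter describes deriving a Public Root Key hash from a PEM-encoded RSA public key so it can be compared with (or burned into) OTP. The block below parses such a PEM with a small stdlib-only DER reader, derives a hash, and checks a candidate key against a stored OTP value. The byte layout hashed (big-endian modulus followed by a 4-byte exponent) is an assumption chosen for illustration; the layout the rk3588 OTP and the series' script actually use is not reproduced here. The sample modulus is constructed, not a real key.

```python
"""Added illustration (not barebox's scripts/rk-otp.sh): extract an RSA public
key from a PEM file with a minimal DER parser, derive a root-key hash from it,
and check a candidate key against a hash that would live in OTP."""
import base64
import hashlib
import hmac

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


# --- minimal DER helpers (enough for RSA public keys) -----------------------

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(v: int) -> bytes:
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:  # keep the INTEGER positive
        b = b"\x00" + b
    return _der_tlv(0x02, b)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, next_pos) for the TLV starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


# --- PEM <-> (n, e) ---------------------------------------------------------

def rsa_public_key_pem(n: int, e: int, pkcs1: bool = False) -> str:
    """Encode (n, e) as PEM: SubjectPublicKeyInfo by default, PKCS#1 on request."""
    inner = _der_tlv(0x30, _der_int(n) + _der_int(e))
    if pkcs1:
        der, label = inner, "RSA PUBLIC KEY"
    else:
        alg = _der_tlv(0x30, _der_tlv(0x06, RSA_OID) + b"\x05\x00")
        der, label = _der_tlv(0x30, alg + _der_tlv(0x03, b"\x00" + inner)), "PUBLIC KEY"
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def parse_rsa_public_key(pem: str):
    """Return (n, e) from a PEM holding either SubjectPublicKeyInfo or PKCS#1."""
    body = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    der = base64.b64decode(body)
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    first_tag, first, pos = _read_tlv(seq, 0)
    if first_tag == 0x30:  # AlgorithmIdentifier first -> SubjectPublicKeyInfo
        oid_tag, oid, _ = _read_tlv(first, 0)
        if oid_tag != 0x06 or oid != RSA_OID:
            raise ValueError("not an RSA key")
        bs_tag, bitstr, _ = _read_tlv(seq, pos)
        if bs_tag != 0x03 or bitstr[0] != 0:
            raise ValueError("malformed BIT STRING")
        _, seq, _ = _read_tlv(bitstr[1:], 0)  # inner PKCS#1 RSAPublicKey
        first_tag, first, pos = _read_tlv(seq, 0)
    if first_tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    e_tag, e_bytes, _ = _read_tlv(seq, pos)
    if e_tag != 0x02:
        raise ValueError("expected INTEGER exponent")
    return int.from_bytes(first, "big"), int.from_bytes(e_bytes, "big")


# --- root key hash (ASSUMED layout, see lead-in) ----------------------------

def root_key_hash(n: int, e: int) -> str:
    """SHA-256 over the big-endian modulus followed by a 4-byte big-endian
    exponent. This layout is an assumption for illustration only; the SoC's
    real OTP hash layout is defined by the vendor tooling, not here."""
    n_len = (n.bit_length() + 7) // 8
    return hashlib.sha256(n.to_bytes(n_len, "big") + e.to_bytes(4, "big")).hexdigest()


def key_matches_otp(pem: str, otp_hash_hex: str) -> bool:
    """Check a PEM key against the hash recorded in OTP (constant-time compare)."""
    n, e = parse_rsa_public_key(pem)
    return hmac.compare_digest(root_key_hash(n, e), otp_hash_hex.lower())


if __name__ == "__main__":
    # Constructed sample modulus (NOT a real key): 2048 bits with the top bit
    # set, so the DER INTEGER needs its leading 0x00 pad byte.
    sample_n = (1 << 2047) | 0x10001
    pem = rsa_public_key_pem(sample_n, 65537)
    print(root_key_hash(*parse_rsa_public_key(pem)))
```

The check in `key_matches_otp` is the defender-side use of such a hash: before fusing or when auditing a board, confirm that the key a signed image carries hashes to the value already in OTP, so a mismatched or stale signing key is caught before it is committed to irreversible fuses.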