[PATCH 0/1] bootm: Allow loading OP-TEE from FIT image
Albert Schwarzkopf
a.schwarzkopf at phytec.de
Tue Sep 15 09:36:29 EDT 2020
This allows loading OP-TEE binaries from FIT images. The main benefit
from this approach comes from the fact that FIT images can be signed
and therefore it can be ensured that the TEE binary is not malicious.
A shortened .its file to make use of this patch might look like this:

    images {
        ...
        tee@1 {
            description = "OP-TEE trusted OS";
            data = /incbin/("...");
            type = "tee";
            arch = "arm";
            compression = "none";
            hash@1 {
                algo = "sha256";
            };
        };
    };
    configurations {
        default = "config-1";
        config-1 {
            description = "...";
            kernel = "kernel@1";
            fdt = "fdt@1";
            tee = "tee@1";
            signature-1 {
                algo = "sha256,rsa4096";
                key-name-hint = "FIT-4096";
                /* "tee" is listed so the signature also covers the OP-TEE image */
                sign-images = "kernel", "fdt", "tee";
            };
        };
    };

Best regards,
Albert
Albert Schwarzkopf (1):
bootm: Allow loading OP-TEE from FIT image
arch/arm/lib32/bootm.c | 44 +++++++++++++++++++++++++++++++++++++-----
1 file changed, 39 insertions(+), 5 deletions(-)
--
2.17.1
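
The benefit described in the mail only holds if the configuration's signature actually covers the `tee` image. The following is an added example (not part of the original mail or of barebox) that lints an .its source for image references missing from `sign-images`. It assumes `sign-images` names the configuration properties whose images are signed, as in the snippet above; `IMAGE_PROPS`, the function names and the sample input are constructed for illustration.

```python
import re

# Constructed sample: config-1 follows the mail, config-2 omits "tee" from sign-images.
SAMPLE_ITS = '''
/dts-v1/;
/ {
    images {
        kernel@1 { data = /incbin/("zImage"); type = "kernel"; };
        fdt@1 { data = /incbin/("board.dtb"); type = "flat_dt"; };
        tee@1 { data = /incbin/("tee.bin"); type = "tee"; };
    };
    configurations {
        default = "config-1";
        config-1 {
            kernel = "kernel@1"; fdt = "fdt@1"; tee = "tee@1";
            signature-1 { algo = "sha256,rsa4096"; sign-images = "kernel", "fdt", "tee"; };
        };
        config-2 {
            kernel = "kernel@1"; fdt = "fdt@1"; tee = "tee@1";
            signature-1 { algo = "sha256,rsa4096"; sign-images = "kernel", "fdt"; };
        };
    };
};
'''
# Node opener | property assignment | node closer (strings containing ; { } are not handled).
TOKEN = re.compile(r'(/|[\w@,.#+-]+)\s*\{|([\w,.#+-]+)\s*=\s*([^;{}]*);|(\})\s*;?')
IMAGE_PROPS = ("kernel", "fdt", "ramdisk", "tee")  # assumed set of image references to check

def parse_nodes(text):
    """Parse the device-tree subset used by .its files into nested dicts."""
    root = {"props": {}, "nodes": {}}
    stack = [root]
    for name, prop, value, close in (m.groups() for m in TOKEN.finditer(text)):
        if name:
            stack.append(stack[-1]["nodes"].setdefault(name, {"props": {}, "nodes": {}}))
        elif prop:
            stack[-1]["props"][prop] = re.findall(r'"([^"]*)"', value)
        elif close and len(stack) > 1:
            stack.pop()
    return root["nodes"].get("/", root)

def unsigned_images(its_text):
    """Return {config name: [image properties that no signature node covers]}."""
    confs = parse_nodes(its_text)["nodes"].get("configurations", {}).get("nodes", {})
    report = {}
    for cname, conf in confs.items():
        covered = set()  # a signature node without sign-images is treated as covering nothing
        for sname, sig in conf["nodes"].items():
            if sname.startswith("signature"):
                covered.update(sig["props"].get("sign-images", []))
        missing = [p for p in IMAGE_PROPS if p in conf["props"] and p not in covered]
        if missing:
            report[cname] = missing
    return report
```

Run against the build's .its source before signing; a non-empty result means a configuration boots an image that its signature does not bind.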