[PATCH RFC 0/3] ARM: rockchip: add rockchip secure boot
Michael Tretter
m.tretter at pengutronix.de
Mon Jan 5 06:32:30 PST 2026
Add support to enable secure boot on rk3588 SoCs via the Rockchip Secure
Boot PTA [0].
The OTP fuses for the secure boot configuration are only accessible from
the secure world. Therefore, the actual hardware access is implemented
in the aforementioned PTA. Thus, barebox is only able to enable secure
boot, if this PTA is available.
Patch 1 adds a helper script to calculate the Public Root Key hash, that
needs to be burned into the OTP fuses. The script accepts a PEM file
containing an RSA (public) key or an already signed rkimage, from which
the key is extracted.
Patch 2 adds a driver that interacts with the Rockchip Secure Boot PTA.
The API header between the PTA and the driver has been copied from
OP-TEE.
Patch 3 adds a shell command that a user may use to actually interact
with the PTA. The command options are inspired by the options for the
i.MX hab command.
This series is an RFC, because the Rockchip Secure Boot PTA is not
merged into OP-TEE, yet.
[0] https://github.com/OP-TEE/optee_os/pull/7661
Signed-off-by: Michael Tretter <m.tretter at pengutronix.de>
---
Michael Tretter (3):
scripts: rockchip: add script to calculate key hash
tee: drivers: add driver for Rockchip Secure Boot PTA
commands: implement rksecure command
commands/Kconfig | 9 ++
commands/Makefile | 1 +
commands/rksecure.c | 155 ++++++++++++++++++++++++++
drivers/tee/optee/Kconfig | 7 ++
drivers/tee/optee/Makefile | 1 +
drivers/tee/optee/pta_rk_secure_boot.h | 48 ++++++++
drivers/tee/optee/rksecure.c | 196 +++++++++++++++++++++++++++++++++
include/rk_secure_boot.h | 21 ++++
scripts/rk-otp.sh | 70 ++++++++++++
9 files changed, 508 insertions(+)
---
base-commit: f4e96a91debc5fadc5d6280505dea72dbdafe257
change-id: 20260105-rockchip-secure-boot-bd2fa07bcc03
Best regards,
--
Michael Tretter <m.tretter at pengutronix.de>
More information about the barebox
mailing list