[Librem-5-dev] Plans for boot flow / secure world
Andy Green
andy at warmcat.com
Fri Dec 28 17:13:52 PST 2018
Hi -
iMX8 has boot support in Arm Trusted Firmware
https://github.com/ARM-software/arm-trusted-firmware/tree/master/plat/imx
I'm wondering what the plans / goals for boot, TrustZone and TEE on the
final product are. One way to look at it is that you need a TEE to
support some applications that are coming that are split between a
regular application and a TA. Another equally valid way to look at it
is that this simply enables "trusted" (by whom...) code to mess with your
device at a low level. So I am curious about the approach.
OP-TEE has support up to imx7, from a quick look:
https://github.com/OP-TEE/optee_os/tree/master/core/arch/arm/plat-imx
so probably not a huge amount is needed there.
From the boot console at the moment, either ATF is silent or not
present, presumably the latter.
ATF has some advantages in that it can provide chain-of-trust boot for
the Secure World TEE, as you would expect, but also, with some minor
modifications, it can boot a Linux image directly from the signed BL3
payload.
However, it needs both some support from NXP in terms of disclosing the
TrustZone implementation a bit, and ultimately how to read keys from
fuses etc. to actually make it secure.
-Andy