[Librem-5-dev] Plans for boot flow / secure world

Andy Green andy at warmcat.com
Fri Dec 28 17:13:52 PST 2018


Hi -

iMX8 has boot support in Arm Trusted Firmware

https://github.com/ARM-software/arm-trusted-firmware/tree/master/plat/imx

I'm wondering what the plans / goals for boot, trustzone and TEE on the 
final product are.  One way to look at it is that you need a TEE to 
support some applications that are coming that are split between a 
regular application and a TA.  Another equally valid way to look at it 
is this simply enables "trusted" (by whom...) code to mess with your 
device at a low level.  So I am curious about the approach.

OP-TEE has support up to imx7 from a quick look

https://github.com/OP-TEE/optee_os/tree/master/core/arch/arm/plat-imx

so probably not a huge amount needed there.

 From the boot console at the moment, either ATF is silent or not 
present, presumably the latter.

ATF has some advantages that it can provide chain-of-trust boot for 
Secure World TEE as you would expect, but also with some minor 
modifications it can boot a Linux image directly from the signed BL3 
payload.

However it needs both some support from NXP in terms of disclosing the 
trustzone implementation a bit, and ultimately how to read keys from 
fuses etc to actually make it secure.

-Andy


More information about the Librem-5-dev mailing list