[Librem-5-dev] Plans for boot flow / secure world

Angus Ainslie angus.ainslie at puri.sm
Sun Dec 30 07:34:04 PST 2018


Hi Andy,

On 2018-12-28 5:13 p.m., Andy Green via Librem-5-dev wrote:
> Hi -
>
> iMX8 has boot support in Arm Trusted Firmware
>
> https://github.com/ARM-software/arm-trusted-firmware/tree/master/plat/imx
>
> I'm wondering what the plans / goals for boot, trustzone and TEE on
> the final product are.  One way to look at it is that you need a TEE
> to support some applications that are coming that are split between a
> regular application and a TA.  Another equally valid way to look at it
> is this simply enables "trusted" (by whom...) code to mess with your
> device at a low level.  So I am curious about the approach.
>
> OP-TEE has support up to imx7 from a quick look
>
> https://github.com/OP-TEE/optee_os/tree/master/core/arch/arm/plat-imx
>
> so probably not a huge amount needed there.
>
> From the boot console at the moment, either ATF is silent or not
> present, presumably the latter.
>
ATF is being installed as part of the u-boot/build install

https://source.puri.sm/Librem5/image-builder/blob/master/build/build_uboot.sh#L111

Angus


> ATF has some advantages that it can provide chain-of-trust boot for
> Secure World TEE as you would expect, but also with some minor
> modifications it can boot a Linux image directly from the signed BL3
> payload.
>
> However it needs both some support from NXP in terms of disclosing the
> trustzone implementation a bit, and ultimately how to read keys from
> fuses etc to actually make it secure.
>
> -Andy
> _______________________________________________
> Librem-5-dev mailing list
> Librem-5-dev at lists.community.puri.sm
> https://lists.community.puri.sm/listinfo/librem-5-dev
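To make the chain-of-trust boot that Andy refers to concrete, here is an added example that is not part of the thread, ATF, or the Librem 5 build: a simplified Python model in which every boot stage embeds a hash of the next stage's image, and the hash of the very first stage stands in for the value that would live in ROM or fuses. Stage names (BL2, BL31, BL32, BL33) follow the ATF naming Andy uses; the payload bytes are constructed sample data, and the hash-only scheme is an assumption that stands in for the certificate and key verification a real implementation performs.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


@dataclass(frozen=True)
class Stage:
    """One boot stage: its own code plus the reference hash of its successor."""
    name: str
    payload: bytes                 # constructed sample bytes standing in for the stage image
    next_hash: Optional[bytes]     # hash of the next stage, embedded in this stage's image

    def image(self) -> bytes:
        # The measured image covers the embedded reference hash as well, so the
        # reference cannot be swapped without changing this stage's own hash.
        return self.payload + (self.next_hash or b"")


def build_chain(payloads: List[Tuple[str, bytes]]) -> Tuple[bytes, List[Stage]]:
    """Build stages last-to-first so each one embeds the hash of its successor.

    Returns (root_hash, stages). root_hash is the hash of the first stage; in a
    real device it would have to come from immutable storage (boot ROM / fuses),
    which is the part Andy notes still needs NXP's cooperation.
    """
    stages: List[Stage] = []
    next_hash: Optional[bytes] = None
    for name, payload in reversed(payloads):
        stage = Stage(name, payload, next_hash)
        next_hash = sha256(stage.image())
        stages.append(stage)
    stages.reverse()
    assert next_hash is not None
    return next_hash, stages


def verify_boot(root_hash: bytes, stages: List[Stage]) -> Tuple[bool, Optional[str]]:
    """Walk the chain as a boot ROM would: check each stage before handing off.

    Returns (True, None) on success or (False, <stage name>) at the first stage
    whose image does not match the reference hash held by its predecessor.
    """
    expected = root_hash
    for stage in stages:
        if sha256(stage.image()) != expected:
            return False, stage.name
        expected = stage.next_hash
    return True, None


def tamper(stages: List[Stage], name: str, new_payload: bytes) -> List[Stage]:
    """Return a copy of the chain with one stage's code replaced (references kept)."""
    return [Stage(s.name, new_payload, s.next_hash) if s.name == name else s
            for s in stages]


# Constructed sample chain mirroring the ATF stage names from the thread.
SAMPLE_PAYLOADS = [
    ("BL2", b"bl2: secondary boot loader (sample)"),
    ("BL31", b"bl31: EL3 runtime firmware (sample)"),
    ("BL32", b"bl32: OP-TEE secure payload (sample)"),
    ("BL33", b"bl33: u-boot / linux normal-world payload (sample)"),
]
ROOT_HASH, STAGES = build_chain(SAMPLE_PAYLOADS)


def demo() -> dict:
    """Exercise the model: a clean boot and two tampered images."""
    return {
        "clean": verify_boot(ROOT_HASH, STAGES),
        "bl33_replaced": verify_boot(ROOT_HASH, tamper(STAGES, "BL33", b"unsigned kernel")),
        "bl2_replaced": verify_boot(ROOT_HASH, tamper(STAGES, "BL2", b"patched bl2")),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Because each stage's measured image includes the reference hash it carries, an attacker who swaps the normal-world payload must also rewrite the reference in BL32, which in turn changes BL32's hash and is caught one stage earlier; the only way to slip a modified chain past this check is to control the root hash itself, which is exactly why it has to sit in fuses or ROM rather than anywhere u-boot can write.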

