* [PATCH RFC 1/3] scripts: rockchip: add script to calculate key hash
2026-01-05 14:32 [PATCH RFC 0/3] ARM: rockchip: add rockchip secure boot Michael Tretter
@ 2026-01-05 14:32 ` Michael Tretter
2026-01-05 14:32 ` [PATCH RFC 2/3] tee: drivers: add driver for Rockchip Secure Boot PTA Michael Tretter
` (3 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Michael Tretter @ 2026-01-05 14:32 UTC (permalink / raw)
To: Sascha Hauer, BAREBOX; +Cc: Michael Tretter
The script calculates the key hash that needs to be written to the fuses
of a Rockchip rk3588 SoC to enable secure boot.
Signed-off-by: Michael Tretter <m.tretter@pengutronix.de>
---
scripts/rk-otp.sh | 70 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 70 insertions(+)
diff --git a/scripts/rk-otp.sh b/scripts/rk-otp.sh
new file mode 100755
index 000000000000..f059f74aa563
--- /dev/null
+++ b/scripts/rk-otp.sh
@@ -0,0 +1,70 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: GPL-2.0-only
+#
+# rk-otp.sh - Print the key hash that needs to be written to the OTP of a
+# Rockchip SoC to enable secure boot.
+
+set -e
+
+if [ "$#" -lt "1" ]; then
+ echo "Usage: $0 [FILE]>"
+ exit 1
+fi
+
+FILE=$1
+
+# Pad INPUT to SIZE bytes and reverse byte order
+pad_reverse () {
+ SIZE=$1
+ INPUT=$2
+
+ # A byte consists of two hex values
+ SIZE=$((SIZE * 2))
+
+ # Pad using sed since numbers are too large
+ PAD=$(printf "%0${SIZE}x" 0 | sed -nE "s/0{${#INPUT}}$/${INPUT}/p")
+
+ # TODO Replace bashism with POSIX sh
+ REVERSE=""
+ for (( i = 0; i < SIZE; i += 2 )); do
+ REVERSE+="${PAD:${SIZE} - 2 - $i:2}"
+ done
+
+ echo "$REVERSE"
+}
+
+rkss_read () {
+ RKSS=$1
+
+ # Extract the public key from the image
+ xxd -ps -s 512 -l 560 "$RKSS"
+}
+
+pem_read () {
+ PEM=$1
+
+ KEY=$(openssl rsa -in "$PEM" -pubin -modulus -text -noout)
+ # Extract size of key in bits
+ KEY_SIZE=$(echo "$KEY" | sed -nE 's/Public-Key: \(([0-9]+) bit\)/\1/p')
+
+ # Extract modulus as hex value
+ MODULUS=$(echo "$KEY" | sed -nE 's/Modulus=([0-9ABCDEF]+)/\1/p')
+ # Extract exponent and convert it to hex value
+ EXPONENT=$(echo "$KEY" | sed -nE 's/Exponent: ([0-9]+) (.*)/obase=16;\1/p' | BC_LINE_LENGTH=0 bc)
+ # Calculate acceleration factor as hex value
+ NP=$(echo "ibase=16;modulus=$MODULUS;ibase=A;obase=16;2 ^ ($KEY_SIZE + 132) / modulus" | BC_LINE_LENGTH=0 bc)
+
+ # Build the public key with padding in reverse byte order
+ pad_reverse 512 "$MODULUS"
+ pad_reverse 16 "$EXPONENT"
+ pad_reverse 32 "$NP"
+}
+
+if [ "$(head -c 4 "$FILE")" = "RKSS" ]; then
+ KEYHEX=$(rkss_read "$FILE")
+else
+ KEYHEX=$(pem_read "$FILE")
+fi
+
+# Convert hex format of public key to binary and calculate sha256 as hex
+echo "$KEYHEX" | xxd -r -p | sha256sum | sed -nE 's/([0-9abcdef]+).*/\1/p'
--
2.47.3
^ permalink raw reply [flat|nested] 6+ messages in thread* [PATCH RFC 2/3] tee: drivers: add driver for Rockchip Secure Boot PTA
2026-01-05 14:32 [PATCH RFC 0/3] ARM: rockchip: add rockchip secure boot Michael Tretter
2026-01-05 14:32 ` [PATCH RFC 1/3] scripts: rockchip: add script to calculate key hash Michael Tretter
@ 2026-01-05 14:32 ` Michael Tretter
2026-01-05 14:32 ` [PATCH RFC 3/3] commands: implement rksecure command Michael Tretter
` (2 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Michael Tretter @ 2026-01-05 14:32 UTC (permalink / raw)
To: Sascha Hauer, BAREBOX; +Cc: Michael Tretter
The OTP fuses for secure boot are only accessible from the secure world.
Therefore, burning the fuses has to be delegated to the Rockchip Secure
Boot PTA running in the secure world.
The alternative to burn the fuses while barebox is still in the secure
world prevents user interaction and costs a lot of flexibility.
Signed-off-by: Michael Tretter <m.tretter@pengutronix.de>
---
drivers/tee/optee/Kconfig | 7 ++
drivers/tee/optee/Makefile | 1 +
drivers/tee/optee/pta_rk_secure_boot.h | 48 ++++++++
drivers/tee/optee/rksecure.c | 196 +++++++++++++++++++++++++++++++++
include/rk_secure_boot.h | 21 ++++
5 files changed, 273 insertions(+)
diff --git a/drivers/tee/optee/Kconfig b/drivers/tee/optee/Kconfig
index 805aba65edb7..fcaca29a5df7 100644
--- a/drivers/tee/optee/Kconfig
+++ b/drivers/tee/optee/Kconfig
@@ -40,6 +40,13 @@ config OPTEE_AVB_PERSISTENT_VALUES
pairs. AVB itself is not implemented in barebox, but enabling this option
allows barebox to use the AVB persistent value store.
+config OPTEE_RKSECURE
+ bool "Rockchip Secure Boot PTA support"
+ depends on OPTEE
+ help
+ Enable this option to use the Rockchip Secure Boot PTA to read or
+ write the secure boot OTP fuses of an rk3588 SoC.
+
endif
config OF_FIXUP_OPTEE
diff --git a/drivers/tee/optee/Makefile b/drivers/tee/optee/Makefile
index 1fbeb39fb8ba..e89edc876d6f 100644
--- a/drivers/tee/optee/Makefile
+++ b/drivers/tee/optee/Makefile
@@ -8,3 +8,4 @@ optee-objs += device.o
optee-objs += smc_abi.o
obj-$(CONFIG_MCI_MMC_RPMB) += rpmb.o
obj-$(CONFIG_OPTEE_AVB_PERSISTENT_VALUES) += avb.o
+obj-$(CONFIG_OPTEE_RKSECURE) += rksecure.o
diff --git a/drivers/tee/optee/pta_rk_secure_boot.h b/drivers/tee/optee/pta_rk_secure_boot.h
new file mode 100644
index 000000000000..13fa59d9908a
--- /dev/null
+++ b/drivers/tee/optee/pta_rk_secure_boot.h
@@ -0,0 +1,48 @@
+/* SPDX-License-Identifier: BSD-2-Clause */
+/*
+ * Copyright (C) 2025, Pengutronix, Michael Tretter <entwicklung@pengutronix.de>
+ */
+
+#ifndef __PTA_RK_SECURE_BOOT_H
+#define __PTA_RK_SECURE_BOOT_H
+
+#include <types.h>
+
+#define PTA_RK_SECURE_BOOT_UUID \
+ UUID_INIT(0x5cfa57f6, 0x1a4c, 0x407f, \
+ 0x94, 0xa7, 0xa5, 0x6c, 0x8c, 0x47, 0x01, 0x9d)
+
+struct pta_rk_secure_boot_hash {
+ /* sha256 has 256 bit */
+ uint8_t value[32];
+};
+
+struct pta_rk_secure_boot_info {
+ uint8_t enabled;
+ uint8_t simulation;
+ struct pta_rk_secure_boot_hash hash;
+};
+
+/*
+ * PTA_RK_SECURE_BOOT_GET_INFO - Get secure boot status info
+ *
+ * [out] memref[0] buffer memory reference containing a struct
+ * pta_rk_secure_boot_info
+ */
+#define PTA_RK_SECURE_BOOT_GET_INFO 0x0
+
+/*
+ * PTA_RK_SECURE_BOOT_BURN_HASH - Burn the RSA key hash to fuses
+ *
+ * [in] memref[0] buffer memory reference containing a struct
+ * pta_rk_secure_boot_hash
+ * [in] value[1].a bit length of signing key
+ */
+#define PTA_RK_SECURE_BOOT_BURN_HASH 0x1
+
+/*
+ * PTA_RK_SECURE_BOOT_LOCKDOWN_DEVICE - Lockdown the device with secure boot
+ */
+#define PTA_RK_SECURE_BOOT_LOCKDOWN_DEVICE 0x2
+
+#endif /* __PTA_ROCKCHIP_OTP_H */
diff --git a/drivers/tee/optee/rksecure.c b/drivers/tee/optee/rksecure.c
new file mode 100644
index 000000000000..6bc9a61571c2
--- /dev/null
+++ b/drivers/tee/optee/rksecure.c
@@ -0,0 +1,196 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) Pengutronix, Michael Tretter <m.tretter@pengutronix.de>
+ */
+
+#include <linux/tee_drv.h>
+#include <linux/uuid.h>
+#include <uapi/linux/tee.h>
+
+#include <rk_secure_boot.h>
+
+#include "optee_private.h"
+#include "pta_rk_secure_boot.h"
+
+const uuid_t ta_uuid = PTA_RK_SECURE_BOOT_UUID;
+
+static int optee_ctx_match(struct tee_ioctl_version_data *ver, const void *data)
+{
+ return ver->impl_id == TEE_IMPL_ID_OPTEE ? 1 : 0;
+}
+
+static int rk_secure_open_session(struct tee_context *ctx, __u32 *session)
+{
+ struct tee_ioctl_open_session_arg sess_arg = {};
+ int res = 0;
+
+ export_uuid(sess_arg.uuid, &ta_uuid);
+ sess_arg.clnt_login = TEE_IOCTL_LOGIN_PUBLIC;
+ sess_arg.num_params = 0;
+
+ res = tee_client_open_session(ctx, &sess_arg, NULL);
+ if (res < 0)
+ return res;
+ switch (sess_arg.ret) {
+ case TEEC_SUCCESS:
+ res = 0;
+ break;
+ case TEEC_ERROR_ITEM_NOT_FOUND:
+ pr_err("cannot find TA %pU\n", &sess_arg.uuid);
+ return -ENOENT;
+ default:
+ pr_err("TA %pU: error 0x%x\n", &sess_arg.uuid, sess_arg.ret);
+ return -EINVAL;
+ }
+
+ *session = sess_arg.session;
+ return res;
+}
+
+int rk_secure_boot_get_info(struct rk_secure_boot_info *out)
+{
+ struct tee_context *ctx = NULL;
+ struct tee_ioctl_invoke_arg inv_arg;
+ struct tee_param param[1];
+ struct tee_shm *info_shm;
+ struct pta_rk_secure_boot_info *info;
+ __u32 session = 0;
+ int res = 0;
+
+ ctx = tee_client_open_context(NULL, optee_ctx_match, NULL, NULL);
+ if (IS_ERR(ctx))
+ return -ENODEV;
+
+ res = rk_secure_open_session(ctx, &session);
+ if (res < 0)
+ goto out_ctx;
+
+ info_shm = tee_shm_alloc_kernel_buf(ctx, sizeof(*info));
+ if (IS_ERR(info_shm)) {
+ res = -ENOMEM;
+ goto close_session;
+ }
+ info = info_shm->kaddr;
+
+ memset(param, 0, sizeof(param));
+ param[0].attr = TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT;
+ param[0].u.memref.shm = info_shm;
+ param[0].u.memref.size = sizeof(*info);
+
+ inv_arg.func = PTA_RK_SECURE_BOOT_GET_INFO;
+ inv_arg.session = session;
+ inv_arg.num_params = ARRAY_SIZE(param);
+
+ res = tee_client_invoke_func(ctx, &inv_arg, param);
+ if (res)
+ goto out;
+ if (inv_arg.ret) {
+ pr_err("invoke func failed with 0x%08x\n", inv_arg.ret);
+ res = -EIO;
+ }
+
+ memcpy(out->hash, info->hash.value, sizeof(out->hash));
+ out->lockdown = info->enabled;
+ out->simulation = info->simulation;
+
+out:
+ tee_shm_free(info_shm);
+close_session:
+ tee_client_close_session(ctx, session);
+out_ctx:
+ tee_client_close_context(ctx);
+
+ return res;
+}
+
+int rk_secure_boot_burn_hash(const u8 *hash, u32 key_size_bits)
+{
+ struct tee_context *ctx = NULL;
+ struct tee_ioctl_invoke_arg inv_arg;
+ struct tee_param param[2];
+ struct tee_shm *shm_hash;
+ struct pta_rk_secure_boot_hash *pta_hash;
+ __u32 session = 0;
+ int res = 0;
+
+ ctx = tee_client_open_context(NULL, optee_ctx_match, NULL, NULL);
+ if (IS_ERR(ctx))
+ return -ENODEV;
+
+ res = rk_secure_open_session(ctx, &session);
+ if (res < 0)
+ goto out_ctx;
+
+ shm_hash = tee_shm_alloc_kernel_buf(ctx, sizeof(*pta_hash));
+ if (IS_ERR(shm_hash)) {
+ res = -ENOMEM;
+ goto close_session;
+ }
+ pta_hash = shm_hash->kaddr;
+
+ memcpy(pta_hash->value, hash, sizeof(pta_hash->value));
+
+ memset(param, 0, sizeof(param));
+ param[0].attr = TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT;
+ param[0].u.memref.shm = shm_hash;
+ param[0].u.memref.size = sizeof(*pta_hash);
+
+ param[1].attr = TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INPUT;
+ param[1].u.value.a = key_size_bits;
+
+ inv_arg.func = PTA_RK_SECURE_BOOT_BURN_HASH;
+ inv_arg.session = session;
+ inv_arg.num_params = ARRAY_SIZE(param);
+
+ res = tee_client_invoke_func(ctx, &inv_arg, param);
+ if (res)
+ goto out;
+ if (inv_arg.ret) {
+ pr_err("invoke func failed with 0x%08x\n", inv_arg.ret);
+ res = -EIO;
+ }
+
+out:
+ tee_shm_free(shm_hash);
+close_session:
+ tee_client_close_session(ctx, session);
+out_ctx:
+ tee_client_close_context(ctx);
+
+ return res;
+}
+
+int rk_secure_boot_lockdown_device(void)
+{
+ struct tee_context *ctx = NULL;
+ struct tee_ioctl_invoke_arg inv_arg;
+ __u32 session = 0;
+ int res = 0;
+
+ ctx = tee_client_open_context(NULL, optee_ctx_match, NULL, NULL);
+ if (IS_ERR(ctx))
+ return -ENODEV;
+
+ res = rk_secure_open_session(ctx, &session);
+ if (res < 0)
+ goto out_ctx;
+
+ inv_arg.func = PTA_RK_SECURE_BOOT_LOCKDOWN_DEVICE;
+ inv_arg.session = session;
+ inv_arg.num_params = 0;
+
+ res = tee_client_invoke_func(ctx, &inv_arg, NULL);
+ if (res)
+ goto close_session;
+ if (inv_arg.ret) {
+ pr_err("invoke func failed with 0x%08x\n", inv_arg.ret);
+ res = -EIO;
+ }
+
+close_session:
+ tee_client_close_session(ctx, session);
+out_ctx:
+ tee_client_close_context(ctx);
+
+ return res;
+}
diff --git a/include/rk_secure_boot.h b/include/rk_secure_boot.h
new file mode 100644
index 000000000000..6e247aa7eef3
--- /dev/null
+++ b/include/rk_secure_boot.h
@@ -0,0 +1,21 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * Copyright (C) 2025 Pengutronix, Michael Tretter <m.tretter@pengutronix.de>
+ */
+
+#ifndef __RK_SECURE_BOOT_H
+#define __RK_SECURE_BOOT_H
+
+#include <linux/types.h>
+
+struct rk_secure_boot_info {
+ bool lockdown;
+ bool simulation;
+ u8 hash[32];
+};
+
+int rk_secure_boot_get_info(struct rk_secure_boot_info *info);
+int rk_secure_boot_burn_hash(const u8 *hash, u32 key_size_bits);
+int rk_secure_boot_lockdown_device(void);
+
+#endif /* __RK_SECURE_BOOT_H */
--
2.47.3
^ permalink raw reply [flat|nested] 6+ messages in thread* [PATCH RFC 3/3] commands: implement rksecure command
2026-01-05 14:32 [PATCH RFC 0/3] ARM: rockchip: add rockchip secure boot Michael Tretter
2026-01-05 14:32 ` [PATCH RFC 1/3] scripts: rockchip: add script to calculate key hash Michael Tretter
2026-01-05 14:32 ` [PATCH RFC 2/3] tee: drivers: add driver for Rockchip Secure Boot PTA Michael Tretter
@ 2026-01-05 14:32 ` Michael Tretter
2026-01-06 7:33 ` [PATCH RFC 0/3] ARM: rockchip: add rockchip secure boot Sascha Hauer
2026-01-06 13:18 ` Sascha Hauer
4 siblings, 0 replies; 6+ messages in thread
From: Michael Tretter @ 2026-01-05 14:32 UTC (permalink / raw)
To: Sascha Hauer, BAREBOX; +Cc: Michael Tretter
The rksecure command allows the user to read the current status of
secure boot of a Rockchip board. Furthermore, it allows to burn a
Public Root Key hash and enable secure boot on rk3588 via the Rockchip
Secure Boot PTA.
The command and its options are inspired by the hab command for i.MX
SoCs.
Signed-off-by: Michael Tretter <m.tretter@pengutronix.de>
---
commands/Kconfig | 9 +++
commands/Makefile | 1 +
commands/rksecure.c | 155 ++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 165 insertions(+)
diff --git a/commands/Kconfig b/commands/Kconfig
index 76e56835f625..f94c7278e72e 100644
--- a/commands/Kconfig
+++ b/commands/Kconfig
@@ -2328,6 +2328,15 @@ config CMD_K3_KEYWRITER
help
The K3 keywriter command provides support for fusing TI AM62Lx SoCs
+config CMD_RKSECURE
+ bool
+ depends on OPTEE_RKSECURE
+ select PRINTF_HEXSTR
+ prompt "Rockchip Secure Boot"
+ help
+ The rksecure command allows to retrieve information about and enable
+ secure boot for Rockchip rk3588 SoCs.
+
# end Hardware manipulation commands
endmenu
diff --git a/commands/Makefile b/commands/Makefile
index d92adc7138a3..2563efb12f4e 100644
--- a/commands/Makefile
+++ b/commands/Makefile
@@ -172,4 +172,5 @@ obj-$(CONFIG_CMD_HOST) += host.o
obj-$(CONFIG_CMD_DMSETUP) += dmsetup.o
obj-$(CONFIG_CMD_VERITYSETUP) += veritysetup.o
obj-$(CONFIG_CMD_SCONFIG) += sconfig.o
+obj-$(CONFIG_CMD_RKSECURE) += rksecure.o
UBSAN_SANITIZE_ubsan.o := y
diff --git a/commands/rksecure.c b/commands/rksecure.c
new file mode 100644
index 000000000000..e9b7e204c1bd
--- /dev/null
+++ b/commands/rksecure.c
@@ -0,0 +1,155 @@
+// SPDX-License-Identifier: GPL-2.0-only
+
+#include <common.h>
+
+#include <command.h>
+#include <crypto/sha.h>
+#include <errno.h>
+#include <getopt.h>
+#include <libfile.h>
+#include <linux/kstrtox.h>
+
+#include <rk_secure_boot.h>
+
+static int rksecure_write_hash_hex(const char *hex, u32 key_size_bits)
+{
+ int ret;
+ u8 digest[SHA256_DIGEST_SIZE];
+
+ if (strlen(hex) != SHA256_DIGEST_SIZE * 2) {
+ pr_err("%s has wrong size: Expected %d characters\n",
+ hex, SHA256_DIGEST_SIZE * 2);
+ return -EINVAL;
+ }
+
+ ret = hex2bin(digest, hex, SHA256_DIGEST_SIZE);
+ if (ret < 0) {
+ pr_err("Failed to parse hash %s\n", hex);
+ return -EINVAL;
+ }
+
+ return rk_secure_boot_burn_hash(digest, key_size_bits);
+}
+
+static int rksecure_write_hash_file(const char *filename, u32 key_size_bits)
+{
+ int ret;
+ size_t size;
+ void *digest;
+
+ ret = read_file_2(filename, &size, &digest, SHA256_DIGEST_SIZE + 1);
+ if (ret)
+ return ret;
+ if (size != SHA256_DIGEST_SIZE) {
+ pr_err("%s has wrong size: Expected %d bytes\n",
+ filename, SHA256_DIGEST_SIZE);
+ return -EINVAL;
+ }
+
+ ret = rk_secure_boot_burn_hash(digest, key_size_bits);
+
+ free(digest);
+
+ return ret;
+}
+
+static int rksecure_print_info(void)
+{
+ struct rk_secure_boot_info info;
+ int ret;
+
+ ret = rk_secure_boot_get_info(&info);
+ if (ret)
+ pr_err("Failed to read secure boot info\n");
+ return ret;
+
+ printf("Public Root Key hash: %*phN\n"
+ "Secure boot: %s\n"
+ "Simulation: %s\n",
+ (int)sizeof(info.hash), info.hash,
+ info.lockdown ? "enabled" : "disabled",
+ info.simulation ? "enabled" : "disabled");
+
+ return 0;
+}
+
+static int do_rksecure(int argc, char *argv[])
+{
+ int opt;
+ int ret;
+ char *hashfile = NULL;
+ char *hash = NULL;
+ int lockdown = 0;
+ int info = 0;
+ int key_size_bits = 0;
+
+ while ((opt = getopt(argc, argv, "s:x:b:li")) > 0) {
+ switch (opt) {
+ case 's':
+ hashfile = optarg;
+ break;
+ case 'x':
+ hash = optarg;
+ break;
+ case 'b':
+ kstrtouint(optarg, 10, &key_size_bits);
+ break;
+ case 'l':
+ lockdown = 1;
+ break;
+ case 'i':
+ info = 1;
+ break;
+ default:
+ return COMMAND_ERROR_USAGE;
+ }
+ }
+
+ if (!info && !lockdown && !hashfile && !hash)
+ return COMMAND_ERROR_USAGE;
+
+ if (info)
+ return rksecure_print_info();
+
+ if (hashfile && hash) {
+ printf("-s and -x options may not be given together\n");
+ return COMMAND_ERROR_USAGE;
+ }
+
+ if (hashfile) {
+ ret = rksecure_write_hash_file(hashfile, key_size_bits);
+ if (ret)
+ return ret;
+ } else if (hash) {
+ ret = rksecure_write_hash_hex(hash, key_size_bits);
+ if (ret)
+ return ret;
+ }
+
+ if (lockdown) {
+ ret = rk_secure_boot_lockdown_device();
+ if (ret)
+ return ret;
+ printf("Device successfully locked down\n");
+ }
+
+ return 0;
+}
+
+BAREBOX_CMD_HELP_START(rksecure)
+BAREBOX_CMD_HELP_TEXT("Manage Rockchip Secure Boot")
+BAREBOX_CMD_HELP_TEXT("")
+BAREBOX_CMD_HELP_OPT ("-i", "Print info about secure boot status")
+BAREBOX_CMD_HELP_OPT ("-s <file>", "Burn Super Root Key hash from <file>")
+BAREBOX_CMD_HELP_OPT ("-x <sha256>", "Burn Super Root Key hash from hex string")
+BAREBOX_CMD_HELP_OPT ("-b <bits>", "Bit length of signing key")
+BAREBOX_CMD_HELP_OPT ("-l", "Lockdown device. Dangerous! After executing only signed images can be booted")
+BAREBOX_CMD_HELP_END
+
+BAREBOX_CMD_START(rksecure)
+ .cmd = do_rksecure,
+ BAREBOX_CMD_DESC("Manage Rockchip Secure Boot")
+ BAREBOX_CMD_OPTS("isxbl")
+ BAREBOX_CMD_GROUP(CMD_GRP_HWMANIP)
+ BAREBOX_CMD_HELP(cmd_rksecure_help)
+BAREBOX_CMD_END
--
2.47.3
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [PATCH RFC 0/3] ARM: rockchip: add rockchip secure boot
2026-01-05 14:32 [PATCH RFC 0/3] ARM: rockchip: add rockchip secure boot Michael Tretter
` (2 preceding siblings ...)
2026-01-05 14:32 ` [PATCH RFC 3/3] commands: implement rksecure command Michael Tretter
@ 2026-01-06 7:33 ` Sascha Hauer
2026-01-06 13:18 ` Sascha Hauer
4 siblings, 0 replies; 6+ messages in thread
From: Sascha Hauer @ 2026-01-06 7:33 UTC (permalink / raw)
To: Michael Tretter; +Cc: BAREBOX
On Mon, Jan 05, 2026 at 03:32:30PM +0100, Michael Tretter wrote:
> Add support to enable secure boot on rk3588 SoCs via the Rockchip Secure
> Boot PTA [0].
>
> The OTP fuses for the secure boot configuration are only accessible from
> the secure world. Therefore, the actual hardware access is implemented
> in the aforementioned PTA. Thus, barebox is only able to enable secure
> boot, if this PTA is available.
>
> Patch 1 adds a helper script to calculate the Public Root Key hash, that
> needs to be burned into the OTP fuses. The script accepts a PEM file
> containing an RSA (public) key or an already signed rkimage, from which
> the key is extracted.
>
> Patch 2 adds a driver that interacts with the Rockchip Secure Boot PTA.
> The API header between the PTA and the driver has been copied from
> OP-TEE.
>
> Patch 3 adds a shell command that a user may use to actually interact
> with the PTA. The command options are inspired by the options for the
> i.MX hab command.
>
> This series is an RFC, because the Rockchip Secure Boot PTA is not
> merged into OP-TEE, yet.
Looks all good to me, so let's wait until it's merged into OP-TEE.
Sascha
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [PATCH RFC 0/3] ARM: rockchip: add rockchip secure boot
2026-01-05 14:32 [PATCH RFC 0/3] ARM: rockchip: add rockchip secure boot Michael Tretter
` (3 preceding siblings ...)
2026-01-06 7:33 ` [PATCH RFC 0/3] ARM: rockchip: add rockchip secure boot Sascha Hauer
@ 2026-01-06 13:18 ` Sascha Hauer
4 siblings, 0 replies; 6+ messages in thread
From: Sascha Hauer @ 2026-01-06 13:18 UTC (permalink / raw)
To: BAREBOX, Michael Tretter
On Mon, 05 Jan 2026 15:32:30 +0100, Michael Tretter wrote:
> Add support to enable secure boot on rk3588 SoCs via the Rockchip Secure
> Boot PTA [0].
>
> The OTP fuses for the secure boot configuration are only accessible from
> the secure world. Therefore, the actual hardware access is implemented
> in the aforementioned PTA. Thus, barebox is only able to enable secure
> boot, if this PTA is available.
>
> [...]
Applied, thanks!
[1/3] scripts: rockchip: add script to calculate key hash
https://git.pengutronix.de/cgit/barebox/commit/?id=183ab30d8ab1 (link may not be stable)
[2/3] tee: drivers: add driver for Rockchip Secure Boot PTA
https://git.pengutronix.de/cgit/barebox/commit/?id=a18cd546d7f0 (link may not be stable)
[3/3] commands: implement rksecure command
https://git.pengutronix.de/cgit/barebox/commit/?id=36179589b6d5 (link may not be stable)
Best regards,
--
Sascha Hauer <s.hauer@pengutronix.de>
^ permalink raw reply [flat|nested] 6+ messages in thread