Prepare for DEK blob encapsulation support through "dek_blob" command. On ARMv8, u-boot runs in non-secure, thus cannot encapsulate a DEK blob for encrypted boot.
The DEK blob is encapsulated by OP-TEE through a trusted application call. U-boot sends and receives the DEK and the DEK blob binaries through OP-TEE dynamic shared memory.
To enable the DEK blob encapsulation, add to the defconfig: CONFIG_SECURE_BOOT=y CONFIG_FAT_WRITE=y CONFIG_CMD_DEKBLOB=y
Taken from NXP's commit 56d2050f4028 ("imx8m: Add DEK blob encapsulation for imx8m").
Signed-off-by: Tim Harvey tharvey@gateworks.com --- arch/arm/dts/imx8mm-venice-u-boot.dtsi | 7 +++++++ 1 file changed, 7 insertions(+)
diff --git a/arch/arm/dts/imx8mm-venice-u-boot.dtsi b/arch/arm/dts/imx8mm-venice-u-boot.dtsi index 8337c4aea807..b232002b8937 100644 --- a/arch/arm/dts/imx8mm-venice-u-boot.dtsi +++ b/arch/arm/dts/imx8mm-venice-u-boot.dtsi @@ -11,6 +11,13 @@ wdt = <&wdog1>; bootph-pre-ram; }; + + firmware { + optee { + compatible = "linaro,optee-tz"; + method = "smc"; + }; + }; };
&gpio1 {