[PATCH v6 03/11] ARM: dts: imx8mm-verdin: prepare for dek blob encapsulation

From: Marcel Ziswiler <marcel@ziswiler.com>
To: u-boot@lists.denx.de
Cc: Heiko Thiery <heiko.thiery@gmail.com>,
	Frieder Schrempf <frieder.schrempf@kontron.de>,
	Fabio Estevam <festevam@gmail.com>,
	Stefano Babic <sbabic@denx.de>,
	Marcel Ziswiler <marcel.ziswiler@toradex.com>,
	"NXP i.MX U-Boot Team" <uboot-imx@nxp.com>,
	Simon Glass <sjg@chromium.org>, Tom Rini <trini@konsulko.com>
Subject: [PATCH v6 03/11] ARM: dts: imx8mm-verdin: prepare for dek blob encapsulation
Date: Sat,  9 Oct 2021 22:41:05 +0200	[thread overview]
Message-ID: <20211009204113.1208641-4-marcel@ziswiler.com> (raw)
In-Reply-To: <20211009204113.1208641-1-marcel@ziswiler.com>

From: Marcel Ziswiler <marcel.ziswiler@toradex.com>

Prepare for DEK blob encapsulation support through "dek_blob" command.
On ARMv8, u-boot runs in non-secure, thus cannot encapsulate a DEK blob
for encrypted boot.
The DEK blob is encapsulated by OP-TEE through a trusted application
call. U-boot sends and receives the DEK and the DEK blob binaries
through OP-TEE dynamic shared memory.

To enable the DEK blob encapsulation, add to the defconfig:
CONFIG_SECURE_BOOT=y
CONFIG_FAT_WRITE=y
CONFIG_CMD_DEKBLOB=y

Taken from NXP's commit 56d2050f4028 ("imx8m: Add DEK blob encapsulation
for imx8m").

Signed-off-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
Reviewed-by: Fabio Estevam <festevam@gmail.com>
---

(no changes since v1)

 arch/arm/dts/imx8mm-verdin-u-boot.dtsi | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/arch/arm/dts/imx8mm-verdin-u-boot.dtsi b/arch/arm/dts/imx8mm-verdin-u-boot.dtsi
index 67c31c49b6c..a97626fa0c1 100644
--- a/arch/arm/dts/imx8mm-verdin-u-boot.dtsi
+++ b/arch/arm/dts/imx8mm-verdin-u-boot.dtsi
@@ -6,6 +6,13 @@
 #include "imx8mm-u-boot.dtsi"
 
 / {
+	firmware {
+		optee {
+			compatible = "linaro,optee-tz";
+			method = "smc";
+		};
+	};
+
 	wdt-reboot {
 		compatible = "wdt-reboot";
 		wdt = <&wdog1>;
-- 
2.26.2

