imx8m: Add DEK blob encapsulation for imx8m
Add DEK blob encapsulation support for IMX8M through "dek_blob" command.
On ARMv8, U-Boot runs in non-secure, thus cannot encapsulate a DEK blob
for encrypted boot.
The DEK blob is encapsulated by OP-TEE through a trusted application call.
U-Boot sends and receives the DEK and the DEK blob binaries through OP-TEE
dynamic shared memory.
To enable the DEK blob encapsulation, add to the defconfig:
CONFIG_SECURE_BOOT=y
CONFIG_FAT_WRITE=y
CONFIG_CMD_DEKBLOB=y
Signed-off-by: Clement Faure <clement.faure@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
diff --git a/arch/arm/mach-imx/Kconfig b/arch/arm/mach-imx/Kconfig
index 27b0b08..3bcfced 100644
--- a/arch/arm/mach-imx/Kconfig
+++ b/arch/arm/mach-imx/Kconfig
@@ -75,12 +75,29 @@
config CMD_DEKBLOB
bool "Support the 'dek_blob' command"
+ select IMX_CAAM_DEK_ENCAP if ARCH_MX6 || ARCH_MX7 || ARCH_MX7ULP
+ select IMX_OPTEE_DEK_ENCAP if ARCH_IMX8M
help
This enables the 'dek_blob' command which is used with the
Freescale secure boot mechanism. This command encapsulates and
creates a blob of data. See also CMD_BLOB and doc/imx/habv4/* for
more information.
+config IMX_CAAM_DEK_ENCAP
+ bool "Support the DEK blob encapsulation with CAAM U-Boot driver"
+ help
+ This enables the DEK blob encapsulation with the U-Boot CAAM driver.
+ This option is only available on imx6, imx7 and imx7ulp.
+
+config IMX_OPTEE_DEK_ENCAP
+ select TEE
+ select OPTEE
+ bool "Support the DEK blob encapsulation with OP-TEE"
+ help
+ This enabled the DEK blob encapsulation with OP-TEE. The communication
+ with OP-TEE is done through a SMC call and OP-TEE shared memory. This
+ option is available on imx8mm.
+
config CMD_PRIBLOB
bool "Support the set_priblob_bitfield command"
depends on HAS_CAAM && IMX_HAB
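Review bot: The new IMX_CAAM_DEK_ENCAP and IMX_OPTEE_DEK_ENCAP entries each carry a prompt but no "depends on", so either backend can be enabled by hand on a SoC that its own help text says is unsupported. Consider adding "depends on ARCH_MX6 || ARCH_MX7 || ARCH_MX7ULP" and "depends on ARCH_IMX8M" respectively, or dropping the prompts so that only the "select" lines under CMD_DEKBLOB drive them. Because "select" forces a symbol on without checking its dependencies, "select TEE" and "select OPTEE" in IMX_OPTEE_DEK_ENCAP should be checked against whatever those symbols depend on, and by convention they belong after the "bool" line rather than before it. The IMX_OPTEE_DEK_ENCAP help says the option "is available on imx8mm" while CMD_DEKBLOB selects it for all of ARCH_IMX8M, so one of the two needs adjusting. In the same help text, "This enabled" should read "This enables". Also, when CMD_DEKBLOB is enabled on a platform matching neither select condition, no backend is selected; a "depends on" on CMD_DEKBLOB covering the supported architectures would make that case explicit.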