<rgolledge>
Has anyone managed to get optee trust solution working with mainline kernel? I have got signed spl, uboot, atf and fitimage but I can't seem to get the rockchip atf to load the tee binary?
<qschulz>
rgolledge: which SoC
<qschulz>
mainline OP-TEE OS or Rockchip's blob?
<rgolledge>
rk3566 with rockchips blob
<rgolledge>
I could not get the opensource atf to build and produce BL31 and BL32 binaries, only ended up with lib files and struggled to find documentation to help
<qschulz>
rgolledge: you should be able to build upstream TF-A for RK3566 by using the RK3568 target
<qschulz>
but I think it may still be half broken support
<qschulz>
is it Rockchip's U-Boot fork or upstream U-Boot you're trying to use?
<qschulz>
I don't think we support Rockchip's OP-TEE OS blob in upstream U-Boot
<rgolledge>
upstream uboot
<CounterPillow>
On RK3566/RK3568, optee with upstream u-boot/kernel is something where as far as I know you're the first to do it.
<rgolledge>
everything working except I don't get the optee messages when the BL31 part is running and it says WARNING: No OPTEE provided .... before Uboot starts
<qschulz>
rgolledge: did you set the env variable TEE to the path to the OP-TEE OS binary?
<qschulz>
when building U-Boot?
<qschulz>
but also, pretty sure this won't work, I don't think we support Rockchip's OP-TEE OS blob (using a different header/format from upstream IIRC)
<qschulz>
CounterPillow: though the conclusion for now is "doesn't work quite well atm and Rockchip doesn't provide feedback" from what I understood
<rgolledge>
I have had no luck getting support as rockchip uboot is failing to build using their scripts for rk3566 when secure boot is enabled. I have not even asked about mainline stuff
<rgolledge>
qschulz: If I use the upstream uboot and add the TEE variable I get a binman failure as the tee file is a binfile not an elf. I use yocto to build the uboot.itb, I had to grab some stuff from rockchips uboot to place the atf file in the correct place but that works now. I also have the tee file in the itb file and it is signed and loaded into ram but I have no idea how the atf loads it and
<rgolledge>
where it should be
<rgolledge>
Kwiboo: I will try that linker thing without yocto involved and see what happens
<rgolledge>
Good news is customer is happy for me to push fixes back once finished.
<mmind00>
qschulz: also looking at that optee PR, it seems someone has taken it upon themself to RE the needed DDR firewall parts
<mmind00>
just stumbled upon that comment in there
<qschulz>
yeah, but the phrasing seems to indicate this won't be made public unless someone wants to join efforts?
<mmind00>
I'd also like to have that in TF-A
* mmind00 is about to sort of raise his hand ;-)
<qschulz>
yeah I didn't want to volunteer someone :)
<Ermine>
did rockchip also fork op-tee? geez
<qschulz>
I believe that's how they setup Secure Boot, and everybody knows secure boot needs to be secret sauce
<qschulz>
/s of course
<Ermine>
they could mess with trusty instead, given that they ship android everywhere