[PATCH v2] arm: k3: Kconfig: Enable fTPM and RPMB support

Shiva Tripathi s-tripathi1 at ti.com
Wed Mar 18 12:01:19 CET 2026



On 3/17/26 19:37, Tom Rini wrote:
> On Tue, Mar 17, 2026 at 05:04:29PM +0530, Shiva Tripathi wrote:
>>
>>
>> On 3/11/26 02:15, Tom Rini wrote:
>>> On Wed, 25 Feb 2026 16:54:38 +0530, Shiva Tripathi wrote:
>>>
>>>> Enable firmware TPM (fTPM) support via OP-TEE for K3 platforms with
>>>> MMC hardware. This provides TPM 2.0 functionality through
>>>> Microsoft's fTPM Trusted Application running in OP-TEE secure world,
>>>> using eMMC RPMB as persistent storage.
>>>>
>>>> fTPM support in U-Boot provides the foundation for measured boot
>>>> and disk encryption use cases.
>>>>
>>>> [...]
>>>
>>> Applied to u-boot/next, thanks!
>>
>> Hi Tom,
>>
>> Thanks for applying the patch. Following are the steps to test these
>> (I'll soon update the relevant docs for this):
>>
>> a. First step is to generate fTPM TA binary using ms-tpm-20-ref [1] and
>> optee_ftpm [2]. I have been using yocto to generate this fTPM TA Binary,
>> for reference, the binary I used [3].
>>
>> b. Second step is to use above fTPM TA and build optee-os with RPMB and
>> early TA enabled:
>>   make -j$(nproc) \
>>        CROSS_COMPILE=arm-linux-gnueabihf- \
>>        CROSS_COMPILE64=aarch64-linux-gnu- \
>>        PLATFORM=k3 \
>>        PLATFORM_FLAVOR=am62x \
>>        CFG_ARM64_core=y \
>>        CFG_RPMB_FS=y \
>>        CFG_REE_FS=n \
>>        CFG_EARLY_TA=y \
>>        CFG_RPMB_ANNOUNCE_PROBE_CAP=n \
>>        EARLY_TA_PATHS=/path/to/bc50d971-d4c9-42c4-82cb-343fb7f37896.stripped.elf
>>
>> c. The optee binary can then be used to build final u-boot images,
>> testing logs for reference [4]
>>
>> [1]: https://github.com/microsoft/ms-tpm-20-ref.git
>> [2]: https://github.com/OP-TEE/optee_ftpm.git
>> [3]: https://github.com/shiva-ti/ftpm-binaries/blob/main/bc50d971-d4c9-42c4-82cb-343fb7f37896.stripped.elf
>> [4]: https://gist.github.com/shiva-ti/8ac6aded2bf0a3c9bd99627a45b50f6b
> 
> I will try this manually when I have a chance, thanks. Please update the
> generic TI K3 documents to include this as well, too.
> 

Yes, I'll update the TI K3 docs.

In the above steps, I missed mentioning that the eMMC RPMB must have
authenticated keys programmed for fTPM to work, since it uses the RPMB
persistent storage. "CFG_RPMB_WRITE_KEY=y" while building optee-os
enables OP-TEE to program the eMMC RPMB with the authentication key on
first boot. This key is derived from the HUK (Hardware Unique Key).
Programming the RPMB key is a one-time, non-reversible operation.

Thanks,
Shiva
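
A preflight check for the OP-TEE build settings listed in this thread, added here as an example; it is not part of the thread or of OP-TEE. The KEY=VALUE input file, the function names and the ACK_RPMB_KEY_WRITE variable are assumptions of this example.

```shell
#!/bin/sh
# Preflight check for the optee-os settings named in the thread.
# Input: a file with one KEY=VALUE make variable per line (assumed format).

FTPM_UUID="bc50d971-d4c9-42c4-82cb-343fb7f37896"   # fTPM TA file name from the thread

# cfg_get FILE KEY -> prints the last value assigned to KEY (empty if unset)
cfg_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# check_ftpm_cfg FILE -> 0 ok, 1 wrong or missing setting,
#                        2 RPMB key write enabled but not acknowledged
check_ftpm_cfg() {
    cfg=$1
    rc=0
    # Settings the thread passes to make for fTPM with RPMB storage.
    for want in CFG_RPMB_FS=y CFG_REE_FS=n CFG_EARLY_TA=y; do
        key=${want%%=*}
        got=$(cfg_get "$cfg" "$key")
        if [ "$got" != "${want#*=}" ]; then
            echo "FAIL: $key is '${got:-unset}', expected '${want#*=}'" >&2
            rc=1
        fi
    done
    # The early TA must be the fTPM TA and must exist (single path, as in the thread).
    ta=$(cfg_get "$cfg" EARLY_TA_PATHS)
    case $ta in
        *"$FTPM_UUID"*) [ -f "$ta" ] || { echo "FAIL: $ta not found" >&2; rc=1; } ;;
        *) echo "FAIL: EARLY_TA_PATHS does not name $FTPM_UUID" >&2; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] || return "$rc"
    # CFG_RPMB_WRITE_KEY=y programs the RPMB key on first boot: one-time and
    # non-reversible. Require an explicit acknowledgement (hypothetical variable).
    if [ "$(cfg_get "$cfg" CFG_RPMB_WRITE_KEY)" = "y" ] &&
       [ "${ACK_RPMB_KEY_WRITE:-}" != "yes" ]; then
        echo "STOP: CFG_RPMB_WRITE_KEY=y is set; export ACK_RPMB_KEY_WRITE=yes to proceed" >&2
        return 2
    fi
    return 0
}
```

Run `check_ftpm_cfg settings.cfg` before invoking make; a return of 2 means the build would program the RPMB key on the board it first boots on.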


