[PATCH v2] arm: k3: Kconfig: Enable fTPM and RPMB support

Ernest Van Hoecke ernestvanhoecke at gmail.com
Tue May 12 18:44:22 CEST 2026


On Wed, Feb 25, 2026 at 04:54:38PM +0530, Shiva Tripathi wrote:
> Enable firmware TPM (fTPM) support via OP-TEE for K3 platforms with
> MMC hardware. This provides TPM 2.0 functionality through
> Microsoft's fTPM Trusted Application running in OP-TEE secure world,
> using eMMC RPMB as persistent storage.
> 
> fTPM support in U-Boot provides the foundation for measured boot
> and disk encryption use cases.
> 
> The ARM64 condition ensures these apply only to A53/A72 cores and the
> MMC condition ensures fTPM is enabled only on platforms with eMMC
> hardware support.
> 
> Signed-off-by: Shiva Tripathi <s-tripathi1 at ti.com>
> ---
> Changes in v2:
> - Moved fTPM enablement from per-board defconfig files to common Kconfig
> - Added configs to ARCH_K3 (arch/arm/Kconfig) to enable for all K3 platforms
> - Added command configs to TI_COMMON_CMD_OPTIONS (board/ti/common/Kconfig)
> - Added MMC dependency to address concern about boards without eMMC hardware
> - Link to v1: https://lore.kernel.org/all/20260223091314.586968-1-s-tripathi1@ti.com/
> 
> ---
>  arch/arm/Kconfig        | 3 +++
>  board/ti/common/Kconfig | 2 ++
>  2 files changed, 5 insertions(+)
> 
> diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
> index 5508fce796a..eb83b5c35f1 100644
> --- a/arch/arm/Kconfig
> +++ b/arch/arm/Kconfig
> @@ -834,6 +834,9 @@ config ARCH_K3
>  	imply DM_RNG if ARM64
>  	imply TEE if ARM64
>  	imply OPTEE if ARM64
> +	imply TPM if ARM64 && MMC
> +	imply TPM2_FTPM_TEE if ARM64 && MMC
> +	imply SUPPORT_EMMC_RPMB if ARM64 && MMC
>  
>  config ARCH_OMAP2PLUS
>  	bool "TI OMAP2+"
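Review bot: The three new imply lines under ARCH_K3 are conditioned on "ARM64 && MMC" only, while the commit message describes the fTPM as a Trusted Application running in OP-TEE. TEE and OPTEE are themselves only implied in the lines just above, so a board can switch them off; spelling the dependency out here, e.g. "imply TPM2_FTPM_TEE if ARM64 && MMC && OPTEE", would document it at the point of use. Separately, MMC says the MMC stack is built, not that the board has an eMMC with a usable RPMB partition or that its OP-TEE image was built with RPMB storage. Since this becomes the default for all K3 platforms, the commit message should state what the OP-TEE build and RPMB provisioning must look like for boards that inherit it, and what the expected behaviour is when that is not the case.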
> diff --git a/board/ti/common/Kconfig b/board/ti/common/Kconfig
> index 409454813f3..149909093b3 100644
> --- a/board/ti/common/Kconfig
> +++ b/board/ti/common/Kconfig
> @@ -61,4 +61,6 @@ config TI_COMMON_CMD_OPTIONS
>  	imply CMD_SPL
>  	imply CMD_TIME
>  	imply CMD_USB if USB
> +	imply CMD_TPM if TPM
> +	imply CMD_OPTEE_RPMB if OPTEE && SUPPORT_EMMC_RPMB
>  
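Review bot: For the CMD_OPTEE_RPMB line, the commit message explains why the fTPM uses RPMB as persistent storage but not why an interactive RPMB command should be on by default for every board that enables TI_COMMON_CMD_OPTIONS; the changelog only says "Added command configs". Please state what the command is needed for in the fTPM flow, or leave it to the defconfigs of boards that want it, so that production builds do not gain an extra console command by default. The CMD_TPM line has the same default-on effect and would benefit from the same one-line justification.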
> -- 
> 2.34.1
> 

Hi Shiva,

Do these changes mean you expect any K3-based board to follow by
building OP-TEE with RPMB support (and in production provisioning an
authentication key on first boot) now?

I'm asking because we noticed errors in the below form appeared during
boot of our Verdin AM62P and Aquila AM69 now:
E/LD:  Status of TA bc50d971-d4c9-42c4-82cb-343fb7f37896
E/LD:   arch: aarch64
E/LD:  region  0: va 0x40005000 pa 0x9e900000 size 0x002000 flags rw-s (ldelf)
E/LD:  region  1: va 0x40007000 pa 0x9e902000 size 0x008000 flags r-xs (ldelf)
E/LD:  region  2: va 0x4000f000 pa 0x9e90a000 size 0x001000 flags rw-s (ldelf)
E/LD:  region  3: va 0x40010000 pa 0x9e90b000 size 0x004000 flags rw-s (ldelf)
E/LD:  region  4: va 0x40014000 pa 0x9e90f000 size 0x001000 flags r--s
E/LD:  region  5: va 0x40015000 pa 0x9e980000 size 0x011000 flags rw-s (stack)
E/LD:  region  6: va 0x4005a000 pa 0x9e910000 size 0x055000 flags r-xs [0]
E/LD:  region  7: va 0x400af000 pa 0x9e965000 size 0x01b000 flags rw-s [0]
E/LD:   [0] bc50d971-d4c9-42c4-82cb-343fb7f37896 @ 0x4005a000
E/LD:  Call stack:
E/LD:   0x4005b7b0
E/LD:   0x4008f220
E/LD:   0x40083298

Interestingly this did not appear on our Verdin AM62 SoM.

Of course, we can simply disable the fTPM until our support improves, or
ignore this error if it is harmless, but I wanted to ask about your
intentions before digging much deeper.

Thanks!

Kind regards,
Ernest


