[PATCH v2] arm: k3: Kconfig: Enable fTPM and RPMB support
Andrew Davis
afd at ti.com
Wed May 13 15:49:31 CEST 2026
On 5/13/26 8:06 AM, Shiva Tripathi wrote:
> On 5/12/26 22:14, Ernest Van Hoecke wrote:
>> On Wed, Feb 25, 2026 at 04:54:38PM +0530, Shiva Tripathi wrote:
>>> Enable firmware TPM (fTPM) support via OP-TEE for K3 platforms with
>>> MMC hardware. This provides TPM 2.0 functionality through
>>> Microsoft's fTPM Trusted Application running in OP-TEE secure world,
>>> using eMMC RPMB as persistent storage.
>>>
>>> fTPM support in U-Boot provides the foundation for measured boot
>>> and disk encryption use cases.
>>>
>>> The ARM64 condition ensures these apply only to A53/A72 cores and the
>>> MMC condition ensures fTPM is enabled only on platforms with eMMC
>>> hardware support.
>>>
>>> Signed-off-by: Shiva Tripathi <s-tripathi1 at ti.com>
>>> ---
>>> Changes in v2:
>>> - Moved fTPM enablement from per-board defconfig files to common Kconfig
>>> - Added configs to ARCH_K3 (arch/arm/Kconfig) to enable for all K3 platforms
>>> - Added command configs to TI_COMMON_CMD_OPTIONS (board/ti/common/Kconfig)
>>> - Added MMC dependency to address concern about boards without eMMC hardware
>>> - Link to v1: https://lore.kernel.org/all/20260223091314.586968-1-s-tripathi1@ti.com/
>>>
>>> ---
>>> arch/arm/Kconfig | 3 +++
>>> board/ti/common/Kconfig | 2 ++
>>> 2 files changed, 5 insertions(+)
>>>
>>> diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
>>> index 5508fce796a..eb83b5c35f1 100644
>>> --- a/arch/arm/Kconfig
>>> +++ b/arch/arm/Kconfig
>>> @@ -834,6 +834,9 @@ config ARCH_K3
>>> imply DM_RNG if ARM64
>>> imply TEE if ARM64
>>> imply OPTEE if ARM64
>>> + imply TPM if ARM64 && MMC
>>> + imply TPM2_FTPM_TEE if ARM64 && MMC
>>> + imply SUPPORT_EMMC_RPMB if ARM64 && MMC
>>>
>>> config ARCH_OMAP2PLUS
>>> bool "TI OMAP2+"
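Review bot: the `if ARM64 && MMC` guard on the three new `imply` lines turns on TPM, TPM2_FTPM_TEE and SUPPORT_EMMC_RPMB by default for every K3 ARM64 board that has CONFIG_MMC, yet MMC covers SD-only boards as well as eMMC, and it says nothing about whether that board's OP-TEE carries the fTPM TA, which is the situation the reply below reports. Consider adding OPTEE to the condition for TPM2_FTPM_TEE and SUPPORT_EMMC_RPMB, matching the `OPTEE && SUPPORT_EMMC_RPMB` guard used in the board/ti/common hunk, and stating in the commit message that boards without the TA or a provisioned RPMB key are expected to disable these in their defconfig rather than inherit them from ARCH_K3.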
>>> diff --git a/board/ti/common/Kconfig b/board/ti/common/Kconfig
>>> index 409454813f3..149909093b3 100644
>>> --- a/board/ti/common/Kconfig
>>> +++ b/board/ti/common/Kconfig
>>> @@ -61,4 +61,6 @@ config TI_COMMON_CMD_OPTIONS
>>> imply CMD_SPL
>>> imply CMD_TIME
>>> imply CMD_USB if USB
>>> + imply CMD_TPM if TPM
>>> + imply CMD_OPTEE_RPMB if OPTEE && SUPPORT_EMMC_RPMB
>>>
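Review bot: `imply CMD_TPM if TPM` and `imply CMD_OPTEE_RPMB if OPTEE && SUPPORT_EMMC_RPMB` make TPM and RPMB access available from the interactive U-Boot prompt by default, and the changelog describes them only as "command configs". Worth spelling out that these are debug and provisioning commands which production images with a restricted console may want to drop, and noting that this guard is deliberately stricter than the `ARM64 && MMC` guard placed on SUPPORT_EMMC_RPMB itself in arch/arm/Kconfig.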
>>> --
>>> 2.34.1
>>>
>>
>> Hi Shiva,
>>
>> Do these changes mean you expect any K3-based board to follow by
>> building OP-TEE with RPMB support (and in production provisioning an
>> authentication key on first boot) now?
>>
>> I'm asking because we noticed errors of the form below appearing during
>> boot of our Verdin AM62P and Aquila AM69 now:
>> E/LD: Status of TA bc50d971-d4c9-42c4-82cb-343fb7f37896
>> E/LD: arch: aarch64
>> E/LD: region 0: va 0x40005000 pa 0x9e900000 size 0x002000 flags rw-s (ldelf)
>> E/LD: region 1: va 0x40007000 pa 0x9e902000 size 0x008000 flags r-xs (ldelf)
>> E/LD: region 2: va 0x4000f000 pa 0x9e90a000 size 0x001000 flags rw-s (ldelf)
>> E/LD: region 3: va 0x40010000 pa 0x9e90b000 size 0x004000 flags rw-s (ldelf)
>> E/LD: region 4: va 0x40014000 pa 0x9e90f000 size 0x001000 flags r--s
>> E/LD: region 5: va 0x40015000 pa 0x9e980000 size 0x011000 flags rw-s (stack)
>> E/LD: region 6: va 0x4005a000 pa 0x9e910000 size 0x055000 flags r-xs [0]
>> E/LD: region 7: va 0x400af000 pa 0x9e965000 size 0x01b000 flags rw-s [0]
>> E/LD: [0] bc50d971-d4c9-42c4-82cb-343fb7f37896 @ 0x4005a000
>> E/LD: Call stack:
>> E/LD: 0x4005b7b0
>> E/LD: 0x4008f220
>> E/LD: 0x40083298
>>
>> Interestingly this did not appear on our Verdin AM62 SoM.
>>
>> Of course, we can simply disable the fTPM until our support improves, or
>> ignore this error if it is harmless, but I wanted to ask about your
>> intentions before digging much deeper.
>>
>> Thanks!
>>
>> Kind regards,
>> Ernest
>
> Hi Ernest,
>
> It's not expected for all K3 platforms to build OP-TEE with RPMB
> support; some platforms lack eMMC entirely. fTPM is an optional
> configuration for users who need measured boot, disk encryption, or
> similar TPM-related use cases.
>
> The Yocto SDK we release for K3 platforms includes the fTPM TA embedded
> in the OP-TEE, not sure if the same is true in your case.
>
> RPMB provisioning is needed for full functionality, but even without it
> you shouldn't see these errors. Maybe the fTPM TA is missing from your
> OP-TEE build, or something similar is causing a loader error.
>
Given the above log shows the fTPM UUID, the fTPM does look to be
loaded and running in this case. Given a more complete log from
a different thread on this issue I'm seeing:
> Cannot persist EFI variables without system partition
> <error printout above>
> Missing TPMv2 device for EFI_TCG_PROTOCOL
This makes me think we are at the stage in boot where EFI variables
are being persisted to some media, and when trying to use
the fTPM for this it fails (as would be expected without RPMB).
So this should be harmless, but we need to investigate why there is
such a large error printout and try to make it less verbose.
Andrew
> Regards,
> Shiva
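An added example, not code from this thread or from U-Boot or OP-TEE: a small Python helper that turns an ldelf status dump like the one quoted above into TA-relative offsets, so the three call-stack addresses can be passed to addr2line or objdump against the fTPM TA's ELF, and that flags any frame lying outside an executable region (a sign of stack corruption rather than a plain TA panic). The dump embedded below is constructed from the quoted log, trimmed to the lines the parser needs.

```python
import re

# Constructed sample: the ldelf dump quoted above, reduced to the lines the
# parser needs (the TA load line, its regions and the call stack).
LDELF_DUMP = """\
E/LD: region 5: va 0x40015000 pa 0x9e980000 size 0x011000 flags rw-s (stack)
E/LD: region 6: va 0x4005a000 pa 0x9e910000 size 0x055000 flags r-xs [0]
E/LD: region 7: va 0x400af000 pa 0x9e965000 size 0x01b000 flags rw-s [0]
E/LD: [0] bc50d971-d4c9-42c4-82cb-343fb7f37896 @ 0x4005a000
E/LD: Call stack:
E/LD: 0x4005b7b0
E/LD: 0x4008f220
E/LD: 0x40083298
"""

REGION_RE = re.compile(r"region \d+: va (0x[0-9a-f]+) pa \S+ size (0x[0-9a-f]+)"
                       r" flags (\S+)(?: (\S+))?$")
LOAD_RE = re.compile(r"\[(\d+)\] ([0-9a-f-]{36}) @ (0x[0-9a-f]+)$")
FRAME_RE = re.compile(r"^E/LD: (0x[0-9a-f]+)$")


def parse_ldelf(dump):
    """Return (regions, loads, frames) from an OP-TEE ldelf status dump."""
    regions, loads, frames, in_stack = [], {}, [], False
    for line in (l.strip() for l in dump.splitlines()):
        if m := REGION_RE.search(line):
            va, size, flags, tag = m.groups()
            regions.append((int(va, 16), int(size, 16), flags, tag or ""))
        elif m := LOAD_RE.search(line):  # "[N] <uuid> @ <load address>"
            loads[int(m.group(1))] = (m.group(2), int(m.group(3), 16))
        elif line.endswith("Call stack:"):
            in_stack = True
        elif in_stack and (m := FRAME_RE.match(line)):
            frames.append(int(m.group(1), 16))
    return regions, loads, frames


def symbolize(dump):
    """Map each frame to (addr, uuid, offset, executable); offset is relative
    to the load address of the TA owning the region, as addr2line expects."""
    regions, loads, frames = parse_ldelf(dump)
    out = []
    for addr in frames:
        hit = next((r for r in regions if r[0] <= addr < r[0] + r[1]), None)
        if hit is None:
            out.append((addr, None, None, False))  # not mapped at all
            continue
        flags, tag = hit[2], hit[3]
        idx = int(tag[1:-1]) if tag.startswith("[") else None
        uuid, base = loads.get(idx, (tag, None))  # e.g. "(stack)" has no base
        out.append((addr, uuid, None if base is None else addr - base, "x" in flags))
    return out
```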