2023-04-12 10:42 PM
What is boot scheme lables.
I am refering to link below it is given as " defines which kind of boot is supported on the board"
What it means.
referring to link below:
https://wiki.st.com/stm32mpu/wiki/STM32_MPU_OpenSTLinux_release_note_-_v4.1.0#Bootscheme_labels
Solved! Go to Solution.
2023-04-14 03:28 AM
Hello @Shashikanth ,
First, thank you for the real good explanations of @Awell.1 that made a really great summary of the difference between "optee" and "trusted" boot. Thanks for your contribution !
@Shashikanth , since OSTL 4.X version, OP-TEE is mandatory for the boot of the system, and trusted boot is not adviced/supported anymore. Trusted boot is using SPMIN that is a different mechanism handled by TF-A. That is why on recent deliveries, you will have to use OPTEE !
Kind regards,
Erwan.
2023-04-12 11:36 PM
Trusted and OP-TEE (Open Portable Trusted Execution Environment) are two different boot schemes used in secure systems.
Trusted boot is a security mechanism that verifies the integrity of a device's firmware and software during boot-up. It ensures that the system boots with only trusted and verified components, preventing any malicious code from executing at boot time. Trusted boot relies on a chain of trust, where each component verifies the next before allowing it to execute.
On the other hand, OP-TEE is a secure environment that runs in a separate, isolated part of the system's memory, typically referred to as the Trusted Execution Environment (TEE). OP-TEE provides a secure execution environment for sensitive operations such as cryptography and secure storage. It also enables secure interprocess communication between normal world (NW) and secure world (SW) components.
While both trusted boot and OP-TEE aim to enhance the security of a system, they operate at different levels of the system. Trusted boot focuses on ensuring that only trusted and verified components are loaded during boot-up, while OP-TEE provides a secure environment for executing sensitive operations.
2023-04-12 11:46 PM
Thank you @Awell.1 for your explanation.
Even though i am aware of these terms i wanted to understand in STM32MP BSP yocto build what is the use of these labels.
whether it affects the booting flow.
In my yocto build the variable is assigned with value as below.
BOOTSCHEME_LABELS=" optee"
But the boot flow is TF-A ->Optee->Uboot->kernel
whether setting optee alone will auto select the trusted BOOTSCHEME_LABELS.
What is the case if i set only trusted in BOOTSCHEME_LABELS.
2023-04-14 03:28 AM
Hello @Shashikanth ,
First, thank you for the real good explanations of @Awell.1 that made a really great summary of the difference between "optee" and "trusted" boot. Thanks for your contribution !
@Shashikanth , since OSTL 4.X version, OP-TEE is mandatory for the boot of the system, and trusted boot is not adviced/supported anymore. Trusted boot is using SPMIN that is a different mechanism handled by TF-A. That is why on recent deliveries, you will have to use OPTEE !
Kind regards,
Erwan.
2023-04-14 03:34 AM
Thank you @Erwan SZYMANSKI,
This clarifies my doubt.
2024-09-26 06:47 AM
Great. We have devices in the field running with the "trusted" boot scheme.
Can I even boot kernels built with the "optee" boot scheme with a "trusted" U-Boot?
Because I cannot currently upgrade the bootloaders.
As far as I understand, the other way around it definitely won't work - I cannot
boot a legacy kernel built without optee support on bootloaders built with the "optee"
boot scheme.
But I guess I'll find out.
Once I get it to build that is. Because "optee-os" forces me to customize yet another
device tree for our particular hardware.
It's 4 now: tf-a, u-boot, linux (obviously) and optee-os.
Unfortunately we cannot generate them with CubeMX as that never worked with our
SOM (Seeed's Odyssey). We rely on device tree includes written by Seeed instead.