Incomplete secure boot of the S4 SoC family

It is interesting, why Khadas doesn’t provide information about most fun part of the VIM1S board?
This is about playing with secure boot, at least, with the final part which we can control. It is BL30, BL33, Linux kernel.
Currently, secure boot is broken on the BL3.x level as one can install any unsigned BL30, BL33, and the Linux kernel.
It would be nice to get information how to derive the device keys to encrypt and sign remaining secure boot components.
I believe, the keys can be generated by the script khadas/fenix/build/u-boot/fip/s4/generate-device-keys/gen_all_device_key.sh
…but one has to create conditions to use secure boot like storing some secret artefacts in OTP and creating proper FIP header.
How to correctly burn them in OTP after?

Did someone have experience with that? I didn’t find any public information how to proceed in this direction.

For normal user, the secureboot is not needed, if the board is secured, then it is unable to install any other unsecued OS images, e.g. 3rd party images.

Do you mean Android or Linux ?

I am looking for the solution for the Linux platform, say Ubuntu.

VIM1S is pretty cheap board so, it is not a problem to have at least two boards. First is for the secure boot and the second is for the unsecured OS’s.

I was able to generate the whole key hierarchy required for encryption and signature checking from the device vendor perspective.
I am not sure why but it looks like generating of the key hierarchy is intentionally broken (bash scripts have 644 permissions and some paths are wrong).
So, I built required boot blobs and the FIP image by:

  1. Running the gen_all_device_key.sh
  2. Uncommenting CONFIG_AML_SIGNED_UBOOT 1
**diff --git a/board/khadas/configs/kvim1s.h b/board/khadas/configs/kvim1s.h**

**index 09f0b13d12..1e41b61110 100644**

**--- a/board/khadas/configs/kvim1s.h**

**+++ b/board/khadas/configs/kvim1s.h**

@@ -450,7 +450,7 @@

/* unify build for generate encrypted bootloader "u-boot.bin.encrypt" */

#define CONFIG_AML_CRYPTO_UBOOT 1

-//#define CONFIG_AML_SIGNED_UBOOT 1

+#define CONFIG_AML_SIGNED_UBOOT 1

From the uboot source, one can find the OTP addresses responsible for enabling encrypting and/or checking the signature of BL30, BL33, Linux kernel.

Checking of the LIC area of the OTP looks.

kvim1s# md.l 0xFE440040 128
00000000: 14000000 00000000 00000000 00000000    ................
00000010: 00000000 00000000 00000000 00000000    ................
00000020: 00000000 00000000 00000000 00000000    ................
00000030: 00000000 00000000 00000000 00000000    ................
00000040: 00000000 00000000 00000000 00000000    ................
00000050: 00000000 00000000 00000000 00000000    ................

If I correctly understood, it is necessary to generate the OTP blobs and then burn it…