Interesting: why doesn’t Khadas provide information about the most fun part of the VIM1S board?
This is about playing with secure boot, at least with the final part which we can control: BL30, BL33, and the Linux kernel.
Currently, secure boot is broken on the BL3.x level, as one can install any unsigned BL30, BL33, and Linux kernel. It would be nice to get information on how to derive the device keys to encrypt and sign the remaining secure boot components.
I believe the keys can be generated by the script khadas/fenix/build/u-boot/fip/s4/generate-device-keys/gen_all_device_key.sh
…but one has to create the conditions to use secure boot, like storing some secret artefacts in OTP and creating a proper FIP header.
How to correctly burn them into OTP afterwards?
Does anyone have experience with that? I didn’t find any public information on how to proceed in this direction.
For a normal user, secure boot is not needed; if the board is secured, then it is unable to install any other unsecured OS images, e.g. 3rd party images.
VIM1S is a pretty cheap board, so it is not a problem to have at least two boards. The first is for secure boot and the second is for the unsecured OSes.
I was able to generate the whole key hierarchy required for encryption and signature checking from the device vendor's perspective.
I am not sure why, but it looks like generation of the key hierarchy is intentionally broken (the bash scripts have 644 permissions and some paths are wrong).
So, I built the required boot blobs and the FIP image by: