Is there any way to add a TPM to VIM3 for secure boot?

I have a project that needs to test secure boot (Google calls it Verified Boot) for a Linux system, but I am having a hard time finding a method and instructions for using secure boot on the VIM3 (or A311D), so I am wondering whether it is possible to use an external TPM module in the VIM3 Linux system to control secure boot?

Read up on OP-TEE (https://optee.readthedocs.io) which is part of ATF (ARM Trusted Firmware).

Yep, it’s possible for hardware but needs some effort on software development :crazy_face:

The SPI interface can be used for a TPM 1.2 chip and is available on the 40-pin GPIO header:

We did try it over SPI on the 40-pin header with a TPM 2.0 module, but after we enable the software drivers, the VIM3 cold boot fails going into the kernel, while the warm boot gets into the kernel OK.

Still trying to figure out this issue.

Unfortunately, the platform does not yet support AMLOGIC products, and AMLOGIC didn’t disclose any tools and documents related to security coding. It may also be a lot of pain to port OP-TEE by oneself.

OP-TEE is widely used with Amlogic. It’s how Widevine L1 and Playready DRM certs are embedded into the BL32 firmware (an element of ATF) for Netflix playback under Android (TV and AOSP). The obstacles that I foresee are that the ecosystem around Amlogic SoCs is heavily geared towards that DRM use-case, and Amlogic will only provide their secure-world toolkit under NDA to customers. From their perspective you’re a consumer/end-user, not a customer (Khadas is the customer).

To “work within the system” I suspect you need to open a direct dialog with Amlogic; the goal will be to become a customer who orders chips, which an ODM contractor (could be Khadas) implements into a board design for your application. Once you’re a customer (under NDA) you have the full SDK, which includes the secure-world bits that you need.

I would also start conversations with some of the ARM-oriented contract development houses like Baylibre (Amlogic experts), Linaro (96boards), Pengutronix, Collabora, and similar. They likely have the secure-world expertise on hand (or know where to get it) to deliver something for you. The old engineering saying “You can have it fast or cheap, but not both” usually applies in these situations.

Thank you for your detailed explanation. Our company really intends to design products with the A311D NPU and web application products (for industrial controllers), and has also contacted AMLOGIC. AMLOGIC asked us to find their agent first, but when we asked AMLOGIC for the contact information of the agent (in China), AMLOGIC did not reply to me anymore.

I will try to find the OP-TEE example software reference for the A311D chip. Thank you.

Lots of orgs in China are a bit slow and dysfunctional at the moment, be patient and be persistent - I’m sure there’s an inbox with a lot of emails in it somewhere. One of the reasons for reaching out to some of the software development houses is … 99% of their staff work remote already so operations are not so impacted with all the disruption. If you’re keen to use Amlogic designs Baylibre(.com) is the go-to name for expertise.
