This allows loading OP-TEE binaries from FIT images. The main benefit from this approach comes from the fact that FIT images can be signed and therefore it can be ensured that the TEE binary is not malicious. A shortened .its file to make use of this patch might look like this: images { ... tee@1 { description = "OP-TEE trusted OS"; data = /incbin/("..."); type = "tee"; arch = "arm"; compression = "none"; hash@1 { algo = "sha256"; }; }; }; configurations { default = "config-1"; config-1 { description = "..."; kernel = "kernel@1"; fdt = "fdt@1; tee = "tee@1"; signature-1 { algo = "sha256,rsa4096"; key-name-hint = "FIT-4096"; sign-images = "kernel", "fdt", "tee"; }; } Best regards, Albert Albert Schwarzkopf (1): bootm: Allow loading OP-TEE from FIT image arch/arm/lib32/bootm.c | 44 +++++++++++++++++++++++++++++++++++++----- 1 file changed, 39 insertions(+), 5 deletions(-) -- 2.17.1 _______________________________________________ barebox mailing list barebox@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/barebox