Michael Tretter
Michael Tretter works as a software developer at Pengutronix. Even though his main field of work is the Linux graphics infrastructure and media drivers, his interests also include bootloaders and SoC support in the Linux kernel.
Michael previously gave talks about the internals of the Linux graphics stack at ELC-E, the development of the upstream ZynqMP video encoder driver at FOSDEM, and the importance of maintainable open source tools at the FPGA Conference Europe.
Session
Secure boot is a security feature that enables device manufacturers to ensure that a device only boots trusted and signed software. This feature depends on certain hardware capabilities like a hardware root of trust and signature verification.
The Rockchip RK3588 SoC supports these features. However, limited documentation and reliance on a closed-source vendor OP-TEE binary and development tools raise concerns regarding security and maintainability. With OP-TEE 4.9.0 and barebox v2026.02.0, users may enable and use Secure Boot on RK3588 without needing any special Rockchip tools.
In this session, Michael will show you how to enable Secure Boot on RK3588 with upstream barebox and upstream OP-TEE. He will also highlight differences between the upstream implementation and Rockchips downstream solution. Lastly, he will briefly explain technical details to help you with adapting the implementation for other Rockchip SoCs and with using the OP-TEE PTA from Linux or U-Boot.