measured boot / fTPM and OpenWrt One

Michael Richardson mcr at
Fri May 10 14:37:27 PDT 2024

Daniel Golle <daniel at> wrote:
    >> Well, that's certainly true.  It is not always possible to talk to the
    >> outside world from inside that initial boot enclave.  That's the detail that
    >> we need.
    >> Do we even have a spare GPI(o) pin that can be used for this?
    >> (It can't be used for anything else)

    > While I see your point and believe this is generally possible, it's more
    > than just one bit needed here: It would mean to move the whole GPIO controller
    > into secure land and then make all the other bits again available to non-secure
    > land via SMC calls or something like that...

Since it would be polled once during boot, I don't think that would be
necessary, but I could wrong.  What I am concerned about is some way to
program it as an output and/or change the way pull-ups are done, and then do
a reboot.   That's something that reading the details would produce.

    >> > The only option of having secure boot enabled would be to allow users to
    >> > permanently disable it, otherwise the resulting hardware would not be
    >> > worth being called "Open", as it would, in fact, be closed.
    >> The board could ship with it disabled, and the user could blow the fuse to
    >> enable it.

    > If the fuse was documented or the tool for doing this available without
    > signing an NDA with MediaTek, then yes. Both is currently not the case.

That would be my goal of signing the NDA: then prepare a statement and get
MediaTek to approve it.

    >> Some would argue that a board that ships with a private key in storage that
    >> is not, at ship-time, protected, is worthless, but I disagree.  It's a
    >> risks/benefits tradeoff.
    >> (Note: I'm the lead editor for RFC9334)
    >> I've been down this road a few times with other boards, and the supply chain is
    >> generally very difficult to work with on this.  This is one reason I would
    >> really like to make some progress here.   It helps us get in front of the
    >> situation,   providing a good reference on how to do this sanely.
    >> And because I think that many of our (other) platforms will find themselves
    >> thinking they are forced down the secureboot path by recent UK, USA
    >> legislation: probably not quite literally by the legislation, but the lawyers
    >> and PHBs will think it.

    > It's a bit funny that the blame for that curse commonly goes to the
    > FCC and UK authorities, because the discussion started with the ETSI
    > Radio Emissions Directive (RED) 10 years ago...

Yes.  I don't think that the CRA and RED are gonna push the same thing at
this point.

    >> > dealing with it kinda means living in denial and darkness. Hence,
    >> > despite all the critizism, I do appreciate your work and effort to allow
    >> > people to get their hands on OP-TEE, fTPM, ... on the OpenWrt One.
    >> Yes, so this one place that is very hard for people to learn about, because
    >> the pre-uboot steps are hidden :-(

    > ARM TrustedFirmware-A is easy to understand code and released under an
    > Open Source license, we build it from source in OpenWrt for that platform.
    > OP-TEE is an Open Source project as well, and so is Microsoft's fTPM.
    > Just got to put the pieces together, but the pink elephant are the missing
    > documentation and tools for the efuses to make the BootROM validate bl2
    > signature...

I've read the source (OPTEE) code, compiled it, sat at IETF Hackathons with
ARM core people at hackathons who work on this stuff, but *their* test
hardware is almost always virtual.
So, it's exactly that pink elephant is what I'm after.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 487 bytes
Desc: not available
URL: <>

More information about the openwrt-devel mailing list