- Enable TPM support
  - Check if new patches fixed the problem
- Remove rkbin dependency from rk3568 & rk3588
  - TF-A upstreamed initial patches from Rockchip
  - U-Boot modifications to use u-boot-tpl vs rockchip-tpl
  - Resolve rk3588 issues - Enable TPL
  - Resolve rk3568 issues - SPL_MAX
- Enable UEFI Secure Boot with Root CA only on a YubiKey
- Try higher-bit RSA/ECDSA keys to protect against quantum attacks
  - 4096-bit fails on 5.7.1 YubiKey
  - Test 3072-bit RSA
  - Test ECDSA keys
  - Create hybrid scheme fallback and use dbx revocations
- Sign FIT images and enable COT (Chain of Trust) in ATF
- Set up secure boot flow
  - U-Boot secure boot with verified FIT -> TF-A -> Default: run bootcmd -> UEFI Secure Boot
    - Protect against untrusted environment variables
      - Restrict to BOOTM
      - Remove BOOTDEV_*
      - Change BOOTCMD to `efiload; reset;`
    - Enable STACKPROTECTOR
    - DISABLE_CONSOLE
- Generate SBOM at build time
  - Scan with Grype
  - Display status
- Fine-tune for reproducibility and ephemerality
  - Use-once model for next secure boot signing (reset YubiKey after initial signing)
    - 2025 Q4 signing
      - Debian from trixie ISO shimaa64.efi/bootaa64.efi
      - Ubuntu from 25.04 ISO shimaa64.efi/bootaa64.efi
      - Update autoinstall to current release
    - Always erase & flash from ring-0
    - Convert to Docker build
      - Build variants in one branch
      - Make reproducible Debian Docker images