turing-machines / BMC-Firmware

Turing-pi BMC firmware
GNU General Public License v2.0

Feature Request: Add derived keys from seed efuse #110

Open hoinzy opened 1 year ago

hoinzy commented 1 year ago

As a user, I would like to write a public key hash to eFuses (rotpk) and only load a signed sunxi-spl.toc0 for production use-cases.

Ideally, we can implement something along the lines of Nvidia, where we have PTA functions inside OP-TEE that can derive keys from this fuse data:

"Encrypted Keyblob Generation and Device Provisioning NVIDIA recommends that the EKB content be encrypted with a 128-bit symmetric key that is derived from a hardware-backed fuse key." Nvidia OpTee

This mechanism could then be used to bootstrap Nvidia Jetson modules with the same fuse settings; hence, with a custom-built image, they have access to the same derived keys at runtime inside the OP-TEE trusted zone.

Some valuable details are provided for a similar SoC: https://forum.armbian.com/topic/3033-h3-soc-boot-rom-security-e-fuse/?do=findComment&comment=84051
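The two building blocks the request describes are (a) a root-of-trust public-key hash (rotpk) burned into eFuses that the boot ROM compares against the key carried by the signed SPL, and (b) a hardware-backed fuse secret that a pseudo-TA inside OP-TEE turns into purpose-specific keys such as the EKB encryption key. The block below is an added illustration of both, written for this thread; it is not code from the BMC-Firmware project, from Allwinner, or from Nvidia's OP-TEE. The derivation is HKDF (RFC 5869) over SHA-256, which is an assumed choice (the Nvidia design is not specified here beyond "derived from a hardware-backed fuse key"), and every fuse value is a constructed placeholder, not data from a real device.

```python
"""Added example (not project code): HKDF key derivation from a fuse
secret, plus a constant-time rotpk check, with constructed fuse values."""
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: PRK = HMAC(salt, IKM)."""
    if not salt:
        # RFC 5869: an absent salt is a string of HashLen zero bytes
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step: T(i) = HMAC(PRK, T(i-1) | info | i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested length exceeds HKDF limit")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_key(fuse_secret: bytes, device_id: bytes, purpose: bytes,
               length: int = 16) -> bytes:
    """Model of a PTA-style derivation: the fuse secret never leaves the
    derivation; callers get a key bound to (device_id, purpose).
    Different purposes (EKB encryption, storage, attestation) give
    independent keys from the same fuse material."""
    prk = hkdf_extract(device_id, fuse_secret)
    return hkdf_expand(prk, purpose, length)


def rotpk_matches(public_key: bytes, fuse_hash: bytes) -> bool:
    """Boot-ROM style check: SHA-256 of the key in the TOC0 header must
    equal the hash burned into the rotpk fuse. Constant-time compare so
    the outcome does not leak by timing."""
    return hmac.compare_digest(hashlib.sha256(public_key).digest(), fuse_hash)


# --- constructed sample fuse contents (NOT real device values) ---
FUSE_SECRET = bytes.fromhex("a1" * 32)          # 256-bit hardware key slot
DEVICE_ID = bytes.fromhex("0102030405060708")   # per-chip identifier (salt)
EKB_PURPOSE = b"turingpi-ekb-kek-v1"            # 128-bit EKB key label
STORAGE_PURPOSE = b"turingpi-storage-v1"

# Constructed "vendor public key" and the fuse hash that would be burned for it
VENDOR_PUBKEY = b"constructed-vendor-public-key-bytes"
ROTPK_FUSE = hashlib.sha256(VENDOR_PUBKEY).digest()


def demo() -> dict:
    """Return the derived keys and the rotpk outcome for the sample values."""
    ekb_key = derive_key(FUSE_SECRET, DEVICE_ID, EKB_PURPOSE)
    storage_key = derive_key(FUSE_SECRET, DEVICE_ID, STORAGE_PURPOSE)
    return {
        "ekb_key": ekb_key,
        "storage_key": storage_key,
        "vendor_key_accepted": rotpk_matches(VENDOR_PUBKEY, ROTPK_FUSE),
        "other_key_accepted": rotpk_matches(b"some-other-key", ROTPK_FUSE),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value.hex() if isinstance(value, bytes) else value)
```

The point to take from running it: the same fuse secret and device id always reproduce the same EKB key (so a custom-built image with the same fuse settings can recover it at runtime, as the request describes), while a different purpose label yields an unrelated key, so a leak of one derived key does not expose the others or the fuse secret itself. The rotpk check shows the other half of the scheme: only a TOC0 whose embedded key hashes to the burned value is accepted.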

svenrademakers commented 1 year ago

Great input! I cannot say anything on when we will start looking at secure boot though. There are currently efforts going on to migrate to mainline u-boot together with some improvements in this area. I would propose to wait at least until this is in.