Hi Jerry,
Thank you for the reply.
We had known about creating boot.scr and putting it in /boot in the APP partition. However, APP is not signed. Only boot.img is. So we cannot verify that an attacker has not changed APP in some way. We need to put our security code into boot.img instead. If we put a boot.scr into Linux_for_Tegra/bootloader/t210ref/p3450-0000 next to u-boot.bin, will it be compiled into boot.img with mkbootimg?
Thank you for the link about Verified Boot; this might be something we can try if it fits our use case.
The end result we are looking for is FDE using a key stored in the TPM and sealed with PCRs.
I am also having an issue getting commands sent to our TPM on SPI2 in u-boot: