Forgive my ignorance. I’ve been reading many docs and watching the video about the secure boot process, and I am trying to figure out a secure way of storing and retrieving a secret such that only I can retrieve it.
Am I right in thinking that if I forgo u-boot and use c-boot with SBK (secure boot key burned in and odm_production fuse burnt):
1 - I can still retrieve secret(s) / values from fuses
2 - my kernel / initrd / initramfs combo is encrypted and cannot be tampered with?
3 - that an attacker cannot retrieve the same secrets
I’m quite confused by the Trusty / TEE environment and am not clear how I would go about using it. How would I store and safely release secrets to trusted / un-tampered boot images?