update: i think i have found another problem - as we are using the trust.img we have to unmap the trust memory area from the kernel, otherwise it will panic whenever it will try to access memory in that region. this can be done with a reserved memory region in the dtb: /* seems to be required to not touch the trust area - see: - https://forum.manjaro.org/t/rockpro64-kernel-panics-caused-by-firmware/117900 - https://lore.kernel.org/linux-arm-kernel/006d3ee0-2711-1b4e-d8cf-6a226fcad0e4@a