adding optee hangs secure boot

greeran — Mon, 02 Oct 2023 08:45:54 GMT

hello

i would like to secure my imx8mp. i added a secure boot (HAB) and fit image that verifies the rootfs. the boot flow is secure and successful. now i would like to add optee but when i add configuration for optee the boot flow hangs (freezes). the configuration i add

conf:

MACHINE_FEATURES:append = " optee"
DISTRO_FEATURES:append = " optee"

TEE_CFG_DDR_SIZE = "0x100000000"

image:

IMAGE_INSTALL:append = " optee-os optee-client optee-test"

on boot i get:

U-Boot SPL 2022.04-lf_v2022.04_var01+g49ec7c516a (Jan 22 2023 - 09:08:56 +0000)
SEC0: RNG instantiated
Normal Boot
Trying to boot from BOOTROM
image offset 0x8000, pagesize 0x200, ivt offset 0x0
hab fuse not enabled

Authenticate image from DDR location 0x401fcdc0...

does someone know what i am missing

thanks

Re: adding optee hangs secure boot

Dhruvit — Wed, 04 Oct 2023 06:07:44 GMT

Hi @greeran,

I hope you are doing well.

Please try making changes in CFG_DDR_SIZE at imx-optee-os/core/arch/arm/plat-imx
/conf.mk

Please make sure that you have updated [Authenticate Data] Blocks in CSF according to generate info using print_fit_hab when op-tee is enabled.

Please make sure that you have referred to /doc/imx/habv4/guides/mx8m_secure_boot.txt in uboot-imx.

Thanks & Regards,
Dhruvit Vasavada

Re: adding optee hangs secure boot

greeran — Wed, 04 Oct 2023 08:31:56 GMT

hi Dhruvit

thanks for the reply. i went over the documents you sent and i see something that i cannot explain when the imx-boot creates the flash.bin. i am sending log.do_compile below

you can see that the tee.bin is found and its added to the fit image but in the print_fit_hab and [Authenticate Data] I do not see the TEE_LOAD_ADDR and in the list.

i am using Yocto and from the manual i added all the configuration needed in the conf so if you could point out what i am missing

thanks

BL32=tee.bin DEK_BLOB_LOAD_ADDR=0x40400000 TEE_LOAD_ADDR=0x56000000 ATF_LOAD_ADDR=0x00970000 ../iMX8M/mkimage_fit_atf.sh imx8mp-var-dart-dt8mcustomboard-legacy.dtb > u-boot.its
bl31.bin size:
45392
Building with TEE support, make sure bl31.bin is compiled with spd. If you do not want tee, please delete tee.bin
tee.bin size:
550176
u-boot-nodtb.bin size:
1062752
imx8mp-var-dart-dt8mcustomboard-legacy.dtb size:
45568
mkimage -E -p 0x3000 -f u-boot.its u-boot.itb
FIT description: Configuration to load ATF before U-Boot
Created: Wed Oct 19 06:29:00 2022
Image 0 (uboot-1)
Description: U-Boot (64-bit)
Created: Wed Oct 19 06:29:00 2022
Type: Standalone Program
Compression: uncompressed
Data Size: 1062752 Bytes = 1037.84 KiB = 1.01 MiB
Architecture: AArch64
Load Address: 0x40200000
Entry Point: unavailable
Image 1 (fdt-1)
Description: imx8mp-var-dart-dt8mcustomboard-legacy
Created: Wed Oct 19 06:29:00 2022
Type: Flat Device Tree
Compression: uncompressed
Data Size: 45568 Bytes = 44.50 KiB = 0.04 MiB
Architecture: Unknown Architecture
Image 2 (atf-1)
Description: ARM Trusted Firmware
Created: Wed Oct 19 06:29:00 2022
Type: Firmware
Compression: uncompressed
Data Size: 45392 Bytes = 44.33 KiB = 0.04 MiB
Architecture: AArch64
OS: Unknown OS
Load Address: 0x00970000
Image 3 (tee-1)
Description: TEE firmware
Created: Wed Oct 19 06:29:00 2022
Type: Firmware
Compression: uncompressed
Data Size: 550176 Bytes = 537.28 KiB = 0.52 MiB
Architecture: AArch64
OS: Unknown OS
Load Address: 0x56000000
Default Configuration: 'config-1'
Configuration 0 (config-1)
Description: imx8mp-var-dart-dt8mcustomboard-legacy
Kernel: unavailable
Firmware: uboot-1
FDT: fdt-1
Loadables: atf-1
tee-1
./mkimage_imx8 -version v2 -fit -loader u-boot-spl-ddr.bin 0x920000 -second_loader u-boot.itb 0x40200000 0x60000 -out flash.bin > hab.log 2<&1
./../scripts/pad_image.sh tee.bin
./../scripts/pad_image.sh bl31.bin
./../scripts/pad_image.sh u-boot-nodtb.bin imx8mp-var-dart-dt8mcustomboard-legacy.dtb
TEE_LOAD_ADDR=0x56000000 ATF_LOAD_ADDR=0x00970000 VERSION=v2 ../iMX8M/print_fit_hab.sh 0x60000 imx8mp-var-dart-dt8mcustomboard-legacy.dtb > hab2.log 2<&1
csf_assemble
csf_assemble 1
csf_assemble 1 SPL_BLOCKS 0x91ffc0 0x0 0x33800 "flash.bin"
csf_assemble 2
csf_assemble 2 FIT_BLOCK_1: 0x401fcdc0 0x58000 0x1020 "flash.bin"
csf_assemble 2 FIT_BLOCK_2: 0x40200000 0x5B000 0x103760 "flash.bin"
csf_assemble 2 FIT_BLOCK_3: 0x40303760 0x15E760 0xB200 "flash.bin"
csf_assemble 2 FIT_BLOCK_4: 0x970000 0x169960 0xB150 "flash.bin"
csf_assemble 3 csf_spl.bin
[Header]
Version = 4.3
Hash Algorithm = sha256
Engine = CAAM
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
File = "/workdir/build_secure_real/../keys/cst-3.3.1/crts/SRK_1_2_3_4_table.bin"
Source index = 0
[Install CSFK]
File = "/workdir/build_secure_real/../keys/cst-3.3.1/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Unlock]
Engine = CAAM
Features = MID
[Install Key]
Verification index = 0
Target Index = 2
File = "/workdir/build_secure_real/../keys/cst-3.3.1/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
[Authenticate Data]
Verification index = 2
Blocks = 0x91ffc0 0x0 0x33800 "flash.bin"
CSF Processed successfully and signed data available in csf_spl.bin
csf_assemble 3 csf_fit.bin
[Header]
Version = 4.3
Hash Algorithm = sha256
Engine = CAAM
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
File = "/workdir/build_secure_real/../keys/cst-3.3.1/crts/SRK_1_2_3_4_table.bin"
Source index = 0
[Install CSFK]
File = "/workdir/build_secure_real/../keys/cst-3.3.1/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Install Key]
Verification index = 0
Target Index = 2
File = "/workdir/build_secure_real/../keys/cst-3.3.1/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
[Authenticate Data]
Verification index = 2
Blocks = 0x401fcdc0 0x58000 0x1020 "flash.bin", \
0x40200000 0x5B000 0x103760 "flash.bin", \
0x40303760 0x15E760 0xB200 "flash.bin", \
0x970000 0x169960 0xB150 "flash.bin"
CSF Processed successfully and signed data available in csf_fit.bin

Re: adding optee hangs secure boot

Dhruvit — Tue, 10 Oct 2023 14:27:10 GMT

Hello @greeran

I hope you are doing well.

Please refer to the below link and check the suggestion for HAB event enabling on i.MX8mp and share the observation.
https://community.nxp.com/t5/i-MX-Processors/imx8mp-HAB/m-p/1546498#M197035

I hope it helps!

Thanks & Regards,

Dhruvit Vasavada

Re: adding optee hangs secure boot

greeran — Sun, 05 Nov 2023 08:35:22 GMT

i found out what freezes the boot with optee. it seems that when i add the "CFG_TEE_TA_LOG_LEVEL=4 CFG_TEE_CORE_LOG_LEVEL=4" configuration to the optee-os bbappend the boot freezes. without does configuration the boot is successful the the optee loads well also

i.MX Processors中的主题 Re: adding optee hangs secure boot

adding optee hangs secure boot

Re: adding optee hangs secure boot

Re: adding optee hangs secure boot

Re: adding optee hangs secure boot

Re: adding optee hangs secure boot