topic Re: OPTEE + PKCS11 + RPMB on imx8mp evk in i.MX Processors

OPTEE + PKCS11 + RPMB on imx8mp evk

msivanesancq — Mon, 09 Sep 2024 11:32:56 GMT

Dear Staff,

I am planning to use PKCS11 with OP-TEE in IMX8MP board.

I am getting below error when I was running PKCS tool

root:~# p11tool --list-tokens --provider=/usr/lib/libckteec.so.0
ERR [1181] LT:ckteec_invoke_init:304: TEEC open session failed ffff000f from 3

pkcs11_add_provider: PKCS #11 error in device

I have enabled below CFG_ flags when building OPTEE os and client.

RPMB_EMU=0 \
CFG_TEE_CORE_LOG_LEVEL=4 \
CFG_TEE_TA_LOG_LEVEL=4 \
CFG_TEE_CLIENT_LOG_LEVEL=4 \
CFG_TEE_SUPP_LOG_LEVEL=4 \
CFG_TEE_SUPP_PLUGINS=y \
CFG_BUILT_IN_ARGS=y \
CFG_PKCS11_TA=y \
CFG_STMM_PATH=BL32_AP_MM.fd \
CFG_RPMB_FS=y \
CFG_IMX_SNVS=n \
CFG_NXP_CAAM=n \
CFG_RPMB_WRITE_KEY=y \
CFG_RPMB_FS_DEV_ID=2 \
CFG_CORE_DYN_SHM=y CFG_RPMB_TESTKEY=y \
CFG_REE_FS=n \
CFG_SCTLR_ALIGNMENT_CHECK=n \
CFG_CORE_HEAP_SIZE=2097152 \
CFG_TEE_RAM_VA_SIZE=4194304 \
CFG_PREALLOC_RPC_CACHE=n \
CFG_WERROR=y \

When I was refereeing i.MX 6 / i.MX 8 Security Manual (L-1004e.A2) I could see below information. Does it means we cannot use OPTEE with iMX8M Plus platforms?

Please confirm. Thank you

Re: OPTEE + PKCS11 + RPMB on imx8mp evk

Harvey021 — Tue, 10 Sep 2024 08:17:10 GMT

Hi,

I'm not sure of these from PHYTEC, would suggest you to raise a ticket there.

Meanwhile, you can refer to the section of <10.4.7 Running OpenSSL asymmetric tests with PKCS#11 based engine> of IMX_LINUX_USERS_GUIDE.pdf and the section <5 Configuring OP-TEE> of IMX_PORTING_GUIDE.pdf

Regards

Harvey

Re: OPTEE + PKCS11 + RPMB on imx8mp evk

msivanesancq — Tue, 10 Sep 2024 13:34:42 GMT

Hi Harvey,

Thank you for the response.

Now I am able to generate keys.

Still I have one more question about RPMB.

How can we confirm that the RPMB is used when the keys are being generated and stored with PKCS11?

Thank you

Re: OPTEE + PKCS11 + RPMB on imx8mp evk

msivanesancq — Wed, 11 Sep 2024 15:47:23 GMT

Hi Harvey,

The error(ERR [1282] LT:ckteec_invoke_init:304: TEEC open session failed ffff000f from 3) still appearing when I force the device to use RPMB.

It seems the system works without RPMB enablement which I think not safe from security perspective.

It is failing on this line where the user data of ioctl call happening inside tee_client_api.c

rc = ioctl(ctx->fd, TEE_IOC_OPEN_SESSION, &buf_data);

Is this a driver issue? Should I add any drivers to the board? Expecting your advice on this.

Thank you

Re: OPTEE + PKCS11 + RPMB on imx8mp evk

msivanesancq — Mon, 16 Sep 2024 08:35:17 GMT

Hi NXP,
Do you have any update on this?

Re: OPTEE + PKCS11 + RPMB on imx8mp evk

Harvey021 — Thu, 19 Sep 2024 10:16:26 GMT

Hi,

What version of BSP are you using?

Regards

Harvey

Re: OPTEE + PKCS11 + RPMB on imx8mp evk

Harvey021 — Fri, 20 Sep 2024 03:04:56 GMT

1. You can verify with u-boot command to determine RPMB is enable.

u-boot=> mmc rpmb counter
RPMB Write counter= 148c

2. According to OP-TEE secure storage document,

https://optee.readthedocs.io/en/3.17.0/architecture/secure_storage.html

The 'dirfile.db.hash' will be stored in RPMB. We think this is a default way in optee to protect the private key in REE FS.

3. For ioctl problem, please check tee-supplicant is running or not.

Regards

Harvey

Re: OPTEE + PKCS11 + RPMB on imx8mp evk

msivanesancq — Mon, 23 Sep 2024 10:36:44 GMT

Linux version 5.15.52