i.MX ProcessorsのトピックRe: iMX8MN: OP-TEE Panics on CAAM RNG init

iMX8MN: OP-TEE Panics on CAAM RNG init

jg25 — Thu, 06 Feb 2025 11:48:54 GMT

Hello,
I am trying to get OP-TEE (https://github.com/nxp-imx/imx-optee-os/tree/lf-6.6.36_2.1.0) running as BL32 on a i.MX-based (iMX8 Nano) board.

OP-TEE is loaded as BL32 by imx-atf BL31. If I build optee-os with `CFG_NXP_CAAM=n` OP-TEE seems to be loaded properly and boot proceeds with U-Boot (BL33) and Linux kernel.

CFG_UART_BASE=0x30860000 \
CFG_TZDRAM_START=0x56000000 \
CFG_DDR_SIZE=0x20000000 \
CFG_NXP_CAAM=n \

However, once I use following configuration, OP-TEE panics in `caam_rng_init()`, refer to console log in attachment:

CFG_UART_BASE=0x30860000 \
CFG_TZDRAM_START=0x56000000 \
CFG_DDR_SIZE=0x20000000 \
CFG_NXP_CAAM=y \
CFG_CRYPTO_DRIVER=y \
CFG_WITH_SOFTWARE_PRNG=n \
CFG_NXP_CAAM_RNG_DRV=y CFG_HWRNG_PTA=y CFG_HWRNG_QUALITY=1024 \
CFG_DBG_CAAM_TRACE=0x00000041 \

Using the original code from imx github repo, memory region for CAAM (0x30900000, size 0x40000) was mapped as `IO_NSEC` because on same page as `CFG_UART_BASE` resulting in CAAM memory beeing mapped to `RES_VASPACE` area.
I tried to fix this by limiting UART memory mapping to 0x10000 bytes and create an early explicit mapping for `CAAM_BASE` in `plat-imx/main.c`

#ifdef CONSOLE_UART_BASE
register_phys_mem(MEM_AREA_IO_NSEC, CONSOLE_UART_BASE, 0x10000);
#endif
#ifdef CAAM_BASE
register_phys_mem(MEM_AREA_IO_SEC, CAAM_BASE, CAAM_SIZE);
#endif

After that, at least the correct physical address seems to be used in CAAM driver. However, the `caam_rng_init()` still fails.

Is there any advice on how to fix this?

Best regards

Re: iMX8MN: OP-TEE Panics on CAAM RNG init

Bio_TICFSL — Thu, 06 Feb 2025 14:01:19 GMT

Hello,

DEK blob must be created by a software running in Arm TrustZone Secure World, the CAAM block takes into consideration the TrustZone configuration when encapsulating the DEK and the resulting blob can be only decapsulated by a SW running in the same configuration. As ROM code is running in ARM TrustZone secure world we must encapsulate the blobs using OP-TEE.

- Building ATF to support OP-TEE:

$ make PLAT=<SoC Name> SPD=opteed bl31

- Building OP-TEE to support DEK blob encapsulation:

$ CFG_NXPCRYPT=y CFG_GEN_DEK_BLOB=y source ./scripts/nxp_build.sh <Board Name>

* OP-TEE debug logs can be enabled by adding CFG_TEE_CORE_LOG_LEVEL=4 in command line above.

The imx-mkimage is used to combine all the images in a single flash.bin binary.

Copy all the binaries generated (U-Boot images, bl31.bin, tee.bin and Firmware) into iMX8M directory and run the following commands according to the target device:

- Create a dummy DEK blob:

$ dd if=/dev/zero of=iMX8M/dek_blob_fit_dummy.bin bs=96 count=1 && sync

- Assembly flash.bin binary:

$ make SOC=<SoC Name> flash_spl_uboot

Regards

Re: iMX8MN: OP-TEE Panics on CAAM RNG init

jg25 — Wed, 12 Feb 2025 14:43:02 GMT

Thanks.

As far as I understand the guidelines contained in in the u-boot-imx source tree (https://github.com/nxp-imx/uboot-imx/blob/lf_v2022.04/doc/imx/habv4/guides/mx8m_secure_boot.txt) the "dek_blob" you mentioned is only required for encrypted boot. This is currently not my intention.

By looking into details described in the I.MX8MN Security Reference Manual, I found out, that secure boot (HAB) is necessary to be able to use CAAM (at least for some parts).

So my question is, do I need to burn the HAB SRK fuses and also close the device (burning SEC_CONFIG[1] fuse) to be able to init CAAM in OP-TEE?