topic Re: i.MX91 Secure Storage in i.MX Processors

i.MX91 Secure Storage

Gunashree_MN — Fri, 09 May 2025 13:20:25 GMT

Hi Everyone,

I am planning to implement secure storage on the i.MX91 platform. Could anyone please let me know the capacity of the EdgeLock Enclave memory?

Additionally, I would appreciate it if you could share any reference documents or guidelines or procedure for implementing secure storage on the i.MX91 using the EdgeLock Enclave (ELE).

Thanks in advance for your help!

Re: i.MX91 Secure Storage

JorgeCas — Fri, 09 May 2025 16:06:21 GMT

Hello,

There are different sections of the memory map that can be secured, for more information related to this please take a look in table 4 in i.MX91 reference manual where it has TrustZone "Non-Secure (NS)" and "Secure (S)" world view of the system (Cortex-A) memory map. Access through the "Secure" memory region can only be performed by code with the appropriate security settings.

For more guidelines related to security topics, please take a look in the next link:

i.MX Security Features & Collateral - NXP Community

Best regards.

Re: i.MX91 Secure Storage

Gunashree_MN — Mon, 12 May 2025 06:45:35 GMT

Hi @JorgeCas

Thanks for your reply.

1. Can you please confirm if I have to follow the procedure mentioned in below guides to implement the secure storage in i.MX91

https://www.nxp.com/docs/en/application-note/AN14105.pdf?_gl=1*1pnx2xb*_ga*MjQ0NTk1ODIzLjE3NDcwMjk2Mjc.*_ga_WM5LE0KMSH*czE3NDcwMjk2MjYkbzEkZzEkdDE3NDcwMzE5NTUkajAkbDAkaDA.

https://www.nxp.com/webapp/Download?colCode=AN12714&location=null&_gl=1*1l7r9cl*_ga*MjQ0NTk1ODIzLjE3NDcwMjk2Mjc.*_ga_WM5LE0KMSH*czE3NDcwMjk2MjYkbzEkZzEkdDE3NDcwMzIwMzAkajAkbDAkaDA.

2. Capacity of ELE could be total size of Secure (S) registers is it?

Re: i.MX91 Secure Storage

JorgeCas — Mon, 12 May 2025 17:54:22 GMT

Hello,

The AN12714 used CAAM on i.MX8X series, but there is no CAAM on i.MX91. You can refer to HSM NVM storage https://github.com/nxp-imx/imx-secure-enclave/blob/master/test/hsm/hsm_test.c

The hsm_data_storage() is used to store/retrieve data in HSM NVM. The data stored in NVM are encrypted with a key derived from the device. If user want to generate their own key and use this key to encrypt/sign the data, the hsm_enc_data_ops() API can be used, you can also find the test example enc_data_storage_test() in secure enclave library.

All the keystores/data generated and stored in HSM NVM are in encrypted format, not only this API.

Yes, that is correct.

Best regards.

Re: i.MX91 Secure Storage

Gunashree_MN — Tue, 13 May 2025 03:31:40 GMT

Hi @JorgeCas

Thank you for your inputs.

I am planning to implement secure storage for a specific partition instead of encrypting the full disk.

To achieve this, I can use the APIs provided by ELE to generate encryption keys and encrypt the target partition. Is that correct?
The keys generated using ELE are, by default, securely stored within ELE and must be accessed through its APIs. Is that correct?

Re: i.MX91 Secure Storage

JorgeCas — Tue, 13 May 2025 15:42:21 GMT

Hello,

Yes, your understanding is correct.

Best regards.

Re: i.MX91 Secure Storage

Gunashree_MN — Thu, 22 May 2025 10:20:26 GMT

Hi @JorgeCas

Can you please share inputs on below questions.

1. Does the EdgeLock Enclave depends on OP-TEE to implement secure storage?

a. If yes, What is it's purpose?

b. If yes, Does it applicable to only secure storage? and processors having Edgelock enclave?

2. Is the OP-TEE mandatory to implement secure storage on iMX91?
3. Is it possible to implement the secure storage without using OP-TEE on i.MX 91?

Thanks in advance

Re: i.MX91 Secure Storage

Gunashree_MN — Mon, 16 Jun 2025 05:59:17 GMT

Hi @nxp

I As I have mentioned in my previous mails. I am trying to implement secure storage on i.MX91 by encrypting a partition.
Below are the steps I am following to for the same.

1. Enabled below features in OP-TEE

core/arch/arm/plat-imx/conf.mk

#CFG_IMX_TRUSTED_ARM_CE ?= y
CFG_HWRNG_QUALITY ?= 1024
CFG_WITH_SOFTWARE_PRNG ?= n

mk/config.mk

CFG_HWRNG_PTA ?= y

2. Kernel features

CONFIG_DM_CRYPT=y
CONFIG_TRUSTED_KEYS=y
CONFIG_TRUSTED_KEYS_TEE=y
CONFIG_TEE_CRYPTO=y
CONFIG_BLK_DEV_DM=y

3. Applied patches of above OP-TEE and kernel features in Yocto and built.

4. There was error in applying OP-TEE patch on debugging i got to know that CFG_IMX_TRUSTED_ARM_CE is not supported in i.MX91 from core/pta/imx/trusted_arm_ce.c

#if defined(CFG_MX93)
#define OCRAM_START 0x20518000
#define OCRAM_END 0x2051C000
#elif defined(CFG_MX95)
#define OCRAM_START 0x204BC000
#define OCRAM_END 0x204C0000
#else
#error "Platform not supported"
#endif

So i want to know,

1. What is the importance of CFG_IMX_TRUSTED_ARM_CE ?
2. Why CFG_IMX_TRUSTED_ARM_CE is supported for i.MX91?
3. Without using CFG_IMX_TRUSTED_ARM_CE, how do i implement secure storage on i.MX91?

Can someone guide me on this please?

Thanks in advance!