LS1012A OPTEE

lizuobin · ‎11-27-2018

Hi,

We designed our own board with reference to LS1012A-RDB. The software we used is LSDK-18.06. I tried the software configuration of LS1012A-RDB and LS1012A-FRWY, and the same error is indicated by optee during startup.

U-Boot 2018.03-dirty (Nov 28 2018 - 02:51:43 +0000)

SoC: LS1012A Rev2.0 (0x87040120)
Clock Configuration:
CPU0(A53):1000 MHz
Bus: 250 MHz DDR: 1000 MT/s
Reset Configuration Word (RCW):
00000000: 0800000a 00000000 00000000 00000000
00000010: 35080000 c000000c 40000000 00001800
00000020: 00000000 00000000 00000000 00014572
00000030: 00000000 1082a120 00000096 00000000
I2C: ready
DRAM: 446 MiB
Using SERDES1 Protocol: 13576 (0x3508)
PPA Firmware: Version LSDK-18.06-dirty
SEC Firmware: 'loadables' present in config
loadables: 'trustedOS@1'
ERROR: [0x0] TEE-CORE:tee_otp_get_hw_unique_key:195:
H/W Unique key is not fetched from the platform.
WARNING: Calling __hwconfig without a buffer and before environment is ready
MMC: FSL_SDHC: 0, FSL_SDHC: 1

TEE-CORE:tee_otp_get_hw_unique_key:195:

Is unique_key referring to OPTMK?

How to solve this problem?
thanks

bpe · ‎01-24-2019

No, chips without SEC cannot perform Secure boot because the on-chip ISBC ROM relies on SEC to verify signatures.

在原帖中查看解决方案

lizuobin · ‎01-23-2019

Sorry, I reply you so late.The chip model we are using is LS1012AXN7KKB，It does not contain a sec engine.

Using a chip that does not contain a sec engine, can optee and secure boot still work?

thanks

bpe · ‎01-24-2019

No, chips without SEC cannot perform Secure boot because the on-chip ISBC ROM relies on SEC to verify signatures.

bpe · ‎12-21-2018

tee_otp_get_hw_unique_key() actually generates a master key verification blob. The actual job is done by

get_hw_unq_key_blob_hw() defined in another package, PPA, file ppa/drivers/fsl_sec/src/hw_key_blob.c

One possible reason to fail is that you are using a security-disabled chip. If should not fail, however, if you

did not program OTPMK and don't attempt Secure Boot, as the predefined test key is used for the blob in this case.

To get to the exact reason of the failure, see what error is returned by the hardware after run_descriptor_jr()

Have a great day,
Platon

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

lizuobin · ‎01-23-2019

Sorry, I reply you so late.The chip model we are using is LS1012AXN7KKB，It does not contain a sec engine.

Using a chip that does not contain a sec engine, can optee and secure boot still work?

thanks