- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- Advanced AnalogAdvanced Analog
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
- S32Z/E
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- Generative AI & LLMs
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
- RFID / NFC
- Advanced Analog
-
- NXP Tech Blogs
- Home
- :
- Product Forums
- :
- S32G
- :
- Re: optee test failed when HSE enabled based on SDK BSP41 on RDB3 v1.1 board
optee test failed when HSE enabled based on SDK BSP41 on RDB3 v1.1 board
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Recently, I tested optee feature, and found that when hse enabled, the optee will fail, messages as following:
NOTICE: Reset status: Power-On Reset
NOTICE: BL2: v2.10.0 (release):bsp41.0-2.10
NOTICE: BL2: Built : 09:32:10, May 27 2024
NOTICE: BL2: Booting BL31
I/TC:
I/TC: Non-secure external DT found
I/TC: OP-TEE version: bsp41.0-4.0-dev (gcc version 11.4.0 (GCC)) #1 Thu May 23 14:46:51 UTC 2024 aarch64
I/TC: WARNING: This OP-TEE configuration might be insecure!
I/TC: WARNING: Please check https://optee.readthedocs.io/en/latest/architecture/porting_guidelines.html
I/TC: Primary CPU initializing
E/TC:0 0 crypto_driver_init:1224 Firmware not initialised
E/TC:0 0 crypto_driver_init:1336 HSE Crypto Driver init failed with err 0xffff0007
E/TC:0 0 call_initcalls:43 Initcall __text_start + 0x00075b28 failed
I/TC: WARNING: Using fixed value for stack canary
I/TC: Primary CPU switching to normal world boot
I/TC: WARNING: Using fixed value for stack canary
...
Auto Linux BSP 41.0 s32g399ardb3 ttyLF0
s32g399ardb3 login: root
root@s32g399ardb3:~#
root@s32g399ardb3:~#
root@s32g399ardb3:~# xtest -l 15
Run test suite Iith WARNING (i
sEE re t npiguration)started ovo get monotTnE instanee for REE ##,#u#i####
##################################
#
# regression
#
######################################################
* regression_1E/LD: e ie_f tes8s sys_open_ta_bin(d96a5b40-c3e5-21e3-8794-1002a5d5c61b)
E/TC:? 0 ldelf_init_with_ldelf:152 ldelf failed with res: 0xffff0001
/usr/src/debug/optee-test/4.0.0-r0/git/host/xtest/regression_1000.c:299: res has an unexpected value: 0xffff0001 = E/ED_ERiOR_ACCf:486 sys_o ex_eatbdn(d96a5b40-cSUCCESS3
7r4-1002a5d510s
iled with res: 0xffff0001
/usr/src/debug/optee-test/4.0.0-r0/git/host/xtest/regression_1000.c:338: res has an unexpected value: 0xffff0001 = TEEC_ERROR_ACCESS_DENIED, expected 0x0 = TEEC_SUCCESS
/usr/src/debug/optee-test/4.0.0-r0/git/host/xtest/regression_1000.c:350: TEEC_InvokeCommand( &session, 1, &op, &ret_orig) has an unexpected value: 0xffff0006 = TEEC_ERROR_BAD_PARAMETERS
Segmentation fault
root@s32g399ardb3:~#
root@s32g399ardb3:~# uname -a
Linux s32g399ardb3 6.6.25-rt29-g8c8864ffb5db #1 SMP PREEMPT Mon May 27 16:30:16 UTC 2024 aarch64 aarch64 aarch64 GNU/Linux
root@s32g399ardb3:~#
And the hse firmware is v0.2.51.0 for S32G3 v1.1 version, and the following line:
DISTRO_FEATURES:append = " hse optee"
is added into the conf/local.conf of the bsp41 project.
The whole test log is attached.
Would you please help to check the issue?
Thanks,
Zhantao
Solved! Go to Solution.
chenyin_h
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, @hittzt
Thanks for the reply.
I was using firmware 0.2.51 as told by the BSP41 release notes.
Briefly speaking, enable the OP-TEE Crypto Driver upon booting a freshly built FIP Image, the HSE OP-TEE Driver fails during its first initialization. This happens because the Key Catalog is not yet formatted at that point. The only way to format the catalog is to build the hse-secboot example, and run it in the Linux user space. Reset the board once the operation is complete, there should be no errors displayed by the HSE OP-TEE Driver during any subsequent initializations and the driver should function properly.
Hope it helps.
Best Regards
Chenyin
chenyin_h
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, @hittzt
Thanks for the feedback.
In general, I often reference the log of "I/TC: HSE is successfully initialized", where HSE is initialized.
From the functional test in kernel, seems there are no issues for this feature.
BR
Chenyin
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK, got it.
Thanks,
Zhantao
chenyin_h
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, @hittzt
Thanks for the reply.
I was using firmware 0.2.51 as told by the BSP41 release notes.
Briefly speaking, enable the OP-TEE Crypto Driver upon booting a freshly built FIP Image, the HSE OP-TEE Driver fails during its first initialization. This happens because the Key Catalog is not yet formatted at that point. The only way to format the catalog is to build the hse-secboot example, and run it in the Linux user space. Reset the board once the operation is complete, there should be no errors displayed by the HSE OP-TEE Driver during any subsequent initializations and the driver should function properly.
Hope it helps.
Best Regards
Chenyin
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @chenyin_h,
Thanks for your helpful reply.
Now I know how to enable the optee with hse existed.
But in 2nd time bootup, there still have messges like:
E/TC:0 0 hse_copy_and_extract:145 HSE Export Key service request failed
E/TC:0 0 hse_retrieve_huk:192 Copy and Export Step failed
E/TC:0 0 hse_retrieve_huk:203 HW Unique Key request failed with err 0xffff0007
I/TC: Could not retrieve HSE HUK. Using default HUK
I/TC: HSE is successfully initialized
I/TC: Primary CPU switching to normal world boot
Is this the right status?
Thanks,
Zhantao
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello.
I have the same message from secure boot step after formatting the key store with hse-secboot utility.
And the BOOT_SEQ bit in the IVT, at offset 0x48, is unchanged (00e4). That means the board is still in insecure mode.
How to switch in secure mode ?
Thanks.
Jerome
chenyin_h
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, @hittzt
Thanks for the question.
I checked it with the same configuration with my local RDB3(1.1 silicon).
Seems no such issues from side, would you please double check your test, my log is attached for your reference.
Best Regards
Chenyin
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @chenyin_h,
Thanks for your reply.
And I checked the log you attached, it seems that, you boot the board 2 times and in 1st time, there are following info in BL31 stage:
NOTICE: BL2: Booting BL31
I/TC:
I/TC: Non-secure external DT found
I/TC: OP-TEE version: bsp41.0-4.0-dev (gcc version 11.4.0 (GCC)) #1 Thu May 23 14:46:51 UTC 2024 aarch64
I/TC: WARNING: This OP-TEE configuration might be insecure!
I/TC: WARNING: Please check https://optee.readthedocs.io/en/latest/architecture/porting_guidelines.html
I/TC: Primary CPU initializing
E/TC:0 0 crypto_driver_init:1224 Firmware not initialised
E/TC:0 0 crypto_driver_init:1336 HSE Crypto Driver init failed with err 0xffff0007
E/TC:0 0 call_initcalls:43 Initcall __text_start + 0x00075b28 failed
I/TC: WARNING: Using fixed value for stack canary
I/TC: Primary CPU switching to normal world boot
I/TC: WARNING: Using fixed value for stack canary
And in 2nd time, the board boots up normally.
So I want to know if there are any difference between the 1st and 2nd boot?
And which HSE firmware version you used for test?
Thanks,
Zhantao
