Enabling OP-TEE in i.MX8MM EVK FIT image

kanimozhi_t
Contributor V

Hello all,

I've followed the "Manually build Boot binary for i.MX8M Mini" document to build the i.MX 8MM FIT image. My interest lies in signing and encrypting the FIT image, and I've successfully verified the signing with the FIT image produced from the doc above.

However, when I try to encrypt the FIT image it fails, and closer examination of the document mx8m_encrypted_boot.txt reveals that OP-TEE is required for the encryption of the FIT image. The OP-TEE component is not mentioned anywhere in the build steps, and I would like to know:

  1. How can I include OP-TEE in the i.MX 8MM FIT build?
  2. How can I build this OP-TEE repo imx-optee-os and include it in the FIT image?

Thanks in advance.

1 Solution
igorpadykov
NXP Employee

Hi kanimozhi_t

The DEK blob must be created by software running in the Arm TrustZone Secure World. The CAAM block takes the TrustZone configuration into consideration when encapsulating the DEK, and the resulting blob can only be decapsulated by software running in the same configuration. As the ROM code runs in the Arm TrustZone Secure World, we must encapsulate the blobs using OP-TEE.

- Building ATF to support OP-TEE:

$ make PLAT=<SoC Name> SPD=opteed bl31

- Building OP-TEE to support DEK blob encapsulation:

$ CFG_NXPCRYPT=y CFG_GEN_DEK_BLOB=y source ./scripts/nxp_build.sh <Board Name>

* OP-TEE debug logs can be enabled by adding CFG_TEE_CORE_LOG_LEVEL=4 to the command line above.

imx-mkimage is used to combine all the images into a single flash.bin binary.

https://source.codeaurora.org/external/imx/imx-mkimage/tree/?h=imx_5.4.24_2.1.0

Copy all the generated binaries (U-Boot images, bl31.bin, tee.bin and Firmware) into the iMX8M directory and run the following commands according to the target device:

- Create a dummy DEK blob:

$ dd if=/dev/zero of=iMX8M/dek_blob_fit_dummy.bin bs=96 count=1 && sync

- Assemble the flash.bin binary:

$ make SOC=<SoC Name> flash_spl_uboot

Best regards
igor
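
A check to run before the final make step described in the answer above, as an added example that is not part of the original post or of NXP's tooling. It verifies that the input files named in this thread are present in the iMX8M directory and that the dummy DEK blob is exactly 96 zero bytes; the function name check_imx8m_inputs is hypothetical, and DDR firmware files are not checked because the thread does not name them.

```shell
#!/bin/sh
# Added example: pre-flight check for the imx-mkimage iMX8M/ input directory.
# File names are the ones that appear in this thread.

# check_imx8m_inputs DIR -> prints one line per problem; returns 0 only if clean.
check_imx8m_inputs() {
    dir=$1
    rc=0
    # Binaries the thread copies into iMX8M/ before assembling flash.bin.
    for f in u-boot-spl.bin u-boot-nodtb.bin bl31.bin tee.bin; do
        if [ ! -s "$dir/$f" ]; then
            echo "MISSING or empty: $dir/$f"
            rc=1
        fi
    done

    blob=$dir/dek_blob_fit_dummy.bin
    if [ ! -f "$blob" ]; then
        echo "MISSING: $blob"
        return 1
    fi
    # The dd command in the thread writes exactly one 96-byte block.
    size=$(wc -c < "$blob" | tr -d ' ')
    if [ "$size" -ne 96 ]; then
        echo "BAD SIZE: $blob is $size bytes, expected 96"
        rc=1
    fi
    # The placeholder comes from /dev/zero, so any non-zero byte means the
    # file is not the dd output.
    nonzero=$(tr -d '\000' < "$blob" | wc -c | tr -d ' ')
    if [ "$nonzero" -ne 0 ]; then
        echo "NOT ZERO-FILLED: $blob has $nonzero non-zero bytes"
        rc=1
    fi
    return $rc
}

# Stand-alone use: sh check.sh iMX8M
if [ "$#" -gt 0 ]; then check_imx8m_inputs "$1"; fi
```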

 

5 Replies
frix
Contributor II

Good day,

I've already managed to lock the HAB e-fuses in my i.MX8M Mini device and boot a signed u-boot image successfully. I'm stuck at creating the dek.blob file in preparation for creating an encrypted u-boot image. The OP-TEE that I've built gives an error message when u-boot loads.

My build steps are as follows:

Sources used:
ATF: https://source.codeaurora.org/external/imx/imx-atf
OP-TEE: http://source.codeaurora.org/external/imx/imx-optee-os
mk-image: https://source.codeaurora.org/external/imx/imx-mkimage/
Checked out tag: lf-5.10.72-2.2.0

I've followed the guide in uboot/doc/imx/habv4/guides/mx8m_encrypted_boot.txt
Section 1.4 covers how to build OP-TEE support in ATF & how to compile OP-TEE:
ATF:
Documentation:
  $ make PLAT=<SoC Name> SPD=opteed bl31
Actual:
  $ make PLAT=imx8mm SPD=opteed bl31 LDFLAGS=


OP-TEE-os:
Documentation:
  $ CFG_NXPCRYPT=y CFG_GEN_DEK_BLOB=y source ./scripts/nxp_build.sh <Board Name>
Actual:
  $ ARCH=arm CFG_TEE_CORE_LOG_LEVEL=4 CROSS_COMPILE64=${CROSS_COMPILE} \
    CFLAGS="--sysroot=${SDKTARGETSYSROOT}" LDFLAGS= CFG_NXPCRYPT=y CFG_GEN_DEK_BLOB=y \
    source ./scripts/nxp_build.sh imx-mx8mmevk

I've enabled the required flags in the uboot config file:
CONFIG_FSL_CAAM=y
CONFIG_SYS_FSL_SEC_COMPAT_4=y
CONFIG_SYS_FSL_SEC_COMPAT=4
CONFIG_SYS_FSL_SEC_LE=y
CONFIG_CMD_DEKBLOB=y
CONFIG_OPTEE_LOAD_ADDR=0xbe000000
(What about CONFIG_OPTEE_TZDRAM_SIZE and CONFIG_OPTEE_TZDRAM_BASE ?)

I've assembled all the files in mk-image/iMX8M:
cp ../OK8MM-linux-uboot/spl/u-boot-spl.bin iMX8M/
cp ../OK8MM-linux-uboot/u-boot-nodtb.bin iMX8M/
cp ../OK8MM-linux-uboot/tools/mkimage iMX8M/mkimage_uboot
cp ../imx-atf/build/imx8mm/release/bl31.bin iMX8M/
cp ../imx-optee-os/build.imx-mx8mmevk/core/tee.bin iMX8M/
cp ../OK8MM-linux-uboot/arch/arm/dts/imx8mm-ddr4-evk.dtb iMX8M/
dd if=/dev/zero of=iMX8M/dek_blob_fit_dummy.bin bs=96 count=1 && sync
make SOC=iMX8MM flash_ddr4_evk 1>iMX8M/flash.log 2>&1
make SOC=iMX8MM print_fit_hab 1>>iMX8M/flash.log 2>&1


I've created the CSF spl & fit files and signed the u-boot image. The signed u-boot was programmed to a SD card.

I've booted the u-boot binary on my HAB locked i.MX8M Mini device:
U-Boot SPL 2021.04-dirty (Feb 28 2022 - 23:02:25 +0200)
power_bd71837_init
DDRINFO: start DRAM init
DDRINFO: DRAM rate 2400MTS
DDRINFO:ddrphy calibration done
DDRINFO: ddrmix config done
SEC0: RNG instantiated
Normal Boot
Trying to boot from MMC1

Authenticate image from DDR location 0x401fcdc0, image_size=0x3020, ivt_offset=0x1000
NOTICE: BL31: v2.4(release):lf-5.10.72-2.2.0-0-g5782363f9
NOTICE: BL31: Built : 19:24:31, Feb 27 2022
ERROR: Error initializing runtime service opteed_fast                <<< First error message

U-Boot 2021.04-dirty (Feb 28 2022 - 23:02:25 +0200)

CPU: i.MX8MMQ rev1.0 1800 MHz (running at 1200 MHz)
CPU: Commercial temperature grade (0C to 95C) at 32C
Reset cause: POR
Model: FORLINX
DRAM: 2 GiB
MMC: FSL_SDHC: 1, FSL_SDHC: 2
...
...
Hit any key to stop autoboot: 0
u-boot=> dek_blob 0x40402000 0x40403000 128
Cannot get OP-TEE device                                            <<<< Second error message

 

Any help will be much appreciated.

Regards,

Frikkie

kanimozhi_t
Contributor V

Thanks for the quick reply.


However, the encrypted FIT built with the above instructions fails with the following error. A thing to note here is that SPL succeeds in authentication, but the FIT (U-Boot, ATF or OP-TEE) is failing.

U-Boot SPL 2019.04-04771-g4d377539a1 (Sep 30 2020 - 16:31:54 +0530)
power_bd71837_init
DDRINFO: start DRAM init
DDRINFO:ddrphy calibration done
DDRINFO: ddrmix config done
Normal Boot
Trying to boot from MMC1

Authenticate image from DDR location 0x401fcdc0...
spl: ERROR: image authentication unsuccessful

Any help would be much appreciated. Thanks in advance.
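
The two boot logs posted in this thread fail at different stages. The following is an added example, not written by any poster in this thread, that scans a captured serial console log and reports the earliest failing stage; the matched strings are the messages quoted in the thread, while the function name and the stage labels are this example's own.

```shell
#!/bin/sh
# Added example: report the first boot stage that failed in a captured
# serial console log. Matched strings are the messages quoted in this thread.

# triage_boot_log FILE -> prints one label; returns 0 only for "ok".
triage_boot_log() {
    log=$1
    # SPL rejected the FIT image.
    if grep -q 'spl: ERROR: image authentication unsuccessful' "$log"; then
        echo "spl-fit-auth-failed"; return 1
    fi
    # ' *' tolerates variable spacing after the log-level prefix.
    if ! grep -q 'NOTICE: *BL31:' "$log"; then
        echo "bl31-not-reached"; return 1
    fi
    # Checked before the U-Boot message because it appears earlier in the boot.
    if grep -q 'ERROR: *Error initializing runtime service opteed_fast' "$log"; then
        echo "bl31-opteed-init-failed"; return 1
    fi
    if grep -q 'Cannot get OP-TEE device' "$log"; then
        echo "uboot-no-optee-device"; return 1
    fi
    echo "ok"; return 0
}

# Sample input: excerpt of the SPL authentication failure log in this thread.
sample_spl_failure() {
    cat <<'EOF'
Trying to boot from MMC1
Authenticate image from DDR location 0x401fcdc0...
spl: ERROR: image authentication unsuccessful
EOF
}

# Sample input: excerpt of the opteed_fast failure log in this thread.
sample_optee_failure() {
    cat <<'EOF'
Authenticate image from DDR location 0x401fcdc0, image_size=0x3020, ivt_offset=0x1000
NOTICE: BL31: v2.4(release):lf-5.10.72-2.2.0-0-g5782363f9
ERROR: Error initializing runtime service opteed_fast
u-boot=> dek_blob 0x40402000 0x40403000 128
Cannot get OP-TEE device
EOF
}

# Stand-alone use: sh triage.sh console.log
if [ "$#" -gt 0 ]; then triage_boot_log "$1"; fi
```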

igorpadykov
NXP Employee

Hi kanimozhi_t

I sent an additional document by mail.

 

Best regards
igor