Enabling OP-TEE in i.MX8MM EVK FIT image

Solved


5,995 Views
kanimozhi_t
Contributor V

Hello all,

    I've followed Manually build Boot binary for i.MX8M Mini document for building i.MX 8MM FIT image. My interest lies in signing and encrypting the FIT image and I've successfully verified the signing with the FIT image produced from the doc above.

    However, when I try to encrypt the FIT image it fails and closer examination of document mx8m_encrypted_boot.txt reveals that the OP-TEE is required for the encryption of FIT image. OP-TEE component is not mentioned anywhere in the build steps and I would like to know,

  1. How can I include OP-TEE in i.MX 8MM FIT build?
  2. How can I build this OP-TEE repo imx-optee-os and include it in the FIT image?

Thanks in advance.

1 Solution
5,984 Views
igorpadykov
NXP Employee

Hi kanimozhi_t

DEK blob must be created by software running in the Arm TrustZone Secure World: the CAAM block takes the TrustZone configuration into consideration when encapsulating the DEK, and the resulting blob can only be decapsulated by SW running in the same configuration. As ROM code is running in the ARM TrustZone secure world, we must encapsulate the blobs using OP-TEE.

- Building ATF to support OP-TEE:

$ make PLAT=<SoC Name> SPD=opteed bl31

- Building OP-TEE to support DEK blob encapsulation:

$ CFG_NXPCRYPT=y CFG_GEN_DEK_BLOB=y source ./scripts/nxp_build.sh <Board Name>

* OP-TEE debug logs can be enabled by adding CFG_TEE_CORE_LOG_LEVEL=4 to the command line above.

The imx-mkimage is used to combine all the images in a single flash.bin binary.

https://source.codeaurora.org/external/imx/imx-mkimage/tree/?h=imx_5.4.24_2.1.0

Copy all the binaries generated (U-Boot images, bl31.bin, tee.bin and Firmware) into the iMX8M directory and run the following commands according to the target device:

- Create a dummy DEK blob:

$ dd if=/dev/zero of=iMX8M/dek_blob_fit_dummy.bin bs=96 count=1 && sync

- Assemble the flash.bin binary:

$ make SOC=<SoC Name> flash_spl_uboot

Best regards
igor

 

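The assembly step in the answer above silently depends on every input being present in iMX8M/ (the thread's whole problem is that tee.bin is never produced unless OP-TEE is built with SPD=opteed in ATF) and on the dummy DEK blob being exactly 96 bytes. The following pre-flight check is an added example, not code from this thread, from NXP or from the imx-mkimage project; the file names are the ones used in the thread, while the function names and the IMX8M_REQUIRED list are our own assumptions about what flash_spl_uboot consumes.

```shell
#!/bin/sh
# Added example (not from the NXP thread or the imx-mkimage project): a pre-flight
# check for the imx-mkimage iMX8M/ input directory, to run before
# "make SOC=<SoC Name> flash_spl_uboot". It catches the two mistakes this thread
# is about: tee.bin (OP-TEE) missing from the image set, and a dummy DEK blob of
# the wrong size. File names follow the thread; function names are our own.

# Inputs copied into iMX8M/ in the thread (assumed list). The DTB name varies per
# board, so any *.dtb is accepted and checked separately.
IMX8M_REQUIRED="u-boot-spl.bin u-boot-nodtb.bin mkimage_uboot bl31.bin tee.bin"

# Create the 96-byte all-zero placeholder that imx-mkimage expects at build time;
# the real DEK blob, produced on the target by OP-TEE via the U-Boot "dek_blob"
# command, replaces it later.  Usage: make_dummy_dek_blob <iMX8M dir>
make_dummy_dek_blob() {
    dd if=/dev/zero of="$1/dek_blob_fit_dummy.bin" bs=96 count=1 2>/dev/null && sync
}

# Byte size of a file, portable across GNU and BSD userlands.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# Verify that every binary flash_spl_uboot needs is present and non-empty and that
# the dummy blob is exactly 96 bytes. Returns 0 when the directory is ready and
# 1 otherwise, printing one line per problem so the missing piece is obvious.
check_imx8m_inputs() {
    dir="$1"
    status=0
    for f in $IMX8M_REQUIRED; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $dir/$f" >&2
            status=1
        fi
    done
    if ! ls "$dir"/*.dtb >/dev/null 2>&1; then
        echo "missing: no device tree (*.dtb) in $dir" >&2
        status=1
    fi
    blob="$dir/dek_blob_fit_dummy.bin"
    if [ ! -f "$blob" ]; then
        echo "missing: $blob (run make_dummy_dek_blob first)" >&2
        status=1
    elif [ "$(file_size "$blob")" -ne 96 ]; then
        echo "wrong size: $blob is $(file_size "$blob") bytes, expected 96" >&2
        status=1
    fi
    return $status
}
```

Run `check_imx8m_inputs iMX8M` from the imx-mkimage top directory after copying the binaries; a complaint about tee.bin means OP-TEE was not built or not copied, which is exactly the case where the later encrypted-boot steps fail.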

6 Replies
247 Views
deepakbeniya
Contributor III

Hi @igorpadykov
Could you send the additional file to me?

I am also facing the same issue.

4,632 Views
frix
Contributor II

Good day,

I've already managed to lock the HAB e-fuses in my i.MX8M Mini device and boot a signed u-boot image successfully. I'm stuck at creating the dek.blob file in preparation of creating an encrypted u-boot image. The OP-TEE that I've built gives an error message when u-boot loads.

My build steps are as follows:

Sources used:
ATF: https://source.codeaurora.org/external/imx/imx-atf
OP-TEE: http://source.codeaurora.org/external/imx/imx-optee-os
mk-image: https://source.codeaurora.org/external/imx/imx-mkimage/
Checked out tag: lf-5.10.72-2.2.0

I've followed the guide in uboot/doc/imx/habv4/guides/mx8m_encrypted_boot.txt
Section 1.4 covers how to build OP-TEE support in ATF & how to compile OP-TEE:
ATF:
Documentation:
  $ make PLAT=<SoC Name> SPD=opteed bl31
Actual:
  $ make PLAT=imx8mm SPD=opteed bl31 LDFLAGS=

OP-TEE-os:
Documentation:
  $ CFG_NXPCRYPT=y CFG_GEN_DEK_BLOB=y source ./scripts/nxp_build.sh <Board Name>
Actual:
  $ ARCH=arm CFG_TEE_CORE_LOG_LEVEL=4 CROSS_COMPILE64=${CROSS_COMPILE} \
    CFLAGS="--sysroot=${SDKTARGETSYSROOT}" LDFLAGS= CFG_NXPCRYPT=y CFG_GEN_DEK_BLOB=y \
    source ./scripts/nxp_build.sh imx-mx8mmevk

I've enabled the required flags in the uboot config file:
CONFIG_FSL_CAAM=y
CONFIG_SYS_FSL_SEC_COMPAT_4=y
CONFIG_SYS_FSL_SEC_COMPAT=4
CONFIG_SYS_FSL_SEC_LE=y
CONFIG_CMD_DEKBLOB=y
CONFIG_OPTEE_LOAD_ADDR=0xbe000000
(What about CONFIG_OPTEE_TZDRAM_SIZE and CONFIG_OPTEE_TZDRAM_BASE ?)

I've assembled all the files in mk-image/iMX8M:
cp ../OK8MM-linux-uboot/spl/u-boot-spl.bin iMX8M/
cp ../OK8MM-linux-uboot/u-boot-nodtb.bin iMX8M/
cp ../OK8MM-linux-uboot/tools/mkimage iMX8M/mkimage_uboot
cp ../imx-atf/build/imx8mm/release/bl31.bin iMX8M/
cp ../imx-optee-os/build.imx-mx8mmevk/core/tee.bin iMX8M/
cp ../OK8MM-linux-uboot/arch/arm/dts/imx8mm-ddr4-evk.dtb iMX8M/
dd if=/dev/zero of=iMX8M/dek_blob_fit_dummy.bin bs=96 count=1 && sync
make SOC=iMX8MM flash_ddr4_evk 1>iMX8M/flash.log 2>&1
make SOC=iMX8MM print_fit_hab 1>>iMX8M/flash.log 2>&1


I've created the CSF spl & fit files and signed the u-boot image. The signed u-boot was programmed to a SD card.

I've booted the u-boot binary on my HAB locked i.MX8M Mini device:
U-Boot SPL 2021.04-dirty (Feb 28 2022 - 23:02:25 +0200)
power_bd71837_init
DDRINFO: start DRAM init
DDRINFO: DRAM rate 2400MTS
DDRINFO:ddrphy calibration done
DDRINFO: ddrmix config done
SEC0: RNG instantiated
Normal Boot
Trying to boot from MMC1

Authenticate image from DDR location 0x401fcdc0, image_size=0x3020, ivt_offset=0x1000
NOTICE: BL31: v2.4(release):lf-5.10.72-2.2.0-0-g5782363f9
NOTICE: BL31: Built : 19:24:31, Feb 27 2022
ERROR: Error initializing runtime service opteed_fast                <<< First error message

U-Boot 2021.04-dirty (Feb 28 2022 - 23:02:25 +0200)

CPU: i.MX8MMQ rev1.0 1800 MHz (running at 1200 MHz)
CPU: Commercial temperature grade (0C to 95C) at 32C
Reset cause: POR
Model: FORLINX
DRAM: 2 GiB
MMC: FSL_SDHC: 1, FSL_SDHC: 2
...
...
Hit any key to stop autoboot: 0
u-boot=> dek_blob 0x40402000 0x40403000 128
Cannot get OP-TEE device                                            <<<< Second error message

 

Any help will be much appreciated.

Regards,

Frikkie

5,583 Views
vinothkumars
Senior Contributor IV
5,968 Views
kanimozhi_t
Contributor V

Thanks for the quick reply.

However, the encrypted FIT built with the above instructions fails with the following error. A thing to note here is that SPL succeeds in authentication but FIT (U-Boot, ATF or OP-TEE) is failing.

U-Boot SPL 2019.04-04771-g4d377539a1 (Sep 30 2020 - 16:31:54 +0530)
power_bd71837_init
DDRINFO: start DRAM init
DDRINFO:ddrphy calibration done
DDRINFO: ddrmix config done
Normal Boot
Trying to boot from MMC1

Authenticate image from DDR location 0x401fcdc0...
spl: ERROR: image authentication unsuccessful

Any help would be much appreciated. Thanks in advance.

5,957 Views
igorpadykov
NXP Employee

Hi kanimozhi_t

I sent an additional document by mail.

Best regards
igor