Hello all,
I've followed the "Manually build Boot binary for i.MX8M Mini" document for building the i.MX 8MM FIT image. My interest lies in signing and encrypting the FIT image, and I've successfully verified the signing with the FIT image produced from the document above.
However, when I try to encrypt the FIT image it fails, and closer examination of the document mx8m_encrypted_boot.txt reveals that OP-TEE is required for the encryption of the FIT image. The OP-TEE component is not mentioned anywhere in the build steps, and I would like to know,
Thanks in advance.
Hi kanimozhi_t
The DEK blob must be created by software running in the Arm TrustZone Secure World; the CAAM block takes the TrustZone configuration into consideration when encapsulating the DEK, and the resulting blob can only be decapsulated by software running in the same configuration. As the ROM code is running in the Arm TrustZone Secure World, we must encapsulate the blobs using OP-TEE.
- Building ATF to support OP-TEE:
$ make PLAT=<SoC Name> SPD=opteed bl31
- Building OP-TEE to support DEK blob encapsulation:
$ CFG_NXPCRYPT=y CFG_GEN_DEK_BLOB=y source ./scripts/nxp_build.sh <Board Name>
* OP-TEE debug logs can be enabled by adding CFG_TEE_CORE_LOG_LEVEL=4 in command line above.
The imx-mkimage is used to combine all the images in a single flash.bin binary.
https://source.codeaurora.org/external/imx/imx-mkimage/tree/?h=imx_5.4.24_2.1.0
Copy all the binaries generated (U-Boot images, bl31.bin, tee.bin and Firmware) into iMX8M directory and run the following commands according to the target device:
- Create a dummy DEK blob:
$ dd if=/dev/zero of=iMX8M/dek_blob_fit_dummy.bin bs=96 count=1 && sync
- Assemble the flash.bin binary:
$ make SOC=<SoC Name> flash_spl_uboot
Best regards
igor
Hi @igorpadykov
Could you send the additional file to me?
I am also facing the same issue.
Good day,
I've already managed to lock the HAB e-fuses in my i.MX8M Mini device and boot a signed U-Boot image successfully. I'm stuck at creating the dek.blob file in preparation for creating an encrypted U-Boot image. The OP-TEE that I've built gives an error message when U-Boot loads.
My build steps are as follows:
Sources used:
ATF: https://source.codeaurora.org/external/imx/imx-atf
OP-TEE: http://source.codeaurora.org/external/imx/imx-optee-os
mk-image: https://source.codeaurora.org/external/imx/imx-mkimage/
Checked out tag: lf-5.10.72-2.2.0
I've followed the guide in uboot/doc/imx/habv4/guides/mx8m_encrypted_boot.txt
Section 1.4 covers how to build OP-TEE support in ATF & how to compile OP-TEE:
ATF:
Documentation:
$ make PLAT=<SoC Name> SPD=opteed bl31
Actual:
$ make PLAT=imx8mm SPD=opteed bl31 LDFLAGS=
OP-TEE-os:
Documentation:
$ CFG_NXPCRYPT=y CFG_GEN_DEK_BLOB=y source ./scripts/nxp_build.sh <Board Name>
Actual:
$ ARCH=arm CFG_TEE_CORE_LOG_LEVEL=4 CROSS_COMPILE64=${CROSS_COMPILE} \
    CFLAGS="--sysroot=${SDKTARGETSYSROOT}" LDFLAGS= CFG_NXPCRYPT=y CFG_GEN_DEK_BLOB=y \
    source ./scripts/nxp_build.sh imx-mx8mmevk
I've enabled the required flags in the U-Boot config file:
CONFIG_FSL_CAAM=y
CONFIG_SYS_FSL_SEC_COMPAT_4=y
CONFIG_SYS_FSL_SEC_COMPAT=4
CONFIG_SYS_FSL_SEC_LE=y
CONFIG_CMD_DEKBLOB=y
CONFIG_OPTEE_LOAD_ADDR=0xbe000000
(What about CONFIG_OPTEE_TZDRAM_SIZE and CONFIG_OPTEE_TZDRAM_BASE ?)
I've assembled all the files in mk-image/iMX8M:
cp ../OK8MM-linux-uboot/spl/u-boot-spl.bin iMX8M/
cp ../OK8MM-linux-uboot/u-boot-nodtb.bin iMX8M/
cp ../OK8MM-linux-uboot/tools/mkimage iMX8M/mkimage_uboot
cp ../imx-atf/build/imx8mm/release/bl31.bin iMX8M/
cp ../imx-optee-os/build.imx-mx8mmevk/core/tee.bin iMX8M/
cp ../OK8MM-linux-uboot/arch/arm/dts/imx8mm-ddr4-evk.dtb iMX8M/
dd if=/dev/zero of=iMX8M/dek_blob_fit_dummy.bin bs=96 count=1 && sync
make SOC=iMX8MM flash_ddr4_evk 1>iMX8M/flash.log 2>&1
make SOC=iMX8MM print_fit_hab 1>>iMX8M/flash.log 2>&1
I've created the CSF SPL and FIT files and signed the U-Boot image. The signed U-Boot was programmed to an SD card.
I've booted the U-Boot binary on my HAB-locked i.MX8M Mini device:
U-Boot SPL 2021.04-dirty (Feb 28 2022 - 23:02:25 +0200)
power_bd71837_init
DDRINFO: start DRAM init
DDRINFO: DRAM rate 2400MTS
DDRINFO:ddrphy calibration done
DDRINFO: ddrmix config done
SEC0: RNG instantiated
Normal Boot
Trying to boot from MMC1
Authenticate image from DDR location 0x401fcdc0, image_size=0x3020, ivt_offset=0x1000
NOTICE: BL31: v2.4(release):lf-5.10.72-2.2.0-0-g5782363f9
NOTICE: BL31: Built : 19:24:31, Feb 27 2022
ERROR: Error initializing runtime service opteed_fast <<< First error message
U-Boot 2021.04-dirty (Feb 28 2022 - 23:02:25 +0200)
CPU: i.MX8MMQ rev1.0 1800 MHz (running at 1200 MHz)
CPU: Commercial temperature grade (0C to 95C) at 32C
Reset cause: POR
Model: FORLINX
DRAM: 2 GiB
MMC: FSL_SDHC: 1, FSL_SDHC: 2
...
...
Hit any key to stop autoboot: 0
u-boot=> dek_blob 0x40402000 0x40403000 128
Cannot get OP-TEE device <<<< Second error message
Any help will be much appreciated.
Regards,
Frikkie
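Before running the imx-mkimage step, it is worth confirming that the staging directory and the U-Boot config actually match what the posts above require; a missing tee.bin or a DEKBLOB command left disabled will only surface later as a "Cannot get OP-TEE device" style failure at the U-Boot prompt. The following is an added pre-flight checker, not code from the thread or from NXP's tooling. It takes the config options and the file list from the posts above, assumes the iMX8M/ staging layout shown there, and builds a constructed throwaway workspace (with tee.bin deliberately absent and a wrongly sized dummy blob) so the checks have something to report.

```python
"""Pre-flight checks for the i.MX8M encrypted-boot assembly steps.

Added example; not part of the thread or of NXP's imx-mkimage. It checks
 1. that the U-Boot .config carries the CAAM / DEK blob options listed above,
 2. that the dummy DEK blob placeholder is exactly 96 bytes (what the
    `dd ... bs=96 count=1` step produces), and
 3. that every binary the imx-mkimage flash target needs is staged in iMX8M/.
"""
import os
import re
import tempfile

# Options enabled in the U-Boot config in the post above (values as given there).
REQUIRED_CONFIG = {
    "CONFIG_FSL_CAAM": "y",
    "CONFIG_SYS_FSL_SEC_COMPAT_4": "y",
    "CONFIG_SYS_FSL_SEC_COMPAT": "4",
    "CONFIG_SYS_FSL_SEC_LE": "y",
    "CONFIG_CMD_DEKBLOB": "y",
    "CONFIG_OPTEE_LOAD_ADDR": "0xbe000000",
}

# Files copied into iMX8M/ before `make SOC=iMX8MM flash_ddr4_evk` in the post above.
REQUIRED_BINARIES = [
    "u-boot-spl.bin", "u-boot-nodtb.bin", "mkimage_uboot", "bl31.bin",
    "tee.bin", "imx8mm-ddr4-evk.dtb", "dek_blob_fit_dummy.bin",
]
DEK_DUMMY_SIZE = 96  # bytes, from the dd command in the thread


def parse_kconfig(text):
    """Parse Kconfig-style .config text into {option: value}; '# X is not set' -> 'n'."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^(CONFIG_\w+)=(.*)$", line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
            continue
        m = re.match(r"^# (CONFIG_\w+) is not set$", line)
        if m:
            opts[m.group(1)] = "n"
    return opts


def check_config(text):
    """Return a list of readable problems with the U-Boot config (empty = all good)."""
    opts = parse_kconfig(text)
    problems = []
    for name, want in REQUIRED_CONFIG.items():
        got = opts.get(name)
        if got is None:
            problems.append(f"{name} missing")
        elif got.lower() != want.lower():
            problems.append(f"{name}={got}, expected {want}")
    return problems


def check_workspace(imx8m_dir):
    """Return problems with the imx-mkimage iMX8M/ staging directory."""
    problems = []
    for name in REQUIRED_BINARIES:
        if not os.path.isfile(os.path.join(imx8m_dir, name)):
            problems.append(f"{name} missing from {imx8m_dir}")
    dummy = os.path.join(imx8m_dir, "dek_blob_fit_dummy.bin")
    if os.path.isfile(dummy):
        size = os.path.getsize(dummy)
        if size != DEK_DUMMY_SIZE:
            problems.append(
                f"dek_blob_fit_dummy.bin is {size} bytes, expected {DEK_DUMMY_SIZE}")
    return problems


# Constructed sample config: mirrors the post above, but with the dek_blob
# command disabled so the checker has something to report.
SAMPLE_CONFIG = """\
CONFIG_FSL_CAAM=y
CONFIG_SYS_FSL_SEC_COMPAT_4=y
CONFIG_SYS_FSL_SEC_COMPAT=4
CONFIG_SYS_FSL_SEC_LE=y
# CONFIG_CMD_DEKBLOB is not set
CONFIG_OPTEE_LOAD_ADDR=0xbe000000
"""


def demo():
    """Constructed staging dir: tee.bin absent, dummy blob deliberately 64 bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in REQUIRED_BINARIES:
            if name in ("tee.bin", "dek_blob_fit_dummy.bin"):
                continue
            with open(os.path.join(tmp, name), "wb") as f:
                f.write(b"\0")  # placeholder content; only presence is checked
        with open(os.path.join(tmp, "dek_blob_fit_dummy.bin"), "wb") as f:
            f.write(b"\0" * 64)  # wrong size on purpose
        return check_config(SAMPLE_CONFIG), check_workspace(tmp)


if __name__ == "__main__":
    cfg_problems, ws_problems = demo()
    print("config problems:", cfg_problems)
    print("workspace problems:", ws_problems)
```

To use it against a real tree, call check_config() on the contents of your U-Boot .config and check_workspace() on the imx-mkimage iMX8M/ directory; any returned problem is something to fix before the flash target is run, and before going anywhere near a HAB-locked board.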
Will you please give some details,
https://community.nxp.com/t5/i-MX-Processors/Build-FIT-image-for-IMX8MNano/m-p/1223538#M168684
Thanks for the quick reply.
However, the encrypted FIT built with the above instructions fails with the following error. A thing to note here is that SPL succeeds in authentication, but the FIT (U-Boot, ATF or OP-TEE) is failing.
U-Boot SPL 2019.04-04771-g4d377539a1 (Sep 30 2020 - 16:31:54 +0530)
power_bd71837_init
DDRINFO: start DRAM init
DDRINFO:ddrphy calibration done
DDRINFO: ddrmix config done
Normal Boot
Trying to boot from MMC1
Authenticate image from DDR location 0x401fcdc0...
spl: ERROR: image authentication unsuccessful
Any help would be much appreciated. Thanks in advance.
Hi kanimozhi_t
I sent additional document by mail.
Best regards
igor