Enabling OP-TEE in i.MX8MM EVK FIT image

Contributor III

Hello all,

I've followed the "Manually build Boot binary for i.MX8M Mini" document to build the i.MX 8MM FIT image. My interest lies in signing and encrypting the FIT image, and I've successfully verified the signing with the FIT image produced from the doc above.

However, when I try to encrypt the FIT image it fails, and closer examination of the document mx8m_encrypted_boot.txt reveals that OP-TEE is required for encryption of the FIT image. The OP-TEE component is not mentioned anywhere in the build steps and I would like to know:

  1. How can I include OP-TEE in i.MX 8MM FIT build?
  2. How can I build this OP-TEE repo imx-optee-os and include it in the FIT image?

Thanks in advance.

NXP TechSupport

Hi kanimozhi_t,

The DEK blob must be created by software running in the Arm TrustZone Secure World. The CAAM block takes the TrustZone configuration into consideration when encapsulating the DEK, and the resulting blob can only be decapsulated by software running in the same configuration. As the ROM code runs in the Arm TrustZone Secure World, we must encapsulate the blobs using OP-TEE.

- Building ATF to support OP-TEE:

$ make PLAT=<SoC Name> SPD=opteed bl31

- Building OP-TEE to support DEK blob encapsulation:

$ CFG_NXPCRYPT=y CFG_GEN_DEK_BLOB=y source ./scripts/nxp_build.sh <Board Name>

* OP-TEE debug logs can be enabled by adding CFG_TEE_CORE_LOG_LEVEL=4 to the command line above.

imx-mkimage is used to combine all the images into a single flash.bin binary.

https://source.codeaurora.org/external/imx/imx-mkimage/tree/?h=imx_5.4.24_2.1.0

Copy all the generated binaries (U-Boot images, bl31.bin, tee.bin and firmware) into the iMX8M directory and run the following commands according to the target device:

- Create a dummy DEK blob:

$ dd if=/dev/zero of=iMX8M/dek_blob_fit_dummy.bin bs=96 count=1 && sync

- Assemble the flash.bin binary:

$ make SOC=<SoC Name> flash_spl_uboot

Best regards
igor
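
A pre-flight check for the steps in the reply above, added here as an example; it is not part of the original reply or of NXP's tooling. It assumes it is run from the imx-mkimage tree and checks only the three files the reply names (bl31.bin, tee.bin, dek_blob_fit_dummy.bin); the function name check_imx8m_inputs is hypothetical, and the U-Boot and firmware files are not checked because the reply does not name them.

```shell
#!/bin/sh
# Added example: verify the iMX8M staging directory before assembling flash.bin.
# Usage (from the imx-mkimage tree):
#   check_imx8m_inputs iMX8M && make SOC=<SoC Name> flash_spl_uboot

check_imx8m_inputs() {
    dir=${1:-iMX8M}
    rc=0

    # bl31.bin must be the ATF build made with SPD=opteed, and tee.bin the
    # OP-TEE build; here we can only confirm both exist and are non-empty.
    for f in bl31.bin tee.bin dek_blob_fit_dummy.bin; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $dir/$f" >&2
            rc=1
        fi
    done

    blob="$dir/dek_blob_fit_dummy.bin"
    if [ -f "$blob" ]; then
        # The placeholder is created with bs=96 count=1, so it must be
        # exactly 96 bytes long.
        size=$(wc -c < "$blob" | tr -d ' ')
        if [ "$size" -ne 96 ]; then
            echo "dummy DEK blob is $size bytes, expected 96" >&2
            rc=1
        fi

        # It is read from /dev/zero, so any non-zero byte means the file is
        # not the placeholder (for example a stale or real blob left behind).
        nonzero=$(tr -d '\000' < "$blob" | wc -c | tr -d ' ')
        if [ "$nonzero" -ne 0 ]; then
            echo "dummy DEK blob contains $nonzero non-zero bytes" >&2
            rc=1
        fi
    fi

    return $rc
}
```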

 

Contributor III

Thanks for the quick reply.


However, the encrypted FIT built with the above instructions fails with the following error. A thing to note here is that SPL succeeds in authentication but the FIT (U-Boot, ATF or OP-TEE) is failing.

U-Boot SPL 2019.04-04771-g4d377539a1 (Sep 30 2020 - 16:31:54 +0530)
power_bd71837_init
DDRINFO: start DRAM init
DDRINFO:ddrphy calibration done
DDRINFO: ddrmix config done
Normal Boot
Trying to boot from MMC1

Authenticate image from DDR location 0x401fcdc0...
spl: ERROR: image authentication unsuccessful

Any help would be much appreciated. Thanks in advance.

NXP TechSupport

Hi kanimozhi_t,

I sent an additional document by mail.

Best regards
igor