Enabling Trusty OS on Android 13 for i.MX8QXP Board

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Enabling Trusty OS on Android 13 for i.MX8QXP Board

6,384 Views
intelav
Contributor II

Hi 

I am using imx-automotive-13.0.0_1.3.0.tar.gz to make android build environment (on Ubuntu 22.04) for i.MX8qxp Board and following the guide Android User guide and Android Security (i.MX_AA_Security_User's_Guide.pdf and i.MX_AA_Security_User's_Guide.pdf) further to enable trusty OS  .

Following section 8.6.1 on User guide for this, I downloaded the code as 

 repo init -u https://github.com/nxp-imx/imx-manifest.git -b imx-android-13 -m imx-trusty-automotive-13.0.0_1.3.0.xml ( manifest file changed) 

repo sync -j32

source trusty/vendor/google/aosp/scripts/envsetup.sh

./trusty/vendor/google/aosp/scripts/build.py imx8qxp (Build command changed) 

cp build-root/build-imx8qxp/lk.bin ${MY_ANDROID}/vendor/nxp/fslproprietary/uboot-firmware/imx8q_car/tee-imx8qx.bin. 

Android Build here is done with below command.

lunch mek_8q_car-userdebug

./imx-make.sh -j4 2>&1 | tee build-log.txt

 

After booting the final image , I don't see  trusty OS related Logs like BL31.bin etc .  

 

Listing out reasons for changes on manifest file and build command 

While following the steps mentioned in 8.6.1 of Android User guide , I see a build failure (list below) where I had to get the latest with respect to Android 13 and try a different build command .

error: couldn't read trusty/user/base/lib/trusty-sys/src/./build-imx8qxp/generated/trusty/user/base/lib/syscall-stubs/trusty_syscalls.rs: No such file or directory (os error 2)
--> trusty/user/base/lib/trusty-sys/src/syscalls.rs:20:5
|
20 | include!(env!("SYSCALL_INC_FILE"));
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= note: this error originates in the macro `include` (in Nightly builds, run with -Z macro-backtrace for more info)

error: aborting due to previous error

Other Doubts related with Trusty OS

Quesiton 1 :

In the 3.2.2 section of Android Security Guide, the file structure mentioned are not matching what I got by following command in 8.6.1 in Android User guide, are the information mentioned in 3.2.2 section latest and correct?

Question 2 : 

When I used below build command initially without copying lk.bin from trusty build, I already saw vendor/nxp/fslproprietary/uboot-firmware/imx8q_car/tee-imx8qx.bin , is that created as part of current android build by default or just dummy to be replaced by correct lk.bin from trusty build from section 8.6.1 on User guide? 

lunch mek_8q_car-userdebug

./imx-make.sh -j4 2>&1 | tee build-log.txt

Please help me out with the correct steps for enabling Trusty OS for Android 13 and correct knowledge about its support on nxp board.

0 Kudos
Reply
10 Replies

6,314 Views
Rita_Wang
NXP TechSupport
NXP TechSupport

Following our guide, two section needed:

First, create a directory for Trusty OS code and enter this directory.
$ repo init -u https://github.com/nxp-imx/imx-manifest.git -b imx-android-13 -m
imx-trusty-automotive-automotive-13.0.0_1.1.0.xml
$ repo sync
$ source trusty/vendor/google/aosp/scripts/envsetup.sh
$ make imx8qxp #i.MX 8QuadXPlus MEK
$ cp ${TRUSTY_REPO_ROOT}/build-imx8qxp/lk.bin ${MY_ANDROID}/vendor/nxp/fsl-
proprietary/uboot-firmware/imx8q_car/tee-imx8qx.bin

Then, build the images, and tee-imx8qx.bin is integrated into bootloader-imx8qxp.img and
bootloader-imx8qxp-secure-unlock.img. Flash the spl-imx8qxp.bin and bootloader-
imx8qxp.img files to the target device.

0 Kudos
Reply

6,293 Views
intelav
Contributor II

 

Hi 

we are getting below issue when we run above build command. Pls see the attach build log file. 

generating documentation for trusty/user/base/lib/trusty-sys/src/lib.rs
warning: target json file contains unused fields: has-elf-tls, unsupported-abis

error: couldn't read trusty/user/base/lib/trusty-sys/src/./build-imx8qxp/generated/trusty/user/base/lib/syscall-stubs/trusty_syscalls.rs: No such file or directory (os error 2)
--> trusty/user/base/lib/trusty-sys/src/syscalls.rs:20:5
|
20 | include!(env!("SYSCALL_INC_FILE"));
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= note: this error originates in the macro `include` (in Nightly builds, run with -Z macro-backtrace for more info)

error: aborting due to previous error

regards

intelav

 

0 Kudos
Reply

6,277 Views
intelav
Contributor II

This looks some  relative path related issue. The build command is not taking absolute path.

 

error: couldn't read trusty/user/base/lib/trusty-sys/src/./build-imx8qxp/generated/trusty/user/base/lib/syscall-stubs/trusty_syscalls.rs: No such file or directory (os error 2)

 

Any suggestion where to make the  change  ?

0 Kudos
Reply

6,241 Views
intelav
Contributor II

Hello 

we could  get trusty build generating the image upto some extent after making changes in make files (changes related to using absolute path) and copied that to vendor/nxp/fsl-proprietary/uboot-firmware/imx8q_car/tee-imx8qx.bin . ( Pls see tee-image.png) . 

generating image: build-imx8qxp/lk.bin
text data bss dec hex filename
2835781 5216 50280 2891277 2c1e0d build-imx8qxp/lk.elf
generating symbols: build-imx8qxp/lk.elf.sym

After that we re-built android image (pls see build-android-car.txt ) and flashed via fastboot to device (pls see ap_console_logs.txt)  . but still see trusty not getting enabled . could you please re-validate our logs if trusty really got enabled or not and what should I do as next step ?

 

regards

intelav

0 Kudos
Reply

6,208 Views
intelav
Contributor II

Hi 

I am waiting for an active support from nxp . I am not sure if trusty is really enabled on my board . Just following your guide to set vendor RPMB key  as below but met with  falilure 

On The Host side

sudo fastboot stage my_rpmb_trusty.key.bin

sudo fastboot oem set-rpmb-staged-key

 

Console Log

Net: eth0: ethernet@5b040000 [PRIME]
Warning: ethernet@5b050000 (eth1) using random MAC address - 4a:97:f8:31:65:4
, eth1: ethernet@5b050000
INFO Initializing Trusty device
INFO selected trusty api version: 3 (requested 3)
INFO Initializing Trusty IPC device
INFO Initializing RPMB storage proxy service
INFO Initializing Trusty Keymaster client
INFO Initializing Trusty Hardware Crypto client
Fastboot: Got bootloader commands!
Starting download of 40 bytes

downloading of 40 bytes finished
General failure
ERROR - Key already programmed ?
ERROR set rpmb staged key failed!

 

regards

intelav

0 Kudos
Reply

6,151 Views
Rita_Wang
NXP TechSupport
NXP TechSupport

Have you finish these steps?

$ repo init -u https://github.com/nxp-imx/imx-manifest.git -b imx-android-13 -m
imx-trusty-automotive-automotive-13.0.0_1.1.0.xml
$ repo sync
$ source trusty/vendor/google/aosp/scripts/envsetup.sh
$ make imx8qxp #i.MX 8QuadXPlus MEK
$ cp ${TRUSTY_REPO_ROOT}/build-imx8qxp/lk.bin ${MY_ANDROID}/vendor/nxp/fsl-
proprietary/uboot-firmware/imx8q_car/tee-imx8qx.bin

0 Kudos
Reply

6,146 Views
intelav
Contributor II

Yes and flashed the images afterwards but setting the RPMB key failed. 

Just for basic sanity , I tested https://www.nxp.com/webapp/Download?colCode=13.0.0_1.3.0_AUTO_DEMO_8Q&appType=license  and here again setting the RPMB key failed.

See the snapshot  attached.  As I read document Android User's Guide (nxp.com) , section 4 android_automotive-13.0.0_1.3.0_image_8qmek_car.tar.gz has trusty OS enabled . so that's supposed to work , right ?

intelav_0-1694680567443.png

 

regards

Intelav

0 Kudos
Reply

5,958 Views
Rita_Wang
NXP TechSupport
NXP TechSupport

Have you try the android_automotive-13.0.0_1.3.0_image_8qmek_car.tar.gz  demo images? You can try it. Did it work?

0 Kudos
Reply

5,944 Views
intelav
Contributor II

Yes, below update is on your demo image " automotive-13.0.0_1.3.0_image_8qmek_car.tar.gz  " .It didn't work for me . Did it work for you ?

 

intelav_0-1695007439540.png

regards

intelav

0 Kudos
Reply

5,895 Views
intelav
Contributor II

HI 

Can we have an update this issue  soon ?

 

regards

intelav

0 Kudos
Reply