Failure loading TEE-Crypto kernel module on IMX93 custom board

Indeed, in the document it says we have to disable CONFIG_SEC_ENCLAVE, but disabling that causes CONFIG_SOC_IMX9 to be disabled, which causes a lot of different problems.

I got the same problem with version 6.6.36

Hi @omar_aberkan!

 

How are compiling your custom image?

Are you using Yocto or You are compiling standalone?

 

Are you coping the tee.bin to the mkimage?

 

Please follow the steps described in our Linux Users Guide page 40.

 

Best Regards!

Chavira

I am using yocto and. The tee.bin is added to the mkimage. And the optee-os starts. But i get errors when i try to load the kernel module tee-crypto. I want to use capi:cbc-aes-tee-plain.

Hi @omar_aberkan!

Can you confirm if you are using NXP BSP scartgap 6.6.36 with no custom firmware or modification?

What steps are you taking to get that output from dmesg and optee-os? Is it on boot?

Is this an i.MX93 EVK or custom board?

 

 

Yes, i am using NXP BSP scartgap 6.6.36 with no custom firmware or modification. These messages are indeed on boot. And it is a custom board.

Hi @omar_aberkan!

Sorry for my late response!

Here are the steps I followed that worked for me on 6.6.52-2.2.0 (the scarthgap release in initial post which worked for me). For recreating steps on 6.6.36-2.1.0, the steps should be the same and this is what I am doing at the moment:

1. Compile Kernel Image with following KCONFIG
   1. Either download stand alone linux-imx or use yocto devtool to modify linux-imx (Following Linux User's Guide / Yocto Project User's Guide)
   2. initalize board config
      1. make imx_v8_defconfig
   3. modify .config file
      

      1. CONFIG_DM_CRYPT=y

         CONFIG_TRUSTED_KEYS=m

         CONFIG_TRUSTED_KEYS_TEE=y

         CONFIG_IMX_SEC_ENCLAVE=n

         CONFIG_IMX_ELE_TRNG=n

   4. (Optional if building standalone) make kernel image
      1. make
2. Compile new OP-TEE OS image
   1. Either download stand alone optee-os or use Yocto devtool or .bbappends to modify source
   2. add configuration to device conf.h
      1. #define CFG_WITH_SOFTWARE_PRNG 1
      2. OR
      3. when building stand alone, add config to the build command
         1. CFG_WITH_SOFTWARE_PRNG=y source ./scripts/nxp_build.sh imx-mx93evk
3. For yocto build, this should be all you need and the final yocto image will have correct configuration
4. (Optional) if building stand alone (Linux User's Guide)
   1. build imx-boot image with required components following Section 4.5.13
   2. build bootable SD card following steps 4.3

 

I was not able to complete all these steps today for working 6.6.36 image. Will continue tomorrow and see if 6.6.36 fails, while 6.6.52 succeeds.

 

I was able to get it working by enabling the following options which are stated in the document: 

CFG_WITH_SOFTWARE_PRNG=y
CFG_HWRNG_PTA=y
CFG_IMX_TRUSTED_ARM_CE=y
CFG_HWRNG_QUALITY=1024

 

But i still got problems when starting systemd:

[UNSUPP] Starting of Root Slice unsupported.
[DEPEND] Dependency failed for Kernel Configuration File System.
[DEPEND] Dependency failed for Root Mount.
[DEPEND] Dependency failed for Bind mount volatile /srv.
[DEPEND] Dependency failed for Local File Systems.
[DEPEND] Dependency failed for FUSE Control File System.
[DEPEND] Dependency failed for Load/Save OS Random Seed.
[DEPEND] Dependency failed for POSIX Message Queue File System.
[DEPEND] Dependency failed for Network Configuration.
[DEPEND] Dependency failed for Kernel Debug File System.
[DEPEND] Dependency failed for initctl Compatibility Named Pipe.
[DEPEND] Dependency failed for User Database Manager Socket.
[DEPEND] Dependency failed for Journal Socket.
[DEPEND] Dependency failed for Journal Service.
[DEPEND] Dependency failed for Bind mount volatile /var/cache.
[DEPEND] Dependency failed for Record System Boot/Shutdown in UTMP.
[DEPEND] Dependency failed for Record Runlevel Change in UTMP.
[DEPEND] Dependency failed for Flush Journal to Persistent Storage.
[DEPEND] Dependency failed for udev Control Socket.
[DEPEND] Dependency failed for Bind mount volatile /var/spool.
[DEPEND] Dependency failed for Kernel Trace File System.
[DEPEND] Dependency failed for /var/volatile.
[DEPEND] Dependency failed for Bind mount volatile /var/lib.
[DEPEND] Dependency failed for Journal Socket (/dev/log).
[DEPEND] Dependency failed for Network Name Resolution.
[DEPEND] Dependency failed for Huge Pages File System.
[DEPEND] Dependency failed for Temporary Directory /tmp.
[DEPEND] Dependency failed for User and Session Slice.
[DEPEND] Dependency failed for System Slice.
[DEPEND] Dependency failed for Network Service Netlink Socket.
[DEPEND] Dependency failed for Commit a transient machine-id on disk.
[DEPEND] Dependency failed for Rebuild Journal Catalog.
[DEPEND] Dependency failed for udev Kernel Socket.
[DEPEND] Dependency failed for Slice /system/getty.
[DEPEND] Dependency failed for Remount Root and Kernel File Systems.
[DEPEND] Dependency failed for Create Static Device Nodes in /dev.
[DEPEND] Dependency failed for Create Static Device Nodes in /dev gracefully.
[DEPEND] Dependency failed for Coldplug All udev Devices.
[DEPEND] Dependency failed for Load Kernel Modules.
[DEPEND] Dependency failed for Create System Users.
[DEPEND] Dependency failed for Emergency Shell.
[DEPEND] Dependency failed for Emergency Mode.
[DEPEND] Dependency failed for Rebuild Hardware Database.
[DEPEND] Dependency failed for Slice /system/modprobe.
[DEPEND] Dependency failed for Load Kernel Module drm.
[DEPEND] Dependency failed for Load Kernel Module configfs.
[DEPEND] Dependency failed for Load Kernel Module fuse.
[DEPEND] Dependency failed for Create System Files and Directories.
[DEPEND] Dependency failed for File System Check on Root Device.
[DEPEND] Dependency failed for Rule-based Manager for Device Events and Files.
[DEPEND] Dependency failed for Create List of Static Device Nodes.
[DEPEND] Dependency failed for Apply Kernel Variables.
[DEPEND] Dependency failed for Update is Completed.
[DEPEND] Dependency failed for Slice /system/serial-getty.
[DEPEND] Dependency failed for Generate network units from Kernel command line.
[DEPEND] Dependency failed for Sets the hostname and FQDN.
[DEPEND] Dependency failed for Journal Audit Socket.
[DEPEND] Dependency failed for Rebuild Dynamic Linker Cache.
[UNSUPP] Starting of Root Slice unsupported.
[DEPEND] Dependency failed for System Slice.
[DEPEND] Dependency failed for Emergency Shell.
[DEPEND] Dependency failed for Emergency Mode.

 

 

Hi @omar_aberkan!

You say you enabled

CFG_WITH_SOFTWARE_PRNG=y
CFG_HWRNG_PTA=y
CFG_IMX_TRUSTED_ARM_CE=y
CFG_HWRNG_QUALITY=1024

This appears to only be OP-TEE OS changes. Did you make appropriate changes to the Linux Kernel config? Following the document, you need changes to BOTH, i.e. these need to be added to the Kernel .conf file:

CONFIG_DM_CRYPT=y

CONFIG_TRUSTED_KEYS=m

CONFIG_TRUSTED_KEYS_TEE=y

CONFIG_IMX_SEC_ENCLAVE=n

CONFIG_IMX_ELE_TRNG=n

Please reply,

It even doesn't work with the latest styhead release. Systemd and/or other applications are not able to start. Many people have reported issues related to dm-crypt. But the support is very bad.

Yes, i did that. Disabling CONFIG_IMX_SEC_ENCLAVE causes CONFIG_SOC_IMX9 to be disabled, which if find very strange, maybe this is the cause why it gives problems?