Hello everyone!
I read the AN12096.pdf, and checked the imx-seco-libs & she_hsm_example sources but there are still some unclear points, could you please clarify them?
". The NVM manager must be only one on the system, it is subordinated to SECO requests and there is no specific domain in which it should run".
Because I want to have HSM storage per cores/domains (HSM storage for M4_0, another for M4_1, and another for A53 domain, and one more on A72).
2. How the SECO FW will handle parallel requests to the HSM service? The request from another domain will be blocked until the first one will not complete fully or it can be handled in parallel?
Regards,
Bulat
Hi have similar issues running wolfssl echoserver and echoclient, both would open nvm session, and this seems not possible since the channel is fixed to _mu2_ch1
Tried to check hsm lib about nvm, README is mostly blank.
What are "domains" ? I know processes in linux.
Could you tell us which version BSP are you using?
One important note for you. We DON"T support HSM API for i.MX8QM device, SHE API can be used in i.MX8QM.
Customer can try i.MX8QXP C0 or i.MX8DXL if they want to use HSM.
1.Please just keep one NVM manager for each domains. This single NVM storage session can support the key store from all users. User can open different session from each domain, and one single NVM session is enough for the user case.
2. There is no parallel in SECO HSM FW, new request will be blocked until SECO complete the previous HSM request.
Hi!
One important note for you. We DON"T support HSM API for i.MX8QM device, SHE API can be used in i.MX8QM.
@Rita_Wang Could you provide a source for this information? The AN12906 document says: "The HSM architecture is compatible with only i.MX 8QXP Rev C0 and i.MX 8DXL.". This sounds like that the i.MX8QM does not; however,
- Both the IMX8QMAEC and the IMX8QMIEC datasheet document says: "Dedicated Security Controller for Flashless SHE and HSM support, Trustzone" (Page 3, Security row)
- And the IMX8QMSWSTACKDOC document says that "Security firmware supporting HSM, SHE and secure boot".
So which information is correct?
Sincerely,
Csongor
Thanks for your reply, now it's more clear.
"We DON"T support HSM API for i.MX8QM device, SHE API can be used in i.MX8QM.", now I see in the documentation, I missed that part, thanks!
Do you know what this is related to?, because looks like some parts between the imx8 family are the same, for example, security subsystem with cortex-m0, I thought the HSM library it's just SW implementation of ROM code that should be common. or there is an HW difference in?
2. There is no parallel in SECO HSM FW, a new request will be blocked until SECO completes the previous HSM request.
"There is no parallel in SECO HSM FW" - it's clear, also I'm worried about how the SECO FW will work with 2 SHE storages due to anti-rollback counter.
About:
"User can open different session from each domain, and one single NVM session is enough for the user case."
The NVM session services handles replies from SECO, via RX channel of MUx