IMX8QM HSM SECO implementation

bulat_a · ‎10-08-2021

Hello everyone!

I read the AN12096.pdf, and checked the imx-seco-libs & she_hsm_example sources but there are still some unclear points, could you please clarify them?

". The NVM manager must be only one on the system, it is subordinated to SECO requests and there is no specific domain in which it should run".

Only one on the system - on the SoC ? or I can, for example, run 2 Linux (by separating domains A72 and A53) and the system in this context it 2 OS's, thus, I will have 2 thread NVM managers works in parallel in 2 different OS on different domains?

Because I want to have HSM storage per cores/domains (HSM storage for M4_0, another for M4_1, and another for A53 domain, and one more on A72).

2. How the SECO FW will handle parallel requests to the HSM service? The request from another domain will be blocked until the first one will not complete fully or it can be handled in parallel?

Regards,

Bulat

_angelo_ · ‎10-18-2023

Hi have similar issues running wolfssl echoserver and echoclient, both would open nvm session, and this seems not possible since the channel is fixed to _mu2_ch1

Tried to check hsm lib about nvm, README is mostly blank.

What are "domains" ? I know processes in linux.

Rita_Wang · ‎10-21-2021

Could you tell us which version BSP are you using?

bulat_a · ‎10-21-2021

Based on

https://source.codeaurora.org/external/imx/meta-imx/log/?h=zeus-5.4.70-2.3.3

Rita_Wang · ‎10-26-2021

One important note for you. We DON"T support HSM API for i.MX8QM device, SHE API can be used in i.MX8QM.

Customer can try i.MX8QXP C0 or i.MX8DXL if they want to use HSM.

1.Please just keep one NVM manager for each domains. This single NVM storage session can support the key store from all users. User can open different session from each domain, and one single NVM session is enough for the user case.

2. There is no parallel in SECO HSM FW, new request will be blocked until SECO complete the previous HSM request.

Csongor · ‎03-16-2022

Hi!

One important note for you. We DON"T support HSM API for i.MX8QM device, SHE API can be used in i.MX8QM.

@Rita_Wang Could you provide a source for this information? The AN12906 document says: "The HSM architecture is compatible with only i.MX 8QXP Rev C0 and i.MX 8DXL.". This sounds like that the i.MX8QM does not; however,

- Both the IMX8QMAEC and the IMX8QMIEC datasheet document says: "Dedicated Security Controller for Flashless SHE and HSM support, Trustzone" (Page 3, Security row)
- And the IMX8QMSWSTACKDOC document says that "Security firmware supporting HSM, SHE and secure boot".

So which information is correct?

Sincerely,
Csongor

bulat_a · ‎10-26-2021

@Rita_Wang

Thanks for your reply, now it's more clear.

"We DON"T support HSM API for i.MX8QM device, SHE API can be used in i.MX8QM.", now I see in the documentation, I missed that part, thanks!

Do you know what this is related to?, because looks like some parts between the imx8 family are the same, for example, security subsystem with cortex-m0, I thought the HSM library it's just SW implementation of ROM code that should be common. or there is an HW difference in?

2. There is no parallel in SECO HSM FW, a new request will be blocked until SECO completes the previous HSM request.

"There is no parallel in SECO HSM FW" - it's clear, also I'm worried about how the SECO FW will work with 2 SHE storages due to anti-rollback counter.

About:

"User can open different session from each domain, and one single NVM session is enough for the user case."

The NVM session services handles replies from SECO, via RX channel of MUx

static char SECO_MU_SHE_PATH[] = "/dev/seco_mu1_ch0";

static char SECO_MU_SHE_NVM_PATH[] = "/dev/seco_mu1_ch1";

Thus, I have to send messages to SECO via seco_mu1_ch0 in each domain, but

MU1 cannot be shared between 2 OS's to use it simultaneously. (Or, need to find a way to have some global lock between domains).

I guess that I have to assign MU1 to OS1(A53) and MU2 to OS2(A72), for example.

So, I was thinking about fixing the she_hsm library for another OS in that way:

static char SECO_MU_HSM_PATH_PRIMARY[] = "/dev/seco_mu2_ch0"; -> static char SECO_MU_SHE_PATH[] = "/dev/seco_mu2_ch0";

static char SECO_MU_HSM_NVM_PATH[] = "/dev/seco_mu2_ch1"; -> static char SECO_MU_SHE_NVM_PATH[] = "/dev/seco_mu2_ch1";

And for M4s

SECO_MU3 -> to M4_0

SECO_MU4 -> to M4_1

so, each domain will have access to the SHE API.