ISSUE: error during i.MX 6ULL optee + hab(secure boot) booting together

Karun
Contributor II

Hello NXP Team,

I am currently trying to boot with HAB + OP-TEE on the i.MX 6ULL processor.

HAB-only booting is working properly with signed U-Boot and kernel.

But when we add OP-TEE by flashing it into a partition and booting with it as per the Linux porting guide, we get key verification failure logs when U-Boot loads OP-TEE, as shown below:

[2025-05-26 14:34:36.673] NAND read: device 0 offset 0x600000, size 0xa00000
[2025-05-26 14:34:37.557] 10485760 bytes read: OK
[2025-05-26 14:34:37.557]
[2025-05-26 14:34:37.557] NAND read: device 0 offset 0x1000000, size 0x100000
[2025-05-26 14:34:37.657] 1048576 bytes read: OK
[2025-05-26 14:34:37.657]
[2025-05-26 14:34:37.657] NAND read: device 0 offset 0x1100000, size 0x200000
[2025-05-26 14:34:37.890] 2097152 bytes read: OK
[2025-05-26 14:34:37.890] hab fuse not enabled
[2025-05-26 14:34:37.890]
[2025-05-26 14:34:37.890] Authenticate image from DDR location 0x84000000...
[2025-05-26 14:34:37.890] bad magic magic=0xff length=0xffff version=0xff
[2025-05-26 14:34:37.890] bad length magic=0xff length=0xffff version=0xff
[2025-05-26 14:34:37.890] bad version magic=0xff length=0xffff version=0xff
[2025-05-26 14:34:37.890] Error: Invalid IVT structure

The whole logs are attached here for reference.

 

So based on this we have 3 questions:

1) Is OP-TEE + HAB booting supported together?

2) If yes, then what are the steps to sign OP-TEE, because U-Boot is verifying the OP-TEE image at 0x84000000, where OP-TEE is loaded?

3) We are not able to see any logs when OP-TEE boots; we only see OP-TEE driver logs during kernel booting, as shown below:

[2025-05-26 14:34:43.509] [ 2.264359] optee: probing for conduit method.
[2025-05-26 14:34:43.509] [ 2.269199] optee: revision 3.19 (00919403)
[2025-05-26 14:34:43.509] [ 2.270081] optee: dynamic shared memory is enabled
[2025-05-26 14:34:43.509] [ 2.280783] optee: initialized driver

So how can we verify that OP-TEE is properly booted and the secure environment is generated?

We are not able to see any steps in NXP's Linux porting guide to verify that OP-TEE is loaded and working, so provide us the steps and logs to verify it.

Harvey021
NXP TechSupport

Hello @Karun 

Sign the tee the same way as signing the kernel. Run "xtest" to check that tee is working, as stated in <5.6 How to compile OP-TEE> of the Porting guide.

 

Regards

Harvey

Karun
Contributor II

Thank you @Harvey021,

From the logs below, it seems it authenticates the tee image and gives the error "Error: Invalid IVT structure",

then it starts the kernel.

 

[2025-05-26 14:34:37.890] Authenticate image from DDR location 0x84000000...
[2025-05-26 14:34:37.890] bad magic magic=0xff length=0xffff version=0xff
[2025-05-26 14:34:37.890] bad length magic=0xff length=0xffff version=0xff
[2025-05-26 14:34:37.890] bad version magic=0xff length=0xffff version=0xff
[2025-05-26 14:34:37.890] Error: Invalid IVT structure
[2025-05-26 14:34:37.890] Kernel image @ 0x80800000 [ 0x000000 - 0x916208 ]
[2025-05-26 14:34:37.890] hab fuse not enabled
[2025-05-26 14:34:37.890]
[2025-05-26 14:34:37.890] Authenticate image from DDR location 0x80800000...
[2025-05-26 14:34:39.307]
[2025-05-26 14:34:39.307] Secure boot disabled
[2025-05-26 14:34:39.307]
[2025-05-26 14:34:39.307] HAB Configuration: 0xf0, HAB State: 0x66
[2025-05-26 14:34:39.307] No HAB Events Found!

 

Here, DDR location 0x84000000 is my tee address: ([2025-05-26 14:34:20.040] tee_addr=0x84000000)

 

Below is my nandtee partition.

[2025-05-26 14:34:20.040] bootargs=console=ttymxc0,115200 ubi.mtd=5 root=ubi0:nandrootfs rootfstype=ubifs mtdparts=gpmi-nand:5m(nandboot),1m(env),10m(nandkernel),1m(nanddtb),2m(nandtee),-(nandrootfs)

 

 

- In section <5.6 How to compile OP-TEE> of the Porting guide, they have just given the steps to compile it, but have not mentioned tee signing steps.

- Is our understanding correct that it is required to sign tee? We haven't come across any such signing steps in the HAB documents, but we get this tee image authentication in the boot log.

  

Harvey021
NXP TechSupport

tee is optional, you don't need to integrate it if that is not necessary.

 

Regards

Harvey

Karun
Contributor II

Thank you @Harvey021 

I have signed the tee the same way as the kernel and now it is working (meaning it is not giving the authentication error).

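Added example, not part of the original thread and not NXP or U-Boot code: a host-side check that a tee or kernel image carries a plausible HAB4 IVT before it is flashed, reporting header problems in the same wording as the "bad magic / bad length / bad version" lines in the log above. The names `check_ivt` and `build_sample`, the 0x1000 IVT offset and the sample images are assumptions constructed for illustration; the self and CSF pointer checks are extra sanity checks, and 0x84000000 is the `tee_addr` from the thread.

```python
import struct

# HAB4 IVT header constants: tag 0xD1, total length 0x20, major version 0x4x
IVT_TAG, IVT_LEN, HAB_MAJOR = 0xD1, 0x20, 0x40

def check_ivt(image: bytes, ivt_offset: int, load_addr: int) -> list[str]:
    """Return the problems found in the IVT at ivt_offset (empty list = plausible)."""
    raw = image[ivt_offset:ivt_offset + IVT_LEN]
    if len(raw) < IVT_LEN:
        return ["image ends before the IVT offset"]
    # Header is tag, big-endian length, version; the body is seven LE words.
    tag, length, version = struct.unpack(">BHB", raw[:4])
    _entry, _r1, _dcd, _boot, self_ptr, csf, _r2 = struct.unpack("<7I", raw[4:])
    seen = f"magic={tag:#x} length={length:#x} version={version:#x}"
    problems = []
    if tag != IVT_TAG:
        problems.append("bad magic " + seen)
    if length != IVT_LEN:
        problems.append("bad length " + seen)
    if (version & 0xF0) != HAB_MAJOR:
        problems.append("bad version " + seen)
    if problems:
        return problems          # header invalid: pointers are meaningless
    # The IVT must describe the address the bootloader will load it to.
    if self_ptr != load_addr + ivt_offset:
        problems.append(f"ivt.self {self_ptr:#x} != {load_addr + ivt_offset:#x}")
    if csf == 0:
        problems.append("csf pointer is zero: IVT present but no signature data")
    return problems

def build_sample(load_addr: int, payload: bytes, align: int = 0x1000) -> bytes:
    """Constructed test image: payload padded to `align`, then a minimal IVT."""
    body = payload + b"\x00" * (-len(payload) % align)
    self_ptr = load_addr + len(body)
    ivt = struct.pack(">BHB", IVT_TAG, IVT_LEN, 0x41) + struct.pack(
        "<7I", load_addr, 0, 0, 0, self_ptr, self_ptr + IVT_LEN, 0)
    return body + ivt

if __name__ == "__main__":
    TEE_ADDR = 0x84000000                      # tee_addr from the boot log
    erased = b"\xff" * 0x2000                  # constructed: all-0xff region
    for line in check_ivt(erased, 0x1000, TEE_ADDR):
        print(line)
    print(check_ivt(build_sample(TEE_ADDR, b"\x00" * 0x123), 0x1000, TEE_ADDR))
```

A header that reads back as all 0xff, as in the log, means there is no IVT at the offset being authenticated, which is what an image that was never signed looks like.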