Good day,
I've already managed to lock the HAB e-fuses in my i.MX8M Mini device and boot a signed u-boot image successfully. I'm stuck at creating the dek.blob file in preparation for creating an encrypted u-boot image. The OP-TEE that I've built gives an error message when u-boot loads.
The SOM is a Forlinx i.MX8M Mini board with 2GB RAM & 8GB eMMC.
I think my build steps match what is discussed in the post: Enabling OP-TEE in i.MX8MM EVK FIT image
My build steps are as follows:
Sources used:
ATF: https://source.codeaurora.org/external/imx/imx-atf
OP-TEE: http://source.codeaurora.org/external/imx/imx-optee-os
mk-image: https://source.codeaurora.org/external/imx/imx-mkimage/
Version checked out tag: lf-5.10.72-2.2.0
I've followed the guide included with u-boot: /doc/imx/habv4/guides/mx8m_encrypted_boot.txt
Section 1.4 covers how to build OP-TEE support in ATF & how to compile OP-TEE:
ATF:
Documentation:
$ make PLAT=<SoC Name> SPD=opteed bl31
My command:
$ make PLAT=imx8mm SPD=opteed bl31 LDFLAGS=
OP-TEE-os:
Documentation:
$ CFG_NXPCRYPT=y CFG_GEN_DEK_BLOB=y source ./scripts/nxp_build.sh <Board Name>
My command:
$ ARCH=arm CFG_TEE_CORE_LOG_LEVEL=4 CROSS_COMPILE64=${CROSS_COMPILE} CFLAGS="--sysroot=${SDKTARGETSYSROOT}" LDFLAGS= CFG_NXPCRYPT=y CFG_GEN_DEK_BLOB=y source ./scripts/nxp_build.sh imx-mx8mmevk
I've enabled the required flags in the uboot config file:
CONFIG_FSL_CAAM=y
CONFIG_SYS_FSL_SEC_COMPAT_4=y
CONFIG_SYS_FSL_SEC_COMPAT=4
CONFIG_SYS_FSL_SEC_LE=y
CONFIG_CMD_DEKBLOB=y
CONFIG_OPTEE_LOAD_ADDR=0xbe000000
(What about CONFIG_OPTEE_TZDRAM_SIZE and CONFIG_OPTEE_TZDRAM_BASE ?)
Assemble the files in mk-image/iMX8M:
cp ../OK8MM-linux-uboot/spl/u-boot-spl.bin iMX8M/
cp ../OK8MM-linux-uboot/u-boot-nodtb.bin iMX8M/
cp ../OK8MM-linux-uboot/tools/mkimage iMX8M/mkimage_uboot
cp ../imx-atf/build/imx8mm/release/bl31.bin iMX8M/
cp ../imx-optee-os/build.imx-mx8mmevk/core/tee.bin iMX8M/
cp ../OK8MM-linux-uboot/arch/arm/dts/imx8mm-ddr4-evk.dtb iMX8M/
dd if=/dev/zero of=iMX8M/dek_blob_fit_dummy.bin bs=96 count=1 && sync
make SOC=iMX8MM flash_ddr4_evk 1>iMX8M/flash.log 2>&1
make SOC=iMX8MM print_fit_hab 1>>iMX8M/flash.log 2>&1
I've created the CSF spl & fit files and signed the u-boot image. The signed u-boot was programmed to a SD card.
I've booted the u-boot binary on my HAB locked i.MX8M Mini device:
U-Boot SPL 2021.04-dirty (Feb 28 2022 - 23:02:25 +0200)
power_bd71837_init
DDRINFO: start DRAM init
DDRINFO: DRAM rate 2400MTS
DDRINFO:ddrphy calibration done
DDRINFO: ddrmix config done
SEC0: RNG instantiated
Normal Boot
Trying to boot from MMC1
Authenticate image from DDR location 0x401fcdc0, image_size=0x3020, ivt_offset=0x1000
NOTICE: BL31: v2.4(release):lf-5.10.72-2.2.0-0-g5782363f9
NOTICE: BL31: Built : 19:24:31, Feb 27 2022
ERROR: Error initializing runtime service opteed_fast <<< First error message
U-Boot 2021.04-dirty (Feb 28 2022 - 23:02:25 +0200)
CPU: i.MX8MMQ rev1.0 1800 MHz (running at 1200 MHz)
CPU: Commercial temperature grade (0C to 95C) at 32C
Reset cause: POR
Model: FORLINX
DRAM: 2 GiB
MMC: FSL_SDHC: 1, FSL_SDHC: 2
...
...
Hit any key to stop autoboot: 0
u-boot=> dek_blob 0x40402000 0x40403000 128
Cannot get OP-TEE device <<<< Second error message
Any help to get past the initialisation error will be much appreciated.
Regards,
Frikkie
Good day,
I've confirmed that I get the same error when repeating the steps on the imx_5.4.70_2.3.0 branch.
I've attached the log file from the mkimage command as well as the SPL and FIT csf files for the code signing tool.
U-Boot log
U-Boot SPL 2020.04-00001-g44f5949dd9-dirty (Mar 03 2022 - 11:40:33 +0200)
power_bd71837_init
DDRINFO: start DRAM init
DDRINFO: DRAM rate 2400MTS
DDRINFO:ddrphy calibration done
DDRINFO: ddrmix config done
Normal Boot
Trying to boot from MMC1
Authenticate image from DDR location 0x401fcdc0, image_size=0x3020, ivt_offset=0x1000
NOTICE: BL31: v2.4(release):lf-5.10.72-2.2.0-0-g5782363f9
NOTICE: BL31: Built : 19:24:31, Feb 27 2022
ERROR: Error initializing runtime service opteed_fast
...
...
u-boot=> dek_blob 0x40402000 0x40403000 128
Cannot get OP-TEE device