OPTEE + PKCS11 + RPMB on imx8mp evk


4,846 Views
msivanesancq
Contributor I

Dear Staff,

I am planning to use PKCS#11 with OP-TEE on an i.MX 8M Plus board.

I am getting the error below when running the PKCS#11 tool:

root:~# p11tool --list-tokens --provider=/usr/lib/libckteec.so.0
ERR [1181] LT:ckteec_invoke_init:304: TEEC open session failed ffff000f from 3

pkcs11_add_provider: PKCS #11 error in device

I have enabled the CFG_ flags below when building the OP-TEE OS and client.

RPMB_EMU=0 \
CFG_TEE_CORE_LOG_LEVEL=4 \
CFG_TEE_TA_LOG_LEVEL=4 \
CFG_TEE_CLIENT_LOG_LEVEL=4 \
CFG_TEE_SUPP_LOG_LEVEL=4 \
CFG_TEE_SUPP_PLUGINS=y \
CFG_BUILT_IN_ARGS=y \
CFG_PKCS11_TA=y \
CFG_STMM_PATH=BL32_AP_MM.fd \
CFG_RPMB_FS=y \
CFG_IMX_SNVS=n \
CFG_NXP_CAAM=n \
CFG_RPMB_WRITE_KEY=y \
CFG_RPMB_FS_DEV_ID=2 \
CFG_CORE_DYN_SHM=y \
CFG_RPMB_TESTKEY=y \
CFG_REE_FS=n \
CFG_SCTLR_ALIGNMENT_CHECK=n \
CFG_CORE_HEAP_SIZE=2097152 \
CFG_TEE_RAM_VA_SIZE=4194304 \
CFG_PREALLOC_RPC_CACHE=n \
CFG_WERROR=y \

When referring to the i.MX 6 / i.MX 8 Security Manual (L-1004e.A2) I could see the information below. Does it mean we cannot use OP-TEE with i.MX 8M Plus platforms?

Please confirm. Thank you

[two screenshots of the referenced manual section attached]
7 Replies

4,806 Views
Harvey021
NXP TechSupport

Hi,

I'm not sure about these from PHYTEC; I would suggest you raise a ticket there.

Meanwhile, you can refer to section <10.4.7 Running OpenSSL asymmetric tests with PKCS#11 based engine> of IMX_LINUX_USERS_GUIDE.pdf and section <5 Configuring OP-TEE> of IMX_PORTING_GUIDE.pdf.

Regards

Harvey

4,801 Views
msivanesancq
Contributor I

Hi Harvey,

Thank you for the response.

Now I am able to generate keys.

Still I have one more question about RPMB.

How can we confirm that the RPMB is used when the keys are being generated and stored with PKCS11?

Thank you


4,778 Views
msivanesancq
Contributor I

Hi Harvey,

The error (ERR [1282] LT:ckteec_invoke_init:304: TEEC open session failed ffff000f from 3) still appears when I force the device to use RPMB.

It seems the system works without RPMB enabled, which I think is not safe from a security perspective.

It is failing on this line, where the ioctl call with the user data happens inside tee_client_api.c:

rc = ioctl(ctx->fd, TEE_IOC_OPEN_SESSION, &buf_data);

Is this a driver issue? Should I add any drivers to the board? Expecting your advice on this.

Thank you

4,662 Views
Harvey021
NXP TechSupport

1. You can verify with the U-Boot command to determine whether RPMB is enabled.

u-boot=> mmc rpmb counter
RPMB Write counter= 148c

2. According to the OP-TEE secure storage document,

https://optee.readthedocs.io/en/3.17.0/architecture/secure_storage.html

[screenshot of the secure storage documentation attached]

The 'dirfile.db.hash' will be stored in RPMB. We think this is the default way in OP-TEE to protect the private key in the REE FS.

3. For the ioctl problem, please check whether tee-supplicant is running.

[screenshot attached]

Regards

Harvey
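The two checks above (the U-Boot write counter and whether tee-supplicant is running) and the earlier question of how to confirm that RPMB is really used when keys are stored can be turned into a small script. This is an added example, not code from the thread, from NXP or from OP-TEE. The TEEC_* values are the public constants of the GlobalPlatform client API header (tee_client_api.h): the posted "ffff000f from 3" decodes to TEEC_ERROR_SECURITY raised by the TEE core (origin 3 = TEEC_ORIGIN_TEE). Since OP-TEE reaches RPMB through an RPC to tee-supplicant, which opens the partition as /dev/mmcblk<CFG_RPMB_FS_DEV_ID>rpmb, the supplicant and that device node must both be present; the device id 2 and the supplicant process name are assumptions taken from the poster's build flags.

```shell
#!/bin/sh
# Added example for the OP-TEE client error discussed above; not code from the
# NXP thread, NXP or OP-TEE. TEEC_* names/values are the public constants from
# tee_client_api.h. Paths assume the poster's setup: CFG_RPMB_FS_DEV_ID=2 maps
# to /dev/mmcblk2rpmb in tee-supplicant, and the supplicant runs as a process
# named tee-supplicant.

# Map a TEEC return code as printed by libteec (e.g. "ffff000f") to its name.
teec_result_name() {
    code=$(printf '%s' "$1" | tr 'A-F' 'a-f' | sed 's/^0x//')
    case "$code" in
        0|00000000) echo TEEC_SUCCESS ;;
        ffff0000) echo TEEC_ERROR_GENERIC ;;
        ffff0001) echo TEEC_ERROR_ACCESS_DENIED ;;
        ffff0002) echo TEEC_ERROR_CANCEL ;;
        ffff0003) echo TEEC_ERROR_ACCESS_CONFLICT ;;
        ffff0004) echo TEEC_ERROR_EXCESS_DATA ;;
        ffff0005) echo TEEC_ERROR_BAD_FORMAT ;;
        ffff0006) echo TEEC_ERROR_BAD_PARAMETERS ;;
        ffff0007) echo TEEC_ERROR_BAD_STATE ;;
        ffff0008) echo TEEC_ERROR_ITEM_NOT_FOUND ;;
        ffff0009) echo TEEC_ERROR_NOT_IMPLEMENTED ;;
        ffff000a) echo TEEC_ERROR_NOT_SUPPORTED ;;
        ffff000b) echo TEEC_ERROR_NO_DATA ;;
        ffff000c) echo TEEC_ERROR_OUT_OF_MEMORY ;;
        ffff000d) echo TEEC_ERROR_BUSY ;;
        ffff000e) echo TEEC_ERROR_COMMUNICATION ;;
        ffff000f) echo TEEC_ERROR_SECURITY ;;
        ffff0010) echo TEEC_ERROR_SHORT_BUFFER ;;
        ffff3024) echo TEEC_ERROR_TARGET_DEAD ;;
        *) echo "UNKNOWN($code)" ;;
    esac
}

# Map the "from N" origin field to the layer that raised the error.
teec_origin_name() {
    case "$1" in
        1) echo TEEC_ORIGIN_API ;;
        2) echo TEEC_ORIGIN_COMMS ;;
        3) echo TEEC_ORIGIN_TEE ;;
        4) echo TEEC_ORIGIN_TRUSTED_APP ;;
        *) echo "UNKNOWN($1)" ;;
    esac
}

# Difference between two RPMB write counters as printed by "mmc rpmb counter"
# in U-Boot (hexadecimal, e.g. 148c). Read it before and after generating a
# key with p11tool; a positive delta proves the TEE wrote to RPMB.
rpmb_counter_delta() {
    before=$(( 0x$1 ))
    after=$(( 0x$2 ))
    echo $(( after - before ))
}

# Linux-side prerequisites for RPMB-backed secure storage. Stops at the first
# missing item and returns non-zero. Device paths are assumptions (see above).
check_tee_runtime() {
    dev_id=${1:-2}   # CFG_RPMB_FS_DEV_ID from the OP-TEE build
    [ -c /dev/tee0 ]     || { echo "missing /dev/tee0 (optee kernel driver not loaded)"; return 1; }
    [ -c /dev/teepriv0 ] || { echo "missing /dev/teepriv0 (supplicant interface)"; return 1; }
    [ -e "/dev/mmcblk${dev_id}rpmb" ] || { echo "missing /dev/mmcblk${dev_id}rpmb"; return 1; }
    pgrep -x tee-supplicant >/dev/null || { echo "tee-supplicant is not running"; return 1; }
    echo "ok: TEE devices, RPMB partition and tee-supplicant present"
}

# Usage: ./teecheck.sh decode ffff000f 3
#        ./teecheck.sh check 2
case "${1:-}" in
    decode) echo "$(teec_result_name "$2") from $(teec_origin_name "$3")" ;;
    check)  check_tee_runtime "${2:-2}" ;;
esac
```

Two caveats for reading the results. A TEEC_ERROR_SECURITY from the core on the first session to the PKCS#11 TA is worth checking against the RPMB log lines from tee-supplicant (the poster already builds with CFG_TEE_SUPP_LOG_LEVEL=4), since the TA opens its persistent storage at that point. And the poster's CFG_RPMB_TESTKEY=y makes OP-TEE authenticate with a fixed, publicly known test key, so an incrementing write counter confirms that RPMB is used but not that the stored keys are protected; a production build derives the RPMB key from the SoC's hardware unique key instead.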

4,680 Views
Harvey021
NXP TechSupport

Hi,

What version of BSP are you using?


Regards

Harvey

4,710 Views
msivanesancq
Contributor I

Hi NXP,

Do you have any update on this?

4,621 Views
msivanesancq
Contributor I

Linux version 5.15.52
