Unable to open OP-TEE session (err=-5)

moose
Contributor IV

Hello, I am getting this error when booting a custom board based on the imx8mn_evk machine using LF6.1.55-2.2.0 bsp. Uboot and Linux boot OK, but we would like to address this error to confirm we don't have a security issue. Thank you.

14 replies

moose
Contributor IV

@AldoG any update on this?

AldoG
NXP TechSupport

Hello,

You may be using the wrong OP-TEE flavor. To run UEFI secure boot, you need an OP-TEE that supports STMM.

Please refer to the i.MX Porting Guide, section 5 Configuring OP-TEE.

Best regards/Saludos,
Aldo.

moose
Contributor IV

What do you mean by "OPTEE flavor"?

I have already looked up the porting guide.

As mentioned in the post, I am using the same board files as imx8mn_evk machine, including the defconfig file and flash target (flash_evk). Most of the information in the porting guide discussed is detailed in soc.mak within imx-mkimage tool and the defconfig file configures uboot with the appropriate configurations. Not sure what we are missing...

AldoG
NXP TechSupport

Hello,

Sorry for the delayed response. Could you provide more information, like which configuration you are using?

Best regards/Saludos,
Aldo.

moose
Contributor IV

@AldoG, can you be more specific about what extra information you need? I mentioned the yocto machine, flash target, and uboot configuration we are using. All this is part of the nxp bsp release. The imx8mn_evk machine selects the optee platform flavor "mx8mnevk". Please review this optee-os recipe if you are not familiar with it. I'm not sure what else I can provide. Have you tried booting an imx8mn_evk board? Do you see the same error?

Also, not sure why you are saying we need to select stmm? I'm not familiar with stmm, but it sounds to me like something different, and the imx8mn_evk did not select it. You need to specifically include 'stem' in MACHINE_FEATURES, which the imx8mn_evk did not do, and it was tested against the security reference design. Can you elaborate on stmm?

AldoG
NXP TechSupport

Hello,

Sorry for the confusion, so in short you're using the normal build and trying to boot with this, same as on the EVK, correct?
I will try on my side. Any other secure boot configuration that you're using?

Best regards/Saludos,
Aldo.

moose
Contributor IV

Correct. No special settings. When can you report on your EVK test?

AldoG
NXP TechSupport

Hello,

I just finished the test on my side using i.MX8MN LPDDR4 EVK. I see the same error message, but I said this is because it expects UEFI secure boot; since for default settings this is not the case, it shows the error message.

From your comments I understand that you're not interested in this kind of feature, correct?
Then if not used it can be disabled when building on yocto and the error will disappear.

Best regards/Saludos,
Aldo.

moose
Contributor IV

@AldoG, we are using secure boot. Our image is signed, and the secure boot fuse is blown. The hardware does authenticate the image and boot fine, but we are still getting this error. If secure UEFI is a separate feature not related to secure boot, please clarify how to disable it. If it is the secure boot feature, then please troubleshoot how we can address the error.

In either case, please clarify what needs to be done to boot without this error message. 

AldoG
NXP TechSupport

Hello,

Sorry for the delayed response. If you're not interested in having op-tee enabled, it is not related to secure boot; you may disable it in yocto by writing in your local.conf:
MACHINE_FEATURES:remove = "optee"
IMAGE_INSTALL:remove = "optee-test optee-os optee-client optee-examples"

Or by uncommenting at meta-imx/meta-bsp/conf/layer.conf the line:
MACHINE_FEATURES:remove = "optee"

Any of the above should be enough and have the same effect.

Best regards/Saludos,
Aldo.

moose
Contributor IV

@AldoG I never said we are not interested in optee! We use Optee to support encryption for a couple of run-time applications, so we need Optee regardless of secure boot.

Can you tell us how we address this issue without disabling optee?

AldoG
NXP TechSupport

Hello,

This is what I meant when I asked if there was any special configuration you were using. If optee is needed, I would say that this error does not impact your secure boot environment, since this error is shown when tee_open_session() tries to open a session to a Trusted Application and fails. Unfortunately I do not have enough information on how this should be handled; I would suggest reaching out to the optee project mail list for assistance if you want to get rid of this "issue".

For your reference:
https://github.com/nxp-imx/uboot-imx/blob/lf_v2022.04/lib/efi_loader/efi_variable_tee.c#L33
https://github.com/nxp-imx/uboot-imx/blob/lf_v2022.04/include/tee.h#L355
https://github.com/OP-TEE/optee_os

Best regards/Saludos,
Aldo.
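
A build-time check for the mismatch described in this thread, added here as an example that is not part of any post and is not NXP or U-Boot code. It assumes, from upstream U-Boot and OP-TEE rather than from the thread, that `efi_variable_tee.c` is built when `CONFIG_EFI_MM_COMM_TEE=y` and that OP-TEE embeds StMM through `CFG_STMM_PATH`; the file names and sample contents are constructed.

```shell
#!/bin/sh
# Added example: flag a U-Boot build that stores EFI variables through OP-TEE
# while the OP-TEE build carries no StMM image to open a session to.

# kconfig_enabled FILE SYMBOL: exit 0 if FILE contains "SYMBOL=y".
kconfig_enabled() {
    grep -Eq "^$2=y[[:space:]]*\$" "$1"
}

# optee_value FILE NAME: print the value assigned to NAME in a conf.mk-style
# file ("NAME := v", "NAME ?= v" or "NAME = v"); the last assignment wins.
# Commented lines such as "# NAME is not set" do not match.
optee_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*[:?]*=[[:space:]]*//p" "$1" | tail -n 1
}

# efi_tee_status UBOOT_CONFIG OPTEE_CONF: print a verdict, return 1 on mismatch.
efi_tee_status() {
    if ! kconfig_enabled "$1" CONFIG_EFI_MM_COMM_TEE; then
        echo "ok: U-Boot does not route EFI variables through OP-TEE"
        return 0
    fi
    stmm=$(optee_value "$2" CFG_STMM_PATH)
    if [ -n "$stmm" ]; then
        echo "ok: OP-TEE embeds StMM from $stmm"
        return 0
    fi
    echo "mismatch: CONFIG_EFI_MM_COMM_TEE=y but CFG_STMM_PATH is unset"
    return 1
}

# demo: run the check on constructed sample files (not taken from the BSP).
demo() {
    d=$(mktemp -d)
    printf 'CONFIG_EFI_LOADER=y\nCONFIG_EFI_MM_COMM_TEE=y\n' > "$d/uboot.config"
    printf 'CFG_CRYPTO := y\n# CFG_STMM_PATH is not set\n' > "$d/conf.mk"
    efi_tee_status "$d/uboot.config" "$d/conf.mk"
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Point the two arguments at the `.config` in the U-Boot build directory and the `conf.mk` in the OP-TEE output directory of your own build.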

naveenprasath_0
Contributor I

Hi,

I am also facing this same error. Is there any resolution for this?

moose
Contributor IV
Haven't solved it yet.