For our custom board based on imx6ulevk with Yocto/Freescale branch: 4.14.98_2.0.0_ga, we have OPTEE-OS working; it boots and we can launch client apps through OPTEE.
The next step is to access devices securely through OPTEE (I2C / SPI). We have integrated the drivers and also registered the secure memory for the peripheral bus and initialized the driver at boot.
Unfortunately, when we try to start an I2C or SPI transaction, the system panics and freezes.
We checked the MMU for the virtual address to physical address mappings and they are correct.
We think the ARM TrustZone kicks in and refuses the access to the peripheral(s), but we do not know where to set the access/policy control bits.
Does anybody know how to get peripheral access working within OPTEE-OS, or where to look to get things working?
Good to know: we start U-Boot (non-secure / no HAB at this moment / no SPL) and jump to OPTEE-OS after that, followed by the Linux kernel.
We have found the cause and it was not what we expected.
It has nothing to do with the access control bits / policy of OPTEE-OS, but with the ownership of the peripheral clocks (the CCGRx registers).
It turned out that during OPTEE initialization all peripheral clocks were enabled, but when the Linux kernel starts, some were turned off.
When starting an OPTEE client app accessing secure hardware, the peripheral clocks were disabled, resulting in 'freezing' OPTEE-OS. So, we check the required peripheral clocks when needed in the Opensession in the PTA.
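The clock check described in the resolution above, as an added sketch that is not code from the original post or from OP-TEE. The function names are hypothetical, and the gate positions (I2C1 in CCGR2/CG3, ECSPI1 in CCGR1/CG0) are assumptions to verify against the i.MX6UL reference manual; the CCM block is simulated with an array so the logic runs on a host.

```c
#include <stdint.h>
#include <stdio.h>

/* i.MX6 CCM: CCGR0 sits at offset 0x68 from the CCM base and CCGR1..6
 * follow at 4-byte steps. Each CCGR holds sixteen 2-bit gate fields
 * (CG0..CG15); 0b11 keeps the clock running in all modes except STOP. */
#define CCM_CCGR0_OFFSET 0x68u
#define CCGR_CG_MASK     0x3u
#define CCGR_CG_ON       0x3u

struct clk_gate { uint8_t ccgr; uint8_t cg; };

/* Assumed gate positions; check them against the reference manual. */
static const struct clk_gate I2C1_GATE   = { 2, 3 };
static const struct clk_gate ECSPI1_GATE = { 1, 0 };

/* Returns 1 if the gate was not fully on and had to be re-enabled, else 0.
 * In a PTA, ccm_base would be the secure-world virtual address of the CCM. */
static int clk_gate_ensure_on(volatile uint8_t *ccm_base, struct clk_gate g)
{
    volatile uint32_t *reg =
        (volatile uint32_t *)(ccm_base + CCM_CCGR0_OFFSET + 4u * g.ccgr);
    unsigned shift = 2u * g.cg;
    uint32_t val = *reg;

    if (((val >> shift) & CCGR_CG_MASK) == CCGR_CG_ON)
        return 0;
    *reg = (val & ~(CCGR_CG_MASK << shift)) | (CCGR_CG_ON << shift);
    return 1;
}

/* Hypothetical helper to call from the PTA's open-session entry point,
 * before the first I2C/SPI register access. Returns gates re-enabled. */
static int pta_clock_check(volatile uint8_t *ccm_base)
{
    return clk_gate_ensure_on(ccm_base, I2C1_GATE) +
           clk_gate_ensure_on(ccm_base, ECSPI1_GATE);
}

int main(void)
{
    /* Constructed stand-in for the CCM block: all gates on, then I2C1 off,
     * as if the Linux kernel had gated an "unused" clock after boot. */
    static uint32_t sim[0x90 / 4];
    for (unsigned i = 0; i < 0x90 / 4; i++)
        sim[i] = 0xFFFFFFFFu;
    sim[(CCM_CCGR0_OFFSET + 4 * 2) / 4] &= ~(CCGR_CG_MASK << 6);
    printf("gates re-enabled: %d\n", pta_clock_check((volatile uint8_t *)sim));
    return 0;
}
```

Because the normal world still owns the CCM in this setup, it can gate a clock again after the session is opened, so the same check can also be called before each bus transaction.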