adding optee hangs secure boot

greeran
Contributor III

Hello,

I would like to secure my imx8mp. I added secure boot (HAB) and a FIT image that verifies the rootfs. The boot flow is secure and successful. Now I would like to add optee, but when I add the configuration for optee the boot flow hangs (freezes). The configuration I add:

conf:

MACHINE_FEATURES:append = " optee"
DISTRO_FEATURES:append = " optee"

TEE_CFG_DDR_SIZE = "0x100000000"

image:

IMAGE_INSTALL:append = " optee-os optee-client optee-test"

 

On boot I get:

U-Boot SPL 2022.04-lf_v2022.04_var01+g49ec7c516a (Jan 22 2023 - 09:08:56 +0000)
SEC0: RNG instantiated
Normal Boot
Trying to boot from BOOTROM
image offset 0x8000, pagesize 0x200, ivt offset 0x0
hab fuse not enabled

Authenticate image from DDR location 0x401fcdc0...

 

Does someone know what I am missing?

Thanks

 

Solution
greeran
Contributor III

Hi,

I found out what freezes the boot with optee. It seems that when I add the "CFG_TEE_TA_LOG_LEVEL=4 CFG_TEE_CORE_LOG_LEVEL=4" configuration to the optee-os bbappend, the boot freezes. Without that configuration the boot is successful and the optee loads well also.

Replies
Dhruvit
NXP TechSupport

Hi @greeran,

I hope you are doing well.

Please try making changes in CFG_DDR_SIZE at imx-optee-os/core/arch/arm/plat-imx/conf.mk

Please make sure that you have updated the [Authenticate Data] Blocks in the CSF according to the info generated using print_fit_hab when op-tee is enabled.

Please make sure that you have referred to /doc/imx/habv4/guides/mx8m_secure_boot.txt in uboot-imx.

Thanks & Regards,
Dhruvit Vasavada

greeran
Contributor III

Hi Dhruvit,

Thanks for the reply. I went over the documents you sent and I see something that I cannot explain when imx-boot creates the flash.bin. I am sending log.do_compile below.

You can see that the tee.bin is found and it's added to the FIT image, but in the print_fit_hab and [Authenticate Data] I do not see the TEE_LOAD_ADDR in the list.

I am using Yocto and from the manual I added all the configuration needed in the conf, so if you could point out what I am missing.

Thanks

BL32=tee.bin DEK_BLOB_LOAD_ADDR=0x40400000 TEE_LOAD_ADDR=0x56000000 ATF_LOAD_ADDR=0x00970000 ../iMX8M/mkimage_fit_atf.sh imx8mp-var-dart-dt8mcustomboard-legacy.dtb > u-boot.its
bl31.bin size:
45392
Building with TEE support, make sure bl31.bin is compiled with spd. If you do not want tee, please delete tee.bin
tee.bin size:
550176
u-boot-nodtb.bin size:
1062752
imx8mp-var-dart-dt8mcustomboard-legacy.dtb size:
45568
mkimage -E -p 0x3000 -f u-boot.its u-boot.itb
FIT description: Configuration to load ATF before U-Boot
Created: Wed Oct 19 06:29:00 2022
Image 0 (uboot-1)
Description: U-Boot (64-bit)
Created: Wed Oct 19 06:29:00 2022
Type: Standalone Program
Compression: uncompressed
Data Size: 1062752 Bytes = 1037.84 KiB = 1.01 MiB
Architecture: AArch64
Load Address: 0x40200000
Entry Point: unavailable
Image 1 (fdt-1)
Description: imx8mp-var-dart-dt8mcustomboard-legacy
Created: Wed Oct 19 06:29:00 2022
Type: Flat Device Tree
Compression: uncompressed
Data Size: 45568 Bytes = 44.50 KiB = 0.04 MiB
Architecture: Unknown Architecture
Image 2 (atf-1)
Description: ARM Trusted Firmware
Created: Wed Oct 19 06:29:00 2022
Type: Firmware
Compression: uncompressed
Data Size: 45392 Bytes = 44.33 KiB = 0.04 MiB
Architecture: AArch64
OS: Unknown OS
Load Address: 0x00970000
Image 3 (tee-1)
Description: TEE firmware
Created: Wed Oct 19 06:29:00 2022
Type: Firmware
Compression: uncompressed
Data Size: 550176 Bytes = 537.28 KiB = 0.52 MiB
Architecture: AArch64
OS: Unknown OS
Load Address: 0x56000000
Default Configuration: 'config-1'
Configuration 0 (config-1)
Description: imx8mp-var-dart-dt8mcustomboard-legacy
Kernel: unavailable
Firmware: uboot-1
FDT: fdt-1
Loadables: atf-1
tee-1
./mkimage_imx8 -version v2 -fit -loader u-boot-spl-ddr.bin 0x920000 -second_loader u-boot.itb 0x40200000 0x60000 -out flash.bin > hab.log 2<&1
./../scripts/pad_image.sh tee.bin
./../scripts/pad_image.sh bl31.bin
./../scripts/pad_image.sh u-boot-nodtb.bin imx8mp-var-dart-dt8mcustomboard-legacy.dtb
TEE_LOAD_ADDR=0x56000000 ATF_LOAD_ADDR=0x00970000 VERSION=v2 ../iMX8M/print_fit_hab.sh 0x60000 imx8mp-var-dart-dt8mcustomboard-legacy.dtb > hab2.log 2<&1
csf_assemble
csf_assemble 1
csf_assemble 1 SPL_BLOCKS 0x91ffc0 0x0 0x33800 "flash.bin"
csf_assemble 2
csf_assemble 2 FIT_BLOCK_1: 0x401fcdc0 0x58000 0x1020 "flash.bin"
csf_assemble 2 FIT_BLOCK_2: 0x40200000 0x5B000 0x103760 "flash.bin"
csf_assemble 2 FIT_BLOCK_3: 0x40303760 0x15E760 0xB200 "flash.bin"
csf_assemble 2 FIT_BLOCK_4: 0x970000 0x169960 0xB150 "flash.bin"
csf_assemble 3 csf_spl.bin
[Header]
Version = 4.3
Hash Algorithm = sha256
Engine = CAAM
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
File = "/workdir/build_secure_real/../keys/cst-3.3.1/crts/SRK_1_2_3_4_table.bin"
Source index = 0
[Install CSFK]
File = "/workdir/build_secure_real/../keys/cst-3.3.1/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Unlock]
Engine = CAAM
Features = MID
[Install Key]
Verification index = 0
Target Index = 2
File = "/workdir/build_secure_real/../keys/cst-3.3.1/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
[Authenticate Data]
Verification index = 2
Blocks = 0x91ffc0 0x0 0x33800 "flash.bin"
CSF Processed successfully and signed data available in csf_spl.bin
csf_assemble 3 csf_fit.bin
[Header]
Version = 4.3
Hash Algorithm = sha256
Engine = CAAM
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
File = "/workdir/build_secure_real/../keys/cst-3.3.1/crts/SRK_1_2_3_4_table.bin"
Source index = 0
[Install CSFK]
File = "/workdir/build_secure_real/../keys/cst-3.3.1/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Install Key]
Verification index = 0
Target Index = 2
File = "/workdir/build_secure_real/../keys/cst-3.3.1/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
[Authenticate Data]
Verification index = 2
Blocks = 0x401fcdc0 0x58000 0x1020 "flash.bin", \
0x40200000 0x5B000 0x103760 "flash.bin", \
0x40303760 0x15E760 0xB200 "flash.bin", \
0x970000 0x169960 0xB150 "flash.bin"
CSF Processed successfully and signed data available in csf_fit.bin
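
The comparison described in the post above (FIT image load addresses against the [Authenticate Data] blocks of csf_fit.bin), as an added Python example that is not part of the original thread. The function names are hypothetical, the two embedded strings are excerpts of the posted log, and images without a Load Address in the listing (fdt-1) are skipped as an assumption.

```python
import re
# Excerpts of the log posted above, trimmed to the fields the check needs.
FIT_LISTING = """\
Image 0 (uboot-1)
Data Size: 1062752 Bytes = 1037.84 KiB = 1.01 MiB
Load Address: 0x40200000
Image 1 (fdt-1)
Data Size: 45568 Bytes = 44.50 KiB = 0.04 MiB
Image 2 (atf-1)
Data Size: 45392 Bytes = 44.33 KiB = 0.04 MiB
Load Address: 0x00970000
Image 3 (tee-1)
Data Size: 550176 Bytes = 537.28 KiB = 0.52 MiB
Load Address: 0x56000000
"""
CSF_BLOCKS = """\
Blocks = 0x401fcdc0 0x58000 0x1020 "flash.bin", \\
0x40200000 0x5B000 0x103760 "flash.bin", \\
0x40303760 0x15E760 0xB200 "flash.bin", \\
0x970000 0x169960 0xB150 "flash.bin"
"""

def parse_fit_images(listing):
    """Return {name: (load_addr or None, size)} from mkimage's FIT listing."""
    images, name = {}, None
    for line in listing.splitlines():
        line = line.strip()
        if m := re.match(r"Image \d+ \((\S+)\)", line):
            name = m.group(1)
            images[name] = [None, 0]
        elif name and (m := re.match(r"Data Size:\s+(\d+) Bytes", line)):
            images[name][1] = int(m.group(1))
        elif name and (m := re.match(r"Load Address:\s+(0x[0-9a-fA-F]+)", line)):
            images[name][0] = int(m.group(1), 16)
    return {k: tuple(v) for k, v in images.items()}

def parse_csf_blocks(csf_text):
    """Return [(ram_addr, file_offset, length)] from the CSF 'Blocks =' entry."""
    triple = r'(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+"'
    return [tuple(int(x, 16) for x in t) for t in re.findall(triple, csf_text)]

def unauthenticated_images(listing, csf_text):
    """Names of FIT images whose load range no CSF block fully covers."""
    blocks = parse_csf_blocks(csf_text)
    return [name for name, (addr, size) in parse_fit_images(listing).items()
            if addr is not None
            and not any(b <= addr and addr + size <= b + n for b, _, n in blocks)]

if __name__ == "__main__": print(unauthenticated_images(FIT_LISTING, CSF_BLOCKS))
```

On the posted log this reports `tee-1`: the range starting at 0x56000000 is not inside any of the four blocks listed in [Authenticate Data].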

Dhruvit
NXP TechSupport

Hello @greeran 

I hope you are doing well.

Please refer to the below link and check the suggestion for HAB event enabling on i.MX8mp and share the observation.
https://community.nxp.com/t5/i-MX-Processors/imx8mp-HAB/m-p/1546498#M197035

I hope it helps!

Thanks & Regards,

Dhruvit Vasavada
