dek_blob command on phyBOARD-Pollux i.MX8M Plus

Ekkab · ‎01-29-2024

Hello,

I'm working with a phyBOARD-Pollux i.MX8 M Plus Kit and I'm trying to set up a full secure boot (sign + encryption).

The signing part is working perfectly and I get no HAB events when an image is properly signed but I'm having trouble with the encryption part. Specifically with the DEK blob encryption.

I cannot get the 'dek_blob' command to work in any bootloader I've tried.

Things that I tried:

Compiling u-boot-imx, imx-atf and imx-optee-os from scratch (version lf-6.1.55-2.2.0). Here I get two kind of errors:
- If compiling ATF without SPD=opteed command I can get to u-boot and the dek_blob command fails with a "Cannot get OP-Tee Device" error.
- If compiling ATF with SPD=opteed the ATF code seems to get stuck in a call to the function "opteed_enter_sp".
I also tried every imx8-boot available on these builds: https://download.phytec.de/Software/Linux/BSP-Yocto-i.MX8MP/

Tried every target that includes a tee.bin without any luck. Every one of them throws the same error when trying to execute the "dek_blob" command: "Cannot get OP-TEE device".

I'm starting to run out of ideas. Could I get some help please?

Harvey021 · ‎02-01-2024

I'd suggest to raise the issue to phyetc to get assistance.

Regards

Harvey

在原帖中查看解决方案

Harvey021 · ‎01-30-2024

The device is in close, does it?

Regards

Harvey

Ekkab · ‎01-31-2024

No it's not. Should it be closed?

Harvey021 · ‎01-31-2024

Should be, uboot-imx/doc/imx/habv4/guides/mx8m_encrypted_boot.txt at lf_v2023.04 · nxp-imx/uboot-imx · GitHub

Regards

Harvey

Ekkab · ‎02-01-2024

I see the guide asks for an ATF compilation with the argument SPD=opteed.

Whenever I compile with this argument the ATF gets stuck after printing BL31: Initializing BL32. Specifically after the call to opteed_enter_sp().

Does the device need to be closed for this to work?

Maybe there is something wrong with my compilation of OP-TEE?

Can you tell me which specific values would I need for these OPTEE variables to make it run on the Pollux board? I've tried with the default values for the mx8mpevk flavor but they don't seem ok to me. So i've also tried with these:

CFG_DDR_SIZE = UL(0x80000000)
CFG_UART_BASE = UART1_BASE
CFG_TZDRAM_SIZE = 0x01e00000
CFG_TZDRAM_START = 0x56000000
CFG_SHMEM_SIZE = 0x00200000
CFG_SHMEM_START = 0x57e00000

For the u-boot I'm going with the "phycore-imx8mp" defconfig. Do I have to change something in the device tree? The one that the target is using is "imx8mp-phyboard-pollux-rdk"

Harvey021 · ‎02-01-2024

I'd suggest to raise the issue to phyetc to get assistance.

Regards

Harvey

Ekkab · ‎02-02-2024

Ooops, my bad. Kind of got the two companies mixed up in my head, sorry.