Hi experts,
I just got my i.MX 8M Evaluation Kit and I want to enable the OPTEE OS on the board.
I found one tutorial about Yocto Project to enable optee on i.MX8. So far, I have already booted the device up and I can run the xtest of OPTEE correctly.
However, I do not find any instruction about how I should build a TA for the OPTEE-OS on imx8, and it looks like imx8 is not listed as a supported platform on the OP-TEE website.
Any suggestion for building a TA for imx8 is welcome!
Thank you in advance.
Simon
Hi, Simon
I'm also playing with an i.MX8M device, and want to enable op-tee on it. The tutorial link "one tutorial about Yocto Project" is not effective any more.
Can you share with me the tutorial?
Thank you!
Ethan
If your OP-TEE does not work,
please see my post for help.
I played with two boards, pico-pi-imx7 and maaxboard; both worked well.
Hi Simon
The next steps can be to copy the OP-TEE client and test to the rootfs on the SD card.
OP-TEE client
$ sudo cp out/export/bin/tee-supplicant <ext4 partition>/usr/bin
$ sudo cp out/export/lib/libteec.so.1.0 <ext4 partition>/usr/lib
OP-TEE test
$ sudo cp out/xtest/xtest <ext4 partition>/usr/bin
$ find out/ta/ -name \*.ta | sudo xargs cp -t <ext4 partition>/lib/optee_armtz
Best regards
igor
I have opened an issue here: https://github.com/TechNexion/edm-yocto-bsp/issues/22
but nobody answered me, so I am opening it here again:
In yocto local.conf I added: DISTRO_FEATURES_append=" optee"
IMAGE_INSTALL_append = " optee-client-imx optee-os-imx-tn optee-test-imx"
and
config CONFIG_OPTEE in kernel config, but I still cannot find the device /dev/tee?
Any suggestion? What can I do? Build the kernel, boot and rootfs individually?
Thanks
error:
ls /dev/tee*
ls: cannot access '/dev/tee*': No such file or directory
fortress:/usr/include# xtest
Run test suite with level=0
TEE test application started with device [(null)]
Failed to open TEE context: 0xffff0008
fortress:/usr/include# tee-supplicant
ERR [576] TEES:main:663: failed to find an OP-TEE supplicant device
fortress:/usr/include#
Hi, I suggest you make sure MACHINE_FEATURES includes "optee" as well, so that it appears inside COMBINED_FEATURES:
"bitbake -e <YOUR_IMAGE> | grep COMBINED_FEATURES=.*optee"
When this is set up properly, you should not have to include optee-xxx manually inside local.conf, but packagegroup-fsl-optee should be added to your image.
This helped me when I had a similar issue.
Hi Igor,
Thank you for the reply. I will try the OP-TEE CA and TA as you indicated. Meanwhile, I'm still wondering if the OP-TEE TA(*.ta) outputs some information from the secure world, is there any method for me to read that output (such as serial port)?
Thank you and I wish you a great holiday ahead!
Simon
Hi simonwan igorpadykov
I have followed all the steps and now I have this error when running an application:
optee_example_hello_world: TEEC_Opensession failed with code 0xffff000f origin 0x3
It seems that this error comes from a security error. Do you know how it can be solved?
simonwan Do you know how you can see information from the secure world?
Best regards
Iñigo
Hello, I also encountered a similar problem. When I was running xtest, I was prompted that opening TEE context failed. Did you solve it later? Can you share the solution with me?
root@verdin-imx8mp-06965616:~# xtest
Run test suite with level=0
TEE test application started with device [(null)]
Failed to open TEE context: 0xffff0008
root@verdin-imx8mp-06965616:~# TEE test application started with device [(null)]
-sh: syntax error near unexpected token `('
root@verdin-imx8mp-06965616:~# Failed to open TEE context: 0xffff0008
-sh: Failed: command not found
I am playing with maaxboard, which is ported from imx8mqevk.
I use the Yocto version below. It works well; you can try it.
$ mkdir imx-yocto-bsp
$ cd imx-yocto-bsp
$ repo init -u https://source.codeaurora.org/external/imx/imx-manifest -b imx-linux-sumo -m imx-4.14.98-2.0.0_ga.xml
$ repo sync
..
2. The board is imx8mqevk.
1. Make sure to run xtest to test that OP-TEE works well.
ls /dev/tee* to find the device node
-sh-4.4# ls /dev/tee*
/dev/tee0 /dev/teepriv0
xtest
...
16081 subtests of which 0 failed
74 test cases of which 0 failed
0 test case was skipped
TEE test application done!
...
2. bitbake fsl-image-validation-imx -c populate_sdk ; generate toolchains and install
3. In the optee_examples code, generate the host code and tar code; my toolchain is installed in /usr/local/optee/
. /usr/local/optee/environment-setup-aarch64-poky-linux
export TEEC_EXPORT=/usr/local/optee/sysroots/aarch64-poky-linux/usr/
export TA_DEV_KIT_DIR=/usr/local/optee/sysroots/aarch64-poky-linux/usr/include/optee/export-user_ta_arm64/
make
3. scp the 1234-3456.7890-11111.ta file to the board, into /lib/optee_armtz/ (the UUID is an example)
4. Now you can run the host code built with make in step 3.
Done.
5. After that you can install the TA in the secure store:
xtest --install-ta /lib/optee_armtz/1234-3456.7890-11111.ta , then you should rm /lib/optee_armtz/1234-3456.7890-11111.ta
so the TA is hidden at
/data/tee
6. So the host code can only run on this board; the data at /data/tee cannot be used on another board if the same TA is not installed.
Hi!
> Do you know how you can see information from the secure world?
For OP-TEE OS: Make sure you have a sufficiently high log level enabled, e.g., compile optee-os-imx with
`CFG_TEE_CORE_LOG_LEVEL=3 CFG_TEE_TA_LOG_LEVEL=3`
to see output from optee-os during boot initialization.
For Trusted Firmware: I did the following: Edit `imx-atf/plat/imx/imx8mq/include/platform_def.h` and set `#define DEBUG_CONSOLE 1`. This shows output from 'NOTICE' in my configuration.
This assumes you connect to the configured UART port via a serial connection.
> optee_example_hello_world: TEEC_Opensession failed with code 0xffff000f origin 0x3
Not sure what this is, have you tried running xtest?
Just to add some information regarding setting the op-tee log levels.
If you're building optee-os via Yocto, the optee-os_x.y.z.imx.bb recipe disables the LOG using:
EXTRA_OEMAKE:append = " \
    CFG_TEE_TA_LOG_LEVEL=0 \
    CFG_TEE_CORE_LOG_LEVEL=0 \
"
This means that if you've created a patch and bbappend to update mk/config.mk the log levels you've set get overwritten by the recipe.
To fix this, in the bbappend add something like this:
EXTRA_OEMAKE:remove = " \
    CFG_TEE_TA_LOG_LEVEL=0 \
    CFG_TEE_CORE_LOG_LEVEL=0 \
"
EXTRA_OEMAKE:append = " \
    CFG_TEE_TA_LOG_LEVEL=3 \
    CFG_TEE_CORE_LOG_LEVEL=3 \
"
Hi @Matthias Stauber and peterzhang
Can the TA application be debugged on the imx8m board? with gdbserver?
How can I do it?
Thank you very much for the help.
Iñigo.
I am not sure how to debug a TA app with gdbserver. I only use printf or MSG (?) to print out the debug info. I guess it cannot.
Of course, for host apps we can use gdbserver.
You can ask there for more about OP-TEE: GitHub - OP-TEE/optee_os: Trusted side of the TEE. The technical supporters are very nice. I asked my questions there.
Hi Iñigo,
I haven't tried this myself, but try searching for "BKK19-419: Debugging with OP-TEE". This presentation may help you.
Kind regards,
Matthias
P.S.: Make sure to try running xtest to validate your OP-TEE Installation. It is possible something is going wrong when compiling OP-TEE examples, but the environment itself is actually o.k.
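Added example, not part of any post in this thread: a small shell helper that decodes the two client-side failures quoted above (`Failed to open TEE context: 0xffff0008` and `code 0xffff000f origin 0x3`) into their GlobalPlatform TEE Client API names, and checks for the device nodes and TA directory the posters inspect by hand. The function names and the `ROOT` prefix argument are assumptions made for this example; the result and origin names are a subset of those defined in `tee_client_api.h`.

```shell
#!/bin/sh
# Added example (not from the thread): triage of the OP-TEE client failures quoted above.

# TEEC_Result value -> GlobalPlatform TEE Client API name (subset).
teec_result_name() {
    case "$(printf '%s' "$1" | tr 'A-F' 'a-f')" in
        0xffff0000) echo TEEC_ERROR_GENERIC ;;
        0xffff0001) echo TEEC_ERROR_ACCESS_DENIED ;;
        0xffff0006) echo TEEC_ERROR_BAD_PARAMETERS ;;
        0xffff0008) echo TEEC_ERROR_ITEM_NOT_FOUND ;;
        0xffff000c) echo TEEC_ERROR_OUT_OF_MEMORY ;;
        0xffff000e) echo TEEC_ERROR_COMMUNICATION ;;
        0xffff000f) echo TEEC_ERROR_SECURITY ;;
        *) echo UNKNOWN ;;
    esac
}

# Return origin -> layer that produced the error ("-" when the line has none).
teec_origin_name() {
    case "$1" in
        0x1) echo TEEC_ORIGIN_API ;;
        0x2) echo TEEC_ORIGIN_COMMS ;;
        0x3) echo TEEC_ORIGIN_TEE ;;
        0x4) echo TEEC_ORIGIN_TRUSTED_APP ;;
        *) echo - ;;
    esac
}

# Decode one xtest / client-application log line into "<result> <origin>".
decode_line() {
    code=$(printf '%s\n' "$1" | sed -n -e 's/.*code \(0x[0-9a-fA-F]*\).*/\1/p' \
                                       -e 's/.*context: \(0x[0-9a-fA-F]*\).*/\1/p')
    [ -n "$code" ] || { echo "no TEEC code in line"; return 1; }
    origin=$(printf '%s\n' "$1" | sed -n 's/.*origin \(0x[0-9a-fA-F]*\).*/\1/p')
    echo "$(teec_result_name "$code") $(teec_origin_name "$origin")"
}

# Check what the thread checks by hand. ROOT ($1) is a path prefix: empty on
# the board, a scratch directory for a dry run (hence -e rather than -c).
tee_state() {
    [ -e "$1/dev/tee0" ] || { echo "no /dev/tee0: kernel OP-TEE driver did not probe"; return 1; }
    [ -e "$1/dev/teepriv0" ] || { echo "no /dev/teepriv0: tee-supplicant has no device"; return 1; }
    n=$(find "$1/lib/optee_armtz" -name '*.ta' 2>/dev/null | wc -l)
    echo "ok: $((n)) TA file(s) in /lib/optee_armtz"
}

# The two failing lines reported in the thread, then the local device state.
decode_line 'Failed to open TEE context: 0xffff0008'
decode_line 'optee_example_hello_world: TEEC_Opensession failed with code 0xffff000f origin 0x3'
tee_state "${1:-}" || true
```

`TEEC_ERROR_ITEM_NOT_FOUND` from opening the context goes together with the missing `/dev/tee*` nodes shown in the same posts, while `TEEC_ERROR_SECURITY` with origin `TEEC_ORIGIN_TEE` is raised inside OP-TEE itself, after the client has already reached the secure world.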