i.MX8QM SECO 5.9.0 error handling

ambrice · ‎01-25-2024

I am trying to use she_get_info() from the imx-seco-libs to determine the chip lifecycle in linux. The problem is if I run into any error, the SECO will fail until I reset the system. For example, if I call she_storage_create() with a storage id that already exists, or if I call she_open_session() with a storage identifier that doesn't exist then all attempts to call she_open_session() will fail until reset.

This is with imx-seco-5.9.0.bin firmware and lf-5.15.5_1.0.0 branch of imx-seco-libs. When I try using imx-seco-3.7.4.bin firmware I do not see these errors. example code attached.

Harvey021 · ‎01-29-2024

This is because NVM manager is not closed so cannot create another SHE keystore again and looks that it causes NVM manager status incorrect later.

You can refer to the example script in attachment, which will start and close NVM session each time. Then it can run ./she_test_get_info repeatedly.

root@imx8qxpc0mek:~# ./she_test_get_info
she_storage_create ret:0x1
she_open_session handle:0xe8c063c0
she_get_info ret:0x0
she_get_info: user_sab_id 0x1,chip_unique_id 0xb 0x6 0xa0 0xe 0x82 0x8e 0x41 0xdb,chip_monotonic_counter 0x0,chip_life_cycle 0x20,version 0x30085, version_ext 0x0, fips_mode 0xf9650fa0
she_close_session
Closed nvm session
root@imx8qxpc0mek:~# [ 33.870490] usb_otg1_vbus: disabling

root@imx8qxpc0mek:~# ./she_test_get_info
she_storage_create ret:0x1
she_open_session handle:0xde8e23c0
she_get_info ret:0x0
she_get_info: user_sab_id 0x1,chip_unique_id 0xb 0x6 0xa0 0xe 0x82 0x8e 0x41 0xdb,chip_monotonic_counter 0x0,chip_life_cycle 0x20,version 0x30085, version_ext 0x0, fips_mode 0xc662de70
she_close_session
Closed nvm session

Regards

Harvey

ambrice · ‎02-02-2024

Which SECO FW is this running with? When I run attached she_test_get_info I just get:

nvm manager failed to start
Closed nvm session

Looking at my original she_info it doesn't look like I was checking the seco_nvm_manager status and it's always going into a stopped state (3)

ambrice · ‎02-02-2024

Seems like my problem was there was another process running that used seco_nvm_manager() and I guess you can only have one.

After killing that one, the attached she_test_get_info works, but if I run it with "-n" it fails and then all future runs fail with or without the -n. In case of error is there a way to recover without having to reset?

Harvey021 · ‎02-04-2024

1. Can you please confirm you use SECO 5.9.0 on i.MX8 QM device? I only see SECO 5.9.0 for i.MX8DXL device.

I tested with BSP version lf-5.15.5_1.0.0, the corresponding SECO FW version is QM B0 3.8.5 - c9de51c0e88.

The SECO FW version can also check from boot log like:

BuildInfo:
- SCFW c1e35e09, SECO-FW c9de51c0, IMX-MKIMAGE 22346a32, ATF 05f788b
- U-Boot 2021.04-lf_v2021.04+gf7b43f8b4c

2. Correct, only one SHE NVM manager can exist.

Can you please run ps -ef|grep nvm in linux to check if any other NVM daemon in backend?

3. I can reproduce the case with lf-5.15.5_1.0.0. Once it fails to create keystore, seems that it needs reset to recover. Checking internal team, will reply back to you once update.

Regards

Harvey

ambrice · ‎02-05-2024

I can confirm that I am using 3.8.5 FW on i.MX8QM. I am using the imx-seco-5.9.0.bin release package, which looks like it contains FW 3.8.5 on the i.MX8QM.

If I make the same imx-boot container with imx-seco-3.7.4.bin it does not seem to have this problem, SECO calls continue to work after an error occurs.

What I would really like is a way to call she_get_info() without having to call she_storage_create() and she_open_session(). My use case is I have an initramfs in an authenticated kernel container that will mount a dm-verity rootfs if the lifecycle is "OEM Closed" or normal ext4 mount if "NXP Closed" and I am not at that point handling any encrypted data.

Harvey021 · ‎02-05-2024

It's necessary to call she_storage_create() and she_open_session() before she_get_info() in imx-seco-libs. The she_storage_create() must be called at least once on every device before using any other SHE API and the generated key_storage_identifier will be used in she_open_session(), and then the session id will be used in she_get_info().

Checking reason with internal team about this case on SECO 3.8.5, will keep you informed if any update.

If you just want to check chip lifecycle, I think you can also consider using SECO baseline API sc_seco_chip_info(). The usage of this API can be found in SCFW API guide. The example of calling this API can be found in arch/arm/mach-imx/imx8/ahab.c.

Regards

Harvey

ambrice · ‎02-20-2024

Harvey,

Any update on how to recover from error on SECO FW 3.8.5?

Thanks,
Aaron

Harvey021 · ‎01-29-2024

Hi,

The she_get_info() API format changes in L5.15.5_1.0.0. Please check the definition here: imx-seco-libs/src/she_lib.c at lf-5.15.5_1.0.0 · nxp-imx/imx-seco-libs · GitHub. There is no "fips_mode" parameter, so the test script doesn't match with the API calling.

I saw the "fips_mode" parameter exists in some verion like imx-seco-libs/src/she_lib.c at imx_5.4.70_2.3.11 · nxp-imx/imx-seco-libs · GitHub. So maybe that's the reason you can use it successfully before.

Please modify the API parameters according to the definition in imx-seco-lib L5.15.5_1.0.0.

Regards

Harvey