i.MX91 Secure Storage


3,069 Views
Gunashree_MN
Contributor II

Hi Everyone,

I am planning to implement secure storage on the i.MX91 platform. Could anyone please let me know the capacity of the EdgeLock Enclave memory?

Additionally, I would appreciate it if you could share any reference documents, guidelines, or procedures for implementing secure storage on the i.MX91 using the EdgeLock Enclave (ELE).

Thanks in advance for your help!

7 Replies

3,047 Views
JorgeCas
NXP TechSupport

Hello,

There are different sections of the memory map that can be secured. For more information, please take a look at Table 4 in the i.MX91 reference manual, which has the TrustZone "Non-Secure (NS)" and "Secure (S)" world view of the system (Cortex-A) memory map. Access through the "Secure" memory region can only be performed by code with the appropriate security settings.

For more guidelines related to security topics, please take a look at the following link:

i.MX Security Features & Collateral - NXP Community

Best regards.


2,995 Views
Gunashree_MN
Contributor II

Hi @JorgeCas 

Thanks for your reply.

1. Can you please confirm whether I have to follow the procedure mentioned in the guides below to implement secure storage on i.MX91?

https://www.nxp.com/docs/en/application-note/AN14105.pdf?_gl=1*1pnx2xb*_ga*MjQ0NTk1ODIzLjE3NDcwMjk2M....

 

https://www.nxp.com/webapp/Download?colCode=AN12714&location=null&_gl=1*1l7r9cl*_ga*MjQ0NTk1ODIzLjE3....

2. Could the capacity of the ELE be the total size of the Secure (S) registers?


2,979 Views
JorgeCas
NXP TechSupport

Hello,

Q1

AN12714 used the CAAM on the i.MX8X series, but there is no CAAM on the i.MX91. You can refer to HSM NVM storage: https://github.com/nxp-imx/imx-secure-enclave/blob/master/test/hsm/hsm_test.c

hsm_data_storage() is used to store/retrieve data in HSM NVM. The data stored in NVM is encrypted with a key derived from the device. If users want to generate their own key and use this key to encrypt/sign the data, the hsm_enc_data_ops() API can be used; you can also find the test example enc_data_storage_test() in the secure enclave library.

All the keystores/data generated and stored in HSM NVM are in encrypted format, not only this API.

Q2

Yes, that is correct.

Best regards.

 


2,963 Views
Gunashree_MN
Contributor II

Hi @JorgeCas 

Thank you for your inputs.

I am planning to implement secure storage for a specific partition instead of encrypting the full disk.

  1. To achieve this, I can use the APIs provided by ELE to generate encryption keys and encrypt the target partition. Is that correct?

  2. The keys generated using ELE are, by default, securely stored within ELE and must be accessed through its APIs. Is that correct?


2,942 Views
JorgeCas
NXP TechSupport

Hello,

Yes, your understanding is correct.

Best regards.


2,800 Views
Gunashree_MN
Contributor II

Hi @JorgeCas 

Can you please share your inputs on the questions below?

1. Does the EdgeLock Enclave depend on OP-TEE to implement secure storage?

a. If yes, what is its purpose?

b. If yes, is it applicable only to secure storage? And to processors having an EdgeLock Enclave?

2. Is OP-TEE mandatory to implement secure storage on i.MX91?
3. Is it possible to implement secure storage without using OP-TEE on i.MX91?

Thanks in advance

 


2,457 Views
Gunashree_MN
Contributor II

Hi @nxp

As I have mentioned in my previous mails, I am trying to implement secure storage on i.MX91 by encrypting a partition.
Below are the steps I am following for the same.

1. Enabled below features in OP-TEE

core/arch/arm/plat-imx/conf.mk

#CFG_IMX_TRUSTED_ARM_CE ?= y
CFG_HWRNG_QUALITY ?= 1024
CFG_WITH_SOFTWARE_PRNG ?= n


mk/config.mk

CFG_HWRNG_PTA ?= y

2. Kernel features

CONFIG_DM_CRYPT=y
CONFIG_TRUSTED_KEYS=y
CONFIG_TRUSTED_KEYS_TEE=y
CONFIG_TEE_CRYPTO=y
CONFIG_BLK_DEV_DM=y

3. Applied patches for the above OP-TEE and kernel features in Yocto and built.

4. There was an error in applying the OP-TEE patch. On debugging, I got to know from core/pta/imx/trusted_arm_ce.c that CFG_IMX_TRUSTED_ARM_CE is not supported on i.MX91:

#if defined(CFG_MX93)
#define OCRAM_START 0x20518000
#define OCRAM_END 0x2051C000
#elif defined(CFG_MX95)
#define OCRAM_START 0x204BC000
#define OCRAM_END 0x204C0000
#else
#error "Platform not supported"
#endif


So I want to know:

1. What is the importance of CFG_IMX_TRUSTED_ARM_CE?
2. Why is CFG_IMX_TRUSTED_ARM_CE supported for i.MX91?
3. Without using CFG_IMX_TRUSTED_ARM_CE, how do I implement secure storage on i.MX91?

Can someone guide me on this please?

Thanks in advance!

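One way to confirm that the kernel options listed in step 2 of the post above actually ended up in the built kernel configuration, since a Yocto patch or config fragment that fails to apply can leave them unset. This is an added example, not part of the original post; the function names `check_kconfig` and `write_sample` and the sample fragment are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare a kernel .config against the options from step 2.

# Options exactly as listed in step 2 of the post.
REQUIRED_OPTS="CONFIG_DM_CRYPT CONFIG_TRUSTED_KEYS CONFIG_TRUSTED_KEYS_TEE CONFIG_TEE_CRYPTO CONFIG_BLK_DEV_DM"

# check_kconfig FILE
# Prints one line for every option that is not "=y" in FILE.
# Returns 0 when all options are "=y", 1 otherwise.
check_kconfig() {
    cfg=$1
    rc=0
    for opt in $REQUIRED_OPTS; do
        # Anchor on "OPT=" so CONFIG_TRUSTED_KEYS does not match
        # CONFIG_TRUSTED_KEYS_TEE. The last assignment wins, as it does
        # when config fragments are merged.
        val=$(sed -n "s/^${opt}=\(.*\)\$/\1/p" "$cfg" | tail -n 1)
        case "$val" in
            y)  ;;
            "") echo "$opt is not set"; rc=1 ;;
            *)  echo "$opt=$val (the post sets =y)"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample fragment (not taken from a real i.MX91 build).
write_sample() {
    cat > "$1" <<'EOF'
CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=m
CONFIG_TRUSTED_KEYS=y
# CONFIG_TRUSTED_KEYS_TEE is not set
CONFIG_TEE_CRYPTO=y
EOF
}

# Demo run on the constructed sample.
demo_cfg=$(mktemp)
write_sample "$demo_cfg"
check_kconfig "$demo_cfg" || echo "kernel config does not match step 2"
rm -f "$demo_cfg"
```

On a running target the same function can be pointed at a decompressed copy of /proc/config.gz, which exists when the kernel was built with CONFIG_IKCONFIG_PROC.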