i.MX91 Secure Storage

Gunashree_MN
Contributor II

Hi Everyone,

I am planning to implement secure storage on the i.MX91 platform. Could anyone please let me know the capacity of the EdgeLock Enclave memory?

Additionally, I would appreciate it if you could share any reference documents or guidelines or procedure for implementing secure storage on the i.MX91 using the EdgeLock Enclave (ELE).

Thanks in advance for your help!

7 Replies

JorgeCas
NXP TechSupport

Hello,

There are different sections of the memory map that can be secured. For more information related to this, please take a look at Table 4 in the i.MX91 reference manual, which has the TrustZone "Non-Secure (NS)" and "Secure (S)" world view of the system (Cortex-A) memory map. Access through the "Secure" memory region can only be performed by code with the appropriate security settings.

For more guidelines related to security topics, please take a look at the following link:

i.MX Security Features & Collateral - NXP Community

Best regards.

Gunashree_MN
Contributor II

Hi @JorgeCas 

Thanks for your reply.

1. Can you please confirm whether I have to follow the procedure mentioned in the guides below to implement secure storage on i.MX91?

https://www.nxp.com/docs/en/application-note/AN14105.pdf?_gl=1*1pnx2xb*_ga*MjQ0NTk1ODIzLjE3NDcwMjk2M....

 

https://www.nxp.com/webapp/Download?colCode=AN12714&location=null&_gl=1*1l7r9cl*_ga*MjQ0NTk1ODIzLjE3....

2. Could the capacity of the ELE be the total size of the Secure (S) registers?

JorgeCas
NXP TechSupport

Hello,

Q1

AN12714 used CAAM on the i.MX8X series, but there is no CAAM on i.MX91. You can refer to HSM NVM storage: https://github.com/nxp-imx/imx-secure-enclave/blob/master/test/hsm/hsm_test.c

hsm_data_storage() is used to store/retrieve data in HSM NVM. The data stored in NVM is encrypted with a key derived from the device. If users want to generate their own key and use this key to encrypt/sign the data, the hsm_enc_data_ops() API can be used. You can also find the test example enc_data_storage_test() in the secure enclave library.

All the keystores/data generated and stored in HSM NVM are in encrypted format, not only this API.

Q2

Yes, that is correct.

Best regards.

 

Gunashree_MN
Contributor II

Hi @JorgeCas 

Thank you for your inputs.

I am planning to implement secure storage for a specific partition instead of encrypting the full disk.

  1. To achieve this, I can use the APIs provided by ELE to generate encryption keys and encrypt the target partition. Is that correct?

  2. The keys generated using ELE are, by default, securely stored within ELE and must be accessed through its APIs. Is that correct?

JorgeCas
NXP TechSupport

Hello,

Yes, your understanding is correct.

Best regards.

Gunashree_MN
Contributor II

Hi @JorgeCas 

Can you please share inputs on the questions below?

1. Does the EdgeLock Enclave depend on OP-TEE to implement secure storage?

a. If yes, what is its purpose?

b. If yes, is it applicable only to secure storage, and to processors having EdgeLock Enclave?

2. Is OP-TEE mandatory to implement secure storage on i.MX91?
3. Is it possible to implement secure storage without using OP-TEE on i.MX91?

Thanks in advance

 

Gunashree_MN
Contributor II

Hi @nxp

As I have mentioned in my previous mails, I am trying to implement secure storage on i.MX91 by encrypting a partition.
Below are the steps I am following for the same.

1. Enabled the features below in OP-TEE

core/arch/arm/plat-imx/conf.mk

#CFG_IMX_TRUSTED_ARM_CE ?= y
CFG_HWRNG_QUALITY ?= 1024
CFG_WITH_SOFTWARE_PRNG ?= n


 mk/config.mk

CFG_HWRNG_PTA ?= y

2. Kernel features

CONFIG_DM_CRYPT=y
CONFIG_TRUSTED_KEYS=y
CONFIG_TRUSTED_KEYS_TEE=y
CONFIG_TEE_CRYPTO=y
CONFIG_BLK_DEV_DM=y

3. Applied patches for the above OP-TEE and kernel features in Yocto and built.

4. There was an error in applying the OP-TEE patch. On debugging, I got to know from core/pta/imx/trusted_arm_ce.c that CFG_IMX_TRUSTED_ARM_CE is not supported on i.MX91:

#if defined(CFG_MX93)
#define OCRAM_START 0x20518000
#define OCRAM_END 0x2051C000
#elif defined(CFG_MX95)
#define OCRAM_START 0x204BC000
#define OCRAM_END 0x204C0000
#else
#error "Platform not supported"
#endif


So I want to know:

1. What is the importance of CFG_IMX_TRUSTED_ARM_CE?
2. Why is CFG_IMX_TRUSTED_ARM_CE supported for i.MX91?
3. Without using CFG_IMX_TRUSTED_ARM_CE, how do I implement secure storage on i.MX91?

Can someone guide me on this please?

Thanks in advance!
