FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

iMX8MN: OP-TEE Panics on CAAM RNG init

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

iMX8MN: OP-TEE Panics on CAAM RNG init

‎02-06-2025 04:48 AM
2,254 Views
jg25
Contributor I

Hello,
I am trying to get OP-TEE (https://github.com/nxp-imx/imx-optee-os/tree/lf-6.6.36_2.1.0) running as BL32 on a i.MX-based (iMX8 Nano) board.

OP-TEE is loaded as BL32 by imx-atf BL31. If I build optee-os with `CFG_NXP_CAAM=n` OP-TEE seems to be loaded properly and boot proceeds with U-Boot (BL33) and Linux kernel.

Spoiler
CFG_UART_BASE=0x30860000 \
CFG_TZDRAM_START=0x56000000 \
CFG_DDR_SIZE=0x20000000 \
CFG_NXP_CAAM=n \

However, once I use following configuration, OP-TEE panics in `caam_rng_init()`, refer to console log in attachment:

Spoiler
CFG_UART_BASE=0x30860000 \
CFG_TZDRAM_START=0x56000000 \
CFG_DDR_SIZE=0x20000000 \
CFG_NXP_CAAM=y \
CFG_CRYPTO_DRIVER=y \
CFG_WITH_SOFTWARE_PRNG=n \
CFG_NXP_CAAM_RNG_DRV=y CFG_HWRNG_PTA=y CFG_HWRNG_QUALITY=1024 \
CFG_DBG_CAAM_TRACE=0x00000041 \

Using the original code from imx github repo, memory region for CAAM (0x30900000, size 0x40000) was mapped as `IO_NSEC` because on same page as `CFG_UART_BASE` resulting in CAAM memory beeing mapped to `RES_VASPACE` area.
I tried to fix this by limiting UART memory mapping to 0x10000 bytes and create an early explicit mapping for `CAAM_BASE` in `plat-imx/main.c`

Spoiler
#ifdef CONSOLE_UART_BASE
register_phys_mem(MEM_AREA_IO_NSEC, CONSOLE_UART_BASE, 0x10000);
#endif
#ifdef CAAM_BASE
register_phys_mem(MEM_AREA_IO_SEC, CAAM_BASE, CAAM_SIZE);
#endif

After that, at least the correct physical address seems to be used in CAAM driver. However, the `caam_rng_init()` still fails.

Is there any advice on how to fix this?

Best regards

Labels (1)
console-output.txt
0 Kudos
Reply
2 Replies

‎02-12-2025 07:43 AM
2,194 Views
jg25
Contributor I

Thanks.

As far as I understand the guidelines contained in in the u-boot-imx source tree (https://github.com/nxp-imx/uboot-imx/blob/lf_v2022.04/doc/imx/habv4/guides/mx8m_secure_boot.txt) the "dek_blob" you mentioned is only required for encrypted boot. This is currently not my intention.

By looking into details described in the I.MX8MN Security Reference Manual, I found out, that secure boot (HAB) is necessary to be able to use CAAM (at least for some parts).

So my question is, do I need to burn the HAB SRK fuses and also close the device (burning SEC_CONFIG[1] fuse) to be able to init CAAM in OP-TEE?

0 Kudos
Reply

‎02-06-2025 07:01 AM
2,230 Views
Bio_TICFSL
NXP TechSupport
NXP TechSupport

Hello,

DEK blob must be created by a software running in Arm TrustZone Secure World, the CAAM block takes into consideration the TrustZone configuration when encapsulating the DEK and the resulting blob can be only decapsulated by a SW running in the same configuration. As ROM code is running in ARM TrustZone secure world we must encapsulate the blobs using OP-TEE.

 

- Building ATF to support OP-TEE:

$ make PLAT=<SoC Name> SPD=opteed bl31

 

- Building OP-TEE to support DEK blob encapsulation:

$ CFG_NXPCRYPT=y CFG_GEN_DEK_BLOB=y source ./scripts/nxp_build.sh <Board Name>

* OP-TEE debug logs can be enabled by adding CFG_TEE_CORE_LOG_LEVEL=4 in command line above.

The imx-mkimage is used to combine all the images in a single flash.bin binary.

Copy all the binaries generated (U-Boot images, bl31.bin, tee.bin and Firmware) into iMX8M directory and run the following commands according to the target device:

 

- Create a dummy DEK blob:

$ dd if=/dev/zero of=iMX8M/dek_blob_fit_dummy.bin bs=96 count=1 && sync

 

- Assembly flash.bin binary:

$ make SOC=<SoC Name> flash_spl_uboot

Regards

0 Kudos
Reply