I tried booting a Yocto SystemReady image with the standard binary firmware images from NXP, like LF_v5.15.71_2.2.0_boot_IMX8MEVK(SystemReady-IR certified):imx-boot-imx8mqevk-sd.bin-flash_evk, LF_v5.15.71-2.2.0_images_IMX8MQEVK:imx-boot-imx8mqevk-sd.bin-flash_evk. Firmware is loaded on eMMC, the image is on an SD card. This image boots on other SystemReady systems.
I get the following:
mmc1 is current device
Scanning mmc 1:1...
52632 bytes read in 2 ms (25.1 MiB/s)
Scanning disk mmc@30b40000.blk...
Scanning disk mmc@30b50000.blk...
Found 5 disks
optee optee: OP-TEE api uid mismatch
Unable to open OP-TEE session (err=-19)
mm_communicate failed!
Error: Cannot initialize UEFI sub-system, r = 3
Found EFI removable media binary efi/boot/bootaa64.efi
114977 bytes read in 3 ms (36.5 MiB/s)
Error: Cannot initialize UEFI sub-system, r = 3
EFI LOAD FAILED: continuing...
So, after fighting for a while building my own firmware image (the documentation on this is a mess), I got the same error.
I traced it down to the fact that uboot in the standard images is built with OPTEE support, but OPTEE is not part of the standard images that are built. Specifically, the efiboot command calls efi_init_variables(), which if OPTEE is enabled tries to get the EFI variables from OPTEE, which obviously fails. So it's nothing to do with the image.
Turning off OPTEE in u-boot allowed me to boot the SystemReady image. I didn't try to build OPTEE, I would have to fight some more because of vague and lacking instructions.
I assume I'm doing everything right, but if I'm not, well, I guess I'm asking someone to point out my error :-).
Can we get standard images that are SystemReady operational? And test releases for it? I can supply Yocto image builds or instructions if necessary. You can build them from https://github.com/MontaVista-OpenSourceTechnology/opencgx-armsr too.
Thanks,
-corey
It was trying to fetch EFI variables from OPTEE, but there's no memory set up for this. Turning off CONFIG_EFI_MM_COMM_TEE allowed me to boot. But I probably need to figure out how to set up the secure memory. But there's no trusted application for this with the default. But I'm booting and OPTEE appears to be working.
I was able to figure this out. I needed to add SPD=opteed to the imx-atf build to make it start up optee. Then it crashed at boot.
That was because, inexplicably, the tee binary to use with mkimage is tee-raw.bin, not tee.bin.
So now optee starts up ok, it appears. Now I'm getting:
u-boot=> run bootcmd_mmc1
switch to partitions #0, OK
mmc1 is current device
Scanning mmc 1:1...
E/LD: init_elf:486 sys_open_ta_bin(ed32d533-99e6-4209-9cc0-2d72cdd998a7)
E/TC:? 0 ldelf_init_with_ldelf:131 ldelf failed with res: 0xffff0009
Unable to open OP-TEE session (err=-5)
mm_communicate failed!
Error: Cannot initialize UEFI sub-system, r = 3
Found EFI removable media binary efi/boot/bootaa64.efi
114977 bytes read in 4 ms (27.4 MiB/s)
Error: Cannot initialize UEFI sub-system, r = 3
I'm trying to figure out the ldelf thing. FFFF0009 is TEE_ERROR_NOT_IMPLEMENTED.
In uboot I have RPMB enabled. There is something about a secure key on the eMMC controller. I tried enabling CFG_RPMB_WRITE_KEY=y when building imx-optee-op, but that didn't help.
I'm not sure what it's trying to load into optee. There's nothing on the SD card that looks loadable.
One more thing. Ethernet wasn't working, at least on a 5.10 kernel. It acted like it was transmitting and receiving packets, but no packets went out. I traced it down to a change in uboot-imx:
a604b67b87 arm: dts: imx8mq-evk: add phy-reset-gpios for fec1
If I remove that, ethernet works fine.
Update on this. I built an image with OPTEE and enabled OPTEE in u-boot, but it still didn't work. So the standard builds may have OPTEE built in them, but it doesn't appear to be working correctly with u-boot.
I have a working version of all this with optee enabled, including getting the optee examples working, at https://github.com/MontaVista-OpenSourceTechnology/imx-systemready-firmware
Trusted boot is not in it yet, I'm trying to figure out how to make that work.
Hopefully this will help people trying to do the same thing.
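Added example (not part of the original posts and not code from the linked repositories): a small triage script that separates the two failure stages shown in the console logs above, "OP-TEE not answering" versus "OP-TEE running but the requested TA failed to load", and decodes the TEE result and errno values. The stage names and the triage() function are made up for this illustration; the log excerpts are copied from the thread.

```python
import re

# TEE result codes from the GlobalPlatform TEE API (subset).
TEE_RESULTS = {0xFFFF0008: "TEE_ERROR_ITEM_NOT_FOUND",
               0xFFFF0009: "TEE_ERROR_NOT_IMPLEMENTED",
               0xFFFF000A: "TEE_ERROR_NOT_SUPPORTED"}
ERRNO = {5: "EIO", 19: "ENODEV"}  # errno names for the two values in the thread

UID_RE = re.compile(r"OP-TEE api uid mismatch")
TA_RE = re.compile(r"sys_open_ta_bin\(([0-9a-f-]{36})\)")
RES_RE = re.compile(r"ldelf failed with res: (0x[0-9a-fA-F]+)")
SESS_RE = re.compile(r"Unable to open OP-TEE session \(err=-(\d+)\)")
UEFI_RE = re.compile(r"Cannot initialize UEFI sub-system")

def triage(log: str) -> dict:
    """Classify a U-Boot console log into the failure stages seen in the thread."""
    out = {"stage": "ok", "ta_uuid": None, "tee_result": None, "errno": None}
    if m := TA_RE.search(log):
        out["ta_uuid"] = m.group(1)          # TA that ldelf tried to open
    if m := RES_RE.search(log):
        code = int(m.group(1), 16)
        out["tee_result"] = TEE_RESULTS.get(code, hex(code))
    if m := SESS_RE.search(log):
        n = int(m.group(1))
        out["errno"] = ERRNO.get(n, str(n))
    if UID_RE.search(log):
        # Thread: U-Boot built with OP-TEE support, but no OP-TEE in the image.
        out["stage"] = "no-optee"
    elif out["tee_result"] or out["ta_uuid"]:
        # Thread: OP-TEE starts (SPD=opteed, tee-raw.bin) but the TA load fails.
        out["stage"] = "ta-load-failed"
    elif out["errno"] or UEFI_RE.search(log):
        out["stage"] = "uefi-init-failed"
    return out

# Excerpts copied from the two console logs in the thread.
LOG_NO_OPTEE = """optee optee: OP-TEE api uid mismatch
Unable to open OP-TEE session (err=-19)
mm_communicate failed!
Error: Cannot initialize UEFI sub-system, r = 3"""
LOG_TA_FAIL = """E/LD: init_elf:486 sys_open_ta_bin(ed32d533-99e6-4209-9cc0-2d72cdd998a7)
E/TC:? 0 ldelf_init_with_ldelf:131 ldelf failed with res: 0xffff0009
Unable to open OP-TEE session (err=-5)
mm_communicate failed!
Error: Cannot initialize UEFI sub-system, r = 3"""

if __name__ == "__main__":
    for name, log in (("first log", LOG_NO_OPTEE), ("second log", LOG_TA_FAIL)):
        print(name, triage(log))
```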
