LS1012A OPTEE

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

LS1012A OPTEE

Jump to solution
1,237 Views
lizuobin
Contributor II

Hi,

   We designed our own board with reference to LS1012A-RDB. The software we used is LSDK-18.06. I tried the software configuration of LS1012A-RDB and LS1012A-FRWY, and the same error is indicated by optee during startup.

U-Boot 2018.03-dirty (Nov 28 2018 - 02:51:43 +0000)

SoC: LS1012A Rev2.0 (0x87040120)
Clock Configuration:
CPU0(A53):1000 MHz
Bus: 250 MHz DDR: 1000 MT/s
Reset Configuration Word (RCW):
00000000: 0800000a 00000000 00000000 00000000
00000010: 35080000 c000000c 40000000 00001800
00000020: 00000000 00000000 00000000 00014572
00000030: 00000000 1082a120 00000096 00000000
I2C: ready
DRAM: 446 MiB
Using SERDES1 Protocol: 13576 (0x3508)
PPA Firmware: Version LSDK-18.06-dirty
SEC Firmware: 'loadables' present in config
loadables: 'trustedOS@1'
ERROR: [0x0] TEE-CORE:tee_otp_get_hw_unique_key:195:
H/W Unique key is not fetched from the platform.
WARNING: Calling __hwconfig without a buffer and before environment is ready
MMC: FSL_SDHC: 0, FSL_SDHC: 1

TEE-CORE:tee_otp_get_hw_unique_key:195:

Is unique_key referring to OPTMK?

How to solve this problem?
thanks

0 Kudos
1 Solution
838 Views
bpe
NXP Employee
NXP Employee

No, chips without SEC cannot perform Secure boot because the on-chip ISBC ROM relies on SEC to verify signatures.

View solution in original post

4 Replies
838 Views
lizuobin
Contributor II

Sorry, I  reply you so late.The chip model we are using is LS1012AXN7KKB,It does not contain a sec engine.

Using a chip that does not contain a sec engine, can optee and secure boot still work?

thanks

0 Kudos
839 Views
bpe
NXP Employee
NXP Employee

No, chips without SEC cannot perform Secure boot because the on-chip ISBC ROM relies on SEC to verify signatures.

838 Views
bpe
NXP Employee
NXP Employee

tee_otp_get_hw_unique_key() actually generates a master key verification blob. The actual job is done by

get_hw_unq_key_blob_hw() defined in another package, PPA, file ppa/drivers/fsl_sec/src/hw_key_blob.c

One possible reason to fail is that you are using a security-disabled chip. If should not fail, however, if you

did not program OTPMK and don't attempt Secure Boot, as the predefined test key is used for the blob in this case.

To get to the exact reason of the failure, see what error is returned by the hardware after run_descriptor_jr()


Have a great day,
Platon

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

838 Views
lizuobin
Contributor II

Sorry, I  reply you so late.The chip model we are using is LS1012AXN7KKB,It does not contain a sec engine.

Using a chip that does not contain a sec engine, can optee and secure boot still work?

thanks

0 Kudos