adding optee hangs secure boot

934 Views
greeran
Contributor III

Hello,

I would like to secure my imx8mp. I added secure boot (HAB) and a FIT image that verifies the rootfs. The boot flow is secure and successful. Now I would like to add optee, but when I add the configuration for optee the boot flow hangs (freezes). The configuration I add:

conf:

MACHINE_FEATURES:append = " optee"
DISTRO_FEATURES:append = " optee"

TEE_CFG_DDR_SIZE = "0x100000000"

image:

IMAGE_INSTALL:append = " optee-os optee-client optee-test"

 

On boot I get:

U-Boot SPL 2022.04-lf_v2022.04_var01+g49ec7c516a (Jan 22 2023 - 09:08:56 +0000)
SEC0: RNG instantiated
Normal Boot
Trying to boot from BOOTROM
image offset 0x8000, pagesize 0x200, ivt offset 0x0
hab fuse not enabled

Authenticate image from DDR location 0x401fcdc0...

 

Does someone know what I am missing?

Thanks

 

0 Kudos
1 Solution
745 Views
greeran
Contributor III

hi

I found out what freezes the boot with optee. It seems that when I add the "CFG_TEE_TA_LOG_LEVEL=4 CFG_TEE_CORE_LOG_LEVEL=4" configuration to the optee-os bbappend, the boot freezes. Without that configuration the boot is successful and the optee loads well also.


0 Kudos
4 Replies
917 Views
Dhruvit
NXP TechSupport

Hi @greeran,

I hope you are doing well.

Please try making changes in CFG_DDR_SIZE at imx-optee-os/core/arch/arm/plat-imx/conf.mk
 

Please make sure that you have updated the [Authenticate Data] Blocks in the CSF according to the info generated using print_fit_hab when op-tee is enabled.

Please make sure that you have referred to /doc/imx/habv4/guides/mx8m_secure_boot.txt in uboot-imx.

Thanks & Regards,
Dhruvit Vasavada

0 Kudos
909 Views
greeran
Contributor III

Hi Dhruvit,

Thanks for the reply. I went over the documents you sent and I see something that I cannot explain when imx-boot creates the flash.bin. I am sending log.do_compile below.

You can see that the tee.bin is found and it's added to the FIT image, but in the print_fit_hab and [Authenticate Data] I do not see the TEE_LOAD_ADDR in the list.

I am using Yocto and from the manual I added all the configuration needed in the conf, so if you could point out what I am missing

thanks 

BL32=tee.bin DEK_BLOB_LOAD_ADDR=0x40400000 TEE_LOAD_ADDR=0x56000000 ATF_LOAD_ADDR=0x00970000 ../iMX8M/mkimage_fit_atf.sh imx8mp-var-dart-dt8mcustomboard-legacy.dtb > u-boot.its
bl31.bin size:
45392
Building with TEE support, make sure bl31.bin is compiled with spd. If you do not want tee, please delete tee.bin
tee.bin size:
550176
u-boot-nodtb.bin size:
1062752
imx8mp-var-dart-dt8mcustomboard-legacy.dtb size:
45568
mkimage -E -p 0x3000 -f u-boot.its u-boot.itb
FIT description: Configuration to load ATF before U-Boot
Created: Wed Oct 19 06:29:00 2022
Image 0 (uboot-1)
Description: U-Boot (64-bit)
Created: Wed Oct 19 06:29:00 2022
Type: Standalone Program
Compression: uncompressed
Data Size: 1062752 Bytes = 1037.84 KiB = 1.01 MiB
Architecture: AArch64
Load Address: 0x40200000
Entry Point: unavailable
Image 1 (fdt-1)
Description: imx8mp-var-dart-dt8mcustomboard-legacy
Created: Wed Oct 19 06:29:00 2022
Type: Flat Device Tree
Compression: uncompressed
Data Size: 45568 Bytes = 44.50 KiB = 0.04 MiB
Architecture: Unknown Architecture
Image 2 (atf-1)
Description: ARM Trusted Firmware
Created: Wed Oct 19 06:29:00 2022
Type: Firmware
Compression: uncompressed
Data Size: 45392 Bytes = 44.33 KiB = 0.04 MiB
Architecture: AArch64
OS: Unknown OS
Load Address: 0x00970000
Image 3 (tee-1)
Description: TEE firmware
Created: Wed Oct 19 06:29:00 2022
Type: Firmware
Compression: uncompressed
Data Size: 550176 Bytes = 537.28 KiB = 0.52 MiB
Architecture: AArch64
OS: Unknown OS
Load Address: 0x56000000
Default Configuration: 'config-1'
Configuration 0 (config-1)
Description: imx8mp-var-dart-dt8mcustomboard-legacy
Kernel: unavailable
Firmware: uboot-1
FDT: fdt-1
Loadables: atf-1
tee-1
./mkimage_imx8 -version v2 -fit -loader u-boot-spl-ddr.bin 0x920000 -second_loader u-boot.itb 0x40200000 0x60000 -out flash.bin > hab.log 2<&1
./../scripts/pad_image.sh tee.bin
./../scripts/pad_image.sh bl31.bin
./../scripts/pad_image.sh u-boot-nodtb.bin imx8mp-var-dart-dt8mcustomboard-legacy.dtb
TEE_LOAD_ADDR=0x56000000 ATF_LOAD_ADDR=0x00970000 VERSION=v2 ../iMX8M/print_fit_hab.sh 0x60000 imx8mp-var-dart-dt8mcustomboard-legacy.dtb > hab2.log 2<&1
csf_assemble
csf_assemble 1
csf_assemble 1 SPL_BLOCKS 0x91ffc0 0x0 0x33800 "flash.bin"
csf_assemble 2
csf_assemble 2 FIT_BLOCK_1: 0x401fcdc0 0x58000 0x1020 "flash.bin"
csf_assemble 2 FIT_BLOCK_2: 0x40200000 0x5B000 0x103760 "flash.bin"
csf_assemble 2 FIT_BLOCK_3: 0x40303760 0x15E760 0xB200 "flash.bin"
csf_assemble 2 FIT_BLOCK_4: 0x970000 0x169960 0xB150 "flash.bin"
csf_assemble 3 csf_spl.bin
[Header]
Version = 4.3
Hash Algorithm = sha256
Engine = CAAM
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
File = "/workdir/build_secure_real/../keys/cst-3.3.1/crts/SRK_1_2_3_4_table.bin"
Source index = 0
[Install CSFK]
File = "/workdir/build_secure_real/../keys/cst-3.3.1/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Unlock]
Engine = CAAM
Features = MID
[Install Key]
Verification index = 0
Target Index = 2
File = "/workdir/build_secure_real/../keys/cst-3.3.1/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
[Authenticate Data]
Verification index = 2
Blocks = 0x91ffc0 0x0 0x33800 "flash.bin"
CSF Processed successfully and signed data available in csf_spl.bin
csf_assemble 3 csf_fit.bin
[Header]
Version = 4.3
Hash Algorithm = sha256
Engine = CAAM
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
File = "/workdir/build_secure_real/../keys/cst-3.3.1/crts/SRK_1_2_3_4_table.bin"
Source index = 0
[Install CSFK]
File = "/workdir/build_secure_real/../keys/cst-3.3.1/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Install Key]
Verification index = 0
Target Index = 2
File = "/workdir/build_secure_real/../keys/cst-3.3.1/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
[Authenticate Data]
Verification index = 2
Blocks = 0x401fcdc0 0x58000 0x1020 "flash.bin", \
0x40200000 0x5B000 0x103760 "flash.bin", \
0x40303760 0x15E760 0xB200 "flash.bin", \
0x970000 0x169960 0xB150 "flash.bin"
CSF Processed successfully and signed data available in csf_fit.bin

0 Kudos
857 Views
Dhruvit
NXP TechSupport

Hello @greeran 

I hope you are doing well.

Please refer to the below link and check the suggestion for HAB event enabling on i.MX8mp and share the observation.
https://community.nxp.com/t5/i-MX-Processors/imx8mp-HAB/m-p/1546498#M197035

I hope it helps!

Thanks & Regards,

Dhruvit Vasavada

0 Kudos