Integrate OP-TEE with minimal effort #16
Open
This commit extends the boot sequence for the Kontron iMX8MM by a BL32 component, in this case OP-TEE:
ROM -> SPL -> BL31 (ATF) -> BL32 (OP-TEE) -> BL33 (U-Boot) -> ...
Since OP-TEE is about separation of memory for a secure world (TEE) and a normal world (REE), the integration of OP-TEE also means that DRAM now has a separate 32MiB area for the TEE. This piece of memory sits at the end of the 1GiB memory that the board has (starting at 0x7e000000).
The TEE can be accessed from user space (Linux) using 'tee-supplicant' (started as a daemon) and, for example, 'optee_example_hello_world', which is part of the optee_examples suite.
For now OP-TEE is integrated in INSECURE mode, as for production there are more things to integrate, e.g. the CAAM random number generator. This yields log warnings about insecure configurations which can be ignored for now.
There are multiple ways to build and package OP-TEE:
All three methods are widely used; there is no 'best' way of doing this. For the sake of the changes in this commit option 1. is used. Note that this process can also be executed in a post-script, which can be interesting when artefacts need to be signed for HAB (i.MX CST tools are integrated with Binman in newer versions of U-Boot). The output of these build processes is usually a 'flash.bin' file which contains the SPL binary as well as a FIT image that consists of BL31, BL32 and BL33.
The Kontron i.MX8MM just has 1GiB and needs a special configuration for this size in the ATF and OP-TEE artefacts, as the defaults in the respective build processes assume 2GiB memory. Also the memory region which was chosen here is purely subjective (but common); other vendors like Phytec put the TEE region at different places.
Also note that in this build process the binary 'tee-raw.bin' is used. This is quite important as the normal 'tee.bin' (output from optee-os build) already contains FIT-ready headers, making it unsuitable for Binman (which would put these headers again on top).
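A pre-packaging check for the two pitfalls the description names (a TEE region sized for the wrong DRAM, and a headered 'tee.bin' handed to Binman instead of 'tee-raw.bin'), as an added example that is not part of this pull request. It assumes that i.MX8MM DRAM starts at 0x40000000 and that the header in question is the OP-TEE image header beginning with the magic bytes "OPTE"; the function names and sample blobs are hypothetical.

```python
import struct

MiB = 1 << 20
# Assumption (not on the page): i.MX8MM maps DRAM from 0x40000000.
DRAM_BASE = 0x40000000
DRAM_SIZE = 1024 * MiB      # 1GiB board, from the description
TEE_BASE = 0x7E000000       # from the description
TEE_SIZE = 32 * MiB         # from the description
# Assumption: the header tee.bin carries is the OP-TEE image header:
# magic, version, arch, flags, init_size, load_hi, load_lo, mem_usage, paged_size
OPTEE_MAGIC = 0x4554504F    # little-endian bytes b"OPTE"
OPTEE_HDR = struct.Struct("<IBBHIIIII")


def check_carveout(dram_base, dram_size, tee_base, tee_size):
    """Return a list of problems with the TEE carve-out; empty means OK."""
    problems = []
    dram_end = dram_base + dram_size
    if tee_base < dram_base or tee_base + tee_size > dram_end:
        problems.append("TEE region is not inside DRAM")
    elif tee_base + tee_size != dram_end:
        problems.append("TEE region does not sit at the end of DRAM")
    return problems


def describe_tee_image(blob):
    """Classify a TEE binary as 'headered' (tee.bin style) or 'raw'."""
    if len(blob) >= OPTEE_HDR.size:
        fields = OPTEE_HDR.unpack_from(blob)
        if fields[0] == OPTEE_MAGIC:
            load = (fields[5] << 32) | fields[6]
            return {"kind": "headered", "version": fields[1], "load_addr": load}
    return {"kind": "raw"}


def preflight(blob):
    """Problems that should stop packaging this blob as BL32."""
    problems = check_carveout(DRAM_BASE, DRAM_SIZE, TEE_BASE, TEE_SIZE)
    if describe_tee_image(blob)["kind"] == "headered":
        problems.append("image carries an OP-TEE header; use tee-raw.bin")
    return problems


# Constructed sample inputs (not real build output).
SAMPLE_HEADERED = OPTEE_HDR.pack(OPTEE_MAGIC, 1, 1, 0, 0x1000, 0, TEE_BASE, 0, 0) + b"\x00" * 64
SAMPLE_RAW = b"\x00\x00\x00\x14" + b"\x00" * 64
```

In a post-script, `preflight(open(path, "rb").read())` would run on the BL32 input before Binman assembles 'flash.bin', failing the build when the returned list is not empty.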