IMX8 OPTEE: Difference between revisions
(Add support for Debian build with Yocto)
(7 intermediate revisions by 3 users not shown)
Line 1: | Line 1: | ||
<!-- Set release according to "release" parameter in URL and use mx8mp-yocto-kirkstone-5.15-2.0.x-v1.0 as default | <!-- Set release according to "release" parameter in URL and use mx8mp-yocto-kirkstone-5.15-2.0.x-v1.0 as default | ||
--> {{# | --> {{INIT_RELEASE_PARAM|mx8mp-yocto-kirkstone-5.15-2.0.x-v1.0}}<!-- | ||
--> {{#lst: | --> {{#lst:Yocto_Platform_Customization|{{#var:RELEASE_PARAM}}}} <!-- | ||
--> {{#vardefine: | --> {{#lst:Debian_Platform_Customization|{{#var:RELEASE_PARAM}}}} <!-- | ||
--> {{#vardefine:OS | {{#varexists:B2QT_GIT | B2QT | {{#varexists:DEBIAN_NAME | Debian | Yocto }} }} }} <!-- | |||
--> {{#vardefine:BUILD_RELEASE_GUIDE | {{#varexists:DEBIAN_NAME | Yocto_Debian_Build_Release | {{#var:OS}}_Build_Release }} }} <!-- | |||
--> {{PageHeader|{{#var:HARDWARE_NAME}} OPTEE}} {{DocImage|category1=Yocto|category2={{#var:HARDWARE_NAME}}}} __toc__ | --> {{PageHeader|{{#var:HARDWARE_NAME}} OPTEE}} {{DocImage|category1=Yocto|category2={{#var:HARDWARE_NAME}}}} __toc__ | ||
= OP-TEE Introduction = | = OP-TEE Introduction = | ||
NXP Platforms support the use of Open Portable Trusted Execution Environment (OP-TEE). | NXP i.MX Platforms support the use of OP-TEE. | ||
OP-TEE (Open Portable Trusted Execution Environment) is an open-source Trusted Execution Environment (TEE) designed for ARM-based devices. A TEE is a secure area of a processor, isolated from the main operating system, that provides a secure environment for executing trusted applications. OP-TEE is designed to provide a secure environment for executing sensitive code and protecting the confidentiality and integrity of data on the device. | |||
OP-TEE is based on the ARM TrustZone technology, which provides hardware-enforced isolation between the trusted and non-trusted parts of a system. | |||
The main design goals are: | |||
* Isolation - the TEE provides isolation from the non-secure OS and protects the loaded Trusted Applications (TAs) from each other using underlying hardware support. | |||
* Small footprint - the TEE should remain small enough to reside in a reasonable amount of on-chip memory as found on ARM-based systems. | |||
* Portability - the TEE aims at being easily pluggable to different architectures and available HW and has to support various setups such as multiple client OSes or multiple TEEs. | |||
For more information, please see the following resources from NXP: | For more information, please see the following resources from NXP: | ||
* https://www.nxp.com/docs/en/user-guide/IMX_PORTING_GUIDE.pdf | * See the OP-TEE section in https://www.nxp.com/docs/en/user-guide/IMX_PORTING_GUIDE.pdf | ||
* https://www.nxp.com/design/training/trusted-execution-environment-getting-started-with-op-tee-on-i-mx-processors:TIP-TRUSTED-EXECUTION-ENVIRONMENT-GETTING-STARTED | * https://www.nxp.com/design/training/trusted-execution-environment-getting-started-with-op-tee-on-i-mx-processors:TIP-TRUSTED-EXECUTION-ENVIRONMENT-GETTING-STARTED | ||
= Enable OP-TEE with {{#var: | = Enable OP-TEE with {{#var:OS}} = | ||
To enable OP-TEE, add the following to conf/local.conf: | To enable OP-TEE, add the following to conf/local.conf: | ||
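Review bot: On the PageHeader/DocImage line, category1=Yocto stays hard-coded although this hunk introduces the OS variable, which can resolve to B2QT, Debian or Yocto, and uses it in the "Enable OP-TEE with {{#var:OS}}" heading. If the image category is meant to follow the selected OS, use category1={{#var:OS}}; if Yocto is intentional because every variant is built through conf/local.conf, say so in the template comment at the top.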
Line 21: | Line 32: | ||
IMAGE_INSTALL:append = " optee-os optee-test" | IMAGE_INSTALL:append = " optee-os optee-test" | ||
Then, rebuild the {{#var: | Then, rebuild the {{#var:OS}} image and test OP-TEE using the xtest utility. | ||
For more information about how to rebuild the {{#var: | For more information about how to rebuild the {{#var:OS}}, follow the steps here: {{Varlink|{{#var:BUILD_RELEASE_GUIDE}}|{{#var:RELEASE_LINK}}|Build {{#var:OS}} from source code}}. | ||
= OP-TEE Memory Configuration = | = OP-TEE Memory Configuration = |
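Review bot: The last changed sentence of this hunk, "how to rebuild the {{#var:OS}}, follow the steps here", drops the noun and renders as "rebuild the Yocto". The line before it already reads "rebuild the {{#var:OS}} image", so use "how to rebuild the {{#var:OS}} image" here as well.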
Latest revision as of 15:35, 22 May 2024
This page is using the default release mx8mp-yocto-kirkstone-5.15-2.0.x-v1.0.
OP-TEE Introduction
NXP i.MX Platforms support the use of OP-TEE.
OP-TEE (Open Portable Trusted Execution Environment) is an open-source Trusted Execution Environment (TEE) designed for ARM-based devices. A TEE is a secure area of a processor, isolated from the main operating system, that provides a secure environment for executing trusted applications. OP-TEE is designed to provide a secure environment for executing sensitive code and protecting the confidentiality and integrity of data on the device.
OP-TEE is based on the ARM TrustZone technology, which provides hardware-enforced isolation between the trusted and non-trusted parts of a system.
The main design goals are:
- Isolation - the TEE provides isolation from the non-secure OS and protects the loaded Trusted Applications (TAs) from each other using underlying hardware support.
- Small footprint - the TEE should remain small enough to reside in a reasonable amount of on-chip memory as found on ARM-based systems.
- Portability - the TEE aims at being easily pluggable to different architectures and available HW and has to support various setups such as multiple client OSes or multiple TEEs.
For more information, please see the following resources from NXP:
- See the OP-TEE section in https://www.nxp.com/docs/en/user-guide/IMX_PORTING_GUIDE.pdf
- https://www.nxp.com/design/training/trusted-execution-environment-getting-started-with-op-tee-on-i-mx-processors:TIP-TRUSTED-EXECUTION-ENVIRONMENT-GETTING-STARTED
Enable OP-TEE with Yocto
To enable OP-TEE, add the following to conf/local.conf:
MACHINE_FEATURES:append = " optee"
DISTRO_FEATURES:append = " optee"
IMAGE_INSTALL:append = " optee-os optee-test"
Then, rebuild the Yocto image and test OP-TEE using the xtest utility.
For more information about how to rebuild the Yocto image, follow the steps here: Build Yocto from source code.
OP-TEE Memory Configuration
The DRAM size is hardcoded in optee-os and needs to be updated to match the memory configuration of your SoM.
The DRAM size is configured by the variable TEE_CFG_DDR_SIZE, which is initialized in https://github.com/varigit/meta-variscite-bsp/blob/kirkstone/conf/machine/imx8mp-var-dart.conf and may be updated directly or overridden in conf/local.conf.
For example, override TEE_CFG_DDR_SIZE to 4GB:
TEE_CFG_DDR_SIZE = "0x100000000"
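A pre-build check for the two configuration steps above (the three OP-TEE lines and the DRAM size override), added here as an example and not part of the Variscite BSP. The function names and the sample file are constructed, sizes are taken in GiB, and lines are matched exactly as written on this page, which is stricter than BitBake's own parsing.

```shell
#!/bin/sh
# Added example: function names and the sample file are constructed.

# Print the TEE_CFG_DDR_SIZE line for a SoM with the given DRAM size in GiB.
ddr_size_line() {
    case "$1" in
        ''|*[!0-9]*|0*)
            echo "DRAM size must be a positive whole number of GiB" >&2
            return 1 ;;
    esac
    printf 'TEE_CFG_DDR_SIZE = "0x%X"\n' "$(( $1 * 1024 * 1024 * 1024 ))"
}

# Print the variables whose OP-TEE line is absent from the file in $1 or
# differs from the page's text. The match is exact on purpose: ":append"
# adds no separator, so a value without its leading space is glued onto
# the previous entry in the variable.
missing_optee_settings() {
    missing=""
    for want in \
        'MACHINE_FEATURES:append = " optee"' \
        'DISTRO_FEATURES:append = " optee"' \
        'IMAGE_INSTALL:append = " optee-os optee-test"'
    do
        grep -qxF -- "$want" "$1" || missing="$missing ${want%%:*}"
    done
    echo "${missing# }"
}

# Constructed sample local.conf: DISTRO_FEATURES has lost its leading space
# and the DRAM size is still the value for a 2 GiB SoM.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
MACHINE_FEATURES:append = " optee"
DISTRO_FEATURES:append = "optee"
IMAGE_INSTALL:append = " optee-os optee-test"
TEE_CFG_DDR_SIZE = "0x80000000"
EOF

echo "missing or malformed: $(missing_optee_settings "$sample")"
want_size=$(ddr_size_line 4)
grep -qxF -- "$want_size" "$sample" ||
    echo "DRAM size mismatch, expected: $want_size"
```

Point missing_optee_settings at your own conf/local.conf before starting the build; an empty result means all three lines are present as written.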