IMX8 OPTEE: Difference between revisions

From Variscite Wiki
(Add support for Debian build with Yocto)
 
(2 intermediate revisions by 2 users not shown)
Line 2: Line 2:
--> {{INIT_RELEASE_PARAM|mx8mp-yocto-kirkstone-5.15-2.0.x-v1.0}}<!--
--> {{INIT_RELEASE_PARAM|mx8mp-yocto-kirkstone-5.15-2.0.x-v1.0}}<!--
--> {{#lst:Yocto_Platform_Customization|{{#var:RELEASE_PARAM}}}} <!--
--> {{#lst:Yocto_Platform_Customization|{{#var:RELEASE_PARAM}}}} <!--
--> {{#vardefine:B2QT_OR_YOCTO | {{#varexists: B2QT_GIT | B2QT | Yocto }} }} <!--
--> {{#lst:Debian_Platform_Customization|{{#var:RELEASE_PARAM}}}} <!--
--> {{#vardefine:OS | {{#varexists:B2QT_GIT | B2QT | {{#varexists:DEBIAN_NAME | Debian | Yocto }} }} }} <!--
--> {{#vardefine:BUILD_RELEASE_GUIDE | {{#varexists:DEBIAN_NAME | Yocto_Debian_Build_Release | {{#var:OS}}_Build_Release }} }} <!--
--> {{PageHeader|{{#var:HARDWARE_NAME}} OPTEE}} {{DocImage|category1=Yocto|category2={{#var:HARDWARE_NAME}}}} __toc__
--> {{PageHeader|{{#var:HARDWARE_NAME}} OPTEE}} {{DocImage|category1=Yocto|category2={{#var:HARDWARE_NAME}}}} __toc__


= OP-TEE Introduction =
= OP-TEE Introduction =


NXP i.MX Platforms support the use of Open Portable Trusted Execution Environment (OP-TEE).
NXP i.MX Platforms support the use of OP-TEE.


OP-TEE is designed primarily to rely on the Arm TrustZone technology as the underlying hardware isolation mechanism. However, it has been structured to be compatible with any isolation technology suitable for the TEE concept and goals, such as running as a virtual machine or on a dedicated CPU.
OP-TEE (Open Portable Trusted Execution Environment) is an open-source Trusted Execution Environment (TEE) designed for ARM-based devices. A TEE is a secure area of a processor, isolated from the main operating system, that provides a secure environment for executing trusted applications. OP-TEE is designed to provide a secure environment for executing sensitive code and protecting the confidentiality and integrity of data on the device.


The main design goals for OP-TEE are:
OP-TEE is based on the ARM TrustZone technology, which provides hardware-enforced isolation between the trusted and non-trusted parts of a system.
 
The main design goals are:
* Isolation - the TEE provides isolation from the non-secure OS and protects the loaded Trusted Applications (TAs) from each other using underlying hardware support.
* Isolation - the TEE provides isolation from the non-secure OS and protects the loaded Trusted Applications (TAs) from each other using underlying hardware support.
* Small footprint - the TEE should remain small enough to reside in a reasonable amount of on-chip memory as found on Arm based systems.
* Small footprint - the TEE should remain small enough to reside in a reasonable amount of on-chip memory as found on ARM-based systems.
* Portability - the TEE aims at being easily pluggable to different architectures and available HW and has to support various setups such as multiple client OSes or multiple TEEs.
* Portability - the TEE aims at being easily pluggable to different architectures and available HW and has to support various setups such as multiple client OSes or multiple TEEs.
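Review bot: The two new variable definitions at the top of this hunk use different precedence: OS tests B2QT_GIT before DEBIAN_NAME, while BUILD_RELEASE_GUIDE tests DEBIAN_NAME first. A release that defines both would render the OS name as B2QT but link to Yocto_Debian_Build_Release. Suggest giving BUILD_RELEASE_GUIDE the same order of checks as OS, or adding a comment that the two variables are never defined for the same release. As a documentation point, the rewritten introduction also drops the earlier sentence saying OP-TEE is structured to work with isolation technologies other than TrustZone; if that removal is intentional it is worth mentioning in the edit summary.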


Line 20: Line 24:
* https://www.nxp.com/design/training/trusted-execution-environment-getting-started-with-op-tee-on-i-mx-processors:TIP-TRUSTED-EXECUTION-ENVIRONMENT-GETTING-STARTED
* https://www.nxp.com/design/training/trusted-execution-environment-getting-started-with-op-tee-on-i-mx-processors:TIP-TRUSTED-EXECUTION-ENVIRONMENT-GETTING-STARTED


= Enable OP-TEE with {{#var:B2QT_OR_YOCTO}} =
= Enable OP-TEE with {{#var:OS}} =


To enable OP-TEE, add the following to conf/local.conf:
To enable OP-TEE, add the following to conf/local.conf:
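Review bot: With the heading switched to {{#var:OS}}, a Debian release renders this section as "Enable OP-TEE with Debian" while the first step still edits conf/local.conf with no explanation. Suggest one sentence stating that the Debian image is built through Yocto, as the edit summary implies, so the step does not look misplaced.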
Line 28: Line 32:
  IMAGE_INSTALL:append = " optee-os optee-test"
  IMAGE_INSTALL:append = " optee-os optee-test"


Then, rebuild the {{#var:B2QT_OR_YOCTO}} image and test OP-TEE using the xtest utility.
Then, rebuild the {{#var:OS}} image and test OP-TEE using the xtest utility.


For more information about how to rebuild the {{#var:B2QT_OR_YOCTO}}, follow the steps here: {{Varlink|{{#var:B2QT_OR_YOCTO}}_Build_Release|{{#var:RELEASE_LINK}}|Build {{#var:B2QT_OR_YOCTO}} from source code}}.
For more information about how to rebuild the {{#var:OS}}, follow the steps here: {{Varlink|{{#var:BUILD_RELEASE_GUIDE}}|{{#var:RELEASE_LINK}}|Build {{#var:OS}} from source code}}.


= OP-TEE Memory Configuration =
= OP-TEE Memory Configuration =
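Review bot: The last changed sentence in this hunk keeps the wording "how to rebuild the {{#var:OS}}", which renders as "rebuild the Yocto" or "rebuild the Debian" with no noun. Suggest "how to rebuild the {{#var:OS}} image", matching the "rebuild the {{#var:OS}} image" sentence two lines above it.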

Latest revision as of 15:35, 22 May 2024

This page is using the default release mx8mp-yocto-kirkstone-5.15-2.0.x-v1.0.

DART-MX8M-PLUS OPTEE

OP-TEE Introduction

NXP i.MX Platforms support the use of OP-TEE.

OP-TEE (Open Portable Trusted Execution Environment) is an open-source Trusted Execution Environment (TEE) designed for ARM-based devices. A TEE is a secure area of a processor, isolated from the main operating system, that provides a secure environment for executing trusted applications. OP-TEE is designed to provide a secure environment for executing sensitive code and protecting the confidentiality and integrity of data on the device.

OP-TEE is based on the ARM TrustZone technology, which provides hardware-enforced isolation between the trusted and non-trusted parts of a system.

The main design goals are:

  • Isolation - the TEE provides isolation from the non-secure OS and protects the loaded Trusted Applications (TAs) from each other using underlying hardware support.
  • Small footprint - the TEE should remain small enough to reside in a reasonable amount of on-chip memory as found on ARM-based systems.
  • Portability - the TEE aims at being easily pluggable to different architectures and available HW and has to support various setups such as multiple client OSes or multiple TEEs.

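For more information, please see the following resources from NXP:

  • https://www.nxp.com/design/training/trusted-execution-environment-getting-started-with-op-tee-on-i-mx-processors:TIP-TRUSTED-EXECUTION-ENVIRONMENT-GETTING-STARTED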

Enable OP-TEE with Yocto

To enable OP-TEE, add the following to conf/local.conf:

  MACHINE_FEATURES:append = " optee"
  DISTRO_FEATURES:append = " optee"
  IMAGE_INSTALL:append = " optee-os optee-test"

Then, rebuild the Yocto image and test OP-TEE using the xtest utility.

For more information about how to rebuild the Yocto image, follow the steps here: Build Yocto from source code.

OP-TEE Memory Configuration

The DRAM memory size is hardcoded in optee-os and needs to be updated according to the memory configuration of your SoM.

The DRAM size is configured by the variable TEE_CFG_DDR_SIZE, which is initialized in https://github.com/varigit/meta-variscite-bsp/blob/kirkstone/conf/machine/imx8mp-var-dart.conf and may be updated directly or overridden in conf/local.conf.


For example, override TEE_CFG_DDR_SIZE to 4GB:

  TEE_CFG_DDR_SIZE = "0x100000000"
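
A quick lint for the two configuration steps above (the OP-TEE feature lines and the TEE_CFG_DDR_SIZE override), as an added example that is not part of the Variscite wiki or BSP. The function names and the sample fragment are constructed here; the script also checks that each :append value starts with a space, since BitBake's :append does not insert one.

```shell
#!/bin/sh
# Added example (not Variscite code): lint conf/local.conf for the OP-TEE settings.
# Usage: sh check_optee_conf.sh conf/local.conf <DRAM size in GiB>

# Constructed sample: the fragment from this page with the 4GB override.
sample_conf() {
    cat <<'EOF'
MACHINE_FEATURES:append = " optee"
DISTRO_FEATURES:append = " optee"
IMAGE_INSTALL:append = " optee-os optee-test"
TEE_CFG_DDR_SIZE = "0x100000000"
EOF
}

# True if FILE sets VAR:append to a value that starts with a space and lists WORD.
# BitBake's :append adds no separator, so a missing leading space glues the
# word onto the previous entry.
has_append() {  # has_append FILE VAR WORD
    grep -Eq "^[[:space:]]*$2:append[[:space:]]*=[[:space:]]*\" ([^\"]* )?$3( [^\"]*)?\"" "$1"
}

# Print the last TEE_CFG_DDR_SIZE hex value assigned with "=" in FILE, if any.
ddr_size() {
    sed -n 's/^[[:space:]]*TEE_CFG_DDR_SIZE[[:space:]]*=[[:space:]]*"\(0x[0-9A-Fa-f][0-9A-Fa-f]*\)".*/\1/p' "$1" | tail -n 1
}

# Return 0 if all OP-TEE lines are present and the DDR size equals GIB gibibytes.
check_optee_conf() {  # check_optee_conf FILE GIB
    conf=$1; gib=$2; rc=0
    for pair in MACHINE_FEATURES=optee DISTRO_FEATURES=optee \
                IMAGE_INSTALL=optee-os IMAGE_INSTALL=optee-test; do
        has_append "$conf" "${pair%%=*}" "${pair#*=}" ||
            { echo "missing or malformed: ${pair%%=*}:append = \" ${pair#*=}\""; rc=1; }
    done
    size=$(ddr_size "$conf")
    if [ -z "$size" ]; then
        echo "note: TEE_CFG_DDR_SIZE not set here; the machine conf value applies"
    elif [ "$(($size))" -ne "$((gib * 1024 * 1024 * 1024))" ]; then
        echo "TEE_CFG_DDR_SIZE=$size does not match $gib GiB of DRAM"; rc=1
    fi
    return "$rc"
}

if [ "$#" -eq 2 ]; then check_optee_conf "$1" "$2"; fi
```

Run it from the build directory before starting the image build; it only reads local.conf, so a size set directly in the machine configuration file is reported as "not set here".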