Hello,
We want to boot OPTEE OS from a fit Image on a Colibri imx6ull. Currently we are able to boot Optee on the board using a uTee Image. However, when having OPTEE inside a fitImage, uboot will not boot it as it doesn’t recognize it as a valid image. The error message is:
    No Trusted Execution Environment ARM Kernel Image Image
    ERROR: can't get kernel image!
We followed the instructions from this GitHub issue (OP-TEE boot flow · Issue #1887 · OP-TEE/optee_os · GitHub). As those seemed to have worked, we wonder whether Uboot toradex expects some additional information.
Below you can find documentation on how we built the image as well as the output from uboot.
Steps to produce fitImage containing optee image:
Steps we conducted to try run OPTEE on imx6ull
- Setup Toradex Yocto branch zeus:
    repo init -u Index of /toradex-bsp-platform.git -b LinuxImage4.0
    repo sync
- add layers needed for optee os
    git clone -b zeus meta-linaro.git - Linaro layer for OpenEmbedded.
    git clone -b zeus GitHub - priv-kweihmann/meta-sca: Layer for static code analysis and security hardening
- add meta-linaro/meta-optee and meta-sca to bblayers.conf
- Adjust optee-os_git.bb
    EXTRA_OEMAKE = "PLATFORM=${OPTEEMACHINE} CFG_ARM64_core=n \
        CROSS_COMPILE_core=${HOST_PREFIX} \
        CROSS_COMPILE_ta_arm32=${HOST_PREFIX} \
        NOWERROR=1 \
        ta-targets=ta_arm32 \
        LDFLAGS= \
        LIBGCC_LOCATE_CFLAGS=--sysroot=${STAGING_DIR_HOST} \
        ARCH=arm \
        CFG_PAGEABLE_ADDR=0 \
        CFG_DT=y \
        DEBUG=y \
        CFG_TEE_CORE_LOG_LEVEL=1 \
        "
- add optee os configuration to local.conf
    IMAGE_INSTALL_append = "optee-os optee-client optee-examples"
    OPTEEMACHINE = "imx-mx6ullevk"
    OPTEEOUTPUTMACHINE = "imx"
    OPTEE_ARCH = "arm32"
- Configure uboot to allow booting optee
    CONFIG_TEE=y
    CONFIG_OPTEE=y
    CONFIG_BOOTM_OPTEE=y
    CONFIG_OPTEE_LOAD_ADDR=0x9e000000
    CONFIG_OPTEE_TZDRAM_SIZE=0x1f00000
    CONFIG_OPTEE_TZDRAM_BASE=0x9e000000
- Build images
    . export
    bitbake core-image-minimal
  When building a uTee image after this step, it is possible to boot optee from the uTee image.
- Make fitImage
fitimage source:
    /dts-v1/;
    / {
        description = "U-Boot fitImage ";
        #address-cells = <1>;
        images {
            kernel@1 {
                description = "Linux kernel";
                data = /incbin/("linux.bin");
                type = "kernel";
                arch = "arm";
                os = "linux";
                compression = "none";
                load = <0x80800000>;
                entry = <0x80800000>;
                hash@1 {
                    algo = "sha256";
                };
            };
            optee@1 {
                description = "XXXX OP-TEE";
                data = /incbin/("optee/tee.bin");
                type = "kernel";
                arch = "arm";
                os = "tee";
                compression = "none";
                load = <0x9DFFFFE4>;
                entry = <0x9E000000>;
                hash@1 {
                    algo = "sha256";
                };
            };
            fdt@1 {
                description = "Flattened Device Tree blob";
                data = /incbin/("imx6ull-colibri-wifi-eval-v3.dtb");
                type = "flat_dt";
                arch = "arm";
                compression = "none";
                hash@1 {
                    algo = "sha256";
                };
            };
        };
        configurations {
            default = "conf@1";
            conf@1 {
                description = "1 Linux kernel, FDT blob";
                kernel = "optee@1";
                loadables = "kernel@1";
                fdt = "fdt@1";
                hash@1 {
                    algo = "sha256";
                };
            };
        };
    };
Make image: …/…/…/tmp/sysroots-components/x86_64/u-boot-tools-native/usr/bin/mkimage -f fitimageutee.its fitImage
- Load fitImage to board and boot it
    tftp fitImage
    bootm ${loadaddr}
When trying to boot the fitimage, it stops with the following output:
    Loading kernel from FIT Image at 82000000 ...
    Using 'conf@1' configuration
    Trying 'optee@1' kernel subimage
    Description: XXXX OP-TEE
    Type: Kernel Image
    Compression: uncompressed
    Data Start: 0x8253d854
    Data Size: 341180 Bytes = 333.2 KiB
    Architecture: ARM
    OS: Trusted Execution Environment
    Load Address: 0x9dffffe4
    Entry Point: 0x9e000000
    Hash algo: sha256
    Hash value: 2903fc3b758e66b7fd464187fd9c6f4af38b32b5ef9ba5aec77a7ef99f38cddc
    Verifying Hash Integrity ... sha256+ OK
    No Trusted Execution Environment ARM Kernel Image Image
    ERROR: can't get kernel image!
We would be very happy if there is someone having experience with using OPTEE in that context or in general can shed some light on what may cause such an error to occur.
Best regards!
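
Added example, not part of the original post: in the optee@1 node, load (0x9DFFFFE4) and entry (0x9E000000) differ by 0x1C, the size of the header that precedes the OP-TEE payload in tee.bin. The Python check below derives that pair from an image and tests it against the CONFIG_OPTEE_TZDRAM_* window quoted above. The header layout, the function name and the sample bytes are assumptions made for this example.

```python
import struct

# Assumption (not stated in the post): tee.bin starts with the 28-byte
# little-endian OP-TEE v1 header: magic, version, arch, flags, init_size,
# init_load_addr_hi, init_load_addr_lo, init_mem_usage, paged_size.
HDR = struct.Struct("<IBBHIIIII")
OPTEE_MAGIC = 0x4554504F  # ASCII "OPTE"

# Values taken from the post's U-Boot configuration.
TZDRAM_BASE = 0x9E000000
TZDRAM_SIZE = 0x1F00000


def fit_addresses(image, tzdram_base=TZDRAM_BASE, tzdram_size=TZDRAM_SIZE):
    """Return the load/entry pair a FIT node needs for a header-prefixed
    tee.bin, plus whether the payload fits the secure DRAM window."""
    if len(image) < HDR.size:
        raise ValueError("image is shorter than the OP-TEE header")
    magic, version, _arch, _flags, _init, hi, lo, _mem, _paged = HDR.unpack_from(image)
    if magic != OPTEE_MAGIC or version != 1:
        raise ValueError(f"not a v1 OP-TEE image (magic={magic:#x}, version={version})")
    entry = (hi << 32) | lo
    load = entry - HDR.size  # header is copied directly below the entry point
    payload_end = entry + len(image) - HDR.size
    return {
        "load": load,
        "entry": entry,
        "fits_tzdram": tzdram_base <= entry and payload_end <= tzdram_base + tzdram_size,
        "header_below_window": load < tzdram_base,
    }


# Constructed sample: header plus zero padding, 341180 bytes in total like the
# 'optee@1' subimage in the post's boot log. It is not a real OP-TEE binary.
SAMPLE = HDR.pack(OPTEE_MAGIC, 1, 0, 0, 341152, 0, 0x9E000000, 0, 0) + bytes(341152)

if __name__ == "__main__":
    result = fit_addresses(SAMPLE)
    print(f"load  = <{result['load']:#010x}>;")
    print(f"entry = <{result['entry']:#010x}>;")
    print("payload inside TZDRAM window:", result["fits_tzdram"])
    print("header lands below TZDRAM base:", result["header_below_window"])
```

To check a real build, pass the bytes of the tee.bin referenced by the .its instead of SAMPLE.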