Boot OPTEE from fitImage on colibri imx6ull

Hello,

We want to boot OPTEE OS from a fit Image on a Colibri imx6ull. Currently we are able to boot Optee on the board using a uTee Image. However, when having OPTEE inside a fitImage, uboot will not boot it as it doesn’t recognize it as a valid image. The error message is:

    No Trusted Execution Environment ARM Kernel Image Image
    ERROR: can't get kernel image!

We followed the instructions from this GitHub issue (OP-TEE boot flow · Issue #1887 · OP-TEE/optee_os · GitHub). As those seemed to have worked, we wonder whether Uboot toradex expects some additional information.
Below you can find documentation on how we built the image as well as the output from uboot.

Steps to produce fitImage containing optee image:

Steps we conducted to try run OPTEE on imx6ull

  1. Setup Toradex Yocto branch zeus:

    repo init -u Index of /toradex-bsp-platform.git -b LinuxImage4.0
    repo sync

  2. add layers needed for optee os

    git clone -b zeus meta-linaro.git - Linaro layer for OpenEmbedded.
    git clone -b zeus GitHub - priv-kweihmann/meta-sca: Layer for static code analysis and security hardening

  3. add meta-linaro/meta-optee and meta-sca to bblayers.conf

  4. Adjust optee-os_git.bb

    EXTRA_OEMAKE = "PLATFORM=${OPTEEMACHINE} CFG_ARM64_core=n \
        CROSS_COMPILE_core=${HOST_PREFIX} \
        CROSS_COMPILE_ta_arm32=${HOST_PREFIX} \
        NOWERROR=1 \
        ta-targets=ta_arm32 \
        LDFLAGS= \
        LIBGCC_LOCATE_CFLAGS=--sysroot=${STAGING_DIR_HOST} \
        ARCH=arm \
        CFG_PAGEABLE_ADDR=0 \
        CFG_DT=y \
        DEBUG=y \
        CFG_TEE_CORE_LOG_LEVEL=1 \
        "

  5. add optee os configuration to local.conf

    # leading space so the packages are not glued onto the previous value
    IMAGE_INSTALL_append = " optee-os optee-client optee-examples"
    OPTEEMACHINE = "imx-mx6ullevk"
    OPTEEOUTPUTMACHINE = "imx"
    OPTEE_ARCH = "arm32"

  6. Configure uboot to allow booting optee

    CONFIG_TEE=y
    CONFIG_OPTEE=y
    CONFIG_BOOTM_OPTEE=y
    CONFIG_OPTEE_LOAD_ADDR=0x9e000000
    CONFIG_OPTEE_TZDRAM_SIZE=0x1f00000
    CONFIG_OPTEE_TZDRAM_BASE=0x9e000000

  7. Build images

    . export

    bitbake core-image-minimal


When building a uTee image after this step, it is possible to boot optee from the uTee image.


  8. Make fitImage

fitimage source:

/dts-v1/;

/ {
        description = "U-Boot fitImage ";
        #address-cells = <1>;

        images {
                kernel@1 {
                        description = "Linux kernel";
                        data = /incbin/("linux.bin");
                        type = "kernel";
                        arch = "arm";
                        os = "linux";
                        compression = "none";
                        load = <0x80800000>;
                        entry = <0x80800000>;
                        hash@1 {
                                algo = "sha256";
                        };
                };
                optee@1 {
                        description = "XXXX OP-TEE";
                        data = /incbin/("optee/tee.bin");
                        type = "kernel";
                        arch = "arm";
                        os = "tee";
                        compression = "none";
                        load = <0x9DFFFFE4>;
                        entry = <0x9E000000>;
                        hash@1 {
                                algo = "sha256";
                        };
                };
                fdt@1 {
                        description = "Flattened Device Tree blob";
                        data = /incbin/("imx6ull-colibri-wifi-eval-v3.dtb");
                        type = "flat_dt";
                        arch = "arm";
                        compression = "none";

                        hash@1 {
                                algo = "sha256";
                        };
                };
        };

        configurations {
                default = "conf@1";
                conf@1 {
                        description = "1 Linux kernel, FDT blob";
                        kernel = "optee@1";
                        loadables = "kernel@1";
                        fdt = "fdt@1";

                        hash@1 {
                                algo = "sha256";
                        };
                };
        };
};

Make image: …/…/…/tmp/sysroots-components/x86_64/u-boot-tools-native/usr/bin/mkimage -f fitimageutee.its fitImage

  9. Load fitImage to board and boot it

    tftp fitImage
    bootm ${loadaddr}


When trying to boot the fitimage, it stops with the following output:

    Loading kernel from FIT Image at 82000000 ...
    Using 'conf@1' configuration
    Trying 'optee@1' kernel subimage
    Description: XXXX OP-TEE
    Type: Kernel Image
    Compression: uncompressed
    Data Start: 0x8253d854
    Data Size: 341180 Bytes = 333.2 KiB
    Architecture: ARM
    OS: Trusted Execution Environment
    Load Address: 0x9dffffe4
    Entry Point: 0x9e000000
    Hash algo: sha256
    Hash value: 2903fc3b758e66b7fd464187fd9c6f4af38b32b5ef9ba5aec77a7ef99f38cddc
    Verifying Hash Integrity ... sha256+ OK
    No Trusted Execution Environment ARM Kernel Image Image
    ERROR: can't get kernel image!


We would be very happy if there is someone having experience with using OPTEE in that context or in general can shed some light on what may cause such an error to occur.

Best regards!

Hi @corinna ,

I’m analyzing your problem and I’ll come back with feedback as soon as possible.

In the meantime:

  • If you are working on development and want to use our latest changes, I suggest you to use our BSP 5, not the BSP 4, as I observed in our repo setup with the LinuxImage4.0. The BSP 4.0 is deferred and we don’t offer support for it.
  • If you are working on development and want to use our LTS BSP, I suggest you to use our BSP 3.

You can check which repo to use here:

Best regards,
André Curvello

Hi @corinna ,

Officially we don’t support OP-TEE in our BSP, however just a couple of suggestions that could make life easier in getting it running on our module:

  1. By default the addresses that are used will work only on Colibri iMX6ULL 512MB version (and won’t on 256MB)

  2. The best way to debug stuff here is to build U-Boot image and FIT image with OP-TEE and kernel manually, just to be sure that everything is in place and corresponds to correct config values (I personally follow this approach before getting hands dirty with OE/Yocto layers).
    For U-Boot and Linux you can find instructions here, for building FIT image just use help for mkimage.

  3. If you still want to continue playing with OE layers, I would suggest to use https://github.com/Freescale/meta-freescale/tree/master/recipes-security/optee-imx instead of the one that Linaro provides. The one from NXP uses their own fork with fixes, which could have not been upstreamed yet.

  4. Basically, the steps to get it working should be the same across all imx6ull boards (even from other board manufacturers; the only place you can mess up - providing wrong DRAM size). You can post the same question on OP-TEE github and probably you’ll get the issue addressed (and don’t forget to tag https://github.com/MrVan, he is the right guy for this type of question)

  5. If you finally get OP-TEE booting, just don’t forget about additional adjustments in kernel (memreserve for OP-TEE shared memory + op-tee node for the driver in device tree; TEE/OP-TEE also should be enabled in defconfig)

Hope it helps!
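
An added example, not part of any post in this thread: a host-side check of the values that points 1 and 2 above say to verify by hand, namely that the FIT `load`/`entry` pair, the header inside tee.bin and the U-Boot TZDRAM settings agree and fit in the module's DRAM. The 28-byte OP-TEE v1 header layout, the DRAM base 0x80000000 and the function names are assumptions; the sample image is constructed, not a real tee.bin.

```python
import struct

OPTEE_MAGIC = 0x4554504F           # "OPTE" read as a little-endian word
HDR = struct.Struct("<IBBHIIIII")  # assumed OP-TEE v1 header layout, 28 bytes
DRAM_BASE = 0x80000000             # assumed start of DDR on i.MX6ULL

def check_optee_fit(image, fit_load, fit_entry, tzdram_base, tzdram_size, dram_size):
    """Return a list of problems; an empty list means the values are consistent."""
    if len(image) < HDR.size:
        return ["image shorter than the 28-byte OP-TEE header"]
    (magic, version, _arch, _flags, init_size,
     load_hi, load_lo, _init_mem, paged_size) = HDR.unpack_from(image)
    if magic != OPTEE_MAGIC or version != 1:
        return ["not an OP-TEE v1 image (bad magic or version)"]
    problems = []
    if len(image) != HDR.size + init_size + paged_size:
        problems.append("file size does not match header + init_size + paged_size")
    if load_hi != 0 or not tzdram_base <= load_lo < tzdram_base + tzdram_size:
        problems.append("init_load_addr 0x%x lies outside TZDRAM" % load_lo)
    # The header sits in front of the code, so the FIT load address is 0x1c lower.
    if fit_load + HDR.size != load_lo:
        problems.append("FIT load should be 0x%x" % (load_lo - HDR.size))
    if fit_entry != load_lo:
        problems.append("FIT entry should be 0x%x" % load_lo)
    if tzdram_base + tzdram_size > DRAM_BASE + dram_size:
        problems.append("TZDRAM ends beyond %d MiB of DRAM" % (dram_size >> 20))
    return problems

def make_sample_image(load_addr, init_size=64):
    """Constructed sample: a v1 header followed by zero padding."""
    hdr = HDR.pack(OPTEE_MAGIC, 1, 0, 0, init_size, 0, load_addr, init_size, 0)
    return hdr + bytes(init_size)

if __name__ == "__main__":
    img = make_sample_image(0x9E000000)
    # Values from the .its and the U-Boot config posted above,
    # checked against the 512 MB and 256 MB module variants.
    for dram in (512 << 20, 256 << 20):
        result = check_optee_fit(img, 0x9DFFFFE4, 0x9E000000,
                                 0x9E000000, 0x1F00000, dram)
        print(dram >> 20, "MiB:", result or "ok")
```

To check a real build, read `optee/tee.bin` in binary mode and pass its bytes as `image`.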

Hi @igor.tx ,

Thanks a lot for your suggestions. I will post here when I managed to find a solution.

Best regards!

For people having the same/similar problem: I actually managed to get it booting when I set 'os = "linux"' instead of 'os = "tee"' in optee@1.

Nice!

Thanks for the feedback.

Glad to know that it’s working.