Re: Failure loading optee-os on IMX93 custom board #7168

Open
Oquirella opened this issue Dec 6, 2024 · 10 comments

@Oquirella

I am using u-boot-imx 2024.04.
I am using optee-os-imx 4.4.0

This is the output that I get from optee-os and dmesg:

tee_ta_init_pseudo_ta_session:303 Lookup pseudo TA 560c5231-71bc-476d-8c2e-4ba107991e72
D/TC:? 0 ldelf_load_ldelf:110 ldelf load address 0x40007000
D/LD: ldelf:142 Loading TS 560c5231-71bc-476d-8c2e-4ba107991e72
F/TC:? 0 trace_syscall:147 syscall #3 (syscall_get_property)
F/TC:? 0 trace_syscall:147 syscall #5 (syscall_open_ta_session)
D/TC:? 0 ldelf_syscall_open_bin:163 Lookup user TA ELF 560c5231-71bc-476d-8c2e-4ba107991e72 (early TA)
D/TC:? 0 ldelf_syscall_open_bin:167 res=0xffff0008
D/TC:? 0 ldelf_syscall_open_bin:163 Lookup user TA ELF 560c5231-71bc-476d-8c2e-4ba107991e72 (Secure Storage TA)
F/TC:? 0 plat_prng_add_jitter_entropy:68 0xC9
F/TC:? 0 plat_prng_add_jitter_entropy:68 0x70
F/TC:? 0 plat_prng_add_jitter_entropy:68 0xD2
D/TC:? 0 ldelf_syscall_open_bin:167 res=0xffff0008
D/TC:? 0 ldelf_syscall_open_bin:163 Lookup user TA ELF 560c5231-71bc-476d-8c2e-4ba107991e72 (REE)
D/TC:? 0 ldelf_syscall_open_bin:167 res=0xffff0008
E/LD: init_elf:493 sys_open_ta_bin(560c5231-71bc-476d-8c2e-4ba107991e72)
E/TC:? 0 ldelf_init_with_ldelf:152 ldelf failed with res: 0xffff0008
D/TC:? 0 tee_ta_open_session:696 init session failed 0xffff0008
[ 39.166586] tee_client_open_session failed, err: ffff0008
[ 39.172875] TEE-Crypto: Init failed[0xffffffea].

@jforissier
Contributor

Hi @Oquirella, 0xffff0008 is TEE_ERROR_ITEM_NOT_FOUND. The logs show that your TA isn't found by OP-TEE. You need to make sure that 560c5231-71bc-476d-8c2e-4ba107991e72.ta is at the proper place in the Linux filesystem.

For that you may need to check how tee-supplicant is invoked. The TA path may be specified on the command line and the default path may also be given at build time, so it is impossible to say what directory it should be without looking.
On my test system (QEMUv8):

# ps -a | grep tee-supplicant | grep -v grep
   97 tee      /usr/sbin/tee-supplicant -d /dev/teepriv0
# tee-supplicant -h
Usage: tee-supplicant [options] [<device-name>]
        -h, --help: this help
        -d, --daemonize: run as a daemon (fork and return after child has opened the TEE device or on error)
        -f, --fs-parent-path: secure fs parent path [var/lib/tee]
        -l, --ta-path: TA load path
        -t, --ta-dir: TAs dirname under /lib [optee_armtz] (deprecated, cannot be used with --ta-path)
        -p, --plugin-path: plugin load path [/usr/lib/tee-supplicant/plugins/]
        -r, --rpmb-cid: RPMB device identification register (CID) in hexadecimal

I see no -l/--ta-path option so it is the default that is used, which as shown by the -t/--ta-dir help is /lib/optee_armtz.

@Oquirella
Author

Oquirella commented Dec 6, 2024

560c5231-71bc-476d-8c2e-4ba107991e72 is referenced in:
nxp-imx/imx-optee-os@c8ad76d#diff-9ddedc2619422fc61be6f4ac13f77e4f2c61835d32c296c009cf7a6741fa88e5R10

But no 560c5231-71bc-476d-8c2e-4ba107991e72.ta file is created...

@jforissier
Contributor

> 560c5231-71bc-476d-8c2e-4ba107991e72 is referenced in: nxp-imx/imx-optee-os@c8ad76d#diff-9ddedc2619422fc61be6f4ac13f77e4f2c61835d32c296c009cf7a6741fa88e5R10
>
> But no 560c5231-71bc-476d-8c2e-4ba107991e72.ta file is created...

Oh I see, it is a pseudo-TA, not a user space TA. I can see in core/pta/imx/sub.mk that CFG_IMX_TRUSTED_ARM_CE needs to be enabled for this PTA to be built. Have you set CFG_IMX_TRUSTED_ARM_CE=y when building OP-TEE?

Please note that this PTA is not (yet) part of the official ("upstream") OP-TEE repository (here), so any issues should preferably be discussed in the downstream project https://github.com/nxp-imx/imx-optee-os. Thanks!

@Oquirella
Author

I am sorry that I put my issue here. But the imx-optee-os repo doesn't have support for issues. I verified that CFG_IMX_TRUSTED_ARM_CE is enabled. But why does optee-os try to open a binary if it is not one:

E/LD: init_elf:493 sys_open_ta_bin(560c5231-71bc-476d-8c2e-4ba107991e72)
E/TC:? 0 ldelf_init_with_ldelf:152 ldelf failed with res: 0xffff0008

@jforissier
Contributor

jforissier commented Dec 6, 2024

When a UUID is not found as a PTA, then it is looked up as a TA in various places: early TA, secure storage, Linux FS (REE FS). The following patch will help to see what PTAs are included in your OP-TEE OS binary:

diff --git a/core/kernel/pseudo_ta.c b/core/kernel/pseudo_ta.c
index 587faa41a..939e671e1 100644
--- a/core/kernel/pseudo_ta.c
+++ b/core/kernel/pseudo_ta.c
@@ -307,6 +307,7 @@ TEE_Result tee_ta_init_pseudo_ta_session(const TEE_UUID *uuid,
                if (ta >= SCATTERED_ARRAY_END(pseudo_tas,
                                              struct pseudo_ta_head))
                        return TEE_ERROR_ITEM_NOT_FOUND;
+               DMSG("... %pUl", (void *)&ta->uuid)
                if (memcmp(&ta->uuid, uuid, sizeof(TEE_UUID)) == 0)
                        break;
                ta++;
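
Review bot: the added `DMSG("... %pUl", (void *)&ta->uuid)` line has no terminating semicolon, so the `if (memcmp(...))` that follows is parsed as a continuation of it and the file will not build; end the line with `;`. Because the print sits inside the lookup loop ahead of the `memcmp`, it logs every registered PTA UUID up to and including the match on each session open, so it is best kept as a local debug change.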
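
The lookup order described above (pseudo TA first, then early TA, secure storage, REE FS) can be read back out of a debug log mechanically. The following is an added example, not code from OP-TEE or from anyone in this thread; `trace_lookups` and `missing_everywhere` are hypothetical helper names, and the sample lines are taken from the log posted at the top of this issue.

```python
import re

# Sample input: lines from the log posted in this issue (entropy noise kept on purpose).
SAMPLE_LOG = """\
tee_ta_init_pseudo_ta_session:303 Lookup pseudo TA 560c5231-71bc-476d-8c2e-4ba107991e72
D/TC:? 0 ldelf_syscall_open_bin:163 Lookup user TA ELF 560c5231-71bc-476d-8c2e-4ba107991e72 (early TA)
D/TC:? 0 ldelf_syscall_open_bin:167 res=0xffff0008
D/TC:? 0 ldelf_syscall_open_bin:163 Lookup user TA ELF 560c5231-71bc-476d-8c2e-4ba107991e72 (Secure Storage TA)
F/TC:? 0 plat_prng_add_jitter_entropy:68 0xC9
D/TC:? 0 ldelf_syscall_open_bin:167 res=0xffff0008
D/TC:? 0 ldelf_syscall_open_bin:163 Lookup user TA ELF 560c5231-71bc-476d-8c2e-4ba107991e72 (REE)
D/TC:? 0 ldelf_syscall_open_bin:167 res=0xffff0008
"""

TEE_RESULTS = {0x0: "TEE_SUCCESS", 0xFFFF0008: "TEE_ERROR_ITEM_NOT_FOUND"}
UUID = r"(?P<uuid>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})"
PTA_RE = re.compile(r"Lookup pseudo TA " + UUID)
TA_RE = re.compile(r"Lookup user TA ELF " + UUID + r" \((?P<store>[^)]+)\)")
RES_RE = re.compile(r"ldelf_syscall_open_bin:\d+ res=(0x[0-9a-fA-F]+)")
FELL_THROUGH = "not registered (fell through)"

def decode(code):
    """Map a TEE_Result value to its name, or return it as hex if unknown here."""
    return TEE_RESULTS.get(code, hex(code))

def trace_lookups(log):
    """Return {uuid: {store: result}} in the order the stores were tried."""
    attempts, pending = {}, None
    for line in log.splitlines():
        if m := PTA_RE.search(line):
            attempts.setdefault(m["uuid"], {})["pseudo TA"] = "no fallback logged"
        elif m := TA_RE.search(line):
            stores = attempts.setdefault(m["uuid"], {})
            if "pseudo TA" in stores:  # a user TA lookup implies the PTA scan missed
                stores["pseudo TA"] = FELL_THROUGH
            pending = (m["uuid"], m["store"])
            stores[m["store"]] = "no result logged"
        elif (m := RES_RE.search(line)) and pending:
            attempts[pending[0]][pending[1]] = decode(int(m[1], 16))
            pending = None  # unrelated lines between lookup and res= are skipped
    return attempts

def missing_everywhere(stores):
    """True when the PTA scan fell through and every TA store returned not-found."""
    ta = [r for s, r in stores.items() if s != "pseudo TA"]
    return (stores.get("pseudo TA") == FELL_THROUGH and bool(ta)
            and all(r == "TEE_ERROR_ITEM_NOT_FOUND" for r in ta))

if __name__ == "__main__":
    for uuid, stores in trace_lookups(SAMPLE_LOG).items():
        print(uuid, stores, "missing everywhere:", missing_everywhere(stores))
```

For a UUID that is supposed to be a pseudo TA, a `missing_everywhere` result of true points at the OP-TEE image (the PTA was not compiled in) rather than at the TA directory used by tee-supplicant.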

@sahilnxp
Contributor

sahilnxp commented Dec 10, 2024

Hi @Oquirella,

Do you want to run DM-Crypt solution on i.MX93?
Are you talking about lf-6.6.52-2.2.0 branch of imx-optee-os? If yes, this branch is not yet released, it will be released by end of next week.

Btw you can reach out to https://community.nxp.com/ for any query regarding nxp releases.

Regards,
Sahil Malhotra

@Oquirella
Author

Oquirella commented Dec 13, 2024

Hi sahilnxp, yes indeed, I want to run the DM-crypt solution on i.MX93.
But I also get the same problem with the previous release (lf-6.6.36_2.1.0).
And I already posted something on the forum, but nobody resolved my problem.

@sahilnxp
Contributor

Hi @Oquirella

Sorry if you found that issue, we have updated the documentation regarding this in latest release.

Please refer to section "10.5.5 DM-Crypt usage on i.MX Platforms without CAAM hardware IP" in https://www.nxp.com/docs/en/user-guide/IMX_LINUX_USERS_GUIDE.pdf

Let me know if you still face any issue after following that.

@Oquirella
Author

Now it works, thanks. In my opinion this should be set as default for the imx9 instead of letting the developer add this manually...

@Oquirella
Author

Oquirella commented Jan 16, 2025

@sahilnxp Disabling CONFIG_SEC_ENCLAVE like stated in the document, disables CONFIG_SOC_IMX9 which causes a lot of problems. Something is not right. Even systemd doesn't start.
