About TRUSTED_BOARD_BOOT and CryptoCell on Hikey

[spiderkiss]

Hi:

I am a researcher in computer security, so I quite concern about the security part of OP-TEE.

I am reading the codes of ARM_TRUSTED_FIRMWARE and try to open the flag of "TRUSTED_BOARD_BOOT" to enable the verification during the ARM trusted boot process on Hikey620 with (a little) obsolete codes.

However, after adding configurations in ARM-TF as follow:

GENERATE_COT := 1
CREATE_KEYS := 1
TRUSTED_BOARD_BOOT := 1
AUTH_MOD := polarssl
POLARSSL_DIR := /home/user/Downloads/polarssl-1.3.9

I didn't modify other parts of OP-TEE. And I successfully "make" the whole OP-TEE project with no errors. However, when I try to make flash the whole OP-TEE into Hikey, I get the following information:

root@ubuntu:/media/user/apps/devel/hikey_optee# make flash
LLOADER
+----------------------+
Serial: /dev/serial/by-id/usb-???_?????-if00-port0
Image1: l-loader/l-loader.bin
Image2:
+----------------------+

Sending l-loader/l-loader.bin ...
Done

FLASH ptable
< waiting for device >
target reported max download size of 268435456 bytes
sending 'ptable' (17 KB)...
OKAY [ 0.007s]
writing 'ptable'...
OKAY [ 0.004s]
finished. total time: 0.011s
FLASH fastboot
target reported max download size of 268435456 bytes
sending 'fastboot' (1397 KB)...
...

It's jammed when 'fastboot' is being sent to Hikey. Although I tried many times, I got the same output every time. Maybe the latest codes won't have this problem, I guess.

P.S. Since CryptoCell can offer hardware security guarantee for ARM development, my question is that d
does Hikey (620 & 960) support CryptoCell? If supports, does OP-TEE on Hikey support CryptoCell.

Thanks in advance

Shiwei

[pokitoz]

Hello,

I am not sure about your first question. By "jammed" you mean that the fastboot image is never written to the end?

About cryptocell, you can have a look at https://discuss.96boards.org/t/cryptocell-on-hikey960/4003 and https://discuss.96boards.org/t/crypto-engine-in-hikey-96-boards/1126/5 .
Unfortunately, even if the two boards have cryptocell, it seems that there is no support yet.. It is mostly because the specification is not open for public.

[spiderkiss]

Hi pokitoz:

About the first question, the fastboot stops there without any output, I don't know whether it's writing or not. Maybe the codes for Hikey620 is obsolete, and I should use the most recent codes.

About the cryptocell, thanks for the information. Hope the specification will be public soon.

[gitfineon]

Hi @spiderkiss ,
which Hikey Board are you using, the older 620 or the recent 690? Can you add version or commit IDs for ARM-TF, OP-TEE and the tools you use to build an flash? Had a similar issue in the past, caused by image alignment.

[spiderkiss]

We are using Hikey 620, with ARM-TF 1.1, OP-TEE 1.0.0, and adb 1.0.31 (with fastboot). Is this the similar to your platform configuration.

[jbech-linaro]

I've seen this problems many times too and I know about two possible reasons for this. One is that fip.bin has to be aligned on 512 byte boundary (@igoropaniuk found this out a while ago). In the upstream TF, there is a fix. Other issues I've seen related to this has been due to the local l-loader sgdisk vs the sgdisk on your Linux system. See more about that here.

[gitfineon]

Read this: ARM-software/arm-trusted-firmware#1166 (comment)

I used this workaround from @raw-bin to manually add padding.
ARM-software/tf-issues#528

Tell me if that solves your problem.

[github-actions]

This issue has been marked as a stale issue because it has been open (more than) 30 days with no activity. Remove the stale label or add a comment saying that you would like to have the label removed otherwise this issue will automatically be closed in 5 days. Note, that you can always re-open a closed issue at any time.