* Anyone have experience with adding op-tee to fsl-community-bsp for imx8mm?
@ 2021-07-13 14:21 Brian Hutchinson
  2021-07-26 22:27 ` [meta-freescale] " Ricardo Salveti
  0 siblings, 1 reply; 2+ messages in thread
From: Brian Hutchinson @ 2021-07-13 14:21 UTC (permalink / raw)
  To: meta-freescale


It's been over a year now since I ran NXP's yocto release on imx8mm-evk but
I believe that op-tee was included.  I now find myself needing to use our
eMMC RPMB for key storage since our TPM modules have supply chain issues :(.

So I understand op-tee works with RPMB, so it looks like I probably need to
move in that direction, and I would like to know if anyone has done one of these
setups before: adding op-tee to fsl-community-bsp configured for RPMB.

What I'm really wanting to do is have an application filesystem that's
encrypted and get key to mount/decrypt from RPMB.

I've not done any of this before, so I'm reading and watching videos, trying to
weed out the noise from what's important, which is fun when you don't know what
you don't know.

Regards,

Brian



* Re: [meta-freescale] Anyone have experience with adding op-tee to fsl-community-bsp for imx8mm?
  2021-07-13 14:21 Anyone have experience with adding op-tee to fsl-community-bsp for imx8mm? Brian Hutchinson
@ 2021-07-26 22:27 ` Ricardo Salveti
  0 siblings, 0 replies; 2+ messages in thread
From: Ricardo Salveti @ 2021-07-26 22:27 UTC (permalink / raw)
  To: Brian Hutchinson; +Cc: meta-freescale

Hi Brian,

On Tue, Jul 13, 2021 at 11:21 AM Brian Hutchinson <b.hutchman@gmail.com> wrote:
>
> It's been over a year now since I ran NXP's yocto release on imx8mm-evk but I believe that op-tee was included.  I now find myself needing to use our eMMC RPMB for key storage since our TPM modules have supply chain issues :(.
>
> So I understand op-tee works with RPMB so looks like I probably need to move that direction and would like to know if anyone has done one of these setups before adding op-tee to fsl-community-bsp configured for RPMB.
>
> What I'm really wanting to do is have an application filesystem that's encrypted and get key to mount/decrypt from RPMB.

Latest OP-TEE from NXP supports generating a HUK for closed devices, so
that should be all you need. You might need to configure OP-TEE to
enable RPMB, but that should be all you need to be able to access it.

The main problem with RPMB is that you will have to generate and write
a key in order to protect the RPMB access, and for this you will have
to close your device (HUK is only available when the device is closed
and booted in secure mode), and compile and boot a specific OP-TEE
binary that has the capability of writing the RPMB key on first access
(CFG_RPMB_WRITE_KEY=y). The current OP-TEE implementation derives the
RPMB key out of HUK, which forces it to be specific to the device and
makes it available only when the device is in secure mode.

https://docs.foundries.io/latest/reference-manual/security/secure-boot-imx.html
might be useful for understanding how that access is made and how to
close/fuse your board.

Cheers,

--
Ricardo Salveti
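The three properties Ricardo's reply rests on (the RPMB key is derived from the HUK and so is device-specific, it can only be programmed once, and every RPMB access is authenticated with it, so an open device or a different HUK cannot read or overwrite what a closed device stored) are easy to see in a small model. The following is an added example written for this archive page; it is not OP-TEE, NXP or Foundries.io code. The HMAC-based derivation with a "RPMB" label over the eMMC CID, the "APPFS" label for the filesystem key, the 16-byte CID, the HUK values and the frame layout (256-byte payload plus counter, nonce and address fields) are all constructed or simplified assumptions; real RPMB frames follow the JEDEC eMMC layout and OP-TEE's actual derivation lives in its RPMB filesystem code.

```python
"""Toy model of HUK-derived RPMB key provisioning and authenticated access.

Added example, not OP-TEE/NXP code. Key derivation labels, CID, HUK values
and the frame layout are constructed assumptions for illustration only.
"""
import hashlib
import hmac
import os
import struct

BLOCK = 256  # RPMB carries a 256-byte data payload per frame


def derive_rpmb_key(huk: bytes, emmc_cid: bytes) -> bytes:
    # Device-bound key: HMAC-SHA256(HUK, label || CID). The label and the
    # exact construction are assumptions standing in for OP-TEE's subkey derivation.
    return hmac.new(huk, b"RPMB" + emmc_cid, hashlib.sha256).digest()


def derive_fs_key(huk: bytes) -> bytes:
    # Distinct label so the filesystem key can never equal the RPMB auth key.
    return hmac.new(huk, b"APPFS", hashlib.sha256).digest()


class RpmbPartition:
    """Toy eMMC RPMB: write-once key, monotonic write counter, HMAC on every access."""

    def __init__(self, cid: bytes):
        self.cid = cid
        self._key = None
        self.write_counter = 0
        self._blocks = {}

    def program_key(self, key: bytes) -> None:
        if self._key is not None:
            raise PermissionError("RPMB key is one-time programmable")
        if len(key) != 32:
            raise ValueError("RPMB key must be 32 bytes")
        self._key = bytes(key)

    def _mac(self, payload: bytes) -> bytes:
        if self._key is None:
            raise PermissionError("no RPMB key programmed")
        return hmac.new(self._key, payload, hashlib.sha256).digest()

    def authenticated_write(self, addr: int, data: bytes, counter: int, mac: bytes) -> bool:
        if counter != self.write_counter:  # stale counter: replayed frame rejected
            return False
        frame = data + struct.pack(">IH", counter, addr)
        if not hmac.compare_digest(mac, self._mac(frame)):
            return False  # MAC made with a different key: write rejected
        self._blocks[addr] = bytes(data)
        self.write_counter += 1
        return True

    def authenticated_read(self, addr: int, nonce: bytes):
        data = self._blocks.get(addr, bytes(BLOCK))
        return data, self._mac(data + nonce + struct.pack(">H", addr))


def rpmb_write(dev: RpmbPartition, key: bytes, addr: int, data: bytes) -> bool:
    data = data.ljust(BLOCK, b"\0")
    counter = dev.write_counter  # a real host first issues a read-counter request
    mac = hmac.new(key, data + struct.pack(">IH", counter, addr), hashlib.sha256).digest()
    return dev.authenticated_write(addr, data, counter, mac)


def rpmb_read(dev: RpmbPartition, key: bytes, addr: int) -> bytes:
    nonce = os.urandom(16)  # fresh nonce so an old read response cannot be replayed
    data, mac = dev.authenticated_read(addr, nonce)
    expected = hmac.new(key, data + nonce + struct.pack(">H", addr), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("RPMB read MAC mismatch: wrong key or tampered data")
    return data


def demo() -> dict:
    cid = bytes.fromhex("1501003845474d4d3031000000000000")  # constructed 16-byte CID
    huk_closed = hashlib.sha256(b"constructed HUK of a closed, secure-booted device").digest()
    dev = RpmbPartition(cid)

    # First boot with the CFG_RPMB_WRITE_KEY=y build: derive the key and burn it once.
    rpmb_key = derive_rpmb_key(huk_closed, cid)
    dev.program_key(rpmb_key)

    # Store the application-filesystem key in RPMB and read it back.
    fs_key = derive_fs_key(huk_closed)
    wrote = rpmb_write(dev, rpmb_key, 0, fs_key)
    read_back = rpmb_read(dev, rpmb_key, 0)[:32] == fs_key

    # Replay: re-submit a frame built for the old counter value.
    payload = fs_key.ljust(BLOCK, b"\0")
    old_mac = hmac.new(rpmb_key, payload + struct.pack(">IH", 0, 0), hashlib.sha256).digest()
    replayed = dev.authenticated_write(0, payload, 0, old_mac)

    # Open device / non-secure boot: the real HUK is unavailable, so the derived key is wrong.
    wrong_key = derive_rpmb_key(bytes(32), cid)
    wrong_write = rpmb_write(dev, wrong_key, 0, bytes(BLOCK))
    try:
        rpmb_read(dev, wrong_key, 0)
        wrong_read = True
    except ValueError:
        wrong_read = False
    try:
        dev.program_key(wrong_key)
        reprogrammed = True
    except PermissionError:
        reprogrammed = False

    return {"wrote": wrote, "read_back": read_back, "replayed": replayed,
            "wrong_write": wrong_write, "wrong_read": wrong_read, "reprogrammed": reprogrammed}


if __name__ == "__main__":
    print(demo())
```

The model shows why the provisioning step is a one-shot, closed-device operation: once `program_key` has run, the partition only answers to frames authenticated with the HUK-derived key, and a build that can still write the key is no longer needed (and should not be shipped). The write counter is what makes an intercepted write frame useless on a second submission.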

