Hi tee-dev experts,
I am trying to port OP-TEE to our custom ARM platform. I have gone through some documents, but I didn't get a clear picture on this. I have some concerns, listed below, to clarify:
1. Is ARM Trusted Firmware really required in the OP-TEE bring-up?
2. Can we boot OP-TEE directly from U-Boot without ARM Trusted Firmware?
3. Is there any good documentation for porting OP-TEE to a custom ARM SoC?
4. Are there any specific hardware requirements to run OP-TEE?
5. Can you please share the boot flow of OP-TEE, if anybody has it?
I appreciate your comments.
Thanks in advance.
One source of public documentation is: https://github.com/OP-TEE/optee_os/tree/master/documentation
This is the high-level OP-TEE design: https://github.com/OP-TEE/optee_os/blob/master/documentation/optee_design.md. It has a high-level boot flow.
Filtered Google results regarding porting:
LCU14-302: OP-TEE Porting and Future Enhancements: https://www.youtube.com/watch?v=QgaGJow7hws
HKG15-311: OP-TEE for Beginners and Porting Review: http://www.slideshare.net/linaroorg/hkg15311-optee-for-beginners-and-porting-review
Hi Siva,
On 6 October 2016 at 15:03, Siva Krishna Reddy Yaramala SivaKrishnaReddy.Yaramala@inedasystems.com wrote:
> Is arm-trusted firmware really required in the optee bringup?

ARM Trusted Firmware is a standard component on the ARMv8 architecture. It is unavailable on ARMv7. On ARMv7 OP-TEE works as a standalone secure monitor (without ARM TF). Technically you can throw away ARM TF on ARMv8 and use OP-TEE in standalone mode. You will need some changes in OP-TEE in this case. AFAIK no one has done this before.

> Can we boot optee directly from u-boot without arm-trusted firmware?

Usually OP-TEE boots before U-Boot. But it is platform dependent. If U-Boot on your platform boots in EL3 (secure monitor) mode, then, yes, you can boot OP-TEE from U-Boot. But usually U-Boot operates in EL1 (supervisor) mode, so it is too late to boot up OP-TEE. Also, in case of booting OP-TEE from U-Boot, you need to develop a way to return to U-Boot to boot the Linux kernel.

> Is there any specific hardware requirements to run optee?

The processor core needs to support the ARM Security Extensions. This is the only hardware requirement.
Thanks for your reply, Vlad.
Our processor is an ARM Cortex-A5. It supports the ARMv7-A instruction set. According to you, we don't need to bother about Trusted Firmware.
And we are not using the standard ARM GIC interrupt controller; we are using a custom interrupt controller.
How much porting effort will there be, as we are not using the GIC?
Can you please suggest any reference for the Cortex-A5 (ARMv7-A) for understanding?
Thanks.
Siva,
The GIC is not needed at all for basic OP-TEE porting. Later, when you start writing drivers for secure HW, you may need to work with the GIC. All you need is a serial console driver, and you need it only for debugging purposes. So if you can debug OP-TEE in another way, you don't even need the serial console.
You can start from the ARM Technical Reference Manual, which is available here: http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0406c/index.h... You will need to register at ARM.com, but this is free. Refer to the sections describing the Security Extensions. You need to familiarize yourself with execution modes in general and Secure Monitor Mode in particular.
By the way, are you sure that your chip supports these extensions?
But this documentation is about the ARMv7 architecture itself. The way OP-TEE (or any other TEE) is loaded into memory and then executed is heavily dependent on vendor-specific ROM code. So you will need to contact the vendor of your chip for the details. Or at least check a TRM (datasheet) for your chip regarding the boot sequence. There should be a way to execute your code in Secure Monitor Mode.
And one more thing. Most mailing lists allow only plain text e-mails (as opposed to Rich Text or HTML e-mails). I suppose that tee-dev is one such list. So it would be great if you configured your e-mail client to write e-mails in plain text format.
Hi,
We are using our own SoC (which is provided by our company only). It also supports the Security Extensions. But vault IP support is not there.
Thanks
Hi,
I created a separate platform folder, taking the plat-imx platform as a reference. I made changes for the serial console for debugging and to the TZDRAM_BASE address in platform_config.h (tee load address). After these changes, I was able to build the tee.bin image (with serial console only) and loaded it (only tee.bin, independently) on our board. I was able to see some prints on the terminal; after this, it hangs in between. I tried to debug it, but the hang position is not consistent.
Can I load tee.bin independently (without boot loaders and Normal world OS)?
Please comment on this.
Thanks & Regards,
Hi Siva,
Could you please at least share your console output? Also, please make sure that you correctly implemented the flush() function for your console driver. This can be crucial in some circumstances. You can load tee.bin as you wish. Just make sure that it is located at CFG_TEE_LOAD_ADDR. Then you need to run it with the NS bit set to 0 and in Secure Monitor Mode.
-- WBR Volodymyr Babchuk aka lorc [+380976646013] mailto: vlad.babchuk@gmail.com
Hi Vlad,
Thanks for your reply. I am sharing the log file as an attachment for your reference. tee.bin is located at CFG_TEE_LOAD_ADDR only (TZDRAM_BASE is pointing to CFG_TEE_LOAD_ADDR).
Thanks & Regards,
Siva.
Hi Siva,
Looks like OP-TEE hangs somewhere in "generic_entry_a32.S". Check out lines 327-331. You can add more trace logs in C functions to locate the exact place where it hangs. Also, you can put simple traces in .S files this way:
    mov r0, #0x31       /* 0x31 is ASCII '1' */
    bl console_putc     /* call the console driver; bl also overwrites lr */
This will print '1' to the console.
In this way you can trace assembler code. Just try to carefully select places for these traces. You don't want to destroy meaningful contents of r0.
-- WBR Volodymyr Babchuk aka lorc [+380976646013] mailto: vlad.babchuk@gmail.com
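An added example, not part of the thread and not OP-TEE code, tying together the flush() advice and the console_putc trace markers from the replies above: bytes still waiting in a UART TX FIFO are lost if the UART or SoC is reset, so without a correct flush the last marker seen depends on timing rather than on where execution stopped. The UART model, its status bits, the timings and every sim_* name are hypothetical, and the reset after marker '6' is a constructed failure.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed UART model: all sizes and timings are illustrative. */
#define FIFO_DEPTH       16   /* TX FIFO entries */
#define CYCLES_PER_BYTE   8   /* CPU cycles needed to shift one byte out */
#define ST_TX_FULL      0x1   /* status bit: FIFO cannot take another byte */
#define ST_TX_EMPTY     0x2   /* status bit: FIFO has fully drained */

enum flush_mode { FLUSH_NONE, FLUSH_WRONG_BIT, FLUSH_UNTIL_EMPTY };

struct sim_uart {
    char fifo[FIFO_DEPTH];
    size_t head, count;       /* ring buffer state */
    char wire[64];            /* bytes that actually reached the terminal */
    size_t wire_len;
    unsigned long clk;
};

/* One CPU cycle passes; every CYCLES_PER_BYTE cycles one byte leaves the FIFO. */
static void sim_clock(struct sim_uart *u)
{
    u->clk++;
    if (u->clk % CYCLES_PER_BYTE == 0 && u->count > 0) {
        if (u->wire_len < sizeof(u->wire))
            u->wire[u->wire_len++] = u->fifo[u->head];
        u->head = (u->head + 1) % FIFO_DEPTH;
        u->count--;
    }
}

static unsigned sim_status(const struct sim_uart *u)
{
    unsigned st = 0;

    if (u->count == FIFO_DEPTH)
        st |= ST_TX_FULL;
    if (u->count == 0)
        st |= ST_TX_EMPTY;
    return st;
}

/* putc only waits for room in the FIFO, so it returns before the byte is visible. */
static void sim_putc(struct sim_uart *u, int ch)
{
    while (sim_status(u) & ST_TX_FULL)
        sim_clock(u);
    u->fifo[(u->head + u->count) % FIFO_DEPTH] = (char)ch;
    u->count++;
    sim_clock(u);
}

static void sim_flush(struct sim_uart *u, enum flush_mode mode)
{
    if (mode == FLUSH_WRONG_BIT) {
        /* Bug: polls "not full" instead of "empty", so it returns at once. */
        while (sim_status(u) & ST_TX_FULL)
            sim_clock(u);
    } else if (mode == FLUSH_UNTIL_EMPTY) {
        /* Correct: wait until every queued byte has left the FIFO. */
        while (!(sim_status(u) & ST_TX_EMPTY))
            sim_clock(u);
    }
}

/*
 * Emit trace markers '1'..'6' with work_cycles of other code between them,
 * then discard the FIFO (constructed failure: reset or UART re-init after '6').
 * Returns the last marker visible on the terminal, or 0 if none arrived.
 */
char last_marker_seen(unsigned work_cycles, enum flush_mode mode)
{
    struct sim_uart u = {0};

    for (int m = '1'; m <= '6'; m++) {
        sim_putc(&u, m);
        sim_flush(&u, mode);
        for (unsigned i = 0; i < work_cycles; i++)
            sim_clock(&u);
    }
    u.count = 0;              /* pending bytes never reach the wire */
    return u.wire_len ? u.wire[u.wire_len - 1] : 0;
}

int main(void)
{
    static const char *names[] = { "no flush", "wrong-bit flush", "flush until empty" };
    static const unsigned work[] = { 0, 3, 7 };

    for (int mode = FLUSH_NONE; mode <= FLUSH_UNTIL_EMPTY; mode++)
        for (size_t i = 0; i < sizeof(work) / sizeof(work[0]); i++) {
            char c = last_marker_seen(work[i], (enum flush_mode)mode);

            printf("%-17s work=%u: last marker seen = %c\n",
                   names[mode], work[i], c ? c : '-');
        }
    return 0;
}
```

In every run execution reaches marker '6'; only the flush-until-empty variant reports that regardless of how much code runs between markers.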