TZASC misconfiguration on i.mx8m

Ye Li ye.li at oss.nxp.com
Tue Jun 9 03:44:40 CEST 2026



On 6/8/2026 11:07 AM, Richard Weinberger wrote:
> Ye Li <ye.li at oss.nxp.com> wrote on Mon, 8 June 2026, 03:43:
> 
>     Hi Richard,
> 
>     On 6/5/2026 10:52 PM, Richard Weinberger wrote:
>      > CC'ing Ye Li.
>      >
>      > On Thursday, 4 June 2026 19:24 Richard Weinberger wrote:
>      >> Hello!
>      >>
>      >> FYI, in arch/arm/mach-imx/imx8m/soc.c enable_tzc380() U-Boot configures
>      >> region0 to allow secure and non-secure world access.
>      >> This is known to be problematic and allows circumventing the TrustZone due to
>      >> memory aliasing[0][1].
>      >>
>      >> It also causes recent OP-TEE to panic at startup:
>      >> E/TC:0 0 Panic 'region0 is not secure configured, non-secure memory alias access possible!' at core/arch/arm/plat-imx/tzc380.c:217 <imx_configure_tzasc>
>      >>
>      >> This is not a theoretical issue.
>      >> On my i.mx8mm evk Board I was able to exploit this and dump all OP-TEE memory from Linux.
>      >
>      > I suggest reverting commit b3cf0a8f03d162e030cde1131751d060853e16fc
>      > Author: Ye Li <ye.li at nxp.com>
>      > Date:   Tue Aug 27 06:25:34 2019 +0000
>      >
>      >      imx8m: Configure trustzone region 0 for non-secure access
>      >
>      >      Set trustzone region 0 to allow both non-secure and secure access
>      >      when trust zone is enabled. We found USB controller fails to access
>      >      DDR if the default region 0 is secure access only.
>      >
>      >      Signed-off-by: Ye Li <ye.li at nxp.com>
>      >      Signed-off-by: Peng Fan <peng.fan at nxp.com>
>      >
>      > Thanks,
>      > //richard
>     We have discussed this with the iMX OP-TEE owner. The fix should be done in
>     OP-TEE, not U-Boot.
>     1. OP-TEE uses secure memory, so it needs to reconfigure TrustZone to
>     meet the secure requirement, not depending on the SPL setting.
>     2. SPL also supports the non-OP-TEE case.
> 
>     Best regards,
>     Ye Li
> 
> 
> Can you please point to this discussion?

It is our internal discussion, not on a community thread. I am adding Sahil to
comment for OP-TEE. And please note, TrustZone should be enabled before
DDR initialization. So it should be in SPL, not OP-TEE. OP-TEE can
reconfigure the TrustZone setting.

Best regards,
Ye Li
> 
> Thanks,
> //richard
> 
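
As an added illustration of the region0 setting debated in this thread (not code from U-Boot, OP-TEE or either poster): a small audit over a snapshot of TZC-380 `region_attributes_<n>` values that reports which active regions grant non-secure access. The bit layout follows the Arm TZC-380 TRM; the function names and both snapshots are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* TZC-380 region_attributes_<n> layout per the Arm TZC-380 TRM:
 * bit 0 = en, bits [6:1] = size, bits [31:28] = sp (security permissions). */
#define TZC_ATTR_EN       (1u << 0)
#define TZC_ATTR_SP_SHIFT 28
#define TZC_SP_NS_W       (1u << 0)  /* non-secure write */
#define TZC_SP_NS_R       (1u << 1)  /* non-secure read  */

/* Constructed snapshots, not values read from a board or taken from the thread. */
static const uint32_t open_snapshot[] = {
    0xf0000000u,  /* region 0: secure and non-secure read/write */
    0xc0000031u,  /* region 1: enabled, 32 MiB, secure-only carve-out */
};
static const uint32_t strict_snapshot[] = {
    0xc0000000u,  /* region 0: secure read/write only */
    0xf000003bu,  /* region 1: enabled, 1 GiB, opened to the normal world */
    0xc0000031u,  /* region 2: enabled, 32 MiB, secure-only carve-out */
    0xf000003au,  /* region 3: NS bits set but en = 0, so not in effect */
};

static bool grants_ns(uint32_t attr)
{
    return ((attr >> TZC_ATTR_SP_SHIFT) & (TZC_SP_NS_R | TZC_SP_NS_W)) != 0;
}

/* Region 0 is the always-active background region covering the whole
 * address space, so any address no other region matches inherits its sp. */
bool tzc380_region0_secure_only(const uint32_t *attrs)
{
    return !grants_ns(attrs[0]);
}

/* Bitmask of regions that are in effect and grant non-secure access. */
uint32_t tzc380_ns_open_regions(const uint32_t *attrs, unsigned n)
{
    uint32_t mask = 0;
    for (unsigned i = 0; i < n && i < 32; i++)
        if ((i == 0 || (attrs[i] & TZC_ATTR_EN)) && grants_ns(attrs[i]))
            mask |= 1u << i;
    return mask;
}

int main(void)
{
    printf("open:   region0 secure-only=%d ns-mask=0x%x\n",
           tzc380_region0_secure_only(open_snapshot),
           (unsigned)tzc380_ns_open_regions(open_snapshot, 2));
    printf("strict: region0 secure-only=%d ns-mask=0x%x\n",
           tzc380_region0_secure_only(strict_snapshot),
           (unsigned)tzc380_ns_open_regions(strict_snapshot, 4));
    return 0;
}
```

In the first snapshot the secure-only carve-out in region 1 does not help for any address that falls through to region 0; in the second, non-secure access exists only where an explicit region grants it.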


