TZASC misconfiguration on i.mx8m

Richard Weinberger richard at sigma-star.at
Tue Jun 9 08:53:25 CEST 2026 

Ye Li,

On Dienstag, 9. Juni 2026 03:44 Ye Li wrote:
> >     We have discussed this with iMX optee owner. The fix should be done in
> >     OPTEE not u-boot.
> >     1. OPTEE uses secure memory, so it needs to re-confiure trustzone to
> >     meet secure requirement not depending on SPL setting.
> >     2. SPL also supports Non-optee case.
> > 
> >     Best regards,
> >     Ye Li
> > 
> > 
> > Can you please point to this discussion?
> 
> It is our internal discussion not on community thread. I add Sahil to 
> comment for optee. And please notice, trustzone should be enabled before 
> DDR initialization. So it should be in SPL not optee. Optee can 
> reconfigure trustzone setting.

But U-Boot right now harms the TZASC settings.

This is exactly why upstream OP-TEE has the following guard:
commit 443c5817de47f1bd19091b419806898070382a67
Author: Marco Felsch <m.felsch at pengutronix.de>
Date:   Tue Jun 17 13:27:53 2025 +0200

    drivers: imx: tzc380: add support to verify region0
    
    There are platforms where memory aliasing can't be prevented, e.g. the
    i.MX8M. If the previous running firmware configured region0, which
    covers the whole AXI address space, to be accessible from secure and
    non-secure world the OP-TEE core memory would be accessible via memory
    aliasing.
    
    To prevent such attacks we need to ensure that region0 is accessible
    from the secure world only.
    
    Reviewed-by: Sahil Malhotra <sahil.malhotra at nxp.com>
    Signed-off-by: Marco Felsch <m.felsch at pengutronix.de>

Upstream A-TF also used to misconfigure region0, this got fixed by:
https://github.com/ARM-software/arm-trusted-firmware/commit/9bf148071aad597e7fe7d1080c00aeb35b67a3dd

So, why is U-Boot working *against* upstream?
Instead of using the sledgehammer and enable normal world access to the whole
region0, apply a more precise fix to make these USB masters work.
I know, with downstream IMX OP-TEE it's less of a problem, because you carry this change:

commit c09d6e9da171f8c5ee42b42ff144b320761a5f16
Author: Sahil Malhotra <sahil.malhotra at nxp.com>
Date:   Mon Aug 4 20:08:59 2025 +0200

    LFOPTEE-468 core: plat-imx: tzc380: update TZASC configuration
    
    In order to prevent Memory aliasing, need to ensure that region0
    is accessible from secure world only.
    
    Signed-off-by: Sahil Malhotra <sahil.malhotra at nxp.com>

Thanks,
//richard
-- 
​​​​​sigma star gmbh | Eduard-Bodem-Gasse 6, 6020 Innsbruck, AUT UID/VAT Nr:
ATU 66964118 | FN: 374287y

More information about the U-Boot mailing list