TZASC misconfiguration on i.mx8m

Ye Li ye.li at oss.nxp.com
Tue Jun 9 11:56:18 CEST 2026



On 6/9/2026 2:53 PM, Richard Weinberger wrote:
> Ye Li,
> 
> On Tuesday, 9 June 2026 03:44 Ye Li wrote:
>>>      We have discussed this with iMX optee owner. The fix should be done in
>>>      OPTEE not u-boot.
>>>      1. OPTEE uses secure memory, so it needs to re-configure trustzone to
>>>      meet secure requirement not depending on SPL setting.
>>>      2. SPL also supports Non-optee case.
>>>
>>>      Best regards,
>>>      Ye Li
>>>
>>>
>>> Can you please point to this discussion?
>>
>> It is our internal discussion, not on a community thread. I add Sahil to
>> comment for optee. And please note, trustzone should be enabled before
>> DDR initialization. So it should be in SPL not optee. Optee can
>> reconfigure trustzone setting.
> 
> But U-Boot right now harms the TZASC settings.
> 
> This is exactly why upstream OP-TEE has the following guard:
> commit 443c5817de47f1bd19091b419806898070382a67
> Author: Marco Felsch <m.felsch at pengutronix.de>
> Date:   Tue Jun 17 13:27:53 2025 +0200
> 
>      drivers: imx: tzc380: add support to verify region0
>      
>      There are platforms where memory aliasing can't be prevented, e.g. the
>      i.MX8M. If the previous running firmware configured region0, which
>      covers the whole AXI address space, to be accessible from secure and
>      non-secure world the OP-TEE core memory would be accessible via memory
>      aliasing.
>      
>      To prevent such attacks we need to ensure that region0 is accessible
>      from the secure world only.
>      
>      Reviewed-by: Sahil Malhotra <sahil.malhotra at nxp.com>
>      Signed-off-by: Marco Felsch <m.felsch at pengutronix.de>
> 
> Upstream A-TF also used to misconfigure region0, this got fixed by:
> https://github.com/ARM-software/arm-trusted-firmware/commit/9bf148071aad597e7fe7d1080c00aeb35b67a3dd
> 
> So, why is U-Boot working *against* upstream?
> Instead of using the sledgehammer and enabling normal world access to the whole
> region0, apply a more precise fix to make these USB masters work.
> I know, with downstream IMX OP-TEE it's less of a problem, because you carry this change:
> 
> commit c09d6e9da171f8c5ee42b42ff144b320761a5f16
> Author: Sahil Malhotra <sahil.malhotra at nxp.com>
> Date:   Mon Aug 4 20:08:59 2025 +0200
> 
>      LFOPTEE-468 core: plat-imx: tzc380: update TZASC configuration
>      
>      In order to prevent Memory aliasing, need to ensure that region0
>      is accessible from secure world only.
>      
>      Signed-off-by: Sahil Malhotra <sahil.malhotra at nxp.com>
> 
Why can't this optee patch apply to optee upstream? It is optee using
secure memory, then it should be optee's responsibility to configure
trustzone correctly. Optee can't depend on the default value of trustzone,
since trustzone is not enabled by optee.

Best regards,
Ye Li

> Thanks,
> //richard
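
The region0 check described in the quoted commit messages, as an added example that is not code from U-Boot, OP-TEE or TF-A: it decodes a TZC-380 region attributes value and decides whether region0 is reachable from the secure world only. The macro and function names are hypothetical, the bit layout (sp field in bits [31:28]; secure read/write in bits 3/2, non-secure read/write in bits 1/0) is an assumption to confirm against the Arm TZC-380 TRM, and the register values in `main` are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed TZC-380 region_attributes_<n> layout; names are hypothetical. */
#define SP_SHIFT 28u
#define SP_MASK  (0xFu << SP_SHIFT)
#define SP_NS_W  (1u << 0)   /* non-secure write */
#define SP_NS_R  (1u << 1)   /* non-secure read  */
#define SP_S_W   (1u << 2)   /* secure write     */
#define SP_S_R   (1u << 3)   /* secure read      */
#define SP_S_RW  (SP_S_R | SP_S_W)

enum r0_state { R0_SECURE_ONLY, R0_NS_ACCESSIBLE, R0_SECURE_BLOCKED };

/* Classify the sp permissions of a region0 attributes value. */
enum r0_state classify_region0(uint32_t attr)
{
    uint32_t sp = (attr & SP_MASK) >> SP_SHIFT;

    /* Any non-secure bit on region0 exposes the whole AXI address space,
     * including aliases of secure memory, to the normal world. */
    if (sp & (SP_NS_R | SP_NS_W))
        return R0_NS_ACCESSIBLE;
    /* Without both secure bits the secure world loses its own background access. */
    if ((sp & SP_S_RW) != SP_S_RW)
        return R0_SECURE_BLOCKED;
    return R0_SECURE_ONLY;
}

/* Value to write back: secure RW only, every non-sp field left untouched. */
uint32_t region0_secure_only(uint32_t attr)
{
    return (attr & ~SP_MASK) | (SP_S_RW << SP_SHIFT);
}

int main(void)
{
    /* Constructed samples: sp = all access, secure RW, secure RW + NS read. */
    const uint32_t samples[] = { 0xF0000000u, 0xC0000000u, 0xE0000000u };
    static const char *const names[] = { "secure-only", "NS-accessible", "secure-blocked" };

    for (unsigned int i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("attr=0x%08x -> %s, corrected=0x%08x\n", (unsigned int)samples[i],
               names[classify_region0(samples[i])],
               (unsigned int)region0_secure_only(samples[i]));
    return 0;
}
```

A firmware stage that relies on secure memory would run such a check on the value the previous stage left in region0 before trusting it, and either rewrite it or refuse to continue.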


