Hi By Yinhua,
Your experiment fails for two main reasons: 1/ you're attempting to load OP-TEE as a normal world VM whereas OP-TEE is a TEE meant to run in TZ secure world. 2/ you're using qemu which is not yet capable of emulating S-EL2. At present, you'd need to use Arm's FVP.
Can you confirm you wish to run OP-TEE as TEE on top of Hafnium in the secure world?
Clearer instructions on how to run OP-TEE as a Secure Partition shall follow in coming days from Arm's platform team.
Regards, Olivier.
________________________________________
From: Hafnium hafnium-bounces@lists.trustedfirmware.org on behalf of 陈 胤桦 via Hafnium hafnium@lists.trustedfirmware.org
Sent: 15 January 2021 09:48
To: hafnium@lists.trustedfirmware.org
Subject: [Hafnium] load TEE systems(like OPTEE) on hafnium
Hi all,
I followed the "Getting Started" instructions and ran Linux as the primary VM on Hafnium successfully.
Then I tried to load the OP-TEE system as a secondary VM on Hafnium, but failed.
Is there any document which can help me load a TEE system on Hafnium?
If not, could you give me some guidance and tips?
The following are the efforts I made:
------
1. I write the file "manifest.dts" as follows:

    /dts-v1/;

    / {
        hypervisor {
            compatible = "hafnium,hafnium";
            ffa_tee;
            vm1 {
                debug_name = "primary VM -chenyinhua";
                kernel_filename = "vmlinuz";
                ramdisk_filename = "initrd.img";
                smc_whitelist = < 0x04000000 0x3200ffff >;
            };
            vm2 {
                debug_name = "secondary VM 1";
                kernel_filename = "kernel0";
                vcpu_count = <2>;
                mem_size = <0x100000>;
                smc_whitelist_permissive;
            };
        };
    };

2. Run prebuilts/linux-x64/dtc/dtc -I dts -O dtb --out-version 17 -o manifest.dtb manifest.dts
3. Move "manifest.dtb" into "initrd" directory
4. Follow this blog to build OP-TEE: https://blog.csdn.net/dddddttttt/article/details/80793453, now I can run optee_examples successfully.
5. In <opentee-root-dir>/optee_os/out/arm/core, copy the file "tee.bin" into <hafnium-root-dir>/initrd
6. Rename <hafnium-root-dir>/initrd/tee.bin to <hafnium-root-dir>/initrd/kernel0
7. In <hafnium-root-dir>/initrd/ , run the following command (The linux's vmlinuz and initrd.img are already in the directory)

    find . | cpio -o > ../initrd.img

8. In <hafnium-root-dir>, run

    qemu-system-aarch64 \
        -M virt,gic_version=3 \
        -cpu cortex-a57 -nographic -machine virtualization=true \
        -kernel out/reference/qemu_aarch64_clang/hafnium.bin \
        -initrd initrd.img -append "rdinit=/sbin/init"

9. The result is as follows:

    NOTICE: Initialising hafnium
    INFO: text: 0x40001000 - 0x4001b000
    INFO: rodata: 0x4001b000 - 0x4001f000
    INFO: data: 0x4001f000 - 0x400b7000
    INFO: Supported bits in physical address: 44
    INFO: Stage 2 has 4 page table levels with 1 pages at the root.
    INFO: Found PSCI version: 0x2
    INFO: Memory range: 0x40000000 - 0x47ffffff
    INFO: Ramdisk range: 0x44000000 - 0x45aa8bff
    WARNING: Device memory not provided, defaulting to 1 TB.
    INFO: Loaded primary VM with 8 vCPUs, entry at 0x40280000.
    INFO: Loading VM id 0x2: secondary VM 1.
    INFO: Loaded with 2 vCPUs, entry at 0x47f00000.
    INFO: Loading VM id 0x3: secondary VM 2.
    INFO: Loaded with 4 vCPUs, entry at 0x47d00000.
    ./qboot.sh: line 5: 3397 Segmentation fault (core dumped) qemu-system-aarch64 -M virt,gic_version=3 -cpu cortex-a57 -nographic -machine virtualization=true -kernel out/reference/qemu_aarch64_clang/hafnium.bin -initrd initrd.img -append "rdinit=/sbin/init"

I appreciate any possible help!
Thanks.
------
By Yinhua
-- Hafnium mailing list Hafnium@lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/hafnium
Hi Olivier Deprez,
Thanks for your guidance, it really helps me a lot!
I do really want to run OP-TEE as TEE on top of Hafnium in the secure world, and now I am just exploring how to achieve the goal.
Just one more question: Do I need to recompile ATF if I want to load TEE systems?
When I read ATF's document, I see that a "sp_layout.json" file is required when compiling ATF.
Here is an example of "sp_layout.json":

    {
        "tee1" : {
            "image": "tee1.bin",
            "pm": "tee1.dts",
            "owner": "SiP"
        },
        "tee2" : {
            "image": "tee2.bin",
            "pm": "tee2.dts",
            "owner": "Plat"
        }
    }

It seems that the "manifest.dts" file mentioned in hafnium document is not the only file specifying the layout of secure partitions.
Should I change both "sp_layout.json" and "manifest.dts" files and recompile ATF to load TEE systems on hafnium?
I appreciate your help!
Sincerely, Yinhua
Hi Yinhua,
For starters you can try the list of commands below. This effectively boots Hafnium and OP-TEE in the SWd.
There is a sample sp_layout.json file in the instructions.
The SPMC manifest is https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/tree/plat/arm/bo...
The OP-TEE partition manifest is https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/tree/fdts/optee_...
Notice the NWd payload (BL33) is not linux but the sample TF-A-tests framework. It requires additional steps to boot linux including the FF-A driver.
Those instructions are just for the sake of experimenting, as said earlier proper releases shall come from the Arm platforms team.
Regards, Olivier.
========================================
    # NOTE: make sure gcc-arm-9.2-2019.12-x86_64-aarch64-none-elf/bin is in PATH
    mkdir workspace; cd workspace

    # Hafnium
    # https://review.trustedfirmware.org/plugins/gitiles/hafnium/hafnium/+/HEAD/do...
    git clone https://git.trustedfirmware.org/hafnium/hafnium.git; cd hafnium
    git fetch "https://review.trustedfirmware.org/hafnium/hafnium" refs/changes/11/6011/16 && git checkout FETCH_HEAD
    git checkout -b spmc
    git submodule update --init
    make PROJECT=reference
    cd ..

    # OPTEE
    # https://optee.readthedocs.io/en/latest/building/prerequisites.html#prerequis...
    git clone https://git.trustedfirmware.org/OP-TEE/optee_os.git -b ffa_rel_proto; cd optee_os

    # Adjust TEE start address ('?' is escaped so the pattern matches the literal "?=")
    perl -pi -e 's/CFG_TZDRAM_START \?= 0x06280000/CFG_TZDRAM_START ?= 0x06281000/' core/arch/arm/plat-vexpress/conf.mk

    CROSS_COMPILE64=aarch64-none-elf- PLATFORM=vexpress PLATFORM_FLAVOR=fvp \
        CFG_ARM_GICV3=y CFG_CORE_SEL2_SPMC=y CFG_ARM64_core=y \
        CFG_USER_TA_TARGETS=ta_arm64 CFG_TEE_CORE_DEBUG=y CFG_TEE_CORE_LOG_LEVEL=4 \
        CFG_TEE_BENCHMARK=n CFG_WITH_STATS=y make
    cd ..

    # TF-A-tests
    git clone https://git.trustedfirmware.org/TF-A/tf-a-tests.git; cd tf-a-tests
    make CROSS_COMPILE=aarch64-none-elf- PLAT=fvp DEBUG=1 TESTS=spm -j4
    cd ..

    # TF-A
    #
    git clone https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git; cd trusted-firmware-a
    git checkout b4b23c780c0763ce01ac21de1a0e79287677405f -b spmc

    #{
    #    "op-tee" : {
    #        "image": "../optee_os/out/arm-plat-vexpress/core/tee-pager_v2.bin",
    #        "pm": "fdts/optee_sp_manifest.dts"
    #    }
    #}
    # Inner double quotes are escaped so that they reach the file and the result is valid JSON.
    echo \
    "{ \
        \"op-tee\" : { \
            \"image\": \"../optee_os/out/arm-plat-vexpress/core/tee-pager_v2.bin\", \
            \"pm\": \"fdts/optee_sp_manifest.dts\" \
        } \
    }" > sp_layout.json

    make CROSS_COMPILE=aarch64-none-elf- SPD=spmd CTX_INCLUDE_EL2_REGS=1 PLAT=fvp \
        BL33=../tf-a-tests/build/fvp/debug/tftf.bin DEBUG=1 \
        BL32=../hafnium/out/reference/secure_aem_v8a_fvp_clang/hafnium.bin \
        ARM_ARCH_MINOR=4 SP_LAYOUT_FILE=sp_layout.json \
        ARM_SPMC_MANIFEST_DTS=plat/arm/board/fvp/fdts/fvp_spmc_optee_sp_manifest.dts \
        all fip
    cd ..

    # Run FVP
    ../fvp/Base_RevC_AEMv8A_pkg/models/Linux64_GCC-6.4/FVP_Base_RevC-2xAEMv8A \
        -C pctl.startup=0.0.0.0 \
        -C cluster0.NUM_CORES=4 \
        -C cluster1.NUM_CORES=4 \
        -C bp.secure_memory=1 \
        -C bp.secureflashloader.fname=trusted-firmware-a/build/fvp/debug/bl1.bin \
        -C bp.flashloader0.fname=trusted-firmware-a/build/fvp/debug/fip.bin \
        -C cluster0.has_arm_v8-4=1 \
        -C cluster1.has_arm_v8-4=1 \
        -C cache_state_modelled=0 \
        -C bp.pl011_uart0.out_file=fvp-uart0.log \
        -C bp.pl011_uart1.out_file=fvp-uart1.log \
        -C bp.vis.disable_visualisation=1
==================================
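
Added example (not part of the thread and not TF-A's own tooling): a Python pre-build check for the sp_layout.json files discussed in the two messages above, reporting entries whose "image" or "pm" file is missing, a layout that is not valid JSON (for instance when the shell consumed unescaped quotes in an echo), and recording a SHA-256 of each image that would be packaged for the secure world. It assumes "image" and "pm" are resolved relative to the directory holding the layout file; check_sp_layout, demo and the placeholder file contents are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

REQUIRED_KEYS = ("image", "pm")   # fields present in every entry shown in the thread
KNOWN_OWNERS = {"SiP", "Plat"}    # owner values shown in the thread's sample


def check_sp_layout(layout_file):
    """Validate an sp_layout.json and return (problems, image_digests).

    Assumption: paths are relative to the directory of the layout file."""
    layout_file = Path(layout_file)
    base = layout_file.resolve().parent
    try:
        layout = json.loads(layout_file.read_text())
    except (OSError, ValueError) as exc:
        return [f"layout unreadable or not valid JSON: {exc}"], {}
    if not isinstance(layout, dict) or not layout:
        return ["layout must be a non-empty JSON object"], {}

    problems, digests = [], {}
    for name, entry in layout.items():
        if not isinstance(entry, dict):
            problems.append(f"{name}: entry must be an object")
            continue
        for key in REQUIRED_KEYS:
            rel = entry.get(key)
            if not isinstance(rel, str) or not rel:
                problems.append(f"{name}: missing '{key}'")
                continue
            path = base / rel
            if not path.is_file():
                problems.append(f"{name}: {key} not found: {rel}")
            elif key == "image":
                # Record exactly which binary would be packaged.
                digests[name] = hashlib.sha256(path.read_bytes()).hexdigest()
        owner = entry.get("owner")
        if owner is not None and owner not in KNOWN_OWNERS:
            problems.append(f"{name}: unexpected owner {owner!r}")
    return problems, digests


def demo():
    """Run the checker on constructed files laid out like the thread's workspace."""
    with tempfile.TemporaryDirectory() as tmp:
        ws = Path(tmp)
        tfa = ws / "trusted-firmware-a"
        core = ws / "optee_os/out/arm-plat-vexpress/core"
        (tfa / "fdts").mkdir(parents=True)
        core.mkdir(parents=True)
        (core / "tee-pager_v2.bin").write_bytes(b"constructed placeholder image")
        (tfa / "fdts/optee_sp_manifest.dts").write_text("/dts-v1/;\n/ { };\n")
        good = tfa / "sp_layout.json"
        good.write_text(json.dumps({"op-tee": {
            "image": "../optee_os/out/arm-plat-vexpress/core/tee-pager_v2.bin",
            "pm": "fdts/optee_sp_manifest.dts"}}))
        # What echo writes when the inner double quotes are not escaped.
        stripped = tfa / "stripped.json"
        stripped.write_text("{ op-tee : { image: tee-pager_v2.bin, pm: x.dts } }")
        # The two-partition sample from the thread; its files do not exist here.
        sample = tfa / "sample.json"
        sample.write_text(json.dumps({
            "tee1": {"image": "tee1.bin", "pm": "tee1.dts", "owner": "SiP"},
            "tee2": {"image": "tee2.bin", "pm": "tee2.dts", "owner": "Plat"}}))
        return {p.name: check_sp_layout(p) for p in (good, stripped, sample)}


if __name__ == "__main__":
    for name, (problems, digests) in demo().items():
        print(name, "OK" if not problems else problems, digests)
```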
Hi Olivier Deprez,
I really appreciate your help! I loaded OP-TEE on Hafnium successfully!
Thanks!
Sincerely, Yinhua.