Hello expert, We compiled the OP-TEE to use the FFA ABI. And we have recognized the problem you have pointed out. It is a FF-A case for that REE OS kernel communicates with optee_os with Hafnium as SPMC. And in the FF-A case, it is hard to get optee api uid via arm_smccc_smc function. You are right. Now, we try to make some adaptation changes to the REE OS kernel about FFA configuration. regards, yuye ------------------------------------------------------------------ 发件人:Jens Wiklander jens.wiklander@linaro.org 发送时间:2023年1月9日(星期一) 16:03 收件人:梅建强(禹夜) meijianqiang.mjq@alibaba-inc.com 抄 送:op-tee op-tee@lists.trustedfirmware.org; 高海源(码源) haiyuan.ghy@alibaba-inc.com; 王一蒙(北见) wym389994@alibaba-inc.com; 赵哲(为哲) weizhe.zz@alibaba-inc.com 主 题:Re: optee device tree and tee driver Hi, On Sat, Jan 7, 2023 at 10:00 AM 梅建强(禹夜) meijianqiang.mjq@alibaba-inc.com wrote:
Hello expert,
Glad to see you emailed back! Before asking you any more questions, I need to explain the problem in our development environment.
The optee driver provied by linaro/linux supports FF-A which depends on that the REE OS kernel supports FF-A. We are currently using kernel 5.10 which does not support FF-A, while it is difficult to change from kernel 5.19 to 5.10 due to the platform limitations.
So you are not using FF-A after all? What are you doing with Hafnium as SPMC?
In consideration of that devices on which the kernel starts are managed by ACPI in the current server environment, we prefer to add an ACPI DSDT table for optee and report it to the kernel as a platform device.
OK
Now, we have independently installed the optee.ko compiled by optee driver into kernel 5.10, and we found that optee api uid mismatch when optee driver probing for its device. It seems that the optee driver tried to get the optee api uid from secure world via optee_smccc_smc, but failed.
dmseg log is as follows:
[ 82.121488] tee: loading out-of-tree module taints kernel.
[ 82.121578] tee: module verification failed: signature and/or required key missing - tainting kernel [ 83.206160] optee: probing for conduit method. [ 83.206166] optee: optee_compatible string: linaro,optee-tz [ 83.206171] optee: res.a0: 0xffffffffffffffff res.a1: 0x0 res.a2: 0x0 res.a3: 0x0 [ 83.206172] optee: api uid mismatch [ 83.206264] optee: probe of LNRO0020:00 failed with error -22
Do you know how to solve this problem? Looking forward to your reply. Thanks for support.
The module you have compiled for the kernel seems to use the SMC ABI. Did you compile OP-TEE to use the SMC ABI too? Or do you expect to use the FF-A ABI? I'm a bit confused by the earlier mail where you say that you're using Hafnium as SPMC, which suggests using the FF-A ABI. Cheers, Jens
regards, yuye
发件人:Jens Wiklander jens.wiklander@linaro.org 发送时间:2023年1月5日(星期四) 20:29 收件人:梅建强(禹夜) meijianqiang.mjq@alibaba-inc.com 抄 送:op-tee op-tee@lists.trustedfirmware.org; 高海源(码源) haiyuan.ghy@alibaba-inc.com; 王一蒙(北见) wym389994@alibaba-inc.com; 赵哲(为哲) weizhe.zz@alibaba-inc.com 主 题:Re: optee device tree and tee driver
Hi Yuye,
On Wed, Jan 4, 2023 at 6:10 PM 梅建强(禹夜) meijianqiang.mjq@alibaba-inc.com wrote:
Hello expert,
I have a few questions about the optee device tree and tee driver. In our environment, optee uses version 3.19 vexpress-fvp and runs on top of hafnium as SPMC. Here's my question.
- Does the current optee version support adding ACPI table iterm for optee to enable REE to identify the installed optee driver so that TA and CA can establish communication?
Since you mention SPMC I assume you're using FF-A also. With FF-A there is no need for OP-TEE to have anything in DTB or ACPI. The FF-A framework is able to tell if there's an OP-TEE available to communicate with or not.
(I raise this question because I cannot find the corresponding optee node in "/sys/devices/platform" in the current linux environment. While in the QEMU runtime environment, the corresponding optee node is in "/proc/device-tree/firmware", i.e. "linaro,optee-tz".)
Yes, but only in the non-FF-A case.
- If I want to transfer dtb file which includes a device tree node written by optee to linux, How to configure CFG_DT, CFG_DT_ADDR, and CFG_EXTERNAL_DTB_OVERLAY?
(I understand that this method should be independent from the method in question 1. If it is not, look forward your explain.)
In the FF-A case, this isn't necessary or even possible in an easy way.
Cheers, Jens
Looking forward to your reply. Thanks.
regards, yuye