On 6/8/2026 11:07 AM, Richard Weinberger wrote:
Ye Li <[email protected]> wrote on Mon, 8 June 2026, 03:43:
Hi Richard,
On 6/5/2026 10:52 PM, Richard Weinberger wrote:
> CC'ing Ye Li.
>
> On Thursday, 4 June 2026 19:24 Richard Weinberger wrote:
>> Hello!
>>
>> FYI, in arch/arm/mach-imx/imx8m/soc.c enable_tzc380() U-Boot configures
>> region0 to allow secure and non-secure world access.
>> This is known to be problematic and allows circumventing the TrustZone due to
>> memory aliasing[0][1].
>>
>> It also causes recent OP-TEE to panic at startup:
>> E/TC:0 0 Panic 'region0 is not secure configured, non-secure memory alias access possible!' at core/arch/arm/plat-imx/tzc380.c:217 <imx_configure_tzasc>
>>
>> This is not a theoretical issue.
>> On my i.mx8mm evk Board I was able to exploit this and dump all OP-TEE memory from Linux.
>
> I suggest reverting commit b3cf0a8f03d162e030cde1131751d060853e16fc
> Author: Ye Li <[email protected]>
> Date: Tue Aug 27 06:25:34 2019 +0000
>
> imx8m: Configure trustzone region 0 for non-secure access
>
> Set trustzone region 0 to allow both non-secure and secure access
> when trust zone is enabled. We found USB controller fails to access
> DDR if the default region 0 is secure access only.
>
> Signed-off-by: Ye Li <[email protected]>
> Signed-off-by: Peng Fan <[email protected]>
>
> Thanks,
> //richard
We have discussed this with iMX optee owner. The fix should be done in
OPTEE not u-boot.
1. OPTEE uses secure memory, so it needs to re-configure trustzone to
meet secure requirement not depending on SPL setting.
2. SPL also supports Non-optee case.
Best regards,
Ye Li
Can you please point to this discussion?
It is our internal discussion not on community thread. I add Sahil to
comment for optee. And please notice, trustzone should be enabled before
DDR initialization. So it should be in SPL not optee. Optee can
reconfigure trustzone setting.
Best regards,
Ye Li
Thanks,
//richard
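
Why the region 0 setting discussed in this thread matters, as an added example (not code from U-Boot, OP-TEE or anyone in the thread): a small C model of how a TZC-380 picks the permissions for an address, with field positions taken from the Arm TZC-380 TRM. The region layout and addresses are constructed, and `tzc_effective_sp` and `demo_ns_access` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* region_attributes fields as laid out in the Arm TZC-380 TRM */
#define ATTR_EN(a)     ((a) & 1u)
#define ATTR_SIZE(a)   (((a) >> 1) & 0x3fu)  /* region spans 2^(field+1) bytes */
#define ATTR_SUBDIS(a) (((a) >> 8) & 0xffu)  /* one bit per 1/8 subregion */
#define ATTR_SP(a)     (((a) >> 28) & 0xfu)  /* bits: S_R, S_W, NS_R, NS_W */
#define SP_NS_RW       0x3u

struct tzc_region { uint64_t base; uint32_t attr; };

/* sp field that governs addr: the highest-numbered enabled region that
 * covers it wins; r[0] is region 0, the background for everything else. */
unsigned tzc_effective_sp(const struct tzc_region *r, size_t n, uint64_t addr)
{
    for (size_t i = n; i-- > 1; ) {
        unsigned shift = ATTR_SIZE(r[i].attr) + 1;
        if (!ATTR_EN(r[i].attr) || shift < 15 || addr < r[i].base)
            continue;                     /* off, reserved size, or below base */
        uint64_t off = addr - r[i].base;
        if (shift < 64 && (off >> shift) != 0)
            continue;                     /* past the end of the region */
        if (ATTR_SUBDIS(r[i].attr) & (1u << ((off >> (shift - 3)) & 7)))
            continue;                     /* disabled subregion falls through */
        return ATTR_SP(r[i].attr);
    }
    return ATTR_SP(r[0].attr);
}

/* Constructed layout: region 1 marks 32 MiB at 0x40000000 secure-only. */
int demo_ns_access(uint32_t region0_attr, uint64_t addr)
{
    struct tzc_region r[] = {
        { 0, region0_attr },
        { 0x40000000ull, (0xCu << 28) | (24u << 1) | 1u },
    };
    return (tzc_effective_sp(r, 2, addr) & SP_NS_RW) != 0;
}

int main(void)
{
    /* 0x140001000 is a constructed address outside region 1 */
    printf("inside region 1, open region 0:    %d\n", demo_ns_access(0xf0000000u, 0x40001000ull));
    printf("outside region 1, open region 0:   %d\n", demo_ns_access(0xf0000000u, 0x140001000ull));
    printf("outside region 1, secure region 0: %d\n", demo_ns_access(0xc0000000u, 0x140001000ull));
    return 0;
}
```

Any address that no numbered region covers is decided by region 0 alone, which is the condition the OP-TEE panic message quoted above checks for.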