Ye Li,

On Tuesday, 9 June 2026 03:44 Ye Li wrote:
> > We have discussed this with iMX optee owner. The fix should be done in
> > OPTEE not u-boot.
> > 1. OPTEE uses secure memory, so it needs to re-configure trustzone to
> > meet secure requirement not depending on SPL setting.
> > 2. SPL also supports Non-optee case.
> >
> > Best regards,
> > Ye Li
> >
> >
> > Can you please point to this discussion?
>
> It is our internal discussion not on community thread. I add Sahil to
> comment for optee. And please notice, trustzone should be enabled before
> DDR initialization. So it should be in SPL not optee. Optee can
> reconfigure trustzone setting.

But U-Boot right now harms the TZASC settings.
This is exactly why upstream OP-TEE has the following guard:

commit 443c5817de47f1bd19091b419806898070382a67
Author: Marco Felsch <[email protected]>
Date:   Tue Jun 17 13:27:53 2025 +0200

    drivers: imx: tzc380: add support to verify region0

    There are platforms where memory aliasing can't be prevented, e.g. the
    i.MX8M. If the previous running firmware configured region0, which
    covers the whole AXI address space, to be accessible from secure and
    non-secure world the OP-TEE core memory would be accessible via memory
    aliasing.

    To prevent such attacks we need to ensure that region0 is accessible
    from the secure world only.

    Reviewed-by: Sahil Malhotra <[email protected]>
    Signed-off-by: Marco Felsch <[email protected]>

Upstream A-TF also used to misconfigure region0, this got fixed by:
https://github.com/ARM-software/arm-trusted-firmware/commit/9bf148071aad597e7fe7d1080c00aeb35b67a3dd

So, why is U-Boot working *against* upstream?
Instead of using the sledgehammer and enabling normal world access to the
whole region0, apply a more precise fix to make these USB masters work.

I know, with downstream IMX OP-TEE it's less of a problem, because you
carry this change:

commit c09d6e9da171f8c5ee42b42ff144b320761a5f16
Author: Sahil Malhotra <[email protected]>
Date:   Mon Aug 4 20:08:59 2025 +0200

    LFOPTEE-468 core: plat-imx: tzc380: update TZASC configuration

    In order to prevent Memory aliasing, need to ensure that region0
    is accessible from secure world only.

    Signed-off-by: Sahil Malhotra <[email protected]>

Thanks,
//richard

-- 
sigma star gmbh | Eduard-Bodem-Gasse 6, 6020 Innsbruck, AUT
UID/VAT Nr: ATU 66964118 | FN: 374287y
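
The region0 check this message refers to, sketched as an added example; it is not part of the thread and not the upstream OP-TEE driver code. It assumes the TZC-380 layout with region_attributes_0 at offset 0x108 and the permission field in bits [31:28]; all names are hypothetical and the register bank is constructed so the code runs without hardware.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed TZC-380 layout: region_attributes_0 at offset 0x108,
 * security permissions (sp) in bits [31:28]. Names are hypothetical. */
#define TZC_REGION_ATTR0_OFF 0x108u
#define TZC_SP_SHIFT         28
#define TZC_SP_NS_W          0x1u /* non-secure write */
#define TZC_SP_NS_R          0x2u /* non-secure read  */
#define TZC_SP_S_W           0x4u /* secure write     */
#define TZC_SP_S_R           0x8u /* secure read      */

enum r0_verdict { R0_SECURE_ONLY, R0_NS_ACCESSIBLE, R0_SECURE_BLOCKED };

/* Classify region0 from a mapped TZC-380 register bank. */
enum r0_verdict tzc380_check_region0(const volatile uint32_t *base)
{
    uint32_t attr = base[TZC_REGION_ATTR0_OFF / 4];
    uint32_t sp = (attr >> TZC_SP_SHIFT) & 0xfu;

    /* Any non-secure permission on the background region exposes
     * secure memory through an alias address. */
    if (sp & (TZC_SP_NS_R | TZC_SP_NS_W))
        return R0_NS_ACCESSIBLE;
    /* Secure world must keep read and write access itself. */
    if ((sp & (TZC_SP_S_R | TZC_SP_S_W)) != (TZC_SP_S_R | TZC_SP_S_W))
        return R0_SECURE_BLOCKED;
    return R0_SECURE_ONLY;
}

/* Constructed register bank standing in for the hardware. */
enum r0_verdict check_constructed_bank(uint32_t sp)
{
    static uint32_t bank[0x200 / 4];

    bank[TZC_REGION_ATTR0_OFF / 4] = (sp & 0xfu) << TZC_SP_SHIFT;
    return tzc380_check_region0(bank);
}

int main(void)
{
    /* 0xf: what a previous stage leaves when it opens region0 to all. */
    printf("sp=0xf -> %d\n", check_constructed_bank(0xfu));
    /* 0xc: secure read/write only. */
    printf("sp=0xc -> %d\n", check_constructed_bank(0xcu));
    return 0;
}
```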

