Anyone have experience with adding op-tee to fsl-community-bsp for imx8mm?
Brian Hutchinson
It's been over a year now since I ran NXP's Yocto release on imx8mm-evk, but I believe that op-tee was included. I now find myself needing to use our eMMC RPMB for key storage since our TPM modules have supply chain issues :(. So I understand op-tee works with RPMB, so it looks like I probably need to move in that direction, and I would like to know if anyone has done one of these setups before, adding op-tee to fsl-community-bsp configured for RPMB.

What I'm really wanting to do is have an application filesystem that's encrypted and get the key to mount/decrypt it from RPMB. I've not done any of this before, so I'm reading and watching videos trying to weed out the noise from what's important, which is fun when you don't know what you don't know.

Regards,

Brian
Ricardo Salveti
Hi Brian,
On Tue, Jul 13, 2021 at 11:21 AM Brian Hutchinson <b.hutchman@...> wrote:

The latest OP-TEE from NXP supports generating a HUK for closed devices, so that should be all you need. You might need to configure OP-TEE to enable RPMB, but that should be all you need to be able to access it.

The main problem with RPMB is that you will have to generate and write a key in order to protect the RPMB access, and for this you will have to close your device (the HUK is only available when the device is closed and booted in secure mode), and compile and boot a specific OP-TEE binary that has the capability of writing the RPMB key on first access (CFG_RPMB_WRITE_KEY=y). The current OP-TEE implementation derives the RPMB key from the HUK, which forces it to be specific to the device and makes it available only when the device is in secure mode.

https://docs.foundries.io/latest/reference-manual/security/secure-boot-imx.html might be useful for understanding how that access is made and how to close/fuse your board.

Cheers,

--
Ricardo Salveti
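The reply above describes two distinct OP-TEE builds: a one-shot provisioning build with CFG_RPMB_WRITE_KEY=y that programs the HUK-derived key into the RPMB on first access, and the production build that must not carry that option (nor the well-known CFG_RPMB_TESTKEY, which OP-TEE offers for development). The following POSIX sh script is an added example, not code from the thread, from NXP or from the OP-TEE project: it audits the CFG_ make variables you intend to pass to the OP-TEE build (how your Yocto recipe forwards them is assumed to be your own concern) and flags combinations that are only acceptable for provisioning.

```shell
#!/bin/sh
# Added example (not from the thread): audit the RPMB-related make variables of an
# OP-TEE build before an image is signed for a closed (secure-boot) i.MX8MM board.
# Assumption: the caller passes the variables as KEY=VALUE words, exactly as they
# would appear on the OP-TEE `make` command line.

# Print the value of one CFG_ variable from the argument list (empty if unset).
# Always exits 0 so it is safe to use inside command substitution under `set -e`.
optee_cfg_value() {
    key="$1"; shift
    for kv in "$@"; do
        case "$kv" in
            "$key"=*) printf '%s\n' "${kv#*=}"; break ;;
        esac
    done
    return 0
}

# Exit 0 when the given variables are acceptable for a production build,
# 1 otherwise; each finding is written to stderr.
check_optee_rpmb_config() {
    rc=0
    rpmb_fs=$(optee_cfg_value CFG_RPMB_FS "$@")
    write_key=$(optee_cfg_value CFG_RPMB_WRITE_KEY "$@")
    testkey=$(optee_cfg_value CFG_RPMB_TESTKEY "$@")

    # Secure storage must live in RPMB; otherwise the TA's keys land in the REE filesystem
    [ "$rpmb_fs" = "y" ] || { echo "finding: CFG_RPMB_FS is not y (secure storage not in RPMB)" >&2; rc=1; }
    # The OP-TEE test key is public; with it the RPMB authentication MAC protects nothing
    [ "$testkey" = "y" ] && { echo "finding: CFG_RPMB_TESTKEY=y selects the well-known test key" >&2; rc=1; }
    # Key programming is a one-time provisioning step on the closed device, not a shipped feature
    [ "$write_key" = "y" ] && { echo "finding: CFG_RPMB_WRITE_KEY=y in a production build" >&2; rc=1; }
    return $rc
}

# Stand-alone demonstration with constructed argument lists.
echo "provisioning build:"
check_optee_rpmb_config CFG_RPMB_FS=y CFG_RPMB_WRITE_KEY=y || echo "  flagged, as expected for a one-shot key-programming image"
echo "production build:"
check_optee_rpmb_config CFG_RPMB_FS=y CFG_RPMB_WRITE_KEY=n CFG_RPMB_TESTKEY=n && echo "  ok"
```

Run the provisioning build once on the closed board so OP-TEE writes the HUK-derived key, then rebuild with CFG_RPMB_WRITE_KEY unset for the image you ship; the check above is meant to sit in CI so the provisioning-only variables cannot leak into the release artifact.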