OP-TEE OTP overview

Revision as of 09:56, 27 October 2022 by Registered User (→‎OP-TEE_OS configuration)
Applicable for STM32MP13x lines, STM32MP15x lines

This article gives information about the OTP framework in OP-TEE and the associated interfaces.

1. Framework purpose

The two OP-TEE OTP PTAs, BSEC and NVMEM, provide a generic interface to the device's non-volatile OTP (one-time programmable) fuses.

They offer interfaces to read and/or write OTP data and status, both to Trusted Applications (TA) in the secure world and to non-secure applications.

2. System overview

Coming soon

2.1. Component description

  • Non-secure world (Linux):
    • NVMEM framework (kernel space): The NVMEM framework in the Linux® kernel provides a sysfs interface and the NVMEM API.
    • NVMEM drivers (kernel space): Provider drivers, such as the BSEC Linux® driver, that expose OTP data to the core.
    • TEE Core API Lib (user space): Library called by the client application to access the kernel space.
    • TEE framework (kernel space): The TEE framework provides the TEE client API to communicate with secure services, such as the services provided by the OP-TEE Linux® driver.
    • OP-TEE driver (kernel space): Generic driver that sends messages to the OP-TEE OS.
  • Secure world: the OP-TEE secure OS runs on the Cortex-A in secure mode and exposes secure services through Trusted Applications (TA).
    • NVMEM TA (OP-TEE core): Interface that exposes the NVMEM-specific services for provisioning by the non-secure world.
    • BSEC PTA (OP-TEE core): Interface that exposes the BSEC-specific services for OTP access by the non-secure world or by other TAs.
    • BSEC driver (OP-TEE core):

2.2. API description

The OTP interface is provided by two trusted applications (TA) in OP-TEE, accessible from the normal world with the GlobalPlatform API:

3. Configuration

3.1. OP-TEE_OS configuration

Activate the BSEC PTA in the OP-TEE configuration core/arch/arm/plat-stm32mp1/conf.mk:

CFG_BSEC_PTA ?= y

Activate the STM32MP NVMEM TA in the OP-TEE configuration core/arch/arm/plat-stm32mp1/conf.mk:

CFG_TA_STM32MP_NVMEM ?= y

Information: It is recommended to deactivate this TA in the final product.
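
A release-gate check for the recommendation above, as an added example that is not part of the original article or of OP-TEE: it resolves simple make assignments the way `?=` behaves and flags a configuration where the NVMEM TA is still enabled. The function names and the sample input are constructed for illustration, and passing `CFG_TA_STM32MP_NVMEM=n` on the make command line is an assumption about how a release build turns the TA off.

```python
import re

# Matches make-style assignments such as "CFG_BSEC_PTA ?= y" or "CFG_X:=n".
ASSIGN = re.compile(r"^\s*(CFG_\w+)\s*(\?=|:=|=)\s*(\S*)")

def effective_flags(conf_text, cmdline=()):
    """Resolve CFG_* values for simple assignments, as make would.

    cmdline holds "NAME=value" overrides given to make; they win over the file.
    """
    flags = {}
    for line in conf_text.splitlines():
        m = ASSIGN.match(line.split("#", 1)[0])   # ignore trailing comments
        if not m:
            continue
        name, op, value = m.groups()
        if op == "?=" and name in flags:
            continue                              # ?= never replaces an earlier value
        flags[name] = value
    for item in cmdline:
        name, _, value = item.partition("=")
        flags[name.strip()] = value.strip()
    return flags

def release_findings(flags):
    """Return findings for a final-product build, following the page's advice."""
    findings = []
    if flags.get("CFG_TA_STM32MP_NVMEM") == "y":
        findings.append("CFG_TA_STM32MP_NVMEM=y: provisioning TA is built in")
    return findings

# Constructed sample: the two settings from this page (spacing around ?= varies).
SAMPLE_CONF = """\
CFG_BSEC_PTA ?= y
CFG_TA_STM32MP_NVMEM  ?=y
"""

if __name__ == "__main__":
    builds = (("development", []), ("release", ["CFG_TA_STM32MP_NVMEM=n"]))
    for label, cmdline in builds:
        flags = effective_flags(SAMPLE_CONF, cmdline)
        print(label, flags, release_findings(flags) or "ok")
```

Because both settings use `?=`, a value set earlier or on the command line takes precedence, so the check has to look at the resolved value rather than grep conf.mk alone.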

3.2. Device tree configuration

Detailed DT configuration for STM32 internal peripherals:

4. How to use the OP-TEE OTP interfaces

Access to a Trusted Application (TA) is done with the TEE client API (architecture/globalplatform_api.html#tee-client-api).

4.1. BSEC PTA

The BSEC Pseudo TA (PTA) interface and services run in the TEE kernel and provide access to OTP data and status: lock and error.

This interface is used by Trusted Applications in the secure world to access all available OTP that are not masked by hardware.

See the example in the NVMEM TA: ta/stm32mp_nvmem/ta_stm32mp_nvmem.c. This access is only allowed on an open device (checked during open session), but there is no access restriction for other TAs.

This interface is also used by the non-secure world BSEC drivers to access unsecured OTP:

  • Linux: drivers/nvmem/stm32-romem.c
  • U-Boot: arch/arm/mach-stm32mp/bsec.c

Only the lower OTP words are accessible by default to the non-secure world (TEE_LOGIN_REE_KERNEL). The software needs to manage exceptions to allow some upper OTPs to be accessed by the non-secure world, as described in BSEC_device_tree_configuration. When an OTP is not accessible, the returned value is 0x0.

4.2. NVMEM TA

The NVMEM TA interface and services run in the TEE kernel and allow provisioning of the secure non-volatile memory (NVMEM) by exchanging buffers with the STM32CubeProgrammer tools.

Warning: This interface fails on a closed device, because access to the BSEC PTA is refused in the open session.

See the example in U-Boot: arch/arm/mach-stm32mp/bsec.c.

Warning: This interface is a potential security breach. It should be used only in the development phase or for provisioning software; it is recommended to deactivate this TA in a final product running on an open device.
