Add hardware-based security support for the i.MX series chips. #38050
+2,036
−13
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
the libtrustymatter third-party lib contains the Trusty IPC infrastructure and client application in the Non-secure side. Change-Id: Id2cb5ccc0006d9f51cab06ed971174a94aa0111f Signed-off-by: Ji Luo <ji.luo@nxp.com> Reviewed-on: http://androidsource.nxp.com/project/21249 Reviewed-by: Elven Wang <elven.wang@nxp.com> Reviewed-on: http://androidsource.nxp.com/project/23003
read all device attestation credentials from secure storage which is managed by TEE (Trusty OS), all credentials should be provisioned in bootloader stage. Change-Id: I59f144b92c3dfde2ab167d9f0f7f62508ed47354 Signed-off-by: Ji Luo <ji.luo@nxp.com> Reviewed-on: http://androidsource.nxp.com/project/21250 Reviewed-by: Elven Wang <elven.wang@nxp.com> Reviewed-on: http://androidsource.nxp.com/project/23004
move the p256keypair operations to Trusty OS to enhance the crypto security. Change-Id: I47ec6b440f91adf3e717ed8915f35b7844731c90 Signed-off-by: Ji Luo <ji.luo@nxp.com> Reviewed-on: http://androidsource.nxp.com/project/21251 Reviewed-by: Elven Wang <elven.wang@nxp.com> Reviewed-on: http://androidsource.nxp.com/project/23005
support trusty backed persistent storage operation keystore. Change-Id: I156c51bc415b1e9fb16e054deccb34415a7acc86 Signed-off-by: Ji Luo <ji.luo@nxp.com> Reviewed-on: http://androidsource.nxp.com/project/21252 Reviewed-by: Elven Wang <elven.wang@nxp.com> Reviewed-on: http://androidsource.nxp.com/project/23007
Now the build script are refined to use parameter for different option:
Usage:./scripts/examples/imxlinux_example.sh -s|--src <src folder>
-o|--out <out folder> [-d|--debug] [-n|--no-init] [-t|--trusty]
-s, --src Source folder
-o, --out Output folder
-d, --debug Debug build (optional)
-n, --no-init No init mode (optional)
-t, --trusty Build with Trusty OS backed security enhancement (optional)
example: ./scripts/examples/imxlinux_example.sh -s examples/chip-tool
-o out -dnt #will build examples/chip-tool to out/ folder with debug
build and skip init and use Trusty OS.
Change-Id: I3ac3b60395255b3bfe45fdf21184ba0b6c7ba265
Signed-off-by: Haoran.Wang <elven.wang@nxp.com>
Reviewed-on: http://androidsource.nxp.com/project/21564
Reviewed-by: Faqiang Zhu <faqiang.zhu@nxp.com>
Reviewed-on: http://androidsource.nxp.com/project/23009
Support the ELE (EdgeLock Enclave) backed persistent storage operation keystore. It's availble for i.MX 93 only. Change-Id: Id9e624040c57f80d9cc84511cf9a28c01084a60d Signed-off-by: Ji Luo <ji.luo@nxp.com> Reviewed-on: http://androidsource.nxp.com/project/22450 Reviewed-by: Elven Wang <elven.wang@nxp.com> Reviewed-on: http://androidsource.nxp.com/project/23010
Support device attestation based on EdgeLock Enclave(ELE). Attestation certifications and keys should be provisioned into device in advance. The official tool to provide signed content is not ready, so we disable the device attestation feature based on ELE first. It's currently only supported by i.MX 93 platform. Change-Id: I39c79efa17a99266113e2bf28204d0c23b81af1d Signed-off-by: Ji Luo <ji.luo@nxp.com> Reviewed-on: http://androidsource.nxp.com/project/23345 Reviewed-by: Elven Wang <elven.wang@nxp.com>
|
PR #38050: Size comparison from 52d8e11 to ab42e1f Full report (75 builds for bl602, bl702, bl702l, cc13x4_26x4, cc32xx, cyw30739, efr32, esp32, linux, nrfconnect, nxp, psoc6, qpg, stm32, telink, tizen)
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Compared to software-based security systems, the hardware-based security modules supported by the i.MX series chips offer faster performance and superior security capabilities.
The NXP i.MX8M chip support Trusty TEE, and the NXP i.MX93 chips support ELE (EdgeLock Enclave). This pull request provides the driver code for Trusty TEE and ELE.
And it implements a portion of hardware-based security APIs.
For more information about Trusty TEE and ELE, please refer the website listed below:
https://source.android.com/docs/security/features/trusty
https://www.nxp.com/design/design-center/training/TIP-EEE-ADVANCEMENTS-IN-INTEGRATED-SOC-SECURITY
Testing
Testing passed on i.MX8M and i.MX93 platforms.
Successfully pairing between chip-tool and chip-lighting-app.