Last edited 10 months ago

OP-TEE OTP overview

Applicable for STM32MP13x lines, STM32MP15x lines

This article gives information about the OTP framework in OP-TEE and the associated interfaces.

1. Framework purpose[edit source]

The two OP-TEE trusted applications (TA), STM32MP BSEC and STM32MP NVMEM, provide a generic interface for the device nonvolatile OTP (one-time programmable) fuses.

These two TAs offer interfaces to read and/or write OTP data and status at other TAs in a secure world and in nonsecure applications.

2. System overview[edit source]

  • OP-TEE BSEC PTA
#STM32MP BSEC PTANVMEM overviewOP-TEE BSEC PTA.png
  • OP-TEE NVMEM TA
#STM32MP NVMEM TA#STM32MP BSEC PTAOP-TEE NVMEM TA.png

2.1. Component description[edit source]

  • Nonsecure world (Linux):
    • NVMEM framework (kernel space) : The NVMEM framework in Linux® kernel provides a sysfs interface and an NVMEM API.
    • NVMEM drivers (kernel space): Provider drivers such as BSEC Linux® driver that exposes OTP data to the core.
    • TEE Core API Lib (User Space): Library called by the client application to access to the kernel space.
    • TEE framework (kernel space): The TEE framework provides TEE client API to communicate with secure services, as the services provided by the OP-TEE Linux® driver.
    • OP-TEE driver (Kernel Space): Generic driver that sends messages to the OP-TEE OS.

2.2. API description[edit source]

The OTP interface is provided by two trusted applications (TA) in OP-TEE, accessible from the normal world with the GlobalPlatform TEE Client API:

3. Configuration[edit source]

3.1. OP-TEE_OS configuration[edit source]

Activate STM32MP BSEC PTA in OP-TEE configuration core/arch/arm/plat-stm32mp1/conf.mk :

CFG_BSEC_PTA ?= y

Activate BSEC driver write support in OP-TEE configuration core/arch/arm/plat-stm32mp1/conf.mk :

CFG_STM32_BSEC_WRITE ?= y

In ecosystem release ≤ v4.1.0 , this configuration is activated on OP-TEE debug release with:

CFG_STM32_BSEC_WRITE ?= $(CFG_TEE_CORE_DEBUG)

Activate STM32MP NVMEM TA in OP-TEE configuration core/arch/arm/plat-stm32mp1/conf.mk :

CFG_TA_STM32MP_NVMEM ?= y
Warning white.png Warning
It is strongly recommended to deactivated the TA STM32MP NVMEM in final product.
Warning white.png Warning

For STM32MP15x lines More info.png, ecosystem release ≥ v5.0.0 More info.png :
The default configuration of OP-TEE disables secure services, leaving only system services such as PSCI and SCMI and STM32PRGFW-UTIL is the default tools for One-time Programmable (OTP) management.
In order to embed an OP-TEE firmware with the NVMEM TA services, to manage OTP with U-Boot, one shall build OP-TEE OS with Trusted Application support, that is :

  • Either restore only Trusted Applications support in OP-TEE, in which case NVMEM TA will run in DDR without memory hardware protection (OP-TEE DDR area is not encrypted in STM32MP15x lines More info.png):
    • Build OP-TEE with configuration switch CFG_WITH_USER_TA=y
  • Or restore all OP-TEE secure services, including Trusted Applications support, by configuring it to run in secure SYSRAM:
    • Build OP-TEE with configuration switch CFG_STM32MP1_OPTEE_IN_SYSRAM=y so that OP-TEE executes in secure SYSRAM;
    • Build TF-A with configuration switch STM32MP1_OPTEE_IN_SYSRAM=1 so that TF-A/BL2 loads OP-TEE in secure SYSRAM, unless what TF-A will fail to boot OP-TEE images.

Refer to OP-TEE OS configuration for STM32MP15x lines for more information.

3.2. Device tree configuration[edit source]

Detailed DT configuration for STM32 internal peripherals:

4. How to use the OP-TEE OTP interfaces[edit source]

The access to a trusted application (TA) is done with TEE client API architecture/globalplatform_api.html#tee-client-api.

4.1. STM32MP BSEC PTA[edit source]

The STM32MP BSEC PTA interface runs at TEE kernel level and provides access to OTP data and status: lock and error (core/pta/stm32mp/bsec_pta.c ).

This interface is used by trusted applications (TAs) in a secure environment to access all available OTP that are not masked by hardware.

See the example in the STM32MP NVMEM TA: ta/stm32mp_nvmem/ta_stm32mp_nvmem.c . This access is only allowed for an open device (checked during open session), but there is no access restriction for other trusted applications.

This interface is also used by nonsecure world BSEC driver to access an unsecured OTP:

Only the lower OTP words are by default accessible by the nonsecure world (TEE_LOGIN_REE_KERNEL). The software needs to manage exceptions to allow some upper OTPs to be accessed by the nonsecure world as described in BSEC_device_tree_configuration. When an OTP is not accessible, the returned value is 0x0.

4.2. STM32MP NVMEM TA[edit source]

The STM32MP NVMEM early TA interface runs in a secure user environment and allows accessing a secure nonvolatile memory (NVMEM), by exchanging buffer with provisioning application and with STM32CubeProgrammer tools (ta/stm32mp_nvmem/ta_stm32mp_nvmem.c ).

Warning white.png Warning
Session to the STM32MP NVMEM TA failed on closed device, because open session to STM32MP BSEC PTA is refused.

See example in U-Boot: arch/arm/mach-stm32mp/cmd_stm32prog/stm32prog.c .

Warning white.png Warning
This interface is a potential security breach. It should be used only during development phases or for a provisioning software. It is recommended to deactivate this TA in a final product.

5. References[edit source]

Please refer to the following links for additional information: