Hi considering that I have ARMv8 SoC with TrustZone support is it possible to somehow configure it so that let’s say two partitions from my eMMC are accessible only from Secure World using eg. OPTEE? For example the partitions with my FIP binaries (fip_a, fip_b)?
Anything is possible but you have to write the code for it.
Does optee have a secure mode driver for the emmc? If not then you will need to get typing
You’ll also need the scmi interface in the kernel too
I doubt this is possible as eMMC either goes through Linux or fully through OPTEE (if that’s even possible). It’s not an interface that can be compartmentalized.
But maybe if you elaborate on your use case we can suggest alternative approaches.
Thanks, where do these things are usually implemented? In OPTEE, TFA? For example I was looking at PSA Firmware Update specification and this document outlines the firmware update process where one of the components is Secure Firmware Store. I was trying to find out what does actually mean but it extremely difficult to find anything practical (in terms of implementation) rather than specification.
Sure, so basically I’m looking at the https://trustedfirmware-a.readthedocs.io/en/latest/components/firmware-update.html#psa-firmware-update-psa-fwu
I haven’t browsed all the documentation yet, however I’m wondering if the update process should be performed in secure world, shouldn’t the access to firmware storage be restricted only for secure world? Assuming that on eMMC I have the fip-a fip-b partitions for my FIP images, I can just simply override it from linux and destroy them. However I just mentioned in the other post that I have found https://trusted-services.readthedocs.io/en/latest/services/fwu/index.html and will check it, perhaps the answer to my question is somewhere there. BTW optee iteself does not have any eMMC drivers, it utilizes drivers in REE, namely Linux drivers.