* TZASC misconfiguration on i.mx8m
From: Richard Weinberger @ 2026-06-04 17:24 UTC
To: u-boot; +Cc: alice.guo, peng.fan, upstream+uboot
Hello!
FYI, in arch/arm/mach-imx/imx8m/soc.c enable_tzc380() U-Boot configures
region0 to allow secure and non-secure world access.
This is known to be problematic and allows circumventing the TrustZone due to
memory aliasing[0][1].
It causes also recent OP-TEE to panic at startup:
E/TC:0 0 Panic 'region0 is not secure configured, non-secure memory alias access possible!' at core/arch/arm/plat-imx/tzc380.c:217 <imx_configure_tzasc>
This is not a theoretical issue.
On my i.mx8mm evk Board I was able to exploit this and dump all OP-TEE memory from Linux.
Thanks,
//richard
[0] https://github.com/ARM-software/arm-trusted-firmware/commit/9bf148071aad597e7fe7d1080c00aeb35b67a3dd
[1] https://github.com/OP-TEE/optee_os/commit/443c5817de47f1bd19091b419806898070382a67
--
sigma star gmbh | Eduard-Bodem-Gasse 6, 6020 Innsbruck, AUT UID/VAT Nr:
ATU 66964118 | FN: 374287y
* Re: TZASC misconfiguration on i.mx8m
From: Richard Weinberger @ 2026-06-05 14:52 UTC
To: u-boot; +Cc: alice.guo, peng.fan, upstream+uboot, ye.li
CC'ing Ye Li.
On Thursday, 4 June 2026 19:24 Richard Weinberger wrote:
> Hello!
>
> FYI, in arch/arm/mach-imx/imx8m/soc.c enable_tzc380() U-Boot configures
> region0 to allow secure and non-secure world access.
> This is known to be problematic and allows circumventing the TrustZone due to
> memory aliasing[0][1].
>
> It causes also recent OP-TEE to panic at startup:
> E/TC:0 0 Panic 'region0 is not secure configured, non-secure memory alias access possible!' at core/arch/arm/plat-imx/tzc380.c:217 <imx_configure_tzasc>
>
> This is not a theoretical issue.
> On my i.mx8mm evk Board I was able to exploit this and dump all OP-TEE memory from Linux.
I suggest reverting commit b3cf0a8f03d162e030cde1131751d060853e16fc
Author: Ye Li <ye.li@nxp.com>
Date: Tue Aug 27 06:25:34 2019 +0000
imx8m: Configure trustzone region 0 for non-secure access
Set trustzone region 0 to allow both non-secure and secure access
when trust zone is enabled. We found USB controller fails to access
DDR if the default region 0 is secure access only.
Signed-off-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Thanks,
//richard
--
sigma star gmbh | Eduard-Bodem-Gasse 6, 6020 Innsbruck, AUT UID/VAT Nr:
ATU 66964118 | FN: 374287y
* Re: TZASC misconfiguration on i.mx8m
From: Ye Li @ 2026-06-08 1:42 UTC
To: Richard Weinberger, u-boot; +Cc: alice.guo, peng.fan, upstream+uboot, ye.li
Hi Richard,
On 6/5/2026 10:52 PM, Richard Weinberger wrote:
> CC'ing Ye Li.
>
> On Thursday, 4 June 2026 19:24 Richard Weinberger wrote:
>> Hello!
>>
>> FYI, in arch/arm/mach-imx/imx8m/soc.c enable_tzc380() U-Boot configures
>> region0 to allow secure and non-secure world access.
>> This is known to be problematic and allows circumventing the TrustZone due to
>> memory aliasing[0][1].
>>
>> It causes also recent OP-TEE to panic at startup:
>> E/TC:0 0 Panic 'region0 is not secure configured, non-secure memory alias access possible!' at core/arch/arm/plat-imx/tzc380.c:217 <imx_configure_tzasc>
>>
>> This is not a theoretical issue.
>> On my i.mx8mm evk Board I was able to exploit this and dump all OP-TEE memory from Linux.
>
> I suggest reverting commit b3cf0a8f03d162e030cde1131751d060853e16fc
> Author: Ye Li <ye.li@nxp.com>
> Date: Tue Aug 27 06:25:34 2019 +0000
>
> imx8m: Configure trustzone region 0 for non-secure access
>
> Set trustzone region 0 to allow both non-secure and secure access
> when trust zone is enabled. We found USB controller fails to access
> DDR if the default region 0 is secure access only.
>
> Signed-off-by: Ye Li <ye.li@nxp.com>
> Signed-off-by: Peng Fan <peng.fan@nxp.com>
>
> Thanks,
> //richard
We have discussed this with iMX optee owner. The fix should be done in
OPTEE not u-boot.
1. OPTEE uses secure memory, so it needs to re-configure trustzone to
meet secure requirement not depending on SPL setting.
2. SPL also supports Non-optee case.
Best regards,
Ye Li
* Re: TZASC misconfiguration on i.mx8m
From: Richard Weinberger @ 2026-06-08 3:07 UTC
To: Ye Li; +Cc: U-Boot Mailing List, alice.guo, peng.fan, upstream+uboot, ye.li
Ye Li <ye.li@oss.nxp.com> wrote on Mon, 8 June 2026, 03:43:
> Hi Richard,
>
> On 6/5/2026 10:52 PM, Richard Weinberger wrote:
> > CC'ing Ye Li.
> >
> > On Thursday, 4 June 2026 19:24 Richard Weinberger wrote:
> >> Hello!
> >>
> >> FYI, in arch/arm/mach-imx/imx8m/soc.c enable_tzc380() U-Boot configures
> >> region0 to allow secure and non-secure world access.
> >> This is known to be problematic and allows circumventing the TrustZone due to
> >> memory aliasing[0][1].
> >>
> >> It causes also recent OP-TEE to panic at startup:
> >> E/TC:0 0 Panic 'region0 is not secure configured, non-secure memory alias access possible!' at core/arch/arm/plat-imx/tzc380.c:217 <imx_configure_tzasc>
> >>
> >> This is not a theoretical issue.
> >> On my i.mx8mm evk Board I was able to exploit this and dump all OP-TEE memory from Linux.
> >
> > I suggest reverting commit b3cf0a8f03d162e030cde1131751d060853e16fc
> > Author: Ye Li <ye.li@nxp.com>
> > Date: Tue Aug 27 06:25:34 2019 +0000
> >
> > imx8m: Configure trustzone region 0 for non-secure access
> >
> > Set trustzone region 0 to allow both non-secure and secure access
> > when trust zone is enabled. We found USB controller fails to access
> > DDR if the default region 0 is secure access only.
> >
> > Signed-off-by: Ye Li <ye.li@nxp.com>
> > Signed-off-by: Peng Fan <peng.fan@nxp.com>
> >
> > Thanks,
> > //richard
> We have discussed this with iMX optee owner. The fix should be done in
> OPTEE not u-boot.
> 1. OPTEE uses secure memory, so it needs to re-configure trustzone to
> meet secure requirement not depending on SPL setting.
> 2. SPL also supports Non-optee case.
>
> Best regards,
> Ye Li
>
Can you please point to this discussion?
Thanks,
//richard
* Re: TZASC misconfiguration on i.mx8m
From: Ye Li @ 2026-06-09 1:44 UTC
To: Richard Weinberger, sahil.malhotra
Cc: U-Boot Mailing List, alice.guo, peng.fan, upstream+uboot, ye.li
On 6/8/2026 11:07 AM, Richard Weinberger wrote:
> Ye Li <ye.li@oss.nxp.com> wrote on Mon, 8 June 2026, 03:43:
>
>> Hi Richard,
>>
>> On 6/5/2026 10:52 PM, Richard Weinberger wrote:
>>> CC'ing Ye Li.
>>>
>>> On Thursday, 4 June 2026 19:24 Richard Weinberger wrote:
>>>> Hello!
>>>>
>>>> FYI, in arch/arm/mach-imx/imx8m/soc.c enable_tzc380() U-Boot configures
>>>> region0 to allow secure and non-secure world access.
>>>> This is known to be problematic and allows circumventing the TrustZone due to
>>>> memory aliasing[0][1].
>>>>
>>>> It causes also recent OP-TEE to panic at startup:
>>>> E/TC:0 0 Panic 'region0 is not secure configured, non-secure memory alias access possible!' at core/arch/arm/plat-imx/tzc380.c:217 <imx_configure_tzasc>
>>>>
>>>> This is not a theoretical issue.
>>>> On my i.mx8mm evk Board I was able to exploit this and dump all OP-TEE memory from Linux.
>>>
>>> I suggest reverting commit b3cf0a8f03d162e030cde1131751d060853e16fc
>>> Author: Ye Li <ye.li@nxp.com>
>>> Date: Tue Aug 27 06:25:34 2019 +0000
>>>
>>> imx8m: Configure trustzone region 0 for non-secure access
>>>
>>> Set trustzone region 0 to allow both non-secure and secure access
>>> when trust zone is enabled. We found USB controller fails to access
>>> DDR if the default region 0 is secure access only.
>>>
>>> Signed-off-by: Ye Li <ye.li@nxp.com>
>>> Signed-off-by: Peng Fan <peng.fan@nxp.com>
>>>
>>> Thanks,
>>> //richard
>> We have discussed this with iMX optee owner. The fix should be done in
>> OPTEE not u-boot.
>> 1. OPTEE uses secure memory, so it needs to re-configure trustzone to
>> meet secure requirement not depending on SPL setting.
>> 2. SPL also supports Non-optee case.
>>
>> Best regards,
>> Ye Li
>
> Can you please point to this discussion?
It is our internal discussion not on community thread. I add Sahil to
comment for optee. And please notice, trustzone should be enabled before
DDR initialization. So it should be in SPL not optee. Optee can
reconfigure trustzone setting.
Best regards,
Ye Li
>
> Thanks,
> //richard
>
* Re: TZASC misconfiguration on i.mx8m
From: Richard Weinberger @ 2026-06-09 6:53 UTC
To: sahil.malhotra, Ye Li
Cc: U-Boot Mailing List, alice.guo, peng.fan, upstream+uboot, ye.li
Ye Li,
On Tuesday, 9 June 2026 03:44 Ye Li wrote:
> > We have discussed this with iMX optee owner. The fix should be done in
> > OPTEE not u-boot.
> > 1. OPTEE uses secure memory, so it needs to re-configure trustzone to
> > meet secure requirement not depending on SPL setting.
> > 2. SPL also supports Non-optee case.
> >
> > Best regards,
> > Ye Li
> >
> >
> > Can you please point to this discussion?
>
> It is our internal discussion not on community thread. I add Sahil to
> comment for optee. And please notice, trustzone should be enabled before
> DDR initialization. So it should be in SPL not optee. Optee can
> reconfigure trustzone setting.
But U-Boot right now harms the TZASC settings.
This is exactly why upstream OP-TEE has the following guard:
commit 443c5817de47f1bd19091b419806898070382a67
Author: Marco Felsch <m.felsch@pengutronix.de>
Date: Tue Jun 17 13:27:53 2025 +0200
drivers: imx: tzc380: add support to verify region0
There are platforms where memory aliasing can't be prevented, e.g. the
i.MX8M. If the previous running firmware configured region0, which
covers the whole AXI address space, to be accessible from secure and
non-secure world the OP-TEE core memory would be accessible via memory
aliasing.
To prevent such attacks we need to ensure that region0 is accessible
from the secure world only.
Reviewed-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
Upstream A-TF also used to misconfigure region0, this got fixed by:
https://github.com/ARM-software/arm-trusted-firmware/commit/9bf148071aad597e7fe7d1080c00aeb35b67a3dd
So, why is U-Boot working *against* upstream?
Instead of using the sledgehammer and enable normal world access to the whole
region0, apply a more precise fix to make these USB masters work.
I know, with downstream IMX OP-TEE it's less of a problem, because you carry this change:
commit c09d6e9da171f8c5ee42b42ff144b320761a5f16
Author: Sahil Malhotra <sahil.malhotra@nxp.com>
Date: Mon Aug 4 20:08:59 2025 +0200
LFOPTEE-468 core: plat-imx: tzc380: update TZASC configuration
In order to prevent Memory aliasing, need to ensure that region0
is accessible from secure world only.
Signed-off-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Thanks,
//richard
--
sigma star gmbh | Eduard-Bodem-Gasse 6, 6020 Innsbruck, AUT UID/VAT Nr:
ATU 66964118 | FN: 374287y
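
An added example, not part of the thread and not U-Boot or OP-TEE code: a small audit of a TZC-380 register dump for the condition the quoted commit message describes, region0 being reachable from the non-secure world. The field layout follows the Arm TZC-380 TRM rather than anything stated in the thread, and the struct, function names, addresses and dump values are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* region_attributes_<n> fields, per the Arm TZC-380 TRM (not from this thread). */
#define TZC_ATTR_EN      (1u << 0)
#define TZC_ATTR_SIZE(a) (((a) >> 1) & 0x3fu)   /* region is 2^(size+1) bytes */
#define TZC_ATTR_SP(a)   (((a) >> 28) & 0xfu)   /* security permissions */
#define TZC_SP_NS_W      (1u << 0)
#define TZC_SP_NS_R      (1u << 1)
#define TZC_SP_S_W       (1u << 2)
#define TZC_SP_S_R       (1u << 3)
#define TZC_SP_NS_ANY    (TZC_SP_NS_R | TZC_SP_NS_W)
#define TZC_SP_S_RW      (TZC_SP_S_R | TZC_SP_S_W)

enum tzc_finding { TZC_OK, TZC_REGION0_NS_ACCESS, TZC_REGION0_NO_SECURE_RW };

/* Hypothetical snapshot of one region's registers. */
struct tzc_region { uint32_t base_low; uint32_t attr; };

/* region0 is the background region covering the whole address space, so any
 * non-secure permission here exposes secure memory through aliased addresses. */
enum tzc_finding tzc380_check_region0(uint32_t attr)
{
    uint32_t sp = TZC_ATTR_SP(attr);

    if (sp & TZC_SP_NS_ANY)
        return TZC_REGION0_NS_ACCESS;
    if ((sp & TZC_SP_S_RW) != TZC_SP_S_RW)
        return TZC_REGION0_NO_SECURE_RW;
    return TZC_OK;
}

/* Size in bytes of a region 1..n; 0 stands for the full 64-bit space. */
uint64_t tzc380_region_size(uint32_t attr)
{
    unsigned int shift = TZC_ATTR_SIZE(attr) + 1;

    return shift >= 64 ? 0 : 1ull << shift;
}

/* Count enabled regions above region0 that grant non-secure access: these
 * are the explicit windows a secure-only region0 setup relies on. */
size_t tzc380_count_ns_windows(const struct tzc_region *r, size_t n)
{
    size_t count = 0;

    for (size_t i = 1; i < n; i++)
        if ((r[i].attr & TZC_ATTR_EN) && (TZC_ATTR_SP(r[i].attr) & TZC_SP_NS_ANY))
            count++;
    return count;
}

/* Constructed dump: region0 open to both worlds, a 1 GiB non-secure DDR
 * window, and a 32 MiB secure-only window (addresses are made up). */
static const struct tzc_region sample_dump[] = {
    { 0x00000000u, 0xf0000000u },
    { 0x40000000u, 0xf000003bu },
    { 0xbe000000u, 0xc0000031u },
};

int main(void)
{
    size_t n = sizeof(sample_dump) / sizeof(sample_dump[0]);

    printf("region0 finding: %d\n", tzc380_check_region0(sample_dump[0].attr));
    printf("explicit non-secure windows: %zu\n",
           tzc380_count_ns_windows(sample_dump, n));
    return 0;
}
```
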
* Re: TZASC misconfiguration on i.mx8m
From: Ye Li @ 2026-06-09 9:56 UTC
To: Richard Weinberger, sahil.malhotra
Cc: U-Boot Mailing List, alice.guo, peng.fan, upstream+uboot, ye.li
On 6/9/2026 2:53 PM, Richard Weinberger wrote:
> Ye Li,
>
> On Tuesday, 9 June 2026 03:44 Ye Li wrote:
>>> We have discussed this with iMX optee owner. The fix should be done in
>>> OPTEE not u-boot.
>>> 1. OPTEE uses secure memory, so it needs to re-configure trustzone to
>>> meet secure requirement not depending on SPL setting.
>>> 2. SPL also supports Non-optee case.
>>>
>>> Best regards,
>>> Ye Li
>>>
>>>
>>> Can you please point to this discussion?
>>
>> It is our internal discussion not on community thread. I add Sahil to
>> comment for optee. And please notice, trustzone should be enabled before
>> DDR initialization. So it should be in SPL not optee. Optee can
>> reconfigure trustzone setting.
>
> But U-Boot right now harms the TZASC settings.
>
> This is exactly why upstream OP-TEE has the following guard:
> commit 443c5817de47f1bd19091b419806898070382a67
> Author: Marco Felsch <m.felsch@pengutronix.de>
> Date: Tue Jun 17 13:27:53 2025 +0200
>
> drivers: imx: tzc380: add support to verify region0
>
> There are platforms where memory aliasing can't be prevented, e.g. the
> i.MX8M. If the previous running firmware configured region0, which
> covers the whole AXI address space, to be accessible from secure and
> non-secure world the OP-TEE core memory would be accessible via memory
> aliasing.
>
> To prevent such attacks we need to ensure that region0 is accessible
> from the secure world only.
>
> Reviewed-by: Sahil Malhotra <sahil.malhotra@nxp.com>
> Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
>
> Upstream A-TF also used to misconfigure region0, this got fixed by:
> https://github.com/ARM-software/arm-trusted-firmware/commit/9bf148071aad597e7fe7d1080c00aeb35b67a3dd
>
> So, why is U-Boot working *against* upstream?
> Instead of using the sledgehammer and enable normal world access to the whole
> region0, apply a more precise fix to make these USB masters work.
> I know, with downstream IMX OP-TEE it's less of a problem, because you carry this change:
>
> commit c09d6e9da171f8c5ee42b42ff144b320761a5f16
> Author: Sahil Malhotra <sahil.malhotra@nxp.com>
> Date: Mon Aug 4 20:08:59 2025 +0200
>
> LFOPTEE-468 core: plat-imx: tzc380: update TZASC configuration
>
> In order to prevent Memory aliasing, need to ensure that region0
> is accessible from secure world only.
>
> Signed-off-by: Sahil Malhotra <sahil.malhotra@nxp.com>
>
Why can't this optee patch apply to optee upstream? It is optee using
secure memory, then it should be optee's responsibility to configure
trustzone correctly. Optee can't depend on default value of trustzone,
since trustzone is not enabled by optee.
Best regards,
Ye Li
> Thanks,
> //richard
* Re: TZASC misconfiguration on i.mx8m
From: Richard Weinberger @ 2026-06-09 9:58 UTC
To: sahil.malhotra, Ye Li
Cc: U-Boot Mailing List, alice.guo, peng.fan, upstream+uboot, ye.li
On Tuesday, 9 June 2026 11:56 Ye Li wrote:
> Why can't this optee patch apply to optee upstream? It is optee using
> secure memory, then it should be optee's responsibility to configure
> trustzone correctly. Optee can't depend on default value of trustzone,
> since trustzone is not enabled by optee.
Sorry for the harsh words, but that's *your* job at NXP to sort out.
You seem to ignore upstream.
Thanks,
//richard
--
sigma star gmbh | Eduard-Bodem-Gasse 6, 6020 Innsbruck, AUT UID/VAT Nr:
ATU 66964118 | FN: 374287y
* Re: TZASC misconfiguration on i.mx8m
From: Ye Li @ 2026-06-09 10:12 UTC
To: Richard Weinberger, sahil.malhotra
Cc: U-Boot Mailing List, alice.guo, peng.fan, upstream+uboot, ye.li
On 6/9/2026 5:58 PM, Richard Weinberger wrote:
> On Tuesday, 9 June 2026 11:56 Ye Li wrote:
>> Why can't this optee patch apply to optee upstream? It is optee using
>> secure memory, then it should be optee's responsibility to configure
>> trustzone correctly. Optee can't depend on default value of trustzone,
>> since trustzone is not enabled by optee.
>
> Sorry for the harsh words, but that's *your* job at NXP to sort out.
> You seem to ignore upstream.
>
I'm not working in optee. As I mentioned earlier, NXP has decided to fix
it in optee. That's what you find the patch in NXP downstream tree. I
think Sahil will try to upstream it later.
Best regards,
Ye Li
> Thanks,
> //richard
>
* Re: TZASC misconfiguration on i.mx8m
From: Richard Weinberger @ 2026-06-09 10:15 UTC
To: sahil.malhotra, Ye Li
Cc: U-Boot Mailing List, alice.guo, peng.fan, upstream+uboot, ye.li
On Tuesday, 9 June 2026 12:12 Ye Li wrote:
> >> Why can't this optee patch apply to optee upstream? It is optee using
> >> secure memory, then it should be optee's responsibility to configure
> >> trustzone correctly. Optee can't depend on default value of trustzone,
> >> since trustzone is not enabled by optee.
> >
> > Sorry for the harsh words, but that's *your* job at NXP to sort out.
> > You seem to ignore upstream.
> >
> I'm not working in optee. As I mentioned earlier, NXP has decided to fix
> it in optee. That's what you find the patch in NXP downstream tree. I
> think Sahil will try to upstream it later.
Ok! :)
Maybe Sahil can shed light on the issue.
I find it kinda odd that NXP is only focusing on their tree despite the
upstream solution.
Thanks,
//richard
--
sigma star gmbh | Eduard-Bodem-Gasse 6, 6020 Innsbruck, AUT UID/VAT Nr:
ATU 66964118 | FN: 374287y
* RE: [EXT] Re: TZASC misconfiguration on i.mx8m
From: Sahil Malhotra @ 2026-06-10 7:21 UTC
To: Richard Weinberger, Sahil Malhotra, Ye Li (OSS)
Cc: U-Boot Mailing List, Alice Guo, Peng Fan,
upstream+uboot@sigma-star.at, Ye Li
Hi Richard,
A Pull request for marking region0 as secure in OP-TEE is raised here: https://github.com/OP-TEE/optee_os/pull/7838
Regards,
Sahil Malhotra
> -----Original Message-----
> From: Richard Weinberger <richard@sigma-star.at>
> Sent: 09 June 2026 15:46
> To: Sahil Malhotra <sahil.malhotra@nxp.com>; Ye Li (OSS)
> <ye.li@oss.nxp.com>
> Cc: U-Boot Mailing List <u-boot@lists.denx.de>; Alice Guo
> <alice.guo@nxp.com>; Peng Fan <peng.fan@nxp.com>;
> upstream+uboot@sigma-star.at; Ye Li <ye.li@nxp.com>
> Subject: [EXT] Re: TZASC misconfiguration on i.mx8m
>
>
> On Tuesday, 9 June 2026 12:12 Ye Li wrote:
> > >> Why can't this optee patch apply to optee upstream? It is optee
> > >> using secure memory, then it should be optee's responsibility to
> > >> configure trustzone correctly. Optee can't depend on default value
> > >> of trustzone, since trustzone is not enabled by optee.
> > >
> > > Sorry for the harsh words, but that's *your* job at NXP to sort out.
> > > You seem to ignore upstream.
> > >
> > I'm not working in optee. As I mentioned earlier, NXP has decided to fix
> > it in optee. That's what you find the patch in NXP downstream tree. I
> > think Sahil will try to upstream it later.
>
> Ok! :)
> Maybe Sahil can shed light on the issue.
> I find it kinda odd that NXP is only focusing on their tree despite the upstream
> solution.
>
> Thanks,
> //richard
>
> --
> sigma star gmbh | Eduard-Bodem-Gasse 6, 6020 Innsbruck, AUT UID/VAT Nr:
> ATU 66964118 | FN: 374287y
>
* Re: TZASC misconfiguration on i.mx8m
From: Fabio Estevam @ 2026-06-11 14:53 UTC
To: Ye Li
Cc: Richard Weinberger, u-boot, alice.guo, peng.fan, upstream+uboot,
ye.li
Hi Ye Li,
On Sun, Jun 7, 2026 at 10:53 PM Ye Li <ye.li@oss.nxp.com> wrote:
> We have discussed this with iMX optee owner. The fix should be done in
> OPTEE not u-boot.
> 1. OPTEE uses secure memory, so it needs to re-configure trustzone to
> meet secure requirement not depending on SPL setting.
> 2. SPL also supports Non-optee case.
Does NXP plan to fix this?
Thanks
* Re: TZASC misconfiguration on i.mx8m
From: Ye Li @ 2026-06-12 9:59 UTC
To: Fabio Estevam
Cc: Richard Weinberger, u-boot, alice.guo, peng.fan, upstream+uboot,
ye.li
Hi Fabio,
On 6/11/2026 10:53 PM, Fabio Estevam wrote:
> Hi Ye Li,
>
> On Sun, Jun 7, 2026 at 10:53 PM Ye Li <ye.li@oss.nxp.com> wrote:
>
>> We have discussed this with iMX optee owner. The fix should be done in
>> OPTEE not u-boot.
>> 1. OPTEE uses secure memory, so it needs to re-configure trustzone to
>> meet secure requirement not depending on SPL setting.
>> 2. SPL also supports Non-optee case.
>
> Does NXP plan to fix this?
>
> Thanks
Sahil has sent a patch to optee community. We are still discussing it. In
any case, this SPL patch can't be simply reverted, it will cause
regression to SW running in normal world.
Best regards,
Ye Li