Hi Robert,
On Wed, Aug 13, 2025 at 4:48 PM Robert Delien via OP-TEE op-tee@lists.trustedfirmware.org wrote:
Hi,
We would like to protect trusted application heap memory against cryogenic attacks. We think a good method to achieve this is by employing the Bus Encryption Engine hardware in our i.MX6UL. For testing, I currently configure the BEE in U-Boot, to encrypt the Op-Tee TA_RAM area (0x8e100000-8f9fffff), and make it available unencryptedly at 0x10000000-0x118fffff. TA_RAM_START is set to 0x10000000 and this seems to work, but I have a few questions:
- Does area TA_RAM_START:TA_RAM_SIZE hold all TA code, stack and heap?
Yes. However, on the latest releases, we've started to merge the physical memory areas reserved for OP-TEE core and TAs. So there's a risk that things may become a bit more complicated in upstream.
- Access privileges to 0x10000000-0x118fffff have been set to *Non-Secure
User none, Non-Secure Spvr none, Secure User RD + WR, Secure Spvr RD + WR*, but much to my surprise, *Non-Secure User none, Non-Secure Spvr none, Secure User none, Secure Spvr RD + WR* worked equally well.
Where do you set these access privileges?
I can provide a memory map if useful, but I'd rather not post that at forehand.
If this works well, achieves our goal and the performance penalty is acceptable, we will roll this into an Op-Tee driver.
Sounds interesting.
Cheers, Jens
With kind regards,
Robert.-- DISCLAIMER De informatie, verzonden in of met dit e-mailbericht, is vertrouwelijk en uitsluitend voor de geadresseerde(n) bestemd. Het gebruik van de informatie in dit bericht, de openbaarmaking, vermenigvuldiging, verspreiding en|of verstrekking daarvan aan derden is niet toegestaan. Gebruik van deze informatie door anderen dan geadresseerde(n) is strikt verboden. Aan deze informatie kunnen geen rechten worden ontleend. U wordt verzocht bij onjuiste adressering de afzender direct te informeren door het bericht te retourneren en het bericht uit uw computersysteem te verwijderen.