TA Panic on boot

[kiwikissling]

I've been working with build 98186ef6 successfully. Today I pulled and built e7161ba and have since encountered a TA Panic on boot.

Am I missing something in the setup/build process?

[neilsh-msft]

The RPMB partition on the eMMC needs to be reset. Apply the following change, rebuild the OpTEE firmware and boot the board once with the new image. This should reset the RPMB partition and then the board can boot with the standard firmware.

In file /build/firmware/Common.mk change the following setting in OPTEE_FLAGS: from CFG_RPMB_RESET_FAT=n to CFG_RPMB_RESET_FAT=y

[kiwikissling]

@neilsh-msft, Thanks for your help here. I'm a relative noob at this stuff. My experience to-date has simply been pulling and building the imx-iotcore solution.

I found the CFG_RPMB_RESET_FAT setting and have changed it as suggested. I now have no idea how to build the firmware, having never done this previously. I installed GunWin32 Make, but I get loads of make errors when making ..\imx-iotcore\build\firmware\makefile. Is there a guide somewhere on building the firmware from a Windows machine? Is there another way to achieve the RPMB reset without me diving into firmware make-land?

[neilsh-msft]

Our documentation for building the firmware is published here. It has instructions and what tools are necessary for building the firmware.

[kiwikissling]

Oh wow. What a steep learning curve.

I installed Ubuntu, went through the firmware build guidance and I got as far as installing NXP's code signing tool. I then followed the the code signing tool's Release_Notes.txt ... but with no luck. Some problem with OpenSSL headers which I'm still looking for. This is turning out to be a big chunk of work just to clear that RPMB store! Will keep trying, but happy to receive any further guidance. Thanks.

[neilsh-msft]

Unless you're planning on implementing high assurance boot, you shouldn't need to worry about generating signed firmware using NXP's code signing tool. By default it should just use the default test certificates.

If you make the makefile change I mentioned above and follow the directions on the building arm firmware page: https://github.com/ms-iot/imx-iotcore/blob/public_preview/Documentation/build-firmware.md up to the "Deploying firmware to an SD card manually" section you should have a repo in a state that if you build the FFU file in Visual Studio, the resulting FFU should clear the RPMB partition on every boot. I keep a special SD card with the updated OpTEE that I use to reset RPMB partitions for people in my group who run into this issue.

[neilsh-msft]

Note: I'm going to be out of office for a week starting tomorrow, so I'll ask someone to keep an eye on this thread.

[kiwikissling]

Thanks for your help @neilsh-msft. This worked a treat, and I have saved the reset SD card as suggested