TF-A (ARM Trusted Firmware) Architecture Validation for i.MX93 Systems

[ajlennon]

Issue Description

Similar to the OP-TEE concerns in issue #1, the TF-A signature verification test (boot_006) needs architectural validation to ensure we're correctly assessing secure world implementation on i.MX93 systems.

Current Behavior

The test currently:

1. ✅ PASSES by detecting ELE as an alternative to TF-A
2. Reports: "i.MX93 EdgeLock Enclave provides secure world functionality (alternative to TF-A)"
3. Previously showed: "PSCI/SMC calls detected but TF-A not clearly identified"

Architectural Questions

1. TF-A vs ELE: Does i.MX93 use traditional ARM Trusted Firmware-A or is this completely replaced by EdgeLock Enclave?
2. Secure Monitor: What provides EL3 secure monitor functionality on i.MX93?
3. PSCI Implementation: The system shows PSCI/SMC calls - what secure firmware handles these?
4. Boot Flow: What is the actual secure boot flow from hardware root of trust through secure world setup?

Investigation Required

1. Boot Flow Analysis

• Trace the complete boot sequence from hardware reset
• Identify what runs at EL3 (secure monitor level)
• Verify if TF-A BL31 is present or if ELE firmware handles EL3
• Check for any ARM Trusted Firmware components

2. Secure World Architecture

• Document the complete secure world implementation
• Verify EL3/EL1 secure world boundaries
• Check if ELE provides all TF-A functionality or complements it
• Analyze secure service interfaces

3. PSCI/SMC Analysis

• Investigate what handles PSCI calls (Power State Coordination Interface)
• Check SMC (Secure Monitor Call) routing
• Verify secure world entry points and services

Technical Investigation

Current Detection Logic

// Traditional TF-A detection
if tfa_check.stdout.contains("TF-A") || tfa_check.stdout.contains("BL31") || tfa_check.stdout.contains("Trusted Firmware") {
    // ... signature verification
}
// i.MX93 may use ELE for secure world instead of traditional TF-A
else if !ele_secure_world.stdout.is_empty() && ele_secure_world.stdout.contains("fsl-ele-mu") {
    Ok((TestStatus::Passed, "i.MX93 EdgeLock Enclave provides secure world functionality (alternative to TF-A)".to_string(), Some(details.join("\n"))))
}

Commands to Run

# Check for TF-A/BL31 in boot log
dmesg | grep -i 'tf-a\|trusted.*firmware\|bl31'

# Check for PSCI/SMC calls
dmesg | grep -i 'smc\|psci\|arm.*smc'

# Check for ELE secure world
dmesg | grep -i 'fsl-ele-mu\|ele.*secure'

# Check for secure world services
cat /proc/cpuinfo | grep -i 'secure\|monitor'

Expected Outcomes

1. Architecture Clarity: Clear understanding of i.MX93 secure world architecture
2. Proper Testing: Accurate validation of secure monitor implementation
3. Documentation: Clear mapping of ELE vs TF-A functionality
4. Security Assurance: Confirmation that secure world is properly implemented

References

• NXP i.MX93 Reference Manual - Security Architecture section
• ARM Trusted Firmware documentation
• EdgeLock Enclave documentation
• Foundries.io LMP secure boot documentation

Related Issues

• OP-TEE Implementation Analysis Required for i.MX93 Systems #1 - OP-TEE Implementation Analysis
• Boot security test suite validation
• Secure world architecture documentation

Priority

Medium - The system appears secure through ELE, but we need architectural clarity to ensure our testing accurately reflects the security implementation.