[EXT] i.MX95: EdgeLock Enclave secure storage

Pankaj Gupta pankaj.gupta at nxp.com
Tue Jun 30 05:06:42 PDT 2026


Hi Fabio,

Thank you for your kind words and for your interest in the upstream EdgeLock Enclave (ELE) work.

Regarding the specific areas you mentioned, please find my comments inline below.

Regards,
Pankaj Gupta
NXP Semiconductor

> -----Original Message-----
> From: Fabio Estevam <festevam at gmail.com>
> Sent: 13 June 2026 19:29
> To: Pankaj Gupta <pankaj.gupta at nxp.com>
> Cc: Schrempf Frieder <frieder.schrempf at kontron.de>; moderated
> list:ARM/FREESCALE IMX / MXC ARM ARCHITECTURE <linux-arm-
> kernel at lists.infradead.org>; open list:HARDWARE RANDOM NUMBER
> GENERATOR CORE <linux-crypto at vger.kernel.org>; Peng Fan
> <peng.fan at nxp.com>; Stefano Babic <sbabic at nabladev.com>; Frank Li
> <frank.li at nxp.com>
> Subject: [EXT] i.MX95: EdgeLock Enclave secure storage
> 
> Caution: This is an external email. Please take care when clicking links or
> opening attachments. When in doubt, report the message using the 'Report
> this email' button
> 
> 
> Hi Pankaj,
> 
> First of all, thank you for your work on upstreaming the EdgeLock Enclave (ELE)
> support. It is great to finally see the ELE framework landing upstream after a
> long development effort.
> 
> I am currently evaluating the state of i.MX95 secure-boot and storage-security
> support based on current linux-next, with the goal of understanding what can
> already be achieved using upstream software and what pieces are still under
> development.
> 
> From my review, it appears that the following infrastructure is already available
> upstream:
> 
> - ELE/V2X mailbox support for i.MX95.
The current upstream driver only supports i.MX8ULP. However, it establishes the foundation for ELE/V2X mailbox support on i.MX95.

> - OCOTP/ELE nvmem support for fuse access.
The upstream OCOTP/ELE nvmem support is independent of the recently accepted Secure Enclave driver for i.MX8ULP.

> - Secure-enclave bindings documenting the i.MX95 ELE HSM.
> 
> However, I could not find upstream support for several capabilities that would
> be useful for secure storage deployments on i.MX95, including:
> 
> - An ELE-backed trusted-key provider for the Linux trusted key framework.
Work in this area is currently ongoing. The intention is to provide an ELE-backed trusted key implementation that can integrate with the Linux trusted key framework.

> - Integration allowing Linux to use ELE as a key-sealing/ unsealing backend.
Support for using ELE as a backend for key sealing and unsealing is also under development and is planned to build on top of the trusted key support.

> - i.MX95-specific crypto acceleration exposed through the Linux crypto API for
> dm-crypt use cases.

ELE itself is not designed to act as a general-purpose cryptographic accelerator.
For dm-crypt use cases, the current direction is to perform the cryptographic operations through OP-TEE using Arm Cryptography Extensions (Arm-CE),
while ensuring that plaintext keys are only present in on-chip OCRAM and never leave the SoC.
Upstream discussions and corresponding RFC patches are expected once the related OP-TEE PTA support is available for review in OP-TEE OS.

> 
> Are you aware of any ongoing upstream or planned development activities in
> these areas, particularly for i.MX95?


The activities mentioned above are the primary ongoing efforts related to secure storage and key management on i.MX95.
As these developments progress, they will be proposed and discussed through the relevant upstream mailing lists.

> 
> Any information about the upstream roadmap, ongoing development, or
> expected direction for these features would be greatly appreciated.
> 
> Thanks again for your work and for any insights you can share.
> 
> Regards,
> 
> Fabio Estevam


More information about the linux-arm-kernel mailing list