How can I disable OP-TEE on Nvidia Jetson Xavier NX?

My Nvidia Jetson Xavier NX is flashed with Jetson Linux 35.1, which comes with OP-TEE.

I have two questions with respect to OP-TEE:

  1. How can I find out what physical address range has been reserved for OP-TEE?
  2. How can I completely disable OP-TEE so there is no physical address range reserved for OP-TEE?

hello ptrk1,

please refer to developer guide about OP-TEE.
as you can see in flash configuration file, it’s secure-os partition reserved for OP-TEE.
unfortunately, we don’t test the use-case by disabling OP-TEE.

Hi Jerry, thanks for getting back to me. Please excuse my naivety but do you mind highlighting which flash configuration file you’re referring to? Thanks in advance.

hello ptrk1,

assume you install the release image with SDKManger,
you’ll see the cfg file within the default installation path.
for example, ~/nvidia/nvidia_sdk/JetPack_5.0.2_Linux_JETSON_AGX_XAVIER_TARGETS/Linux_for_Tegra/bootloader/t186ref/cfg/flash_t194_uefi_spi_sd_p3668.xml

Hi Jerry, thank you for pointing that out! I’ve found the file and the relevant secure-os section you were referring to as shown below:

<partition_layout version="01.00.0000">
...
        <partition name="secure-os" type="data" oem_sign="true">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> 2621440 </size>
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 8 </allocation_attribute>
            <percent_reserved> 0 </percent_reserved>
            <filename> TOSFILE </filename>
            <description> **Required.** Slot A; contains the trusted OS. </description>
         </partition>
       ...
</partition_layout>

As I understand from looking at this file, this config file determines how the SDKManager flashes/partitions the SD card or eMMC on the Xavier. Is this correct?

My follow-up question is, if I wish to disable OP-TEE (despite knowing it is untested), do I simply remove the above secure-os partition from the config file and try flashing the device via SDKManager?

If it is not possible to disable OP-TEE, how do I go about finding out the physical memory address range that is reserved for OP-TEE once the system is booted? I tried a few different strategies of finding this information such as taking a look through the source code of the bootloader, which I believe is here; however, I wasn’t able to find the answer to my question.

My ultimate objective is to either turn off OP-TEE or if that is not possible, avoid interacting with the memory region reserved for OP-TEE (which requires me to find out the physical memory address that has been reserved for OP-TEE).

hello ptrk1,

that’s correct. this xml file list all the partition flash to the target. you may try removing the above secure-os partition from the config file, but you’ll need to perform flash.sh for image flashing manually.

may I know which l4t release version you’re working with.
this is source of UEFI, and it’s supported start with l4t-35.x release.

Thank you for confirming, I will try to flash the device manually after removing the secure-os partition from the config file and I will report back if I encounter any issues. Also, I’m using Jetson_Linux_R35.1.

hello ptrk1,

you may use mon-only image to disable OP-TEE.
here show the steps for reference.

  1. please modify p3668.conf.common flash configuration file, TOSFILE="bootloader/tos-mon-only_t194.img";
  2. please enter the $OUT/Linux_For_Tegra/bootloader folder, please also setting soft links for the binary file, $ ln -sf tos-mon-only_t194.img tos_t194.img
  3. perform a full flash. $ sudo ./flash.sh jetson-xavier-nx-devkit-emmc mmcblk0p1

Hi Jerry, thank you for the detailed instructions. Once I’ve finished flashing the device, what would be the easiest way to confirm that OP-TEE is indeed turned off? Is there some variable in the UEFI bootloader that I can check to confirm that OP-TEE has been turned off?