How to use OpenSSL RSA in trusty?

I am trying to compile OpenSSL RSA for trusty, my reference code is app/sample/hwkey-agent.

OpenSSL AES algorithm was compiled and used in the official example hwkey-agent, now I want to use OpenSSL RSA algorithm but the compilation doesn’t work, I would like to know the official has there been any attempt to compile the RSA algorithm for use in trusty.

Any relevant experience or tutorials?

Does anyone know?

By viewing openssl.config file inside trusty/lib/lib/openssl folder, RSA should be enabled. You could try to add code to use opensll RSA API in the TA and see how it goes.

Thanks for your reply.

I meet so many problem when compile OpenSSL RSA for trusty.

My example TA service with openssl rsa part as follows:

RSA* create_rsa_from_mem_with_type(char* key, int pubtype) {
    RSA *rsa = NULL;
    BIO *bio = NULL;

    bio = BIO_new(BIO_s_mem());
    if(bio == NULL) {
        TLOGI("bio is NULL!\n");

    BIO_puts(bio, key);
    if (pubtype == 1) {
         rsa = PEM_read_bio_RSA_PUBKEY(bio, NULL, NULL, NULL);
    } else {
        rsa = PEM_read_bio_RSAPrivateKey(bio, NULL, NULL, NULL);
    if(rsa == NULL) {
        TLOGI("wrong again\n");
    return rsa;

int public_encrypt(unsigned char* data, int data_len, char* key, unsigned char* encrypted) {
    RSA* rsa = create_rsa_from_mem_with_type(key, 1);
    if (rsa != NULL) {
        int result = RSA_public_encrypt(data_len, data, encrypted, rsa, RSA_PKCS1_PADDING);
        return result;
    return 0;

int private_decrypt(unsigned char * enc_data,int data_len, char * key, unsigned char *decrypted)
    RSA * rsa = create_rsa_from_mem_with_type(key, 0);
    if (rsa != NULL ) {
        int result = RSA_private_decrypt(data_len, enc_data, decrypted, rsa, RSA_PKCS1_PADDING);
        return result;
    return 0;

But I got many problems when compile:

First I got “undefined reference to xxx” error, then I added related sources(openssl crypto/xx/xx.c) to the that can fix some problems. part as here:

common_src_files := \
crypto/evp/evp_key.c \
crypto/evp/encode.c \
crypto/evp/p5_crpt.c \
crypto/evp/p5_crpt2.c \
crypto/pkcs12/p12_crpt.c \
crypto/pkcs12/p12_p8d.c \
crypto/pkcs12/p12_decr.c \
crypto/pkcs12/p12_key.c \
crypto/asn1/p5_pbe.c \
crypto/asn1/p5_pbev2.c \
crypto/evp/m_md5.c \
crypto/md5/md5_dgst.c \
crypto/md5/md5_one.c \

I still had errors for “Undefined reference to EVP_md5”, I think I have added “crypto/evp/m_md5”, but not work. I want to know if I’m on the right track.

Other problem: When I add crypto/ui/ui_openssl.c, I encounter a mismatch of ‘ioctl parameters’, which should be related to the definition of ioctl in trusty.

Finaly, I was wondering if the official has tried to tune this code, can you provide a demo?

hello zjfsharp,

the RSA should be enabled.
may I know what’s toolchain you’re using for building Trusty sources?

TOS consists of 32-bit trusted applications (TAs) which run on top of a 64-bit kernel. therefore, both 32-bit and 64-bit toolchains are necessary.
could you please refer to Jetson Linux Driver Package Toolchain for getting aarch64 toolchain.
you may also access armhf (32-bit) toolchain, for example, arm-linux-gnueabihf.

we had confirmed we could build trusty sources,
please refer to below.

$ export CROSS_COMPILE_AARCH64=~/l4t-gcc/gcc-linaro-7.3.1-2018.05-x86_64_aarch64-linux-gnu/bin/aarch64-linux-gnu-  
$ export CROSS_COMPILE_ARM=~/l4t-gcc/gcc-linaro-7.3.1-2018.05-x86_64_arm-linux-gnueabihf/bin/arm-linux-gnueabihf- 
generating image: t194ref/build-t186/lk.bin
$ ls -la t194ref/build-t186/lk.bin
-rwxrwxr-x 1 jerry jerry 282632 Oct 29 14:38 t194ref/build-t186/lk.bin*

please also have confirmation,

Yes, I can build trusty sources like above. It’s OK.

But I want to support OpenSSL RSA in hwkey-agent sample, so I added some openssl rsa codes, I got errors. My solution as above description(reply to @CHuang1 ), But I still can’t fix problems.

Here is more update for your reference,
You are correct. The sample can not be compiled with the OpenSSL that had been configured with embedded settings.
As the downstream was upgraded the OpenSSL to 1.1.1g, the error message is different but still can’t be compiled with the APIs,

Here is a suggestion to get the RSA key,

  1. To generate RSA key pairs for DER format on the host and store that on the device. This can be done using custom EKB format and flash it on the partition.

  2. In the Tursty TA,

  3. RSA encryption of private key

1. Load the private key of DER format into memory
2. EVP_PKEY_new (create a key structure)
3. d2i_PrivateKey (setting up the private key from memory into the key structure)
4. EVP_PKEY_get1_RSA (get the RSA structure)
5. RSA_private_encrypt/decrypt (perform the RSA private key encryption)
  1. RSA encryption of public key
1. Load the public key of DER format into memory
2. EVP_PKEY_new (create a key structure)
3. d2i_PublicKey (setting up the public key from memory into the key structure)
4. EVP_PKEY_get1_RSA (get the RSA structure)
5. RSA_public_encrypt/decrypt (perform the RSA public key encryption)