Hwkey-app (hwkey-agent) not working on Xavier

The hwkey-agent is enabled by default (Welcome — Jetson Linux Developer Guide 34.1 documentation) and doesn’t seem to put any error messages into dmesg. However, when I run hwkey-app, with DEBUG enabled, I just get:

# ~/hwkey-app -e -i t0 -o t1 -t
tipc_connect: can't connect to tipc service "hwkey-agent.srv.crypto-srv" (err=107)

Can anyone suggest what the cause might be?

Edmund

hello edmund.grimley-evans,

May I know which JetPack release you’re working with?
Also, have you already enabled secureBoot and secureOS for testing TA/CA services?
Thanks

Thanks for replying!

I don’t think I know the JetPack release version because the
installation was done by a colleague, but I can quote the kernel
version: 4.9.140-l4t-r32.3.1+g47e7e1cb0b49

I haven’t enabled secureBoot and secureOS. I was hoping I could test
hwkey without doing that.

Is it necessary to blow real physical fuses in order to test the key
derivation code in hwkey?

Thanks,

Edmund

hello edmund.grimley-evans,

You’ll need to enable security features to make the TA/CA service work.
However, the hwkey-agent TA/CA should work without a fuse burned, just the same thing as the zero KEK2 key.
Please set up serial consoles for checking bootloader messages; you should find the messages below, which mean it’s working.
Thanks

NOTICE:  BL31: v1.3(release):tegra-l4t-r32.4.2
NOTICE:  BL31: Built : 16:24:39, May 28 2020
ipc-unittest-main: 1519: Welcome to IPC unittest!!!
ipc-unittest-main: 1531: waiting forever
ipc-unittest-srv: 329: Init unittest services!!!
hwkey-agent: 40: hwkey-agent is running!!
hwkey-agent: 182: key_mgnt_processing .......
hwkey-agent: 157: Init hweky-agent services!!

Thank you. That has got me a step further. I can now see an error message:

hwkey-agent: 153: ekb_verification: EKB_CMAC verification is not match.

If I ignore the failure from ekb_verification, by setting rc = NO_ERROR immediately after calling that function, then hwkey-app seems to work for encryption and decryption.

Edmund

I have the same error.
How do I enable the security feature?

Hi JerryChang,
I got the same error here, and I tried to printf the value of both 16 bytes in the comparison; they are different indeed.

Since my board is second-hand, I’m wondering if this is caused by a burned fuse?

Thanks,
Jacob

hi JacobLiu,

Please check the developer guide; see the Security chapter for the details.
You may also see the Tutorial page for the training video, Jetson Security and Secure Boot.

You may determine whether your device is fused or not by running odmfuseread.sh to read the fuse info from the target board. This tool is available via https://developer.nvidia.com/embedded/linux-tegra; please download SecureBoot Tools for reference.
Thanks