Initialize OP-TEE with modified fixed vector

I have a question about how I can create my own FV for use with OP-TEE.

According to the example in the Tool for EKB generation about the fv_ekb_t234:

This is the fixed vector for deriving EKB root key from fuse.
It is expected user to replace the FV below with a user specific
FV, and code the exact same user specific FV into OP-TEE

It is the last part here I can’t seem to find any information on. I’m guessing I have to supply the FV to the hwkey-agent during build of OP-TEE somehow, but I have never build OP-TEE before and I don’t know where to start looking for changing out the FV.

Could someone please point me in the right direction?

Best regards,

Hi baard.krohg,

Are you using the devkit or custom board for AGX Orin?
What’s your Jetpack version in use?

Please refer to atf_and_optee_README.txt for details.

Hello Kevin!

For now I’m using a devkit, but I’ll eventually use a custom board. Does that change things? I’m using R35.4.1

The README is enough to get me started I think, but on the first read through I didn’t see anything about the FV?

A little update;

I was able to build optee and flash it to my devkit (I think). Because it won’t boot. I’m getting a kernel panic because it can’t decrypt the drive, which is (I’m guessing) because optee didn’t encode the correct FV when it was built.

Bootlog captured from minicom:
bootlog.txt (87.9 KB)

Since I didn’t know any better I just generated the ekb with a random FV, and hoped the hwkey-agent would pick up the fv_ekb_t234 file and incorporate it somehow when I built the system. I replaced the tos-optee_t234.img file in the BSP with the generated tos.img file as per the instructions in the readme. I then flashed the devkit, (btw, I had to re-install python3-cryptography after having uninstalled it to be able to compile optee) and the result is the boot-log above.

I haven’t really looked through the flash-log because I don’t know what to look for there (if anything)
flash_1-5_0_20230823-153030.log (39.5 KB)

For reference, the flash commands I’m using are below, and work if I only use the standard FV:

sudo ./
sudo ./tools/ -u $USERNAME -p $PASSWORD --accept-license

sudo systemctl stop udisks2.service

sudo ./tools/kernel_flash/ \
     --showlogs --no-flash \
     -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" \
     --network usb0 \
     jetson-agx-orin-devkit internal

sudo ROOTFS_ENC=1 ./tools/kernel_flash/ \
     --showlogs --no-flash --external-only --append \
     --external-device nvme0n1p1 \
     --network usb0 \
     -i ./sym2_t234.key \
     -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml \
     jetson-agx-orin-devkit external

sudo ./tools/kernel_flash/ --showlogs --network usb0 --flash-only

So, my question remains- how do I properly supply the FV to optee when building it?
Or do I also have to “preemptively” copy the files from .../optee/install/t234/... to the system by copying them into the Linux_for_Tegra/rootfs/...?

I think I found it-
When changing out the FV as you generate an ekb, you also have to change out the

static unit8_t fv_for_ekb[] = {...}

in optee/optee_os/core/pta/tegra/jetson_user_key_pta.c, and compile it according to the readme instructions mentioned earlier.

I also copied the resulting install files to the Linux_for_Tegra/rootfs before flashing, but I’m not sure whether or not this was necessary.

1 Like

hello baard.krohg,

please access to jetson-linux-r3541 to download the [Driver Package (BSP) Sources].
as you can see… there’s t234 example to generate EKS image, it’s using a test key as FV key by default.
for example, $public_sources/r35.4.1/Linux_for_Tegra/source/public/atf_and_optee/optee/samples/hwkey-agent/host/tool/gen_ekb/
you may refer to KDF of Fuse Keys section to replace that key with generated fixed vector (FV), or the user-defined key by running the openssl tool from the command line.
you may running to create a new EKS image, and flashing to the target.
as you mentioned, please update the keys within fv_for_ekb to match the ‘fv’ vector used for EKB binary.

please see-also Topic 246326. thanks


This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.