Initialize OP-TEE with modified fixed vector

baard.krohg · August 22, 2023, 12:14pm

I have a question about how I can create my own FV for use with OP-TEE.

According to the example in the Tool for EKB generation about the fv_ekb_t234:

This is the fixed vector for deriving EKB root key from fuse.
It is expected user to replace the FV below with a user specific
FV, and code the exact same user specific FV into OP-TEE

It is the last part here I can’t seem to find any information on. I’m guessing I have to supply the FV to the hwkey-agent during build of OP-TEE somehow, but I have never build OP-TEE before and I don’t know where to start looking for changing out the FV.

Could someone please point me in the right direction?

Best regards,
Baard

KevinFFF · August 23, 2023, 6:34am

Hi baard.krohg,

Are you using the devkit or custom board for AGX Orin?
What’s your Jetpack version in use?

Please refer to atf_and_optee_README.txt for details.

baard.krohg · August 23, 2023, 7:06am

Hello Kevin!

For now I’m using a devkit, but I’ll eventually use a custom board. Does that change things? I’m using R35.4.1

The README is enough to get me started I think, but on the first read through I didn’t see anything about the FV?

baard.krohg · August 23, 2023, 1:50pm

A little update;

I was able to build optee and flash it to my devkit (I think). Because it won’t boot. I’m getting a kernel panic because it can’t decrypt the drive, which is (I’m guessing) because optee didn’t encode the correct FV when it was built.

Bootlog captured from minicom:
bootlog.txt (87.9 KB)

Since I didn’t know any better I just generated the ekb with a random FV, and hoped the hwkey-agent would pick up the fv_ekb_t234 file and incorporate it somehow when I built the system. I replaced the tos-optee_t234.img file in the BSP with the generated tos.img file as per the instructions in the readme. I then flashed the devkit, (btw, I had to re-install python3-cryptography after having uninstalled it to be able to compile optee) and the result is the boot-log above.

I haven’t really looked through the flash-log because I don’t know what to look for there (if anything)
flash_1-5_0_20230823-153030.log (39.5 KB)

For reference, the flash commands I’m using are below, and work if I only use the standard FV:

sudo ./apply_binaries.sh
sudo ./tools/l4t_create_default_user.sh -u $USERNAME -p $PASSWORD --accept-license

sudo systemctl stop udisks2.service

sudo ./tools/kernel_flash/l4t_initrd_flash.sh \
     --showlogs --no-flash \
     -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" \
     --network usb0 \
     jetson-agx-orin-devkit internal

sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh \
     --showlogs --no-flash --external-only --append \
     --external-device nvme0n1p1 \
     --network usb0 \
     -i ./sym2_t234.key \
     -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml \
     jetson-agx-orin-devkit external

sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only

Edit:
So, my question remains- how do I properly supply the FV to optee when building it?
Or do I also have to “preemptively” copy the files from .../optee/install/t234/... to the system by copying them into the Linux_for_Tegra/rootfs/...?

baard.krohg · August 24, 2023, 8:13am

I think I found it-
When changing out the FV as you generate an ekb, you also have to change out the

static unit8_t fv_for_ekb[] = {...}

in optee/optee_os/core/pta/tegra/jetson_user_key_pta.c, and compile it according to the readme instructions mentioned earlier.

I also copied the resulting install files to the Linux_for_Tegra/rootfs before flashing, but I’m not sure whether or not this was necessary.

JerryChang · August 24, 2023, 8:17am

hello baard.krohg,

please access to jetson-linux-r3541 to download the [Driver Package (BSP) Sources].
as you can see… there’s t234 example to generate EKS image, it’s using a test key as FV key by default.
for example, $public_sources/r35.4.1/Linux_for_Tegra/source/public/atf_and_optee/optee/samples/hwkey-agent/host/tool/gen_ekb/example.sh.
you may refer to KDF of Fuse Keys section to replace that key with generated fixed vector (FV), or the user-defined key by running the openssl tool from the command line.
then,
you may running gen_ekb.py to create a new EKS image, and flashing to the target.
besides,
as you mentioned, please update the keys within fv_for_ekb to match the ‘fv’ vector used for EKB binary.

please see-also Topic 246326. thanks

system · September 11, 2023, 8:19am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.