Optee secure storage for large files in jetson-agx-orin devkit

Robotics & Edge Computing Jetson & Embedded Systems Jetson AGX Orin
1

I am currently using jetson-agx-orin devkit(jetpack 6.2), and I am currently exploring optee secure storage with it.

I had initially flashed this board with optee image with all the default settings (without any change in conf.mk, platform_config.h etc). I wrote a TA to store .txt files in secure storage. I could store up to ~3 MB size files in the secure storage, and above this, I would get this error: TEE_ERROR_TARGET_DEAD (0xFFFF3024)

I realised it was mostly because of insufficient memory management variables(like virtual memory, page table caches etc…)

I made the below changes, and reflashed the jetson board:
In conf.mk (optee_build/Linux_for_Tegra/source/jetson-optee-srcs/optee/optee_os/core/arch/arm/plat-tegra/conf.mk)

  1. CFG_TZDRAM_SIZE ?= 0x40000000 # 1GB (The default value was ~64MB)
  2. CFG_CORE_HEAP_SIZE ?= 4194304 # 4MB (The default value was ~128KB)
  3. CFG_TEE_RAM_VA_SIZE ?= 0x8000000 # 128MB
  4. CFG_RESERVED_VASPACE_SIZE ?= (1024 * 1024 * 512) # 512MB

In platform_config.h (optee_build/Linux_for_Tegra/source/jetson-optee-srcs/optee/optee_os/core/arch/arm/plat-tegra/platform_config.h)

  1. # define MAX_XLAT_TABLES 64 (default was 8)

In pgt_cache.h (optee_build/Linux_for_Tegra/source/jetson-optee-srcs/optee/optee_os/core/include/mm/pgt_cache.h)
I changed the line 52 to
# define PGT_CACHE_SIZE ROUNDUP(CFG_NUM_THREADS * 64, PGT_NUM_PGT_PER_PAGE)
Default was CFG_NUM_THREADS * 2

After reflashing, I could store and delete up to 30 MB .bin/.txt files in the secure storage, using the same TA and CA code (with some modifications in STACK_SIZE AND DATA_SIZE in TA).

But later on, when I again tried to store files, in the mid-process of storing the file, the board would start rebooting. This started happening then even for small .txt files of size <1 MB as well. Why is this happening? What issue could it be? How do I go about debugging this?

5

If you haven’t seen it here’s docs on optee secure storage

and nvidia doc

Here’s one way to see what source files have “secure storage”.

cd Linux_for_Tegra/source/optee

grep “secure storage” --include=*.{c,h,mk,txt} -irHn -C 5 |sudo tee sstorage.txt

grep “secure” --include={.S,Makefile,.txt} -irHn |sudo tee secure.txt

6

hello iamdkg123,

may I know what’s the actual use-case.
the optee secure storage is not a place to store massive data.

instead, you could create a key in optee then store a key in the secure storage. after that, a CA can be created to ask optee to help encrypt the data then the CA stores the encrypted data to the RootFS.
EKB is created for this kind of cases. you may see-also developer guide, EKB: Encrypted Key Blob for reference.

here’re something wrong.
for instance,
CFG_TZDRAM_SIZE: this cannot be changed, it’s configured by MB1.
CFG_CORE_HEAP_SIZE: please check it’s the secure storage access failure even though this can be increased.
CFG_TEE_RAM_VA_SIZE: this is the virtual address range for the optee core. you should not revise this.
CFG_RESERVED_VASPACE_SIZE: it doesn’t need to be changed unless you make sure this is too small.
MAX_XLAT_TABLES: why you modify this, did you see a specific error logs for it?

7

Thank you for the answer. Things are much more clear to me now.

On an additional note, I have create a new topic: Precise Usage of OEM_K1 Fuse Key for TA Encryption on Jetson AGX Orin with OP-TEE

Could you please shed some light on it? Thank you!

8

okay, let’s moving to Topic 327600 for follow-up questions.

9

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.