Please provide the following info (check/uncheck the boxes after creating this topic):

Software Version
- DRIVE OS Linux 5.2.6
- DRIVE OS Linux 5.2.6 and DriveWorks 4.0
- DRIVE OS Linux 5.2.0
- DRIVE OS Linux 5.2.0 and DriveWorks 3.5
- NVIDIA DRIVE™ Software 10.0 (Linux)
- NVIDIA DRIVE™ Software 9.0 (Linux)
- DRIVE OS Linux 6.0.6
- other DRIVE OS version
- other

Target Operating System
- Linux
- QNX
- other

Hardware Platform
- NVIDIA DRIVE™ AGX Xavier DevKit (E3550)
- NVIDIA DRIVE™ AGX Pegasus DevKit (E3550)
- other

SDK Manager Version
- 1.9.1.10844
- other

Host Machine Version
- native Ubuntu 18.04
- other
I am working on the DRIVE AGX Orin with the official SDK sources, and we need to add a Trusted Execution Environment (TEE) to it. According to the NVIDIA DRIVE OS Linux SDK Developer Guide (PR-10720-6.0_v6.0.9), I read about the PKCS#11 API to perform this task.
Following the README instructions, I successfully compiled and tested the example on a DRIVE AGX Orin running Linux. However, I encountered an error with the C_GetTokenInfo function in the pkcs11_init function while getting the token info:
Error:

```
TOKEN STATUS:
CKF_NVIDIA_SECURE_STORAGE_NOT_PROVISIONED
```
Investigating the error, I found that the token model being compared is NVPKCS11_CCPLEX_DYNAMIC_2_MODEL_NAME, which utilizes CCPLEX hardware as mentioned here. The documentation states that:
- To use a CCPLEX token, your application must also have access permission to all three GP-SE channels, by adding nvvse/Engines:0-2 custom abilities.
- For an application using a CCPLEX token to also have access to the TZ-SE (QNX only) cryptographic hardware, you add nvvse/Engines:3-5 custom abilities.
I noticed that the QNX section of the example code is the only one that specifies which GID is used (this adds custom abilities to the example, such as nvtzvault/crypto_ability and nvvse/Engines:0-2):

Code:

```c
#ifdef QNX /* TZ-SE and CKM_SHA256_HMAC not supported on Linux */
static CK_RV pkcs11_open_session_with_channel(CK_SESSION_HANDLE_PTR phSession, CK_SLOT_ID ccplex_slot_id, CK_NVIDIA_CHANNEL_HANDLE_PTR phChannel)
{
    const CK_ULONG ulChannelIdSha = 7109U; /* This is the GID of device node /dev/nvvse/tzsha1 */
    /* ... rest of the function omitted in the original post ... */
```
The README also provides details on GID management for QNX but not for Linux:

README

QNX instructions:

GID 6004 is to allow the CCPLEX_DYNAMIC_2 token to be accessed. Other tokens will require different GIDs; these are listed in the PDK documentation.

The library will attempt to connect to all tokens when C_Initialize is called. You will see warnings about failing to connect to tokens that you do not have permission to use - these can be safely ignored.

...

Conclusion

To run the sample app as non-root on a safety build, using nvvse and the CCPLEX_DYNAMIC_2 token:

```sh
iolauncher -U 45040:2281,2282,2283,7109,3000,3780,3790,6004,40002,40006,45011,45037,45040,45057,45066,45071,45112 \
  -A nonroot,allow,able=nvvse/Engines:0-5 \
  -A nonroot,allow,able=nvtzvault/pkcs11ks_dynamic_token_2_ability \
  -A nonroot,allow,able=nvtzvault/crypto_ability \
  -A nonroot,allow,able=nvsys/system_info \
  -A nonroot,allow,able=Nvdvms/ClientCommGetState \
  ./pkcs11_reference_application
```

Linux Instructions:

To run the application, any command that uses pkcs11 needs to have tzvault privileges. This can be done by adding the user temporarily to the tzvault group via sudo as follows:

```sh
sudo -u -g tzvault ./pkcs11_reference_application
```
Based on this information, it appears that the example is intended to run on QNX and not Linux if the TrustZone Secure Environment (TZ-SE) is required. The code and documentation indicate that TZ-SE is not supported on Linux.
So, I am writing to confirm: is TZ-SE indeed not supported on Linux, or might I be missing an initial setup or configuration step? Additionally, do you know if there is a way to add GID custom abilities on Linux similar to the QNX README instructions?
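As an added example (this is not code from the NVIDIA README or the PKCS#11 reference application), the following POSIX shell script is a pre-flight check for the Linux half of the question above. On Linux there is no iolauncher ability list: whether a process can open a secure-engine device node is decided by the node's owning group and mode bits, so the counterpart of the QNX GID list is simply "is my user in the group that owns each node, and is the node readable and writable for me". The only device path mentioned on this page is /dev/nvvse/tzsha1 (from the comment in the sample code); any other node paths you pass in are assumptions to be adjusted for your target.

```shell
#!/bin/sh
# Added example, not part of the NVIDIA README or reference application.
# Pre-flight check for running a PKCS#11 client as a non-root user on Linux:
# report, for each device node, its owning group, whether the invoking user is
# a member of that group, and whether the node is actually readable/writable.
# Device node paths are assumptions; /dev/nvvse/tzsha1 is the only one named on
# the page, and your target may use different nodes.

# user_in_group GROUP: returns 0 if the invoking user's primary or
# supplementary groups (as reported by id -Gn) include GROUP.
user_in_group() {
    for g in $(id -Gn); do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# check_dev_access NODE...: prints one status line per node and returns 0 only
# if every node exists and is readable and writable by the invoking user.
# A missing node usually means the driver is not loaded or the path is wrong,
# which is a different problem from a group-membership problem.
check_dev_access() {
    rc=0
    for dev in "$@"; do
        if [ ! -e "$dev" ]; then
            echo "$dev: missing (driver not loaded or wrong path)"
            rc=1
            continue
        fi
        grp=$(stat -c '%G' "$dev")   # owning group; GNU stat, Linux only
        if user_in_group "$grp"; then ing=yes; else ing=no; fi
        # The kernel's access check is the mode bits, so test them directly
        # rather than inferring from group membership alone.
        if [ -r "$dev" ] && [ -w "$dev" ]; then rw=yes; else rw=no; rc=1; fi
        echo "$dev: group=$grp in_group=$ing rw=$rw"
    done
    return $rc
}

# Usage on the target (paths assumed):
#   sh devcheck.sh /dev/nvvse/tzsha1 <other device nodes>
if [ $# -gt 0 ]; then
    check_dev_access "$@" && echo "all listed nodes accessible"
fi
```

If a node reports in_group=no, the README's `sudo -g tzvault` form supplies the group for a single invocation; making the membership permanent with `usermod -aG tzvault <user>` only takes effect after the user logs in again, so the script is worth re-running in the new session. If a node reports in_group=yes but rw=no, the mode bits rather than the group are the blocker (for example a node that is group-readable but not group-writable), which no GID change will fix.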