PKCS11 Sample returning CKF_NVIDIA_SECURE_STORAGE_NOT_PROVISIONED error

I am working on the DRIVE AGX Orin with the official SDK sources, and we need to add a Trusted Execution Environment (TEE) to it. According to the NVIDIA DRIVE OS Linux SDK Developer Guide (PR-10720-6.0 _v6.0.9), I read about the PKCS#11 API to perform this task.

Following the README instructions, I successfully compiled and tested the example on a DRIVE AGX Orin running Linux. However, I encountered an error with the C_GetTokenInfo function in the pkcs11_init function while getting the token info:


Error:

TOKEN STATUS:
CKF_NVIDIA_SECURE_STORAGE_NOT_PROVISIONED


Investigating the error, I found that the token model being compared is NVPKCS11_CCPLEX_DYNAMIC_2_MODEL_NAME, which utilizes CCPLEX hardware as mentioned here. The documentation states that:

  • To use a CCPLEX token, your application must also have access permission to all three GP-SE channels, by adding nvvse/Engines:0-2 custom abilities.
  • For an application using a CCPLEX token to also have access to the TZ-SE (QNX only) cryptographic hardware, you add nvvse/Engines:3-5 custom abilities.

I noticed that the QNX section of the example code is the only one that specifies which GID is used (this adds custom abilities to the example, such as nvtzvault/crypto_ability nvvse/Engines:0-2):


Code:

#ifdef QNX /* TZ-SE and CKM_SHA256_HMAC not supported on Linux */
static CK_RV pkcs11_open_session_with_channel(CK_SESSION_HANDLE_PTR phSession, CK_SLOT_ID ccplex_slot_id, CK_NVIDIA_CHANNEL_HANDLE_PTR phChannel)
{
    const CK_ULONG ulChannelIdSha = 7109U; /* This is the GID of device node /dev/nvvse/tzsha1 */
    .
    .
    .


The README also provides details on GID management for QNX but not for Linux:


README

QNX instructions:

GID 6004 is to allow CCPLEX_DYNAMIC_2 token to be accessed. Other tokens will require different GIDs, these are listed in the PDK documentation.

The library will attempt to connect to all tokens when C_Initialize is called. You will see warnings about failing to connect to tokens that you do not have permission to use - these can be safely ignored.

.

.

.

  1. Conclusion

To run the sample app as non-root on a safety build, using nvvse and the CCPLEX_DYNAMIC_2 token:

iolauncher -U 45040:2281,2282,2283,7109,3000,3780,3790,6004,40002,40006,45011,45037,45040,45057,45066,45071,45112 \
    -A nonroot,allow,able=nvvse/Engines:0-5 \
    -A nonroot,allow,able=nvtzvault/pkcs11ks_dynamic_token_2_ability \
    -A nonroot,allow,able=nvtzvault/crypto_ability \
    -A nonroot,allow,able=nvsys/system_info \
    -A nonroot,allow,able=Nvdvms/ClientCommGetState \
    ./pkcs11_reference_application

Linux Instructions:

To run the application, any command that uses pkcs11 needs to have tzvault privileges.

This can be done by adding the user temporarily to the tzvault group via sudo as follows:

sudo -u <user> -g tzvault ./pkcs11_reference_application


Based on this information, it appears that the example is intended to run on QNX and not Linux if the TrustZone Secure Environment (TZ-SE) is required. The code and documentation indicate that TZ-SE is not supported on Linux.

So, I am writing to confirm whether TZ-SE is indeed not supported on Linux, or if I might be missing an initial setup or configuration? Additionally, do you know if there is a way to add GID custom abilities on Linux similar to the QNX README instructions?

Yes.

Please use DRIVE AGX Orin General - NVIDIA Developer Forums to post topics related to DRIVE AGX Orin. Also, consider upgrading to the latest release (DRIVE 6.0.8.1) to get the latest software.

Hi,

Just to clarify, is TZ-SE only supported on QNX?

I may not have mentioned it earlier, but I am working with a DRIVE AGX Orin.

Thank you!

Yes. It is not supported on Linux.
