Please put back the '-fv' option in gen_ekb.py

The fixed vector used to create the EKB needs to match what is included in the OP-TEE source (jetson_user_key_pta.c). The last few releases of L4T have been making changes as to how the fixed vector is specified. Originally, it was provided as a command-line option, but in L4T 36.3 it was hard-coded to a value (with the command-line option taken away), and then in the latest release, L4T 36.4.3, it was randomized (also with no option). Please put the command-line option back so we can use the standard tooling straight from the release without any modifications required. I utilize a controlled-access signing server to create and sign artifacts where private keys are involved. The signing server is containerized and in part constructed from tooling from the L4T releases, so it is helpful if it can be utilized as-is without having to make modifications to it.


I guess this is a side-effect of EKB version 2, from OP-TEE: Open Portable Trusted Execution Environment — NVIDIA Jetson Linux Developer Guide


For EKB version 1, a hardcoded FV in EKB generation tool is used for EKB generation and the same FV is hardcoded in OP-TEE for EKB extraction. For EKB version 2, FV is a randomly generated 16-byte value and stored in EKB. This FV is used for EKB generation and EKB extraction. The current JetPack release supports EKB version 2. The extraction in jetson-user-key PTA is backward compatible. It still supports EKB version 1.

In any case, I support your request to put it back, as we may end up having to support different JetPack releases where only v1 exists.

I guess I’ll need to take a closer look at how the jetson-user-key PTA handles the FV in EKB v2. Currently, we’re patching OP-TEE to set the FV to match what was used by gen_ekb.py to generate the EKB. But if it is passed in the header, then maybe I don’t need to patch the OP-TEE source? Thanks for adding your comment, @sebastien.schertenleib.

hello chad.mcquillen,

Please refer to the developer guide, EKB Header, to update the FV.
You’ll also need to update the random fixed vector for EKB in the file below:
$public_sources/r36.4.3/Linux_for_Tegra/source/atf_and_optee/optee/optee_os/core/pta/tegra/jetson_user_key_pta.c

/*
 * Fixed vector for EKB version 1.
 */
static uint8_t fv_for_ekb[] = {
        0xba, 0xd6, 0x6e, 0xb4, 0x48, 0x49, 0x83, 0x68,
        0x4b, 0x99, 0x2f, 0xe5, 0x4a, 0x64, 0x8b, 0xb8,
};

@JerryChang, that looks unnecessary, since the code in jetson_user_key_pta.c is going to pull the fixed vector out of the EKB v2 header and update fv_for_ekb as follows:

static TEE_Result get_ekb_content_start_addr(vaddr_t ekb_addr,
                                             vaddr_t *ekb_content_addr)
{
        struct ekb_header *header;

        if (ekb_addr == 0 || !ekb_content_addr)
                return TEE_ERROR_BAD_PARAMETERS;

        header = (struct ekb_header *)ekb_addr;

        if (header->ekb_size < EKB_MIN_SIZE)
                return TEE_ERROR_BAD_FORMAT;

        if (strncmp((char *)EKB_MAGIC_STR, header->ekb_magic, strlen(EKB_MAGIC_STR)))
                return TEE_ERROR_BAD_FORMAT;

        if (header->ver_maj == 1) {
                /* EKB v1: compiled-in fv_for_ekb is used; content follows the header. */
                *ekb_content_addr = ekb_addr + sizeof(struct ekb_header);
        } else if (header->ver_maj == 2) {
                /* EKB v2: the 16-byte FV stored right after the header replaces
                 * the compiled-in value, then the content follows the FV. */
                memcpy(fv_for_ekb, header + 1, sizeof(fv_for_ekb));
                *ekb_content_addr = ekb_addr + sizeof(struct ekb_header)
                                    + sizeof(fv_for_ekb);
        } else {
                return TEE_ERROR_BAD_FORMAT;
        }

        return TEE_SUCCESS;
}

Given that, I rescind my request to add back the ‘-fv’ option (although others may still desire it to meet their own needs). Our signing server needs to support signing firmware across multiple L4T releases and will just need to be updated to call gen_ekb.py differently depending on which version of firmware / L4T we are signing.
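As an added example (not NVIDIA's gen_ekb.py or the PTA source), the following Python inspector mirrors the v1/v2 branch of get_ekb_content_start_addr() quoted above, so a signing pipeline can confirm which EKB version an image carries and which FV the PTA would load before deciding whether an OP-TEE patch is needed at all. The header field order and widths and the magic bytes are assumed for illustration; only the field names (ekb_size, ekb_magic, ver_maj) and the 16-byte FV come from the thread.

```python
"""Inspect an EKB image header the way get_ekb_content_start_addr() does.

Added example, not NVIDIA's gen_ekb.py or jetson_user_key_pta.c. The field
order/widths of the header and the magic bytes are ASSUMED for illustration;
the thread only names ekb_size, ekb_magic, ver_maj and the 16-byte FV.
"""
import struct

# ASSUMED header layout: u32 ekb_size, 8-byte magic, u8 ver_maj, u8 ver_min, 2 pad.
HDR = struct.Struct("<I8sBBxx")
EKB_MAGIC = b"EKBMAGIC"          # placeholder; the real string is EKB_MAGIC_STR in the PTA
FV_LEN = 16                      # sizeof(fv_for_ekb)
EKB_MIN_SIZE = HDR.size


def build_ekb(content: bytes, ver_maj: int, fv: bytes = b"") -> bytes:
    """Constructed EKB image: v1 has no FV field, v2 stores the FV right after the header."""
    if ver_maj == 2 and len(fv) != FV_LEN:
        raise ValueError("EKB v2 needs a %d-byte fixed vector" % FV_LEN)
    body = (fv if ver_maj == 2 else b"") + content
    return HDR.pack(HDR.size + len(body), EKB_MAGIC, ver_maj, 0) + body


def parse_ekb(blob: bytes) -> dict:
    """Return version, the FV the PTA would memcpy into fv_for_ekb (None for v1)
    and the offset of the encrypted content, applying the PTA's checks in order."""
    if len(blob) < HDR.size:
        raise ValueError("BAD_FORMAT: image shorter than ekb_header")
    ekb_size, magic, ver_maj, _ver_min = HDR.unpack_from(blob)
    if ekb_size < EKB_MIN_SIZE:
        raise ValueError("BAD_FORMAT: ekb_size below EKB_MIN_SIZE")
    if ekb_size > len(blob):                 # extra bound check; the PTA only sees an address
        raise ValueError("BAD_FORMAT: ekb_size exceeds image length")
    if magic != EKB_MAGIC:                   # strncmp(EKB_MAGIC_STR, ...) in the PTA
        raise ValueError("BAD_FORMAT: wrong magic")
    if ver_maj == 1:
        # v1: FV is whatever is compiled into the PTA; content follows the header.
        return {"ver_maj": 1, "fv": None, "content_offset": HDR.size}
    if ver_maj == 2:
        # v2: the generator's random FV travels in the image, so no PTA patch is needed.
        fv = blob[HDR.size:HDR.size + FV_LEN]
        if len(fv) != FV_LEN:
            raise ValueError("BAD_FORMAT: truncated fixed vector")
        return {"ver_maj": 2, "fv": fv, "content_offset": HDR.size + FV_LEN}
    raise ValueError("BAD_FORMAT: unsupported ver_maj %d" % ver_maj)


if __name__ == "__main__":
    sample_fv = bytes(range(16))             # constructed sample FV
    for img in (build_ekb(b"ciphertext", 1), build_ekb(b"ciphertext", 2, sample_fv)):
        info = parse_ekb(img)
        print(info["ver_maj"], info["fv"].hex() if info["fv"] else "compiled-in", info["content_offset"])
```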
