Python integration with op-tee

hi everybody
i built the op-tee source code on a jetson xavier and made a trusted zone by following the ridgerun tutorial
my intention for doing this was to be able to add my Python code in the trusted zone so it is secure from copying and not accessible from the normal world or curious users
but there is a problem
somewhere i read that python code does not work in the trusted Env and is not executable
and the other problem is i don't know how to add program code in the trusted zone (not only python code, something like C programs)
does anybody have experience integrating python code with op-tee who could help me do this??

hello abolfazl_asari,

you may also read the developer guide for details, i.e. OP-TEE: Open Portable Trusted Execution Environment.

please visit jetson-linux-r3550 to download the public sources package, i.e. [Driver Package (BSP) Sources].
please extract the nvidia-jetson-optee-source.tbz2 tarball, and you’ll see some secure sample applications for demonstration.
i.e. $public_sources/atf_and_optee/optee/samples/
you may also see Secure Samples for reference.

hi jerry chang
first of all thanks for your attention, but i think your answer confused me
i want to deploy a program in the trusted zone as a TA (trusted application)
to begin with i want to make a custom C program as a TA in optee and build it to run on jetson xavier nx
i built the hello world sample from the linaro optee examples in GitHub - linaro-swg/optee_examples: OP-TEE Sample Applications and it worked fine
but i don't know how to implement my simple code in the trusted zone and build the os again to flash on the jetson
can you help me with that??
thanks a lot

in simple language
is it possible to make a trusted application that runs python code stored in the secure world, with commands from the rich world (non-secure Env)?? so that somehow the code is secure from being copied or accessed by a rich world user

hello abolfazl_asari,

have you used any customized keys?
please also see the sample script gen_ekb.py, which uses those keys to create an EKS image.
for instance,
$public_sources/atf_and_optee/optee/samples/hwkey-agent/host/tool/gen_ekb/example.sh

# [T194 example]
# This is default KEK2 root key for unfused board
echo "00000000000000000000000000000000" > kek2.key

# This is the fixed vector for deriving EKB root key from fuse.
# It is expected user to replace the FV below with a user specific
# FV, and code the exact same user specific FV into OP-TEE.
echo "bad66eb4484983684b992fe54a648bb8" > fv_ekb_t194

# Generate user-defined symmetric key files
# For each key, uncomment the random generate key and comment out the next line for production
# openssl rand -rand /dev/urandom -hex 16 > sym_t194.key
echo "00000000000000000000000000000000" > sym_t194.key
# openssl rand -rand /dev/urandom -hex 16 > sym2_t194.key
echo "00000000000000000000000000000000" > sym2_t194.key
# openssl rand -rand /dev/urandom -hex 16 > auth_t194.key
echo "00000000000000000000000000000000" > auth_t194.key

python3 gen_ekb.py -chip t194 -kek2_key kek2.key \
        -fv fv_ekb_t194 \
        -in_sym_key sym_t194.key \
        -in_sym_key2 sym2_t194.key \
        -in_auth_key auth_t194.key \
        -out eks_t194.img

please also see Topic 270934 for updating the EKS image accordingly.
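
Added example, not part of the original thread or of NVIDIA's example.sh: the sample script above writes all-zero keys and a published fixed vector, so a production build can gate gen_ekb.py on a check like the one below. The function names are hypothetical; the file names in the usage comment are the ones from the script. On an unfused board the all-zero kek2.key is expected per the script's own comment, so pass only the files meant to hold production values.

```shell
#!/bin/sh
# Added example: refuse placeholder key material before running gen_ekb.py.
# check_key_file / check_ekb_inputs are hypothetical helper names.

# Fixed vector published in the sample script; a production FV must differ.
SAMPLE_FV="bad66eb4484983684b992fe54a648bb8"

# check_key_file FILE: succeed only if FILE holds exactly 32 hex digits,
# is not all zeros, and is not the published sample FV.
check_key_file() {
    f="$1"
    [ -r "$f" ] || { echo "$f: missing or unreadable" >&2; return 1; }
    v=$(tr -d ' \n\r\t' < "$f" | tr 'A-F' 'a-f')
    case "$v" in
        *[!0-9a-f]*|"") echo "$f: not a hex string" >&2; return 1 ;;
    esac
    [ "${#v}" -eq 32 ] || { echo "$f: expected 32 hex digits, got ${#v}" >&2; return 1; }
    case "$v" in
        *[!0]*) ;;  # at least one non-zero digit
        *) echo "$f: all-zero development key" >&2; return 1 ;;
    esac
    [ "$v" != "$SAMPLE_FV" ] || { echo "$f: sample FV from example.sh" >&2; return 1; }
    return 0
}

# check_ekb_inputs FILE...: check every file and reject one value reused
# across several files; returns non-zero if anything is wrong.
check_ekb_inputs() {
    rc=0; seen=""
    for f in "$@"; do
        check_key_file "$f" || { rc=1; continue; }
        v=$(tr -d ' \n\r\t' < "$f" | tr 'A-F' 'a-f')
        case " $seen " in
            *" $v "*) echo "$f: same value as another input" >&2; rc=1 ;;
        esac
        seen="$seen $v"
    done
    return $rc
}

# Usage, placed before the gen_ekb.py call:
# check_ekb_inputs sym_t194.key sym2_t194.key auth_t194.key fv_ekb_t194 || exit 1
```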
