Hi there, I want to implement Trusty on Jetson AGX Xavier.
So far I have gone through Secureboot and Disk Encryption. I have the L4T Driver Package (BSP) Sources on my host. I am not sure what to do next; kindly guide me on what the next step from here will be.
Thanks
hello AbdulWasey,
are you saying developing TAs/CAs that run with Trusty’s Trusted Execution Environment (TEE)?
please access the developer guide, Trusted Application Development, for reference,
thanks
Hi @JerryChang
Yes, but this <trusty_top> directory of the source package is available on the host. I am trying to understand how Trusty will be available on Xavier, where I can build and run my code in the TEE on the Xavier, not on the host.
Hi @JerryChang
I am trying to understand Trusty and how it can be implemented.
I can see a file atf_and_trusty_README.txt in /source/public which shows how to create tos_t194.img and replace the old tos.img. Now what will happen when the board is flashed with the new tos_t194.img? Does this create some secure directory where I can put my data and code?
Thanks
please check this thread as see-also. [TRUSTY] Trusted Application Testing
Hi @JerryChang
Where can I get more details about CAs and TAs implementation? I don’t have much idea about that. I can see in [TRUSTY] Trusted Application Testing that I have to go through the atf_and_trusty.README to implement SecureOS. Will this all to enable TEE on the Xavier.
hello AbdulWasey,
there are NO specific rules for the implementation of CA.
please refer to this for the steps or guides to implement or extend more functions into it.
thanks
Hi @JerryChang
The bootloader allocates a dedicated carveout, TZ-DRAM, to run a secure OS
What is the allocated size of TZ-DRAM in the case of Xavier AGX? Can you specify, please?
thanks
hello AbdulWasey,
please refer to cboot sources for the carveout index.
for example,
$L4T_Sources/r32.5.1/Linux_for_Tegra/source/public/cboot$ vim ./bootloader/partner/t19x/mb1-headers/tegrabl_carveout_id.h
it’s #define CARVEOUT_TZDRAM 34U for the TZ-DRAM.
then, you’re able to check the CBoot logs for allocated base address and also the size.
for example,
[0001.089] I> Welcome to Cboot
fmon_post initialized
��[0001.090] I> Cboot Version: t194-9efcbc4f
...
[0001.367] I> 34) Base:0xf3c00000 Size:0x01000000
note,
there’s an error in the makefile, please check Physical address range in the secure world - #5 by JerryChang.
we’ve also done the update, please expect that the next public release (i.e. JetPack-4.6) will include the fixes.
thanks
Hi @JerryChang
I have gone through the atf_and_trusty.README and successfully created the tos_t194.img, and will flash that after enabling secureboot, but I am a bit confused regarding the TAs/CAs. The thing I want to do with Trusty is to save some keys, some important data and certificates, and access them and change them whenever I need. How can this be possible? Kindly guide me.
Thanks
hello AbdulWasey,
please check the TA/CA sample in the developer guide, it’s hwkey-agent and hwkey-app to use the key for data encryption and decryption.
thanks
Hi @JerryChang
I have gone through hwkey-agent and hwkey-app. To enable the hwkey-agent and other TAs on Xavier I have to do?
- newly generated tos_t194.img placed in /linux_for-tegra/bootloader/ directory by following the instruction in atf_and_trusty.README
- Secureboot enabled with <pkc.pem> and <SBK.key> keys
- <eks_image_file> generated by gen_ekb.py and placed in /linux_for-tegra/bootloader/ directory
or is there anything else that I am missing? Kindly guide me.
Thanks
hello AbdulWasey,
you’ll need to have the secure-os partition flashed with your customized image,
for example,
[ 214.3226 ] Writing partition secure-os with tos-trusty_t194_sigheader.img.encrypt
[ 214.4007 ] [................................................] 100%
those others look correct, please have a try,
thanks
Hi @JerryChang
Does the
Means that the 0x01000000 in hex equals 16,777,216 in decimal, so is this size in bytes? So it will then be 16MB of TZ-DRAM allocated to the secure OS?
Thanks
that’s correct.
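Added example, not part of the original thread and not NVIDIA's code: a small parser that pulls the carveout table out of a CBoot log, picks the TZ-DRAM entry by the CARVEOUT_TZDRAM index quoted above, and reports its address range and size in bytes and MiB. The function names and the row for carveout 33 in the sample are constructed for illustration; the other sample lines are the ones quoted in the thread.

```python
import re

# Index of the TZ-DRAM carveout, from tegrabl_carveout_id.h as quoted in the thread.
CARVEOUT_TZDRAM = 34

# Matches carveout rows such as "[0001.367] I> 34) Base:0xf3c00000 Size:0x01000000".
ROW = re.compile(r"(\d+)\)\s*Base:(0x[0-9a-fA-F]+)\s+Size:(0x[0-9a-fA-F]+)")


def parse_carveouts(log_text):
    """Return {carveout_id: (base, size)} for every carveout row in a CBoot log."""
    table = {}
    for line in log_text.splitlines():
        m = ROW.search(line)  # search() tolerates timestamps and serial noise before the row
        if m:
            table[int(m.group(1))] = (int(m.group(2), 16), int(m.group(3), 16))
    return table


def tzdram_region(log_text, carveout_id=CARVEOUT_TZDRAM):
    """Return the TZ-DRAM range and size, or None if the row is missing or zero-sized."""
    entry = parse_carveouts(log_text).get(carveout_id)
    if entry is None or entry[1] == 0:
        return None
    base, size = entry
    return {
        "base": base,
        "end": base + size - 1,        # last byte inside the carveout
        "size_bytes": size,            # the Size field is a byte count
        "size_mib": size / (1 << 20),
    }


# Constructed sample: log lines quoted in the thread plus one made-up empty row (33).
SAMPLE_LOG = """\
[0001.089] I> Welcome to Cboot
[0001.090] I> Cboot Version: t194-9efcbc4f
[0001.366] I> 33) Base:0x00000000 Size:0x00000000
[0001.367] I> 34) Base:0xf3c00000 Size:0x01000000
"""

if __name__ == "__main__":
    r = tzdram_region(SAMPLE_LOG)
    print(f"TZ-DRAM: {r['base']:#x}-{r['end']:#x}, "
          f"{r['size_bytes']} bytes ({r['size_mib']:.0f} MiB)")
```
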