Hi,
I am experiencing unexpected behavior on the Xavier NX module with L4T R35.1 while developing for OP-TEE. Specifically I am trying to use the OP-TEE PTA jetson_user_key_pta.c to derive a root key from KEK256 as described in the developer documentation. I have added BctKEKKeySelect = 1;
to the tegra194-br-bct-qspi.cfg
to allow accessing of KEK0 and KEK1 as a single KEK256 register.
I modified jetson_user_key_pta.c to print out the derived key inside hwkey_derivation_process
immediately after the call to tegra_se_nist_sp_800_108_cmac_kdf
. I have not modified the original call:
rc = tegra_se_nist_sp_800_108_cmac_kdf(SE_AES_KEYSLOT_KEK256,
TEGRA_SE_KEY_256_SIZE,
"Derived 256-bit root key",
"256-bit key",
TEGRA_SE_KEY_256_SIZE,
demo_256_rk);
I then burned fuses on a development Xavier NX module with the following values:
PublicKeyHash: 0000000000000000000000000000000000000000000000000000000000000000
SecureBootKey: 00000000000000000000000000000000
Kek0: 41414141414141414141414141414141
Kek1: 42424242424242424242424242424242
Kek2: 00000000000000000000000000000000
Kek256: 4141414141414141414141414141414142424242424242424242424242424242
BootSecurityInfo: 00000000
JtagDisable: 00000000
SecurityMode: 00000000
SwReserved: 00000000
DebugAuthentication: 00000000
OdmId: 0000000000000000
OdmLock: 00000000
ReservedOdm0: 00000000
ReservedOdm1: 00000000
ReservedOdm2: 00000000
ReservedOdm3: 00000000
ReservedOdm4: 00000000
ReservedOdm5: 00000000
ReservedOdm6: 00000000
ReservedOdm7: 00000000
ReservedOdm8: 00000000
ReservedOdm9: 00000000
ReservedOdm10: 00000000
ReservedOdm11: 00000000
Upon the first boot of the module after flashing I get the following derived key:
M/TC: hwkey_derivation_process: Successfully derived the 256 root key!
______________________________________________________________
M/TC: 31
M/TC: ee
M/TC: da
M/TC: 84
M/TC: 61
M/TC: e8
M/TC: ba
M/TC: b5
M/TC: 5f
M/TC: 10
M/TC: f5
M/TC: 73
M/TC: 4c
M/TC: b1
M/TC: 27
M/TC: ad
M/TC: a0
M/TC: 1
M/TC: 3a
M/TC: ed
M/TC: 95
M/TC: ac
M/TC: a5
M/TC: e9
M/TC: e7
M/TC: ed
M/TC: c7
M/TC: 0
M/TC: cf
M/TC: 73
M/TC: e2
M/TC: 3e
M/TC: ______________________________________________________________
However every subsequent boot results in a completely different key printed to the console, for example:
M/TC: hwkey_derivation_process: Successfully derived the 256 root key!
______________________________________________________________
M/TC: e5
M/TC: 9e
M/TC: df
M/TC: 44
M/TC: 45
M/TC: d
M/TC: fe
M/TC: c3
M/TC: 20
M/TC: d1
M/TC: 63
M/TC: 84
M/TC: 45
M/TC: 7b
M/TC: d2
M/TC: 72
M/TC: 68
M/TC: 27
M/TC: e4
M/TC: bb
M/TC: 29
M/TC: 56
M/TC: b3
M/TC: e6
M/TC: e9
M/TC: c1
M/TC: 1e
M/TC: e4
M/TC: 76
M/TC: b7
M/TC: b9
M/TC: 13
M/TC: ______________________________________________________________
Each new boot results in a different and unique key being printed. If I reflash the module, the first boot returns the key starting with 31 ee
, but every subsequent key is seemingly random. If I call tegra_se_clear_aes_keyslots
before the KDF, it correctly returns 7e9e0cdcc3d8fa5376e46a8e95095a51ed56485bff4a4f02304c4b32b9e2f834
which is the KDF on a NULL key. This leads me to believe that the behavior of the Tegra Security Engine is correct, and that there is either an issue with the fuse reading or KDF implementation in OP-TEE.
I have verified that the counters used for the KDF function inside optee_os/core/drivers/tegra/t194/tegra_se_aes.c
are not persisting across reboots.
Can anyone at NVIDIA verify that they are indeed getting deterministic KDFs from tegra_se_nist_sp_800_108_cmac_kdf
inside of OP-TEE?
Thanks