Why is Trusty only officially supported on X2 but not X1?

TLDR: if this isn’t officially supported could I compile it from source? Would this be a bad idea?

Details:
If you download releases X2 officially supports trusty but X1 does not. This is strange to me as both support TEE and both are in the Android Trusty source code. For example, taking https://developer.nvidia.com/embedded/linux-tegra (32.5.1 as of this writing) you’ll find Trusty in X2 release Tegra186_Linux_R32.5.1_aarch64.tbz2:Linux_for_Tegra/bootloader/tos-trusty.img but no equivalent for X1 release (tegra210). However if you look at trusty/external/linux/drivers/soc/tegra/Kconfig you find “config ARCH_TEGRA_210_SOC” indicating that it should be possible to compile from source.

My main concern is I’m worried this wasn’t officially supported on purpose due to an implementation issue (such as a security issue). Can someone shine some light on this? Thank you!

hello johndmcmaster ,

Jetson TX1 series and Jetson Nano did not support Trusty.
please check developer guide, Trusty, a Trusted Execution Environment.

Applies to: Jetson Xavier NX, Jetson AGX Xavier series, and Jetson TX2 series devices

Thank you for your reply, but I’m looking for more detail than that. I understand that it’s not officially supported, but this conflicts with the device supporting TEE and it being supported by Trusty source code. Can you please elaborate why its not supported in that document?

hello johndmcmaster,

actually, TX1 is approaching EOL.
there’s no trusty sources if you download the t210 source package.
thanks

For people that might find this thread in the future, this is the best answer I’ve come up with from my own research:

  • Fusée Gelée (RCM vulnerability) is not publicly patched
  • nVIDIA has not provided a mitigation for it (ex: How to block RCM mode and JTAG by enabling bits in fuse blob?)
  • Side note: Fusée Gelée patched on Mariko
  • While Trusty can help with remote code execution breaches, most people want local tampering protection. So for most use cases Trusty can be bypassed
  • Therefore Trusty is not generally recommended / officially supported