diff --git a/commitFile.txt b/commitFile.txt index 6cb6d5f..4794600 100644 --- a/commitFile.txt +++ b/commitFile.txt @@ -2985,7 +2985,7 @@ bbf046fa124b7c4632ae2631e9059507a72a3d2a - optee/samples/ms-tpm-20-ref/LICENSE df67ed7bc549a84f8ff8a5de0d3d096a6e2bbd48 - optee/samples/ms-tpm-20-ref/Samples/ARM32-FirmwareTPM/optee_ta/Makefile 6d3239af75e740ae509ca8b2e0d51b584f3465a5 - optee/samples/ms-tpm-20-ref/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/Makefile 3f229d45d7d2ce7e5d7e46e12377af9165e6c361 - optee/samples/ms-tpm-20-ref/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h -1bce5759e31235d9c5bdba21dd91adaa428fc3f0 - optee/samples/ms-tpm-20-ref/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/fTPM.c +c2c40637f04e216036f75507c8f785dd4df7cd2b - optee/samples/ms-tpm-20-ref/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/fTPM.c 8a3ff6f0fbf400d5960a0b9e29100a2f0c257cce - optee/samples/ms-tpm-20-ref/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/lib/mbedtls_ltc/user_custom.h 53e682c13d0856ad3840af92efef4f69ce2e1d61 - optee/samples/ms-tpm-20-ref/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/include/fTPM.h ea9d25b54a0bfb6a2f2919629390ac2f1a7cd709 - optee/samples/ms-tpm-20-ref/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/include/fTPM_event_log_private.h @@ -3600,7 +3600,7 @@ b80579004bf66d76c34c31b4fe0ba65e1a34eb8a - optee/samples/ms-tpm-20-ref/TPMCmd/tp 5d749f54ac223562addbb57a4b3ece73eb25b9c4 - optee/samples/ms-tpm-20-ref/TPMCmd/tpm/src/support/Power.c f8b98f1215fd1f432f6e12fc63cc39e8bdd8be20 - optee/samples/ms-tpm-20-ref/TPMCmd/tpm/src/support/Response.c f117763dee48fbe30eec672134d8f4c747362762 - optee/samples/ms-tpm-20-ref/TPMCmd/tpm/src/support/TableDrivenMarshal.c -ebbf99f5b71a40e2dcb3b0718428993ceb092ea7 - optee/samples/ms-tpm-20-ref/TPMCmd/tpm/src/subsystem/PCR.c +631abb9a8ededc6a2ba5ec366a297ceefcca8bff - optee/samples/ms-tpm-20-ref/TPMCmd/tpm/src/subsystem/PCR.c ec1d7790053a5109933da61c97434e47e326bd4f - optee/samples/ms-tpm-20-ref/TPMCmd/tpm/src/subsystem/Object.c 74b6eb8868ae67779b9cd920d12e7566d91ee613 - optee/samples/ms-tpm-20-ref/TPMCmd/tpm/src/subsystem/PP.c 6f80821c4cecac735c594a05787bbed9e95b3079 - optee/samples/ms-tpm-20-ref/TPMCmd/tpm/src/subsystem/NvReserved.c @@ -3771,19 +3771,22 @@ ed0d9f117bda9b562ce47f09fa526466ea647130 - optee/samples/ms-tpm-20-ref/TPMCmd/Si d7bd32e37a53264b6ec8ebcf3b41f087652c4d3d - optee/samples/ms-tpm-20-ref/TPMCmd/Simulator/src/TPMCmdp.c 922b6cdcf8fe2c2afbea87d499eba8234873cbb8 - optee/samples/ms-tpm-20-ref/TPMCmd/Simulator/src/TcpServer.c 5a493d9124d00ded9800ae107ba167c72c9056ad - optee/samples/ftpm-helper/Makefile -4aeaf4a8d06a121aa56dc7250ac5ebadaf6f94d9 - optee/samples/ftpm-helper/README.md +0900cca9167560e9f0926d8a8bde7c764e065e9f - optee/samples/ftpm-helper/README.md 96da5d9fe175e882abdd919aa1c4bd9a2def2f06 - optee/samples/ftpm-helper/LICENSE 5dbb2cb40501d442a50453c79e55f6fe7aa642c9 - optee/samples/ftpm-helper/host/Makefile 4ebeba0c52d359825b26ffad5fd456d1c43277d8 - optee/samples/ftpm-helper/host/ftpm_helper_ca.c -05ab08f5221f05e94520ed9495423d026bcd5460 - optee/samples/ftpm-helper/host/tool/odm_ekb_gen.py +407eeba3851b04988f64bd5086ac89507959814e - optee/samples/ftpm-helper/host/tool/odm_ekb_gen.py 44dd5efe74224613ae3361b5288d5f4fbbffb808 - optee/samples/ftpm-helper/host/tool/ftpm_manufacturer_ca_sign_sid_csr.sh 46d7267ff5f2e40f0cb402b89ccef57708c6ce05 - optee/samples/ftpm-helper/host/tool/ftpm_manufacturer_ca_sign_sid_csr.py +98de1c20da4296bd01a493dddbbe8bbaf53e7e51 - optee/samples/ftpm-helper/host/tool/README_keylime_TPM_for_unfused_Jetson.md +a6b769f1f9c0ba9077b63cbeb10f2567ddd5ab49 - optee/samples/ftpm-helper/host/tool/ftpm_gen_measurement_list.py ffaf17771c52fb326d9298929500e7cad003d933 - optee/samples/ftpm-helper/host/tool/ftpm_manufacturer_gen_ek_csr.sh e3f3060340f290f4b9ac80f0bfef98636605414c - optee/samples/ftpm-helper/host/tool/ftpm_offline_provisioning_verify.sh 6040c09f6e07731353cde2f79647f9b37019012c - optee/samples/ftpm-helper/host/tool/ftpm_manufacturer_ca_simulator.py +deb9eb80f2b363a1a1abae3526b261b4dacd4fa3 - optee/samples/ftpm-helper/host/tool/ftpm_sim_provisioning_tool.sh ddb11390ea289ff539c833fcd9849d0bf81106b2 - optee/samples/ftpm-helper/host/tool/ftpm_test_local_attestation.sh 58f17af47d0dd8ec7ec3e5a0a4cfcc10da119248 - optee/samples/ftpm-helper/host/tool/ftpm_manufacturer_gen_ek_csr_tool.py -17aa9eb1d7d6989dee35a50bb30d873f45ab053f - optee/samples/ftpm-helper/host/tool/kdk_gen.py +67d5b2372fbf7a9e401c33b0a88d7690fa02c39f - optee/samples/ftpm-helper/host/tool/kdk_gen.py 18d61e2198cfc4965ec932ad1751e98ea619bffe - optee/samples/ftpm-helper/host/tool/oem_ekb_gen.py fe950095be80ba8e01f91fc8db3c98d64f2ce7b3 - optee/samples/ftpm-helper/host/tool/ftpm_device_provision.sh cce78a2db51c264b884b2e53c7605556e4651318 - optee/samples/ftpm-helper/host/tool/ftpm_manufacturer_ca_simulator.sh @@ -3791,8 +3794,11 @@ cce78a2db51c264b884b2e53c7605556e4651318 - optee/samples/ftpm-helper/host/tool/f 68063b7cdc77b6f03971c9b479950603d395e530 - optee/samples/ftpm-helper/host/tool/lib/ftpm_ek.py 2989d9817b1d1ee76139b1bf780f937af2721fe3 - optee/samples/ftpm-helper/host/tool/lib/aes_drbg.py 79c7dece1ab210876510b24cf9a18ec129a93693 - optee/samples/ftpm-helper/host/tool/lib/ftpm_ek_csr.py +e5a4b96b9883d615734a76bf898ff4433fed4b59 - optee/samples/ftpm-helper/host/tool/conf/ftpm_sim_root_ca_csr.config 2b3f0a1315886edf3fe2969e88e4f709914c2ea1 - optee/samples/ftpm-helper/host/tool/conf/ftpm_i_ca_sim.config +1dbb0eb577e447341e8844a47e877f919c89c4ef - optee/samples/ftpm-helper/host/tool/conf/ftpm_sim_i_ca_csr.config ab33fbbfb23ed4c0687e915bd88cc7b568b319d1 - optee/samples/ftpm-helper/host/tool/conf/ftpm_root_ca_sim.config +9344d91fe659e33261e06fe1558bb59983870528 - optee/samples/ftpm-helper/host/tool/conf/ftpm_sim_ek_csr.config 174230a84516fd6fc4c6dfa553bfba136df35489 - optee/samples/ftpm-helper/ta/Makefile 6442bb99b6d3029526133a362a0838012c051149 - optee/samples/ftpm-helper/ta/user_ta_header_defines.h a521701086a719a903d80697a572009e501ffb6b - optee/samples/ftpm-helper/ta/ftpm_helper_ta.c diff --git a/optee/atf_and_optee_README.txt b/optee/atf_and_optee_README.txt index 7281f48..382849b 100644 --- a/optee/atf_and_optee_README.txt +++ b/optee/atf_and_optee_README.txt @@ -75,7 +75,7 @@ Building the OP-TEE Source Code ---------------------------------------------------------------------- To build the OP-TEE source package, run the the following command: -./optee_src_build.sh -p t +./optee_src_build.sh -p t -t ---------------------------------------------------------------------- Building the OP-TEE dtb diff --git a/optee/samples/ftpm-helper/README.md b/optee/samples/ftpm-helper/README.md index 00bc1d1..83c9793 100644 --- a/optee/samples/ftpm-helper/README.md +++ b/optee/samples/ftpm-helper/README.md @@ -1,3 +1,13 @@ +SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved. +SPDX-License-Identifier: LicenseRef-NvidiaProprietary + +NVIDIA CORPORATION, its affiliates and licensors retain all intellectual +property and proprietary rights in and to this material, related +documentation and any modifications thereto. Any use, reproduction, +disclosure or distribution of this material and related documentation +without an express license agreement from NVIDIA CORPORATION or +its affiliates is strictly prohibited. + # Overview of the Firmware TPM implementation on Jetson __Applies to__ the Jetson AGX Orin, the Jetson Orin NX series, and the Jetson Orin Nano series. @@ -234,7 +244,7 @@ The Silicon ID Seed provisioning flow along the TCBs in the secure boot chain. T - FMC (MB2). - Firmware (TOS). -The purpose of this flow is to generate a Silicon ID seed, fTPM seed, the signature of MB2 event log, and the signature of TOS event log. The security mechanism of the key generation flow uses the TZ-SE, which is the hardware Security Engine in the TrustZone, but the keyslot is not accessible by the CPU. The Silicon ID key pair and the signatures of the event logs are generated by MB2 and are passed to OP-TEE using encrypted TZ memory and are used to identify the device and the firmware status during the fTPM provisioning process (if needed). +The purpose of this flow is to generate a Silicon ID seed and fTPM seed. The security mechanism of the key generation flow uses the TZ-SE, which is the hardware Security Engine in the TrustZone, but the keyslot is not accessible by the CPU. The fTPM Seed is passed to OP-TEE using encrypted TZ memory and is used to derive the EPS during the fTPM provisioning process. The Silicon ID generation flow: - In the PSCBL layer: @@ -247,10 +257,6 @@ The Silicon ID generation flow: - The Silicon ID Key Seed is KDF(key=Silicon_ID, constant str2). - The Silicon_ID key pair. - The Silicon_IDkey pair is f(ECC, NIST P256)KEYGEN(seed=Silicon_ID_Key_Seed). - - The signature of the MB2 event log. - - The Event_log_MB2.sig is f(ECDSA)SIGN(key=Silicon_IDpriv key, digest=SHA512(MB2)). - - The signature of the TOS event log. - - The Event_log_TOS.sig is f(ECDSA)SIGN(key=Silicon_IDpriv key, digest=SHA512(TOS)). ### EPS Derivation Flow in the OP-TEE OS Layer @@ -469,7 +475,7 @@ The SW Components - The fTPM helper CA provides the command line interface (CLI) for the script to query the EK certificates from the EKB. - fTPM helper TA - The fTPM helper TA provides the interfaces to support the fTPM helper CA. - - It helps to query SN, event log signatures, and EK certificates. + - It helps to query SN and EK certificates. - fTPM helper PTA - The fTPM helper PTA helps to gather the fTPM properties from MB2 and EKB. - The fTPM helper PTA retrieves Device SN from the fuse and makes sure it matches with the Device SN in EKB. @@ -518,8 +524,6 @@ sequenceDiagram Note over mb2: fTPM_Seed Derivation Note over mb2: 1. fTPM_Seed = KDF(Silicon_ID, const str1) Note over mb2: 2. Generating the Silicon_ID key pair - Note over mb2: 3. Signing the MB2 event log - Note over mb2: 4. Signing the TOS event log end critical @@ -528,7 +532,7 @@ sequenceDiagram end mb2->>fhpta: Delivering the OP-TEE DTB - Note over mb2,fhpta: The OP-TEE DTB includes:
1. fTPM_Seed
2. Silicon_ID public key
3. Signature of the MB2 event log
4. Signature of the TOS event log
5. The tpm_event_log buffer + Note over mb2,fhpta: The OP-TEE DTB includes:
1. fTPM_Seed
2. The tpm_event_log buffer Note left of fhpta: OP-TEE OS Boots Up @@ -544,7 +548,7 @@ sequenceDiagram critical Note over fhpta: Gathering the fTPM Data from OP-TEE DTB and EKB - Note over fhpta: The fTPM content in DTB:
1. fTPM_Seed
2. Silicon_ID public key
3. Signature of the MB2 event log
4. Signature of the TOS event log + Note over fhpta: The fTPM content in DTB:
1. fTPM_Seed Note over fhpta: The fTPM content in EKB:
1. Device_SN
2. EPS Seed
3. EK Certificates end @@ -600,8 +604,6 @@ sequenceDiagram > - The sample root filesystem: tegra\_linux\_sample-root-filesystem_${rel_ver}_aarch64.tbz2 > - The public source tarball: public_sources.tbz2 > - The toolchain (Optional): aarch64--glibc--stable-${rel_date}.tar.gz -> - The overlay package (Optional): ftpm_${rel_ver}_overlay_release.tbz2 -> - Only needed for overlay release. > 2. Download the FSKP package. > - This is a partner release package. Please download it separately. > 3. Create a ${BSP_TOP} folder. @@ -623,22 +625,17 @@ sequenceDiagram > cd Linux_for_Tegra/rootfs > sudo tar jvxpf ~/Downloads/tegra_linux_sample-root-filesystem_${rel_ver}_aarch64.tbz2 > ~~~ -> d. Untar the overlay package. -> ~~~ -> cd ${BSP_TOP} -> tar jvxf ~/Downloads/ftpm_${rel_ver}_overlay_release.tbz2 -> ~~~ -> e. Apply the BSP packages. +> d. Apply the BSP packages. > ~~~ > cd Linux_for_Tegra > sudo ./apply_binaries.sh > ~~~ -> f. Install the FSKP packages. +> e. Install the FSKP packages. > ~~~ > cd ${ODM_BSP_TOP} > tar jvxf ~/Downloads/fskp_partner_t234_${rel_ver}_aarch64.tbz2 > ~~~ -> g. Untar the ATF and OP-TEE source tarball. +> f. Untar the ATF and OP-TEE source tarball. > ~~~ > cd Linux_for_Tegra/source/ > tar jvxf atf_src.tbz2 @@ -1108,10 +1105,10 @@ The generated per-device EKS images are stored in the "oem_out" folder. The OEM ## Running the fTPM Provisioning Script on the Jetson Device - The fTPM provisioning script handles the process of provisioning the fTPM on the Jetson device. This involves querying EK certificates from the Encrypted Key Block (EKB), storing the EK certificate in the fTPM Non-Volatile (NV) memory, taking ownership of the fTPM, and creating EK accordingly with default EK handles. -- The fTPM helper TA/CA and PTA are applications designed to support fTPM provisioning. These components provide interfaces for querying SN, event log signatures, and EK certificates. +- The fTPM helper TA/CA and PTA are applications designed to support fTPM provisioning. These components provide interfaces for querying SN and EK certificates. - The fTPM TA supports TPM2 functionalities defined by the Trusted Computing Group (TCG). It receives EPS from the fTPM helper PTA during the first startup time and stores it in NV memory with the provisioning process. -### Rebuilding and Updating the TOS Image for fTPM Support +### Optionally Rebuilding and Updating the TOS Image for fTPM Support To customize the fTPM function on your Jetson device, you may need to rebuild and update the Trusted Operation System (TOS) image. Follow these steps to ensure a secure environment for your application. > [!Tip] @@ -1235,9 +1232,8 @@ Appendix A: The Overall Command Reference Flow for fTPM Manufacturing Support > [!Note] The ODM Preparation Work > 1. [Jetson BSP Installation](#jetson-bsp-installation) -> 2. [Rebuild and Update the TOS Image for fTPM Support (Optional)](#rebuilding-and-updating-the-tos-image-for-ftpm-support). -> 3. Retrieve the OEM's "pv_key.crt" and store at "~/oem_keys/uefi_keys/pv_key.crt". -> 4. Assume that the ODM's own keys are stored at: +> 2. Retrieve the OEM's "pv_key.crt" and store at "~/oem_keys/uefi_keys/pv_key.crt". +> 3. Assume that the ODM's own keys are stored at: > ~~~ > ~/odm_keys/rsa3k.pem > ~/odm_keys/sbk-32.key @@ -1619,32 +1615,31 @@ Appendix B: Handle The fTPM Manufacturing Flow In One Entity > [!Note] The Preparation Work > 1. [Jetson BSP Installation](#jetson-bsp-installation) -> 2. [Rebuild and Update the TOS Image for fTPM Support (Optional)](#rebuilding-and-updating-the-tos-image-for-ftpm-support). -> 3. Assume that the ODM's own keys are stored at: +> 2. Assume that the ODM's own keys are stored at: > ~~~ > ~/odm_keys/rsa3k.pem > ~/odm_keys/sbk-32.key > ~~~ -> 4. Assume that the ODM's fskp fusing files are stored at: +> 3. Assume that the ODM's fskp fusing files are stored at: > ~~~ > ~/odm_fskp/odm_fuse_template.xml > ~/odm_fskp/fskp_ak.bin > ~/odm_fskp/fskp_ek.bin > ~/odm_fskp/fskp_conf.txt > ~~~ -> 5. Assume that the ODM's user defined keys (for EKB generation) are stored at: +> 4. Assume that the ODM's user defined keys (for EKB generation) are stored at: > ~~~ > ~/oem_keys/oem_k1.key > ~/oem_keys/sym_t234.key > ~/oem_keys/sym2_t234.key > ~/oem_keys/auth_t234.key > ~~~ -> 6. Assume that the OEM's UEFI keys (for UEFI payloads such as kernel/kernel-dtb signing and encryuption) are store at: +> 5. Assume that the OEM's UEFI keys (for UEFI payloads such as kernel/kernel-dtb signing and encryuption) are store at: > ~~~ > ~/oem_keys/uefi_keys/uefi_keys.conf > ~/oem_keys/uefi_keys/uefi_enc.key > ~~~ -> 7. Assume that the OEM's fuse template are stored at: +> 6. Assume that the OEM's fuse template are stored at: > ~~~ > ~/oem_keys/oem_fuse_template.xml > ~~~ @@ -1872,3 +1867,193 @@ Appendix B: Handle The fTPM Manufacturing Flow In One Entity > ~~~ > - Sending the factory.tar.gz to FACTORY. > - Please follow the [Flashing Images](#flashing-images) process in Appendix A. + + +Appendix C: MassFlash Multiple Targets Simulteneously +----------------------------------------------------- + +Use **--massflash** command option to flash multiple targets simulteneoutly. + +The following procedures assume that: + - All targets are fused with the same value to the **Kdk0** fuse; + The **Kdk0** fuse value is saved as **fuse-kdk0** file. + - All targets are fused with the same value to the **OdmInfo** fuse. + The **OdmInfo** fuse value is used as in **--oem_id** in the generation of EKB_db. + (0x21 is used in the following example). + - All targets are fused with the sequential values to the **OdmId** fuses. + The starting **OdmId** fuse value is used as **--sn** in the generation of EKB_db. + (0x1000218000 is used in the following example.) + +## Preparing EKB_db + +### ODM: Generating ODM EKB_db + +> ~~~ +> cd ${BSP_TOP}/Linux_for_Tegra/source/optee/samples/ftpm-helper/host/tool +> ./kdk_gen.py --oem_id 0x21 --sn 0x1000218000 --num_devices 100 --preset fuse-kdk0 --fixed +> ./odm_ekb_gen.py --kdk_db ftpm_kdk/kdk_db_0021-0000001000218000-100.csv +> ~~~ + +The ODM packages the **odm_out** folder and delivers it to the OEM. + +### OEM: Generating OEM EKB_db + +The OEM unpacks the ODM's **odm_out** package, and puts it to ${BSP_TOP}/Linux_for_Tegra/source/optee/samples/ftpm-helper/host/tool. + +> ~~~ +> cd ${BSP_TOP}/Linux_for_Tegra/source/optee/samples/ftpm-helper/host/tool +> oem_ekb_gen.py -oem_k1_key oem_k1.key \ +> -in_sym_key sym_t234.key \ +> -in_sym_key2 sym2_t234.key \ +> -in_auth_key auth_t234.key \ +> -in_ftpm_odm_ekb odm_out +> ~~~ + +THE OEM packages the **oem_out** folder and deliver it back to the ODM. + +### ODM: Signing and encrypting EKB_db + +The ODM unpacks the **oem_out** package, and put it to ${BSP_TOP}/Linux_for_Tegra. + +> ~~~ +> cd ${BSP_TOP}/Linux_for_Tegra +> ./l4t_sign_image.sh --chip \ +> --key \ +> --encrypt_key \ +> --mass-ekb oem_out \ +> --type data \ +> --split False +> ~~~ + +The ODM packages the encrypted/signed eks files. + +> ~~~ +> tar cf eks_0021-0000001000218000-100.tar --directory=oem_out/signed/ . +> ~~~ + +The ODM delivers **eks_0021-0000001000218000-100.tar** to the OEM. + +## ODM: QSPI Image Generation + +Follow the same steps to generate **QSPI Image Generation** in Appendix A or Appendix B. + +For example, to generate QSPI image for Orin Nano: + +> ~~~ +> sudo BOARDID=3767 FAB=300 BOARDSKU=0005 CHIP_SKU=00:00:00:D5 RAMCODE_ID=2 ./tools/kernel_flash/l4t_initrd_flash.sh \ +> --odm-image-gen \ +> --showlogs \ +> --network usb0 \ +> --no-flash \ +> -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" \ +> -u ~/odm_keys/rsa3k.pem \ +> -v ~/odm_keys/sbk-32.key \ +> jetson-orin-nano-devkit \ +> internal +> ~~~ + +The ODM delivers the **lbc_odm.tar.gz** to the OEM. + +## OEM: UPI Image Generation + +Follow the same steps to generate **UPI Image Generation** in Appendix A or Appendix B. +In addition, add **--massflash ``** to the --mass-storage-only command, where `` is the maximum number of USB ports that the host can support. + +For example, to generate the UPI images for Orin Nano for all 5 flashing USB ports: +> ~~~ +> sudo BOARDID=3767 FAB=300 BOARDSKU=0005 CHIP_SKU=00:00:00:D5 RAMCODE_ID=2 ./tools/kernel_flash/l4t_initrd_flash.sh \ +> --mass-storage-only \ +> --massflash 5 +> --showlogs \ +> --network usb0 \ +> --no-flash \ +> --external-device nvme0n1p1 \ +> --external-only \ +> -c ./tools/kernel_flash/flash_l4t_t234_nvme.xml \ +> --uefi-keys ~/oem_keys/uefi_keys/uefi_keys.conf \ +> --uefi-enc ~/oem_keys/uefi_keys/uefi_enc.key \ +> jetson-orin-nano-devkit \ +> nvme0n1p1 +> ~~~ + +## OEM: Final Factory tarball Generation + +> ~~~ +> cd ${BSP_TOP}/Linux_for_Tegra +> sudo tar zvxf lbc_odm.tar.gz +> sudo tar zvxf upi_oem.tar.gz +> cd tools/kernel_flash/images/internal/ +> # Untar EKB_final_db received from ODM +> sudo mkdir ekb_db +> cd ekb_db +> sudo tar xf ${OEM_BSP_TOP}/eks_0021-0000001000218000-100.tar +> cd ${BSP_TOP}/Linux_for_Tegra +> # Copy boot*.img in mfi_jetson-orin-nano-devkit/bootloader/ to the Factory tarball. +> sudo cp mfi_jetson-orin-nano-devkit/bootloader/boot*.img \ +> tools/kernel_flash/images/rcmboot/ +> # Package the factory tarball +> sudo tar zvcf factory.tar.gz \ +> tools/kernel_flash/initrdflashparam.txt \ +> tools/kernel_flash/initrdflashimgmap.txt \ +> tools/kernel_flash/images/ +> ~~~ + +The OEM delivers the **factory.tar.gz** to the FACTORY. + +## FACTORY: **MassFlash** Work Flow + +Follow the [Flashing Images](#flashing-images) process in Appendix A. +In addition, add a **--massflash ``** to the --flash-only command, where `` is the maximum number of USB ports that the host can support. + +For example, to flash 5 targets of Orin Nano simultaneously: +> ~~~ +> cd ${BSP_TOP}/Linux_for_Tegra +> sudo ./tools/kernel_flash/l4t_initrd_flash.sh \ +> --flash-only \ +> --massflash 5 \ +> --showlogs \ +> --network usb0 \ +> --ekb-pair \ +> jetson-orin-nano-devkit \ +> nvme0n1p1 +> ~~~ + +The above command will flash upto 5 targets simultaneously, and during the flashing, the script will read the targets under flashing for **OdmInfo** and **OdmId** fuses and flash the matching ekb binary to the A_eks and B_eks partitions of the targets. + +After 5 targets are flashed, another 5 targets can be flashed using the exact same command. However, due to the unique combined **OdmInfo** and **OdmId** fused onto each board, the matching ekb image is flashed to the corresponding board, respectively. + +The above command script also supports **-k ``** option to flash only the specific `` partition to all the targets. + +For example, +> ~~~ +> sudo ./tools/kernel_flash/l4t_initrd_flash.sh \ +> -k A_secure-os \ +> --flash-only \ +> --massflash 5 \ +> --showlogs \ +> --network usb0 \ +> jetson-orin-nano-devkit \ +> nvme0n1p1 +> ~~~ + +The above command script will flash only the **A_secure-os** partition to all the targets. + +To ensure that both A_eks and B_eks partitions get the same ekb binary flashed, the command script supports the wildcard **-k \*_eks** option. + +For example, +> ~~~ +> sudo ./tools/kernel_flash/l4t_initrd_flash.sh \ +> -k *_eks \ +> --flash-only \ +> --massflash 5 \ +> --showlogs \ +> --network usb0 \ +> --ekb-pair \ +> jetson-orin-nano-devkit \ +> nvme0n1p1 +> ~~~ + +The above command script will flash only the **A_eks** and **B_eks** partitions with the matching ekb binary. + +```note +NOTE: *_eks is the only wildcard -k option supported. diff --git a/optee/samples/ftpm-helper/host/tool/README_keylime_TPM_for_unfused_Jetson.md b/optee/samples/ftpm-helper/host/tool/README_keylime_TPM_for_unfused_Jetson.md new file mode 100644 index 0000000..6e5830e --- /dev/null +++ b/optee/samples/ftpm-helper/host/tool/README_keylime_TPM_for_unfused_Jetson.md @@ -0,0 +1,400 @@ +# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved. +# SPDX-License-Identifier: LicenseRef-NvidiaProprietary +# +# NVIDIA CORPORATION, its affiliates and licensors retain all intellectual +# property and proprietary rights in and to this material, related +# documentation and any modifications thereto. Any use, reproduction, +# disclosure or distribution of this material and related documentation +# without an express license agreement from NVIDIA CORPORATION or +# its affiliates is strictly prohibited. + +# Keylime TPM Remote Attestation Test for an unfused Jetson + +This README file describes how to use Keylime to verify fTPM on an +unfused Jetson device using fTPM simulation mode. + + +## Overview + * Preparation for Keylime + + Provisioning fTPM in simulation mode on an unfused Jetson device + + Keylime Server Installation and Configuration on a host + + Keylime Agent Installation and Configuration on the Jetson device + * Launching Keylime Server + * Launching Keylime Agent + * Using Keylime Tenant to add or remove an IoT device (through TPM remote attestation) + * Using Keylime to Monitor Device Measurement + * PCR0 Measurement Calculation + + +## Preparation for Keylime + +### Provisioning fTPM in simulation mode on an unfused Jetson device + + * mkdir a folder, **ftpm_tool**, on the Jetson device. + * Copy the following fTPM simulation provisioning script to the **ftpm_tool** folder on the Jetson device. + + ftpm_sim_provisioning_tool.sh + * Copy the following configuration files to the **ftpm_tool/conf** folder. + + ftpm_sim_root_ca_csr.config + + ftpm_sim_i_ca_csr.config + + ftpm_sim_ek_csr.config + + * Run the following commands to complete the fTPM simulation provisioning. +~~~ + # Install tpm2-tools + sudo apt-get install tpm2-tools + + # Run the fTPM SIM provision script + sudo ./ftpm_sim_provisioning_tool.sh ek_prov + + # To clear the fTPM SIM provision + sudo ./ftpm_sim_provisioning_tool.sh clear +~~~ + + * Note: If **ftpm_sim_provisioning_tool.sh** returns "fTPM is already provisioned" message, your Jetson device has been fTPM provisioned, and you cannot continue to run the device in the fTPM simulation mode. + + * Note: the following files in **ftpm_tool/temp_ftpm_sim_prov/cert/** folder will need to copy to the Keylime Server: + - ftpm_sim_root_ca_csr.config + - ftpm_sim_i_ca_csr.config + - ftpm_sim_ek_csr.config + + +### Keylime Server Installation and Configuration + +Keylime Server consists of **Keylime Verifier**, **Keylime Registrar** and **Keylime Tenant**. + +To simply the verification steps, we install all these 3 components on one host. All following steps have been verified on Ubuntu 22.04 with Keylime v7.11.0. + + +#### SWTPM Installation (Optional) +Keylime verifier relies on TPM to work. If the host machine doesn’t have TPM support, you can install the SWTPM module as a TPM emulator. + +How to check if your host has TPM support: + +~~~ +1. cd /sys +2. find ./ | grep tpm +~~~ + +If you can find the terms below, that means your host does have TPM support. + +~~~ + * devices/platform/MSFT0101:00/tpmrm/tpmrm0 -> This is a SW TPM emulator (NOT SWTPM). + * devices/platform/STM7364:00/tpm/tpm0 -> This is a physical DTPM. +~~~ + +You can continue on the section of **Install and configure Keylime Server**. + +Otherwise, follow the following steps to install SWTPM module. + +~~~ + # Install Prerequisite Packages for SWTPM + sudo apt-get install tpm2-tools swtpm-tools + + # SWTPM Provisioning + sudo mkdir /tmp/swtpm + sudo chown tss:root /tmp/swtpm + sudo swtpm_setup --tpmstate /tmp/swtpm --create-ek-cert --create-platform-cert --tpm2 + + # SWTPM EK & EK Cert NVRAM Handles + # 0x81010001 : RSA 2K EK + # 0x81010016 : ECC NIST P384 EK + # 0x01c00002 : RSA 2K EK Cert + + # Open a terminal to launch SWTPM + sudo su + swtpm socket --tpmstate dir=/tmp/swtpm --tpm2 --server type=tcp,port=2321 --ctrl type=tcp,port=2322 \ + --flags not-need-init,startup-clear + + # Open another terminal to verifing SWTPM Cert Chain + sudo su + export TPM2TOOLS_TCTI="swtpm:port=2321" + mkdir swtpm_cert + cp /var/lib/swtpm-localca/swtpm-localca-rootca-cert.pem swtpm_cert/ + cp /var/lib/swtpm-localca/issuercert.pem swtpm_cert/ + cd swtpm_cert + tpm2_nvread 0x01c00002 -o swtpm_rsa_ek_cert.der + openssl x509 -inform DER -outform PEM -in swtpm_rsa_ek_cert.der -out swtpm_rsa_ek_cert.pem + openssl verify -CAfile swtpm-localca-rootca-cert.pem --untrusted issuercert.pem -show_chain swtpm_rsa_ek_cert.pem +~~~ + +#### Install and configure Keylime Server +~~~ + # Install Prerequisite Packages for Keylime Server + sudo apt-get install git python3-pip python3-gpg tpm2-tools + sudo apt-get remove python3-cryptography + + # Clone Keylime Repo + git clone --branch v7.11.0 https://github.com/keylime/keylime.git + + # Install Keylime Server Components + cd keylime + sudo pip3 install . -r requirements.txt + sudo python3 setup.py install + + # Add user: keylime + sudo useradd -g tss keylime + + # Create Keylime DIRs + sudo mkdir -p /var/lib/keylime/tpm_cert_store + sudo mkdir -p /var/lib/keylime/cv_ca + + # Copy ftpm simulation CA certificates from the Jetson device. + scp ${AGENT_IP_ADDR}:ftpm_tool/temp_ftpm_sim_prov/cert/ftpm_sim_root_ca_cert.pem /var/lib/keylime/tpm_cert_store/ + scp ${AGENT_IP_ADDR}:ftpm_tool/temp_ftpm_sim_prov/cert/ftpm_sim_i_ca_cert.pem /var/lib/keylime/tpm_cert_store/ + + sudo chown keylime:tss /var/lib/keylime + sudo chown keylime:tss /var/lib/keylime/cv_ca + sudo chown keylime:tss /var/lib/keylime/tpm_cert_store + + # Configure Keylime Verifier + sudo mkdir -p /usr/etc/keylime + sudo cp config/logging.conf config/verifier.conf config/ca.conf /usr/etc/keylime + + sudo vi /usr/etc/keylime/verifier.conf + # Find and update the configs + # ip = "${VERIFIER_IP_ADDR}" + # registrar_ip = ${REGISTRAR_IP_ADDR} + + # Configure Keylime Registrar + sudo cp config/logging.conf config/registrar.conf /usr/etc/keylime + + sudo vi /usr/etc/keylime/registrar.conf + # Find and Update the configs + # ip = "${REGISTRAR_IP_ADDR}" + + # Configure Keylime Tenant + sudo cp config/tenant.conf /usr/etc/keylime + + sudo vi /usr/etc/keylime/tenant.conf + # Find and update the configs + # verifier_ip = ${VERIFIER_IP_ADDR} + # registrar_ip = ${REGISTRAR_IP_ADDR} + # accept_tpm_signing_algs = ['rsassa', 'ecdsa'] +~~~ + + +### Keylime Agent Installation and Configuration on Jetson + +Perform the following steps on the Jetson device +(Verified on Ubuntu 22.04 with rust-keylime v0.2.6) + +#### Install and configure Keylime Agent + +~~~ + # Install Prerequisite Packages + sudo apt-get install git clang libarchive-dev libssl-dev libtss2-dev libzmq3-dev rust-all build-essential + + # Clone rust-keylime Repo + git clone --branch v0.2.6 https://github.com/keylime/rust-keylime.git + + # Build and Install rust-keylime + cd rust-keylime + make + sudo make install + + # Add user keylime + sudo useradd -g tss keylime + + # Create keylime DIRs + sudo mkdir -p /var/lib/keylime/cv_ca + sudo chown keylime:tss /var/lib/keylime + sudo chown keylime:tss /var/lib/keylime/cv_ca + + # Pause here, go to steps to "Launching Keylime Server from the host" + # The file 'cacert.crt' is from the Keylime Verifier. + # Copy the 'cacert.crt' file from the Keylime Verifier after the Verifier is launched. + sudo chown keylime:tss /var/lib/keylime/cv_ca/cacert.crt + + # Configure rust-keylime agent + sudo vi /etc/keylime/agent.conf + + # Find and update the configs + # ip = "${AGENT_IP_ADDR}" + # contact_ip = "${AGENT_IP_ADDR}" + # registrar_ip = "${REGISTRAR_IP_ADDR}" +~~~ + + +### Launching Keylime Server from the host + +~~~ + # Setup TPM interface on host (Choose 1 or 2 when launching Verifier or Registrar) + - 1. SWTPM interface if SWTPM is installed in previous steps + export TPM2TOOLS_TCTI="swtpm:port=2321" + - 2. TPM interface supported on the host machine + export TPM2TOOLS_TCTI="device:/dev/tpmrm0" +~~~ + +~~~ + # Open one terminal to launch Keylime Verifier + sudo su + export TPM2TOOLS_TCTI="swtpm:port=2321" or export TPM2TOOLS_TCTI="device:/dev/tpmrm0" + keylime_verifier + + # Open another terminal to launch Keylime Registrar + sudo su + export TPM2TOOLS_TCTI="swtpm:port=2321" or export TPM2TOOLS_TCTI="device:/dev/tpmrm0" + keylime_registrar + + # Open another terminal to copy the CA cert file to the Jetson device: + scp /var/lib/keylime/cv_ca/cacert.crt ${AGENT_IP_ADDR}:/var/lib/keylime/cv_ca/ + + # Go back to continue to "Install and configure Keylime Agent" +~~~ + + +### Launching Keylime Agent on the Jetson device + +~~~ + # Install tpm2-tools + sudo apt-get install tpm2-tools + + # Insert fTPM module + sudo su + export TPM2TOOLS_TCTI="device:/dev/tpmrm0" + + # Keylime Agent (Using fTPM RSA EK) + export KEYLIME_AGENT_TPM_HASH_ALG="sha256" + export KEYLIME_AGENT_TPM_ENCRYPTION_ALG="rsa" + export KEYLIME_AGENT_TPM_SIGNING_ALG="rsassa" + export KEYLIME_AGENT_EK_HANDLE="0x81010001" + export KEYLIME_AGENT_TPM_OWNERPASSWORD="owner" + + # Launching Keylime Agent (to register device to Keylime Registrar) + RUST_LOG=debug keylime_agent +~~~ + + +### Using Keylime Tenant to add or remove an IoT device + +~~~ + # Open a terminal on the host + + # Enroll the agent for TPM remote attestation + sudo keylime_tenant -c add -t ${AGENT_IP_ADDR} -u --cert /var/lib/keylime/cv_ca + (password: default) + + # Using "update" when SQL DB full + sudo keylime_tenant -c update -t ${AGENT_IP_ADDR} -u --cert /var/lib/keylime/cv_ca + + # Remove the agent for TPM remote attestation + sudo keylime_tenant -c delete -t ${AGENT_IP_ADDR} -u --cert /var/lib/keylime/cv_ca +~~~ + + * Note: uuid is d432fbb3-d2f1-4a97-9ef7-75bd81c00000. + + It is set in /etc/keylime/agent.conf file: + +~~~ + uuid = "d432fbb3-d2f1-4a97-9ef7-75bd81c00000" +~~~ + +### Using Keylime to Monitor Device Measurement + +Using Keylime to monitor PCR content and protect firmware integrity is a robust approach to maintaining device security. By leveraging TPM and storing critical measurements in PCR0, we can ensure that the integrity of the device is preserved from the earliest stages of the boot process. This proactive security measure helps in safeguarding against potential threats and maintaining trust in the device's operational state. + +~~~ + 1. Set value of tpm_hash_alg in /etc/keylime/agent.conf at device side. + + # List of hash algorithms used for PCRs + # Accepted values: sha512, sha384, sha256 + tpm_hash_alg = "sha256" + + 2. Get PCR0 value and launch keylime_agent at device side. + + # Dump hash value of all PCR banks + sudo tpm2_pcrread + + # Sample output + # sha256: + # 0 : 0x6095EAF50940A6F5DEAFAE6425DBC45C9828F4D6C99A001B7BA433D346FC5F67 + # 1 : 0x5C268A52829842D05B2AD2E7475F3FBD85D420706E129E285E891F0CC1076932 + # 2 : 0x3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969 + # ........ + # 23: 0x0000000000000000000000000000000000000000000000000000000000000000 + # Get the hash value of bank 0 which is measurement of MB2/OP-TEE/fTPM/UEFI + + 3. Add the device to be monitored at server side by its PCR0 hash value through keylime_tenant. PCR0 of sha256 value + is monitored which is configured from step 1. + + sudo keylime_tenant -c add -t -u --cert --tpm_policy '{"0":[""]}'” + # -t: device ip + # -u: uuid + # --cert: CA certificate configured. Normally it's under /var/lib/keylime/cv_ca + # --tpm_policy: JSON format policy to monitor TPM PCR, here we monitor PCR0 to check integrity of firmware images + which include MB2, OP-TEE, fTPM and UEFI. + + # Sample command: + sudo keylime_tenant -c add -t -u --cert --tpm_policy \ + '{"0":["6095EAF50940A6F5DEAFAE6425DBC45C9828F4D6C99A001B7BA433D346FC5F67"]}' + + 4. Modify MB2 content to build a new MB2 image which results in a different PCR0 hash value. + + 5. Flash the modified MB2 image and update tpm policy at server side through keylime_tenant by using "update" command + but still with previous PCR0 hash value. + + sudo keylime_tenant -c update -t -u --cert --tpm_policy '{"0":[""]}'” + # -t: device ip + # -u: uuid + # --cert: CA certificate configured. Normally it's under /var/lib/keylime/cv_ca + # --tpm_policy: JSON format policy to monitor TPM PCR, here we only monitor PCR0 to check integrity of firmware + images - MB2/TOS/CPUBL + + # Sample command: + sudo keylime_tenant -c update -t -u --cert --tpm_policy \ + '{"0":["6095EAF50940A6F5DEAFAE6425DBC45C9828F4D6C99A001B7BA433D346FC5F67"]}'” + + 6. The monitored device will be revoked due to PCR0 value from device side does not match to the one at server side. + + # Log dump at keylime_verifier + keylime.tpm - ERROR - PCR #0: 9c05e5bb9e5e00863a57b87464448ea8a445c8dfa6a3c8aed266cf14ea2c7d04 from quote (from agent d432fbb3-d2f1-4a97-9ef7-75bd81c00000) does not match expected value ['6095eaf50940a6f5deafae6425dbc45c9828f4d6c99a001b7ba433d346fc5f67'] +~~~ + +### PCR0 Measurement Calculation + +Platform Configuration Registers (PCRs) are registered in the TPM that store integrity measurements of the system's state. They are used to ensure that the system has not been tampered with and that it is in a known good state. “PCR extend” is to extend the value of a PCR with a new hash value. + +~~~ + PCR_new = HASH(PCR_old || new hash) + # PCR_old is the current PCR value + # new hash is the value to being added + # PCR_new is the updated PCR value +~~~ + +PCR0 represents the measurement of various firmware images such as MB2, OP-TEE, fTPM, UEFI. This measurement includes values computed using SHA-256, SHA-384 and SHA-512 cryptographic hash functions. + +The SHA-512 value for each firmware image is embedded within the BCH header and can be directly extracted and utilized. In contrast, the SHA-256 and SHA-384 values are derived from the SHA-512 value, rather than being direct measurements of the firmware image. + +The tool **ftpm_gen_measurement_list.py** can be used to generate PCR0 content from firmware images directly. + +~~~ + python3 ftpm_gen_measurement_list.py \ + --platform \ + --mb2_image \ + --secure_os_image \ + --uefi_image + + # --platform: t234 is the only supported platform for now + # --mb2_image: mb2 image file + # --secure_os_image: secure OS image file + # --uefi_image: UEFI image file +~~~ + +Command example: + +~~~ + python3 ftpm_gen_measurement_list.py \ + --platform t234 \ + --mb2_image mb2_t234_with_mb2_cold_boot_bct_MB2_sigheader_encrypt.bin.signed \ + --secure_os_image tos-optee_t234_sigheader_encrypt.img.signed \ + --uefi_image uefi_jetson_with_dtb_aligned_blob_w_bin_sigheader_encrypt.bin.signed + + # Sample output of PCR0 content: + INFO: + SHA256 PCR value: 4EE357BA9620020F65F542A8F71103397F95173744F5ECAB10528D3D6D719D40 + INFO: + SHA384 PCR value: 011E66783D35E158C0DD4D1C9AA6A308221E76B96DF020E554FD48BC19BBB6641CE2F992F94AD021EB091969B2614143 + INFO: + SHA512 PCR value: 4977E0D73BCE8D5675B9337D6126958A64BE682B62AE3161CBFF43B8A5BA0E36A4FEAE096E314649D1905F2D39D492C021E06CEBEB3CCC7747F0262167A59848 +~~~ + diff --git a/optee/samples/ftpm-helper/host/tool/conf/ftpm_sim_ek_csr.config b/optee/samples/ftpm-helper/host/tool/conf/ftpm_sim_ek_csr.config new file mode 100644 index 0000000..7da6b7d --- /dev/null +++ b/optee/samples/ftpm-helper/host/tool/conf/ftpm_sim_ek_csr.config @@ -0,0 +1,18 @@ +# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved. +# SPDX-License-Identifier: BSD-2-Clause +[req] +encrypt_key = yes +prompt = no +utf8 = yes +string_mask = utf8only +certificatePolicies = 2.23.133.2.1 +distinguished_name = dn +req_extensions = req_ext +[dn] +organizationName = "fTPM SIM DEV" +organizationalUnitName = "fTPM SIM DEV Device D01" +commonName = "fTPM SIM DEV Device" +C = "US" +[req_ext] +basicConstraints = critical,CA:FALSE +keyUsage = keyEncipherment diff --git a/optee/samples/ftpm-helper/host/tool/conf/ftpm_sim_i_ca_csr.config b/optee/samples/ftpm-helper/host/tool/conf/ftpm_sim_i_ca_csr.config new file mode 100644 index 0000000..3bbcea6 --- /dev/null +++ b/optee/samples/ftpm-helper/host/tool/conf/ftpm_sim_i_ca_csr.config @@ -0,0 +1,21 @@ +# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved. +# SPDX-License-Identifier: BSD-2-Clause +[req] +encrypt_key = yes +prompt = no +utf8 = yes +string_mask = utf8only +distinguished_name = dn +x509_extensions = ca_ext + +[ca_ext] +keyUsage = critical, keyCertSign, cRLSign +basicConstraints = CA:true +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer + +[dn] +organizationName = "fTPM SIM DEV" +organizationalUnitName = "fTPM SIM DEV I01" +commonName = "fTPM SIM DEV Intermediate CA" +C = "US" diff --git a/optee/samples/ftpm-helper/host/tool/conf/ftpm_sim_root_ca_csr.config b/optee/samples/ftpm-helper/host/tool/conf/ftpm_sim_root_ca_csr.config new file mode 100644 index 0000000..cd42baf --- /dev/null +++ b/optee/samples/ftpm-helper/host/tool/conf/ftpm_sim_root_ca_csr.config @@ -0,0 +1,20 @@ +# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved. +# SPDX-License-Identifier: BSD-2-Clause +[req] +encrypt_key = yes +prompt = no +utf8 = yes +string_mask = utf8only +distinguished_name = dn +x509_extensions = ca_ext + +[ca_ext] +keyUsage = critical, keyCertSign, cRLSign +basicConstraints = CA:true +subjectKeyIdentifier = hash + +[dn] +organizationName = "fTPM SIM DEV" +organizationalUnitName = "fTPM SIM DEV R01" +commonName = "fTPM SIM DEV Root CA" +C = "US" diff --git a/optee/samples/ftpm-helper/host/tool/ftpm_gen_measurement_list.py b/optee/samples/ftpm-helper/host/tool/ftpm_gen_measurement_list.py new file mode 100755 index 0000000..9ce9f45 --- /dev/null +++ b/optee/samples/ftpm-helper/host/tool/ftpm_gen_measurement_list.py @@ -0,0 +1,207 @@ +#!/usr/bin/env python3 + +# SPDX-FileCopyrightText: Copyright (c) 2025, NVIDIA Corporation. All Rights Reserved. +# SPDX-License-Identifier: BSD-2-Clause + +""" +ftpm_gen_measurement_list.py: + Generate measurement list of PCR to be monitored in measured boot flow. + PCR0 only for now. + +Usage: + python ftpm_gen_measurement_list.py \ + --platform \ + --mb2_image \ + --secure_os_image \ + --uefi_image + +Example: + python ftpm_gen_measurement_list.py \ + --platform t234 \ + --mb2_image mb2_t234_with_mb2_cold_boot_bct_MB2_sigheader_encrypt.bin.signed \ + --secure_os_image tos-optee_t234_sigheader_encrypt.img.signed \ + --uefi_image uefi_jetson_with_dtb_aligned_blob_w_bin_sigheader_encrypt.bin.signed + + output: + INFO: + SHA256 PCR value: +""" + +import hashlib +import sys +from typing import List +import binascii +import os +import logging +import argparse + +# Configure global constants +PLATFORM_OFFSETS = { + "t234": { + "magic": 0x1400, + "hash": 0x1460 + } +} + +BINARY_MAGIC_ORDER = ["MB2B", "TOSB", "CPBL"] # Expected order of binary magic strings +SUPPORTED_ALGORITHMS = ["sha256"] # Supported hashing algorithms +UEFI_SUPPORTED_MEASUREMENT = ["sha256", "sha384"] # UEFI-supported hash measurements +EV_SEPARATOR_DATA = bytes.fromhex("00000000") # Defined by TCG PC Client Platform Firmware Profile Spec + +def configure_logging() -> None: + """ + Configure logging. + """ + logging.basicConfig(level=logging.INFO, format="%(levelname)s: %(message)s") + +def validate_files(files: List[str], platform: str) -> None: + """ + Validates the existence and order of specified files. + + Args: + files (List[str]): List of file paths to validate. + platform (str): Target platform. + + Raises: + ValueError: If any file doesn't exist or is not accessible. + """ + for i, f in enumerate(files): + if not os.path.isfile(f): + raise ValueError(f"File '{f}' does not exist or is not accessible.") + magic = read_magic_from_file(f, platform) + if magic != BINARY_MAGIC_ORDER[i]: + raise ValueError(f"'{f}' should have magic '{BINARY_MAGIC_ORDER[i]}', but found '{magic}'") + +def read_magic_from_file(file: str, platform: str) -> str: + """ + Read the magic string from a file at a specified offset. + + Args: + file (str): Path to the file. + platform (str): Target platform. + + Returns: + str: The magic string. + """ + with open(file, 'rb') as f: + f.seek(PLATFORM_OFFSETS[platform]["magic"]) + magic = f.read(4).decode("utf-8") + logging.debug(f"Read magic '{magic}' from file '{file}'.") + return magic + +def read_hash_from_file(file: str, platform: str) -> bytes: + """ + Read the SHA-512 hash from a file at a specified offset. + + Args: + file (str): Path to the file. + platform (str): Target platform. + + Returns: + bytes: SHA-512 hash. + """ + with open(file, 'rb') as f: + f.seek(PLATFORM_OFFSETS[platform]["hash"]) + raw_data = f.read(hashlib.sha512().digest_size) + if len(raw_data) != hashlib.sha512().digest_size: + raise ValueError(f"File '{file}' has insufficient data for hash calculation.") + logging.debug(f"Read SHA-512 hash from file '{file}'.") + return raw_data + +def calculate_pcr(files: List[str], algorithm: str, platform: str) -> str: + """ + Calculate the PCR value by hashing measurement of binary files with a specified algorithm. + + Args: + files (List[str]): List of binary file paths. + algorithm (str): Supported hash algorithm. + platform (str): Target platform. + + Returns: + str: The PCR value. + """ + if algorithm not in SUPPORTED_ALGORITHMS: + raise ValueError(f"Unsupported hash algorithm '{algorithm}'") + + pcr_result = bytearray(hashlib.new(algorithm).digest_size) # Initialize PCR buffer to 0 + + for f in files: + try: + hash_value = read_hash_from_file(f, platform) + # If UEFI-supported hash algorithm, hash the SHA-512 value + # This is to ensure the hash value is the same as the one calculated by MB2 + if algorithm in UEFI_SUPPORTED_MEASUREMENT: + hash_value = hashlib.new(algorithm, hash_value).digest() + + pcr_result = hashlib.new(algorithm, pcr_result + hash_value).digest() + + except Exception as e: + raise ValueError(f"Error processing file '{f}': {e}") + + if algorithm in UEFI_SUPPORTED_MEASUREMENT: + separator_event = hashlib.new(algorithm, EV_SEPARATOR_DATA).digest() + pcr_result = hashlib.new(algorithm, pcr_result + separator_event).digest() + + return binascii.hexlify(pcr_result).upper().decode() + +def main() -> None: + """ + Main function to orchestrate the PCR generation process. + """ + parser = argparse.ArgumentParser( + description='Generate measured boot list of PCR to be monitored in measured boot flow' + ) + + # Add platform argument + parser.add_argument( + '--platform', + required=True, + choices=['t234'], + help='Target platform.' + ) + + # Add arguments for MB2, Secure OS, and UEFI images + parser.add_argument( + '--mb2_image', + required=True, + help='MB2 image name.' + ) + parser.add_argument( + '--secure_os_image', + required=True, + help='The image includes ATF, OPTEE, pseudo TAs, and all early TAs such as fTPM.' + ) + parser.add_argument( + '--uefi_image', + required=True, + help='UEFI image name.' + ) + + args = parser.parse_args() + + # Get platform + platform = args.platform + + # Collect files into a list + mb2_image = args.mb2_image + secure_os_image = args.secure_os_image + uefi_image = args.uefi_image + files = [mb2_image, secure_os_image, uefi_image] + + # Configure logging settings for the tool + configure_logging() + + # Validate the existence and order of all image files + validate_files(files, platform) + + # Calculate PCR values for all supported hash algorithms + for algorithm in SUPPORTED_ALGORITHMS: + try: + pcr_value = calculate_pcr(files, algorithm, platform) + logging.info(f"\n{algorithm.upper()} PCR value: {pcr_value}") + except ValueError as e: + logging.error(f"Error calculating PCR: {e}") + +if __name__ == "__main__": + main() + diff --git a/optee/samples/ftpm-helper/host/tool/ftpm_sim_provisioning_tool.sh b/optee/samples/ftpm-helper/host/tool/ftpm_sim_provisioning_tool.sh new file mode 100755 index 0000000..a9b9203 --- /dev/null +++ b/optee/samples/ftpm-helper/host/tool/ftpm_sim_provisioning_tool.sh @@ -0,0 +1,254 @@ +#!/bin/bash + +# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved. +# SPDX-License-Identifier: BSD-2-Clause + +# Depends on tpm2-tools, tpm2-tss +# $ apt-get install tpm2-tools + +set -e + +export TPM2TOOLS_TCTI="device:/dev/tpmrm0" + +RSA_EK_HANDLE="0x81010001" +EC_EK_HANDLE="0x81010002" +RSA_EK_CERT_HANDLE="0x01c00002" +EC_EK_CERT_HANDLE="0x01c0000a" + +OWNER_PW="owner" + +TEMP_DIR="./temp_ftpm_sim_prov" +TEMP_CERT_DIR="${TEMP_DIR}/cert" + +FTPM_SIM_ROOT_CA_CONF="conf/ftpm_sim_root_ca_csr.config" +FTPM_SIM_I_CA_CONF="conf/ftpm_sim_i_ca_csr.config" +FTPM_SIM_EK_CSR_CONF="conf/ftpm_sim_ek_csr.config" + +# TPM EK cert attribute +EK_CERT_ATTR="ppwrite|writedefine|ppread|ownerread|authread|no_da|platformcreate" + +function check_config_file() { + local conf_file="$1" + + if [ ! -f "${conf_file}" ]; then + echo "[ERROR] Configuration file not found: ${conf_file}" + return 1 + elif [ ! -r "${conf_file}" ]; then + echo "[ERROR] Configuration file not readable: ${conf_file}" + return 1 + elif [ ! -s "${conf_file}" ]; then + echo "[ERROR] Configuration file is empty: ${conf_file}" + return 1 + fi + return 0 +} + +# Check if the configuration files exist +for conf_file in "${FTPM_SIM_ROOT_CA_CONF}" "${FTPM_SIM_I_CA_CONF}" "${FTPM_SIM_EK_CSR_CONF}"; do + if ! check_config_file "${conf_file}"; then + exit 1 + fi +done + +function check_ftpm_provision_state() { + ftpm_prov_st="$(nvftpm-helper-app -i 2>&1 | grep "Invalid provision mode!")" + + if [ -z "${ftpm_prov_st}" ]; then + echo "Warning: fTPM is already provisioned." + exit 1 + fi +} + +function tpm_ek_prov() { + local _rsa_ek_alg="rsa" + local _ec_ek_alg="ecc" + local _pub_rsa_ek_pem="${TEMP_DIR}/pub_rsa_ek.pem" + local _pub_ec_ek_pem="${TEMP_DIR}/pub_ec_ek.pem" + + mkdir -p ${TEMP_DIR} + + echo "[fTPM SIM Provisioning][FOR DEV ONLY]: Creating EK." + tpm2_createek -c ${RSA_EK_HANDLE} -G ${_rsa_ek_alg} -f pem -u ${_pub_rsa_ek_pem} -w ${OWNER_PW} -P ${OWNER_PW} + tpm2_createek -c ${EC_EK_HANDLE} -G ${_ec_ek_alg} -f pem -u ${_pub_ec_ek_pem} -w ${OWNER_PW} -P ${OWNER_PW} +} + +function create_self_signed_root_ca_cert() { + local _root_ca_priv_key_pem="${TEMP_CERT_DIR}/ftpm_sim_root_ca_priv_key.pem" + local _root_ca_cert="${TEMP_CERT_DIR}/ftpm_sim_root_ca_cert.pem" + + mkdir -p ${TEMP_CERT_DIR} + + echo "[fTPM SIM Provisioning][FOR DEV ONLY]: Creating self-signed Root CA Certificate." + + # Generate a root CA key pair + openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ${_root_ca_priv_key_pem} 2>/dev/null + + # Create self-signed CA cert + openssl req -batch -verbose -new -sha256 -x509 -days 30 -config ${FTPM_SIM_ROOT_CA_CONF} -key ${_root_ca_priv_key_pem} -out ${_root_ca_cert} 2>/null +} + +function create_intermediate_ca_cert() { + local _i_ca_priv_key_pem="${TEMP_CERT_DIR}/ftpm_sim_i_ca_priv_key.pem" + local _i_ca_csr="${TEMP_CERT_DIR}/ftpm_sim_i_ca_csr.pem" + local _i_ca_cert="${TEMP_CERT_DIR}/ftpm_sim_i_ca_cert.pem" + local _root_ca_cert="${TEMP_CERT_DIR}/ftpm_sim_root_ca_cert.pem" + local _root_ca_priv_key_pem="${TEMP_CERT_DIR}/ftpm_sim_root_ca_priv_key.pem" + + mkdir -p ${TEMP_CERT_DIR} + + echo "[fTPM SIM Provisioning][FOR DEV ONLY]: Creating Intermediate CA Certificate." + + # Generate an ICA key pair. + openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ${_i_ca_priv_key_pem} 2>/dev/null + + # Generate the intermediate CA CSR + openssl req -sha256 -new -key ${_i_ca_priv_key_pem} -config ${FTPM_SIM_I_CA_CONF} -out ${_i_ca_csr} 2>/dev/null + + # Sign the intermediate CA CSR + openssl x509 -in ${_i_ca_csr} -req -keyform PEM -CA ${_root_ca_cert} -CAkey ${_root_ca_priv_key_pem} -CAcreateserial -sha256 \ + -days 30 -extensions ca_ext -extfile ${FTPM_SIM_I_CA_CONF} -out ${_i_ca_cert} 2>/dev/null + + # Verify the intermediate CA certificate + echo "[fTPM SIM Provisioning][FOR DEV ONLY]: Validating the Intermediate CA Certificate." + openssl verify -CAfile ${_root_ca_cert} ${_i_ca_cert} +} + +function create_tpm_ek_cert() { + local _temp_priv_key="${TEMP_CERT_DIR}/temp_priv_key.pem" + local _ek_csr="${TEMP_CERT_DIR}/ftpm_sim_${1}_ek_csr.pem" + local _pub_ek_pem="${TEMP_DIR}/pub_${1}_ek.pem" + local _i_ca_priv_key_pem="${TEMP_CERT_DIR}/ftpm_sim_i_ca_priv_key.pem" + local _i_ca_cert="${TEMP_CERT_DIR}/ftpm_sim_i_ca_cert.pem" + local _root_ca_cert="${TEMP_CERT_DIR}/ftpm_sim_root_ca_cert.pem" + local _ek_cert="${TEMP_CERT_DIR}/ftpm_sim_${1}_ek_cert.der" + local _ek_cert_pem="${TEMP_CERT_DIR}/ftpm_sim_${1}_ek_cert.pem" + local _cert_file_size; + local _ek_cert_handle; + local _ek_handle; + local _ossl_keygen_opt; + + echo "[fTPM SIM Provisioning][FOR DEV ONLY]: Creating TPM ${1} EK Certificates." + + case "${1}" in + rsa) + _ek_cert_handle="${RSA_EK_CERT_HANDLE}" + _ek_handle="${RSA_EK_HANDLE}" + _ossl_keygen_opt="-algorithm RSA -pkeyopt rsa_keygen_bits:2048" + ;; + ec) + _ek_cert_handle="${EC_EK_CERT_HANDLE}" + _ek_handle="${EC_EK_HANDLE}" + _ossl_keygen_opt="-algorithm EC -pkeyopt ec_paramgen_curve:P-256 -pkeyopt ec_param_enc:named_curve" + ;; + esac + + # Create a temp key + openssl genpkey ${_ossl_keygen_opt} -out ${_temp_priv_key} 2>/dev/null + + # Create CSR with the temp key + openssl req -sha256 -new -key ${_temp_priv_key} -config ${FTPM_SIM_EK_CSR_CONF} -out ${_ek_csr} + + # Sign CSR and replace the temp key with TPM2 EK + openssl x509 -in ${_ek_csr} -req -force_pubkey ${_pub_ek_pem} -keyform PEM -CA ${_i_ca_cert} -CAkey ${_i_ca_priv_key_pem} \ + -CAcreateserial -extensions req_ext -extfile ${FTPM_SIM_EK_CSR_CONF} -days 30 -sha256 -outform DER -out ${_ek_cert} + + # Verify the certificate + echo "[fTPM SIM Provisioning][FOR DEV ONLY]: Verifying TPM ${1} EK Certificate." + openssl x509 -inform DER -outform PEM -in ${_ek_cert} -out ${_ek_cert_pem} + openssl verify -CAfile ${_root_ca_cert} -untrusted ${_i_ca_cert} -show_chain ${_ek_cert_pem} + + # Store the certificate into TPM + echo "[fTPM SIM Provisioning][FOR DEV ONLY]: Writing TPM ${1} EK Certificate." + _cert_file_size=$(wc -c < ${_ek_cert}); + tpm2_nvdefine ${_ek_cert_handle} -C p -a ${EK_CERT_ATTR} -s ${_cert_file_size} + tpm2_nvwrite ${_ek_cert_handle} -C p -i ${_ek_cert} +} + +function sign_ek_cert () { + create_self_signed_root_ca_cert + create_intermediate_ca_cert + create_tpm_ek_cert "rsa" + create_tpm_ek_cert "ec" +} + +function tpm_take_ownership () { + echo "[fTPM SIM Provisioning][FOR DEV ONLY]: Taking TPM ownership." + + tpm2_changeauth -c o ${OWNER_PW}; + tpm2_changeauth -c e ${OWNER_PW}; +} + +function tpm_clear () { + echo "[fTPM SIM Provisioning][FOR DEV ONLY]: Deprovisioning the fTPM & changing EPS." + + tpm2_changeeps; + tpm2_clear; + + tpm2_nvundefine -C p ${RSA_EK_CERT_HANDLE} + tpm2_nvundefine -C p ${EC_EK_CERT_HANDLE} +} + +function tpm_dump_caps() { + local _caps=("persistent" "transient" "nv-index" "loaded-session" "saved-session"); + + tpm2_getcap properties-variable; + + for i in "${_caps[@]}" + do + echo "-- ${i} --" + tpm2_getcap handles-${i}; + done +} + +case "${1}" in + ek_prov) + check_ftpm_provision_state; + tpm_take_ownership; + tpm_ek_prov; + sign_ek_cert; + ;; + clear) + check_ftpm_provision_state; + tpm_clear; + ;; + dump) + tpm_dump_caps; + ;; + *) + echo "Usage ${0} {ek_prov | clear | dump}" + echo "" + echo "Description:" + echo " This tool is for fTPM simulation only. It provides the fTPM SIM provisioning" + echo " for development only. After the fTPM is provisioned, it can be used as a TPM" + echo " simulator for local environment testing and development purpose." + echo "" + echo "Warning:" + echo " 1. This is not a production tool. It shouldn't be used in production environment." + echo " The fTPM SIM CA and EK certificates are not signed by a real authority." + echo " You shouldn't use them for any business purpose." + echo " 2. Don't use this script on a fTPM provisioned device. It could cause damages of" + echo " the fTPM functionality." + echo "" + echo "How to use:" + echo " 1. Provision the fTPM with the following command:" + echo " >./ftpm_sim_provisioning_too.sh ek_prov" + echo "" + echo " The fTPM SIM CA certificates can be found in the file:" + echo " fTPM SIM Root CA: temp_ftpm_sim_prov/cert/ftpm_sim_root_ca_cert.pem" + echo " fTPM SIM ICA: temp_ftpm_sim_prov/cert/ftpm_sim_i_ca_cert.pem" + echo "" + echo " 2. To clear the fTPM contents, use the following command:" + echo " >./ftpm_sim_provisioning_tool.sh clear" + echo "" + echo " 3. To dump fTPM capabilities:" + echo " >./ftpm_sim_provisioning_tool.sh dump" + echo "" + echo "Options:" + echo "" + echo "* ek_prov: the fTPM SIM provisioning for development only." + echo "" + echo "* clear: Clear fTPM contents." + echo "" + echo "* dump: Dump fTPM capabilities." + ;; +esac diff --git a/optee/samples/ftpm-helper/host/tool/kdk_gen.py b/optee/samples/ftpm-helper/host/tool/kdk_gen.py index e3d4536..2726e91 100755 --- a/optee/samples/ftpm-helper/host/tool/kdk_gen.py +++ b/optee/samples/ftpm-helper/host/tool/kdk_gen.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 -# Copyright (c) 2023-2024, NVIDIA CORPORATION & AFFILIATES. All rights reserved. +# SPDX-FileCopyrightText: Copyright (c) 2023-2025, NVIDIA CORPORATION & AFFILIATES. All rights reserved. # SPDX-License-Identifier: BSD-2-Clause import argparse @@ -85,7 +85,7 @@ def gen_ecdsa_private_key(seed: bytes): def convert_sn_endian(sn: bytes) -> bytes: # The device SN is 10 bytes, and has the format: # - # oem_id is stored in fuse "odm_info" which is a 4-byte fuse + # oem_id is stored in fuse "odm_info" # All 4-byte or less Tegra fuses are stored in little-endian so we need # to convert the endian of oem_id in device SN before doing the key calculation # The left 8 bytes don't have an endian issue - it is big-endian everywhere @@ -143,13 +143,28 @@ def get_device_sn(oem_id: int, sn: int) -> bytes: device_sn += sn_low return device_sn +# Get the kdk string by stripping the hex prefix, check its length and validity as a hex string +# Returning empty string if the provided kdk string does not meet the standard +def get_kdk_string(kdk: str) -> str: + kdk_str = kdk.strip() + if kdk_str.startswith("0x") or kdk_str.startswith("0X"): + kdk_str = kdk_str[2:] + if len(kdk_str) != 64: + return "" + try: + int(kdk_str, 16) + except ValueError: + return "" + return kdk_str.lower() + def main(): parser = argparse.ArgumentParser(description='The KDK db generation tool.') parser.add_argument('--oem_id', help='The ID of the OEM vendor. A positive 16-bit integer in hex format') parser.add_argument('--sn', help='The beginning of device serial number. A positive 64-bit unsigned integer in hex format') parser.add_argument('--num_devices', type=int, help='the number of devices') parser.add_argument("--destroy", action='store', help='destroy the kdk database') - parser.add_argument("--preset", help='use the preset KDK database(for testing purpose only)') + parser.add_argument("--preset", help='use the preset KDK database') + parser.add_argument("--fixed", action='store_true', help='Use the fixed KDK value. Requires the --preset option to be set, with the first value in the file used as the fixed KDK.') parser.add_argument("--prov_mode", type=str, default="offline", help="The fTPM provisioning mode (offline or online). The default is offline.") parser.add_argument("--silicon_id_csr_cn", type=str, default="Silicon-ID-ECA", help="The common name of the Silicon ID CSR (Certificate Signing Request).") parser.add_argument("--silicon_id_csr_og", type=str, default="fTPM Corp", help="The organization name of the Silicon ID CSR (Certificate Signing Request).") @@ -197,19 +212,26 @@ def main(): print("Write access denied on ", output_dir) raise PermissionError + if args.fixed == True and args.preset == None: + raise ValueError("--fixed option must be used with the --preset option") preset_kdks = [] + fixed_kdk="" if args.preset != None: with open(args.preset, 'r') as file: preset_kdks = file.readlines() - if len(preset_kdks) != args.num_devices: + if args.fixed == True: + if len(preset_kdks) < 1: + raise ValueError("Error: incorrect number of values specified by --preset: ", len(preset_kdks)) + elif len(preset_kdks) != args.num_devices: raise ValueError("The number of preset KDKs is not equal to the number of devices") for i in range(0, len(preset_kdks)): - device_kdk = preset_kdks[i].strip() - if device_kdk.startswith("0x") or device_kdk.startswith("0X"): - device_kdk = device_kdk[2:] - if len(device_kdk) != 64: + device_kdk = get_kdk_string(preset_kdks[i]) + if not device_kdk: raise ValueError("Invalid preset KDK@" + str(i + 1) + " found: " + preset_kdks[i]) + if args.fixed == True: + fixed_kdk = device_kdk + break preset_kdks[i] = device_kdk device_sn = get_device_sn(args.oem_id, args.sn) @@ -228,7 +250,9 @@ def main(): quotechar='|', quoting=csv.QUOTE_MINIMAL) for i in range(0, args.num_devices): - if len(preset_kdks) > 0: + if fixed_kdk: + device_kdk = fixed_kdk + elif len(preset_kdks) > 0: device_kdk = preset_kdks[i] else: device_kdk = binascii.b2a_hex(os.urandom(32)).decode() diff --git a/optee/samples/ftpm-helper/host/tool/odm_ekb_gen.py b/optee/samples/ftpm-helper/host/tool/odm_ekb_gen.py index 1b0bf48..c123c33 100755 --- a/optee/samples/ftpm-helper/host/tool/odm_ekb_gen.py +++ b/optee/samples/ftpm-helper/host/tool/odm_ekb_gen.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 -# Copyright (c) 2023-2024, NVIDIA CORPORATION & AFFILIATES. All rights reserved. +# Copyright (c) 2023-2025, NVIDIA CORPORATION & AFFILIATES. All rights reserved. # SPDX-License-Identifier: BSD-2-Clause import argparse @@ -90,7 +90,7 @@ def display_device_sn(sn: bytes) -> str: def convert_sn_endian(sn: bytes) -> bytes: # The device SN is 10 bytes, and has the format: # - # oem_id is stored in fuse "odm_info" which is a 4-byte fuse + # oem_id is stored in fuse "odm_info" # All 4-byte or less Tegra fuses are stored in little-endian so we need # to convert the endian of oem_id in device SN before doing the key calculation # The left 8 bytes don't have an endian issue - it is big-endian everywhere diff --git a/optee/samples/ms-tpm-20-ref/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/fTPM.c b/optee/samples/ms-tpm-20-ref/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/fTPM.c index 72384c5..abb73e9 100644 --- a/optee/samples/ms-tpm-20-ref/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/fTPM.c +++ b/optee/samples/ms-tpm-20-ref/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/fTPM.c @@ -217,8 +217,6 @@ TEE_Result TA_CreateEntryPoint(void) _plat__SetTimerAvail(); fTPMEarlyInit = false; if (fTPMEarlyInitDone) { - // Clear the init flag to do the normal init again. - fTPMInitialized = false; // Non-secure world OP-TEE services are ready to connect. fTPMNSInitReady = true; } @@ -233,16 +231,6 @@ TEE_Result TA_CreateEntryPoint(void) fTPMEarlyInit = true; } - // If we've been here before, don't init again. - if (fTPMInitialized) { - // We may have had TA_DestroyEntryPoint called but we didn't - // actually get torn down. Re-NVEnable, just in case. - if (_plat__NVEnable(NULL) == 0) { - TEE_Panic(TEE_ERROR_BAD_STATE); - } - return TEE_SUCCESS; - } - // Initialize NV admin state _admin__NvInitState(); @@ -320,12 +308,14 @@ Exit: g_chipFlags.fields.TpmStatePresent = 1; _admin__SaveChipFlags(); - // Initialization complete - fTPMInitialized = true; // Early initialization complete if (fTPMEarlyInit) fTPMEarlyInitDone = true; + // Initialization complete + if (fTPMNSInitReady) + fTPMInitialized = true; + #ifdef MEASURED_BOOT if (tpmEventLogProcessed) goto Measured_boot_done; @@ -393,8 +383,18 @@ TEE_Result TA_OpenSessionEntryPoint(uint32_t param_types, // Active session fTPMSessionActive = true; + // If we've been here before, don't init again. + if (fTPMInitialized) { + // We may have had TA_DestroyEntryPoint called but we didn't + // actually get torn down. Re-NVEnable, just in case. + if (_plat__NVEnable(NULL) == 0) { + TEE_Panic(TEE_ERROR_BAD_STATE); + } + return TEE_SUCCESS; + } + // Check normal world status to re-init fTPM - if (fTPMEarlyInitDone && + if (!fTPMInitialized && (TEE_SUCCESS == ping_ns_world())) TA_CreateEntryPoint(); @@ -420,6 +420,10 @@ void TA_CloseSessionEntryPoint(void *sess_ctx) if (fTPMSessionActive) { fTPMSessionActive = false; } + + if (fTPMInitialized) { + TA_DestroyEntryPoint(); + } } // diff --git a/optee/samples/ms-tpm-20-ref/TPMCmd/tpm/src/subsystem/PCR.c b/optee/samples/ms-tpm-20-ref/TPMCmd/tpm/src/subsystem/PCR.c index 76c9e1f..aee1910 100644 --- a/optee/samples/ms-tpm-20-ref/TPMCmd/tpm/src/subsystem/PCR.c +++ b/optee/samples/ms-tpm-20-ref/TPMCmd/tpm/src/subsystem/PCR.c @@ -1230,7 +1230,7 @@ PCRCapGetHandles(TPMI_DH_PCR handle, // IN: start handle // This function is for fTPM TA internal use only. // It saves the PCR values during early boot stage. // https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClient_PFP_r1p05_v23_pub.pdf#page=36 -#define BACKUP_LAST_PCR_INDEX 7 +#define BACKUP_LAST_PCR_INDEX 15 void PCRBankSave(void) { INT32 pcr, i; diff --git a/push_info.txt b/push_info.txt index eefca6d..0b1f281 100644 --- a/push_info.txt +++ b/push_info.txt @@ -1 +1 @@ -jetson_36.4.3 +jetson_36.4.4