Optee TAs

[brianmcgillion]

First off, thank you for this amazing work!!

I am currently testing on the Orin AGX devkit, I tested this a week or 10 days ago and only getting to raise the question now:

I am not sure if this is a feature request or an - educate an ignorant user issue - I'm still new to nix in general, but here goes:

It appears the default TAs are built in https://github.com/anduril/jetpack-nixos/blob/master/optee.nix#L84 and https://github.com/anduril/jetpack-nixos/blob/master/optee.nix#L190.

However, they are not exported in a package, either optee-os or a potential optee-os-ta. If I scp the binaries to the target system from the /nix/store/.....ta, I can use them. Which leads to point 2.

Optee-client defaults to using /lib as the root search directory for the supplicant to load the TA from as defined by CFG_TEE_CLIENT_LOAD_PATH : https://nv-tegra.nvidia.com/r/gitweb?p=tegra/optee-src/nv-optee.git;a=blob;f=optee/optee_client/config.mk;h=24904af9cef9f504747549c3fc87fe06d27f14be;hb=5ac2ab218ba9116f1df4a0bb5092b1f6d810e8f7#l37

This is not very nix-y :) So I think that when building opteeClient https://github.com/anduril/jetpack-nixos/blob/master/optee.nix#L32 the CFG_TEE_CLIENT_LOAD_PATH should be set to the package that exports the TAs from point 1).

For some reason the OpTEE developers are not happy to set a load path, but rather it is a load path prefix which then needs a ta dev_path to be combined with it - line 82:
https://nv-tegra.nvidia.com/r/gitweb?p=tegra/optee-src/nv-optee.git;a=blob;f=optee/optee_client/tee-supplicant/src/teec_ta_load.c;h=2cb5e98170ed9dd999c45715c8113636f22a1c2b;hb=5ac2ab218ba9116f1df4a0bb5092b1f6d810e8f7#l82

Which means that the supplicant needs to be launched with -t <sub dir> to find the ta.

Summary of steps I previously followed:
Build and flash firmware, and system image
scp /nix/store/....pkcs11.ta /lib/ta
ssh
install pkcs11-tool
Stop the tee-supplicant with systemctl
manually start tee-supplicant with -t ta
then run pkcs11-tool to test the TA is loaded and responding

So ultimately, the question is: which package should export the TAs? Then this can be plugged into the CFG_TEE_CLIENT_LOAD_PATH to build the client, and the subdirectory can be passed to the systemd unit when launching the supplicant.

I had 2 proposals, not sure either is good. Either add an installPhase to buildOptee or add another package like buildOpteeTaDevKit or buildNvLuksSrv called optee-ta that exposes the tas.

Sorry! This turned into a thesis.

[jmbaur]

Thanks for marking this issue. This is something I wanted to come back to after
adding the optee builds to this repo. There are definitely a few aspects of the
optee build we currently have that we want to cleanup. The tee-supplicant secure
filesystem (defaults to /data/tee), TA directory (defaults to /lib/optee_armtz),
and plugin path (defaults to /usr/lib/tee-supplicant/plugins) all being some of
the pieces that we can add NixOS options for in the module.

As for CFG_TEE_CLIENT_LOAD_PATH, maybe setting it to something hardcoded like
/var/lib/optee would suffice, then the NixOS module (or really anything else)
can place the TAs under that directory. Is there a benefit to building optee
client with the load path set within the nix build, but not as a builtin TA
(i.e. one of the early TAs)? It seems limiting to set the load path for runtime
TAs to a directory whose contents cannot be updated at runtime. With that said,
if /var/lib/optee is the load path, the optee client would require adding
CFG_TEE_CLIENT_LOAD_PATH to the build flags and the systemd service for
tee-supplicant would require adding the --ta-dir/-t flag. Does that sound
good?