You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
However, they are not exported in a package, either optee-os or a potential optee-os-ta. If I scp the binaries to the target system from the /nix/store/.....ta, I can use them. Which leads to point 2.
Which means that the supplicant needs to be launched with -t <sub dir> to find the ta.
Summary of steps I previously followed:
Build and flash firmware, and system image
scp /nix/store/....pkcs11.ta /lib/ta
ssh
install pkcs11-tool
Stop the tee-supplicant with systemctl
manually start tee-supplicant with -t ta
then run pkcs11-tool to test the TA is loaded and responding
So ultimately, the question is: which package should export the TAs? Then this can be plugged into the CFG_TEE_CLIENT_LOAD_PATH to build the client, and the subdirectory can be passed to the systemd unit when launching the supplicant.
I had 2 proposals, not sure either is good. Either add an installPhase to buildOptee or add another package like buildOpteeTaDevKit or buildNvLuksSrv called optee-ta that exposes the tas.
Sorry! This turned into a thesis.
The text was updated successfully, but these errors were encountered:
Thanks for marking this issue. This is something I wanted to come back to after
adding the optee builds to this repo. There are definitely a few aspects of the
optee build we currently have that we want to cleanup. The tee-supplicant secure
filesystem (defaults to /data/tee), TA directory (defaults to /lib/optee_armtz),
and plugin path (defaults to /usr/lib/tee-supplicant/plugins) all being some of
the pieces that we can add NixOS options for in the module.
As for CFG_TEE_CLIENT_LOAD_PATH, maybe setting it to something hardcoded like /var/lib/optee would suffice, then the NixOS module (or really anything else)
can place the TAs under that directory. Is there a benefit to building optee
client with the load path set within the nix build, but not as a builtin TA
(i.e. one of the early TAs)? It seems limiting to set the load path for runtime
TAs to a directory whose contents cannot be updated at runtime. With that said,
if /var/lib/optee is the load path, the optee client would require adding
CFG_TEE_CLIENT_LOAD_PATH to the build flags and the systemd service for
tee-supplicant would require adding the --ta-dir/-t flag. Does that sound
good?
First off, thank you for this amazing work!!
I am currently testing on the Orin AGX devkit, I tested this a week or 10 days ago and only getting to raise the question now:
I am not sure if this is a feature request or an - educate an ignorant user issue - I'm still new to nix in general, but here goes:
It appears the default TAs are built in https://github.com/anduril/jetpack-nixos/blob/master/optee.nix#L84 and https://github.com/anduril/jetpack-nixos/blob/master/optee.nix#L190.
However, they are not exported in a package, either
optee-os
or a potentialoptee-os-ta
. If I scp the binaries to the target system from the /nix/store/.....ta, I can use them. Which leads to point 2.Optee-client defaults to using /lib as the root search directory for the supplicant to load the TA from as defined by CFG_TEE_CLIENT_LOAD_PATH : https://nv-tegra.nvidia.com/r/gitweb?p=tegra/optee-src/nv-optee.git;a=blob;f=optee/optee_client/config.mk;h=24904af9cef9f504747549c3fc87fe06d27f14be;hb=5ac2ab218ba9116f1df4a0bb5092b1f6d810e8f7#l37
This is not very nix-y :) So I think that when building opteeClient https://github.com/anduril/jetpack-nixos/blob/master/optee.nix#L32 the CFG_TEE_CLIENT_LOAD_PATH should be set to the package that exports the TAs from point 1).
For some reason the OpTEE developers are not happy to set a load path, but rather it is a load path
prefix
which then needs a ta dev_path to be combined with it - line 82:https://nv-tegra.nvidia.com/r/gitweb?p=tegra/optee-src/nv-optee.git;a=blob;f=optee/optee_client/tee-supplicant/src/teec_ta_load.c;h=2cb5e98170ed9dd999c45715c8113636f22a1c2b;hb=5ac2ab218ba9116f1df4a0bb5092b1f6d810e8f7#l82
Which means that the supplicant needs to be launched with
-t <sub dir>
to find the ta.Summary of steps I previously followed:
Build and flash firmware, and system image
scp /nix/store/....pkcs11.ta /lib/ta
ssh
install pkcs11-tool
Stop the tee-supplicant with systemctl
manually start tee-supplicant with
-t ta
then run pkcs11-tool to test the TA is loaded and responding
So ultimately, the question is: which package should export the TAs? Then this can be plugged into the CFG_TEE_CLIENT_LOAD_PATH to build the client, and the subdirectory can be passed to the systemd unit when launching the supplicant.
I had 2 proposals, not sure either is good. Either add an installPhase to buildOptee or add another package like buildOpteeTaDevKit or buildNvLuksSrv called optee-ta that exposes the tas.
Sorry! This turned into a thesis.
The text was updated successfully, but these errors were encountered: