TPM support on Jetson AGX Orin – Unable to expose /dev/tpmX

[ArielZidon]

Hello,

I am working on a Jetson AGX Orin platform using a Meta-Tegra Yocto (Scarthgap) distribution.

I am trying to understand TPM support on Jetson AGX Orin.

My goal is to use TPM for secure/measured boot and to read hashes and keys from Linux.
Specifically, I am trying to expose a TPM device in Linux (/dev/tpmX).
Current situation:
I create bbappend (linux-jammy-nvidia-tegra_%.bbappend) that config -

CONFIG_TCG_TPM=y
CONFIG_TCG_TPM2=y
CONFIG_TCG_CRB=y
CONFIG_TCG_TIS_CORE=y
CONFIG_TCG_TIS=y
CONFIG_HW_RANDOM_TPM=y
CONFIG_SECURITYFS=y
CONFIG_TCG_NSC=m
CONFIG_TCG_ATMEL=m
CONFIG_TCG_INFINEON=m
CONFIG_TCG_TIS_SPI=y

But:

• No /dev/tpm0 or /dev/tpmrm0
• No TPM-related messages in dmesg
• No TPM node appears under /proc/device-tree

In this forum thread:

I saw that NVIDIA customer service responded with:
"just for confirmation, are you going to attach a DTPM (HW TPM) on Jetson via SPI interface?
note, we do not support DTPM for Jetson, yet."

In any case, I am not trying to use a discrete physical TPM device.
I only need the firmware TPM (fTPM) — not a real hardware TPM component.

When I use JetPack 6.2.1, the device /dev/tpm0 is exposed.

At this point I am unsure whether:

• Jetson AGX Orin includes any built-in TPM or fTPM that can be exposed to Linux
• Discrete SPI TPM is expected to work
• Additional configuration (device tree / firmware / OP-TEE) is required

Thank you very much!

[madisongh]

The NVIDIA documentation on the fTPM they provide is here. We don't currently have a recipe for building it for the R36.x-based branches, because NVIDIA didn't provide source code. For R38.x, they do provide sources, so we do have a recipe for building it. I'm not sure it's been tested, though. It's been a while since I looked at that documentation, but IIRC it sounded pretty complicated to get things set up to use it.

That said, if you're just experimenting, you could probably install their pre-built copy of the fTPM TA to try it. You may need to tweak your OP-TEE OS build to build in the FTPM helper TA, also (or use the pre-built OP-TEE OS, too). There is probably some client-side code you'd need to add into your build, also.

As far as using a discrete TPM, it should be possible to do, with appropriate kernel configuration, and probably an addition to the device tree to tell the kernel where to find the device at boot time.

[dolwup]

Nvidia actually provides source code as part of the optee samples.
I got the fTPM running on 36.4 based scarthgap. I currently build it as part of optee-nvsamples as opposed to in a separate recipe like how @ichergui builds it for 38.4.
If that's fine I'd prepare a PR around next week.

Sorry for kinda hijacking this (answered) discussion for that. For further discussion about the implementation and documentation around how to setup fTPM feel free to move this to new discussion (or I start a new discussion), open an issue or we discuss it under the PR ^^