optee: add options for FV values and test keys.

* Allow configuring EKB and SSK FV values. * Allow enable/disable of test keys via CFG_TEGRA_SE_USE_TEST_KEYS.
anduril · May 2, 2024 · 04e0f78 · 04e0f78
1 parent 9ff96bf
commit 04e0f78
Show file tree

Hide file tree

Showing 4 changed files with 73 additions and 2 deletions.
diff --git a/device-pkgs/default.nix b/device-pkgs/default.nix
@@ -42,7 +42,7 @@ let
 
   tosArgs = {
     inherit socType;
-    inherit (cfg.firmware.optee) taPublicKeyFile;
+    inherit (cfg.firmware.optee) taPublicKeyFile fvForEKB fvForSSK useTegraTestKeys;
     opteePatches = cfg.firmware.optee.patches;
     extraMakeFlags = cfg.firmware.optee.extraMakeFlags;
   };

diff --git a/modules/flash-script.nix b/modules/flash-script.nix
@@ -173,6 +173,29 @@ in
             };
           };
 
+          useTegraTestKeys = mkOption {
+            type = types.bool;
+            default = true;
+            description = ''
+              Enable default OemK1 and OemK2 keys.
+            '';
+          };
+
+          fvForEKB = mkOption {
+            type = types.strMatching "([[:xdigit:]]{2}[[:space:]]){15}[[:xdigit:]]{2}";
+            default = "ba d6 6e b4 48 49 83 68 4b 99 2f e5 4a 64 8b b8";
+            description = lib.mdDoc ''
+              Random fixed vector for EKB.
+              Note: This vector MUST match the 'fv' vector used for EKB binary generation process.
+            '';
+          };
+
+          fvForSSK = mkOption {
+            type = types.strMatching "([[:xdigit:]]{2}[[:space:]]){15}[[:xdigit:]]{2}";
+            default = "e4 20 f5 8d 1d ea b5 24 c2 70 d8 d2 3e ca 45 e8";
+            description = "Random fixed vector used to derive SSK_DK (Derived Key).";
+          };
+
           patches = mkOption {
             type = types.listOf types.path;
             default = [ ];

diff --git a/pkgs/optee/default.nix b/pkgs/optee/default.nix
@@ -16,6 +16,8 @@ let
   atfSrc = gitRepos."tegra/optee-src/atf";
   nvopteeSrc = gitRepos."tegra/optee-src/nv-optee";
 
+  fvToArr = fv: lib.foldl' (acc: s: acc + "0x${s}, ") "" (lib.splitString " " fv);
+
   opteeClient = stdenv.mkDerivation {
     pname = "optee_client";
     version = l4tVersion;
@@ -47,6 +49,9 @@ let
                                     , earlyTaPaths ? [ ]
                                     , extraMakeFlags ? [ ]
                                     , opteePatches ? [ ]
+                                    , useTegraTestKeys ? true
+                                    , fvForEKB
+                                    , fvForSSK
                                     , taPublicKeyFile ? null
                                     , ...
                                     }:
@@ -73,9 +78,15 @@ let
       inherit pname;
       version = l4tVersion;
       src = nvopteeSrc;
-      patches = opteePatches;
+      patches = opteePatches ++ [ ./optee-keys.patch ];
+      # TODO: use --replace-fail after nixpkgs 24.05 update.
       postPatch = ''
         patchShebangs $(find optee/optee_os -type d -name scripts -printf '%p ')
+        substituteInPlace optee/optee_os/core/arch/arm/plat-tegra/conf.mk \
+          --replace '@@useTegraTestKeys@@' "${if useTegraTestKeys then "" else "#"}"
+        substituteInPlace optee/optee_os/core/pta/tegra/jetson_user_key_pta.c \
+          --replace '@@fvForEKB@@' "${fvToArr fvForEKB}" \
+          --replace '@@fvForSSK@@' "${fvToArr fvForSSK}"
       '';
       nativeBuildInputs = [
         dtc

diff --git a/pkgs/optee/optee-keys.patch b/pkgs/optee/optee-keys.patch
@@ -0,0 +1,37 @@
+diff --git a/optee/optee_os/core/arch/arm/plat-tegra/conf.mk b/optee/optee_os/core/arch/arm/plat-tegra/conf.mk
+index aecd6df..475d8b1 100644
+--- a/optee/optee_os/core/arch/arm/plat-tegra/conf.mk
++++ b/optee/optee_os/core/arch/arm/plat-tegra/conf.mk
+@@ -110,7 +110,7 @@ endif
+ $(call force,CFG_EARLY_TA,y)
+ $(call force,CFG_EMBEDDED_TS,y)
+
+-$(call force,CFG_TEGRA_SE_USE_TEST_KEYS,y)
++@@useTegraTestKeys@@$(call force,CFG_TEGRA_SE_USE_TEST_KEYS,y)
+
+ libdeps += $(NV_CCC_PREBUILT)
+ endif
+diff --git a/optee/optee_os/core/pta/tegra/jetson_user_key_pta.c b/optee/optee_os/core/pta/tegra/jetson_user_key_pta.c
+index 3b95156..601b633 100644
+--- a/optee/optee_os/core/pta/tegra/jetson_user_key_pta.c
++++ b/optee/optee_os/core/pta/tegra/jetson_user_key_pta.c
+@@ -38,8 +38,7 @@ static vaddr_t ekb_base_addr;
+  * ba d6 6e b4 48 49 83 68 4b 99 2f e5 4a 64 8b b8
+  */
+ static uint8_t fv_for_ekb[] = {
+-	0xba, 0xd6, 0x6e, 0xb4, 0x48, 0x49, 0x83, 0x68,
+-	0x4b, 0x99, 0x2f, 0xe5, 0x4a, 0x64, 0x8b, 0xb8,
++       @@fvForEKB@@
+ };
+
+ /*
+@@ -48,8 +48,7 @@ static uint8_t fv_for_ekb[] = {
+  * e4 20 f5 8d 1d ea b5 24 c2 70 d8 d2 3e ca 45 e8
+  */
+ static uint8_t fv_for_ssk_dk[] = {
+-	0xe4, 0x20, 0xf5, 0x8d, 0x1d, 0xea, 0xb5, 0x24,
+-	0xc2, 0x70, 0xd8, 0xd2, 0x3e, 0xca, 0x45, 0xe8,
++       @@fvForSSK@@
+ };
+
+ /*