diff --git a/device-pkgs/default.nix b/device-pkgs/default.nix
index 5f60785..45de2d9 100644
--- a/device-pkgs/default.nix
+++ b/device-pkgs/default.nix
@@ -42,7 +42,7 @@ let
 tosArgs = {
 inherit socType;
- inherit (cfg.firmware.optee) taPublicKeyFile;
+ inherit (cfg.firmware.optee) taPublicKeyFile fvForEKB fvForSSK useTegraTestKeys;
 opteePatches = cfg.firmware.optee.patches;
 extraMakeFlags = cfg.firmware.optee.extraMakeFlags;
 };
diff --git a/modules/flash-script.nix b/modules/flash-script.nix
index 3c5f8d1..f09bdfd 100644
--- a/modules/flash-script.nix
+++ b/modules/flash-script.nix
@@ -173,6 +173,29 @@ in
 };
 };
+ useTegraTestKeys = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ Enable default OemK1 and OemK2 keys.
+ '';
+ };
+
+ fvForEKB = mkOption {
+ type = types.strMatching "([[:xdigit:]]{2}[[:space:]]){15}[[:xdigit:]]{2}";
+ default = "ba d6 6e b4 48 49 83 68 4b 99 2f e5 4a 64 8b b8";
+ description = lib.mdDoc ''
+ Random fixed vector for EKB.
+ Note: This vector MUST match the 'fv' vector used for EKB binary generation process.
+ '';
+ };
+
+ fvForSSK = mkOption {
+ type = types.strMatching "([[:xdigit:]]{2}[[:space:]]){15}[[:xdigit:]]{2}";
+ default = "e4 20 f5 8d 1d ea b5 24 c2 70 d8 d2 3e ca 45 e8";
+ description = "Random fixed vector used to derive SSK_DK (Derived Key).";
+ };
+
 patches = mkOption {
 type = types.listOf types.path;
 default = [ ];
diff --git a/pkgs/optee/default.nix b/pkgs/optee/default.nix
index 28e6174..b222258 100644
--- a/pkgs/optee/default.nix
+++ b/pkgs/optee/default.nix
@@ -16,6 +16,8 @@ let
 atfSrc = gitRepos."tegra/optee-src/atf";
 nvopteeSrc = gitRepos."tegra/optee-src/nv-optee";
+ fvToArr = fv: lib.foldl' (acc: s: acc + "0x${s}, ") "" (lib.splitString " " fv);
+
 opteeClient = stdenv.mkDerivation {
 pname = "optee_client";
 version = l4tVersion;
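Review bot: `useTegraTestKeys` defaults to `true`, so every image that does not opt out keeps `$(call force,CFG_TEGRA_SE_USE_TEST_KEYS,y)` in OP-TEE's plat-tegra conf.mk (see optee-keys.patch in this commit), and the one-line description `Enable default OemK1 and OemK2 keys.` does not tell the module user that these are NVIDIA's fixed default values rather than keys specific to their device. Suggest a description along the lines of `Use NVIDIA's default OemK1/OemK2 test keys in OP-TEE (CFG_TEGRA_SE_USE_TEST_KEYS). These are fixed, non-secret values; set this to false for devices that have their own OEM keys provisioned.` — what OP-TEE does once the force line is removed is not visible here, so confirm that behaviour against optee_os before the second sentence is stated as fact. The two `strMatching` patterns accept any `[[:space:]]` separator, but `fvToArr` in pkgs/optee/default.nix splits on a single literal space, so a tab- or double-space-separated value passes the type check and yields a malformed `0x` token; tightening the pattern to `"([[:xdigit:]]{2} ){15}[[:xdigit:]]{2}"` keeps the type and its consumer in agreement. Also, `useTegraTestKeys` uses a bare `''` description while its sibling `fvForEKB` wraps the text in `lib.mdDoc`.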
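Review bot: `fvToArr` has no comment and its `lib.splitString " " fv` turns any run of two spaces into an empty token, which `acc + "0x${s}, "` renders as `0x, ` and which only the C compiler rejects later, with an error that does not mention the option that caused it; filtering empty tokens and using `concatMapStringsSep` states the intent and drops the trailing `, `: `# "ba d6 … b8" -> "0xba, 0xd6, …, 0xb8" for splicing into a C array initializer` followed by `fvToArr = fv: lib.concatMapStringsSep ", " (s: "0x" + s) (lib.filter (s: s != "") (lib.splitString " " fv));`. This helper is the consumer of the `fvForEKB`/`fvForSSK` options added in modules/flash-script.nix, whose regex also admits tabs, which the split does not handle either.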
@@ -47,6 +49,9 @@ let
 , earlyTaPaths ? [ ]
 , extraMakeFlags ? [ ]
 , opteePatches ? [ ]
+ , useTegraTestKeys ? true
+ , fvForEKB
+ , fvForSSK
 , taPublicKeyFile ? null
 , ...
 }:
@@ -73,9 +78,15 @@ let
 inherit pname;
 version = l4tVersion;
 src = nvopteeSrc;
- patches = opteePatches;
+ patches = opteePatches ++ [ ./optee-keys.patch ];
+ # TODO: use --replace-fail after nixpkgs 24.05 update.
 postPatch = ''
 patchShebangs $(find optee/optee_os -type d -name scripts -printf '%p ')
+ substituteInPlace optee/optee_os/core/arch/arm/plat-tegra/conf.mk \
+ --replace '@@useTegraTestKeys@@' "${if useTegraTestKeys then "" else "#"}"
+ substituteInPlace optee/optee_os/core/pta/tegra/jetson_user_key_pta.c \
+ --replace '@@fvForEKB@@' "${fvToArr fvForEKB}" \
+ --replace '@@fvForSSK@@' "${fvToArr fvForSSK}"
 '';
 nativeBuildInputs = [
 dtc
diff --git a/pkgs/optee/optee-keys.patch b/pkgs/optee/optee-keys.patch
new file mode 100644
index 0000000..ac3da67
--- /dev/null
+++ b/pkgs/optee/optee-keys.patch
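Review bot: `fvForEKB` and `fvForSSK` are the only parameters in this argument list without a default, so any caller other than the `tosArgs` set updated in device-pkgs/default.nix now fails at evaluation time; the argument list starts before the hunk and I cannot see whether other callers exist. Either keep them mandatory on purpose — the module options already carry defaults — or give them the same defaults here, e.g. `, fvForEKB ? "ba d6 6e b4 48 49 83 68 4b 99 2f e5 4a 64 8b b8"`, and say in a comment which of the two is the source of truth.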
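Review bot: Disabling test keys works by prefixing the `$(call force,CFG_TEGRA_SE_USE_TEST_KEYS,y)` line with `#`, which only removes the forced `y`; whether the variable is then unset or picks up a default elsewhere in optee_os's makefiles is not visible here, and a silent fallback to `y` would leave an image that was configured for OEM keys still built with test keys. Putting the placeholder in the value position and forcing it either way removes the ambiguity: in optee-keys.patch use `$(call force,CFG_TEGRA_SE_USE_TEST_KEYS,@@useTegraTestKeys@@)` and here `--replace '@@useTegraTestKeys@@' "${if useTegraTestKeys then "y" else "n"}"`. The `# TODO` about `--replace-fail` matters for the same reason: with plain `--replace` a placeholder that goes missing after a future refresh of the patch is left unsubstituted without any message, so the comment should say that the build then relies on the leftover `@@…@@` text failing to compile rather than on this step.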
@@ -0,0 +1,37 @@
+diff --git a/optee/optee_os/core/arch/arm/plat-tegra/conf.mk b/optee/optee_os/core/arch/arm/plat-tegra/conf.mk
+index aecd6df..475d8b1 100644
+--- a/optee/optee_os/core/arch/arm/plat-tegra/conf.mk
++++ b/optee/optee_os/core/arch/arm/plat-tegra/conf.mk
+@@ -110,7 +110,7 @@ endif
+ $(call force,CFG_EARLY_TA,y)
+ $(call force,CFG_EMBEDDED_TS,y)
+
+-$(call force,CFG_TEGRA_SE_USE_TEST_KEYS,y)
++@@useTegraTestKeys@@$(call force,CFG_TEGRA_SE_USE_TEST_KEYS,y)
+
+ libdeps += $(NV_CCC_PREBUILT)
+ endif
+diff --git a/optee/optee_os/core/pta/tegra/jetson_user_key_pta.c b/optee/optee_os/core/pta/tegra/jetson_user_key_pta.c
+index 3b95156..601b633 100644
+--- a/optee/optee_os/core/pta/tegra/jetson_user_key_pta.c
++++ b/optee/optee_os/core/pta/tegra/jetson_user_key_pta.c
+@@ -38,8 +38,7 @@ static vaddr_t ekb_base_addr;
+ * ba d6 6e b4 48 49 83 68 4b 99 2f e5 4a 64 8b b8
+ */
+ static uint8_t fv_for_ekb[] = {
+- 0xba, 0xd6, 0x6e, 0xb4, 0x48, 0x49, 0x83, 0x68,
+- 0x4b, 0x99, 0x2f, 0xe5, 0x4a, 0x64, 0x8b, 0xb8,
++ @@fvForEKB@@
+ };
+
+ /*
+@@ -48,8 +48,7 @@ static uint8_t fv_for_ekb[] = {
+ * e4 20 f5 8d 1d ea b5 24 c2 70 d8 d2 3e ca 45 e8
+ */
+ static uint8_t fv_for_ssk_dk[] = {
+- 0xe4, 0x20, 0xf5, 0x8d, 0x1d, 0xea, 0xb5, 0x24,
+- 0xc2, 0x70, 0xd8, 0xd2, 0x3e, 0xca, 0x45, 0xe8,
++ @@fvForSSK@@
+ };
+
+ /*
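Review bot: The comment blocks above `fv_for_ekb[]` and `fv_for_ssk_dk[]` still spell out the fixed vectors (`* ba d6 6e b4 …` and `* e4 20 f5 8d …`) even though the initializers are now templated, so a build that overrides `fvForEKB` or `fvForSSK` ships a source comment that contradicts the array next to it. The patch should rewrite those lines too, e.g. `* Filled in at build time from the fvForEKB option (see pkgs/optee/default.nix).`, or drop the hex lines from the comments. The array sizes are still inferred from the initializer, so a wrong token count arriving from the Nix side would silently change `sizeof(fv_for_ekb)` and `sizeof(fv_for_ssk_dk)`; the `strMatching` type pins the option to 16 bytes today, but a compile-time size assertion next to each definition, in whatever form optee_os already uses for that, would catch it regardless of how the value was produced.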