fTPM implementation in a Jetson Orin Nano Devkit

Robotics & Edge Computing Jetson & Embedded Systems Jetson Orin Nano
,
1

Hi,

We are currently working on a security features research project, specifically Nvidia’s fTPM at the moment. To do this, we are checking out your fTPM guide.

However, it looks like this guide is mostly focused to production, so would it be possible for us to follow the guide and implement fTPM in a Jetson Orin Nano devkit? And if so, what values can we use for variables such as the OEM ID, as an example in the KDK Database and Fuseblobs Generation section, when you execute the kdk_gen.py script, would it be possible to use the same example values provided in this section?

Thanks in advance

4

hello carlos.jimenez,

FYI,

  1. kdk_gen.py always generates random KDK values.
  2. We use a specified KDK value (because we do the fTPM tests on certain Jetson AGX Orin board) when generating the KDK database.
  3. The value of oem_id and sn here must match the value of fuse OdmInfo and OdmId in your ODM fuse XML.
  4. kdk_gen.py exits silently when no errors occur. It generates 2 files in the folder “ftpm_kdk”, these 2 files contain the KDK value and the corresponding Silicon ID public key value.
5

Hi,
Please check and follow the steps in

Firmware TPM — NVIDIA Jetson Linux Developer Guide

Here is an example of executing kdk_gen.py. The options –oem_id, –sn and –preset have to be matched with the fuses:

...
<fuse name="OdmInfo" size="4" value="0x102"/>
<fuse name="OdmId" size="8" value="0x0000000100000002"/>
<fuse name="Kdk0" size="32" value="0x6208e3cd81ed0cd77b214db0c875ade40c26bca09382ad82cd0e24046cc8c64e"/>
...

$ echo "0x6208e3cd81ed0cd77b214db0c875ade40c26bca09382ad82cd0e24046cc8c64e" > kdk.key
$ ./kdk_gen.py --oem_id 0x102 --sn 0x100000002 --num_devices 1 --preset <kdk.key>

It uses AGX Orin developer kit as example. For using Orin Nano developer kit, please do

  1. Read info of the Orin Nanp developer kit:
$ sudo ./flash.sh --read-info jetson-orin-nano-devkit internal
  1. Update the information to
l4t/tools/flashtools/fuseburn/orinnano-board-spec.txt
  1. If there is orin-agx-board-spec.txt in the command, replace it with orinnano-board-spec.txt. And replace jetson-agx-orin-devkit.conf with jetson-orin-nano-devkit.conf
7

Hi Dane and Jerry,

Thank you for your previous answers. We followed the guide and have successfully burned the fuses and flashed the board. As indicated by the guide the last step is to execute the fTPM provisioning script, however I get the following error when doing so:

[fTPM device]: === fTPM device provisioning ===
[fTPM device]: === Extracting the EK Certs from EKB ===
ca_query_prov_mode: TEEC_InvokeCommand failed 0xffff0008 origin 0x4
Invalid provision mode!
Could not read certificate from ek_csr_rsa-0021-0000001000218000.der
20500080FFFF0000:error:1608010C:STORE routines:ossl_store_handle_load_result:unsupported:../crypto/store/store_result.c:151:
Unable to load certificate
[ftpm device]: fTPM provisioning failed.

We are using the certificates generated by the execution of odm_ekb_gen.py and previously rebuild OPTEE sources using the -t flag and flashed the board again. We also get the same error when trying to use the nvftpm-helper-app directly, for example:

sudo nvftpm-helper-app -g

#Output:
ca_query_prov_mode: TEEC_InvokeCommand failed 0xffff0008 origin 0x4
Invalid provision mode!

Do you know why we are getting this failure and what we could do to fix it? Thanks in advance

9

There is no update from you for a period, assuming this is not an issue anymore.
Hence, we are closing this topic. If need further support, please open a new one.
Thanks ~0422

Hi,
Please set up debug uart console, boot Orin Nano developer kit, run $ sudo nvftpm-helper-app -g, and share the uart log for reference.