Problems getting OP-TEE running

[carben42]

Hey everyone!
I'm having problems getting optee running on my Orin AGX using the meta-tegra kirkstone branch.
I fused the Signing, Encryption and OEM K1 and K2 Keys onto the device and built an EKS with the following command:
gen_ekb.py -chip t234 -oem_k1_key oemK1.hex -fv iv_default.hex -in_sym_key2 disk_enc.hex -out eks.img
I'm using the default nvidia fixed vector and leaving out the uefi encryption key, because the system won't boot as I couldn't get kernel encryption working.
Now, when I try to run the nvhwkey-app, I'm getting the error:

E/TC:?? 00 get_rpc_alloc_res:645 RPC allocation failed. Non-secure world result: ret=0xffff000c ret_origin=0x2
E/LD:  init_elf:486 sys_open_ta_bin(82154947-c1bc-4bdf-b89d-04f93c0ea97c)
E/TC:?? 00 ldelf_init_with_ldelf:131 ldelf failed with res: 0xffff000c

I checked that the guid is correct and the build system seems to pack it into the image, but it fails to load. However LUKS and dm-crypt seem to work which makes me wonder if is even using the disk encryption key used in the ekb.
Does anyone have an idea what I'm doing wrong?

[madisongh]

As mentioned here, there was a change in L4T R35.5.0 that requires an authentication key to be added to your EKB. See the dev forum thread linked there for more information.

[carben42]

Unfortunately that didn't fix the problem. However looking through the nvida forum post, I found that UEFI is not showing the "Auth key not set in EKB" error, instead, it tries to load a TA that is not there.

I/TC: Reserved shared memory is disabled
I/TC: Dynamic shared memory is enabled
I/TC: Normal World virtualization support is disabled
I/TC: Asynchronous notifications are disabled

E/TC:?? 00 get_rpc_alloc_res:645 RPC allocation failed. Non-secure world result: ret=0xffff0000 ret_origin=0
E/LD:   init_elf:486 sys_open_ta_bin(bc50d971-d4c9-42c4-82cb-343fb7f37896)
E/TC:?? 00 ldelf_init_with_ldelf:131 ldelf failed with res: 0xffff000c

Is that the problem? How do I tell UEFI the correct GUID? According to the build scripts the early TA should have the GUID b83d14a8-7128-49df-9624-35f14f65ca6c

[ichergui]

Hi @carben42
I didn't underdstand your issue TBH.
Could you please join the following element room channel ?
https://matrix.to/#/#nv-jetson-secureboot:gitter.im
I will try to help you
I didn't have any issue with L4T R35.5.0 GA Disk encryption.

[madisongh]

bc50d971-d4c9-42c4-82cb-343fb7f37896 is the GUID for the fTPM, which we aren't building (yet), so that particular error is expected, and shouldn't have any effect on the hwkey-agent TA.

[ichergui]

Agree with @madisongh

[Lexmark-chad]

FWIW I'm seeing the same thing. 0xffff000c is TEE_ERROR_OUT_OF_MEMORY. The size of the .ta is < 110K. I had planned on experimenting with the hwkey-agent TA and signing TAs to make sure I fully understood how signing worked, but ran into this same issue just using the default key.