Firmware TPM
Applies to the Jetson AGX Thor series, the Jetson AGX Orin series, the Jetson Orin NX series, and the Jetson Orin Nano series.
Before you begin, refer to the Trusted Computing Group (TCG) website to familiarize yourself with the Trusted Platform Module (TPM) specification:
TCG Resources Archive, which includes TCG documentation.
The Firmware TPM (fTPM) implementation is based on the Official TCG Reference Implementation of the TPM 2.0 specification. It uses a sample fTPM Trusted Application (TA) from OP-TEE/optee_ftpm and runs within OP-TEE.
Attention
The fTPM implementation differs between Jetson Linux 36.4.4 GA and Jetson Linux 38.4 GA (and later releases):
Jetson Linux 36.4.4 GA:
Based on an earlier revision of the open-source ms-tpm-20-ref (commit: e9fc7b89d865536c46deb63f9c7d0121a3ded49c) repository.
TPM 2.0 library based on TCG TPM 2.0 Library Specification Revision 1.59.
fTPM TA implementation provided in the Samples folder.
Jetson Linux 38.4 GA (and later releases):
Based on the latest available version of ms-tpm-20-ref and TCG TPM 2.0 Reference Implementation.
TPM 2.0 library based on TCG TPM 2.0 Library Specification Revision 1.84.
fTPM TA implementation moved from ms-tpm-20-ref to OP-TEE/optee_ftpm.
As a result, the Endorsement Key (EK) generation process for the RSA key type is not compatible with the previous release. If upgrading from 36.4.4 GA to 38.4 GA (or later), choose one of the following options:
Option 1: Retain the previous fTPM implementation and preserve the EK certificates.
Option 2: Migrate to an EK of the ECC key type.
Option 3: Re-generate a new EK and EK certificates using the updated implementation, and inject them into a new RSA EK handle and the associated NV storage for the certificate. It is recommended to implement an fTPM provisioning scheme that supports the new EK and EK certificates.
Note
The TEE storage location for the Rich Execution Environment file system (REE FS) changes after the OP-TEE upgrade to version 4.4.0. The default location is updated from /data/tee to /var/lib/tee/.
If upgrading from Jetson Linux 36.4.4 GA to 38.4 GA (or later), account for this change in the TEE storage location.
To retain the previous TEE storage location, refer to the Cross-Compiling a Trusted Application section. Follow step 5 to rebuild optee_client with CFG_TEE_FS_PARENT_PATH=/data/tee by adding this configuration option to optee_src_build.sh.
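The following is an added example, not part of NVIDIA's documentation: a POSIX shell check for the storage-location change described in the note above, reporting whether REE FS data sits under the old default path, the new default path, or both. It assumes that any entry inside a directory counts as stored TEE data; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not NVIDIA's code. Classifies the two REE FS storage
# directories named on this page so that data left under the old default
# path is noticed when upgrading across the OP-TEE 4.4.0 change.
# Assumption: any entry inside a directory counts as stored TEE data.

LEGACY_REL=data/tee        # default before the OP-TEE 4.4.0 upgrade
CURRENT_REL=var/lib/tee    # default after the OP-TEE 4.4.0 upgrade

# has_data DIR: succeed when DIR exists and holds at least one entry.
has_data() {
    [ -d "$1" ] && [ -n "$(ls -A "$1" 2>/dev/null)" ]
}

# tee_storage_state [ROOT]: print legacy-only, current-only, both or none.
# ROOT defaults to / and may point at a mounted rootfs image instead.
tee_storage_state() {
    root=${1:-/}
    legacy=no
    current=no
    has_data "${root%/}/$LEGACY_REL" && legacy=yes
    has_data "${root%/}/$CURRENT_REL" && current=yes
    case "$legacy:$current" in
        yes:no)  echo legacy-only ;;
        no:yes)  echo current-only ;;
        yes:yes) echo both ;;
        *)       echo none ;;
    esac
}

# tee_storage_advice [ROOT]: one line of guidance for the detected state.
tee_storage_advice() {
    case "$(tee_storage_state "$1")" in
        legacy-only)
            echo "data only in /$LEGACY_REL: an optee_client built with the new default will not use it" ;;
        both)
            echo "data in both locations: confirm which path optee_client was built to use" ;;
        current-only)
            echo "data only in /$CURRENT_REL: matches the new default" ;;
        none)
            echo "no TEE storage data found in either location" ;;
    esac
}
```

Call `tee_storage_advice` with no argument on the device, or pass the mount point of a rootfs image to inspect it offline.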