Device-Side Operations#
Running the fTPM Provisioning Script#
The fTPM provisioning script handles provisioning of the fTPM on NVIDIA Jetson™ devices. This process involves querying EK certificates from the Encrypted Key Block (EKB), storing the EK certificate in fTPM non-volatile (NV) memory, taking ownership of the fTPM, and creating EKs with default EK handles.
The fTPM helper TA/CA and PTA are applications designed to support fTPM provisioning, providing interfaces for querying SN and EK certificates.
The fTPM TA supports TPM 2.0 functionalities defined by the Trusted Computing Group (TCG). It receives EPS from the fTPM helper PTA during the first startup and stores it in NV memory.
Rebuilding and Updating the TOS Image#
To customize the fTPM function on your Jetson device, you might need to rebuild and update the Trusted Operation System (TOS) image.
Download the source package from Jetson Linux Archive.
Rebuild the TOS image. Refer to the README file in the OP-TEE or ATF source package. Add the -t option to enable the fTPM feature.
# Jetson Thor series:
./optee_src_build.sh -p t264 -t
# Jetson Orin series:
./optee_src_build.sh -p t234 -t
# Update the TOS image after the rebuild.
# Jetson Thor series:
cp tos.img ${ODM_BSP_TOP}/Linux_for_Tegra/bootloader/tos-optee_t264.img
# Jetson Orin series:
cp tos.img ${ODM_BSP_TOP}/Linux_for_Tegra/bootloader/tos-optee_t234.img
Re-flash the device with the new TOS image.
Prepare the fTPM provisioning folder. If you need to use fTPM, create a provisioning folder and copy the necessary files into it.
# Create an "ftpm_prov" folder.
mkdir -p ftpm_prov
# Copy the provisioning script from the host.
scp optee/samples/ftpm-helper/host/tool/ftpm_device_provision.sh ${REMOTE_DEVICE}:${DEST_PROV_DIR}/ftpm_prov
Note
Replace ${REMOTE_DEVICE} and ${DEST_PROV_DIR} with the actual device IP address and provisioning directory.
Automatic Provisioning During Boot#
The automatic fTPM provisioning function is integrated into the NVIDIA JetPack BSP. When the Jetson device boots, fTPM provisioning is performed automatically. For details, refer to /etc/systemd/nv-ftpm-device-provision.sh.
The conditions for automatic provisioning are as follows:
The fuseblob is burned.
The EKB is paired with the fTPM.
The fTPM is not already provisioned.
Note
To check the fTPM provisioning status, run:
sudo tpm2_getcap handles-persistent
- 0x81010001 -> RSA EK
- 0x81010002 -> EC EK
sudo tpm2_getcap handles-nv-index
- 0x1C00002 -> RSA EK Certificate
- 0x1C0000A -> EC EK Certificate
If the output is empty, the fTPM is not provisioned.
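The status check above is easy to misread when only part of the provisioning succeeded (for example, the EK handles exist but an EK certificate NV index is missing). The following script is an added example, not part of the NVIDIA page or tooling: it parses the handle lists printed by tpm2_getcap, compares them with the four handles listed above, and names whatever is missing. The sample outputs at the bottom are constructed; query_device() runs the real commands when tpm2-tools is installed.

```python
"""Check fTPM provisioning status from tpm2_getcap output (added example)."""
import re
import shutil
import subprocess

# Handles the fTPM provisioning script creates (values from the page).
EXPECTED_PERSISTENT = {0x81010001: "RSA EK", 0x81010002: "EC EK"}
EXPECTED_NV_INDEX = {0x1C00002: "RSA EK Certificate", 0x1C0000A: "EC EK Certificate"}

# tpm2_getcap lists each handle on its own line as "- 0x81010001".
_HANDLE_RE = re.compile(r"^\s*-\s*(0x[0-9A-Fa-f]+)\s*$", re.MULTILINE)


def parse_handles(getcap_output: str) -> set:
    """Return the set of handles listed in tpm2_getcap output."""
    return {int(h, 16) for h in _HANDLE_RE.findall(getcap_output)}


def provisioning_status(persistent_output: str, nv_output: str) -> dict:
    """Compare the two handle lists against the expected fTPM provisioning state."""
    present_persistent = parse_handles(persistent_output)
    present_nv = parse_handles(nv_output)
    missing = [n for h, n in EXPECTED_PERSISTENT.items() if h not in present_persistent]
    missing += [n for h, n in EXPECTED_NV_INDEX.items() if h not in present_nv]
    return {
        "provisioned": not missing,          # True only if all four objects exist
        "missing": missing,                  # human-readable names of absent objects
        "persistent_handles": sorted(present_persistent),
        "nv_indices": sorted(present_nv),
    }


def query_device() -> dict:
    """Run tpm2_getcap on the device (needs tpm2-tools and access to the TPM device)."""
    if shutil.which("tpm2_getcap") is None:
        raise RuntimeError("tpm2_getcap not found; install tpm2-tools")
    persistent = subprocess.run(["tpm2_getcap", "handles-persistent"],
                                capture_output=True, text=True, check=True).stdout
    nv = subprocess.run(["tpm2_getcap", "handles-nv-index"],
                        capture_output=True, text=True, check=True).stdout
    return provisioning_status(persistent, nv)


# Constructed sample outputs, shaped like tpm2_getcap output on a provisioned device.
SAMPLE_PERSISTENT = "- 0x81010001\n- 0x81010002\n"
SAMPLE_NV = "- 0x1C00002\n- 0x1C0000A\n"

if __name__ == "__main__":
    print(provisioning_status(SAMPLE_PERSISTENT, SAMPLE_NV))
```

Run it on the device with `sudo python3` so that tpm2_getcap can open the TPM; an empty or partial "missing" list tells you whether to run the manual provisioning steps or only to re-check the EK certificate NV indices.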
Manual Provisioning#
Clear the fTPM from the previous provisioning.
sudo tpm2_clear
sudo tpm2_nvundefine -C p 0x1C00002
sudo tpm2_nvundefine -C p 0x1C0000A
Provision and activate the fTPM by running the ftpm_device_provision.sh script, which performs the following tasks:
Queries the EK certificates (RSA and EC) and stores them in fTPM NV memory.
Sets up the fTPM authorization.
cd ftpm_prov
sudo ./ftpm_device_provision.sh -r ek_cert_rsa.der -e ek_cert_ec.der -p owner
Command-line arguments:
-r <file name of RSA EK certificate>: RSA EK certificate saved after querying from EKB.
-e <file name of EC EK certificate>: EC EK certificate saved after querying from EKB.
-p <authorization value of fTPM>: fTPM authorization value. Refer to the tpm2_changeauth man page.
Generating the fTPM Measurement List#
After provisioning fTPM on the Jetson device, you can generate a measurement list to validate measured boot integrity. This list verifies that boot components match expected values during Secure Boot with measured boot support.
PCR0 Measurement List (Jetson Boot Chain)#
Use ftpm_gen_measurement_list.py to generate the measurement list for PCR0, which represents the Jetson boot chain integrity. This tool is specific to Jetson measured boot and does not generate measurements for UEFI PCRs (PCR1–PCR8) and other PCRs.
python ftpm_gen_measurement_list.py --platform <platform> \
--mb2 <MB2_image> \
--tos <TOS_image> \
--bl31 <BL31_image> \
--bl32 <BL32_image> \
--sp <sec_partition_image> \
--uefi <UEFI_image>
For the Jetson Orin series:
python ftpm_gen_measurement_list.py --platform t234 \
--mb2 mb2_t234_with_mb2_cold_boot_bct_MB2_sigheader_encrypt.bin.signed \
--tos tos-optee_t234_sigheader_encrypt.img.signed \
--uefi uefi_jetson_with_dtb_aligned_blob_w_bin_sigheader_encrypt.bin.signed
For the Jetson Thor series:
python ftpm_gen_measurement_list.py --platform t264 \
--mb2 mb2_t264_with_mb2_bct_MB2_sigheader.bin.encrypt \
--bl31 bl31_t264_sigheader.fip.encrypt \
--bl32 hafnium_t264_sigheader.fip.encrypt \
--sp sp_t264_aligned_blob_w_bin_sigheader.fip.encrypt \
--uefi uefi_t26x_general_with_dtb_aligned_blob_w_bin_sigheader.bin.encrypt
Output:
INFO: SHA256 PCR value: <SHA256 value>
INFO: SHA384 PCR value: <SHA384 value>
INFO: SHA512 PCR value: <SHA512 value>
UEFI PCR Measurements (PCR1–PCR8 and Other PCRs)#
For PCRs measured by UEFI, use tpm2_eventlog to parse the TPM event log:
Locate the TPM event log file:
/sys/kernel/security/tpm0/binary_bios_measurements
Decode the event log:
tpm2_eventlog /sys/kernel/security/tpm0/binary_bios_measurements
Example output:
Eventlog:
  PCR Index: 1
  Digest: <SHA256 hash>
  Event: EFI Variable
  ...
  PCR Index: 8
  Digest: <SHA256 hash>
  Event: Boot Manager Code
Optionally, save the parsed event log for later validation:
tpm2_eventlog /sys/kernel/security/tpm0/binary_bios_measurements > uefi_eventlog.txt
Validating Measurement Results#
You can validate measured boot integrity in two ways:
Manual check: Use tpm2_pcrread to read PCR values and compare them against the generated measurement list.
tpm2_pcrread sha256:0 sha256:1 sha256:2 ...
Automated validation: Combine the results from the PCR0 and UEFI measurement steps to create a golden measurement list and verify it using a TPM attestation framework such as Keylime or a TPM 2.0 attestation server.
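The manual check compares raw PCR values by eye; the script below is an added example (not NVIDIA's tooling and not from Keylime) of doing the same comparison in code. It replays a list of event digests, as reported by tpm2_eventlog, with the TPM extend rule PCR' = H(PCR || digest) from the all-zero initial value to obtain the expected UEFI PCRs, parses tpm2_pcrread output, and reports every golden PCR that does not match. All sample digests and the "measured" output are constructed; on a real device the PCR0 golden value comes from ftpm_gen_measurement_list.py and the UEFI digests from the parsed event log (EV_NO_ACTION entries such as the Spec ID event are not extended and must be skipped).

```python
"""Validate measured-boot PCRs against a golden list (added example)."""
import hashlib
import re

# tpm2_pcrread prints a bank header ("sha256:") followed by "  0 : 0x..." lines.
_BANK_RE = re.compile(r"^(sha1|sha256|sha384|sha512):\s*$")
_PCR_RE = re.compile(r"^\s*(\d+)\s*:\s*0x([0-9A-Fa-f]+)\s*$")


def extend(pcr: bytes, digest: bytes, algo: str = "sha256") -> bytes:
    """One TPM2_PCR_Extend step: new PCR = H(old PCR || event digest)."""
    return hashlib.new(algo, pcr + digest).digest()


def replay_pcr(digests, algo: str = "sha256") -> bytes:
    """Replay event digests in log order from the all-zero initial PCR value."""
    pcr = bytes(hashlib.new(algo).digest_size)
    for d in digests:
        pcr = extend(pcr, d, algo)
    return pcr


def parse_pcrread(output: str) -> dict:
    """Parse tpm2_pcrread text into {bank: {pcr_index: value_bytes}}."""
    banks, bank = {}, None
    for line in output.splitlines():
        m = _BANK_RE.match(line)
        if m:
            bank = m.group(1)
            banks[bank] = {}
            continue
        m = _PCR_RE.match(line)
        if m and bank is not None:
            banks[bank][int(m.group(1))] = bytes.fromhex(m.group(2))
    return banks


def verify_pcrs(measured: dict, golden: dict) -> dict:
    """Return {index: (measured, expected)} for each golden PCR that is absent or differs."""
    return {i: (measured.get(i), exp) for i, exp in golden.items() if measured.get(i) != exp}


# --- Constructed sample data (not real Jetson measurements) ---
PCR0_GOLDEN = hashlib.sha256(b"constructed PCR0 from the measurement list").digest()
PCR1_EVENTS = [hashlib.sha256(b"EFI Variable SecureBoot").digest(),
               hashlib.sha256(b"EFI Variable PK").digest()]
PCR8_EVENTS = [hashlib.sha256(b"Boot Manager Code").digest()]
GOLDEN = {0: PCR0_GOLDEN, 1: replay_pcr(PCR1_EVENTS), 8: replay_pcr(PCR8_EVENTS)}


def sample_pcrread(tampered: bool = False) -> str:
    """Render the golden values in tpm2_pcrread format; optionally add a rogue event to PCR8."""
    vals = dict(GOLDEN)
    if tampered:
        vals[8] = extend(vals[8], hashlib.sha256(b"unexpected extra event").digest())
    return "sha256:\n" + "".join(f"  {i} : 0x{v.hex().upper()}\n" for i, v in sorted(vals.items()))


def check(pcrread_output: str) -> dict:
    """Compare the sha256 bank of a tpm2_pcrread capture against GOLDEN."""
    return verify_pcrs(parse_pcrread(pcrread_output).get("sha256", {}), GOLDEN)


if __name__ == "__main__":
    print("clean device:   ", check(sample_pcrread()))
    print("tampered device:", check(sample_pcrread(tampered=True)))
```

To use it against a board, capture `tpm2_pcrread sha256:0,1,8 > pcrs.txt`, load the text into check(), and replace GOLDEN with the PCR0 value from the measurement list plus the replayed UEFI PCRs. A non-empty result means either the boot chain changed or the golden list is stale; both need investigation before the board is trusted.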
Verifying the fTPM EK#
With the offline provision method, the fTPM EKs are pre-generated by the fTPM production scripts. The ODM EKB Gen Tool provides a verify mode to help the fTPM manufacturer validate fTPM EKs before shipping EKB images to the OEM. This mode compares the fTPM EK public keys generated by the production script with the EK public keys generated by the fTPM TA.
Before verifying, ensure you have the following:
A dedicated Jetson device with custom fTPM helper TA and CA to verify the fTPM EK.
A secure environment to keep the intermediate data. Remove the data after verification is complete.
Generating Verification Data#
Generate the intermediate data by running the ODM EKB Gen Tool with the --verify option:
odm_ekb_gen.py --kdk_db ftpm_kdk/kdk_db-01020000000100000002-5.csv --verify
When --verify is set, odm_ekb_gen.py creates ftpm_keys.txt in the output folder, which contains the following:
Device SN
EPS
RSA EK public key
EC EK public key
Setting Up a Dedicated Jetson Device#
Caution
To enable fTPM EK verification, you must rebuild OP-TEE with the CFG_JETSON_FTPM_HELPER_INJECT_EPS configuration. This is a custom configuration for fTPM EK verification only and must not be enabled in production builds.
To enable fTPM EK verification, modify optee_src_build.sh:
diff --git a/optee_src_build.sh b/optee_src_build.sh
--- a/optee_src_build.sh
+++ b/optee_src_build.sh
@@ -117,7 +117,8 @@ function build_optee_sources {
if [ "${ENABLE_FTPM_BUILD}" == "yes" ]; then
optee_config+=("CFG_CORE_TPM_EVENT_LOG=y \
CFG_REE_STATE=y \
- CFG_JETSON_FTPM_HELPER_PTA=y")
+ CFG_JETSON_FTPM_HELPER_PTA=y \
+ CFG_JETSON_FTPM_HELPER_INJECT_EPS=y")
early_tas+=("${build_dir}/early_ta/ftpm-helper/a6a3a74a-77cb-433a-990c-1dfb8a3fbc4c.stripped.elf \
${build_dir}/early_ta/optee_ftpm/bc50d971-d4c9-42c4-82cb-343fb7f37896.stripped.elf")
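Review bot: the added `CFG_JETSON_FTPM_HELPER_INJECT_EPS=y` line sits directly under the `ENABLE_FTPM_BUILD` check, so every fTPM-enabled build now includes the EPS-injection option that the page says must never be in a production build. Gate it behind its own opt-in variable instead (for example a hypothetical `ENABLE_FTPM_EK_VERIFY`, appended to optee_config only when it is set to "yes"), so a production build with `ENABLE_FTPM_BUILD=yes` cannot pick it up by accident, and add a comment on the new line stating that it is for EK verification only.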
After modifying the script, rebuild OP-TEE, generate the TOS image, and flash it to the board.
Running the Verification#
To verify the RSA and EC EK public keys on a Jetson device, run ftpm_offline_provisioning_verify.sh:
Copy ftpm_keys.txt to the Jetson device.
scp ${SRC_VERIFY_DIR}/ftpm_keys.txt ${REMOTE_DEVICE}:${DEST_VERIFY_DIR}/ftpm_prov
Copy the verification script from the OP-TEE source directory.
scp optee/samples/ftpm-helper/host/tool/ftpm_offline_provisioning_verify.sh ${REMOTE_DEVICE}:${DEST_VERIFY_DIR}/ftpm_prov
Copy the custom nvftpm-helper-app to the device.
scp optee/build/t234/ca/ftpm-helper/nvftpm-helper-app ${REMOTE_DEVICE}:${DEST_VERIFY_DIR}/ftpm_prov
Run the verification script on the device.
cd ${DEST_VERIFY_DIR}/ftpm_prov
sudo ./ftpm_offline_provisioning_verify.sh