Running a Samba Server on Jetson platforms

From RidgeRun Developer Connection
Revision as of 13:30, 16 June 2023 by Jdelgado (talk | contribs) (Created page with "<seo title=" Implementation of a Trusted Application using OP-TEE and JetPack5.1 | Jetson Xavier AGX" titlemode="replace" metakeywords=" OP-TEE, optee, Trusted, Linux SDK, Lin...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search



Nvidia-preferred-partner-badge-rgb-for-screen.png

RR Contact Us.png

About Samba

Samba is the standard Windows interoperability suite of programs for Linux and Unix. It turns out to be an interesting option to share files and scripts between devices over a network. Some advantages provided could be that:

  • It provides file sharing and print services for computers on a network.
  • It uses the Server Message Block and Common Internet File System (SMB/CIFS) protocol.
  • Samba can be available on Linux, macOS, and Windows clients.
  • It is an easy, flexible, cross-platform, and open source collaboration approach across an organization.
  • It is platform agnostic (as it was mentioned, it can run in several operated systems).
  • It can run on terminal or using a GUI.

This wiki explains:

  • How to install Samba on Ubuntu
  • How to configure it as a standalone server to provide file sharing between a Jetson and a local PC, over a network.
  • How to use the Samba client
  • How to mount a Samba server on a local PC directory.
  • How to connect to a Samba server using a Samba client.

The implementation and steps provided on this wiki were tested on a Jetson Xavier AGX running JetPack 5.0.2 and 5.1.

Prerequisites

Update the apt packages index:

sudo apt update

Install the Samba package:

sudo apt install samba

After that, the Samba service will start automatically. Check whether the Samba server is running:

sudo systemctl status smbd

Getting started

Configuring Global Samba Options

Create a backup of the smb.conf file, this could help to get back to the default settings in the future:

sudo cp /etc/samba/smb.conf{,.backup}

Open the file and make sure that the server role is set to "standalone server":

sudo vim /etc/samba/smb.conf
        
...
# Most people will want "standalone sever" or "member server".
# Running as "active directory domain controller" will require first
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
   server role = standalone server
...

Restart the Samba services with:

sudo systemctl restart smbd
sudo systemctl restart nmbd

Creating Samba Users and Directory Structure

Samba directories and its data can be located everywhere across the filesystem. For this case, directory structure will be located under the /samba path. Using the /samba directory instead of using the standard home directories (/home/$USER) allows easier maintainability and flexibility.

Create the /samba directory:

sudo mkdir /samba

Set the group ownership to "sambashare". This group is created during the Samba installation.

sudo chgrp sambashare /samba

Creating Samba Users

This section helps to create a regular user that has its private file share and one administrative account with read and write access to all shares on the Samba server.

To create a new user named "ridgerun", use the following command:

sudo useradd -M -d /samba/ridgerun -s /usr/sbin/nologin -G sambashare ridgerun

The useradd options have the following meanings:

  • M: -do not create the user’s home directory.
  • d: /samba/ridgerun - set the user’s home directory to /samba/ridgerun.
  • s: /usr/sbin/nologin - disable shell access for this user.
  • G: sambashare - add the user to the sambashare group.

Create the user’s home directory and set the directory ownership to user ridgerun and group sambashare:

sudo mkdir /samba/ridgerun
sudo chown ridgerun:sambashare /samba/ridgerun

Set the directory’s permissions to 2770, this allows the sadmin user(a group that will be created later during this wiki) to create a new file that the user "ridgerun" will be able to read/write.

sudo chmod 2770 /samba/ridgerun

Add the "ridgerun" user account to the Samba database by setting the user password:

sudo smbpasswd -a ridgerun

Samba uses Linux users and group permission system but is has its own authentication mechanism separate from the standard Linux authentication. You will be prompted to enter and confirm the user password:

New SMB password:
Retype new SMB password:
Added user ridgerun.

Enable the Samba account run:

sudo smbpasswd -e ridgerun

Output

Enabled user ridgerun.

Change permissions on the Samba shared file:

sudo chmod 2770 /samba/ridgerun

To create another user repeat the same process as was shown before.

Create an user and group sadmin

All members of this group, sadmin, will have administrative permissions. Later if you want to grant administrative permissions to another user simply add that user to the sadmin group.

Create the administrative user:

sudo useradd -M -d /samba/users -s /usr/sbin/nologin -G sambashare sadmin

This creates a group sadmin and add the user "users" to both sadmin and sambashare groups.

Set a password and enable the user:

sudo smbpasswd -a sadmin
sudo smbpasswd -e sadmin

Create the Users share directory:

sudo mkdir /samba/users

Set the directory ownership to user sadmin and group sambashare:

sudo chown sadmin:sambashare /samba/users

This directory will be accessible by all authenticated users. The following chmod command gives write/read access to members of the sambashare group in the /samba/users directory:

sudo chmod 2770 /samba/users

Configuring Samba Shares

The /etc/samba/smb.conf file allows to edit the configuration of the samba sharefolders, by adding them as below:

+[users]
+    path = /samba/users
+    browseable = yes
+    read only = no
+    force create mode = 0660
+    force directory mode = 2770
+    valid users = @sambashare @sadmin

+[ridgerun]
+    path = /samba/ridgerun
+    browseable = no
+    read only = no
+    force create mode = 0660
+    force directory mode = 2770
+    valid users = ridgerun @sadmin
  • [users] and [ridgerun]: The names of the share users that you will use when logging in.
  • path: The path to the share directory.
  • browseable: Whether the share should be listed in the available shares list. By configuring it as "no" other users will not be able to see the share.
  • read only: Whether the users specified in the valid users list are able to write to this share.
  • force create mode: Sets the permissions for the newly created files in this share.
  • force directory mode: Sets the permissions for the newly created directories in this share.
  • valid users: A list of users and groups that are allowed to access the share.

Note: Groups are prefixed with the "@" symbol.

Once the configuration file is ready, restart the Samba services with:

sudo systemctl restart smbd
sudo systemctl restart nmbd

Connecting to a SambaShare from Linux Client

Access the samba share from the command line, using the file manager or mount the Samba share can be done. This section explains how to access to a sharefolder using smbclient client.

smbclient is a tool that allows you to access Samba from the command line. It is a package that is not pre-installed on most Linux distributions, so it must be installed using distribution package managers.

To install smbclient on Ubuntu and Debian, run:

sudo apt install smbclient

The syntax to access a Samba share is:

smbclient //samba_hostname_or_server_ip/share_name -U username

For example to connect to a share named ridgerun, on a Samba server with IP address 192.168.121.118, as user ridgerun, then the appropriate command to do that will be:

smbclient //192.168.121.118/ridgerun -U ridgerun

A password output will be prompted. Enter the password assigned before:

Enter WORKGROUP\ridgerun's password:

Once the password is entered, you will be logged into the Samba command line interface.

Try "help" to get a list of possible commands.
smb: \>

Mounting a Samba share server

This approach helps to move files from the sambashare folder to the local system, edit them and add them back.

Install the cifs-utils package. On Ubuntu and Debian, run:

sudo apt install cifs-utils

Next, create a mount point:

sudo mkdir /mnt/smbmount

Mount the share using the following command:

sudo mount -t cifs -o username=username //samba_hostname_or_server_ip/sharename /mnt/smbmount

For instance:

sudo mount -t cifs -o username=ridgerun //192.168.121.118/ridgerun /mnt/smbmount

You will be prompted to enter the user password.

Password for ridgerun@//192.168.121.118/ridgerun:  ********

Add a Samba server to an external partition

These instructions are specifically to add external partitions such as SSD or SD cards.

Create a new user for the partition. For instance, it will be called "ridgerun" for this example, and the sharefolder will be located in the partition location /media/partition_name:

sudo useradd -M -d /media/partition_name -s /usr/sbin/nologin -G sambashare ridgerun

Change the ownership to ridgerun:

sudo chown ridgerun:sambashare /media/partition

Add the account to the database, and add a new password

sudo smbpasswd -a ridgerun

Enable the account:

sudo smbpasswd -e ridgerun

Edit the smb.conf file in order to add the $USER, this will fixed the lack permissions from the client side:

sudo vi /etc/samba/smb.conf

The user "nvidia" was added to the smb.conf. This is the user of the platform where the Samba server is running, for this example it was running on a Jetson Xavier AGX which user's name was "nvidia". You can find the user information under the media/partition lives by typing:

ls -l /media/

It will show you the user information and its permissions:

drwxr-xr-x 4 nvidia root 16384 dic 31  1969 partition_name

Add the user to the "force user" variable within the smb.conf. This allows to share partitions such as Solid State Disks, which usually works under some user or group permissions.

# Change this to the workgroup/NT-domain name your Samba server will part of
   workgroup = WORKGROUP
+  force user = nvidia

Note: This also helps to troubleshoot when the mounting server on the local PC throws permissions problems.

Add the new user and its location to the smb.conf file:

+[user]
+    path = /media/partition_name
+    browseable = yes
+    read only = no
+    force create mode = 0660
+    force directory mode = 2770
+    valid users = @sambashare

Finally, restart the service:

sudo service smbd restart

To connect to this new sharefolder from another location you can do it by using the smbclient or by mounting the sharefolder on a local folder. Simple implementation example

This is an example of a local PC mounting a Samba server that is running on a Jetson AGX platform. In particular, this approach is preferred over running a Samba Client on a local PC to connect to a Samba Server, due to its flexibility to edit files and directories on both ways.

  • The first step is to create a samba user on the Jetson platform. I named the user "ridgerun", for future references. Follow the steps on 3.1 Creating Samba Users section.
  • Then, edit the /etc/samba/smb.conf file by adding the recently created user to the force user directive. Like this:
# Change this to the workgroup/NT-domain name your Samba server will part of
   workgroup = WORKGROUP
   force user = ridgerun
  • Mount the Samba Server on the local PC. Follow the steps on 5. Mounting the Samba share.
sudo mount -t cifs -o username=ridgerun //192.162.100.233/ridgerun /mnt/smbmount
[sudo] password for user: 
Password for ridgerun@//192.162.100.233/ridgerun:  ******                  
  • Create a directory from the Jetson side:
root@jetson:/samba/ridgerun# mkdir Hello_Client
root@jetson:/samba/ridgerun# ls
Hello_Client
  • Now, you have access to the Samba Server running on the Jetson:
$ cd /mnt/smbmount/
$ ls
Hello_Client

You can create files and edit them on both sides:

touch hello_server.txt
vi hello_server.txt 

This simple example demonstrated how to share and edit files and directories between two platforms over a same network.









Implementation

This section aims to guide the user through the building process of the OP-TEE sources for JetPack 5.1, and add a "hello_world" Trusted Application example to them. Consider that the target platform used to implement the following steps is a Jetson Xavier AGX. Hence, commands may change depending on the target platform.

Prerequisites

  • This wiki assumes that the JetPack 5.1 sources were downloaded, built, and installed using the NVIDIA SDKManager.
  • Install the prerequisites from here: Prerequisites

Platforms

The placeholder "<platform>" indicates Jetson platforms. Its possible values are:

  • 194 = Jetson Xavier series
  • 234 = Jetson Orin series

Toolchain

Download the toolchain from Jetson release page according to your L4T version: Toolchains list .

Note: This implementation uses the 35.2.1.

Set environment variables

export CROSS_COMPILE_AARCH64_PATH=/$HOME/jp5.1-l4t-gcc

export CROSS_COMPILE_AARCH64=$CROSS_COMPILE_AARCH64_PATH/bin/aarch64-buildroot-linux-gnu-

export NV_TARGET_BOARD=194

Add the UEFI StMM image, which is usually at:

For the Jetson AGX Xavier series and the Jetson Xavier NX:

/$HOME/<$SDKManager_JetPack_sources>/<Linux_for_Tegra>/bootloader/standalonemm_optee_t194.bin

For the Jetson AGX Orin series:

/$HOME/<$SDKManager_JetPack_sources>/<Linux_for_Tegra>/bootloader/standalonemm_optee_t234.bin

Set the environment variable "UEFI_STMM_PATH":

export UEFI_STMM_PATH=<StMM image path>

Building the ATF source code

Extract the JetPack 5.1 sources:

source_sync.sh -t jetson_35.2.1 

Along with them, there should be a tegra directory where you can find the OP-TEE sources:

/$HOME/<$SDKManager_JetPack_sources>/Linux_for_Tegra/sources/tegra/optee-src

Inside of it you should see the ATF source code:

cd atf

And then, build the source code

cd arm-trusted-firmware
   make BUILD_BASE=./build \
       CROSS_COMPILE="${CROSS_COMPILE_AARCH64}" \
       DEBUG=0 LOG_LEVEL=20 PLAT=tegra SPD=opteed TARGET_SOC=t<platform> V=0
   cd ../..

After that, built files should be stored here:

/$HOME/$OPTEE_SOURCES/arm-trusted-firmware/build/tegra/t194/release

Building the OP-TEE source code

Go to the OP-TEE sources:

cd Linux_for_Tegra/sources/tegra/optee-src/nv-optee/optee

Run the script to build the OP-TEE sources:

./optee_src_build.sh -p t194

Building the OP-TEE dtb

Within the OP-TEE sources, run:

cd /$HOME/$OPTEE_SOURCES/nv-optee
dtc -I dts -O dtb -o ./optee/tegra<platform>-optee.dtb ./optee/tegra<platform>-optee.dts

This will output something like this, which is a Warning from Linaro.

./optee/tegra194-optee.dts:33.17-38.4: Warning (unit_address_format): /efuse@03820000: unit name should not have leading 0s
./optee/tegra194-optee.dts:40.15-45.4: Warning (unit_address_format): /se0@03ac0000: unit name should not have leading 0s
./optee/tegra194-optee.dts:47.20-52.4: Warning (unit_address_format): /se0-rng1@03ae0000: unit name should not have leading 0s

The new dtb file will be located at:

/$HOME/$OPTEE_SOURCES/optee

Generating the tos.img using ATF and OP-TEE sources

Go to the OP-TEE source code:

cd /$HOME/<SDKManager_JetPack_sources>/Linux_for_Tegra/sources/tegra/optee-src/nv-optee

Move the gen_tos_part_img.py script to the recent location. You can find the python script within $HOME/<SDKManager_JetPack_sources>/Linux_For_Tegra/nv_tegra/tos-scripts path.

cp $HOME/<SDKManager_JetPack_sources>/Linux_for_Tegra/nv_tegra/tos-scripts/gen_tos_part_img.py .

Run:

./gen_tos_part_img.py --monitor ./atf/arm-trusted-firmware/build/tegra/t194/release/bl31.bin --os ./nv-optee/optee/build/t194/core/tee-raw.bin --dtb ./nv-optee/optee/tegra194-optee.dtb --tostype optee ./tos.img

At the end, the output will be something like this:

Generating Trusted OS Partition Image File
Generate TOS Image File for boot-wrapper.

Two files should be created after this:

  • img.bin
  • tos.img

Flash the target platform

The recently generated tos.img should be renamed and relocated in order to start the flashing process. Go to the directory where tos.img is stored, and rename it as follows:

cd /$HOME/<SDKManager_JetPack_sources>/Linux_for_Tegra/sources/tegra/optee-src/nv-optee/optee
mv tos.img tos_t<platform>.img

Where <platform> should be rename for one of the following options: 194 or 234.

Move the new img file to the bootloader directory. This will replaced the old tos_t<platform>.img:

mv tos_t<platform>.img /$HOME/<SDKManager_JetPack_sources>/Linux_For_Tegra/bootloader

Finally, proceed to flash the target board.

Add a new Trusted Application to the OP-TEE sources

Clone the OP-TEE examples repository:

git clone https://github.com/linaro-swg/optee_examples.git

Then copy the hello_world example to the OP-TEE sources:

cd $HOME/optee_examples 
cp -r hello_world /$HOME/<SDKManager_JetPack_sources>/Linux_for_Tegra/sources/tegra/optee-src/nv-optee/optee/samples

Modify the TA root Makefile. Go to the hello_world directory within the sources:

cd /$HOME/<SDKManager_JetPack_sources>/Linux_for_Tegra/sources/tegra/optee-src/nv-optee/optee/samples/hello_world
sudo vim Makefile

Add the following changes:

-# If _HOST or _TA specific compilers are not specified, then use CROSS_COMPILE
-HOST_CROSS_COMPILE ?= $(CROSS_COMPILE)
-TA_CROSS_COMPILE ?= $(CROSS_COMPILE)
-
-.PHONY: all
-all:
-	$(MAKE) -C host CROSS_COMPILE="$(HOST_CROSS_COMPILE)" --no-builtin-variables
-	$(MAKE) -C ta CROSS_COMPILE="$(TA_CROSS_COMPILE)" LDFLAGS=""

-.PHONY: clean
-clean:
-	$(MAKE) -C host clean
-	$(MAKE) -C ta clean

+TARGET_DIR := $(notdir $(shell pwd))
+
+.PHONY: all
+all:
+	$(MAKE) -C ta \
+		CROSS_COMPILE=$(CROSS_COMPILE) \
+		TA_DEV_KIT_DIR=$(TA_DEV_KIT_DIR) \
+		O=$(O)/ta/$(TARGET_DIR)
+	$(MAKE) -C host \
+		CROSS_COMPILE=$(CROSS_COMPILE) \
+		OPTEE_CLIENT_EXPORT=$(OPTEE_CLIENT_EXPORT) \
+		O=$(O)/ca/$(TARGET_DIR) \
+		--no-builtin-variables

+.PHONY: clean
+clean:
+	$(MAKE) -C ta \
+		TA_DEV_KIT_DIR=$(TA_DEV_KIT_DIR) \
+		O=$(O)/ta/$(TARGET_DIR) \
+		clean
+	$(MAKE) -C host \
+		OPTEE_CLIENT_EXPORT=$(OPTEE_CLIENT_EXPORT) \
+		O=$(O)/ca/$(TARGET_DIR) \
+		clean
+	rm -rf $(O)/ca/$(TARGET_DIR)

Modify the Makefile within the host directory.

cd /host
sudo vim Makefile

The final file should look like this:

-CC      ?= $(CROSS_COMPILE)gcc
-LD      ?= $(CROSS_COMPILE)ld
-AR      ?= $(CROSS_COMPILE)ar
-NM      ?= $(CROSS_COMPILE)nm
-OBJCOPY ?= $(CROSS_COMPILE)objcopy
-OBJDUMP ?= $(CROSS_COMPILE)objdump
-READELF ?= $(CROSS_COMPILE)readelf
-
-OBJS = main.o
-
-CFLAGS += -Wall -I../ta/include -I$(TEEC_EXPORT)/include -I./include
-Add/link other required libraries here
-LDADD += -lteec -L$(TEEC_EXPORT)/lib
-
-BINARY = optee_example_hello_world
-
-.PHONY: all
-all: $(BINARY)
-
-$(BINARY): $(OBJS)
-	$(CC) $(LDFLAGS) -o $@ $< $(LDADD)
-
-.PHONY: clean
-clean:
-	rm -f $(OBJS) $(BINARY)

-%.o: %.c
-	$(CC) $(CFLAGS) -c $< -o $@
+
+CC ?= $(CROSS_COMPILE)gcc
+
+CFLAGS += -Wall -I../ta/include -I./include
+CFLAGS += -I$(OPTEE_CLIENT_EXPORT)/include
+CFLAGS += -fstack-protector-strong
+LDADD += -lteec -L$(OPTEE_CLIENT_EXPORT)/lib
+
+SRCS = main.c
+OBJS = $(patsubst %.c,$(O)/%.o,$(SRCS))
+BINARY = optee_example_hello_world
+
+.PHONY: all install
+all: $(BINARY) install
+
+$(BINARY): $(OBJS)
+	$(CC) -o $(O)/$@ $< $(LDADD)
+
+$(O)/%.o: %.c
+	mkdir -p $(O)
+	$(CC) $(CFLAGS) -c $< -o $@
+
+install: $(BINARY)
+	mkdir -p $(OPTEE_CLIENT_EXPORT)/sbin
+	cp $(O)/$(BINARY) $(OPTEE_CLIENT_EXPORT)/sbin
+
+.PHONY: clean
+clean:
+	rm -f $(OBJS) $(O)/$(BINARY) $(OPTEE_CLIENT_EXPORT)/sbin/$(BINARY)

Go to the /ta directory and make sure that the sub.mk includes the source and header file for the TA.

cd ta/
vim sub.mk

It should look like this:

global-incdirs-y += include
srcs-y += hello_world_ta.c

hello_world_ta.c is the source code and hello_world_ta.h lives within the include directory. Modify the Makefile inside the /ta directory.The final file should look like this:

-CFG_TEE_TA_LOG_LEVEL ?= 4
-CFG_TA_OPTEE_CORE_API_COMPAT_1_1=y

- The UUID for the Trusted Application
-BINARY=8aaaf200-2450-11e4-abe2-0002a5d5c51b

-include $(TA_DEV_KIT_DIR)/mk/ta_dev_kit.mk

-ifeq ($(wildcard $(TA_DEV_KIT_DIR)/mk/ta_dev_kit.mk), )
-clean:
-	@echo 'Note: $$(TA_DEV_KIT_DIR)/mk/ta_dev_kit.mk not found, cannot clean TA'
-	@echo 'Note: TA_DEV_KIT_DIR=$(TA_DEV_KIT_DIR)'
-endif

- Copyright (c) 2021, NVIDIA CORPORATION & AFFILIATES. All rights reserved.
- SPDX-License-Identifier: BSD-2-Clause
+
+# The UUID for the hello world TA
+BINARY=8aaaf200-2450-11e4-abe2-0002a5d5c51b
+
+include $(TA_DEV_KIT_DIR)/mk/ta_dev_kit.mk

After that, build the sources again. Follow the steps of the Building the OP-TEE source code.

After that, the output should look like this:

make[1]: Entering directory '/home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/samples/hello_world'
make -C ta \
	CROSS_COMPILE=/home/jdelgado/jp5.1-l4t-gcc/bin/aarch64-buildroot-linux-gnu- \
	TA_DEV_KIT_DIR=/home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/build/t194/export-ta_arm64/ \
	O=/home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/build/t194//ta/hello_world
make[2]: Entering directory '/home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/samples/hello_world/ta'
  CPP     /home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/build/t194//ta/hello_world/ta.lds
  CC      /home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/build/t194//ta/hello_world/hello_world_ta.o
  GEN     /home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/build/t194//ta/hello_world/dyn_list
  CC      /home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/build/t194//ta/hello_world/user_ta_header.o
  LD      /home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/build/t194//ta/hello_world/8aaaf200-2450-11e4-abe2-0002a5d5c51b.elf
  OBJDUMP /home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/build/t194//ta/hello_world/8aaaf200-2450-11e4-abe2-0002a5d5c51b.dmp
  OBJCOPY /home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/build/t194//ta/hello_world/8aaaf200-2450-11e4-abe2-0002a5d5c51b.stripped.elf
  SIGN    /home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/build/t194//ta/hello_world/8aaaf200-2450-11e4-abe2-0002a5d5c51b.ta
make[2]: Leaving directory '/home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/samples/hello_world/ta'
make -C host \
	CROSS_COMPILE=/home/jdelgado/jp5.1-l4t-gcc/bin/aarch64-buildroot-linux-gnu- \
	OPTEE_CLIENT_EXPORT=/home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/install/t194/usr \
	O=/home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/build/t194//ca/hello_world \
	--no-builtin-variables
make[2]: Entering directory '/home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/samples/hello_world/host'
mkdir -p /home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/build/t194//ca/hello_world
/home/jdelgado/jp5.1-l4t-gcc/bin/aarch64-buildroot-linux-gnu-gcc -Wall -I../ta/include -I./include -I/home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/install/t194/usr/include -fstack-protector-strong -c main.c -o /home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/build/t194//ca/hello_world/main.o
/home/jdelgado/jp5.1-l4t-gcc/bin/aarch64-buildroot-linux-gnu-gcc -o /home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/build/t194//ca/hello_world/optee_example_hello_world /home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/build/t194//ca/hello_world/main.o -lteec -L/home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/install/t194/usr/lib
mkdir -p /home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/install/t194/usr/sbin
cp /home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/build/t194//ca/hello_world/optee_example_hello_world /home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/install/t194/usr/sbin
make[2]: Leaving directory '/home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/samples/hello_world/host'
make[1]: Leaving directory '/home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/samples/hello_world'
.
.
.
.
optee sources compiled successfully.

The build process will output an optee_example_hello_world binary (from the host Makefile), and a uuid.{ta,elf,dmp,map} (from the ta Makefile). They can be found in this location:

/$HOME/<SDKManager_JetPack_sources>/Linux_for_Tegra/sources/tegra/optee-src/nv-optee/optee/build/t194/ta/hello_world

Build and flash the OP-TEE image and dtb again, as it was shown before.

Run the new Trusted Application

After building the application, copy the generated files to the Jetson platform. Go to the install directory and look for a t<platform> directory. Compress it and send it to the Jetson platform.

cd /$HOME/JetPack_5.1_Linux_JETSON_AGX_XAVIER_TARGETS/Linux_for_Tegra/sources/tegra/optee-src/nv-optee/optee
/install
tar -cvf t194.tar t194/
scp t194.tar nvidia@192.168.100.233:~/

On the Jetson platofm. Decompress the t<platform> file and copy the files and directories inside of it to its respective location on the Jetson.

Then, you are going to be able to run the trusted application.

$sudo optee_example_hello_world
Invoking TA to increment 42
TA incremented value to 43

Security Considerations

Universal User Identification (UUID)

For every TA created, an UUID must be generated and added. This UUID must be added to its corresponding header file and Makefile. To generate an UUID, there are two approaches: Using Python:

python -c 'import uuid; print(uuid.uuid4())'

Using random (Linux only):

cat /proc/sys/kernel/random/uuid # Linux only uuidgen

uuidgen is available from the util-linux package in most distributions.

Potential applications

OP-TEE OS may offer the following features in which developers can build potential applications:

  • Memory Segregation: establish memory boundaries between the rich world and the trusted world.
  • Inter-world Communication: a way to receive data, interrupts, and events from the rich world.
  • Crypto and Storage: to facilitate the cryptography and the secure storage.
  • Standardised API: inter-operable implementation of the software protocol between the rich and trusted world. Also, there needs to be a way to specify how a TA should respond to a requested functionality so that the rich world can parse it.
  • Authenticated TA Execution: Considering we will be executing an application in the trusted world, one would want that the TA itself should be trusted. Authenticating a TA before passing control to it would be a fantastic feature.

See also

Developer Guide OPTEE OP-TEE Documentation


RidgeRun Resources

Quick Start Client Engagement Process RidgeRun Blog Homepage
Technical and Sales Support RidgeRun Online Store RidgeRun Videos Contact Us

OOjs UI icon message-progressive.svg Contact Us

Visit our Main Website for the RidgeRun Products and Online Store. RidgeRun Engineering informations are available in RidgeRun Professional Services, RidgeRun Subscription Model and Client Engagement Process wiki pages. Please email to support@ridgerun.com for technical questions and contactus@ridgerun.com for other queries. Contact details for sponsoring the RidgeRun GStreamer projects are available in Sponsor Projects page. Ridgerun-logo.svg
RR Contact Us.png