|
|
Line 1: |
Line 1: |
| <seo title=" Implementation of a Trusted Application using OP-TEE and JetPack5.1 | Jetson Xavier AGX" titlemode="replace" metakeywords=" OP-TEE, optee, Trusted, Linux SDK, Linux BSP, Embedded Linux, Device Drivers, Nvidia, JetPack, Embedded Linux driver development, Linux Software development, Embedded Linux SDK, Embedded Linux Application development, Jetson, Xavier, AGX, Jetson xavier AGX, NVIDIA Jetson Xavier, security, secure" metadescription="This wiki page provides information regarding the Implementation of a Trusted Application using OP-TEE and JetPack5.1."></seo> | | <seo title=" Running a Samba Server on Jetson platforms | Jetson Xavier AGX" titlemode="replace" metakeywords=" Samba, samba, server, Linux SDK, Linux BSP, Embedded Linux, Device Drivers, Nvidia, JetPack, Embedded Linux driver development, Linux Software development, Embedded Linux SDK, Embedded Linux Application development, Jetson, Xavier, AGX, Jetson xavier AGX, NVIDIA Jetson Xavier, fileshare, share, security, secure" metadescription="This wiki page provides information regarding the how to run a Samba Server on Jetson platforms."></seo> |
|
| |
|
| <table> | | <table> |
Line 395: |
Line 395: |
|
| |
|
| This simple example demonstrated how to share and edit files and directories between two platforms over a same network. | | This simple example demonstrated how to share and edit files and directories between two platforms over a same network. |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
| == Implementation ==
| |
| This section aims to guide the user through the building process of the OP-TEE sources for JetPack 5.1, and add a "hello_world" Trusted Application example to them. Consider that the target platform used to implement the following steps is a Jetson Xavier AGX. Hence, commands may change depending on the target platform.
| |
|
| |
| === Prerequisites ===
| |
| * This wiki assumes that the JetPack 5.1 sources were downloaded, built, and installed using the NVIDIA SDKManager.
| |
| * Install the prerequisites from here: [https://optee.readthedocs.io/en/latest/building/prerequisites.html Prerequisites]
| |
|
| |
| === Platforms ===
| |
| The placeholder "<platform>" indicates Jetson platforms. Its possible values are:
| |
| * 194 = Jetson Xavier series
| |
| * 234 = Jetson Orin series
| |
|
| |
| === Toolchain ===
| |
|
| |
| Download the toolchain from Jetson release page according to your L4T version: [https://developer.nvidia.com/embedded/jetson-linux-archive Toolchains list] .
| |
|
| |
| '''Note:''' This implementation uses the 35.2.1.
| |
|
| |
| === Set environment variables ===
| |
| <pre>
| |
| export CROSS_COMPILE_AARCH64_PATH=/$HOME/jp5.1-l4t-gcc
| |
|
| |
| export CROSS_COMPILE_AARCH64=$CROSS_COMPILE_AARCH64_PATH/bin/aarch64-buildroot-linux-gnu-
| |
|
| |
| export NV_TARGET_BOARD=194
| |
| </pre>
| |
|
| |
| Add the UEFI StMM image, which is usually at:
| |
|
| |
| For the Jetson AGX Xavier series and the Jetson Xavier NX:
| |
| <pre>
| |
| /$HOME/<$SDKManager_JetPack_sources>/<Linux_for_Tegra>/bootloader/standalonemm_optee_t194.bin
| |
| </pre>
| |
|
| |
| For the Jetson AGX Orin series:
| |
| <pre>
| |
| /$HOME/<$SDKManager_JetPack_sources>/<Linux_for_Tegra>/bootloader/standalonemm_optee_t234.bin
| |
| </pre>
| |
|
| |
| Set the environment variable "UEFI_STMM_PATH":
| |
| <pre>
| |
| export UEFI_STMM_PATH=<StMM image path>
| |
| </pre>
| |
|
| |
| === Building the ATF source code ===
| |
| Extract the JetPack 5.1 sources:
| |
| <pre>
| |
| source_sync.sh -t jetson_35.2.1
| |
| </pre>
| |
|
| |
| Along with them, there should be a tegra directory where you can find the OP-TEE sources:
| |
| <pre>
| |
| /$HOME/<$SDKManager_JetPack_sources>/Linux_for_Tegra/sources/tegra/optee-src
| |
| </pre>
| |
|
| |
| Inside of it you should see the ATF source code:
| |
| <pre>
| |
| cd atf
| |
| </pre>
| |
|
| |
| And then, build the source code
| |
| <pre>
| |
| cd arm-trusted-firmware
| |
| make BUILD_BASE=./build \
| |
| CROSS_COMPILE="${CROSS_COMPILE_AARCH64}" \
| |
| DEBUG=0 LOG_LEVEL=20 PLAT=tegra SPD=opteed TARGET_SOC=t<platform> V=0
| |
| cd ../..
| |
| </pre>
| |
|
| |
| After that, built files should be stored here:
| |
| <pre>
| |
| /$HOME/$OPTEE_SOURCES/arm-trusted-firmware/build/tegra/t194/release
| |
| </pre>
| |
|
| |
| === Building the OP-TEE source code ===
| |
|
| |
| Go to the OP-TEE sources:
| |
| <pre>
| |
| cd Linux_for_Tegra/sources/tegra/optee-src/nv-optee/optee
| |
| </pre>
| |
|
| |
| Run the script to build the OP-TEE sources:
| |
| <pre>
| |
| ./optee_src_build.sh -p t194
| |
| </pre>
| |
|
| |
| === Building the OP-TEE dtb ===
| |
|
| |
| Within the OP-TEE sources, run:
| |
| <pre>
| |
| cd /$HOME/$OPTEE_SOURCES/nv-optee
| |
| dtc -I dts -O dtb -o ./optee/tegra<platform>-optee.dtb ./optee/tegra<platform>-optee.dts
| |
| </pre>
| |
|
| |
| This will output something like this, which is a Warning from Linaro.
| |
| <pre>
| |
| ./optee/tegra194-optee.dts:33.17-38.4: Warning (unit_address_format): /efuse@03820000: unit name should not have leading 0s
| |
| ./optee/tegra194-optee.dts:40.15-45.4: Warning (unit_address_format): /se0@03ac0000: unit name should not have leading 0s
| |
| ./optee/tegra194-optee.dts:47.20-52.4: Warning (unit_address_format): /se0-rng1@03ae0000: unit name should not have leading 0s
| |
| </pre>
| |
|
| |
| The new dtb file will be located at:
| |
| <pre>
| |
| /$HOME/$OPTEE_SOURCES/optee
| |
| </pre>
| |
|
| |
| === Generating the tos.img using ATF and OP-TEE sources ===
| |
|
| |
| Go to the OP-TEE source code:
| |
| <pre>
| |
| cd /$HOME/<SDKManager_JetPack_sources>/Linux_for_Tegra/sources/tegra/optee-src/nv-optee
| |
| </pre>
| |
|
| |
| Move the '''gen_tos_part_img.py''' script to the recent location. You can find the python script within '''$HOME/<SDKManager_JetPack_sources>/Linux_For_Tegra/nv_tegra/tos-scripts''' path.
| |
| <pre>
| |
| cp $HOME/<SDKManager_JetPack_sources>/Linux_for_Tegra/nv_tegra/tos-scripts/gen_tos_part_img.py .
| |
| </pre>
| |
|
| |
| Run:
| |
| <pre>
| |
| ./gen_tos_part_img.py --monitor ./atf/arm-trusted-firmware/build/tegra/t194/release/bl31.bin --os ./nv-optee/optee/build/t194/core/tee-raw.bin --dtb ./nv-optee/optee/tegra194-optee.dtb --tostype optee ./tos.img
| |
| </pre>
| |
|
| |
| At the end, the output will be something like this:
| |
| <pre>
| |
| Generating Trusted OS Partition Image File
| |
| Generate TOS Image File for boot-wrapper.
| |
| </pre>
| |
|
| |
| Two files should be created after this:
| |
| * img.bin
| |
| * tos.img
| |
|
| |
| === Flash the target platform ===
| |
|
| |
| The recently generated tos.img should be renamed and relocated in order to start the flashing process. Go to the directory where tos.img is stored, and rename it as follows:
| |
| <pre>
| |
| cd /$HOME/<SDKManager_JetPack_sources>/Linux_for_Tegra/sources/tegra/optee-src/nv-optee/optee
| |
| mv tos.img tos_t<platform>.img
| |
| </pre>
| |
|
| |
| Where <platform> should be rename for one of the following options: 194 or 234.
| |
|
| |
| Move the new img file to the bootloader directory. This will replaced the old tos_t<platform>.img:
| |
| <pre>
| |
| mv tos_t<platform>.img /$HOME/<SDKManager_JetPack_sources>/Linux_For_Tegra/bootloader
| |
| </pre>
| |
|
| |
| Finally, proceed to flash the target board.
| |
|
| |
| == Add a new Trusted Application to the OP-TEE sources ==
| |
|
| |
| Clone the OP-TEE examples repository:
| |
| <pre>
| |
| git clone https://github.com/linaro-swg/optee_examples.git
| |
| </pre>
| |
|
| |
| Then copy the '''hello_world''' example to the OP-TEE sources:
| |
| <pre>
| |
| cd $HOME/optee_examples
| |
| cp -r hello_world /$HOME/<SDKManager_JetPack_sources>/Linux_for_Tegra/sources/tegra/optee-src/nv-optee/optee/samples
| |
| </pre>
| |
|
| |
| Modify the TA root Makefile. Go to the hello_world directory within the sources:
| |
| <pre>
| |
| cd /$HOME/<SDKManager_JetPack_sources>/Linux_for_Tegra/sources/tegra/optee-src/nv-optee/optee/samples/hello_world
| |
| sudo vim Makefile
| |
| </pre>
| |
|
| |
| Add the following changes:
| |
| <pre>
| |
| -# If _HOST or _TA specific compilers are not specified, then use CROSS_COMPILE
| |
| -HOST_CROSS_COMPILE ?= $(CROSS_COMPILE)
| |
| -TA_CROSS_COMPILE ?= $(CROSS_COMPILE)
| |
| -
| |
| -.PHONY: all
| |
| -all:
| |
| - $(MAKE) -C host CROSS_COMPILE="$(HOST_CROSS_COMPILE)" --no-builtin-variables
| |
| - $(MAKE) -C ta CROSS_COMPILE="$(TA_CROSS_COMPILE)" LDFLAGS=""
| |
|
| |
| -.PHONY: clean
| |
| -clean:
| |
| - $(MAKE) -C host clean
| |
| - $(MAKE) -C ta clean
| |
|
| |
| +TARGET_DIR := $(notdir $(shell pwd))
| |
| +
| |
| +.PHONY: all
| |
| +all:
| |
| + $(MAKE) -C ta \
| |
| + CROSS_COMPILE=$(CROSS_COMPILE) \
| |
| + TA_DEV_KIT_DIR=$(TA_DEV_KIT_DIR) \
| |
| + O=$(O)/ta/$(TARGET_DIR)
| |
| + $(MAKE) -C host \
| |
| + CROSS_COMPILE=$(CROSS_COMPILE) \
| |
| + OPTEE_CLIENT_EXPORT=$(OPTEE_CLIENT_EXPORT) \
| |
| + O=$(O)/ca/$(TARGET_DIR) \
| |
| + --no-builtin-variables
| |
|
| |
| +.PHONY: clean
| |
| +clean:
| |
| + $(MAKE) -C ta \
| |
| + TA_DEV_KIT_DIR=$(TA_DEV_KIT_DIR) \
| |
| + O=$(O)/ta/$(TARGET_DIR) \
| |
| + clean
| |
| + $(MAKE) -C host \
| |
| + OPTEE_CLIENT_EXPORT=$(OPTEE_CLIENT_EXPORT) \
| |
| + O=$(O)/ca/$(TARGET_DIR) \
| |
| + clean
| |
| + rm -rf $(O)/ca/$(TARGET_DIR)
| |
| </pre>
| |
|
| |
| Modify the Makefile within the host directory.
| |
| <pre>
| |
| cd /host
| |
| sudo vim Makefile
| |
|
| |
| The final file should look like this:
| |
|
| |
| -CC ?= $(CROSS_COMPILE)gcc
| |
| -LD ?= $(CROSS_COMPILE)ld
| |
| -AR ?= $(CROSS_COMPILE)ar
| |
| -NM ?= $(CROSS_COMPILE)nm
| |
| -OBJCOPY ?= $(CROSS_COMPILE)objcopy
| |
| -OBJDUMP ?= $(CROSS_COMPILE)objdump
| |
| -READELF ?= $(CROSS_COMPILE)readelf
| |
| -
| |
| -OBJS = main.o
| |
| -
| |
| -CFLAGS += -Wall -I../ta/include -I$(TEEC_EXPORT)/include -I./include
| |
| -Add/link other required libraries here
| |
| -LDADD += -lteec -L$(TEEC_EXPORT)/lib
| |
| -
| |
| -BINARY = optee_example_hello_world
| |
| -
| |
| -.PHONY: all
| |
| -all: $(BINARY)
| |
| -
| |
| -$(BINARY): $(OBJS)
| |
| - $(CC) $(LDFLAGS) -o $@ $< $(LDADD)
| |
| -
| |
| -.PHONY: clean
| |
| -clean:
| |
| - rm -f $(OBJS) $(BINARY)
| |
|
| |
| -%.o: %.c
| |
| - $(CC) $(CFLAGS) -c $< -o $@
| |
| +
| |
| +CC ?= $(CROSS_COMPILE)gcc
| |
| +
| |
| +CFLAGS += -Wall -I../ta/include -I./include
| |
| +CFLAGS += -I$(OPTEE_CLIENT_EXPORT)/include
| |
| +CFLAGS += -fstack-protector-strong
| |
| +LDADD += -lteec -L$(OPTEE_CLIENT_EXPORT)/lib
| |
| +
| |
| +SRCS = main.c
| |
| +OBJS = $(patsubst %.c,$(O)/%.o,$(SRCS))
| |
| +BINARY = optee_example_hello_world
| |
| +
| |
| +.PHONY: all install
| |
| +all: $(BINARY) install
| |
| +
| |
| +$(BINARY): $(OBJS)
| |
| + $(CC) -o $(O)/$@ $< $(LDADD)
| |
| +
| |
| +$(O)/%.o: %.c
| |
| + mkdir -p $(O)
| |
| + $(CC) $(CFLAGS) -c $< -o $@
| |
| +
| |
| +install: $(BINARY)
| |
| + mkdir -p $(OPTEE_CLIENT_EXPORT)/sbin
| |
| + cp $(O)/$(BINARY) $(OPTEE_CLIENT_EXPORT)/sbin
| |
| +
| |
| +.PHONY: clean
| |
| +clean:
| |
| + rm -f $(OBJS) $(O)/$(BINARY) $(OPTEE_CLIENT_EXPORT)/sbin/$(BINARY)
| |
| </pre>
| |
|
| |
| Go to the /ta directory and make sure that the sub.mk includes the source and header file for the TA.
| |
| <pre>
| |
| cd ta/
| |
| vim sub.mk
| |
| </pre>
| |
|
| |
| It should look like this:
| |
| <pre>
| |
| global-incdirs-y += include
| |
| srcs-y += hello_world_ta.c
| |
| </pre>
| |
|
| |
| hello_world_ta.c is the source code and hello_world_ta.h lives within the include directory.
| |
| Modify the Makefile inside the /ta directory.The final file should look like this:
| |
| <pre>
| |
| -CFG_TEE_TA_LOG_LEVEL ?= 4
| |
| -CFG_TA_OPTEE_CORE_API_COMPAT_1_1=y
| |
|
| |
| - The UUID for the Trusted Application
| |
| -BINARY=8aaaf200-2450-11e4-abe2-0002a5d5c51b
| |
|
| |
| -include $(TA_DEV_KIT_DIR)/mk/ta_dev_kit.mk
| |
|
| |
| -ifeq ($(wildcard $(TA_DEV_KIT_DIR)/mk/ta_dev_kit.mk), )
| |
| -clean:
| |
| - @echo 'Note: $$(TA_DEV_KIT_DIR)/mk/ta_dev_kit.mk not found, cannot clean TA'
| |
| - @echo 'Note: TA_DEV_KIT_DIR=$(TA_DEV_KIT_DIR)'
| |
| -endif
| |
|
| |
| - Copyright (c) 2021, NVIDIA CORPORATION & AFFILIATES. All rights reserved.
| |
| - SPDX-License-Identifier: BSD-2-Clause
| |
| +
| |
| +# The UUID for the hello world TA
| |
| +BINARY=8aaaf200-2450-11e4-abe2-0002a5d5c51b
| |
| +
| |
| +include $(TA_DEV_KIT_DIR)/mk/ta_dev_kit.mk
| |
| </pre>
| |
|
| |
| After that, build the sources again. Follow the steps of the Building the OP-TEE source code.
| |
|
| |
| After that, the output should look like this:
| |
| <pre>
| |
| make[1]: Entering directory '/home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/samples/hello_world'
| |
| make -C ta \
| |
| CROSS_COMPILE=/home/jdelgado/jp5.1-l4t-gcc/bin/aarch64-buildroot-linux-gnu- \
| |
| TA_DEV_KIT_DIR=/home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/build/t194/export-ta_arm64/ \
| |
| O=/home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/build/t194//ta/hello_world
| |
| make[2]: Entering directory '/home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/samples/hello_world/ta'
| |
| CPP /home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/build/t194//ta/hello_world/ta.lds
| |
| CC /home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/build/t194//ta/hello_world/hello_world_ta.o
| |
| GEN /home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/build/t194//ta/hello_world/dyn_list
| |
| CC /home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/build/t194//ta/hello_world/user_ta_header.o
| |
| LD /home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/build/t194//ta/hello_world/8aaaf200-2450-11e4-abe2-0002a5d5c51b.elf
| |
| OBJDUMP /home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/build/t194//ta/hello_world/8aaaf200-2450-11e4-abe2-0002a5d5c51b.dmp
| |
| OBJCOPY /home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/build/t194//ta/hello_world/8aaaf200-2450-11e4-abe2-0002a5d5c51b.stripped.elf
| |
| SIGN /home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/build/t194//ta/hello_world/8aaaf200-2450-11e4-abe2-0002a5d5c51b.ta
| |
| make[2]: Leaving directory '/home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/samples/hello_world/ta'
| |
| make -C host \
| |
| CROSS_COMPILE=/home/jdelgado/jp5.1-l4t-gcc/bin/aarch64-buildroot-linux-gnu- \
| |
| OPTEE_CLIENT_EXPORT=/home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/install/t194/usr \
| |
| O=/home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/build/t194//ca/hello_world \
| |
| --no-builtin-variables
| |
| make[2]: Entering directory '/home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/samples/hello_world/host'
| |
| mkdir -p /home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/build/t194//ca/hello_world
| |
| /home/jdelgado/jp5.1-l4t-gcc/bin/aarch64-buildroot-linux-gnu-gcc -Wall -I../ta/include -I./include -I/home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/install/t194/usr/include -fstack-protector-strong -c main.c -o /home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/build/t194//ca/hello_world/main.o
| |
| /home/jdelgado/jp5.1-l4t-gcc/bin/aarch64-buildroot-linux-gnu-gcc -o /home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/build/t194//ca/hello_world/optee_example_hello_world /home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/build/t194//ca/hello_world/main.o -lteec -L/home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/install/t194/usr/lib
| |
| mkdir -p /home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/install/t194/usr/sbin
| |
| cp /home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/build/t194//ca/hello_world/optee_example_hello_world /home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/install/t194/usr/sbin
| |
| make[2]: Leaving directory '/home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/samples/hello_world/host'
| |
| make[1]: Leaving directory '/home/jdelgado/JetPack5.1/Linux_for_Tegra/source/public/tos_image/nvidia-jetson-optee-source/optee/samples/hello_world'
| |
| .
| |
| .
| |
| .
| |
| .
| |
| optee sources compiled successfully.
| |
| </pre>
| |
|
| |
| The build process will output an optee_example_hello_world binary (from the host Makefile), and a uuid.{ta,elf,dmp,map} (from the ta Makefile). They can be found in this location:
| |
| <pre>
| |
| /$HOME/<SDKManager_JetPack_sources>/Linux_for_Tegra/sources/tegra/optee-src/nv-optee/optee/build/t194/ta/hello_world
| |
| </pre>
| |
|
| |
| Build and flash the OP-TEE image and dtb again, as it was shown before.
| |
|
| |
| === Run the new Trusted Application ===
| |
|
| |
| After building the application, copy the generated files to the Jetson platform. Go to the install directory and look for a t<platform> directory. Compress it and send it to the Jetson platform.
| |
| <pre>
| |
| cd /$HOME/JetPack_5.1_Linux_JETSON_AGX_XAVIER_TARGETS/Linux_for_Tegra/sources/tegra/optee-src/nv-optee/optee
| |
| /install
| |
| tar -cvf t194.tar t194/
| |
| scp t194.tar nvidia@192.168.100.233:~/
| |
| </pre>
| |
|
| |
| On the Jetson platofm. Decompress the t<platform> file and copy the files and directories inside of it to its respective location on the Jetson.
| |
|
| |
| Then, you are going to be able to run the trusted application.
| |
| <pre>
| |
| $sudo optee_example_hello_world
| |
| Invoking TA to increment 42
| |
| TA incremented value to 43
| |
| </pre>
| |
|
| |
| === Security Considerations ===
| |
| ==== Universal User Identification (UUID) ====
| |
| For every TA created, an UUID must be generated and added. This UUID must be added to its corresponding header file and Makefile. To generate an UUID, there are two approaches:
| |
| '''Using Python:'''
| |
| <pre>
| |
| python -c 'import uuid; print(uuid.uuid4())'
| |
| </pre>
| |
|
| |
| '''Using random (Linux only):'''
| |
| <pre>
| |
| cat /proc/sys/kernel/random/uuid # Linux only uuidgen
| |
| </pre>
| |
|
| |
| uuidgen is available from the util-linux package in most distributions.
| |
|
| |
| === Potential applications ===
| |
|
| |
| OP-TEE OS may offer the following features in which developers can build potential applications:
| |
| * Memory Segregation: establish memory boundaries between the rich world and the trusted world.
| |
| * Inter-world Communication: a way to receive data, interrupts, and events from the rich world.
| |
| * Crypto and Storage: to facilitate the cryptography and the secure storage.
| |
| * Standardised API: inter-operable implementation of the software protocol between the rich and trusted world. Also, there needs to be a way to specify how a TA should respond to a requested functionality so that the rich world can parse it.
| |
| * Authenticated TA Execution: Considering we will be executing an application in the trusted world, one would want that the TA itself should be trusted. Authenticating a TA before passing control to it would be a fantastic feature.
| |
|
| |
| == See also ==
| |
| [https://docs.nvidia.com/jetson/archives/r34.1/DeveloperGuide/text/SD/Security/OpTee.html Developer Guide OPTEE]
| |
| [https://optee.readthedocs.io/en/latest/index.html OP-TEE Documentation]
| |
|
| |
|
| {{ContactUs}} | | {{ContactUs}} |
|
| |
|
| [[Category:Jetson]][[Category:Jetson Security OP-TEE]][[Category:Maxim]] | | [[Category:Jetson]][[Category:AGX]][[Category:Xavier]] |
About Samba
Samba is the standard Windows interoperability suite of programs for Linux and Unix. It turns out to be an interesting option to share files and scripts between devices over a network.
Some advantages provided could be that:
- It provides file sharing and print services for computers on a network.
- It uses the Server Message Block and Common Internet File System (SMB/CIFS) protocol.
- Samba can be available on Linux, macOS, and Windows clients.
- It is an easy, flexible, cross-platform, and open source collaboration approach across an organization.
- It is platform agnostic (as it was mentioned, it can run in several operated systems).
- It can run on terminal or using a GUI.
This wiki explains:
- How to install Samba on Ubuntu
- How to configure it as a standalone server to provide file sharing between a Jetson and a local PC, over a network.
- How to use the Samba client
- How to mount a Samba server on a local PC directory.
- How to connect to a Samba server using a Samba client.
The implementation and steps provided on this wiki were tested on a Jetson Xavier AGX running JetPack 5.0.2 and 5.1.
Prerequisites
Update the apt packages index:
sudo apt update
Install the Samba package:
sudo apt install samba
After that, the Samba service will start automatically. Check whether the Samba server is running:
sudo systemctl status smbd
Getting started
Configuring Global Samba Options
Create a backup of the smb.conf file, this could help to get back to the default settings in the future:
sudo cp /etc/samba/smb.conf{,.backup}
Open the file and make sure that the server role is set to "standalone server":
sudo vim /etc/samba/smb.conf
...
# Most people will want "standalone sever" or "member server".
# Running as "active directory domain controller" will require first
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
server role = standalone server
...
Restart the Samba services with:
sudo systemctl restart smbd
sudo systemctl restart nmbd
Creating Samba Users and Directory Structure
Samba directories and its data can be located everywhere across the filesystem. For this case, directory structure will be located under the /samba path. Using the /samba directory instead of using the standard home directories (/home/$USER) allows easier maintainability and flexibility.
Create the /samba directory:
sudo mkdir /samba
Set the group ownership to "sambashare". This group is created during the Samba installation.
sudo chgrp sambashare /samba
Creating Samba Users
This section helps to create a regular user that has its private file share and one administrative account with read and write access to all shares on the Samba server.
To create a new user named "ridgerun", use the following command:
sudo useradd -M -d /samba/ridgerun -s /usr/sbin/nologin -G sambashare ridgerun
The useradd options have the following meanings:
- M: -do not create the user’s home directory.
- d: /samba/ridgerun - set the user’s home directory to /samba/ridgerun.
- s: /usr/sbin/nologin - disable shell access for this user.
- G: sambashare - add the user to the sambashare group.
Create the user’s home directory and set the directory ownership to user ridgerun and group sambashare:
sudo mkdir /samba/ridgerun
sudo chown ridgerun:sambashare /samba/ridgerun
Set the directory’s permissions to 2770, this allows the sadmin user(a group that will be created later during this wiki) to create a new file that the user "ridgerun" will be able to read/write.
sudo chmod 2770 /samba/ridgerun
Add the "ridgerun" user account to the Samba database by setting the user password:
sudo smbpasswd -a ridgerun
Samba uses Linux users and group permission system but is has its own authentication mechanism separate from the standard Linux authentication. You will be prompted to enter and confirm the user password:
New SMB password:
Retype new SMB password:
Added user ridgerun.
Enable the Samba account run:
sudo smbpasswd -e ridgerun
Output
Enabled user ridgerun.
Change permissions on the Samba shared file:
sudo chmod 2770 /samba/ridgerun
To create another user repeat the same process as was shown before.
Create an user and group sadmin
All members of this group, sadmin, will have administrative permissions. Later if you want to grant administrative permissions to another user simply add that user to the sadmin group.
Create the administrative user:
sudo useradd -M -d /samba/users -s /usr/sbin/nologin -G sambashare sadmin
This creates a group sadmin and add the user "users" to both sadmin and sambashare groups.
Set a password and enable the user:
sudo smbpasswd -a sadmin
sudo smbpasswd -e sadmin
Create the Users share directory:
sudo mkdir /samba/users
Set the directory ownership to user sadmin and group sambashare:
sudo chown sadmin:sambashare /samba/users
This directory will be accessible by all authenticated users. The following chmod command gives write/read access to members of the sambashare group in the /samba/users directory:
sudo chmod 2770 /samba/users
Configuring Samba Shares
The /etc/samba/smb.conf file allows to edit the configuration of the samba sharefolders, by adding them as below:
+[users]
+ path = /samba/users
+ browseable = yes
+ read only = no
+ force create mode = 0660
+ force directory mode = 2770
+ valid users = @sambashare @sadmin
+[ridgerun]
+ path = /samba/ridgerun
+ browseable = no
+ read only = no
+ force create mode = 0660
+ force directory mode = 2770
+ valid users = ridgerun @sadmin
- [users] and [ridgerun]: The names of the share users that you will use when logging in.
- path: The path to the share directory.
- browseable: Whether the share should be listed in the available shares list. By configuring it as "no" other users will not be able to see the share.
- read only: Whether the users specified in the valid users list are able to write to this share.
- force create mode: Sets the permissions for the newly created files in this share.
- force directory mode: Sets the permissions for the newly created directories in this share.
- valid users: A list of users and groups that are allowed to access the share.
Note: Groups are prefixed with the "@" symbol.
Once the configuration file is ready, restart the Samba services with:
sudo systemctl restart smbd
sudo systemctl restart nmbd
Connecting to a SambaShare from Linux Client
Access the samba share from the command line, using the file manager or mount the Samba share can be done. This section explains how to access to a sharefolder using smbclient client.
smbclient is a tool that allows you to access Samba from the command line. It is a package that is not pre-installed on most Linux distributions, so it must be installed using distribution package managers.
To install smbclient on Ubuntu and Debian, run:
sudo apt install smbclient
The syntax to access a Samba share is:
smbclient //samba_hostname_or_server_ip/share_name -U username
For example to connect to a share named ridgerun, on a Samba server with IP address 192.168.121.118, as user ridgerun, then the appropriate command to do that will be:
smbclient //192.168.121.118/ridgerun -U ridgerun
A password output will be prompted. Enter the password assigned before:
Enter WORKGROUP\ridgerun's password:
Once the password is entered, you will be logged into the Samba command line interface.
Try "help" to get a list of possible commands.
smb: \>
Mounting a Samba share server
This approach helps to move files from the sambashare folder to the local system, edit them and add them back.
Install the cifs-utils package. On Ubuntu and Debian, run:
sudo apt install cifs-utils
Next, create a mount point:
sudo mkdir /mnt/smbmount
Mount the share using the following command:
sudo mount -t cifs -o username=username //samba_hostname_or_server_ip/sharename /mnt/smbmount
For instance:
sudo mount -t cifs -o username=ridgerun //192.168.121.118/ridgerun /mnt/smbmount
You will be prompted to enter the user password.
Password for ridgerun@//192.168.121.118/ridgerun: ********
Add a Samba server to an external partition
These instructions are specifically to add external partitions such as SSD or SD cards.
Create a new user for the partition. For instance, it will be called "ridgerun" for this example, and the sharefolder will be located in the partition location /media/partition_name:
sudo useradd -M -d /media/partition_name -s /usr/sbin/nologin -G sambashare ridgerun
Change the ownership to ridgerun:
sudo chown ridgerun:sambashare /media/partition
Add the account to the database, and add a new password
sudo smbpasswd -a ridgerun
Enable the account:
sudo smbpasswd -e ridgerun
Edit the smb.conf file in order to add the $USER, this will fixed the lack permissions from the client side:
sudo vi /etc/samba/smb.conf
The user "nvidia" was added to the smb.conf. This is the user of the platform where the Samba server is running, for this example it was running on a Jetson Xavier AGX which user's name was "nvidia". You can find the user information under the media/partition lives by typing:
ls -l /media/
It will show you the user information and its permissions:
drwxr-xr-x 4 nvidia root 16384 dic 31 1969 partition_name
Add the user to the "force user" variable within the smb.conf. This allows to share partitions such as Solid State Disks, which usually works under some user or group permissions.
# Change this to the workgroup/NT-domain name your Samba server will part of
workgroup = WORKGROUP
+ force user = nvidia
Note: This also helps to troubleshoot when the mounting server on the local PC throws permissions problems.
Add the new user and its location to the smb.conf file:
+[user]
+ path = /media/partition_name
+ browseable = yes
+ read only = no
+ force create mode = 0660
+ force directory mode = 2770
+ valid users = @sambashare
Finally, restart the service:
sudo service smbd restart
To connect to this new sharefolder from another location you can do it by using the smbclient or by mounting the sharefolder on a local folder.
Simple implementation example
This is an example of a local PC mounting a Samba server that is running on a Jetson AGX platform. In particular, this approach is preferred over running a Samba Client on a local PC to connect to a Samba Server, due to its flexibility to edit files and directories on both ways.
- The first step is to create a samba user on the Jetson platform. I named the user "ridgerun", for future references. Follow the steps on 3.1 Creating Samba Users section.
- Then, edit the /etc/samba/smb.conf file by adding the recently created user to the force user directive. Like this:
# Change this to the workgroup/NT-domain name your Samba server will part of
workgroup = WORKGROUP
force user = ridgerun
- Mount the Samba Server on the local PC. Follow the steps on 5. Mounting the Samba share.
sudo mount -t cifs -o username=ridgerun //192.162.100.233/ridgerun /mnt/smbmount
[sudo] password for user:
Password for ridgerun@//192.162.100.233/ridgerun: ******
- Create a directory from the Jetson side:
root@jetson:/samba/ridgerun# mkdir Hello_Client
root@jetson:/samba/ridgerun# ls
Hello_Client
- Now, you have access to the Samba Server running on the Jetson:
$ cd /mnt/smbmount/
$ ls
Hello_Client
You can create files and edit them on both sides:
touch hello_server.txt
vi hello_server.txt
This simple example demonstrated how to share and edit files and directories between two platforms over a same network.