OP-TEE / optee_os

Trusted side of the TEE

Is reboot required to update a TA in Linux filesystem on OP-TEE? #7098

Open ancientmodern opened 3 weeks ago

ancientmodern commented 3 weeks ago

Hi all,

We are working on OP-TEE on our Jetson Orin to enhance security in our autonomous driving systems. However, the OP-TEE bundled with our Jetson Orin source package is slightly old (v.3.19.0), e.g. the bundled pkcs11 TA does not support hidden EC points, so I needed to patch this commit, which has resolved the issue.

Now, we're preparing to deploy this updated TA across our fleet. However, the behavior I observed when an updated TA takes effect seems a bit unexpected:

  1. If the system is initially booted with the original (or modified version, whatever) pkcs11 TA, it continues to use this version even if I replace or remove it from /lib/optee_armtz.
  2. If the system is booted without any pkcs11 TA, the pkcs11 client understandably fails to work. Once I copy a pkcs11 TA to /lib/optee_armtz, it starts functioning immediately. From that point on, even if I replace or remove the TA, the system continues to use the first one loaded.
  3. In practice, it seems that to update an already loaded TA, a full system reboot is required.

Could anyone explain the underlying mechanisms behind this behavior? I’d like to find the best practice for updating an existing pkcs11 TA in OP-TEE.

Thank you in advance :)

ivila commented 3 weeks ago

You may check the TA_FLAGS in user_ta_header_defines.h of the pkcs11 TA. It defines single instance (only one will be loaded), multiple session (can handle multiple sessions), and keep alive (once loaded, kept in memory until TEE restart).

And for reference: Global Platform Properties
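The following is an added example, not part of the thread and not OP-TEE source: a simplified C model of how the three flags named above decide whether a replaced file in /lib/optee_armtz is picked up by the next session. The flag values are those in OP-TEE's user_ta_header.h; `struct ta_model`, `open_session`, `close_session` and `version_after_file_swap` are hypothetical names, and the version numbers are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Flag values as defined in OP-TEE's user_ta_header.h */
#define TA_FLAG_SINGLE_INSTANCE     (1 << 2)
#define TA_FLAG_MULTI_SESSION       (1 << 3)
#define TA_FLAG_INSTANCE_KEEP_ALIVE (1 << 4)

/* Hypothetical model state, not an OP-TEE structure */
struct ta_model {
    uint32_t flags;      /* TA_FLAGS of the TA */
    int on_disk_version; /* file in /lib/optee_armtz, 0 = absent */
    int loaded_version;  /* instance in secure memory, 0 = none */
    int sessions;        /* sessions open on that instance */
};

/* Returns the TA version serving the new session, 0 if it cannot open. */
int open_session(struct ta_model *ta)
{
    if (!(ta->flags & TA_FLAG_SINGLE_INSTANCE))
        return ta->on_disk_version;               /* fresh instance per session */
    if (ta->loaded_version == 0)
        ta->loaded_version = ta->on_disk_version; /* first load from REE FS */
    else if (ta->sessions > 0 && !(ta->flags & TA_FLAG_MULTI_SESSION))
        return 0;                                 /* instance is busy */
    if (ta->loaded_version == 0)
        return 0;                                 /* no TA file to load */
    ta->sessions++;
    return ta->loaded_version;
}

void close_session(struct ta_model *ta)
{
    if (ta->sessions > 0 && --ta->sessions == 0 &&
        !(ta->flags & TA_FLAG_INSTANCE_KEEP_ALIVE))
        ta->loaded_version = 0; /* last session gone: instance destroyed */
}

/* Boot with v1 on disk, use it, close, replace the file with v2, reopen. */
int version_after_file_swap(uint32_t flags)
{
    struct ta_model ta = { flags, 1, 0, 0 };
    open_session(&ta);
    close_session(&ta);
    ta.on_disk_version = 2;
    return open_session(&ta);
}

int main(void) { printf("v%d\n", version_after_file_swap(0x1c)); return 0; }
```

With all three flags set (0x1c), the model keeps serving version 1 after the file is replaced, which matches the behaviour reported in the question; a fleet rollout therefore has to treat the patched TA as not in effect until the TEE restarts.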