Hello Nv Teams
I would like to know which bits need to be enabled for the secure boot of the agx orin devkit.
I’m a novice in this area and I need a more precise response from you. I’m a bit confused after reading the official technical documentation. Thank you for your support.
*** Please note that this reply is generated by LLM automatically ***
To enable secure boot on the Jetson AGX Orin DevKit, you need to understand the boot flow and the components involved. The Jetson AGX Orin Boot Flow consists of the following stages:
- BootROM: This is the first stage of the boot process, which is responsible for initializing the system and loading the next stage.
- PSCROM: This stage is responsible for loading the MB1 stage.
- MB1: This stage is responsible for loading the MB2 stage.
- MB2: This stage is responsible for loading the UEFI firmware.
- UEFI: This stage is responsible for loading the operating system.
To enable secure boot, you need to ensure that each stage is properly authenticated and verified before loading the next stage. Here are the specific bits that need to be enabled for secure boot on the Jetson AGX Orin DevKit:
- BootROM: The BootROM is responsible for initializing the system and loading the next stage. To enable secure boot, you need to ensure that the BootROM is properly authenticated and verified. This is done by setting the
SECURE_BOOT_ENABLEbit in the BootROM configuration register. - PSCROM: The PSCROM is responsible for loading the MB1 stage. To enable secure boot, you need to ensure that the PSCROM is properly authenticated and verified. This is done by setting the
SECURE_BOOT_ENABLEbit in the PSCROM configuration register. - MB1: The MB1 is responsible for loading the MB2 stage. To enable secure boot, you need to ensure that the MB1 is properly authenticated and verified. This is done by setting the
SECURE_BOOT_ENABLEbit in the MB1 configuration register. - MB2: The MB2 is responsible for loading the UEFI firmware. To enable secure boot, you need to ensure that the MB2 is properly authenticated and verified. This is done by setting the
SECURE_BOOT_ENABLEbit in the MB2 configuration register. - UEFI: The UEFI firmware is responsible for loading the operating system. To enable secure boot, you need to ensure that the UEFI firmware is properly authenticated and verified. This is done by setting the
SECURE_BOOT_ENABLEbit in the UEFI configuration register.
In addition to enabling the SECURE_BOOT_ENABLE bit, you also need to ensure that the following bits are set:
BOOT_MODE_SECURE: This bit enables secure boot mode.BOOT_MODE_U EFI_SECURE: This bit enables UEFI secure boot mode.BOOT_MODE_PSC_SECURE: This bit enables PSC secure boot mode.
It’s also important to note that the Jetson AGX Orin DevKit uses a combination of hardware and software components to implement secure boot. The hardware components include the BootROM, PSCROM, MB1, and MB2, while the software components include the UEFI firmware and the operating system.
In comparison to other Jetson modules, such as the Jetson Xavier NX and Jetson AGX Xavier, the Jetson AGX Orin DevKit has a similar secure boot architecture. However, the specific bits and configuration registers may differ.
To summarize, to enable secure boot on the Jetson AGX Orin DevKit, you need to:
- Set the
SECURE_BOOT_ENABLEbit in the BootROM, PSCROM, MB1, and MB2 configuration registers. - Set the
BOOT_MODE_SECURE,BOOT_MODE_U EFI_SECURE, andBOOT_MODE_PSC_SECUREbits. - Ensure that the UEFI firmware and operating system are properly authenticated and verified.
I hope this helps clarify the process for enabling secure boot on the Jetson AGX Orin DevKit. If you have any further questions or concerns, please don’t hesitate to ask.
*** Please give the thumbs up if you get answers you like. Or provide feedback to help us improve the answer. ***
Hello @yc13,
Were you able to enable secure boot for your AGX Orin ?
best,
Andrew
Embedded Software Engineer at ProventusNova
Thank you for the response
I still have some doubts about this document. I haven’t been able to open it yet. I’m a novice in this area and I would like to confirm which bits need to be enabled.
hello yc13,
you may run disk encryption without secure boot.
it’s the flash command to enable disk encryption,
$ sudo ROOTFS_ENC=1 ./flash.sh -i "./disk_enc.key" jetson-agx-orin-devkit internal
disk encryption key is within EKS image, EKB: Encrypted Key Blob.
you’ll need to re-create EKS image to include your user key, Tool for EKB Generation, disk encryption key is sym2_t234.key in the sample script.
BTW, see-also similar discussion thread, Topic 330638 for reference.
Thank you for your reply.
I will try your method. Could you please tell me specifically which bit to enable for safe booting and also the operation steps?
best wishes to you
hello yc13,
please refer to developer guide, Secure boot, and UEFI Secure Boot.
as mentioned, the root-of-trust that uses the NVIDIA SoCs fuses to authenticate boot codes ends at the Bootloader. After this, the current Bootloader (UEFI) will use UEFI’s Security Keys scheme to authenticate its payloads. it’s recommend that users enable fuse-based bootloader secure boot so that the root-of-trust can start from the BootROM.
please dig into Jetson Orin Fuse Specification to have detail of fuse variables.
Thank you for your reply.
I will wait until I finish the current tasks over the next couple of days before verifying it. I will be very grateful if you could provide guidance then.
Thank you.
hello yc13,
please check Burn Fuses with the Fuse Configuration file to enable secure boot.
please see-also Topic 357559 to enable disk encryption on fused Orin-NX.
Thank you very much for your reply.