Which files exactly need to be signed during the AGX Orin secure boot process?

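Hello,

We have completed initial secure boot testing following the secure boot documentation. The rough flow is as follows:

  1. Secure boot
    1.1. Generate the PKC key
    1.2. Generate the PublicKeyHash from the PKC
    1.3. Burn the fuse configuration
    1.4. Sign and flash in one step
  2. UEFI secure boot
    2.1. Generate the PK, KEK, and db keys
    2.2. Create uefi_keys.conf
    2.3. Use gen_uefi_default_keys_dts.sh to generate UefiDefaultSecurityKeys.dtbo and the Auth files
    2.4. Specify --uefi-keys uefi_keys.conf when flashing

In the flow above, specifying the PKC and uefi_keys.conf at flash time makes it easy to sign and flash in one step: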

./flash.sh -u pkc_rsa3k.pem --uefi-keys uefi_keys/uefi_keys.conf jetson-agx-orin-devkit mmcblk0p1

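However, because our development and production processes may involve:

  1. A split-up or customized "package -> flash" flow.
  2. A customized OTA flow.

We would like to understand the signing flow broken down into its individual steps, specifically:

  1. For secure boot (BootRom verifying UEFI), which files need to be signed? What is the signing method or command?
  2. For UEFI secure boot (UEFI verifying the OS), which files need to be signed? What is the signing method or command?

Thank you!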

hello jluysf,

FYI,
PKC for sign: if PKC is burned, then the KEYFILE users provide is for signing the images.
SBK for encryption: if SBK is burned, then the SBKFILE users provide is for encrypting the images.
KEKs for encryption keys: they are keys to encrypt your keys. KEK0, KEK1, KEK2 are 128-bit key files; KEK256 is a 256-bit key file. please use the commands, --KEK*, to determine which key encryption key you’re going to fuse.

for Orin series, it supports PKC with RSA-3K only, and 256-bit SBK only;
XML based is validated only for AGX Orin platform. odmfuse uses openssl + tegraopenssl.

you may see-also Topic 266387 for more details of fuse configuration.

Hi JerryChang,
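I have no questions about generating the PKC/SBK/KEK or burning the fuses. What I want to understand is what happens after the fuses are burned, while flash.sh is flashing: which files are signed with these keys, and how the signing is done.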

hello jluysf,

you may see-also the binaries under… $OUT/Linux_for_Tegra/bootloader/signed/
it’s tegrasign_v3 for processing, let’s take the mb1 binary as an example,
as you can see… it’ll write A_mb1 partition with the signed/encrypted binary file.

[ 198.1644 ] Writing partition A_mb1 with mb1_t234_prod_aligned_sigheader.bin.encrypt [ 280976 bytes ]
[ 198.1647 ] [................................................] 100%

furthermore, there’re also script files for your reference,
you may check l4t_sign_image.sh and also l4t_uefi_sign_image.sh for more details.
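
For a custom packaging or OTA flow, one way to get the per-partition file list is to parse the "Writing partition" lines of your own flash log, in the format quoted above. This is an added example, not part of the thread or of NVIDIA's tools; reading the `_sigheader` and `.encrypt` name markers as processing indicators is an assumption, and every sample line except the first is constructed.

```python
import re

# Line shape copied from the flash log quoted in the reply above.
WRITE_RE = re.compile(
    r"\[\s*[\d.]+\s*\]\s+Writing partition (\S+) with (\S+) \[\s*(\d+) bytes\s*\]"
)

# Constructed sample: the first two lines are the ones quoted in the thread; the
# last two use made-up partition and file names to exercise the other branches.
SAMPLE_LOG = """\
[ 198.1644 ] Writing partition A_mb1 with mb1_t234_prod_aligned_sigheader.bin.encrypt [ 280976 bytes ]
[ 198.1647 ] [................................................] 100%
[ 199.0001 ] Writing partition A_example with example_sigheader.bin [ 4096 bytes ]
[ 199.5002 ] Writing partition B_example with example_raw.bin [ 512 bytes ]
"""


def inventory(log_text):
    """Return one record per 'Writing partition' line, in log order."""
    records = []
    for line in log_text.splitlines():
        m = WRITE_RE.search(line)
        if not m:
            continue  # progress bars and unrelated tool output
        partition, filename, size = m.group(1), m.group(2), int(m.group(3))
        records.append({
            "partition": partition,
            "file": filename,
            "bytes": size,
            # Assumption: these name markers reflect how the file was processed.
            "sigheader": "_sigheader" in filename,
            "encrypt": filename.endswith(".encrypt"),
        })
    return records


def needs_review(records):
    """Partitions whose written file carries no signature-header marker."""
    return [r["partition"] for r in records if not r["sigheader"]]


if __name__ == "__main__":
    recs = inventory(SAMPLE_LOG)
    for r in recs:
        print(r)
    print("review:", needs_review(recs))
```

A partition listed by `needs_review` is not necessarily a problem; it is a prompt to check how that image is verified at boot before leaving it out of a custom signing step.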

Hi JerryChang,
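Thanks for the reply. I see that flash.sh uses l4t_sign_image.sh and l4t_uefi_sign_image.sh to sign the boot image and other files.
But my understanding is that this only covers the part of secure boot where UEFI verifies the OS. I would also like to understand the part where the BootRom verifies UEFI. Could you point out:
1. Where is the code that signs UEFI with the PKC?
2. Besides UEFI, are there other files signed with the PKC?

Thank you!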

hello jluysf,

instead of PKC, UEFI uses the PK, the KEK, and the db keys.
BTW, have you also referred to the steps in $OUT/Linux_for_Tegra/tools/README_uefi_secureboot.txt?
