Will apt upgrade affect secureboot?

Hi, everyone

I’m having a problem with apt-get upgrade affecting secureboot and making it impossible to boot. After troubleshooting, I found that updating nvidia-l4t-bootloader causes the problem; I want to confirm whether or not that is the case.

Other than that, I wonder whether apt-get upgrade updates to other packages might also cause the problem, and how to deal with it, since I can’t prevent the user from doing anything on the terminal. For now I use apt-mark hold nvidia-l4t-bootloader to solve the problem temporarily.

Thanks.
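One belt-and-braces check for the situation described above, as an added example that is not part of the original post: dry-run the upgrade with `apt-get -s upgrade`, parse the `Inst` lines it prints, and refuse to proceed if any package that rewrites the boot partitions would be touched. The sample dry-run output and the `PROTECTED` list are constructed for this example; only `nvidia-l4t-bootloader` is taken from the thread, and the version strings are placeholders.

```shell
#!/bin/sh
# Constructed sample of `apt-get -s upgrade` output (not captured from a real Jetson;
# version strings are placeholders).
SAMPLE_SIM='Reading package lists...
Building dependency tree...
Reading state information...
The following packages will be upgraded:
  libc6 nvidia-l4t-bootloader nvidia-l4t-kernel
3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst libc6 [1.0-1] (1.0-2 Ubuntu:18.04/bionic-updates [arm64])
Inst nvidia-l4t-bootloader [1.0-1] (1.0-2 NVIDIA:stable [arm64])
Inst nvidia-l4t-kernel [1.0-1] (1.0-2 NVIDIA:stable [arm64])
Conf libc6 (1.0-2 Ubuntu:18.04/bionic-updates [arm64])
Conf nvidia-l4t-bootloader (1.0-2 NVIDIA:stable [arm64])
Conf nvidia-l4t-kernel (1.0-2 NVIDIA:stable [arm64])'

# Packages whose postinst rewrites boot partitions on a fused (PKC+SBK) device.
# Assumed list for this example: only the package named in the thread; extend as needed.
PROTECTED='nvidia-l4t-bootloader'

# would_install SIMOUT: print, one per line and de-duplicated, the packages the
# dry-run would install or upgrade (the second field of each "Inst <pkg> ..." line).
would_install() {
  printf '%s\n' "$1" | awk '$1 == "Inst" { print $2 }' | sort -u
}

# blocked_upgrades SIMOUT PROTECTED: print the protected packages the dry-run would
# touch; exit 1 if there are any, 0 if the upgrade leaves them alone.
blocked_upgrades() {
  hits=$(printf '%s\n' "$1" | awk -v prot="$2" '
    BEGIN {
      n = split(prot, p, "\n")
      for (i = 1; i <= n; i++) if (p[i] != "") want[p[i]] = 1
    }
    $1 == "Inst" && ($2 in want) { print $2 }' | sort -u)
  [ -n "$hits" ] || return 0
  printf '%s\n' "$hits"
  return 1
}

# guarded_upgrade SIMOUT: decide from a dry-run whether the real upgrade is safe.
# On a device: guarded_upgrade "$(apt-get -s upgrade)" && apt-get upgrade
guarded_upgrade() {
  if blocked=$(blocked_upgrades "$1" "$PROTECTED"); then
    echo "no protected packages affected; safe to run: apt-get upgrade"
    return 0
  fi
  echo "refusing to upgrade; these would rewrite boot partitions:" >&2
  printf '  %s\n' $blocked >&2
  echo "hold them first: apt-mark hold $(printf '%s ' $blocked)" >&2
  return 1
}

# Stand-alone run against the constructed sample: prints the refusal and exits 1.
guarded_upgrade "$SAMPLE_SIM"
```

`apt-mark hold` remains the persistent fix; the guard exists because a hold is just a dpkg selection that anyone with root can clear with `apt-mark unhold`, so a pre-upgrade dry-run is the cheap way to notice that before the bootloader package's postinst runs.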

hello zjfsharp,

May I know which JetPack release you’re based on, and which version you’re moving to?
In addition, what Jetson security does your NX platform have enabled: PKC, PKC+SBK, or something else?
thanks

Hi, JerryChang

Both the NX and AGX platforms hit it.

secureboot: PKC+SBK with R32.5.1

Thanks

hello zjfsharp,

NVIDIA provides the basic functionality for updating the system through the OTA update process.
You must modify the process and create a complete and secure OTA solution,
for example by authenticating the OTA update server, encrypting/decrypting OTA payloads, etc.

Currently there are no detailed steps for it;
please expect the next public release (i.e. JetPack 4.6) to have more details to support this.
thanks

Thanks

By the way, when will JetPack-4.6 be released roughly?

Please refer to the Jetson Software Roadmap for 2H-2021 and 2022; it’s scheduled for July 2021.

Hi Jerry,

We have noticed the same issue with JetPack 4.5.1 that zjfsharp reports, and waiting for JetPack 4.6 is not an acceptable solution for us. Specifically, we would like to update to the latest version of the bootloaders to mitigate the security issues identified in https://nvidia.custhelp.com/app/answers/detail/a_id/5205. Is there any way to get the new bootloader images so we can add them to our JetPack installation, sign the images, and finally build an appropriate bl_update_payload file? Can Nvidia post these images somewhere? Alternatively, is there an offline tool for extracting the latest images from the bl_update_payload file included in the latest bootloader Debian package? It is very important for us to stay up to date with the latest security updates.

Thanks

hello 5121802,

Please refer to Topic 182123.

There are changes inside Trusty and also some non-public sources.
If you have cboot modifications and would like to integrate the patches, I suggest you start another new discussion thread to ask about that.
thanks

Hi Jerry,

I should have made it clearer: we are using the bootloaders and Trusty as released by Nvidia. In other words, we are not modifying either C-Boot or Trusty.

As for Topic 182123, we are not requesting Nvidia to back-port any changes. The security updates have already been made for JetPack 4.5.1 and are included in the latest bootloader Debian package. However, that package cannot be used by your customers who have enabled secure boot, who are probably the customers most interested in the security updates.

Thanks.

hello 5121802,

I see; it’ll need the binaries to generate the signed/encrypted images for the fused device.
However, that’s currently not supported (because you don’t have separate files/binaries for MB1, MB2, etc.).
Could you please start another new topic with your request? We’ll arrange resources to find out how to enable that.
thanks

Hi Jerry,

Thanks for looking into this. I’ve created a new topic at: Security bulletin support for Xavier NX with secure boot enabled

Thanks!
