Booting in SecureBoot environment

Hello,

My project is to encrypt the whole rootfs partition (/boot included). In this case the /boot partition needs to be elsewhere or not used (preferred). I can boot the kernel from another location, but my last step is to manage the INITRD /boot/initrd? Actually I am blocked here.

Question 1: If I remove the LINUX entry from extlinux.conf, will the kernel image be loaded from the kernel partition, because CBoot scans and reads the extlinux.conf file, and can I use Secure Boot? Am I right?

Question 2:
If I want to use Secure Boot, can I delete the extlinux.conf file from the /boot (rootfs) folder instead of just removing the LINUX entry from this file? That way extlinux.conf can't be read and booting from the special kernel / dtb partitions occurs? But the INITRD /boot/initrd will be missing? Do I have to keep /boot in /dev/mmcblk0p1 because CBoot uses the first partition to boot, so I need to move my rootfs elsewhere?
Question 3:
In the case of Secure Boot, booting from the special partition, how do I manage the initrd present in /boot? Do we need to keep initrd.img in /boot? And will it not be signed and encrypted? In fact, can I remove the entire /boot folder because it will not be used in SecureBoot due to loading from the special partitions? (In my case /boot will be encrypted by myself with dm-crypt, so /boot can't be used anymore.)

Question 4:
I read a lot of docs and I see that the kernel-dtb needs to be signed to be used with SecureBoot (and I see a sig file in the same folder), but I can't read anywhere that the kernel and dtb are also encrypted by the flash.sh script like you explained to me? Do you have references (docs etc.)? Other partitions, when encrypted, have an encrypted file extension. If it is encrypted on the fly by flash.sh, I can't see that in the script?

Thank you so much.
Julien.

hello JulienMoinard,

as you may know,
we have the latest NVIDIA JetPack SDK release; JetPack-4.5 is the latest production release, supporting all Jetson modules.
JetPack-4.5 included a new feature to enhance SecureBoot.
please check r32.5 developer guide, Signing and Encrypting Kernel, Kernel-DTB, and Initrd Binary Files.
there’s also Disk Encryption supported. it encrypts a whole disk or partition to protect the data it contains.
thanks

hello JulienMoinard,

regarding to your questions,

Q1 >
yes

Q2 >
you may delete the LINUX entry to make the kernel image load from the kernel partition.
however, you may check r32.5 developer guide, [To sign kernel, kernel-dtb, and initrd files].

Q3 >
you may move to JetPack-4.5, which includes a new feature to enhance SecureBoot.

Q4 >
that's signed and encrypted by the flash script within the flashing process.
you may also include the --no-flash option to generate those files locally.
furthermore, please combine it with the -k option to specify the partition you would like to perform this for.
for example, $ sudo ./flash.sh --no-flash -r -k kernel-dtb jetson-xavier-nx-devkit mmcblk0p1
this sample command will generate a signed and encrypted device tree blob locally on your host machine.

...
[   0.0261 ] Signed file: $OUT/Linux_for_Tegra/bootloader/tegra194-p3668-all-p3509-0000_sigheader.dtb.encrypt
*** tegra194-p3668-all-p3509-0000.dtb has been signed successfully. ***
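The Q2 answer above relies on removing the LINUX entry from extlinux.conf so that CBoot falls back to the kernel partition. The helper below is an added example, not code from the thread or from NVIDIA's tools: it strips only the LINUX line(s), keeps INITRD/FDT/APPEND and everything else, writes a .bak copy first, and reports how many lines it removed. The file path is an assumption passed in by the caller; the extlinux.conf content used at the end is constructed for illustration.

```shell
#!/bin/sh
# Added example: remove the LINUX entry from an extlinux.conf (assumed path
# given as $1) so CBoot loads the kernel from the kernel partition instead.
set -eu

# remove_linux_entry <extlinux.conf>
# Backs the file up to <file>.bak, deletes every line whose first token is
# LINUX (case-insensitive, any leading whitespace) and prints the count removed.
remove_linux_entry() {
    conf="$1"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    cp -p "$conf" "$conf.bak"
    before=$(wc -l < "$conf.bak")
    # grep -v exits 1 when no line survives, so keep set -e from aborting.
    grep -v -i -E '^[[:space:]]*LINUX[[:space:]]' "$conf.bak" > "$conf" || true
    after=$(wc -l < "$conf")
    echo $((before - after))
}

# has_linux_entry <extlinux.conf>: exit 0 if a LINUX line is still present.
has_linux_entry() {
    grep -q -i -E '^[[:space:]]*LINUX[[:space:]]' "$1"
}

# Constructed sample (not a real device's file) to show the helper in use.
make_sample_conf() {
    printf '%s\n' \
        'TIMEOUT 30' \
        'DEFAULT primary' \
        '' \
        'MENU TITLE L4T boot options' \
        '' \
        'LABEL primary' \
        '      MENU LABEL primary kernel' \
        '      LINUX /boot/Image' \
        '      INITRD /boot/initrd' \
        '      APPEND ${cbootargs} root=/dev/mmcblk0p1 rw rootwait' \
        > "$1"
}
```

Run it against a copy of the real file first and diff the result with the .bak before touching the device's /boot.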

Dear JerryChang,

Your answers are fantastic for my project and solved my problems.

Thank you so much for your help.

Best regards.
Julien.