I’d like to encrypt my machine learning model in the Jetson Nano so that other people cannot steal the model. I’ve read this thread, which concludes that making secure file encryption is impossible on Jetson Nano. I understood that TrustedZone in Xavier and TX2 is a good solution.
I’ve read NVIDIA Jetson Linux Developer Guide. In this document, Jetson has a user-programmable fuse
odm_reserved. If the secure boot feature prohibits booting from an unknown storage, the
odm_reserved fuse is only visible to the trusted user (is this correct?). This means that
odm_reserved can be used as a secure key storage, because it is only accessible to the trusted user who has booted from storage authenticated by the secure boot.
So I came up with a way to encrypt data in Jetson Nano using secure boot and
- Generate a key and encrypt the machine learning model (using LUKS encrypted partition, zip encryption, etc…)
- Burn that key to
- Prepare some program that reads a key from
odm_reservedand decrypt the model. Include it in the application to be executed on Jetson Nano
- Following the secure boot configuration steps, generate key pair, burn fuse, sign, and flash boot files.
I know that software isolation like TrustedZone, of course, can’t be achieved by this method, so a cracked application may have an access to the machine learning model. However, this method, based on secure boot and
odm_reserved, prevents stealing the model from SD card or eMMC on Jetson Nano, simply removing them from the Jetson board and connecting them to other computers.
Is my understanding of secure boot and
odm_reserved correct? Does this method work?