Disabling UART Serial and NVJTAG for security

We are attempting to disable both UART and NVJTAG.

We are trying to disable all UART connections. We already attempted to disable the GPIOs in the PinMux and we removed the console parameters from the kernel command line. The console is disabled once the kernel boots, but we are trying to disable it during cboot and uboot as well. I attempted to add CONFIG_SILENT_CONSOLE=y to the uboot config but the uboot output is still seen on the UART serial console. Is there a config we can make to disable this completely?

The other suggestion we have been given is to disable NVJTAG to close it as an attack surface. We know the ARM JTAG is disabled when we burn the fuses in production mode but the team doing tests were able to see traffic on the NVJTAG pads. We have seen in some documentation that there is a FUSE_OPT_NVJTAG_PROTECTION_ENABLE fuse but we are not sure where it is accessible to be set. Has anyone ever set this fuse? We are trying to avoid attackers being able to access the scan chain.

Hi jjsalzano,

Are you using the devkit or custom board for Jetson Nano?

What’s your purpose in disabling UART?
It would make it hard for you to do further debugging.
Maybe you could refer to Disable Console over UART.

We are using a custom board. This is disabling UART and NVJTAG on our production units that get shipped to customers; we keep it on on our dev and test units for debugging the solution. These are security requirements that we are following.

We have referred to that solution, and it works to disable UART in the kernel. But we need to disable it from the start; if we follow that guide, cboot and uboot are both still writing to the console. We need to disable all IO from the board other than our solution API.

Please try to configure ODMDATA=0x14000 to disable nvtboot and cboot logs.

And confirm that you have done the following:

  1. Remove ttyS0 from p3448-0000.conf.common:
- CMDLINE_ADD="console=ttyS0,115200n8 console=tty0 fbcon=map:0 net.ifnames=0";
+ CMDLINE_ADD="console=tty0 fbcon=map:0 net.ifnames=0";
  2. Remove console-port from kernel/dtb/tegra210-p3448-0002-p3449-0000-b00.dtb
serial@70006000 { /* UART-A : UART1: Debug */
                compatible = "nvidia,tegra210-uart", "nvidia,tegra114-hsuart", "nvidia,tegra20-uart";
-               console-port;
                ..
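As an added example (not from this thread or from NVIDIA's tooling), a small Python audit helper for the two edits above: it strips serial console= entries from CMDLINE_ADD, reports any serial console left on a booted unit's /proc/cmdline, and lists nodes that still carry console-port in a device tree decompiled with dtc -I dtb -O dts. The sample inputs are constructed, and it goes beyond the thread's single ttyS0 case by also matching ttyTHS and ttyAMA consoles.

```python
import re

# Constructed sample of the CMDLINE_ADD line from p3448-0000.conf.common (not a file dump).
SAMPLE_CONF = 'CMDLINE_ADD="console=ttyS0,115200n8 console=tty0 fbcon=map:0 net.ifnames=0";\n'
# Constructed sample of /proc/cmdline read on a booted unit.
SAMPLE_CMDLINE = "root=/dev/mmcblk0p1 rw rootwait console=ttyS0,115200n8 console=tty0 fbcon=map:0"
# Constructed excerpt of a decompiled device tree (dtc -I dtb -O dts) with the debug UART node.
SAMPLE_DTS = """/dts-v1/;
/ {
    serial@70006000 { /* UART-A : UART1: Debug */
        compatible = "nvidia,tegra210-uart", "nvidia,tegra114-hsuart", "nvidia,tegra20-uart";
        console-port;
    };
    serial@70006040 {
        status = "disabled";
    };
};
"""

# Serial console tokens: 8250-style ttyS*, Tegra HS UART ttyTHS*, PL011 ttyAMA*, optional baud suffix.
SERIAL_CONSOLE = re.compile(r"console=(ttyS\d+|ttyTHS\d+|ttyAMA\d+)(,\S*)?")

def strip_serial_consoles(conf_text: str) -> str:
    """Drop every serial console= token from CMDLINE_ADD lines; all other lines pass through."""
    out = []
    for line in conf_text.splitlines(keepends=True):
        m = re.match(r'(CMDLINE_ADD=")(.*)(".*)$', line.rstrip("\n"))
        if m:
            kept = [t for t in m.group(2).split() if not SERIAL_CONSOLE.fullmatch(t)]
            line = m.group(1) + " ".join(kept) + m.group(3) + ("\n" if line.endswith("\n") else "")
        out.append(line)
    return "".join(out)

def serial_consoles_in(cmdline: str) -> list[str]:
    """Serial console= tokens still present in a kernel command line (an empty list is the goal)."""
    return [t for t in cmdline.split() if SERIAL_CONSOLE.fullmatch(t)]

def console_port_nodes(dts_text: str) -> list[str]:
    """Node names in a decompiled .dts that still carry the console-port property."""
    stack, found = [], []
    for raw in dts_text.splitlines():
        line = re.sub(r"/\*.*?\*/", "", raw).split("//")[0].strip()  # strip comments
        if line.endswith("{"):
            stack.append(line[:-1].strip())  # enter a node
        elif line == "};" and stack:
            stack.pop()  # leave the node
        elif line == "console-port;" and stack:
            found.append(stack[-1])
    return found
```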

Thank you,
We will try this now.

What about disabling NVJTAG, where can we burn FUSE_OPT_NVJTAG_PROTECTION_ENABLE?

Could you help to provide where you see the information about NVJTAG and FUSE_OPT_NVJTAG_PROTECTION_ENABLE?
It seems a different topic from disabling UART serial.

Well, I created this topic for disabling any debug IO on production units for security. UART is one part, and NVJTAG is the other. ARM JTAG is disabled when we burn the secure boot and production fuses.

We have a security pen test team that was able to solder wires and use JLINK to communicate with NVJTAG but not ARM JTAG? They pointed us to this link to solve the issue, which is that both FUSE_ARM_JTAG_DIS and FUSE_OPT_NVJTAG_PROTECTION_ENABLE should be burnt.
https://switchbrew.org/wiki/Fuses#FUSE_OPT_NVJTAG_PROTECTION_ENABLE

To disable JTAG, you could refer to the following instruction through odmfuse.sh with -disable-jtag.
NVIDIA Jetson Linux Developer Guide : Security | NVIDIA Docs
