Disk encryption and secureboot questions

I’m trying to better understand the threat models of a few different options. Looking at Workflow 11 Example 4 in Linux_for_Tegra/tools/kernel_flash/README_initrd_flash.txt: “Generate an encrypted root filesystem configuration for the internal device, then generate an encrypted root filesystem for the external device”

When I do this I see “Warning: A test key is used”. Does this workflow provide any real protection for data at rest? Do I have to go down the SecureBoot route to truly achieve data-at-rest encryption?

Hi nbnv,

You can refer to the thread “UEFI Reports ‘Test Key Detected’ even when there are no test keys on the system” (Jetson & Embedded Systems / Jetson AGX Xavier, NVIDIA Developer Forums) for details.

Disk encryption is used to protect the root file system.
SecureBoot is used to protect the bootloader.

Thanks for the reply. I’m trying to figure out if I can avoid burning the fuses and enabling SecureBoot on my Orin AGX devkit. If I only go the disk-encryption (no SecureBoot) route and the device is lost, can a bad actor manipulate the bootloader to read the disk? Or would they still need the system username/password to log in?

hello nbnv,

Yes, you may enable Disk Encryption without SecureBoot.

As you can see from the Threat Model section,
the data cannot be exposed even if the disk is unmounted and attacked physically.
However, it cannot protect you if you leak the login ID and password.

Please see also the Details of Operation section.
Your encrypted data is located in the APP_ENC partition.
There is a key (the EKB disk encryption key), and it is the TA/CA that retrieves the passphrase for access.
AFAIK, it is not possible to manipulate the bootloader to read APP_ENC.
Even so, it is suggested to enable SecureBoot to establish a chain of trust for a production device, so that no malware could have executed before the OS loader took control.
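A practical way for the original poster to answer “does this workflow provide any real protection for data at rest?” is to verify, on the booted device, that the root filesystem is actually mounted through a dm-crypt mapping rather than a plain partition. The check below is an added example written for this thread; it is not NVIDIA’s code and not part of the Jetson flashing tools. It assumes only the standard Linux device-mapper conventions: cryptsetup gives its mappings a device-mapper UUID that begins with `CRYPT-`, readable from `/sys/block/dm-N/dm/uuid`, and the mapping name is in `/sys/block/dm-N/dm/name`. The sysfs and mounts paths are parameters so the function can be exercised against a constructed tree as well as the live system.

```shell
#!/bin/sh
# root_is_dmcrypt SYSFS_BLOCK MOUNTS_FILE
# Exit 0 if the filesystem mounted at "/" sits on a device-mapper target whose
# dm UUID starts with "CRYPT-" (the prefix cryptsetup assigns to dm-crypt maps),
# exit 1 if root is unencrypted or on a non-crypt dm target (e.g. plain LVM),
# exit 2 if the inputs cannot be interpreted.
# Normal invocation on a device: root_is_dmcrypt /sys/block /proc/mounts
root_is_dmcrypt() {
    sysfs_block="$1"
    mounts="$2"
    # First field of the line whose mount point (second field) is exactly "/".
    rootdev=$(awk '$2 == "/" { print $1; exit }' "$mounts")
    [ -n "$rootdev" ] || { echo "no root mount found in $mounts" >&2; return 2; }

    mapname=""
    dmdev=""
    case "$rootdev" in
        /dev/mapper/*) mapname="${rootdev#/dev/mapper/}" ;;   # resolve name -> dm-N below
        /dev/dm-*)     dmdev="${rootdev#/dev/}" ;;              # already a dm-N node
        *) echo "root is on $rootdev, not a device-mapper node: NOT encrypted" >&2; return 1 ;;
    esac

    if [ -n "$mapname" ]; then
        # Find the dm-N directory whose dm/name matches the /dev/mapper name.
        for d in "$sysfs_block"/dm-*; do
            [ -f "$d/dm/name" ] || continue
            if [ "$(cat "$d/dm/name")" = "$mapname" ]; then
                dmdev="${d##*/}"
                break
            fi
        done
        [ -n "$dmdev" ] || { echo "no dm device named $mapname under $sysfs_block" >&2; return 2; }
    fi

    uuid=$(cat "$sysfs_block/$dmdev/dm/uuid" 2>/dev/null)
    case "$uuid" in
        CRYPT-*) echo "root ($rootdev -> $dmdev) is a dm-crypt mapping: $uuid"; return 0 ;;
        *) echo "root ($rootdev -> $dmdev) is device-mapper but not dm-crypt (uuid='$uuid')" >&2; return 1 ;;
    esac
}

# Run the live check only when explicitly asked, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
    root_is_dmcrypt /sys/block /proc/mounts
fi
```

Run it as `sh check_rootcrypt.sh --check` on the flashed device (hypothetical filename). A result of 0 confirms the root filesystem is read through dm-crypt, which is what protects the data if the storage is pulled from the board; as the reply above notes, it says nothing about whether the bootloader itself was verified, which is the separate property SecureBoot adds.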
