DTB not checked by secure boot

Hello,

I'm doing some tests on secure boot on the Orin NX using JetPack 6.1. For the moment I only enable the UEFI part of secure boot and test that the system does not start if some elements are not signed.

I configured my system to boot in kernel mode and signed only the elements needed to boot in this mode. My issue is that when I do the test with the DTB not signed, the system still boots. I expected it to fail with an error on the DTB signature.

Is there something to enable for the DTB to be checked during boot?
Is there a fallback system I don't see that still allows the system to boot?

boot_log.txt (87.5 KB)
flash_log.txt (50.8 KB)

Best regards

hello AFR,

per your flashing logs, it looks like you did not fuse a target yet, right?
for instance,
it looks like you did not assign keys (such as the PKC key) on the flash command line:
/home/alexandre-froissard/test_install/tmp_dir/tools/kernel_flash/l4t_initrd_flash_internal.sh --network usb0 --usb-instance 1-12 --device-instance 0 --flash-only --network usb0 jetson-orin-d131 internal

Hello,

Yes, for now I didn't fuse; I'm doing some testing on the UEFI part first to make sure all my configuration on this point is good. In a second step I will fuse the board.

Does the fact that the fuses are not set yet cause the check of the DTB to be skipped?

Best regards

hello AFR,

please also refer to the developer guide, Check If UEFI Secure Boot Is Enabled.

BTW,
may I also know how you tested with the DTB not signed?
for instance,
please check its partition labels: $ ls -la /dev/disk/by-partlabel/
lrwxrwxrwx 1 root root 15 Nov 21 2023 A_kernel-dtb -> ../../mmcblk0p3
and please use dd to write the A_kernel-dtb partition, which is located at mmcblk0p3:
$ sudo dd if=tegra234-xxx.dtb of=/dev/mmcblk0p3 bs=64k
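As an added example (not from this thread and not part of NVIDIA's flashing tools), here is a small POSIX shell script around the dd step above. It resolves the slot from the A_kernel-dtb label instead of assuming mmcblk0p3, and refuses to write a file that does not start with the flattened-device-tree magic 0xd00dfeed or whose totalsize header field is larger than the file, so a truncated or wrong test image is not mistaken for a signature rejection. The function names (write_kernel_dtb, fdt_header_check, make_sample_fdt) are my own, and the sample DTB is a constructed 40-byte header, not a real device tree.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a kernel DTB before it is
# written to the A_kernel-dtb slot with dd, and resolve that slot from its
# partition label instead of hard-coding mmcblk0p3.

# Print the block device behind a partition label, e.g. A_kernel-dtb.
dtb_partition_device() {
    readlink -f "/dev/disk/by-partlabel/$1"
}

# Return 0 if FILE starts with the FDT magic 0xd00dfeed and the totalsize
# field (big-endian u32 at offset 4) does not exceed the file size.
fdt_header_check() {
    file=$1
    [ -r "$file" ] || { echo "unreadable: $file" >&2; return 1; }
    magic=$(od -An -tx1 -N4 "$file" | tr -d ' \n')
    [ "$magic" = "d00dfeed" ] || { echo "not an FDT image (magic $magic)" >&2; return 1; }
    size_hex=$(od -An -tx1 -j4 -N4 "$file" | tr -d ' \n')
    [ ${#size_hex} -eq 8 ] || { echo "short FDT header in $file" >&2; return 1; }
    declared=$(( 0x$size_hex ))
    actual=$(wc -c < "$file" | tr -d ' ')
    [ "$declared" -le "$actual" ] || {
        echo "truncated: header says $declared bytes, file has $actual" >&2; return 1; }
    return 0
}

# Constructed stand-in for a DTB: valid magic, totalsize 0x28 (40), zero body.
make_sample_fdt() {
    printf '\320\015\376\355\000\000\000\050' > "$1"
    dd if=/dev/zero bs=1 count=32 2>/dev/null >> "$1"
}

# Write DTB to DEV only when the header check passes; DEV defaults to the
# device behind the A_kernel-dtb label.
write_kernel_dtb() {
    dtb=$1
    dev=${2:-$(dtb_partition_device A_kernel-dtb)}
    fdt_header_check "$dtb" || return 1
    echo "writing $dtb to $dev"
    sudo dd if="$dtb" of="$dev" bs=64k
}

# Offline demonstration on the constructed sample.
demo() {
    tmp=$(mktemp)
    make_sample_fdt "$tmp"
    if fdt_header_check "$tmp"; then echo "sample FDT header OK"; fi
    rm -f "$tmp"
}
demo
```

On the board, `write_kernel_dtb /path/to/tegra234-xxx.dtb` performs the same dd as above after the check; passing a second argument overrides the device if the label is not present.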

Hello JerryChang,

Yes, secure boot is enabled:

efivar -n 8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot
GUID: 8be4df61-93ca-11d2-aa0d-00e098032b8c
Name: "SecureBoot"
Attributes:
Boot Service Access
Runtime Service Access
Value:
00000000 01 |. |

I signed the elements using the following script:
sign_files.sh.txt (5.0 KB)

This script signs and replaces the elements to be flashed.
Then I used the flashing script l4t_initrd_flash.sh to load the image on the board.

FYI, I did the test with the EFI image and the boot.img not signed, and the boot failed as expected.

If you think it could be pertinent, I can do a test updating the DTB after flashing and see if it changes anything.

Best regards
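To make the check above reusable, here is an added example (not part of the thread or of the developer guide): a POSIX shell script that decodes the Value dump from efivar output like the one pasted, reads the same byte straight from efivarfs when run on the board, and also looks at SetupMode, because a platform that reports SetupMode=1 is still in setup mode (no platform key enrolled) and should not be treated as enforcing even if SecureBoot reads 1. The function names and the --live flag are my own; the embedded sample is a constructed copy of the output format shown above.

```shell
#!/bin/sh
# Added example (not part of the thread): decode the UEFI SecureBoot variable
# from saved `efivar -n <guid>-SecureBoot` output or directly from efivarfs,
# and check SetupMode as well.

EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# Read efivar text on stdin and print the hex bytes of its "Value:" dump,
# e.g. the line "00000000 01 |. |" yields "01".
efivar_value_hex() {
    awk '/^Value:/ { inval = 1; next }
         inval { for (i = 2; i <= NF; i++) { if ($i ~ /^\|/) break; printf "%s", $i } }
         END { printf "\n" }'
}

# Print the first data byte of an EFI global variable from efivarfs.
# efivarfs prefixes the data with a 4-byte attribute word, hence -j4.
efivarfs_byte() {
    od -An -tx1 -j4 -N1 "/sys/firmware/efi/efivars/$1-$EFI_GLOBAL_GUID" | tr -d ' \n'
}

# Map a one-byte hex string to a readable state; exit status 0 only for "01".
bool_var_state() {
    case "$1" in
        01) echo enabled;  return 0 ;;
        00) echo disabled; return 1 ;;
        *)  echo "unknown ($1)"; return 2 ;;
    esac
}

# Live check on the board: enforcing only if SecureBoot=1 and SetupMode=0.
secureboot_effective() {
    sb=$(efivarfs_byte SecureBoot)
    sm=$(efivarfs_byte SetupMode)
    echo "SecureBoot=$(bool_var_state "$sb"), SetupMode=$(bool_var_state "$sm")"
    [ "$sb" = "01" ] && [ "$sm" = "00" ]
}

# Constructed sample in the same format as the efivar output pasted above.
SAMPLE_EFIVAR='Name: "SecureBoot"
Attributes:
Boot Service Access
Runtime Service Access
Value:
00000000 01 |. |'

demo() {
    hex=$(printf '%s\n' "$SAMPLE_EFIVAR" | efivar_value_hex)
    echo "sample SecureBoot value 0x$hex: $(bool_var_state "$hex")"
}

# `sh this.sh --live` queries efivarfs (usually needs root); otherwise decode the sample.
if [ "${1:-}" = "--live" ]; then secureboot_effective; else demo; fi
```

Saved efivar output from a board can be piped through `efivar_value_hex` the same way the demo does, which is handy when the check is collected by a CI job rather than typed on the console.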

hello AFR,

The DTB can come from a partition (A_kernel-dtb) or from the root file system (FDT entry).
The flash script handles signing/encryption by default when writing the binary files to partitions.

anyway, may I know what the real use case is?

Hello JerryChang,

The real use case is to have full secure boot enabled on the system, with the elements signed by a private service during the build of the OS.

The OS is configured via a chroot, then the different images are generated using l4t_initrd_flash.sh with the no_flash option; after that the elements are signed using the private signing service, and finally the signed binaries are flashed to the device.

All the steps except the flash will be done in a CI/CD pipeline.

In the case I tested with the DTB not signed, neither A_kernel-dtb nor the FDT contained a signed version of the files.
From the documentation, if the system is booted in kernel mode, A_kernel-dtb should be used. I chose to configure the system in kernel boot mode because I saw it's the last mode before switching to recovery in case of error.

Best regards

hello AFR,

to be honest, I did not test with only UEFI secure boot.
I've tested the root of trust starting from the BootROM (i.e. bootloader secure boot enabled).

please refer to this diagram of the Selection Order.
just double-check at which stage the unsigned DTB file was loaded.

Hello JerryChang,

From the diagram you shared, there is a DTB EFI; how can I check whether this one is used? Does that mean that if the DTB from the partition is invalid it will switch to the EFI one?
Does DTB EFI mean a DTB that is embedded in the EFI image?

Best regards

hello AFR,

you may check the debug logs..
please see also Build without docker · NVIDIA/edk2-nvidia Wiki · GitHub for the instructions to build a debug UEFI binary.

Hello JerryChang,

Indeed, I finally saw a log on the debug console about the DTB:
"DTB signature invalid"
It is something that is saved neither in dmesg nor in the journal, as it is printed before Linux boots.

My guess for now is that the EFI DTB is an element signed by the PKC key, so as long as I don't enable full secure boot I cannot test further.

Thank you for your help

hello AFR,

it's a bootloader log, which is output to the serial console;
since such logs are printed to StdErr, you should see them via the UART logs.