For secured boot how to sign the files externally and update on System

sagarkoli159 · March 25, 2025, 11:26am

Hi,

Below are the list to check on the jetson agx xavier secure boot System.

Components That Can Still Be Updated After Fuses Are Burned

Linux Kernel (Image or zImage)
Can be updated as long as the new kernel is signed with the same OEM private key.
Kernel modules (.ko) can also be updated if they are signed (if kernel module verification is enabled).
Root Filesystem (rootfs)
Can be updated freely if not encrypted.
If dm-verity or full disk encryption (FDE) is enabled, updates must follow their integrity policies.
Device Tree (dtb)
Can be updated if signed with the same OEM key.
Kernel Command Line Parameters (bootargs)
Can be updated if the bootloader allows modifying them.
If “secure boot with rollback protection” is enabled, updates must be signed.
Userspace Applications (/usr/bin, /lib, etc.)
Can be updated like any Linux system.

Components That Cannot Be Updated After Fuses Are Burned

Bootloader (MB1, MB2, cboot, UEFI)
Cannot be modified unless a signed update is provided .
If rollback protection is enabled, the bootloader will reject updates with an older version number.
Secure Boot Key Hash (OEM Public Key)
Permanent once burned (prevents key replacement).
SBK Key (if using encrypted boot)
Irreversible and locks down encrypted boot process.
Rollback Counter (if enabled)
Enforced at boot time to prevent downgrades to vulnerable firmware.

’
How can we verify this on secure boot agx xavier system?

Please provide the related document and detailed information on this.

Thanks!

JerryChang · March 26, 2025, 6:25am

hello sagarkoli159,

FYI, partition update has disabled once you enable Jetson security boot.
in other words, you have to full-flash a target (of course, given your keys to flash command-line) for updating image/binary.
besides, please see-also similar topics, such as Topic 289466 and Topic 266387 to verify secure boot.

system · April 23, 2025, 3:01am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Unable to boot jetson agx xavier devkit after flashing the JP4.6.1 with PKC and SBK secured keys Jetson AGX Xavier boot , kernel	8	43	February 20, 2025
Security bulletin support for Xavier NX with secure boot enabled Jetson Xavier NX security , nvbugs	5	1250	September 19, 2021
Xavier doesn’t boot after Secure Boot flash (JetPack 5.1.2 / L4T R35.4.1) Jetson AGX Xavier security	8	49	July 1, 2025
Jetson Orin AGX UEFI secureboot payload manual signature Jetson AGX Orin security	12	391	June 4, 2024
Jetson AGX Orin, updating image while secureboot active not working [36.3/ devkit] Jetson AGX Orin security	12	476	July 17, 2024
Secureboot enabled with encrypted rootfs Jetson AGX Xavier security	25	140	March 26, 2025
What changes if I specify the optional PKC Key and SBK Key when generating the OTA update payload package? Jetson AGX Xavier security , ota , setup	23	1784	April 27, 2022
Secure Boot Jetson AGX Orin security	7	787	February 21, 2024
Xavier doesn't boot after Secure Boot (PKC + SBK + KEK2) flash (JetPack 5.1.5 / L4T R35.6.1) Jetson AGX Xavier security	15	113	April 23, 2025
Secure boot for agx-xavier flash error Jetson AGX Xavier reflash , security	2	43	October 22, 2024

For secured boot how to sign the files externally and update on System

Related topics