Further documentation about Secure Boot

I read through the Secure Boot section of the Developer Guide. This section mainly describes how to set up and enable Secure Boot.
Is there any further documentation about how exactly Secure Boot works/is implemented on the Jetson Orin?
For example I’d like to understand which parts of the Boot Chain are signed by which keys? (Nvidia keys or OEM keys)
The Boot Architecture section of the Developer Guide does give some hints about that, but is also not really clear.

hello jonathan.schnitzler,

PKC for sign:
if PKC is burned, then the KEYFILE users provide is for signing the images.

SBK for encryption:
if SBK is burned, then the SBKFILE users provide is for encrypting the images.

KEKs for encryption keys:
they are keys to encrypt your keys. KEK0, KEK1, KEK2 are 128-bit key files; KEK256 is 256-bit key file. please use the commands, --KEK* to determine which key encryption key you’re going to fused.

Hi JerryChang,

thank you for your answer.
I would be glad if you could answer me some more questions:

  1. Can you tell me which images are signed with the PKC key?

  2. Assuming we have a device with active secure boot and one of its images (e.g. one of the BCTs) is unsigned or signed with a wrong key. What would happen if I would try to boot this device?

  3. Is it possible to test the deployment of Secure Boot without the risk of rendering a system unbootable? (I worked with some other embedded CPUs where you first enter a “Test Mode”. In this mode signatures are verified but a failure does not prevent booting. Instead it just prints an error message.)

  4. Are any signing private keys required to flash an image with secure boot? (Assuming everything is already properly signed.)

hello jonathan.schnitzler,

you may see-also this advance Training video about Jetson security.
furthermore, please see-also similar discussion threads for reference, such as Topic 1066937, Topic 157952, or Topic 166401.

Hello JerryChang,

thank you for the references.
The video is about TK1, TX1 & TX2. Is the video still valid for Orin?
According to the video SBK & KEK are unique-per-device. Is this also the case for Orin? Why is this not stated somewhere in the Jetson Linux Developer Guide?

The resources referenced by you contain some new information but do not really answer my questions.

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.