How to implement Secure ERASE on Jetson AGX Xavier Industrial

Hi All,

We want to implement the SECURE ERASE feature in our Jetson AGX Xavier Industrial module, which has internal eMMC memory of 64 GB where we are doing the OS flashing.

Please provide me the
1) Exact and correct steps to be followed to implement this.
2) How to test if the secure erase has been performed successfully.
3) How to reflash it back successfully again after secure erase is demonstrated successfully.

Thanks. As I am a bit new to this topic, though I understand the basics, kindly bear with any of my primitive questions.

Can someone please provide your guidance on this.
I have Jetpack 5.1.2 installed on my Jetson AGX Xavier device.

I referred to the link below:
https://docs.nvidia.com/jetson/archives/r35.4.1/DeveloperGuide/text/SD/Security.html

I see this statement

  • Disk Encryption describes the Jetson Linux implementation of Linux Unified Key Setup (LUKS), the Linux standard for disk encryption. This release does not support this feature.

which states Disk Encryption is not supported for this release L4T 35.4.1.
How to implement Secure Erase? Is disk encryption the same as Secure Erase?

@JerryChang could you please reply to this query about secure erase.

Can we use dd or shred command to write random 0/1 values and erase the eMMC?

Will we be able to reflash it again after this secure erase?

Please throw some more light about secure erase on Jetson AGX Xavier Industrial

hello nagesh_accord,

may I also know what’s the status of your Jetson AGX Xavier Industrial module?
does it have SecureBoot enabled? what other fuse variables have been programmed on this module?

furthermore,
is it possible to put the device into forced-recovery and run the flash script to re-flash the target?
if yes, the initial process of the flash script will erase the internal storage.

It is not secure boot enabled. We haven't fused any variable to this module.
It is just the normal flash we have done and released our product. Currently our customer wants the Secure Erase feature for this unit.

Of course this happens. We can put the device into recovery mode either through the command and can do reflash successfully:

sudo reboot --force forced-recovery

or by shorting some pin using a jumper cable.

Yes. Even I have observed some messages saying "Erasing… " being printed on the terminal during the flashing process.

So let me know, how to implement secure erase and demonstrate that to our customer?

I have the below queries, please let me know your thoughts on this:

  1. If we do a complete secure erase on the eMMC (64 GB) where I am flashing my “/” (RFS) using the “dd” or “shred” command (used for writing random 1s or 0s), won't the unit shut down at the end of the “dd” command, as my complete kernel image will be wiped off?
    Can we force the unit to recovery mode after this secure erase and flash it again?

  2. Can we not demonstrate the secure erase on the external M2 NVM drive, so that we are safe with our eMMC and the unit is stable and will be running all the time? Isn’t this a better idea than wiping off the entire internal eMMC?

  3. How to prove that secure erase was successful and we cannot recover any data from the erased NVM drive again?
    Is there any recovery tool specific to Nvidia Jetson that we should use for data recovery?

  4. Is the Jetson security documentation at the link provided different from the “Secure Erase” concept?

  5. Is the erase that happens during flashing a normal erase or a secure erase?

  6. Also, let me know the commands that flash.sh uses for it, if you have the details handy. I would also check the contents inside flash.sh to see the commands used for erasing.

Thanks in advance. These answers would help me understand things much better.

hello nagesh_accord,

please see-also Topic 264030 to erase the APP partition.

what did you mean by secure erase? did you mean erase the content during attack?
if yes, that’s not supported.
please refer to The Threat Model, the purpose of disk encryption is to prevent an attack from stealing or tampering with data on the disk.

Ok. Thanks for the info.
That link says we can erase only one partition at a time.

  1. My understanding was that the APP partition is the same as the RFS “/” partition. Is my understanding correct?
  2. It says we cannot erase all the partitions. What can be done if we want to erase the complete eMMC (64 GB), all partitions?
  3. Also this erase performed by flashing script, how different is this from normal “rm” delete command?
    I think this is not called secure erase. Is there any method to recover the data by any means, after this erase. Please confirm.

Yes, with the current clarity we have from our customer, it means erasing the content during attack.
You mean this type of secure erase is not supported on any of the Jetson devices?

You mean, we have to implement this Disk encryption to safeguard from stealing or tampering, as secure erase is not supported by the Jetson device?

In case YES, I see this line saying “Disk encryption” is not supported on this release L4T 35.4.1 as per the below link on Jetpack 5.1.2. Any other alternative for this?

Disk Encryption describes the Jetson Linux implementation of Linux Unified Key Setup (LUKS), the Linux standard for disk encryption. This release does not support this feature.

I have a few more queries:

  1. Is there any hardware built-in support with internal eMMC memory for secure erase? Where we can have an external button option from eMMC memory which can be pressed to trigger the erase operation, if not a secure erase function on the entire disk?

  2. There are other sections like secure storage, secure boot and OP-TEE. Are these in no way related to secure erase?

hello nagesh_accord,

let me have some clarifications,

(1) it’s the APP partition for the RootFS (RootFileSystem), for example, in the internal eMMC storage use-case, it’s /dev/mmcblk0p1 mounted on “/”.

(2) there’re other partitions. you may see-also $ ls -al /dev/disk/by-partlabel/
but… user data is usually contained in the RootFS.

(3) >> Also this erase performed by flashing script, how different is this from normal “rm” delete command?
you don’t need to boot the device into linux to perform that with the flashing script.

(4) as mentioned, the disk encryption function creates an additional APP_ENC partition, which means this is an encrypted partition. secure erase is another thing, secure erase is not supported on any of the Jetson devices.

(5) JetPack 5.1.3 is the latest JP-5 release which supports disk encryption.
we’ve also tested and verified it worked as expected, see-also Topic 284400.

>>Q1
you may see-also Two Ways to Make Kingston SSD Secure Erase.

>>Q2
no, they are not related to secure erase.

Thanks for the information.

OK. When I opened the flash.sh script and checked for the “erase” keyword, I found an entry for it.
Can I execute this “erase” command directly on the terminal instead of calling it via the flash.sh script as per the link provided by you, as shown below:

sudo ./flash.sh --no-flash --sign --no-systemimg mmcblk0p1

OK. This means we can tell the customer that Secure Erase is not supported on Jetson devices for any kind of memories like eMMC, NVM etc.
Disk Encryption is a different security concept and cannot be a substitute for Secure Erase. We can just do a plain Erase using “Erase” command provided inside the flash.sh script. Please confirm.

Ok. This means, on JP 5.1.2 Disk Encryption does not work?
But I see in that thread they are saying disk encryption worked fine on 5.1.2 as shown below:

We used the exact same commands that we used with 5.1.2 previously, and they worked without problems. All the key generations are done as in the documentation, and when flashing 5.1.2, the device booted properly.

Currently we have already loaded Jetpack 5.1.2 on all our production units and we are not in a position now to download this JP 5.1.3 and update the code/device tree files/etc again.
However, since Secure erase is not supported, we are not sure if our customer will agree to a disk encryption implementation as a substitute for secure erase.

OK. Will read this for information's sake. Since we have already released the production units of Jetson AGX Xavier Industrial, which has internal eMMC memory that does not support hardware secure erase, we may not be able to replace that inbuilt memory inside the SOM module now.

ok

@JerryChang

We came to know now from our hardware team that the NVM SSD drive has an inbuilt Secure Erase feature supported. At least we can now provide secure erase support to our customer for the 2 TB external NVM SSD drive.

It's just that we need to execute the command with the corresponding operational command to securely erase the NVM drive, which is as shown below as per the user manual/data sheet of the NVM drive from the vendor:

My question is:

  1. How can we enable this from my Jetson Linux user space?
  2. Suppose this is triggered with a GPIO pin changing its state from low to high or vice versa,
    it would be helpful if you provide a shell script sample for reading the gpio pin state and executing this “80h - Format NVM” command, in script format, when the gpio pin state is HIGH.

Even any sample python program also is fine.

  3. How to make sure this script executes in a continuous loop checking for gpio state change and triggers the secure erase command?

Please provide your inputs on this. thanks.

hello nagesh_accord,

you should check which GPIO pin is connected, and, you may check via system nodes (/sys/class/gpio/).
please also refer to developer guide, [Identifying the GPIO Number]. please follow the GPIO debugfs for looking up the port and offset.
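
The GPIO-triggered erase asked about above, sketched as an added example that is not from the thread or from NVIDIA: it polls the `/sys/class/gpio/` value node and, after several consecutive HIGH reads, issues Format NVM (80h) through nvme-cli's `nvme format --ses=1`. The GPIO number (a placeholder), the `/dev/nvme0n1` device name, the debounce count and all function names are assumptions; the pin is assumed to be already exported as an input and nvme-cli installed.

```shell
#!/bin/sh
# Added example: poll a sysfs GPIO and issue NVMe Format NVM (opcode 80h) with
# secure erase when the pin reads HIGH. All values below are assumptions.
GPIO_NUM="${GPIO_NUM:-PLACEHOLDER}"    # look up the real number per the developer guide
GPIO_VALUE="${GPIO_VALUE:-/sys/class/gpio/gpio${GPIO_NUM}/value}"  # pin exported, direction "in"
NVME_DEV="${NVME_DEV:-/dev/nvme0n1}"   # assumed namespace of the external SSD
DEBOUNCE="${DEBOUNCE:-3}"              # consecutive HIGH reads required before erasing
POLL_SEC="${POLL_SEC:-1}"              # seconds between reads
DRY_RUN="${DRY_RUN:-1}"                # 1 = print the command instead of running it

# Print 1 only for a clean HIGH read; an unreadable node counts as LOW.
read_gpio() {
    v=$(cat "$1" 2>/dev/null) || v=0
    if [ "$v" = "1" ]; then echo 1; else echo 0; fi
}

# True when device $1 backs the filesystem source $2 (e.g. /dev/mmcblk0p1).
holds_rootfs() {
    case "$2" in "$1"*) return 0 ;; *) return 1 ;; esac
}

# Return 0 after DEBOUNCE consecutive HIGH reads; $2 caps the polls (0 = no cap).
wait_for_high() {
    highs=0; polls=0
    while :; do
        if [ "$(read_gpio "$1")" = "1" ]; then highs=$((highs + 1)); else highs=0; fi
        [ "$highs" -ge "$DEBOUNCE" ] && return 0
        polls=$((polls + 1))
        if [ "$2" -gt 0 ] && [ "$polls" -ge "$2" ]; then return 1; fi
        sleep "$POLL_SEC"
    done
}

# Refuse to touch the disk holding "/", then run (or print) the format command.
secure_erase() {
    rootsrc="${ROOT_SRC:-$(awk '$2 == "/" { print $1; exit }' /proc/mounts)}"
    if holds_rootfs "$1" "$rootsrc"; then
        echo "refusing: $1 backs the running root filesystem" >&2
        return 2
    fi
    if [ "$DRY_RUN" = "1" ]; then
        echo "nvme format $1 --ses=1"
    else
        nvme format "$1" --ses=1       # nvme-cli; SES=1 requests a user data erase
    fi
}

# "watch" runs the loop until the pin is HIGH, then erases once and exits.
if [ "${1:-}" = "watch" ]; then
    wait_for_high "$GPIO_VALUE" 0 && secure_erase "$NVME_DEV"
fi
```

Run it as `./script.sh watch`; it only prints the command until `DRY_RUN=0` is set. Unmount the SSD's filesystems first, since the namespace holds no partition table or filesystem after the format.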