How to set the first-level secure boot verification key (BootROM verification MB1)

Hi, we want to check the secure boot to make sure it complies with company safety requirements.
So there are some details that need to be worked out.
How to set the first-level secure boot verification key (BootROM verification MB1)? And where is the key stored?

hello Username1,

there’s a hardware crypto security engine key slot for storing keys.
you may also refer to Topic 107742 for some Q&As about security boot.
thanks

hello JerryChang,

from the link https://forums.developer.nvidia.com/t/question-about-security-boot/107742, I see that you said
"there’s hardware crypto security engine key slot for storing SBK, KEK, SSK…etc."
1. For the first question:
How to set the first-level secure boot verification key (BootROM verification MB1)? I did not find the answer.
2. For the second question:
If the key is stored in a keyslot, how do we flash it? Is the key slot a partition?

hello Username1,

may I have more details about what you mean by “first-level secure boot verification key”?
you may also check Signing and Flashing Boot Files for the procedures to sign and flash boot files.
thanks

Hello JerryChang

from Tegra Linux Driver

I found the description “MB1 is signed and encrypted by an NVIDIA owned key.”
"first-level secure boot verification key" means the key for BootROM verification of MB1.
And we want to set the key ourselves. Is there any way?

hello Username1,

BootROM establishes root keys upon release of reset; it copies the BCT and public key into SysRAM;
it validates the SHA256 hash value inside the fuse against the RSA2048 public key modulus (i.e. PK vs. PKH).
after that, BootROM authenticates and jumps to MB1; it’ll copy MB1 into SysRAM and authenticate the MB1 signature with the public key.
please also refer to the documentation, Generating the RSA Key Pair, to generate a key-pair.
thanks
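
The check order described in the last reply (PK vs. PKH first, then the MB1 signature), modelled as an added example that is not part of the thread and not NVIDIA code. The modulus byte order, the padding in `encode`, and all names and sample values are assumptions made for illustration; the key is a constructed demo key, not RSA-2048.

```python
import hashlib
import hmac

# Constructed demo key built from two Mersenne primes. It is NOT a real
# RSA-2048 key and must never be used outside this illustration.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, signer side only


def key_len(n):
    return (n.bit_length() + 7) // 8


def pkh(n):
    """SHA-256 over the big-endian modulus (assumed layout): the fused value."""
    return hashlib.sha256(n.to_bytes(key_len(n), "big")).digest()


def encode(image, n):
    """Assumed, simplified fixed padding around SHA-256(image)."""
    digest = hashlib.sha256(image).digest()
    pad = b"\xff" * (key_len(n) - 3 - len(digest))
    return int.from_bytes(b"\x00\x01" + pad + b"\x00" + digest, "big")


def sign(image):
    """Signer side (build host): uses the private exponent."""
    return pow(encode(image, N), D, N)


def bootrom_verify(fused_pkh, bct_modulus, image, signature):
    """Boot side: only the fused hash is trusted at reset."""
    # Step 1: PK vs. PKH. The key shipped with the BCT must hash to the fuse.
    if not hmac.compare_digest(pkh(bct_modulus), fused_pkh):
        return "reject: public key does not match fused hash"
    # Step 2: authenticate the MB1 image with the now-trusted public key.
    if pow(signature, E, bct_modulus) != encode(image, bct_modulus):
        return "reject: MB1 signature invalid"
    return "ok: jump to MB1"


FUSED_PKH = pkh(N)                      # burned once at provisioning
MB1 = b"constructed MB1 image bytes"    # constructed sample input
SIG = sign(MB1)
OTHER_N = (2**521 - 1) * (2**1279 - 1)  # constructed substitute key
```

The fuse holds only a 32-byte hash, so the public key itself can travel with the BCT in unprotected storage; a substituted key fails at step 1 and a modified image fails at step 2.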