How to verify UEFI Variable Protection is enabled

I am using an Orin AGX and JP36.3.

This section of the JP36.3 doc says to save the UEFI variable signing key in user_authentication.key.

It then goes on to use the following command to enable variable protection:
$ sudo ./flash.sh -u <pkc_keyfile> [-v <sbk_keyfile>] --uefi-keys uefi_keys/uefi_keys.conf mmcblk0p1

user_authentication.key is not used in this command… How does variable protection get enabled exactly? Does it extract it from the EKB image somehow, or is something missing from the command above?

How can I verify that UEFI variable protection has been enabled?

Hi jeanphilippe.arnaud,

user_authentication.key is User Key: A user-defined UEFI variable authentication key that is stored in EKB.

Please refer to <sym_key_file> in Tool for EKB Generation for details.

Thanks Kevin, my question was more to understand how the user_authentication.key is used to encrypt UEFI variables. But I have been able to verify that I get an error if I remove that key from the EKB and trigger a capsule update, so I know the variables have been encrypted somehow.

Are you asking about the mechanism of UEFI secureboot?

It seems you’ve verified it working.

Hi KevinFFF,
I do have UEFI Secureboot working. I wanted to verify that UEFI variables were indeed signed, having added the key to the EKB. I have done so by removing the key and seeing that it fails to authenticate. I presume it is the L4T launcher that signs and authenticates them?

Yes, please share the full serial console log to check.
