Is it possible to use Secure World without secure boot?

kyuhaa.hwang · October 22, 2021, 3:09am

Hi, I use a NVIDIA Jetson AGX Xavier developer board.
I got some question about security world on the board.

Q1. Is it possible to enable “Secure World” without secure boot?
Q2. If ‘Q1’ is impossible, is there any way to use security hardware in normal world?
Q3. Could I know where the secure things are? (like, Trusted Applications, codes and etc…)

I tried to find out that on the board but I failed.

The reason why I ask these question is…
The things I’m developing is for a security test, not mass production.
So, I wanted to know if there’s a way to use security hardwares without secure boot or TOS.

TomNVIDIA · October 22, 2021, 2:31pm

Hi,

This category is for DOCA security conversations. This topic will be better served if it was posted in the Jetson AGX Xavier forum, I will move it over for you.

Best,
Tom K

JerryChang · October 25, 2021, 6:11am

hello kyuhaa.hwang,

may I have more details regarding to this hardware.

for Jetson security, it’s a must to enable Secureboot, which prevents execution of unauthorized boot codes through chain of trust.

kyuhaa.hwang · October 27, 2021, 12:19am

So, do you mean is it impossible to use secure world without secure boot?

I want to do aes-cmac using the secure hw.
Is it impossible to do this without secure boot?

JerryChang · October 27, 2021, 5:45am

hello kyuhaa.hwang,

please also check this documentation, Trusty Key Generation APIs.
it needs input a key, which must be loaded into an SE keyslot.
however, for testing purpose. you may pre-load the keys into the keyslot.
please check public release sources for reference,
i.e. $L4T_Sources/r32.6.1/Linux_for_Tegra/source/public/atf_and_trusty/trusty/trusty/app/nvidia-sample/hwkey-agent/key_mgnt.c

kyuhaa.hwang · October 28, 2021, 4:00am

Thanks. But I’d like to find a way to use the secure hw (not sw).
Is there no way to use that hw without secureboot?

JerryChang · October 28, 2021, 5:35am

hello kyuhaa.hwang,

it’s the fuse process to program the keys to the platform.
so, please enable secureboot for running that.

hyuki13 · November 1, 2021, 12:56am

Hello, JerryChang,

I have a further question.
Can I use test purpose secure boot and test key?
and,
Can I use HW AES-CMAC after set up the test version secure boot?

If test version of secureboot is available. Could you share the link?

Thank you.

JerryChang · November 1, 2021, 3:16am

hello hyuki13,

what did you mean test version?

hyuki13 · November 1, 2021, 6:06am

Test version means … Not Commercial version, only for test purpose …

JerryChang · November 1, 2021, 6:25am

hello hyuki13 ,

please visit https://developer.nvidia.com/embedded/linux-tegra page for the available packages.
you’ll see [Jetson Platform Fuse Burning and Secure Boot Documentation and Tools] in the end of this table. this is the package to enable Jetson security, please read the readme file and also developer guide, Secureboot. you should create your own keys to program the fuse to enable secureBoot.

system · November 24, 2021, 3:27am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.