Is it possible to use Secure World without secure boot?

Hi, I use a NVIDIA Jetson AGX Xavier developer board.
I got some question about security world on the board.

Q1. Is it possible to enable “Secure World” without secure boot?
Q2. If ‘Q1’ is impossible, is there any way to use security hardware in normal world?
Q3. Could I know where the secure things are? (like, Trusted Applications, codes and etc…)

  • I tried to find out that on the board but I failed.

The reason why I ask these question is…
The things I’m developing is for a security test, not mass production.
So, I wanted to know if there’s a way to use security hardwares without secure boot or TOS.


This category is for DOCA security conversations. This topic will be better served if it was posted in the Jetson AGX Xavier forum, I will move it over for you.

Tom K

hello kyuhaa.hwang,

may I have more details regarding to this hardware.

for Jetson security, it’s a must to enable Secureboot, which prevents execution of unauthorized boot codes through chain of trust.

So, do you mean is it impossible to use secure world without secure boot?

I want to do aes-cmac using the secure hw.
Is it impossible to do this without secure boot?

hello kyuhaa.hwang,

please also check this documentation, Trusty Key Generation APIs.
it needs input a key, which must be loaded into an SE keyslot.
however, for testing purpose. you may pre-load the keys into the keyslot.
please check public release sources for reference,
i.e. $L4T_Sources/r32.6.1/Linux_for_Tegra/source/public/atf_and_trusty/trusty/trusty/app/nvidia-sample/hwkey-agent/key_mgnt.c

Thanks. But I’d like to find a way to use the secure hw (not sw).
Is there no way to use that hw without secureboot?

hello kyuhaa.hwang,

it’s the fuse process to program the keys to the platform.
so, please enable secureboot for running that.

Hello, JerryChang,

I have a further question.
Can I use test purpose secure boot and test key?
Can I use HW AES-CMAC after set up the test version secure boot?

If test version of secureboot is available. Could you share the link?

Thank you.

hello hyuki13,

what did you mean test version?

Test version means … Not Commercial version, only for test purpose …

hello hyuki13 ,

please visit Jetson Linux | NVIDIA Developer page for the available packages.
you’ll see [Jetson Platform Fuse Burning and Secure Boot Documentation and Tools] in the end of this table. this is the package to enable Jetson security, please read the readme file and also developer guide, Secureboot. you should create your own keys to program the fuse to enable secureBoot.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.