Jetson Nano Secure Boot: Extending the Chain of Trust Beyond the Bootloader

Hello,

I am currently working with a Jetson Nano eMMC 4GB and I noticed that the Secure Boot implementation only covers the bootloader: the chain of trust stops at that stage. As a result, the operating system is not protected, and it is technically possible to load any OS without additional verification.

I need to implement a full chain of trust, from the BootROM all the way up to the operating system, in order to ensure the integrity of the entire platform.

Could you please advise on what solutions or best practices NVIDIA recommends to fully secure the platform, including OS verification during boot? Is there an official mechanism or supported workflow to extend the chain of trust beyond the bootloader on Jetson Nano?

Hardware:
seeed studio reComputer J1010
SOM Model P3448
180-13448-DAAA-B01

L4T version R32.7.6 (latest for Jetson Nano)

Hello Kralibur,

Unfortunately, Jetson Nano (t210 series) supports bootloader secure boot only.

I will add that when secure boot is enabled, much of the content in “/boot” is no longer allowed; instead, signed partitions are used. This does mean you can enforce a specific valid kernel, and probably you could add options to the kernel command line to aid some sort of security enforcement once in Linux. For example, one could enable SELinux and carefully work with security roles, but that is a big learning curve. Something like SELinux cannot be disabled without rebooting and not passing the “enable” option on the command line, so in essence you can have some form of enforcement if you are willing to micromanage.

Your question though is rather general, and you’re at a point where you would need to ask about specific security worries or goals to provide any more useful answer (and perhaps not even then, it is a big topic).