Dear Team,
Although in your documentation it is mentioned “Secureboot requires a 2048-bit RSA key-pair” but through the openssl command only private key is being generated And it is used as public key and also used for signing the binaries. We are not able to understand how security has been achieved in Jetson Nano. Because public key is in BCT and accessible to read it and private key has not been used in secure boot process. How can we ensure that our board is secure from untrusted software download?
What command did you use to generate the key?
openssl genrsa -out rsa_priv.pem 2048
Given in your documentation to generate RSA key-pair
hello kavita.awasthi24,
SecureBoot it prevents execution of unauthorized boot codes through chain of trust.
PKC for sign, if PKC is burned, then the KEYFILE users provide is for signing the images.
SBK for encryption, if SBK is burned, then the SBKFILE users provide is for encrypting the images.
BTW,
please access tutorials page, here’s training video, Jetson Security and Secure Boot to give an overview of Jetson security.
I don’t know if this would work for Jetsons, but I get public and private RSA keys for ssh keys via something like this:
ssh-keygen -t rsa -b 2048 -C "comment, name@machine"
(it’ll ask you where you want to save them)
Do you get both keys with this?
Dear User,
Yes, it will create private-public keypair but how private key will be used in Jetson nano secure-boot process that is not mentioned clearly in the provided documentation. We have the same doubt which we are asking here.
To be more specific, the application note for Jetson Nano fuses talk about what each each is used for. I am still not clear how they ensure security?
PKC is public key hash so where are we using Private key for signing our binaries?
SBK for encryption is nowhere used in Jetson Nano, it is for Xavier NX as per your tutorials.
Please reply
Note that if boot content is signed with a mandatory private key, and the hardware enforces this without revealing the private key, then successful boot guarantees the content used to boot is the content you placed there in an unmodified form. It isn’t that the boot content is “hidden” in some way that matters so much as it is that you are guaranteed that nobody tampered with that content. Encryption is quite different than authentication.
Dear user,
Boot content is signed with a public key and its hash has been stored in the dedicated flash memory location. There is nowhere use of private key for Jetson Nano SecureBoot process. Even public key is not getting stored in the flash, authentication will be done in between public key hash stored in the flash memory and public key used in the BT area. So my doubt is in BT area, it is accessible to anyone and anyone can read and temper the security process used in Jetson Nano.
I am following documentation provided by NVIDIA for jetson nano secureboot process:-
https://docs.nvidia.com/jetson/archives/l4t-archived/l4t-3243/index.html#page/Tegra%2520Linux%2520Driver%2520Package%2520Development%2520Guide%2Fbootloader_secure_boot.html%23wwpID0E0IG0HA
Only public_key_hash and odm_production_mode has been used to achieve the security of OS. But how it has been achieved that is understandable. Can you please explain in detail?
I do not know enough about that part of security and flashing to answer. Someone from NVIDIA will have to complete the answer.
@JerryChang Can you please update to my query?
hello kavita.awasthi24,
you’ll see SBK if you reading the doc, please check the table, [Fuse Name Aliases Recognized by tegraflash for T210].
please also check Jetson Nano Fuse Specification Application Note for details on hardware fuses and fuse names.
boot component is signed using private key, the authentication is done using digital signature and public key.
the key is stored in device, you’ll need to perform fuse burning to add keys.
@JerryChang
Thanks for your response. We have gone through the document "Jetson Nano Fuse Specification Application Note.
Referring to the document SecureBoot Generating RSA-KeyPair,
Extract from above link
"Generating the RSA Key Pair
Secureboot requires a 2048-bit RSA key-pair.
To generate a key-pair
- Execute the command:
$ openssl genrsa -out rsa_priv.pem 2048
Upon successful execution, OpenSSL generates the key file named rsa_priv.pem file.
- Rename and save the key file securely and safely.
The key file is used to burn fuse and sign boot files for Jetson devices. The security of your device depends on how securely you keep the key file.
To ensure the security of the key file, restrict access permission to a minimum number of personnel."
Notes :
-
It generates only the private key not RSA key pair ( Public Key and Private Key )
-
It says this private key is used to burn the fuse. ( The Public key supposed to be used to create the public key hash and burn the fuse )
-
It says this private key is used to sign the boot files.
The above steps also followed in the odmfuse.sh.
Also throughout the document it says Public key and Public key hash but it refers to the above private key generated via above step.
In principle if we generate the RSA key pair and the private key to be used to sign the boot files and public is stored in the flash and used to create the public key hash and burn to fuse, then we could have ensure security. So that our private key never leaves our security system at anytime and public key can be shared to the device for programming the fuse.
Please let us know if we are missing something in the process.
please see training video, Jetson Security and Secure Boot to give an overview of Jetson security.
@JerryChang
We have gone through the “Jetson Security and Secure Boot” video. Although in the video, it is explained that the public key will present at the device and private key will be used for signing the bootloader, but the scripts and other document explained in previous post is saying only about one key of 2048 bytes, not a key pair of public key and private key.
Please go through our previous post and correct us if there is any difference in our thought process.
hello kavita.awasthi24,
FYI,
the file generated by openssl genrsa -out rsa_priv.pem 2048 can be used to burn fuse. this key file, rsa-priv.pem is the PRIVATE key file.
the purpose of PKC solution is to avoid exposing private key in the factory line. so, you’ll need to generate PKC hash firstly and release it to factory for burning.
hello kavita.awasthi24,
those authenticates boot components (such as, Boot Configuration Table, bootloader binaries, and warmboot vector) were signed using private key.
you’ll need to assign the same keys when running the flash command,
for example, $ sudo ./flash.sh --no-flash -x 0x21 -y PKC -u <keyfile> <device name> mmcblk0p1
@JerryChang
Thanks for your quick response. From your reply it is clear that private key will be used for signing the boot components.
Through below command, we will do signing through private key and flashing the signed binaries not Keys.
sudo ./flash.sh --no-flash -x 0x21 -y PKC -u mmcblk0p1
My question is how authentication will be happened then?
hello kavita.awasthi24,
don’t previous posted documentations cover that? please point-out the paragraph you don’t understand.