Jetson orin UEFI Secureboot

Hello there,

im trying to get the secure boot to work, specially the UEFI Secureboot, I am at the step where I had to generate the UefiDefaultSecurityKeys.dtbo and the Auth Files, hoverever I don’t see the use of the .dtbo, it is said that the UefiDefaultSecurityKeys.dtbo will be used during flashing however when I have to enable UEFI secureboot during flashing I only pass the uefi_keys.conf through the option –uefi-keys and not the UefiDefaultSecurityKeys.dtbo.

Can someone explain to me where the UefiDefaultSecurityKeys.dtbo is used in the flashing or Im I doing something wrong?


Hi elhamriothman,

Are you using the devkit or custom board for Jetson Nano?
What’s your Jetpack version in use?

There’s no UEFI for Jetson Nano.
Are you using Orin Nano rather than Jetson Nano?

Please refer to <Linux_for_Tegra>/tools/README_uefi_secureboot.txt for details.

Could you share the full flash log for further check?

Hello im using the jetson orin agx not nano my bad.

I’ve moved your topic to the correct category for AGX Orin.

Hello Kevin,

I think I got it, thank you.

Hello Kevin,

Im trying to implement the secureboot as you know there is two types of secureboot implemented in the jetson orin agx one called the low-level bootloader secureboot) that happens before the bootloader (UEFI secureboot) I see we use two keys the PKC key Pair and the SBK key.

My question is that I know what the UEFI secureboot sign (the payload) but I don’t really know what the Secureboot before the bootloader really sign can you be more detailed about the payload of the low-level bootloader.

Thank you again!

Secureboot is used to protect bootloader.
UEFI secureboot is used to protect UEFI payload(like kernel, initrd…etc)

I see is there a flow chart for the low level secureboot?

Also Im confused about who loads the fw is it the MB1 or MB2 this is what I found:

and then I found this:

Yes, you can refer to the Jetson AGX Orin, Orin NX and Orin Nano Boot Flow or check the serial console log for boot flow.
BootROM → MB1 → MB2 → UEFI → Kernel → Rootfs

1 Like

I did yeah thanks, Im now doing the manual signing of the uefi payloads, when I have to download the the signed payloads from the host to the target’s folder, in the readme of eufi secureboot line 236 is there a reason why we have to download the extlinux.conf and the extlinux.conf.sig? why don’t we just download the signed file?

e. Download and write the signed UEFI payloads.

  i. Download these signed UEFI pyloads from host to their corresponding storage.

     Note: You might want to save copies of the original files.

                         filename                                           target's folder
     =================================================================      ===============
     extlinux.conf and extlinux.conf.sig                                    /boot/extlinux/
     initrd and initrd.sig                                                  /boot/
     kernel_tegra234-p3701-0004-p3737-0000.dtb, and
       kernel_tegra234-p3701-0004-p3737-0000.dtb.sig (for Concord SKU 4)   /boot/dtb/
     Image                                                                  /boot/
     BOOTAA64.efi                                                           /uefi_keys/
     boot.img                                                               /uefi_keys/
     tegra234-p3701-0004-p3737-0000.dtb (for Concord SKU 4)                 /uefi_keys/
     recovery.img                                                           /uefi_keys/
     tegra234-p3701-0004-p3737-0000.dtb.rec (for Concord SKU 4)             /uefi_keys/

extlinux.conf is the original source for the configuration.
Is there any issue to copy this file?

No it’s not that there is a problem with the copying I just want to make sure when they are saying the target’s folder they mean the host folder. where do I put these files that we downloaded (signed and unsigned) in the jetson orin exactly?

Please refer to the column of target's folder.
You should put that list of files from your host(PC) to your target(Jetson).

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.