Jetson orin UEFI Secureboot

elhamriothman · April 19, 2024, 1:18pm

Hello there,

im trying to get the secure boot to work, specially the UEFI Secureboot, I am at the step where I had to generate the UefiDefaultSecurityKeys.dtbo and the Auth Files, hoverever I don’t see the use of the .dtbo, it is said that the UefiDefaultSecurityKeys.dtbo will be used during flashing however when I have to enable UEFI secureboot during flashing I only pass the uefi_keys.conf through the option –uefi-keys and not the UefiDefaultSecurityKeys.dtbo.

Can someone explain to me where the UefiDefaultSecurityKeys.dtbo is used in the flashing or Im I doing something wrong?

Thanks!

KevinFFF · April 22, 2024, 1:59am

Hi elhamriothman,

Are you using the devkit or custom board for Jetson Nano?
What’s your Jetpack version in use?

There’s no UEFI for Jetson Nano.
Are you using Orin Nano rather than Jetson Nano?

Please refer to <Linux_for_Tegra>/tools/README_uefi_secureboot.txt for details.

Could you share the full flash log for further check?

elhamriothman · April 22, 2024, 6:40am

Hello im using the jetson orin agx not nano my bad.

KevinFFF · April 22, 2024, 7:35am

I’ve moved your topic to the correct category for AGX Orin.

elhamriothman · April 22, 2024, 8:23am

Hello Kevin,

I think I got it, thank you.

elhamriothman · April 24, 2024, 2:48pm

Hello Kevin,

Im trying to implement the secureboot as you know there is two types of secureboot implemented in the jetson orin agx one called the low-level bootloader secureboot) that happens before the bootloader (UEFI secureboot) I see we use two keys the PKC key Pair and the SBK key.

My question is that I know what the UEFI secureboot sign (the payload) but I don’t really know what the Secureboot before the bootloader really sign can you be more detailed about the payload of the low-level bootloader.

Thank you again!

KevinFFF · April 25, 2024, 7:21am

Secureboot is used to protect bootloader.
UEFI secureboot is used to protect UEFI payload(like kernel, initrd…etc)

elhamriothman · April 25, 2024, 7:52am

I see is there a flow chart for the low level secureboot?

elhamriothman · April 25, 2024, 1:21pm

Also Im confused about who loads the fw is it the MB1 or MB2 this is what I found:

and then I found this:

KevinFFF · April 26, 2024, 5:57am

Yes, you can refer to the Jetson AGX Orin, Orin NX and Orin Nano Boot Flow or check the serial console log for boot flow.
BootROM → MB1 → MB2 → UEFI → Kernel → Rootfs

elhamriothman · April 26, 2024, 2:22pm

I did yeah thanks, Im now doing the manual signing of the uefi payloads, when I have to download the the signed payloads from the host to the target’s folder, in the readme of eufi secureboot line 236 is there a reason why we have to download the extlinux.conf and the extlinux.conf.sig? why don’t we just download the signed file?

e. Download and write the signed UEFI payloads.

  i. Download these signed UEFI pyloads from host to their corresponding storage.

     Note: You might want to save copies of the original files.

                         filename                                           target's folder
     =================================================================      ===============
     extlinux.conf and extlinux.conf.sig                                    /boot/extlinux/
     initrd and initrd.sig                                                  /boot/
     kernel_tegra234-p3701-0004-p3737-0000.dtb, and
       kernel_tegra234-p3701-0004-p3737-0000.dtb.sig (for Concord SKU 4)   /boot/dtb/
     Image                                                                  /boot/
     BOOTAA64.efi                                                           /uefi_keys/
     boot.img                                                               /uefi_keys/
     tegra234-p3701-0004-p3737-0000.dtb (for Concord SKU 4)                 /uefi_keys/
     recovery.img                                                           /uefi_keys/
     tegra234-p3701-0004-p3737-0000.dtb.rec (for Concord SKU 4)             /uefi_keys/

KevinFFF · May 2, 2024, 9:39am

extlinux.conf is the original source for the configuration.
Is there any issue to copy this file?

elhamriothman · May 2, 2024, 12:13pm

No it’s not that there is a problem with the copying I just want to make sure when they are saying the target’s folder they mean the host folder. where do I put these files that we downloaded (signed and unsigned) in the jetson orin exactly?

KevinFFF · May 3, 2024, 2:32am

Please refer to the column of target's folder.
You should put that list of files from your host(PC) to your target(Jetson).

system · May 21, 2024, 6:17am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Security -- Jetson Orin Nano Jetson Orin Nano security	20	76	April 21, 2025
Secureboot Jetson orin agx testing Jetson AGX Orin security	14	283	May 15, 2024
UEFI Secure Boot fails flashing Jetson AGX Orin security	9	173	December 18, 2024
Jetson Orin AGX UEFI secureboot payload manual signature Jetson AGX Orin security	12	369	June 4, 2024
Disk encryption key in EKS partition Jetson Orin NX security	13	115	December 27, 2024
Fail flashing Orin AGX with UEFI payload encryption enabled (--uefi-enc) enabled with JP36.3 Jetson AGX Orin reflash , security	8	175	September 23, 2024
UEFI secureboot and disk encryption in 36.4 Jetson AGX Orin security	11	175	October 28, 2024
Implement Jetson Secure Boot without UEFI Secure Boot on Jetson AGX Orin Jetson AGX Orin security	8	191	October 8, 2024
Secure boot on Jetson Orin Nano 4GB-DRAM (P3767-0004) board not booting [part 2] Jetson Orin Nano security	8	50	February 20, 2025
Enabling disk encryption and secureboot on internal device 36.3 Jetson AGX Orin security	19	402	July 5, 2024

Jetson orin UEFI Secureboot

Related topics