Jetson security vulnearbilites

There is a bunch of security vulnerabilities found in the Jetpack software according to this:
Security Bulletin: NVIDIA Jetson AGX Xavier Series, Jetson Xavier NX, Jetson TX1, Jetson TX2 Series (including Jetson TX2 NX), and Jetson Nano (including Jetson Nano 2GB) - June 2021 | NVIDIA(the%20trusted%20OS%20produced,disclosure%2C%20escalation%20of%20privileges%2C%20and

How do we know if we are affected? does it only affect users of secure boot (Trusty?) or does it affect any users of Jetpack regardless of features used?

Hi urielom8ug,

It’s better to refer to L4T 32.5.2 and L4T 28.5 Released with Security Fixes - Jetson & Embedded Systems / Announcements - NVIDIA Developer Forums to upgrade to the new version.

Hi, that topic doesn’t answer my question.

How do I know if my device is affected? All the vulnerabilities talk about trusty which AFAIK is the trusted OS used for secure booting.

If we don’t use secure boot are we affected?

hello urielom8ug,

it’s SecureBoot to ensure boot security,
SecureOS (Trusty) to include security features to ensure code and data on a device is protected.

as you can see,
there’s software update to addresses security issues. to protect your system, it’s suggest moving to the latest release to include the fixes. you may also dig into descriptions for a summary of potential vulnerabilities.
thanks

Hi Jerry,

I understand that and understand that we need to upgrade (quite difficult due to lack of OTA in JP 3.x branch but that is a different topic) but the question is not about that, the question is to understand if we are affected.

If secure boot is not used does it mean that trusty is not used? can an attacker used such vulnerabilities on a JP flashed without secure boot enabled?

hello urielom8ug,

to be honest, every devices connect to ethernet isn’t secure.

the concept of SecureBoot is to prevent execution of unauthorized code during boot process through chain-of-trust;
those authenticates boot components (such as, Boot Configuration Table, bootloader binaries, and warmboot vector) were signed using private key.

there’s PKC (to sign) used to ensure data integrity.
with PKC protection, if there’s any boot code changes or corruption, boot should not be able to go through.
there’s SBK (to encrypt) to protect data confidentiality.
with SBK protection, boot code should be properly encrypted, it will check signature for boot.