I am working on TK1 (Toradex apalis-tk1 module). I am wondering if this “secure monitor” is the same thing as “secure boot” for TK1? I see that “secure monitor” includes the “warmboot” code, but it is the same thing, can I have the document about the signing and programming process for it on Jetson TK1?
We don’t have secure boot support on TK1.
If you want, you could try to buy a Jetson Nano. We don’t support any new features on TK1 anymore.
You might want to see what the “help” description says…two right arrows should show that. Toradex still supports this so they could probably answer.
Toradex doesn’t give any support on secureboot. I just want to know if the L4T “secure monitor” is the same thing as secureboot.
I could not say for sure on that. Someone from NVIDIA would have to answer that, but 32-bit was never well developed in terms of securing boot. Most of the development for this started in 64-bit. About the best I could suggest (other than NVIDIA answering) is to check the TK1’s documentation. In general:
In particular, look there for the “Jetson Platform Fuse Burning and Secure Boot Documentation and Tools” document:
(you might need to go to the URL, log in, and click the link a second time)
Thank you so much, linuxdev
I believe L4T R21.7 was the last support for secureboot on jetson-tk1. The document you pointed out, “Jetson Platform Fuse Burning and Secure Boot Documentation and Tools”, is very clear and good. I experimented and exercised it, and it looks like it is working OK.
L4T R21.8 was the last release for jetson-tk1. There is no official document about secureboot on it. Just digging into the u-boot source, it newly introduced a “secure monitor” module, which appears to be the same thing as secure boot on R21.7, but NVIDIA never explicitly documented it, or if I missed something
There’s the Tegra K1 Fuse Specification, which provides an overview for TK1.
You should also move your BSP to rel-28. Please access the Jetson Platform Fuse Burning and Secure Boot Documentation and Tools package for TK1 support.
Let me put it in a simple way, I am using jetson-tk1 development board (model: TR375)
1. u-boot in R21.7.0-source, without “secure monitor”, could boot on the board very well
2. u-boot in R21.7.0-source, with “secure monitor”, could NOT boot on the board at all
3. I believe “secure monitor” in R21.8-source is the same thing as “secure boot” in R21.7-source, please help confirm. If so, do we have any document about how to set up secure boot on TK1 with “secure monitor”?
4. When I used “wb_sign.sh” to sign the u-boot-dtb-tegra.bin built from #2, the image became around 2.0 GB. I guess the SECURE_MONITOR_BASE configuration might be wrong, please read the italic lines in the result below
5. I found that CONFIG_ARMV7_SECURE_BASE=0xffe00000, could this be the reason the wb_header is way too big?
Can you help provide a document about the u-boot signing process with rel-28?
Please see my wb_sign.sh result
…/wb_sign.sh u-boot.bin …/…/…/jetson_tk1_rsa_priv.pem u-boot u-boot-spl
- Extract WB_header from U-Boot
- Extract WB_code from U-Boot
- Construct complete WB0
len_insecure = 1744
len_secure = 1744
code_length = 1168
- Call WB0 signing function
to sign length: 1200
Extract the part of the binary that needs to be signed
Calculate rsa-pss signature and save to wb.tmp.rsa.sig
Reverse rsa signature byte order
Inject rsa-pss signature wb.tmp.rsa.sig.rev into wb_header
Generate public key modulus and save to ./key.tmp.mod
Inject public key modulus ./key.tmp.mod.rev into wb_header
Image signed to file wb.tmp
- Inject WB_header back to U-Boot image
WarmBoot code reside in /home/myname/Desktop/jetson-tk1/Linux_for_Tegra/bootloader/ardbeg/u-boot.bin has been signed