Linux Support of Secure OS

Hello for a 4K set-top box, we would need to integrate Playready 3.0 and SL3000 (like for Netflix 4K).

Do you know what is the plan to support this on Linux TX2?

Thanks for your feedback,
Aurelien

I could be wrong, but I don’t believe the TX2 supports the whole rights management path needed for end-to-end video copy protection or encryption…which in turn would be needed for Playready. Perhaps there is a future plan to support this (I don’t know), but I suspect hardware itself would prevent this.

Hi Aurelien/linuxdev,
We will check if we have plan for it.

"for a 4K set-top box, we would need to integrate Playready 3.0 and SL3000 (like for Netflix 4K).

adesombre,
Do you have an existed product already has a support for it under Linux? Or this is a new product based on Jetson TX2 and there is no prior generation. Is it’s former, is there a link for our reference? Thanks.

Hello Chijen, this is for a new product for which we are planning to use Jetson TX2 on Linux.

Here is a link with Playready requirement: https://www.microsoft.com/playready/features/EnhancedContentProtection.aspx

Hello Chijen,

Any feedback for me?

Thanks!

adesombre,
In order to support Playready 3.0, we need to have DRM framework in place. However, lack of DRM framework under Linux is a huge deal to support this. Google provides DRM framework for Android so it’s less effort for us to support it. Besides DRM framework, to support it, we will need to provide trusted application infrastructure which is another major development.

Thus, at this point we do not have affirmative plan to provide the support.

For the (Netflix) application side, to support your product, do you develop your own application?

If you have different idea to share, feel free to let us know.

Chijen,

For the DRM framework to be set using GSTreamer, we have a specialist who could perform this integration work for Playready 3.0.

=> What we need on our level is a Linux version with:

  • HW root of trust / ARM Trust Zone (I guess more related to HW requirement)
  • Trusted Environment execution
  • Secured media path

All,

this is an interesting point and we are currently in the same position and are qualifying the hardware we will need to use to support the PR3.0 constraints evoqued by adesombre

Chijen, could you comment on the support for the functionalities mentioned by adesombre in his last post ?

Thanks in advance for your answer.

Best regards,
Emmanuel Poitier

enman/adesombre,
Sorry for late response …I certainly wish to respond earlier :)

We are in beta testing for secure boot package and plan to make it available in the next Jetpack release targeted for early July. Secure boot provides a cryptographic check for each boot process to ensure only trusted software components being run in the system. It includes hardware root of trust and key management and is required to further support secure OS and trusted application.

I will need to provide secure OS support update later but won’t be in the next release. Thanks for your patience.

Hello,
Is this secure boot package now available through the most recent JetPack? Can you please point me to the appropriate JetPack which has this support?

Thanks!

The Jetson platform secure boot package was published at https://developer.nvidia.com/embedded/downloads

[b]- Jetson Platform Fuse Burning and Secure Boot Documentation and Tools

  • Jetson TX2 Fuse Specification
  • Jetson TX1 Fuse Specification
  • Jetson TK1 Fuse Specification[/b]

This collection of documentation and tools enables fuse burning for secure boot and other purposes with Jetson TX2, Jetson TX1, and Tegra K1 for developing secure OS and trusted application.

Thank you, for much for making the secure boot package available. I am going through the documentation and have following additional questions:

  1. Does secure boot allow encryption of boot files or just signature verification. How can we enable encryption if not supported by default?
  2. Can rootfs be encrypted? What support is available in the JetPack/SecureBoot package to do so?

Thank you, for your help!

  1. Does secure boot allow encryption of boot files or just signature verification. How can we enable encryption if not supported by default?
    => secure boot enable image signing only so signature verification only.

  2. Can rootfs be encrypted? What support is available in the JetPack/SecureBoot package to do so?
    => This is not part of secure boot but secure OS instead. Secure OS is not yet a public release and schedule still unknown at this point.

Thank you, ChiJen. I appreciate your response. This is very important from security perspective and especially in the context of our project. Please keep us posted on your schedule/release plans about making this feature available.

embedded,
OK it might take a while. However, here is the document you could reference,
https://source.android.com/security/trusty/

Our implementation is mainly based on that (without Android dependency).

Hi @chijen, has there been any update on when you plan to support Secure OS for the TX2? Thank you!

Hi jrad77,

There is still no firm schedule at this point.

Thanks

Was wondering if there is any update about the the trusty support? or any estimation of how long it will take?

Thank you,