Memory encryption of normal applications outside of TrustZone on Xavier NX

Hello! I know that the Xavier NX provides a means to encrypt the memory used for ARM TrustZone with Trusty (TZ-DRAM), however is there a way to encrypt the memory of the normal space Linux OS as well? For example, if we want to protect sensitive data in RAM from our main software application. If so, how do we enable/activate the encryption?

Thanks!

hello bmsp,

please refer to r32.5 release notes, there’s new features added to have disk encryption.
you should also check developer guide, please also refer to Disk Encryption to protect the data.

please also check below forum thread as see-also.
HW Accelerated Encryption for Xavier NX with LUKS/cryptsetup - #5 by JerryChang
thanks

Thanks Jerry! I was referring to the 8GB of LPDDR4 (RAM - memory) rather than the non-volatile storage (16GB eMMC). How can we ensure the data in the volatile RAM is encrypted?

hello bmsp,

the bootloader allocates a dedicated carveout, TZ-DRAM, to run a secure OS.
please refer to security session, Trusty, a Trusted Execution Environment for reference.

BTW,
here’re discussion threads you should also check as see-also.
for example,
The difference between TZDRAM and TZRAM - #7 by JerryChang
Where is TZDRAM? - #3 by JerryChang

Hi Jerry,

I’m aware of the encrypted memory allocated for applications running inside of Trusty (using TZ-DRAM in the trusted execution environment), however I’m wondering about encrypting the memory for applications running outside of Trusty (i.e. running in the normal Linux OS - non-secure environment). This would be useful for larger, more complex, applications/processing since we ideally want to minimize the amount SW running on the secure OS for security reasons.

Thanks!

hello bmsp,

why you still need an encrypt process outside Trusty if you enable TA/CA service?
may I have your comments, thanks

Suppose I have an application that is processing camera data and I want to protect the processing algorithm (which maybe uses TensorRT or DeepStream) from being leaked by someone probing the memory. Should I write core online processing algorithms inside of Trusty?

hello bmsp,

BTW,
here’re forum discussion threads you may check for Jetson security.
such as Topic 80861, and Topic 107742. thanks

Hi Jerry,

These topics are related to encrypting the bootloader, securing the boot process, burning fuses in the security engine, and device integrity measurements. They do not discuss encryption of normal RAM (non TZ-DRAM).

Thanks!

hello bmsp,

if you’d enable Jetson security, and also TA/CA service. you’re configure this into Normal world and Secure world.
there’s SMC (secure monitor call) hardware support to ensure secure resources is not accessed in normal world.

Hi Jerry,

Thanks! Should we implement core algorithmic functionality in the secure world then if we want to protect it? I thought we should minimize the amount of SW in the secure world to reduce the potential security risks. Plus there’s a limited amount of TZ-DRAM.

hello bmsp,

a client application (CA) running in the non-secure world typically has a partner trusted application (TA) running in the secure world.

you may have TA implementation to protect code and data; please refer to Secure Samples for a diagram which shows an overview of two secure sample applications, a CA and a TA.

please check Trusted Application Development for the step-by-step instruction for developing Trusted Applications (TAs). you may also check Trusty API for reference,
thanks

Thank you! I’m still not sure that it’s appropriate to include portions of a DeepStream pipeline inside a TA.

However, I appreciate your time and will move forward assuming that the memory for CAs is unencrypted in the physical RAM.