Multi a/b root file system with secure boot

Hi,

I’m trying to achieve something similar mentioned in this thread - https://devtalk.nvidia.com/default/topic/1055487/jetson-tx2/secure-boot-ota-update/

  • secure boot - but upto and including u-boot / initrd / initramfs
  • OTA updates, e.g. update rootfs of inactive partition from active rootfs partition, and modify u-boot or initramfs or initrd to switch to inactive rootfs on reboot
  • luks encryption of the root file systems on an nvme m2 drive
  • somehow securely pull the luks key from a fuse or TEE, possibly from initrd / initramfs to point root to the right partition

Is the above even possible on the Jetson?
Is it only secure boot up to cboot?

The main goal is to protect our IP and if possible also from manufacturing, do you know if there is a good / sound process to achieve this?

Many Thanks

Hi,
For secure boot, there is a training video:
https://www.brainshark.com/nvidia/Jetson_Security_SecureBoot?dm=5&pause=1&nrs=1
For A/B redundancy, there is a post with detail:
https://devtalk.nvidia.com/default/topic/1062508/jetson-agx-xavier/enabling-a-b-redundancy-for-rootfs/post/5381875/#5381875

If you would need combination of the two functions, it is not verified and may not work properly. Please check if is good to run secure boot only for protecting IP.

We are also working on OTA demonstration. Will keep you posted.

Hi,

Secure Boot by itself just ensures our code runs.
For OTA style updates I’ll look into hacking cboot, do you know if I can query the fuses from cboot? as I’d like to achieve disk encryption but securely get the key assuming with secure boot I’d be the only one that can get the key?

I look forward to the OTA demonstration, do you know roughly when that’ll be available?

Thanks

"- somehow securely pull the luks key from a fuse or TEE
"Is it only secure boot up to cboot?

=>
yusufftrxn,

Secure boot is to ensure boot components such as BCT, MB1 or bootloader are trusted to run. Secure OS, Trusty for Jetson, is to provide product with a secure environment and enable to develop application to securely access the secrets after boot up. Here is the Trusty document,
https://docs.nvidia.com/jetson/l4t/index.html#page/Tegra%20Linux%20Driver%20Package%20Development%20Guide%2Ftrusty.html%23

From next R32.4.x release, we will add security samples to demonstrate,

  1. how to use user-defined key to protect the secrets

This key will be the same for all the devices. The key will be part of EKB that is flashed on the partition during production.

  1. how to use SSK derived key to protect secrets

This key is unique for each device. SSK is secure storage key that is derived from SBK, DK and an ID. It’s generally used to encrypt certain storage.

Please do spend some time to look into the samples and documentation when release is available. Thanks

Thanks chijen, I’ve been through that document but I’ve no ‘c’ knowledge, was hoping to be able to script a solution with sh / bash.
An example of generating encrypted key blobs would be fantastic.

One thing holding us back atm is the know how (or possibility) of ensuring our IP is protected, any future samples to demonstrate the ability to combine encrypted partitions would be really helpful, e.g. decrypt a luks container on bootup and mount an encrypted root fs within. We can achieve such a thing on x86 with the help of TPM modules, we need to achieve a similar thing on ARM / Jetson.

Hi chijen,

On the link - https://docs.nvidia.com/jetson/l4t/index.html#page/Tegra%20Linux%20Driver%20Package%20Development%20Guide%2Ftrusty.html%23 I couldn’t find the source files, do you know where I can get them so I can take a look at the sample?

Yusuf

Hi,
Please check trusty_src.tbz2 in
https://developer.nvidia.com/embedded/dlc/r32-3-1_Release_v1.0/Sources/T186/public_sources.tbz2

Thanks DaneLLL, I’ve extracted both trusty_src and atf_src but can not find the samples mentioned in the link https://docs.nvidia.com/jetson/l4t/index.html#page/Tegra%20Linux%20Driver%20Package%20Development%20Guide%2Ftrusty.html%23, any idea where it’s located?

yusuf_tran,

"From next R32.4.x release, we will add security samples to demonstrate,

  1. how to use user-defined key to protect the secrets
  2. how to use SSK derived key to protect secrets

Thanks chijen, I look forward to the next release.

Hi,

After extraction, you should see samples in

public\trusty\app\keystore-demo
public\trusty\app\sample\ipc-unittest\main
public\trusty\app\sample\ipc-unittest\srv

Thanks DaneLLL, found them.

@yusufftran were you able to get a A/B root file system eventually?

yes, only recently, bit hacky, involves customising the l4t_initrd.img with a custom init, 2 root partitions and a ‘data’ partition, and some logic to check a file on the data partition to figure out which root partition to boot into, still in the process of cleaning things up, only got secure boot working recently and working on securely pulling luks encryption key from fused value, if you’re interested, this was a great starting point - https://github.com/madisongh/keystore