Partition Explanation on Orin NX 16GB

Hi, I am trying to harden my Orin NX 16GB. However, I am unsure what some of the partitions that already exist on the disk do, or if any hardening of them is even needed. I referenced the CIS Benchmark, but there are no instructions on how to secure some partitions such as PARTLABEL="kernel". Therefore, is setting up auditing the only way to harden it? The following is the output of "blkid":

/dev/nvme0n1p1: UUID="85a35ccd-a620-43b8-9643-9499f1263661" TYPE="ext4" PARTLABEL="APP" PARTUUID="195d8858-d19a-4064-ab8b-910c66f60c1e"
/dev/nvme0n1p2: PARTLABEL="kernel" PARTUUID="651f5590-b948-4005-a888-590a0368d22f"
/dev/nvme0n1p3: PARTLABEL="kernel-dtb" PARTUUID="3dee94b4-1a2a-4225-9b58-bb306d681947"
/dev/nvme0n1p4: PARTLABEL="reserved_for_chain_A_user" PARTUUID="2b314d3a-b5c0-4cec-9047-be0fd5749613"
/dev/nvme0n1p5: PARTLABEL="kernel_b" PARTUUID="5db746a9-9b8d-47c0-8301-754ae1339202"
/dev/nvme0n1p6: PARTLABEL="kernel-dtb_b" PARTUUID="3eb70ecb-88d9-4e6b-b763-ad7f8808fc08"
/dev/nvme0n1p7: PARTLABEL="reserved_for_chain_B_user" PARTUUID="68413710-f333-4448-827d-fe518668d60f"
/dev/nvme0n1p8: PARTLABEL="recovery" PARTUUID="6a3e7540-b766-4761-9086-9e7473786d01"
/dev/nvme0n1p9: PARTLABEL="recovery-dtb" PARTUUID="2d85a5a3-0346-4c5b-ba34-6a2833fba412"
/dev/nvme0n1p10: PARTLABEL="RECROOTFS" PARTUUID="4c60bc8e-bda2-42c3-b663-774242514f0a"
/dev/nvme0n1p11: UUID="06FD-3C0B" TYPE="vfat" PARTLABEL="esp" PARTUUID="14e8d7cc-bb51-4332-afb9-685106251a40"
/dev/nvme0n1p12: PARTLABEL="recovery_alt" PARTUUID="301f7112-017f-4127-9b99-b053bbb7d60d"
/dev/nvme0n1p13: PARTLABEL="recovery-dtb_alt" PARTUUID="58e79d0d-9b5e-4e25-9ceb-6810d8ab9e17"
/dev/nvme0n1p14: PARTLABEL="esp_alt" PARTUUID="3c912437-4f53-4016-a0b4-9a20485bd224"
/dev/loop0: SEC_TYPE="msdos" LABEL_FATBOOT="L4T-README" LABEL="L4T-README" UUID="1234-ABCD" TYPE="vfat"
/dev/zram0: UUID="a6dcfc56-1834-45f7-b4ac-9719eb62a5f2" TYPE="swap"
/dev/zram1: UUID="abfd3f90-9341-4b65-9d92-5ab646274fd2" TYPE="swap"
/dev/zram2: UUID="aa3da3ac-c92b-4628-a61f-bf64ec06704f" TYPE="swap"
/dev/zram3: UUID="b67c8fab-3ca8-4245-9ecf-8c42dc47ef90" TYPE="swap"

Hi,

What do you mean by harden?
Sounds like you want to remove some partitions considered unnecessary?

Yes, as I am trying to reduce the possible attack surface of the system.

Hi,

I don't think that's something to be done by users.
You have to change the partition layout file and calculate offsets yourself.

AFAIK, if you do need to do that, the partitions for kernel-dtb may be removed, because the kernel DTB is by default read from a file as specified in /boot/extlinux/extlinux.conf instead of from a dedicated partition.

FYI, there is no BIOS on a Jetson. Thus only one partition is the actual operating system (or a backup); the rest are either the equivalent of a BIOS or bootloader content. Not all models of Jetson support burning security fuses (the purely SD card models do not, but eMMC models do), but this is the realm of security fuses. By default that content is signed with a NULL key, but if you burn the fuses, then that content must be signed with a key matching the fuses. This does not prevent reading that content, but it does prevent booting from content which has been altered (and is thus improperly signed content).
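The original question asks whether auditing is the only option for the raw partitions. The answers above explain why: the kernel, kernel-dtb, recovery and their _b/_alt slots carry no filesystem and are read by the firmware directly, so there is no mount option to tighten, and integrity is enforced by the signature fuses. What a defender can still do on the running system is detect writes to those block devices. The script below is an added example, not code from this thread or from NVIDIA: it parses blkid output in the format posted above (a constructed subset of those lines is embedded), separates filesystem-bearing partitions from raw ones, and emits auditd watch rules for the raw partition nodes and their parent disk. The rule key name jetson_boot_parts is an arbitrary assumption.

```python
import re
import shlex
import sys

# Constructed sample in blkid's default output format: a subset of the
# lines posted in the question, not a live capture.
SAMPLE_BLKID = """\
/dev/nvme0n1p1: UUID="85a35ccd-a620-43b8-9643-9499f1263661" TYPE="ext4" PARTLABEL="APP" PARTUUID="195d8858-d19a-4064-ab8b-910c66f60c1e"
/dev/nvme0n1p2: PARTLABEL="kernel" PARTUUID="651f5590-b948-4005-a888-590a0368d22f"
/dev/nvme0n1p3: PARTLABEL="kernel-dtb" PARTUUID="3dee94b4-1a2a-4225-9b58-bb306d681947"
/dev/nvme0n1p5: PARTLABEL="kernel_b" PARTUUID="5db746a9-9b8d-47c0-8301-754ae1339202"
/dev/nvme0n1p11: UUID="06FD-3C0B" TYPE="vfat" PARTLABEL="esp" PARTUUID="14e8d7cc-bb51-4332-afb9-685106251a40"
/dev/zram0: UUID="a6dcfc56-1834-45f7-b4ac-9719eb62a5f2" TYPE="swap"
"""


def parse_blkid(text):
    """Return {device: {KEY: value}} from blkid's default 'DEV: KEY="v" ...' lines."""
    devices = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        dev, _, rest = line.partition(": ")
        # shlex handles the double-quoted values, including spaces inside them.
        devices[dev] = dict(tok.split("=", 1) for tok in shlex.split(rest))
    return devices


def classify(devices):
    """Split GPT partitions into filesystem-bearing (mountable, e.g. APP, esp)
    and raw ones (no TYPE=, i.e. the kernel/recovery/bootloader slots that the
    firmware reads directly and that no mount option can restrict)."""
    fs, raw = {}, {}
    for dev, attrs in devices.items():
        if "PARTLABEL" not in attrs:
            continue  # zram swap and loop devices are not GPT partitions
        (fs if "TYPE" in attrs else raw)[attrs["PARTLABEL"]] = dev
    return fs, raw


def audit_rules(raw, key="jetson_boot_parts"):
    """auditd rules: watch each raw partition node for writes/attribute changes
    (-p wa) and also the parent disk, since a write to the whole-disk node
    would bypass per-partition watches. Device numbering can change between
    boots, so regenerate from blkid rather than hardcoding the rules."""
    disks = sorted({re.sub(r"p?\d+$", "", dev) for dev in raw.values()})
    parts = sorted(raw.values())
    return [f"-w {d} -p wa -k {key}" for d in disks + parts]


if __name__ == "__main__":
    text = SAMPLE_BLKID if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(audit_rules(classify(parse_blkid(text))[1])))
```

Run as `sudo blkid | python3 script.py` to generate rules for the real layout; load them with auditctl (or drop them into an audit.rules.d file) and search hits with `ausearch -k jetson_boot_parts`.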
