Questions about Orin Secure Boot

Hello,

I’m trying to enable secure boot on my Jetson Orin following the guide at Secure Boot — NVIDIA Jetson Linux Developer Guide 1 documentation, but I have a few questions that I hope can be clarified:

  1. It mentions “the odmfuse.sh tool has been deprecated” and recommends using the Fuse Burning Toolkit for T234. However, I cannot find any info related to the Fuse Burning Toolkit for T234. Shall I still use odmfuse.sh for fusing?

  2. It seems that secure boot based on BootROM and fuses only verifies up to the “bootloader” (which I understand to be like MB1 and MB2 in the boot flow?). After that, control is handed over to UEFI, which can then start UEFI Secure Boot with different keys. However, the “Sign and Flash Secured Images” section says that image and initrd are signed and flashed using the PKC and SBK keys. What exactly is the “image” referring to here? Is it the bootloader (MB1, MB2, etc.) or the Linux kernel image?

  3. The doc states “the security of your device depends on how securely you keep the key file,” and also recommends using an HSM to generate keys. Are there any best practices for key file generation and storage?

Thank you!

hello ancientmodern4,

>>Q1
assume you’ve installed the Jetpack release image via SDK Manager. it’ll also be downloaded to your local host machine.
for instance,

~/nvidia/nvidia_sdk/JetPack_5.1.2_Linux_JETSON_AGX_ORIN_TARGETS/Linux_for_Tegra$ ll odmfuse*
-rw-rw-r-- 1 jerry jerry 34347 Aug  2  2023 odmfuse.func
-rwxrwxr-x 1 jerry jerry 35693 Aug  2  2023 odmfuse.sh*
-rwxrwxr-x 1 jerry jerry  3349 Apr 17 14:18 odmfuseread.sh*

>>Q2
please note that… there’re bootloader SecureBoot and UEFI SecureBoot.
according to developer guide, Secure Boot, the root-of-trust that uses the NVIDIA SoCs fuses to authenticate boot codes ends at the Bootloader. After this, the current Bootloader (UEFI) will use UEFI’s Security Keys scheme to authenticate its payloads.
we strongly recommend that users enable fuse-based bootloader secure boot so that the root-of-trust can start from the BootROM.

>>Q3
it’s recommended to generate a truly random number key by HSM. but, there are no best practices for key file generation and storage.
