Secure Boot on Jetson Xavier AGX

hello AbdulWasey,

these steps look correct; you might try enabling secureBoot on your Jetson AGX Xavier in reality.
you should update the CBoot sources and apply the patch; please make sure cboot_t194.bin includes the fix. You could either do a partition update or perform a full flash to update it.

BTW,
replies to your specific questions are as follows,

Q1)
what’s your purpose in using partition update (-k option) to generate signed/encrypted files individually?
if secureBoot has been enabled, partition update is no longer supported.

in addition, it looks like you’ve enabled the Jetson security with PKC+SBK+KEK,
for example, $ sudo BOARDID=3668 BOARDSKU=0001 FAB=100 BOARDREV=H.0 ./odmfuse.sh --noburn -j -i 0x19 -c PKC -p -k <pkc_file> -S <sbk_file> --KEK2 <kek2_file> jetson-agx-xavier-devkit
which means you should keep these keys, and always assign the same keys on the same platform when flashing images.

Tools for EKB generation means you’ll need to generate eks_image_file on your own, with the same key files you assign to enable Jetson security.

Q2)
just as in the documentation, please set ROOTFS_ENC=1 for disk encryption.

Q3)
so, you’d follow Tool for EKB Generation; eks_image_file is an image file generated from the Encrypted Binary Blob (EKB) file by the EKB generation tool.
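The advice above to keep the fuse keys and always assign the same ones on the same platform is easy to get wrong once several boards and key sets are in play. The following is an added helper, not part of the JetPack tools or this thread: it fingerprints the PKC, SBK, KEK2 and sym2 key files once per board and refuses a later flash if any file differs. The role names, board id and key bytes are assumptions/constructed sample values.

```python
#!/usr/bin/env python3
"""Guard against flashing a fused Jetson with a different key set.

Once PKC/SBK/KEK2 are burned, the same key files must be used on every
later flash.sh run, and the same sym2 key for EKB/disk encryption.
Hypothetical helper: fingerprint the key files, store the digests
beside the board id, and compare before the next flash."""
import hashlib
import json
from pathlib import Path

# Roles taken from the odmfuse.sh / EKB generation steps discussed above.
KEY_ROLES = ("pkc", "sbk", "kek2", "sym2")


def fingerprint(keys):
    """keys: {role: bytes}. Returns {role: sha256 hex}; every role is required."""
    missing = [r for r in KEY_ROLES if r not in keys]
    if missing:
        raise ValueError(f"missing key roles: {missing}")
    return {r: hashlib.sha256(keys[r]).hexdigest() for r in KEY_ROLES}


def read_key_files(paths):
    """paths: {role: path}. Reads each key file as raw bytes."""
    return {role: Path(p).read_bytes() for role, p in paths.items()}


def save_manifest(path, board_id, keys):
    """Write the per-board manifest after the first (fusing) flash."""
    manifest = {"board_id": board_id, "keys": fingerprint(keys)}
    Path(path).write_text(json.dumps(manifest, indent=2))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def check_keys(manifest, board_id, keys):
    """Return the roles whose digest differs from the manifest.

    An empty list means the same key set is being reused; a non-empty
    list means stop, because flash.sh would use a key the fuses do not match."""
    if manifest["board_id"] != board_id:
        raise ValueError(f"manifest is for {manifest['board_id']}, not {board_id}")
    current = fingerprint(keys)
    return [r for r in KEY_ROLES if current[r] != manifest["keys"][r]]


if __name__ == "__main__":
    # Constructed sample keys; real key files come from your own generation.
    sample = {"pkc": b"P" * 32, "sbk": b"S" * 16, "kek2": b"K" * 16, "sym2": b"D" * 16}
    manifest = {"board_id": "AGX-SAMPLE-01", "keys": fingerprint(sample)}
    print("mismatched roles:", check_keys(manifest, "AGX-SAMPLE-01", dict(sample, sym2=b"X" * 16)))
```

Run `check_keys` before `flash.sh` and abort when it returns anything; a wrong sym2 key here would produce an EKB the board cannot use for disk decryption.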

Hi @JerryChang
Is the -i <enc rfs key file> in sudo ROOTFS_ENC=1 ./flash.sh -i "./ekb.key" <board> <rootdev> the same as the sym_key2 <sym2_key_file>, which is the disk encryption key in the Tool for EKB Generation?

Hi @JerryChang
The disk encryption documentation mentions a passphrase. When will I have to provide the passphrase? The implementation I have seen so far doesn’t mention when I have to set it.
Thanks

hello AbdulWasey,

everything is included in the developer guide, it’s sym2_key_file for data encryption and decryption.
for example,

<sym2_key_file> is the disk encryption key.
this key is used in two reference implementations. One is the secure sample implemented by hwkey-agent and hwkey-app. This sample uses the key for data encryption and decryption. In another case, the key is the source key of the key generation of the LUKS key in the disk encryption reference implementation.

this thread has already gone on too long; I think all the questions have already been clarified.
please do try it on your side; you could start a new thread if you still need further support.
thanks