[Secure boot] Secure symmetric key provision

Suppose we have a trusted server, untrusted factory and brand new unflashed Jetson AGX board.

Trusted server can generate signing key pair, generate fuse blob and signed image, and send it to factory. Factory will then burn fuses and image, resulting in a fully operational device without exposing signing private key.

The question is: how to do same with symmetric encryption keys, e.g. if I want to have encrypted rootfs that should not be exposed to factory? If server will generate SBK/KEK and send the fuse blob to factory, then factory can just read the keys from XML file in fuse blob and decrypt rootfs images.

Does Jetson provide some mechanism to securely send symmetric keys to device?

hello initrd.img,

please access Tutorials page, and refer to [Developer Tools] session,
you may check Jetson Security and Secure Boot for reference,

I had read all these tutorials, but the main question is not covered: is there a mechanism to prevent untrusted factory from reading flashed symmetric keys?

hello initrd.img,

the complete secure boot process must be tested at the factory for the security deployment. there’re fuse variables to protect your keys; please check Jetson AGX Xavier Fuse Specification App Note.
when you begin production and burn the ODM production fuse, secure boot is enabled, JTAG debug is disabled, and all the fuses become inaccessible except Reserved_ODM; Reserved_ODM fuse are programmable until it disabled by the ODM_lock fuse.

But I’m asking completely different thing.

Suppose you have a factory which you don’t trust. You need a batch of flashed devices. There are two options:

  1. You order unflashed devices and flash them yourselves, which can be somehow unconvenient and cumbersome. But this way you don’t reveal contents of your firmware to factory.
  2. You give some blobs to factory and say ‘flash them please’. But there is an issue: factory can read the firmware before flashing. You can’t encrypt the firmware, because factory can still read keys from blobs before flashing, since they are stored in plaintext.

This is not a question about security of already flashed fuses. This is a question that I don’t see any way to protect the keys when they are in transit. You give factory a file to flash, but instead of flashing they just open it in text editor and voila - all keys are plaintext, just copy and paste them somewhere.

So outcome of this: you can’t make untrusted factory flash your devices without a risk that they will steal your firmware. No encryption will work: they can steal a keys, and then decrypt a firmware. You need a trusted place to flash to ensure that keys won’t be leaked.

So this is a feature request, as it seems that there is no way to do it: add mechanism for secure key provision. It can be implemented like this:

  1. Every ‘clean’ new device comes with device’s own private key and device’s certificate, signed by NVIDIA root. The key, of course, should be unreadable for anything but NVIDIA’s own code.
  2. When you need to flash the fuses, you invoke some special function in ROM code. It presents you a certificate (so you can be sure that you are talking to a genuine device), and you send it a fuse blob encrypted to a public key in that certificate. ROM/bootloader code receives encrypted blob, decrypts it with device private key, and applies the fuses.