Hi, NVIDIA team
I have a question regarding Secure boot + disk encryption on the Jetson Orin Nano board. Specifically, what caveats I may run into during the process. I’m planning to go with 36.4.3, and according to the welcome page (Welcome — NVIDIA Jetson Linux Developer Guide), the board can boot securely from USB and NVMe drives. Earlier I tried to boot with a burned PKC+ODM fuse on the P3767-0005 board but ran into a problem: the board can no longer boot from the SD card. Now I’m considering retrying with the eMMC board, as pointed out in the forum discussion (Secure boot on jetson nano), but it isn’t obvious from the documentation. Am I right that the process will look something like this:
- Download L4T
- Download and unarchive the rootfs
- ./apply_binaries.sh
- Initial flash without any additional configurations
- Prepare the PKC+SBK+OemK1 (at this step I don’t understand the point of two keys; as per the documentation, the K1 is used for EKB generation, and I’m not sure what happens if I burn OemK1+OemK2)
- Create UEFI variable authentication auth key file and use it for gen_ekb.py
- Prepare the PK, KEK, db keys (Secure Boot — NVIDIA Jetson Linux Developer Guide)
- Flash with
  $ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --external-device nvme0n1p1 -u <pkc_keyfile> [-v <sbk_keyfile>] --uefi-keys uefi_keys/uefi_keys.conf -p "-c ./bootloader/generic/cfg/flash_t234_qspi.xml" -c ./tools/kernel_flash/flash_l4t_t234_nvme.xml --showlogs --network usb0 jetson-orin-nano-devkit external
But here is where I get lost in your documentation, and I’m not sure whether those steps are enough to achieve secure boot and full disk encryption (either with LUKS or by other means).