Secure Boot TX1 Questions

Hello,

I am wanting to set up secure boot on my TX1.

I have followed the guide here:
https://docs.nvidia.com/jetson/archives/l4t-archived/l4t-282/index.html#page/Tegra%20Linux%20Driver%20Package%20Development%20Guide%2Fsecureboot.html%23wwpID0E0GH0HA

And successfully flashed a signed image onto my TX1, which I have then verified via the tegrafuse.sh showing odm_production mode : 0x00000001 and a public key.

I have also checked the dmesg output and found that androidboot.security=enabled.

However, when I flash an image signed with an altered private key, Ubuntu 16.04 still boots. Is this expected? How can I verify that secure boot is working as expected and stopping tampered-with software from running?

I am still trying to understand the difference between the TOS and the ROS. Is the chain of trust extended up to Ubuntu? Looking at the tutorial here: https://www.brainshark.com/nvidia/Jetson_Security_SecureBoot?dm=5&pause=1&nrs=1 , it looks like Ubuntu is not verified. What is the best way to extend the chain of trust to Ubuntu if it is not verified currently?

Hello david.j.mccormick2,

According to the below,

However, when I flash an image signed with an altered private key, Ubuntu 16.04 still boots. Is this expected? How can I verify that secure boot is working as expected and stopping tampered-with software from running?

may I know which partition you had tried to replace for testing?
Thanks

Hi JerryChang,

I am unsure; I have simply re-run the flash command:

sudo ./flash.sh -x -y PKC -u mmcblk0p1 with the correct variables added, but with a purposely altered private key pem file.

Which partition does this by default replace? I assume the /dev/root on /dev/mmcblk0p1.

Hello david.j.mccormick2,

We would check this internally. Could you please share your software environment setup?
For example, which JetPack release you're working with.
Thanks

Hi david.j.mccormick2,

Have you managed to get secure boot successfully on your device?
Any result can be shared?

Thanks

Thanks for following up.

Upon reflashing I got this working in the sense that I could not flash a non-signed image. However, I would like to understand how I can extend the chain of trust up to Ubuntu, and how I can access the TrustZone from user space in Ubuntu. Are there any resources I can look at to gain a better understanding of this?

Hello david.j.mccormick2,

I suggest you refer to the Webinars from the Tutorials page;
you should check the Jetson Security and Secure Boot to have an overview of the security features.
Thanks