Secure boot UEFI clarifications

Hello

I have questions regarding UEFI secure boot.
My setup is a Jetson Orin Nano 8GB devkit with the latest JetPack 36.3, with bootloader secure boot enabled so that the root-of-trust can start from the BootROM.

I have read the UEFI documentation and UEFI secure boot.

I have generated UefiDefaultSecurityKeys.dtbo using the script gen_uefi_default_keys_dts.sh.

I enabled UEFI secure boot at flashing time, and now I can use tools such as sbctl and mokutil to check that UEFI secure boot is enabled and that the PK, KEK and db keys are enrolled correctly.

My questions are:

  1. May I consider that there is no possible way for a user to change any of the keys or update the OS with another one?

  2. Even if access to the UEFI menu at boot is possible due to the 5-second timeout (we plan on removing this timeout), can this be a security concern?

  3. Same if a user has root permissions?

  4. Can a user register MOK keys and sign their own UEFI payloads using MOK?

Thanks for clarifications.
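To make the checks mentioned above reproducible without sbctl or mokutil, here is an added example (not from the original post or from NVIDIA) that reads the SecureBoot and SetupMode variables straight from efivars and looks for shim's MokListRT. It assumes a Linux efivars mount, that MOK variables are only present when shim is in the boot chain, and uses a constructed fake efivars directory so it can run offline.

```shell
#!/bin/sh
# Each efivars file is 4 bytes of attributes followed by the variable data.
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI_GLOBAL_VARIABLE GUID
MOK_GUID=605dab50-e046-4300-abb6-3dd810dd8b23     # shim lock GUID (MokListRT)

# Print the first data byte of an efivar as a decimal, or "missing".
efivar_byte() {
    f="$1/$2"
    [ -r "$f" ] || { echo "missing"; return 0; }
    od -An -t u1 -j 4 -N 1 "$f" | tr -d ' \n'
}

# Classify the firmware state: "setup-mode" means no PK is enrolled, so
# PK/KEK/db are writable from the OS and secure boot is not protecting keys.
secure_boot_state() {
    dir="${1:-/sys/firmware/efi/efivars}"
    [ -d "$dir" ] || { echo "no-efi"; return 0; }
    sb=$(efivar_byte "$dir" "SecureBoot-$EFI_GLOBAL")
    setup=$(efivar_byte "$dir" "SetupMode-$EFI_GLOBAL")
    if [ "$setup" = "1" ]; then
        echo "setup-mode"
    elif [ "$sb" = "1" ]; then
        echo "enforcing"
    else
        echo "disabled"
    fi
}

# True when shim exposes a non-empty MOK list (keys enrolled via mokutil).
mok_entries_present() {
    dir="${1:-/sys/firmware/efi/efivars}"
    f="$dir/MokListRT-$MOK_GUID"
    [ -r "$f" ] && [ "$(wc -c < "$f" | tr -d ' ')" -gt 4 ]
}

# Constructed fixture (not a real board): SecureBoot=1, SetupMode=0, no MOK.
make_fixture() {
    d=$(mktemp -d)
    printf '\006\000\000\000\001' > "$d/SecureBoot-$EFI_GLOBAL"
    printf '\006\000\000\000\000' > "$d/SetupMode-$EFI_GLOBAL"
    echo "$d"
}
```

Run `secure_boot_state` with no argument on the board itself; anything other than `enforcing` with no MOK entries means a user could introduce keys or payloads.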

Hello sidalit,

If an attacker has physical access, they may manipulate UEFI variables.

Here are more details:
In a deployed production scenario, QSPI flash is protected from non-secure side access via firewalls so that no unauthorized access can happen and make a change that can block the system from booting or tamper with its security settings.
However, if an attacker can manipulate the contents of QSPI flash by physically talking to it (out of band), there is no protection for it.
An attacker can attach a QSPI NOR flash programmer (dediprog, etc.) to the flash directly and read/write its contents. Attackers can not only manipulate UEFI variables, but can also change the boot firmware.
