Secure Boot

bsp_dev · January 23, 2024, 6:27am

Hi,
I wish to learn and utilize the secure boot mechanism on the AGX Orin SoM.

What would be a good starting point for learning what i can and can’t do regarding this subject
How can I use a Secure Boot Key to decrypt/encrypt the different boot loaders images (mb1,mb2,uefi)
How can I use a secure boot key to decrypts/encrypt other images in the system (APP, kernel, dtb, etc…)

Thanks

JerryChang · January 24, 2024, 5:19am

hello BSP_User,

you may check developer guide, especially for the Security chapter.

moreover,

PKC for sign:
if PKC is burned, then the KEYFILE users provide is for signing the images.

SBK for encryption:
if SBK is burned, then the SBKFILE users provide is for encrypting the images.

KEKs for encryption keys:
they are keys to encrypt your keys. KEK0, KEK1, KEK2 are 128-bit key files; KEK256 is 256-bit key file. please use the commands, --KEK* to determine which key encryption key you’re going to fused.

bsp_dev · February 6, 2024, 3:49pm

Thank you for your answer.
I have a follow up questions:

My goal is to see the different logs with and without secure boot (learning purposes).
from my understanding there are two paths for the secure boot:

bootROM → … → UEFI
UEFI → secured images (kernel/dtb/rootfs…)

Can I test or use the first path without actually blow a fuse? (I wish to do it to produce secure boot log and then revert the changes)
Can I test the second path without the first path? I mean that if I skip securing all the images until UEFI because I don’t want to blow fuses, can I secure the images loaded by UEFI and see different boot log?
I use the initrd tool to flash my devkit (external nvme). Should I use it to sign and flash the secured apps or still use the flash.sh as it appears in the instructions?

Thanks

JerryChang · February 15, 2024, 2:01am

you’ll see bootloader logs (MB2) with… RSA PSS signature check if you’ve SecureBoot enabled.

please see-also Topic 158361, you may performing two steps approach to fuse a board, please review all those keys has created correctly, and also keep flashcmd.txt file for further confirmation.

bsp_dev · February 20, 2024, 10:33am

Thank you.
My question is if its possible to demonstrate the secure boot path until UEFI without blowing the fuse?

JerryChang · February 21, 2024, 2:30am

no, please burn the fuse to enable Jetson security.

bsp_dev · February 21, 2024, 6:44am

Thank you

system · March 6, 2024, 6:44am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Further documentation about Secure Boot Jetson Orin NX security	5	886	May 2, 2023
Some inquiries about Secure Boot Jetson AGX Xavier boot	5	459	October 11, 2023
Questions about Orin Secure Boot Jetson AGX Orin security	2	208	June 24, 2024
AGX Orin安全启动过程中具体要对哪些文件进行签名？ Jetson AGX Orin security , chinese	6	486	April 1, 2024
[L4T 35.4.1] How to get both UEFI SecureBoot and burning software fuses Jetson Orin Nano security	7	315	May 22, 2024
Disk encryption key in EKS partition Jetson Orin NX security	12	46	December 13, 2024
Questions regarding secure boot Jetson AGX Orin boot , security	4	241	April 8, 2024
Disk encryption and secureboot questions Jetson AGX Orin security	4	223	May 29, 2024
Implement Jetson Secure Boot without UEFI Secure Boot on Jetson AGX Orin Jetson AGX Orin security	8	84	October 8, 2024
Secure Storage Jetson AGX Orin security	4	354	February 20, 2024

Secure Boot

Related topics