Secureboot Jetson Orin AGX testing

Hello,

I successfully managed to set up UEFI Secure Boot. I’m using a devkit, and the JetPack version is 35. I tried to corrupt the image as well as the extlinux.conf to test the secureboot. However, when I reboot, the system does detect that the signature is not valid. However, it boots like nothing happened, which I think is wrong. Shouldn’t the Jetson block the booting of the device? Otherwise, what would be the purpose of Secure Boot?

Here is an image that shows the information before it boots successfully:

image

hello elhamriothman,

may I know what chain of trust you’ve built up?
for example, is it SecureBoot + UEFI SecureBoot, or only UEFI SecureBoot?

besides,
please also share the complete reproduce steps for reference.

Hello Jerry, I did only the UEFI Secureboot (no fusing, nothing).

For the procedure, I generated the keys needed for the UEFI Secure Boot (PK, KEK, db), generated the UEFI Keys Config File, and also the UefiDefaultSecurityKeys.dtbo and the auth files, then I ran the flash with --uefi-keys with the UEFI config file as an input. I then changed one of the payloads; for example, I corrupted the extlinux.conf from the rootfs, and then when I restarted again it detects it but it doesn’t stop the booting, as was shown in the image above.

hello elhamriothman,

it’s expected.
since the corruption is in the RootFS, UEFI can detect the corruption, and failover to boot from kernel partition.

please refer to documentation, $OUT/Linux_for_Tegra/tools/README_uefi_secureboot.txt
you may see-also section [4. Verify UEFI Secureboot] for more details.

I know that what I’m getting is right, but what I fail to understand is why the boot continues; it doesn’t fail over, it just gives this warning. (I’ve already seen the UEFI Secureboot readme.)

hello elhamriothman,

so that you’re able to boot from kernel partition, restore the original file, and then reboot to restore the corruption.

I agree with you, but I can boot from the rootfs, that’s the thing. I shouldn’t be able to boot from the rootfs, but I should be able to boot from the kernel partition because I didn’t corrupt it.

hello elhamriothman,

please setup serial console to gather complete bootloader and kernel logs for reference.

Hello Jerry, I have never worked with a serial console. Would you mind telling me how to set that up?

hello elhamriothman,

you may see-also Jetson AGX Orin Developer Kit User Guide - How-to | NVIDIA Developer
there’s Debug UART, please connect your host machine to AGX Orin with micro-USB.
you may run (on host machine)… $ sudo picocom -b 115200 /dev/ttyACM0 to gather UART logs.

Hello Jerry, I did as you told me. However, when I restart my Jetson to gather the logs there is a FATAL error, which is logical because the connection stops when the Jetson reboots. Is there a command that I should run before the Jetson starts?

The L4TLauncher first attempts to boot with extlinux.conf; if that fails, it will attempt a ‘kernel boot’, as seen in your screenshot: L4TLauncher: Attempting Kernel boot. extlinux.conf isn’t verified during kernel boot, and thus your system will boot normally to Ubuntu.

It’s a bit weird, since you would indeed expect that a security violation would block booting. You can change the logic in the UEFI source code.

Agreed. Have you tried modifying it to get it to work with that logic, or not yet?

Yes, it’s fairly easy to do, see edk2-nvidia/Silicon/NVIDIA/Application/L4TLauncher/L4TLauncher.c at a5ac12d729f610035f16013482fa70284f75ddfd · NVIDIA/edk2-nvidia · GitHub
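
The fallback behaviour discussed in this thread, as a simplified model added here (it is not code from edk2-nvidia or from any poster). All type and function names are hypothetical, and the fail-closed policy is one assumed way to express "a security violation blocks booting" while still allowing fallback when extlinux.conf is simply absent.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical status codes for this model (not the EDK2 EFI_STATUS values). */
typedef enum { ST_OK, ST_NOT_FOUND, ST_SECURITY_VIOLATION } status_t;
typedef enum { BOOTED_EXTLINUX, BOOTED_KERNEL_PARTITION, BOOT_HALTED } outcome_t;
typedef enum { POLICY_FALLBACK, POLICY_FAIL_CLOSED } policy_t;

/* Constructed device state: which signature checks still pass. */
typedef struct {
    bool extlinux_present;
    bool extlinux_sig_valid;     /* result of verifying extlinux.conf */
    bool kernel_part_sig_valid;  /* result of verifying the kernel partition */
} device_t;

static status_t try_extlinux(const device_t *d) {
    if (!d->extlinux_present) return ST_NOT_FOUND;
    return d->extlinux_sig_valid ? ST_OK : ST_SECURITY_VIOLATION;
}

static status_t try_kernel_partition(const device_t *d) {
    /* extlinux.conf is not consulted on this path, so its state is irrelevant. */
    return d->kernel_part_sig_valid ? ST_OK : ST_SECURITY_VIOLATION;
}

outcome_t launch(const device_t *d, policy_t policy) {
    status_t st = try_extlinux(d);
    if (st == ST_OK) return BOOTED_EXTLINUX;
    /* Fail-closed: a failed signature check ends the boot; a missing file does not. */
    if (policy == POLICY_FAIL_CLOSED && st == ST_SECURITY_VIOLATION) return BOOT_HALTED;
    /* Behaviour described in the thread: any extlinux failure leads to kernel boot. */
    return try_kernel_partition(d) == ST_OK ? BOOTED_KERNEL_PARTITION : BOOT_HALTED;
}

int main(void) {
    /* Corrupted extlinux.conf, intact kernel partition (the case in this thread). */
    device_t tampered = { true, false, true };
    static const char *names[] = { "extlinux boot", "kernel-partition boot", "halt" };
    printf("fallback policy:    %s\n", names[launch(&tampered, POLICY_FALLBACK)]);
    printf("fail-closed policy: %s\n", names[launch(&tampered, POLICY_FAIL_CLOSED)]);
    return 0;
}
```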