I successfully managed to set up UEFI Secure Boot. I’m using a devkit, and the JetPack version is 35. I tried to corrupt the image as well as the extlinux.conf to test the secureboot. However, when I reboot, the system does detect that the signature is not valid. However, it boots like nothing happened, which I think is wrong. Shouldn’t the Jetson block the booting of the device? Otherwise, what would be the purpose of Secure Boot?
Here is an image that shows the information before it boots successfully:
Hello Jerrry, I did only the UEFI Secureboot (no fusing nothing),
For the procedure I generered the keys needed for the uefi secure boot(PK KEK db), generated the UEFI Keys Config File, and also the UefiDefautSecurityKeys.dtbo and the auth files, then I used the flash with the –uefi-keys with the UEFI config file as an input. I then changed one of the payloads, for exemple I corrupted the extlinux.conf from the rootfs and then when I restarted again it detects it but it don’t stop the booting as it was shown in the image above.
it’s expected.
since the corruption is in the RootFS, UEFI can detect the corruption, and failover to boot from kernel partition.
please refer to documentation, $OUT/Linux_for_Tegra/tools/README_uefi_secureboot.txt
you may see-also section [4. Verify UEFI Secureboot] for more details.
I know that what Im getting is right, but what I fail to understand is that why does the boot continue it don’t failover it just gives this warning. (I’ve already saw the uefi secureboot readme)
I agree with you but I can boot from the rootfs that’s the thing, I shouldn’t be able to boot from the rootfs but I should be able to boot from the kernel partition cause I didn’t corrupt it.
Hello Jerry I did as you told me, however when I restart my jetson to gather the logs there is a FATAL error which is logical cause the connection stops when the jetsons reboots, is there a command that I should run before the jetsons starts?
The L4TLauncher attempts to first boot with extlinux.conf, if that fails it will attempt a ‘kernel boot’, as seen in your screenshot L4TLauncher: Attempting Kernel boot. extlinux.conf isn’t verified during kernel boot, and thus your system will boot normally to Ubuntu.
It’s a bit weird since you would indeed except that a security violation would block booting. You can change the logic in the UEFI source code.