Securely store and retrieve secret with fuses

Hi,

Forgive my ignorance, I’ve been reading many docs and watching the video about the secure boot process and am trying to figure out a secure way of storing and retrieving a secret such that only I can retrieve it.

Am I right in thinking if I forego u-boot and use c-boot with SBK (secure boot key burned in and odm_production fuse burnt) that:

1 - I can still retrieve secret(s) / values from fuses
2 - my kernel/initrd / initramfs combo is encrypted and cannot be tampered with?
3 - that an attacker cannot retrieve the same secrets

I’m quite confused with the trusty / TEE environment and not clear how I would go about using it, how would I store and safely release secrets to trusted / un-tampered boot images?

Thanks

Also, can someone confirm, when using cboot to boot an image directly, what the image contains and if it’s encrypted, e.g. kernel + initrd…?

yusuf_tran,

"Am I right in thinking if I forego u-boot and use c-boot with SBK (secure boot key burned in and odm_production fuse burnt) that:

1 - I can still retrieve secret(s) / values from fuses

=> Yes, use CBoot. Once the ODM_production fuse is burned, fuse keys are loaded into Security Engine (SE) key slots during boot. Fuse access is blocked except for the Reserved_ODM fuses. NVIDIA provides Crypto APIs to use the key but not to read the key. This is by design. Again, please refer to the sample application from the future R32.4.x release.

2 - my kernel/initrd / initramfs combo is encrypted and cannot be tampered with?

The kernel combo is signed but not encrypted. The Linux kernel is open source. Encryption is up to CBoot.

3 - that an attacker cannot retrieve the same secrets

=> That’s the main purpose of the design :)
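As an added example (not code from this thread or from NVIDIA), the pattern the answer above describes, modelled in Go: the fuse-derived key sits in a key-slot abstraction that can be used but never read, and is used to wrap a secret so that only the same device can recover it. KeySlot, Wrap, Unwrap and the "rootfs-key" label are constructed names; the real SE and its Crypto APIs are not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// KeySlot models a Security Engine key slot holding the fuse key loaded at boot:
// callers can use it but never read it (constructed model, not NVIDIA's API).
type KeySlot struct{ root []byte }

// gcmFor derives a purpose-bound AES-256-GCM key from the slot; the root key stays inside.
func (s *KeySlot) gcmFor(label string) cipher.AEAD {
	m := hmac.New(sha256.New, s.root)
	m.Write([]byte(label))
	block, _ := aes.NewCipher(m.Sum(nil)) // 32-byte HMAC output is a valid AES-256 key
	gcm, _ := cipher.NewGCM(block)        // NewGCM cannot fail for an AES block cipher
	return gcm
}

// Wrap seals a secret at provisioning time; the blob (nonce||ciphertext||tag) can live on plain storage.
func (s *KeySlot) Wrap(label string, secret []byte) ([]byte, error) {
	gcm := s.gcmFor(label)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, secret, []byte(label)), nil
}

// Unwrap recovers the secret at boot; it fails on a device with a different fuse key
// and on any tampering with the blob or its label (the label is bound as GCM AAD).
func (s *KeySlot) Unwrap(label string, blob []byte) ([]byte, error) {
	gcm := s.gcmFor(label)
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(label))
}

func main() {
	devA := &KeySlot{root: []byte("constructed fuse key of device A")}
	blob, _ := devA.Wrap("rootfs-key", []byte("top secret"))
	_, err := (&KeySlot{root: []byte("constructed fuse key of device B")}).Unwrap("rootfs-key", blob)
	fmt.Println("device B unwrap:", err) // non-nil: the blob is bound to device A's fuse key
}
```

The wrapped blob is what the signed-but-unencrypted kernel/initrd can safely carry; the secret itself only appears on the device whose fused key produced it.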

Thanks
Yusuf

yusuf_tran,

"what the bootloader image is
=> such as BCT, MB1/MB2 and bootloader boot components - basically what secure boot using PKC covers. Encryption is on top of the PKC-signed images. Kernel components are still signed with the private key.

"do you know when this will be released?
=> will check …

Thanks for the clarification

I’ll wait for the next release and look at the code to query / use the fuses from the TEE to handle the secrets.