hi all,
I have some questions about safe startup:
1. Will Orin or Xavier default to safe boot mode when starting after I write the PKC or SBK fuses? Is there a configuration to enable secure startup?
2. After flashing the PKC and SBK fuses, must the flash script flash.sh be run with the -v and -u parameters?
3. After writing the PKC and SBK fuses, if I don't know the corresponding key information, can I use Orin or Xavier as ordinary hardware, write non-encrypted images, and enter the system for debugging?
Fuses are designed to be inaccessible for production.
The concept of Secureboot is to prevent execution of unauthorized code during the boot process through a chain of trust;
it authenticates boot components (such as the Boot Configuration Table, bootloader binaries, and warmboot vector) that were signed using a private key.
PKC for signing:
If PKC is burned, then the KEYFILE users provide is for signing the images.
SBK for encryption:
If SBK is burned, then the SBKFILE users provide is for encrypting the images.
KEKs for encryption keys:
They are keys to encrypt your keys. KEK0, KEK1 and KEK2 are 128-bit key files; KEK256 is a 256-bit key file. Please use the --KEK* options to specify which key encryption key you're going to fuse.
FYI,
here's a training video to give you an overview of Jetson security.
You may also see similar topics for reference, such as Topic 166401, Topic 107742, etc.
hi Jerry,
What I want to know is: for an Orin or Xavier that has already been fused, if I lose my key (PKC? SBK?), can I still burn an unencrypted or unsigned image and enter the system?
You cannot burn unencrypted/unsigned binaries.
By default, it uses all-zero keys to encrypt/sign binaries locally and then flashes them to the target.
Once Jetson security has been enabled, those binaries must be processed with the same keys on the target; please check the description of the different keys above.
FYI, Orin supports up to three PKC keys. Images can be signed by any of the keys.
There's a PKC key revocation feature on the Orin series.
PKC key revocation is through settings in mb1_bct and fuses burned by mb2 during boot.
Two revoke fuses (i.e. FUSE_REVOKE_PK_H0_0 and FUSE_REVOKE_PK_H1_0) are used to revoke the keys (i.e. FUSE_PUBLIC_KEY0_x and FUSE_PK_H1_0_x).
Please also see the developer guide, Revocation of the PKC Keys.
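As an added illustration of the mechanics the replies above describe (not NVIDIA's code or code from anyone in this thread): the fuses hold a hash of each public key, a boot component is accepted only if it carries a valid signature from a key whose hash matches a non-revoked slot, and a revoke fuse permanently disables one slot. A Lamport one-time signature over SHA-256 stands in for the real signature algorithm, and the `Fuses` class is a simplified model, not the actual Jetson fuse layout.

```python
"""Model of PKC secure-boot verification with per-slot revocation.
Lamport one-time signatures (hash-based) are a stand-in for the RSA/ECDSA
signatures a real bootloader checks; the fuse layout is a simplification."""
import hashlib
import os


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Private key: 256 pairs of random secrets; public key: their hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def sign(sk, image: bytes):
    """Reveal one secret per bit of SHA-256(image). One-time use per key."""
    digest = int.from_bytes(H(image), "big")
    return [sk[i][(digest >> (255 - i)) & 1] for i in range(256)]


def verify(pk, image: bytes, sig) -> bool:
    digest = int.from_bytes(H(image), "big")
    return all(H(sig[i]) == pk[i][(digest >> (255 - i)) & 1] for i in range(256))


def pk_hash(pk) -> bytes:
    """What a PKC fuse slot stores: a hash of the public key, not the key."""
    return H(b"".join(a + b for a, b in pk))


class Fuses:
    """Up to three PKC key-hash slots, each with a one-way revoke bit."""

    def __init__(self, pk_hashes):
        self.slots = list(pk_hashes)[:3]
        self.revoked = [False] * len(self.slots)

    def revoke(self, index: int) -> None:
        self.revoked[index] = True  # a burned fuse cannot be cleared

    def boot_accepts(self, image: bytes, pk, sig) -> bool:
        """Accept only if pk matches a non-revoked slot and sig verifies."""
        h = pk_hash(pk)
        for slot, revoked in zip(self.slots, self.revoked):
            if slot == h and not revoked:
                return verify(pk, image, sig)
        return False
```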