Thanks for uploading the secure boot and fuse documentation documents.
In order to make our platform secure, my team and I were wondering about the possibility of someone putting a board in recovery mode and dumping all the contents of the eMMC to its host, where they could do whatever they want with the data.
Generally though, nvflash expects to download NVIDIA’s “fastboot” bootloader, and then communicate with it using an extended nv3p protocol. nvflash can both write portions of the device’s flash, and/or read back parts of the device’s flash to the host machine.
As far as I understood, the binary in recovery mode can’t do anything but wait for NVIDIA’s “fastboot” bootloader, which in turn executes the other commands (flash, download partition to host, etc.). This is reflected by the usage of nvflash (which requires the switch --bl fastboot.bin when flashing).
Is this binary verified prior to loading it? If so, can the key be changed through fuses or something else? Otherwise, if I understood correctly, one could still dump all the eMMC contents without any kind of check.
It’s true that the data could be encrypted (and the key could lie in an encrypted kernel, which itself could be booted from an encrypted u-boot if I understood everything correctly), so the data would still be protected somehow, but we’d like to make sure of our options.