I am currently implementing secure boot on the Jetson AGX Xavier and have followed the guidelines outlined in the NVIDIA documentation to generate UEFI keys and certificates with a validity of 3650 days (10 years). The specific steps were based on the instructions provided in this document.
I would like to confirm whether the UEFI firmware verifies the ‘Not Before’ and ‘Not After’ dates of the UEFI certificates during the boot process. If it does perform this check, could you please clarify whether the firmware utilizes a secure internal RTC or relies on an external RTC for timekeeping?
I am using the Jetson AGX Xavier Industrial board, not a custom board. I am using JetPack version 5.1.2 (Jetson Linux 35.4.1).
Yes, I want to know whether the UEFI firmware cross-verifies the validity of the UEFI certificates at boot time. Suppose I have created the UEFI db certificate with a validity (the -days option in OpenSSL) of 5 years; what happens after 5 years? Will the UEFI firmware reject the certificate based on its validity period?
Assuming the UEFI bootloader rejects the certificate based on its validity period, I would like to know how the UEFI firmware obtains the current date in order to reject the expired certificate. Does it use the internal or the external RTC to check the current date? We are planning to remove the external RTC from our product, so I wanted to know whether that affects UEFI secure boot certificate validation.
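The following is an added example, not code from the thread or from the NVIDIA documentation, and it does not answer what the Jetson UEFI firmware actually does. It shows what the -days option writes into a db-style certificate (the notBefore/notAfter fields) and how a verifier that does enforce that window behaves when its clock is moved past notAfter or before notBefore, using OpenSSL's -attime to simulate the clock instead of touching the system RTC. Key size, digest, subject name and the 5-year/10-year validity values are assumptions chosen for the example; the certificate is used as its own trust anchor so the script runs offline.

```sh
#!/bin/sh
# Added example (not from the thread or NVIDIA docs): show what validity
# window OpenSSL's -days writes into a certificate, and how a time-aware
# verifier behaves once the clock is outside that window.
set -e

WORK="${TMPDIR:-/tmp}/uefi-cert-validity.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# gen_cert NAME DAYS
# Self-signed certificate valid for DAYS days starting now, the same way a
# PK/KEK/db certificate is produced with -days. Key size, digest and subject
# are assumptions for this example.
gen_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$2" \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# cert_dates NAME
# Print the notBefore/notAfter fields exactly as stored in the certificate.
cert_dates() {
    openssl x509 -in "$WORK/$1.crt" -noout -startdate -enddate
}

# cert_status NAME EPOCH
# Evaluate the certificate at a chosen Unix time (-attime) rather than the
# system clock, with the certificate itself as the trust anchor.
# Prints one of: valid, expired, not-yet-valid, error:<message>.
# Always returns 0 so it can be used inside $(...) under set -e.
cert_status() {
    if out=$(openssl verify -attime "$2" -CAfile "$WORK/$1.crt" "$WORK/$1.crt" 2>&1); then
        echo valid
        return 0
    fi
    case "$out" in
        *"has expired"*)   echo expired ;;
        *"not yet valid"*) echo not-yet-valid ;;
        *)                 echo "error: $out" ;;
    esac
    return 0
}

# Demo: the 5-year db certificate asked about above (1825 days, assumed
# value), checked at three simulated clock readings.
now=$(date +%s)
gen_cert db 1825
cert_dates db
echo "at now:              $(cert_status db "$now")"
echo "at now + 5y + 1d:    $(cert_status db $((now + 1826 * 86400)))"
echo "at now - 1d:         $(cert_status db $((now - 86400)))"
```

The third line of the demo is the case that matters if a boot-time verifier runs with a clock that has reset to an old date (for example after the RTC backup supply is lost): a certificate that has not "expired" can still be rejected as not yet valid if the clock the verifier reads is earlier than notBefore. Whether the Jetson UEFI firmware performs any of these checks, and which RTC it would read, is exactly the open question in the thread and is not settled by this script.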