UEFI secure boot certificate validation

Hi,

I am currently implementing secure boot on the Jetson AGX Xavier and have followed the guidelines outlined in the NVIDIA documentation to generate UEFI keys and certificates with a validity of 3650 days (10 years). The specific steps were based on the instructions provided in this document.

I would like to confirm whether the UEFI firmware verifies the ‘Not Before’ and ‘Not After’ dates of the UEFI certificates during the boot process. If it does perform this check, could you please clarify whether the firmware utilizes a secure internal RTC or relies on an external RTC for timekeeping?

Hi saaisanthosh.r,

Are you using the devkit or custom board for AGX Xavier?
What JetPack version are you using?

I’m not clear about this.
Do you mean whether the UEFI firmware would check that the certificate is valid during boot up?

May I know what’s your use case to get this info? Are you using external RTC?

Hi Kevin,

I am using the Jetson AGX Xavier Industrial board, not a custom board. I am using JetPack version 5.1.2 (Jetson Linux 35.4.1).

Yes, I want to know whether the UEFI firmware cross-verifies the validity of the UEFI certificates during boot time. Suppose I have created the UEFI db certificate with a validity (`-days` option in OpenSSL) of 5 years; what happens after 5 years? Will the UEFI firmware reject the certificate based on its validity?

Assuming the UEFI bootloader rejects the certificate based on the validity, I would like to know how the UEFI firmware gets the current date to reject the older certificate. Does it use the internal or external RTC to check the current date? We are planning to remove the external RTC from our product, so I wanted to know whether it affects the UEFI secure boot certificate validation.

UEFI would use the RTC on the board over I2C (i.e., I think it is the one you are considering removing).

Time can be stored in the variable store too. It is epoch-based time.
Please try removing the RTC entry in the device tree for your use case.

We think so.
If the certificate has expired, we do not use that certificate.
There can be multiple certs in DB. You can find more details in List UEFI Secure Boot Certificate Contents « Musings (fpmurphy.com).
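
Added example, not part of the thread and not NVIDIA's code: a bash sketch that creates a self-signed certificate with `-days 3650` and evaluates its Not Before / Not After window at different clock values with OpenSSL's own verifier. It does not reproduce the UEFI firmware's check; the file names, subject and clock values are constructed.

```shell
#!/usr/bin/env bash
# Added example: evaluate a db certificate's Not Before / Not After window
# at clock values a board could report. Names and values are constructed.

# make_db_cert DIR DAYS -> writes DIR/db.key and DIR/db.crt (self-signed)
make_db_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$2" \
        -subj "/CN=Example UEFI db cert (constructed)/" \
        -keyout "$1/db.key" -out "$1/db.crt" 2>/dev/null
}

# window_state CERT EPOCH -> prints valid | not-yet-valid | expired | error
# The certificate is its own trust anchor, so only the dates can fail.
window_state() {
    local out
    if out=$(openssl verify -attime "$2" -CAfile "$1" "$1" 2>&1); then
        echo valid
        return 0
    fi
    case "$out" in
        *"not yet valid"*) echo not-yet-valid ;;
        *"has expired"*)   echo expired ;;
        *)                 echo error ;;
    esac
}

demo() {
    local dir now t
    dir=$(mktemp -d) || return 1
    make_db_cert "$dir" 3650 || { rm -rf "$dir"; return 1; }
    now=$(date +%s)   # taken after creation, so it is never before notBefore
    openssl x509 -in "$dir/db.crt" -noout -dates   # notBefore= / notAfter=
    # Constructed clock values: a reset clock (2000-01-01 UTC), the real
    # time, and one day past the 3650-day lifetime.
    for t in 946684800 "$now" $(( now + 3651 * 86400 )); do
        printf '%-12s %s\n' "$t" "$(window_state "$dir/db.crt" "$t")"
    done
    rm -rf "$dir"
}

demo
```

Running `window_state` against the real db certificate with the earliest and latest clock values the product could plausibly report shows whether a missing or reset RTC would put the clock outside the certificate's window.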