Ways to prevent data accessing in the recovery mode

david.huang1 · December 2, 2020, 3:20am

Hi,

We are investigating ways to prevent data accessing when Jetson TX2 is in recovery mode. Can you please point us in the right direction? The reply in this ticket has mentioned similar ways. Unfortunately, the reference posts are no longer exist.

Thanks

JerryChang · December 2, 2020, 6:35am

hello david.huang1,

as long as you’d enable secureboot, the RCM code will be signed.
so, it should be secure as other signed components, such as BCT or bootloader

vdv.18 · May 17, 2021, 4:23pm

It isn’t barely clear to me, secure here means I can’t access to internal stoarage data at all using USB recovery mode?
And if I decided to update or read internal storage, I should use secret keys?

linuxdev · May 17, 2021, 5:23pm

Not really any kind of answer, but possibly useful info: If the chain of boot is signed with a secret key, and if the security fuses are burned, then you won’t be able to read that boot content, but you will be able to flash it with any new content which is signed correctly. Nobody will be able to change the chain of boot other than the person with the key. Even the person with the key won’t be able to read those partitions when the security fuses are burned (so far as I know burned security fuses will imply part of the boot chain is write-only). The rootfs is not part of this, but if the rootfs is encrypted, then recovery mode will only read the encrypted content. Any key in the earlier boot stages will be inaccessible. There is nothing you can do though to prevent going into recovery mode per se, and there is nothing you can do to prevent reading the rootfs/APP partition…but what is read is perhaps not useful to anyone who does not have the key.

Of course the down side is that while booted, and while the rootfs has been unencrypted via the correct key, then a privileged user can use ordinary Linux tools to read content. However, recovery mode won’t be an issue.

JerryChang · May 18, 2021, 12:54am

hello vdv.18,

here’s training material you may check for more details.
for example, Jetson Security and Secure Boot from the https://developer.nvidia.com/embedded/learn/tutorials#developerTools page
thanks

vdv.18 · May 18, 2021, 11:28am

Thank you!

vdv.18 · May 18, 2021, 11:30am

Hello linuxdev and JerryChang, thank so match you for detailed description and for the links!

Topic		Replies	Views
Readout protection Jetson TX2	19	1676	October 18, 2021
Boot flow about Recovery mode Jetson TX2	4	544	October 18, 2021
Disabling flash rear/write in recovery mode Jetson TX2 security	8	553	October 18, 2021
Disk Encryption on TX2 Jetson TX2 security	4	1399	October 18, 2021
What can signing rootfs protect against? Jetson AGX Xavier security	6	721	May 9, 2022
Securing data access Jetson AGX Xavier security	5	804	October 18, 2021
Secure OS / Rootfs Encryption Jetson TX2	5	2431	December 11, 2018
TK1 Security of nvflash's "fastboot.bin" Jetson TK1	3	1033	October 18, 2021
Backup Jetson TX2 Jetson TX2 clone	4	928	October 18, 2021
TX2 won't boot after rootfs alteration -> possible to recover user files ? Jetson TX2	6	1434	October 18, 2021

Ways to prevent data accessing in the recovery mode

Related topics