Ways to prevent data accessing in the recovery mode


We are investigating ways to prevent data accessing when Jetson TX2 is in recovery mode. Can you please point us in the right direction? The reply in this ticket has mentioned similar ways. Unfortunately, the reference posts are no longer exist.


hello david.huang1,

as long as you’d enable secureboot, the RCM code will be signed.
so, it should be secure as other signed components, such as BCT or bootloader

It isn’t barely clear to me, secure here means I can’t access to internal stoarage data at all using USB recovery mode?
And if I decided to update or read internal storage, I should use secret keys?

Not really any kind of answer, but possibly useful info: If the chain of boot is signed with a secret key, and if the security fuses are burned, then you won’t be able to read that boot content, but you will be able to flash it with any new content which is signed correctly. Nobody will be able to change the chain of boot other than the person with the key. Even the person with the key won’t be able to read those partitions when the security fuses are burned (so far as I know burned security fuses will imply part of the boot chain is write-only). The rootfs is not part of this, but if the rootfs is encrypted, then recovery mode will only read the encrypted content. Any key in the earlier boot stages will be inaccessible. There is nothing you can do though to prevent going into recovery mode per se, and there is nothing you can do to prevent reading the rootfs/APP partition…but what is read is perhaps not useful to anyone who does not have the key.

Of course the down side is that while booted, and while the rootfs has been unencrypted via the correct key, then a privileged user can use ordinary Linux tools to read content. However, recovery mode won’t be an issue.

1 Like

hello vdv.18,

here’s training material you may check for more details.
for example, Jetson Security and Secure Boot from the Tutorials | NVIDIA Developer page

1 Like

Thank you!

Hello linuxdev and JerryChang, thank so match you for detailed description and for the links!