Writing partition kernel with boot_sigheader.img.encrypt

Hi,

I have:

L4T BSP Information:
R32 , REVISION: 3.1
Target Board Information:
Name: jetson-tx2, Board Family: t186ref, SoC: Tegra 186, 
OpMode: production, Boot Authentication: SBKPKC, 

Boot Authentication is SBKPKC.

When I execute this command

sudo BOARDID=3310 FAB=D00 ./flash.sh -u keys/rsa_priv.pem -v keys/SBK_flash_sh.key jetson-tx2 mmcblk0p1

flash.sh loads boot_sigheader.img.signed.

However I would like to load boot_sigheader.img.encrypt.signed.

If I execute this command

sudo BOARDID=3310 FAB=D00 BOARDSKU=1000 BOARDREV=F.0 ./flash.sh \
     -k kernel --image bootloader/boot_sigheader.img.encrypt.signed \
     -x 0x18 -y PKC -u keys/rsa_priv.pem -v keys/SBK_flash_sh.key \
     jetson-tx2 mmcblk0p1

I get the following error:

[   0.6589 ] tegrarcm_v2 --chip 0x18 0 --updatesig rcm_list_signed.xml --pubkeyhash pub_key.key
[   0.6599 ] 
[   0.6599 ] Boot Rom communication
[   0.6606 ] tegrarcm_v2 --chip 0x18 0 --rcm rcm_list_signed.xml --skipuid
[   0.6613 ] RCM version 0Xa
[   0.6641 ] Boot Rom communication failed
[   5.8552 ] 
Error: Return value 3
Command tegrarcm_v2 --chip 0x18 0 --rcm rcm_list_signed.xml --skipuid
Failed to flash/read t186ref.

How to load the boot_sigheader.img.encrypt image?

Hi,
Could you share the purpose? Do you need the bootloader signed and encrypted in your usecase?

Hi,

I need boot.img (kernel) to be not only signed, but also encrypted.

Hi

Could you try below command? Also, for TX2, what in kernel partition is the u-boot. Do you want uboot to be signed and encrypted?

sudo BOARDID=3310 FAB=D00 BOARDSKU=1000 BOARDREV=F.0 ./flash.sh
-r -k kernel -x 0x18 -y PKC -u keys/rsa_priv.pem -v keys/SBK_flash_sh.key
jetson-tx2 mmcblk0p1

Hi,

Also checked R32 , REVISION: 2.3. with

sudo BOARDID=3310 FAB=D00 BOARDSKU=1000 BOARDREV=F.0 ./flash.sh 
-r -k kernel -x 0x18 -y PKC -u keys/rsa_priv.pem -v keys/SBK_flash_sh.key 
jetson-tx2 mmcblk0p1

The same results:

Error: Return value 3
Command tegrarcm_v2 --chip 0x18 0 --rcm rcm_list_signed.xml --skipuid
Failed to flash/read t186ref.

Could you enable the UART log from tegra and see what is the error from it?

Also, could we use the simplest one and narrow down?

For example, use

sudo BOARDID=3310 FAB=D00 BOARDSKU=1000 BOARDREV=F.0 ./flash.sh
-r -x 0x18 -u keys/rsa_priv.pem -v keys/SBK_flash_sh.key jetson-tx2 mmcblk0p1

In this case there is no any messages from UART when terga in recovery mode.

Then it sounds like the flash process is not event get into tegra part.

Currently is there any way you could flash the board? Have you tried #8?

This commands works well:

sudo BOARDID=3310 FAB=D00 BOARDSKU=1000 BOARDREV=F.0 ./flash.sh
-r -x 0x18 -u keys/rsa_priv.pem -v keys/SBK_flash_sh.key jetson-tx2 mmcblk0p1

I have already used such command to flash TX2. However it loads signed boot.img:

[  39.7581 ] Writing partition kernel with boot_sigheader.img.signed
[  39.7643 ] [................................................] 100%

But I need encrypted image.

Also, for TX2, what in kernel partition is the u-boot. Do you want uboot to be signed and encrypted?

uboot is disabled, only cboot is used. In kernel partition is Linux kernel.

My end goal is to add full encryption of TX2. (bootloaders, dtbs, kernel, rootfs).

Hi nazaraa,

I think you need to clarify more detail about what you’ve done. According to your comment, I guess you are using rel-28 cboot on rel-32, right?

Hi,

Yes, I use rel-28 cboot on rel-32.

First of all I would like to decrypt and check signature of boot_sigheader.img.encrypt.signed by using TEGRABL_SIGNINGTYPE_OEM_RSA_SBK mode.

Hi,

  1. SBKPKC support are end at CBoot. i,e the last component in boot chain that are encrypted and signed is CBoot. Images loaded in by CBoot, such as kernel and kernel-dtb, are signed only. So, the image flashed to kernel partition is boot_sigheader.img.signed.

  2. Flash single partition for SBKPKC fused board currently is not supported. You can only use “dd” command in kernel to do single partition write.

  3. Whether your design (r28 cboot on r32 BSP) works or not with other is out of current support scope. It does not go through a valid QA test.

Hi,

As I mentioned above, my end goal is to add full encryption of TX2. (bootloaders, dtbs, kernel, rootfs). I would like to do it with minimal efforts.
Could you share some information regarding current and further cboot and L4T releases?

  • Will R32 cboot release support SBKPCK (or other auth scheme with encryption) for kernel and kernel-dtb?
  • When R32 cboot is going to be released?
  • Will rootfs encryption be supported? If yes, then when?
  • Where can I read about details of SBKPCK authentication scheme and .encrypted.signed file structure?
  • Where can I read about how to use crypto API used by R28 cboot?

Need to check these with internal team.
What I can tell you now is the cboot src is still under review. It would be targeted to rel-32.5 or later.

Hi,

Do you have any updates?

It would be targeted to rel-32.5 or later.

It sounds quite unpredictable.
Nowadays we have the cboot R28.3 released almost year ago (2019/04/24).
I need cboot somehow to load necessary key from fuses to Secure Engine (SE) key slot (in case odm_production fuse is set).
Could you share an example how to do it?

  • Will R32 cboot release support SBKPCK (or other auth scheme with encryption) for kernel and kernel-dtb?
    -> cboot payload is signed only.

  • When R32 cboot is going to be released?
    -> Yes. We are still cleaning the audit of each code.

  • Will rootfs encryption be supported? If yes, then when?
    For rootfs encryption or disk encryption, it will be choice of customer. Such as LUKS, it is up to customer to determine their implementation plan. If customer needs encryption key support, the upcoming release would contain a sample to demonstrate how to store and retrieve user defined key. The sample also shows a per device key that user can use. It is called Secure Storage Key (SSK) that is generated by NV.

  • Where can I read about details of SBKPCK authentication scheme and .encrypted.signed file structure?

  • Where can I read about how to use crypto API used by R28 cboot?
    -> Are you asking these two because of the need of kernel encryption so you want cboot to help do the authentication?

When R32 cboot is going to be released?
-> Yes. We are still cleaning the audit of each code.

But when?

-> Are you asking these two because of the need of kernel encryption so you want cboot to help do the authentication?

Yes, exactly.
I managed to decrypt boot_sigheader.img.encrypt file in cboot by means of SE. However the SBK was hardcoded in cboot. I can read SBK from fuses, but, in my understanding, it will not work if I set odm_production fuse.

So, I need API to securely load key (SBK or KEKs) from fuses to SE.