Xavier NX secure boot support with RSA 3072 key

Autonomous Machines Jetson & Embedded Systems Jetson Xavier NX
,
1

Hello,

We are looking to enable secure boot on the Xavier NX and the fuse specification indicates the Xavier NX supports RSA 3072 bit public keys.

https://developer.nvidia.com/jetson-xavier-nx-fuse-specification-application-note

FUSE_BOOT_SECURITY_INFO [15:0]Boot Security InfoBits
                                   interpreted by boot software with following mapping:
                                   Bits [1:0] mapped to Secure Boot Authentication Scheme, where
                                   00b: SHA2 Hash
                                   01b: 2048 bit RSA
                                   **10b: 3072 bit RSA**
                                   11b: ECC (Elliptic Curve, see also bit 7)

Based on this info it appears that the NX target device supports 3072 bit keys and we we should be able to sign images with keys of this length giving us 128 bit effective security (Keylength - NIST Report on Cryptographic Key Length and Cryptoperiod (2020))

However, with Jetpack 4.5.1 it looks like the Nvidia tools do not support RSA 3072, specifically the tegrasign_v2 tool. Attached is log output from l4t_sign_image.sh using both an RSA 2048 bit key (successful) and an RSA 3072 bit key (failure).

Is there a change to the Jetpack tools we can make to the jetpack tools in order to use RSA 3072 bit keys? tegrasign_v2 is a binary executable so it is difficult to determine the proper inputs to make this work.

Thanks!

l4t_sign_image.sh_log.txt (13.5 KB)

2

Resolved the issue. After generating the private key in openssl I wrapped it in PKCS#8 format to provide at least some protection. The issue is when extracting the private key from the PKCS#8 file using:

$openssl pkcs8 -in pkcs8_priv_rsa_3072.pem -outform PEM -out priv_rsa_3072.pem

The resulting output plaintext file is NOT in traditional or “SSLeay format” which is required by the Nvidia tools. An additional step of:

openssl rsa -in priv_rsa_3072.pem > nvidia_fmt_3072.pem

is needed. When the Nvidia tools are fed the nvidia_fmt_3072.pem file things work as expected.

3

Glad to know issue resolved, thanks for the update!