Xavier NX secure boot support with RSA 3072 key

5121802 · May 27, 2021, 4:10pm

Hello,

We are looking to enable secure boot on the Xavier NX and the fuse specification indicates the Xavier NX supports RSA 3072 bit public keys.

https://developer.nvidia.com/jetson-xavier-nx-fuse-specification-application-note

FUSE_BOOT_SECURITY_INFO [15:0]Boot Security InfoBits
                                   interpreted by boot software with following mapping:
                                   Bits [1:0] mapped to Secure Boot Authentication Scheme, where
                                   00b: SHA2 Hash
                                   01b: 2048 bit RSA
                                   **10b: 3072 bit RSA**
                                   11b: ECC (Elliptic Curve, see also bit 7)

Based on this info it appears that the NX target device supports 3072 bit keys and we we should be able to sign images with keys of this length giving us 128 bit effective security (Keylength - NIST Report on Cryptographic Key Length and Cryptoperiod (2020))

However, with Jetpack 4.5.1 it looks like the Nvidia tools do not support RSA 3072, specifically the tegrasign_v2 tool. Attached is log output from l4t_sign_image.sh using both an RSA 2048 bit key (successful) and an RSA 3072 bit key (failure).

Is there a change to the Jetpack tools we can make to the jetpack tools in order to use RSA 3072 bit keys? tegrasign_v2 is a binary executable so it is difficult to determine the proper inputs to make this work.

Thanks!

l4t_sign_image.sh_log.txt (13.5 KB)

5121802 · May 27, 2021, 9:13pm

Resolved the issue. After generating the private key in openssl I wrapped it in PKCS#8 format to provide at least some protection. The issue is when extracting the private key from the PKCS#8 file using:

$openssl pkcs8 -in pkcs8_priv_rsa_3072.pem -outform PEM -out priv_rsa_3072.pem

The resulting output plaintext file is NOT in traditional or “SSLeay format” which is required by the Nvidia tools. An additional step of:

openssl rsa -in priv_rsa_3072.pem > nvidia_fmt_3072.pem

is needed. When the Nvidia tools are fed the nvidia_fmt_3072.pem file things work as expected.

kayccc · May 27, 2021, 11:37pm

Glad to know issue resolved, thanks for the update!

Topic		Replies	Views
Xavier NX JP 5.1.2 Secureboot BootSecurityInfo Jetson Xavier NX security	4	344	January 26, 2024
Failed to flash signed boot image Jetson Xavier NX security	10	1373	September 19, 2021
[TRUSTY] - RSA Encryption / Decryption Jetson AGX Xavier security	7	912	December 17, 2021
Confirmation/Review on secureboot steps for Xavier NX production kit (custom board) Jetson Xavier NX boot , board-design , security	5	1052	July 29, 2022
Signing firmware with an HSM protected private key Jetson Xavier NX security	8	1628	December 11, 2021
Secureboot questions Jetson Xavier NX security	6	1041	June 19, 2022
Enabling disk encryption doesn't boot the device // Jetson Xavier NX // P3668-0001 Jetson Xavier NX security	12	1933	March 29, 2022
Verify key length and store about secure boot Jetson AGX Xavier security	2	484	October 18, 2021
Apt upgrade will affect secureboot? Jetson Xavier NX security	11	1692	September 7, 2021
Xavier NX with JetPack4.5.1 Fuse issue Jetson Xavier NX security	2	532	September 12, 2021

Xavier NX secure boot support with RSA 3072 key

Related topics