NVIDIA Tegra
NVIDIA DRIVE OS 5.1 Linux SDK

Developer Guide
5.1.15 Release


 
Over the Air Update of Security Files
 
Downloads Using the Communications Virtual Machine
Supported Files
Generating Security Configuration Files
Generating TLS Security Configuration Files
The Security Services on the target platform are accessible using the whole system firmware update or the OTA interface.
The OTA interface allows for:
Controlled access to the configuration files that are pushed to the Service
Access to the Security logs to be extracted from the Service.
Downloads Using the Communications Virtual Machine
The security config and TLS security files can be downloaded directly to the Communications partition, then pushed to the Security partition.
In this case, the download is available at:
/userdata/otavmclient/download
Supported Files
The supported files are as follows:
security.config
ca_cert.pem
ca_key.pem
tls_client_ca_chain.pem
To push the files to the security partition
1. Execute the command:
nvsecpush /userdata/otavmclient/download/<filename>
2. After transferring the file, remove it from the download directory.
Removal of the file is not automatically performed.
Generating Security Configuration Files
The Security configuration files are bundled with the release files. They can be manually generated using the Configuration Tool.
Generating TLS Security Configuration Files
The TLS security configuration files are created by using OpenSSL.
For details, consult the OpenSSL website at:
https://www.openssl.org/source/
To install Openssl on Linux
1. Navigate to the /home directory and execute these commands:
wget https://www.openssl.org/source/openssl-1.1.1.tar.gz
tar -xvzf openssl-1.1.1.tar.gz
cd openssl-1.1.1
./config --prefix=/usr/
make
sudo make install
2. Add the installed tool to your PATH:
export PATH=$PATH:$HOME/openssl-1.1.1/apps
To verify the installation is successful
Execute the command:
openssl version
The system returns:
OpenSSL 1.1.1 11 Sep 2018
To create the TLS Proxy server certificate files
This procedure describes how to create the following files:
ca_key.pem
ca_cert.pem
1. Create a new directory. For example, $HOME/tls_cert/, then navigate to the newly created directory.
2. Execute these commands:
sudo perl $HOME/openssl-1.1.1/apps/CA.pl -newca
For each of these commands, identify the PEM pass phrase, Country code, State, Common Name etc.
Where:
The PEM pass phrase must be the same as the pwd phrase in the security.config file.
The server certificate file must be added to the trusted certificates in the Guest OS; otherwise, the connection is NOT trusted.
If all the information has been entered successfully, the directory now contains the following files and subdirectories:
demoCA/cacert.pem
demoCA/careq.pemdemoCA/certs -empty
demoCA/crl -empty
demoCA/index.txt
demoCA/index.txt.attr
demoCA/index.txt.attr.old
demoCA/index.txt.old
demoCA/serial
demoCA/private/cakey.pem
demoCA/newcerts/xxxxxxxxxxxx.pem -Root ca certificate
To rename the files
Once the certificate files have been generated, they must be renamed to match the naming convention for the Security Services as follows:
demoCA/private/cakey.pem -> ca_key.pem
demoCA/cacert.pem -> ca_cert.pem
 
Note:
When generating a new TLS proxy ca_key.pem or new ca_cert.pem , the user must ensure the certification information (from ca_cert.pem) is added to the local certificate storage on the Guest OS.
For example, for a Linux Guest OS, the user must update/add the security information to the file:
/etc/ssl/certs/ca-certificates.crt
Or add the security information as a separate file/link at the certs directory at:
/etc/ssl/certs
TLS Proxy CA certificate list
tls_client_ca_chain.pem
The Certificate Authority Trust chain file is likely to require frequent updates because it contains the certificate authentication details for the signing Certificate Authorities. The data for this file is available at:
https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt
The certificate collection is kept in a proprietary format and must be converted before it can be loaded into any OpenSSL libraries.
For example, by using this Curl project tool:
https://raw.github.com/bagder/curl/master/lib/mk-ca-bundle.pl
The Curl project provides a ready available version in .pem format at:
https://curl.haxx.se/docs/caextract.html
Once downloaded, or generated, the file must be in the .pem format and renamed to tls_client_ca_chain.pem
Note:
If there are any local certificates that are used on the system, they must be manually added to the tls_client_ca_chain.pem file; otherwise the TLS proxy is not trusted by the remote server.