User Guide (Latest)
NVIDIA IGX Orin Developer Kit User Guide (Latest)

Enable Secure Boot for UEFI

You can enable end-to-end secure boot for your production NVIDIA IGX device. For an overview, see Secure Boot for IGX.

Before you complete the steps in this documentation, complete the steps in Enable Secure Boot for Pre-UEFI Phases.

To enable secure boot for UEFI phases, use the following documentation:

UEFI secure boot uses digital signatures (RSA) to validate the authenticity and integrity of the codes that it loads.

UEFI_Secureboot.png

Before you can complete the steps in this documentation, you need the following installed on your computer:

  • openssl

  • device-tree-compiler

  • efitools

  • uuid-runtime

In this example we prepare the keys by using self-signed certificates for demonstration purposes only. For production, follow your official certificate generation procedure.

  1. To generate the PK RSA keypairs and certificates, run the following code.

    Copy
    Copied!
                

    cd <Your_DIR>/Linux_for_Tegra mkdir uefi_keys cd uefi_keys GUID=$(uuidgen) openssl req -newkey rsa:3072 -nodes -keyout PK.key -new -x509 -sha256 -days 3650 \ -subj "/CN=Vendor Owned Platform Key/" -out PK.crt cert-to-efi-sig-list -g "${GUID}" "PK.crt" PK.esl

    Caution

    Guard your PK.key private key file. The security of your IGX device depends on the security of your private keys.

  2. To generate the KEK and DB RSA key pairs and certificates, run the following code.

    Copy
    Copied!
                

    cd <Your_DIR>/Linux_for_Tegra/uefi_keys openssl req -newkey rsa:3072 -nodes -keyout KEK_vendor.key -new -x509 -sha256 -days 3650 \ -subj "/CN=Vendor Owned Key Exchange Key/" -out KEK_vendor.crt cert-to-efi-sig-list -g "${GUID}" KEK_vendor.crt KEK_vendor.esl sign-efi-sig-list -k PK.key -c PK.crt KEK KEK_vendor.esl KEK_vendor.auth openssl req -newkey rsa:3072 -nodes -keyout db_vendor.key -new -x509 -sha256 -days 3650 \ -subj "/CN=Vendor Owned Signature Database key/" -out db_vendor.crt cert-to-efi-sig-list -g "${GUID}" db_vendor.crt db_vendor.esl sign-efi-sig-list -k KEK_vendor.key -c KEK_vendor.crt db db_vendor.esl db_vendor.auth

    Caution

    Guard your KEK_vendor.key and db_vendor.key private key files. The security of your IGX device depends on the security of your private keys.

  3. Download the Microsoft KEK and DB esl files, and create an EFI Signature List from Microsoft’s DER format KEK certificate.

    Copy
    Copied!
                

    cd <Your_DIR>/Linux_for_Tegra/uefi_keys # download Microsoft Corporation KEK CA 2011 certificate: curl -O https://www.microsoft.com/pkiops/certs/MicCorKEKCA2011_2011-06-24.crt sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output MS_Win_KEK.esl MicCorKEKCA2011_2011-06-24.crt # download Microsoft Corporation UEFI CA 2011 certificate: curl -O https://www.microsoft.com/pkiops/certs/MicCorUEFCA2011_2011-06-27.crt sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output MS_UEFI_db.esl MicCorUEFCA2011_2011-06-27.crt

  4. Append the esl files of the KEK and the DB.

    Copy
    Copied!
                

    cat KEK_vendor.esl MS_Win_KEK.esl > combined_KEK.esl cat db_vendor.esl MS_UEFI_db.esl > combined_db.esl

There are two ways to enable the UEFI secure boot:

Note

Although you can enable UEFI secure boot independently from a low-level bootloader secure boot, we strongly recommended that you enable bootloader secure boot so that the root-of-trust can start from the BootROM.

Enable UEFI Secure Boot at Run Time

You can enable UEFI secure boot at run time from the kernel with the UEFI utility running from Ubuntu. These instructions are for targets that are not flashed with UEFI secure boot enabled.

  1. Make sure the IGX network port is connected. Use the port on the left, labelled 4 in the diagram in I/O and External Interfaces.

  2. To install the UEFI utilities efitools and efivar on IGX, run the following code.

    Copy
    Copied!
                

    sudo apt update sudo apt-get install efitools sudo apt-get install efivar

  3. Verify that secure boot is not yet enabled by running the following code. If the return value is 0, secure boot is not enabled. If the return value is 1, secure boot is already enabled.

    Copy
    Copied!
                

    efivar -n 8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot

  4. To generate the file PK.auth on your computer, run the following code.

    Note

    Before you do this step, verify that you generated the KEK and DB RSA key pairs and certificates in the section Prepare the Keys.

    Copy
    Copied!
                

    cd <Your_DIR>/Linux_for_Tegra/uefi_keys sign-efi-sig-list -k PK.key -c PK.crt PK PK.esl PK.auth

  5. To download the files PK.auth, combined_KEK.esl, and combined_db.esl from the host computer to IGX, run the following code.

    Copy
    Copied!
                

    cd /opt sudo mkdir uefi_keys sudo scp <host_name>@<host_ip>:<Your_DIR>/Linux_for_Tegra/uefi_keys/PK.auth ./uefi_keys/ sudo scp <host_name>@<host_ip>:<Your_DIR>/Linux_for_Tegra/uefi_keys/combined_KEK.esl ./uefi_keys/ sudo scp <host_name>@<host_ip>:<Your_DIR>/Linux_for_Tegra/uefi_keys/combined_db.esl ./uefi_keys/

  6. Before enrollment, to check the UEFI secure boot key status, run the following code.

    Copy
    Copied!
                

    sudo efi-readvar

    The output should look similar to the following.

    Copy
    Copied!
                

    Variable PK has no entries Variable KEK has no entries Variable db has no entries Variable dbx has no entries Variable MokList has no entries

  7. To enroll the combined DB, run the following code.

    Copy
    Copied!
                

    sudo efi-updatevar -e -f /opt/uefi_keys/combined_db.esl db

  8. To enroll the combined KEK, run the following code.

    Copy
    Copied!
                

    sudo efi-updatevar -e -f /opt/uefi_keys/combined_KEK.esl KEK

  9. To enroll the PK and enable UEFI secure boot, run the following code.

    Copy
    Copied!
                

    sudo efi-updatevar -f /opt/uefi_keys/PK.auth PK

  10. Reboot the target device.

  11. Verify that secure boot is enabled by running the following code. If the return value is 1, secure boot is now enabled.

    Copy
    Copied!
                

    efivar -n 8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot

    Note

    You can also use the command sudo mokutil --sb-state to check the status of UEFI secure boot.

Enable UEFI Secure Boot at Flash Time

To create a UEFI keys config file with the generated keys, use the following procedure.

  1. To open and edit your uefi_keys.conf file, run the following code.

    Copy
    Copied!
                

    cd to <Your_DIR>/Linux_for_Tegra/uefi_keys vim uefi_keys.conf

  2. Insert the following lines in the uefi_keys.conf file. You generated the .esl files previously in Prepare the Keys.

    Copy
    Copied!
                

    UEFI_DEFAULT_PK_ESL="PK.esl" UEFI_DEFAULT_KEK_ESL_0="MS_Win_KEK.esl" UEFI_DEFAULT_DB_ESL_0="MS_UEFI_db.esl" UEFI_DEFAULT_KEK_ESL_1="KEK_vendor.esl" UEFI_DEFAULT_DB_ESL_1="db_vendor.esl"

  3. To generate the UefiDefaultSecurityKeys.dtbo file, run the following code.

    Copy
    Copied!
                

    cd .. sudo tools/gen_uefi_keys_dts.sh --no-signing-key uefi_keys/uefi_keys.conf cp uefi_keys/UefiDefaultSecurityKeys.dtbo bootloader/

  4. Put the IGX device into recovery mode. For details, see Put the system into recovery mode.

  5. Flash the IGX with QSPI-only configuration with the UefiDefaultSecurityKeys.dtbo file. Specify -u <RSA-Private-Key> or -v <sbk key> if the IGX secure boot has already been enabled on the boards. You can use this step to enable both pre-UEFI and UEFI secure boot in one flashing step, and to enable both at the same time.

    Copy
    Copied!
                

    sudo ADDITIONAL_DTB_OVERLAY="UefiDefaultSecurityKeys.dtbo" ./flash.sh [-u <RSA-Private-Key>] [-v <SBK-key>] p3740-0002-p3701-0008-qspi external

  6. Boot to the OS and check the UEFI secure boot status by running the following code.

    Copy
    Copied!
                

    mokutil --sb-state

    You should see the following output.

    Copy
    Copied!
                

    SecureBoot enabled

Previous Enable Secure Boot for Pre-UEFI Phases
Next Revoke a Fused PKC Key
© Copyright © 2024, NVIDIA Corporation. Last updated on Aug 23, 2024.