NVIDIA Tegra
NVIDIA Tegra Linux Driver Package

Development Guide
28.3 Release

 
Security
 
Validation of Binaries
This section explains the security in the BDK.
Validation of Binaries
 
Boot Binaries and Associated Signing
All of the binaries involved in the boot process have a generic header (except MB1). The binary is appended to the generic header. The header stores the signature of the binary, which is used for validation in secure boot.
Boot Binaries and Associated Signing
The following table summarizes the boot binaries available in Tegra and their respective signing authorities.
Boot Binary
Signing Authority
BRBCT
OEM generated binary, signed by OEM
MB1BCT
OEM generated binary, signed by OEM
MB1
NVIDIA provided binary, signed/encrypted by NVIDIA, OEM will sign/encrypt again
MTS-Preboot
NVIDIA provided binary, signed/encrypted by NVIDIA, OEM will sign/encrypt again
MTS-Package (MTS-DMCE + MTS-Proper)
Signed/encrypted separately by NVIDIA, OEM will sign/encrypt again.
SPE-CAN-FW
OEM owned binary, signed/encrypted by OEM.
TBoot-BPMP
NVIDIA provided reference code, ultimately OEM owned, signed/encrypted by OEM.
TBoot-CPU
NVIDIA provided reference code, ultimately OEM owned, signed/encrypted by OEM.
CBoot
NVIDIA provided reference code, ultimately OEM owned, signed/encrypted by OEM.
TOS
NVIDIA provided reference code, ultimately OEM owned, signed/encrypted by OEM.
SC7-FW
NVIDIA provided binary, signed by NVIDIA, OEM will sign/encrypt again.
BL-DTB
NVIDIA provided reference code, ultimately OEM owned, signed/encrypted by OEM.
Uboot/Kernel
NVIDIA-adapted OSS code. Signed/encrypted by OEM.